Expert Advice Community

Non conformity classification

Guest
Guest user | Created: Oct 25, 2017 | Last commented: Oct 25, 2017

6.1.3 f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. If there is no written information on this, is it minor or ...? If an OFI, raised during the previous audit, has not been resolved within the deadline, such a small nonconformity automatically becomes a minor one.

Expert
Rhand Leal Oct 25, 2017

Answer: ISO 27001:2013 clause 6.1.3 requires the retention of documented information about the information security risk treatment process, and if your organization does not have written risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks, this would be a major nonconformity, because this is a failure in complying with a standard's requirement.

Regarding an OFI (Opportunity For Improvement), this is not a nonconformity, but an issue raised by the auditor that requires an evaluation by the organization, because in the auditor's opinion this could lead to a nonconformity in the future. In this case, after the evaluation an organization can decide to do nothing or implement an action plan to handle the situation. An OFI can lead to a nonconformity if:
- no evaluation is performed by the organization until the next audit
- the organization decided to implement an action plan but has not resolved it within the deadline

These articles will provide you with further explanation about nonconformities:
- Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

These materials will also help you regarding nonconformities:
- Book: Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- Book: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
