Nonconformities, OFI's vs Low/Med/High Audit Gaps
"I got ISO 27001 certified last year and extensively used your site for references and the courses, and found the material to be very valuable and easy to understand. I have successfully completed a number of ISO 27001 audits in an internal auditor role and still use your docs for reference.
I am also CISA certified and the majority of my audits are IT General control audits where we rate gaps based on assessing impact and likelihood with ratings of low, medium and high.
I was looking to find information on how major/minor nonconformities and OFI's would compare to the 'traditional' audit gap ratings of low, medium, high. Would you be able to provide some guidance?"
First, it is important to note that major/minor nonconformities are normally used only for certification/surveillance audits of certified ISO management systems. Internal audits in general use the ratings you mentioned.
Considering that, major nonconformities would compare to a high rating, while minor nonconformities could be compared to a low or medium rating, depending on the criteria used by the organization.
As for Opportunities For Improvement (OFIs), they should be rated considering the criteria adopted by the organization to evaluate their potential benefits (i.e., they could be rated low, medium, or high).
These materials will also help you regarding NC and OFI ratings:
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://training.advisera.com/course/iso-27001-internal-auditor-course/
Jan 13, 2021