Physical access control
An organization is using an access control system based on card authentication to control physical entry to and exit from a location within the ISMS scope. The software that drives this access control was found to be 8 years old and outdated, with inherent vulnerabilities, since the OEM has released much newer versions with added security and performance features. Should this not be a minor nonconformity, given that the software driving this physical entry control could be compromised or fail outright, since it has been 8 years without any update and is outdated?
Answer:
First, it is important to note that a nonconformity is based on evidence that something required was not planned or was not performed as planned.
Considering that, and your stated scenario, you have evidence that the software that drives this access control was not properly updated, and a minor nonconformity is more related to controls A.12.5.1 (Installation of software on operational systems) and A.12.6.1 (Management of technical vulnerabilities) than to control A.11.1.2 (Physical entry controls).
A nonconformity related to control A.11.1.2 must be based on evidence of failure of the control (e.g., reported incidents of unauthorized access), and your stated scenario only mentions a possible access compromise (which in fact is an increase in risk, not a nonconformity).
These articles will provide you further explanation about access control and vulnerability management:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
- How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
Jul 15, 2019