Query on Classification of ISMS
ISO 27001 does not require non-conformities to be classified. Normally non-conformities are classified during surveillance/certification audits as major or minor nonconformities, and the main purpose is the following: if the auditor raises a major nonconformity, a company cannot get certified.
For further information, see:
- Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
The management feedback & concern is that without classification of Non-conformities from internal audit based on risk, decisions and priorities cannot be assigned appropriately.
Although ISO 27001 does not prescribe classification of non-conformities, an organization can define a classification scheme of its own if it understands that it can help improve the ISMS.
Regarding the classification scheme, you can either adopt the minor/major nonconformity scheme used by certification bodies (which will make it easier to explain to certification auditors) or develop your own scheme (e.g., based on a risk assessment of the assets impacted by the non-conformity).
As we are planning to conduct the QMS Internal Audit prior to the Certification Audit, we have a query which needs proper clarification, and it is as follows:
Whether Internal audit of the entire scope is required prior to Certification Audit or IA of a one particular department will suffice prior to the Certification Audit?
Audit Scope - Department by Department (4 Departments)
Audit Criteria - ISO 9001:2015 Standard & Legal or Regulatory requirements
An internal audit that covers the whole scope is needed in order to go to the Certification Audit. Sometimes, because of time constraints, it is not possible to cover all processes during the internal audit; in that case, this should be specified in the internal audit report.
For more information about internal auditing see the following materials:
- ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
- free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
We have conducted and completed two ISMS Internal Audits, in the months of August and December 2021. We are planning to conduct the first QMS Internal Audit in the month of February 2022.
The query is as follows -
- Is there any possibility, or are there any conditions, under which we can audit the status of ISMS audit points in the QMS Internal Audit?
- If yes, can you describe a procedure for the same?
First, it is important to note that the term “audit point” does not exist in the ISO audit context. Assuming that by “audit point” you mean a list of deficiencies, not nonconformities, the closest term for an ISO audit would be observation.
In this case, it is possible to take advantage of a QMS internal audit to check the status of observations raised in the last ISMS audit.
You can do that when reviewing the status of previous QMS nonconformities. You only need to take care, when planning the audit, to treat this as a separate activity within the QMS internal audit, so that you can plan the necessary time for the QMS internal audit.
An additional reminder is that you cannot include any information about the ISMS observations in the QMS report. The best approach would be for you to perform an integrated QMS and ISMS audit (this is possible because ISO 27001 and ISO 9001 share compatible internal audit requirements).
Feb 23, 2022