Query related to ISO 27001 ISMS - (Classification of Non - Conformity)
In the Advisera ISO 27001 Document toolkit, it is given/recommended that the organization must provide a classification for the risk. The queries to be resolved are as follows:
Is the organization supposed to provide a classification for Non-Conformities as well?
If yes, please suggest the method/mechanism to be adopted for the classification of NCs as well.
ISO 27001 does not require non-conformities to be classified. Normally non-conformities are classified during surveillance/certification audits as major or minor nonconformities, and the main purpose is the following: if the auditor raises a major nonconformity, a company cannot get certified.
Although ISO 27001 does not prescribe classification of non-conformities, an organization can define a classification scheme of its own if it understands that it can help improve the ISMS.
Regarding the classification scheme, you can either adopt the minor/major nonconformity scheme used by certification bodies (which will make it easier to explain to certification auditors) or develop your own scheme (e.g., based on a risk assessment of assets impacted by the non-conformity).
An internal audit that covers the whole scope is needed in order to go to the Certification Audit. Sometimes, because of time constraints, it is not possible to cover all processes during the internal audit; in that case, this should be specified in the internal audit report.
First, it is important to note that the term “audit point” does not exist in the ISO audit context, and assuming that by “audit point” you mean a list of deficiencies, not nonconformities, the closest term for an ISO audit would be observation.
In this case, it is possible to take advantage of a QMS internal audit to check the status of observations raised in the last ISMS audit.
You can do that when reviewing the status of previous QMS nonconformities. You only need to take care, when planning the audit, to treat this as a separate activity of the QMS internal audit, so you can plan the necessary time for the QMS internal audit.
An additional reminder is that you cannot include any information about the ISMS observations in the QMS report. The best approach would be for you to perform an integrated QMS and ISMS audit (this is possible because ISO 27001 and ISO 9001 share compatible internal audit requirements).