Query on Classification of ISMS

Guest user, created: Jan 06, 2022, last commented: Feb 23, 2022
Query related to ISO 27001 ISMS (classification of non-conformity): In the Advisera ISO 27001 Documentation Toolkit, it is given/recommended that the organization must provide a classification for the risk. The queries to be resolved are as follows:

- Is the organization supposed to provide a classification for non-conformities as well?
- If yes, please suggest the method/mechanism to be adopted for the classification of NCs as well.

Rhand Leal (Expert), Jan 06, 2022

ISO 27001 does not require non-conformities to be classified. Normally non-conformities are classified during surveillance/certification audits as major or minor nonconformities, and the main purpose is the following: if the auditor raises a major nonconformity, a company cannot get certified.

For further information, see:

Atul Kamat (Guest), Jan 06, 2022

The management feedback and concern is that, without a classification of non-conformities from the internal audit based on risk, decisions and priorities cannot be assigned appropriately.

Rhand Leal (Expert), Jan 10, 2022

Although ISO 27001 does not prescribe classification of non-conformities, an organization can define a classification scheme of its own if it understands that it can help improve the ISMS.

Regarding the classification scheme, you can either adopt the minor/major nonconformity scheme used by certification bodies (which will make it easier to explain to certification auditors) or develop your own scheme (e.g., based on a risk assessment of the assets impacted by the non-conformity).

Rohit D (Guest), Jan 28, 2022

As we are planning to conduct a QMS Internal Audit prior to the Certification Audit, we have a query which needs proper clarification. It is as follows:

Is an internal audit of the entire scope required prior to the Certification Audit, or will an IA of one particular department suffice prior to the Certification Audit?

Audit Scope: department by department (4 departments)
Audit Criteria: ISO 9001:2015 Standard and legal or regulatory requirements

Iciar Gallo (Expert), Feb 04, 2022

An entire internal audit that covers the whole scope is needed in order to go to the Certification Audit. Sometimes, because of time constraints, it is not possible to cover all processes during the internal audit; in that case, it should be specified in the internal audit report.

For more information about internal auditing, see the following materials:
- ISO 9001 – Five Main Steps in ISO 9001 Internal Audit: https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
- Free online training, ISO 9001:2015 Internal Auditor Course: https://training.advisera.com/se/iso-14001-internal-auditor-course/o-9001-internal-auditor-course/
- Book, ISO Internal Audit: A Plain English Guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Rohit D (Guest), Feb 10, 2022

We have conducted and completed two ISMS Internal Audits, in the months of August and December 2021. We are planning to conduct the first QMS Internal Audit in the month of February 2022.

The query is as follows:

- Is there any possibility or condition under which we can audit the status of ISMS audit points in the QMS Internal Audit?
- If yes, can you describe a procedure for the same?
Rhand Leal (Expert), Feb 23, 2022

First, it is important to note that the term “audit point” does not exist in the ISO audit context. Assuming that by “audit point” you mean a list of deficiencies, not nonconformities, the closest term for an ISO audit would be observation.

In this case, it is possible to take advantage of a QMS internal audit to check the status of observations raised in the last ISMS audit.

You can do that when reviewing the status of previous QMS nonconformities. You only need to take care in planning the audit to consider this as a separate activity of the QMS internal audit, so you can plan the necessary time for the QMS internal audit.

An additional reminder is that you cannot include any information about the ISMS observations in the QMS report. The best approach would be for you to perform a QMS and ISMS integrated audit (this is possible because ISO 27001 and ISO 9001 share compatible internal audit requirements.)
