Query related to ISO 27001 ISMS - (Classification of Non-Conformity)
In the Advisera ISO 27001 Document toolkit, it is given/recommended that the organization must provide a classification for the risk. The queries to be resolved are as follows:
Whether organization is supposed to provide classification for Non-Conformities as well?
If yes, please suggest the method/mechanism to be adopted for the classification of NCs as well.
ISO 27001 does not require non-conformities to be classified. Normally non-conformities are classified during surveillance/certification audits as major or minor nonconformities, and the main purpose is the following: if the auditor raises a major nonconformity, a company cannot get certified.
Although ISO 27001 does not prescribe classification of non-conformities, an organization can define a classification scheme of its own if it understands that it can help improve the ISMS.
Regarding the classification scheme, you can either adopt the minor/major nonconformity scheme used by certification bodies (which will make it easier to explain to certification auditors) or develop your own scheme (e.g., based on a risk assessment of assets impacted by the non-conformity).