
Expert Advice Community

Raising a Non Conformity or Observation in Internal Audit

Guest
Bills. Created: Oct 28, 2019. Last commented: Oct 30, 2019.

Hi,

I am managing an ISMS and, as per the standard and as a continual improvement, I have to perform an internal audit for the ISMS. An internal audit dept is performing an internal audit. I need clarification in understanding when an auditor can raise an NCR (Minor) and when he can raise an Observation. Suppose I say that since I am certified by an external auditor and I have passed a certification audit by complying with all the mandatory requirements of ISO 27001, you cannot raise an NCR for my ISMS but can only raise an Observation.
So am I correct, or can the internal auditor still raise an NCR for me?
Please advise.
Thanks


Expert
Rhand Leal Oct 30, 2019

First, it is important to note that, considering ISO 19011, the standard used for auditing ISO management systems, audit findings can be conformity, nonconformity, opportunities for improvement, and recommendations (i.e., there is no definition for observation in the standard as an audit finding).

Considering that, an internal auditor can also raise a non-conformity for your ISMS even if you have passed a certification.

The difference between an NC and an observation is that for the second one you do not have enough evidence to support a non-conformity statement. In this situation, the internal auditor can make an observation to the organization so its staff can decide to work on an evaluation to identify if further work has to be done. It can also be used by another auditor in another audit to verify if the situation has evolved to a well-based non-conformity or not.

This course can give you further information about internal audit:
- ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
