Expert Advice Community

Writing a non conformity

Guest user Created:   Apr 28, 2018 Last commented:   Apr 28, 2018


Is it possible for you to share an example of doing a CAR in practice? How do you report a non-conformance in a CAR and record the Finding, Requirement, Evidence and Relevant Clause?
Expert
Rhand Leal Apr 28, 2018

Please just give me an example of how to write a finding in an audit report, which should include the finding, evidence and clause/requirements.

Sometimes I have difficulties determining which control or clauses apply to the finding. For example, if a server upgrade did not raise any change request and failed to reassess the risk, what control would that be? It's hard to make a fair judgement.

Answer: Considering your example, the finding is "A server was upgraded without a proper change request and risk assessment."

Possible evidence may be:
- a difference between the information in the inventory of assets and what is effectively in production (e.g., a hardware serial number or an application);
- the change is scheduled in the maintenance plan but there is no corresponding change request;
- there is no evidence that a risk assessment was performed for the server change.

As for the non-fulfilled requirements, the control most related to the situation is control A.12.1.2 (Change management), which requires that changes that affect information security shall be controlled. Regarding the requirement related to the lack of risk assessment, you can mention clause 8.2 (Information security risk assessment), which requires that information security risk assessments must be performed at planned intervals or when significant changes are proposed or occur.

So, a proper non-conformity statement may be:

Changes that can affect information security are not being properly controlled, compromising the effectiveness of control A.12.1.2 - Change management, and clause 8.2 - Information security risk assessment. Evidence: "The serial number of server XXXX in the production environment is ABC1234, while the serial number recorded for the same server in the inventory of assets is FGH6789," or "The change made on server XXXX at DD/MM/YYYY, according to the maintenance schedule plan from Jan-2018, does not identify the change request that authorized the change," and "there is no evidence that a risk assessment was performed for the server change."

You should note that writing a non-conformity requires some level of knowledge of the standard and practice in performing audits.

I suggest you take a look at our free ISO 27001:2013 Internal Auditor Course to learn more about audits at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

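The expert's answer describes the three kinds of evidence an auditor would collect for this finding (inventory/production mismatch, a planned change with no change request, and no risk assessment for the change) and how they map onto A.12.1.2 and clause 8.2. The following Python script is an added example, not part of the original thread or of Advisera's material: it reconciles a constructed asset inventory against constructed production observations and a maintenance plan, and emits a non-conformity record in the finding / requirement / evidence layout used above. All asset names, serial numbers, change-request and risk-assessment identifiers in it are made up for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Control and clause identifiers as quoted in the expert's answer (ISO/IEC 27001:2013).
CHANGE_MANAGEMENT = "A.12.1.2 - Change management"
RISK_ASSESSMENT = "Clause 8.2 - Information security risk assessment"

# Constructed sample data (hypothetical assets and identifiers, not from the page).
INVENTORY = {  # what the inventory of assets records
    "srv-db-01": {"serial": "FGH6789", "os": "Ubuntu 18.04"},
    "srv-web-01": {"serial": "JKL0001", "os": "Ubuntu 18.04"},
}
PRODUCTION = {  # what the auditor actually observes in production
    "srv-db-01": {"serial": "ABC1234", "os": "Ubuntu 18.04"},
    "srv-web-01": {"serial": "JKL0001", "os": "Ubuntu 18.04"},
}
MAINTENANCE_PLAN = [  # scheduled changes; change_request is None when nothing was raised
    {"asset": "srv-db-01", "date": "2018-04-10", "change_request": None},
    {"asset": "srv-web-01", "date": "2018-04-12", "change_request": "CR-2018-031"},
]
CHANGE_REQUESTS = {"CR-2018-031": {"risk_assessment": "RA-2018-007"}}
RISK_ASSESSMENTS = {"RA-2018-007"}


@dataclass
class Nonconformity:
    finding: str
    requirements: list[str]
    evidence: list[str] = field(default_factory=list)

    def statement(self) -> str:
        """Render the record in the finding / requirements / evidence layout."""
        lines = [f"Finding: {self.finding}",
                 "Requirements: " + "; ".join(self.requirements),
                 "Evidence:"]
        lines += [f"  - {item}" for item in self.evidence]
        return "\n".join(lines)


def inventory_mismatches(inventory: dict, production: dict) -> list[str]:
    """Evidence type 1: recorded asset attributes differ from what is observed."""
    evidence = []
    for asset, observed in production.items():
        recorded = inventory.get(asset)
        if recorded is None:
            evidence.append(f"Asset {asset} is in production but not in the inventory of assets.")
            continue
        for attr, value in observed.items():
            if recorded.get(attr) != value:
                evidence.append(
                    f"The {attr} of {asset} in production is {value}, while the {attr} "
                    f"recorded in the inventory of assets is {recorded.get(attr)}.")
    return evidence


def uncontrolled_changes(plan: list, change_requests: dict, risk_assessments: set) -> list[str]:
    """Evidence types 2 and 3: a planned change without an authorising change
    request, or with a change request that has no risk assessment behind it."""
    evidence = []
    for entry in plan:
        where = f"the change on {entry['asset']} at {entry['date']}"
        cr_id = entry.get("change_request")
        if cr_id is None or cr_id not in change_requests:
            evidence.append(f"The maintenance plan entry for {where} does not identify "
                            f"the change request that authorised it.")
            evidence.append(f"There is no evidence that a risk assessment was performed for {where}.")
            continue
        ra_id = change_requests[cr_id].get("risk_assessment")
        if ra_id is None or ra_id not in risk_assessments:
            evidence.append(f"Change request {cr_id} for {where} references no "
                            f"completed risk assessment.")
    return evidence


def build_nonconformity(inventory, production, plan, change_requests, risk_assessments):
    """Collect the evidence and, if any exists, map it to the requirements it breaches."""
    evidence = inventory_mismatches(inventory, production)
    evidence += uncontrolled_changes(plan, change_requests, risk_assessments)
    if not evidence:
        return None  # nothing to report
    requirements = [CHANGE_MANAGEMENT]
    if any("risk assessment" in item for item in evidence):
        requirements.append(RISK_ASSESSMENT)
    return Nonconformity(
        finding="Changes that can affect information security are not being properly controlled.",
        requirements=requirements,
        evidence=evidence)


if __name__ == "__main__":
    nc = build_nonconformity(INVENTORY, PRODUCTION, MAINTENANCE_PLAN,
                             CHANGE_REQUESTS, RISK_ASSESSMENTS)
    print(nc.statement() if nc else "No non-conformity found.")
```

On the constructed data the script yields three evidence items (the serial-number mismatch on srv-db-01 and the two gaps around its undocumented change) and attaches both A.12.1.2 and clause 8.2, mirroring the expert's statement. Each evidence sentence names the asset, the date and the two values being compared, which is what makes the record verifiable by the auditee when the CAR is issued.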
