www.generationnext.in

ISO 27001:2013 AUDIT: MAJOR NON-CONFORMITIES


During an ISO 27001 audit, the auditor will come up with some audit findings. These are in the form of:

1. Observations: a positive observation, or an opportunity for improvement where an auditor wants to express a concern about a weak practice

2. Minor Non-Conformity: partial fulfilment of a requirement or non-fulfilment of a minor requirement

3. Major Non-Conformity: complete breakdown of the system


The impact of getting a major non-conformity is serious and, in the instance of an external audit, even damaging.

In a Stage I Audit, a major non-conformity would lead to the cancellation of the audit and the client would have to re-do Stage I before proceeding to Stage II.

In a Stage II Audit, a major non-conformity simply means the organization would not get recommended for certification and would have to re-do the Audits from Stage I.

In a continuous assessment or Surveillance Audit, the organization would lose its certification if a major non-conformity was raised.
Below are some of the main reasons an auditor would raise a MAJOR non-conformity, and that you should watch out for:

1. All requirements as defined in the Standard from Clause 4 to 10 are mandatory. A complete failure to fulfil any of these requirements will raise a major non-conformity. For instance, wherever the standard mentions that the organization shall maintain documented information about a process or as evidence of an activity, then these MUST be maintained as documents. The failure to have any of these documents will raise a major non-conformity. Key to note here are the statements in the standard written as "the organization shall".

2. The total breakdown of a documented process will also raise a major non-conformity.

For instance, Clause 6.1 requires that the organization define and apply a documented risk assessment process that identifies risks in a repeatable fashion. Suppose your process says that you perform risk assessments twice a year and/or whenever a major change is introduced in the organization, and the risk rating criteria are defined, but the risk assessments were not carried out as per the defined criteria, and subsequent assessments rate risks using different rating scales. This will raise a major non-conformity against the requirement that risk assessments should produce consistent, valid and comparable results.

3. A minor non-conformity is a partial fulfilment of a requirement. Sometimes there could be several minor non-conformities linked to the same process or section of the management system.

For instance, Clause 7.3 requires that all people under the organization's control be made aware of:

- the information security policy;
- their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
- the implications of not conforming with the information security management system requirements.

If during the audit the auditor does not, for example, find an awareness programme or any evidence of awareness activities (e.g. attendance sheets), and when interviewing staff in different departments finds that they are not aware of the existence of the information security policy or its contents, then these minor non-conformities become a major non-conformity because there is obviously a major weakness with the information security awareness effort.

4. If a certification mark is misused, for instance if you claim to your customers (e.g. via media campaigns or on the corporate website) that the organization is ISO certified for IT processes yet the scope you were certified for was only the Billing process, then you are misusing the certification mark and this will lead to the organization losing its certification.

5. Minor non-conformities must be resolved before the next audit, e.g. if a minor non-conformity is raised in the Stage I Audit then it has to be resolved before the Stage II Audit, and this is confirmed by the auditor before proceeding with the Stage II Audit. If the minor non-conformity still exists then it becomes a major non-conformity and the auditor cannot recommend you for certification.

Remember, an audit is an objective exercise carried out by competent individual(s) to gauge the level of conformance with, or fulfilment of, the requirements of ISO 27001:2013. This is achieved by the objective assessment of audit evidence gathered through documents, interviews and observations that the auditor makes. So be sure to have fulfilled all the mandatory requirements of the standard and to provide clear evidence of the same.

India: C 905 Krishna Appra Saphire, Vaibhav Khand, Indirapuram. Ghaziabad. UP. India
1 .No. 16, First Floor, 70 HK Bld, Y M Road, Masjid Bunder, West Mumbai, India
UAE: Spark International FZE, PO Box 16111, RAK FTZ, RAK-UAE.
Algeria: No: 2 Etage Batimet Billayat, Cite Eyalarsa, SETIF, ALGERIA.
