August 19, 2014

Last Updated on January 14, 2024

One of the most frequently misunderstood elements of the ISO 27001 certification process is the area of “findings” and/or nonconformities.
One of our ISO 27001 Lead Implementers recently shared his observations on the types/levels of findings he has seen in his audits, which are worth passing along:

  • N/A — Effectiveness of controls could not be measured at the time of the audit due to lack of information, timing, etc.
  • Effective —The requirement is met.
  • Observation — Notes on a benign, anomalous event; a non-mandatory recommendation.
  • Opportunity for Improvement — Single observed lapse or isolated incident. Minimal risk of nonconforming product or service.
  • Minor Nonconformity — Failure to comply with a requirement which (based on judgment and experience) is not likely to result in management system failure.
  • Major Nonconformity — Absence or total breakdown of a system to meet a requirement. A number of minor nonconformities related to the same clause or requirement. A nonconformity that experience and judgment indicate will likely result in management system failure or significantly reduce its ability to assure controlled processes and products.

Minor and major nonconformities are the two findings that can impact your firm’s ability to achieve certification during a certification audit, or to maintain its certification during a surveillance audit.  Generally speaking, one or a small number of minor nonconformities will not prevent you from achieving or maintaining a certificate.  However, a single major non-conformity will prevent you from achieving or maintaining a certificate until it is corrected.
Remember, an ISO 27001 certificate does not imply infallibility. Rather, it’s an indication that an organization’s Information Security Management System effectively manages risk.