What are non-conformities or findings?
Non-conformities or findings refer to the deviations or breaches from the procedures, policies, or requirements specified in the established ISMS of your organization. Essentially, these are the gaps or areas where your ISMS falls short of meeting the standard you're working towards.
Levels of non-conformities
Non-conformities are typically classified into categories:
Major non-conformities: These involve severe breaches or systematic failures indicating a significant lapse in the ISMS, potentially compromising the security of information.
Example: The absence of a risk assessment process or a significant breach in data security.
Minor non-conformities: These refer to isolated incidents or lapses that do not have a significant impact on the integrity of the ISMS. They usually do not point to a systemic problem.
Example: A missing record in a documented process or a delayed response in a procedure.
Opportunities for improvement: smaller breaches on your ISMS that can signal improvement for upcoming audits. We recommend you to tackle those before your surveillance audits.
Addressing non-conformities
1. Identification and documentation
Identify the issue: clearly pinpoint the non-conformity and understand its nature and impact.
Documentation: Meticulously document the identified non-conformities for future reference and action.
๐ก To make it easier to track everything in one place, we recommend documenting your audit findings in your Nonconformity tracker. You can find a template for this under the manual evidence task Track and address noncomformities.
2. Analysis and evaluation
Root cause analysis: Conduct a root cause analysis to identify the underlying cause of the non-conformity.
Evaluation: Evaluate the scope and potential repercussions of the non-conformity on the ISMS.
3. Formulating corrective actions
Action plan: Develop a detailed action plan outlining the steps to rectify the non-conformity.
Allocation of resources: Ensure the necessary resources, including personnel and tools, are allocated to implement corrective actions.
4. Implementation and monitoring
Implementation: Execute the corrective action plan diligently and within the stipulated time frame.
Monitoring: Continuously monitor the progress of the corrective actions to ensure their effectiveness.
5. Verification and closure
Verification: Once the corrective actions are implemented, verify their effectiveness in addressing the non-conformities.
Closure: On successful verification, formally close the non-conformity, updating the relevant documentation accordingly.
Understanding and addressing non-conformities are pivotal steps in achieving ISO 27001 compliance. Itโs a journey of learning and continual improvement, guiding your organization towards a resilient and robust ISMS. By embracing a structured approach to non-conformities, you pave the way for a secure and compliant future.