How to Address ISO 27001 Non-Conformities

ISO 27001 certification is a critical step for organizations aiming to secure their information and follow best practices in information security management. However, during the audit process, auditors may identify non-conformities, areas where the organization does not meet the requirements outlined in the ISO 27001 standard. While this may seem like a setback, addressing these non-conformities is an integral part of the certification and continuous improvement process. In this blog, we’ll explore how organizations can effectively address non-conformities during an ISO 27001 audit, ensuring they can achieve or maintain certification.

What are Non-Conformities in ISO 27001?

Non-conformities are gaps or deficiencies in the Information Security Management System (ISMS) that do not meet the requirements of the ISO 27001 standard. These can range from minor issues, such as missing documentation or incomplete processes, to more serious issues like inadequate security controls or ineffective risk management. There are typically two levels of non-conformities in an ISO 27001 audit:

Minor Non-Conformities: These are issues that do not pose an immediate or serious risk to the organization’s ISMS but still need to be addressed for full compliance. While not critical to the overall functionality of the ISMS, they require attention to maintain certification. Examples of minor non-conformities include:

  • Missing Documentation: For instance, an information security policy that lacks a version history or audit trail.

  • Incomplete Processes: Incomplete risk treatment plans that are missing updates for new identified risks.

  • Inconsistent Training Records: Employees' training completion records that aren't fully up-to-date, even though the content was covered during sessions.

  • Minor Gaps in Access Control: For example, access control logs that are not regularly reviewed, even though the system is functioning correctly.

Major Non-Conformities: These are more significant issues that directly impact the effectiveness of the ISMS. They require immediate attention and corrective action. If left unaddressed, major non-conformities could jeopardize the integrity of the ISMS and pose risks to the security of sensitive information. Examples of major non-conformities include:

  • Inadequate Risk Management: If the organization fails to perform proper risk assessments or implement risk treatment plans that adequately address identified threats, this poses a critical vulnerability to the organization.

  • Lack of Security Controls: For instance, an organization may fail to implement controls it has declared applicable in its Statement of Applicability, such as encryption, multi-factor authentication, or network intrusion detection for systems handling sensitive data. ISO 27001 does not mandate specific technical controls; Annex A controls are selected (or justifiably excluded) through the risk treatment process, so the non-conformity lies in not implementing what the organization itself committed to, or in excluding a control without a documented justification.

  • Unaddressed Information Security Incidents: If the organization has experienced a security breach but has failed to implement effective incident management processes or does not notify affected parties or authorities as required.

  • Non-Compliance with Legal or Regulatory Requirements: ISO 27001 expects the organization to identify the legal, statutory, regulatory, and contractual requirements that apply to it and to keep them satisfied. A significant issue arises when those requirements have not been identified at all, or when the organization fails to comply with the regulations it has identified.

Addressing these non-conformities promptly is essential for ensuring the continued security of the organization’s information systems and maintaining the ISO 27001 certification.

Identifying Non-Conformities During the Audit

Non-conformities are typically identified during either internal audits or external certification audits. Internal audits are conducted by the organization itself to confirm that its ISMS is functioning correctly and conforms to ISO 27001. External audits, performed by independent third-party auditors, assess whether the ISMS meets the requirements of ISO 27001 for certification. During the audit, the auditor will review various elements of the ISMS, including:

  • Risk assessment and treatment plans

  • Information security policies and procedures

  • Access control and data protection measures

  • Incident management and breach response procedures

  • Training and awareness programs

When a non-conformity is identified, the auditor will typically provide a report detailing the specific issue, the clause or Annex A control concerned, its impact on the ISMS, and the corrective action required. This report serves as a guide for the organization in addressing the non-conformity before the audit is finalized or certification is granted. In practice, certification bodies typically require major non-conformities to be closed, with evidence of the correction and corrective action (sometimes verified through a follow-up audit), before a certificate is issued or maintained, whereas for minor non-conformities an accepted corrective action plan is usually sufficient, with closure verified at the next surveillance audit.

Steps to Address Non-Conformities in ISO 27001 Audits

Once non-conformities are identified, organizations must take immediate and structured action to address them. The following steps outline how to effectively resolve these issues:

Step 1: Understand the Non-Conformity

The first step is to clearly understand the non-conformity. Review the audit report and the specific clause of ISO 27001 that was not met. Pay attention to the auditor’s explanation and any supporting evidence. Understanding the root cause of the non-conformity is key to determining the appropriate corrective action.

For instance, if a minor non-conformity relates to incomplete documentation, it’s essential to review the missing or incorrect documentation and understand why it was overlooked. For a major non-conformity, such as missing data encryption measures, a deeper investigation into the ISMS may be needed to understand the full scope of the issue.

Step 2: Root Cause Analysis

After identifying the non-conformity, conduct a root cause analysis. This involves determining why the non-conformity occurred. Common root causes may include:

  • Lack of proper training or awareness among employees

  • Ineffective communication between teams or departments

  • Insufficient resources allocated to information security

  • Inadequate documentation or record-keeping

  • Gaps in processes or procedures

  • Overlooked risks or security vulnerabilities

Performing a root cause analysis ensures that the corrective action addresses the underlying issue rather than just the symptoms, preventing the non-conformity from recurring.

Step 3: Develop a Corrective Action Plan

Once the root cause is understood, develop a corrective action plan. This plan should clearly outline the necessary steps to resolve the non-conformity and ensure it doesn’t recur. The plan should specify the actions required, assign responsibilities to relevant individuals or teams to ensure accountability, and establish a timeline for completion. It should also identify any resources needed, such as personnel, training, or software tools, to implement the corrective actions.

For example, if the non-conformity is related to inadequate risk assessment, the corrective action plan might include providing additional training for the risk management team, updating the risk assessment methodologies, and implementing a more robust monitoring system to better track and mitigate risks.

Step 4: Implement the Corrective Actions

With the corrective action plan in place, it’s time to implement the actions. Ensure that the individuals or teams responsible for each action carry out the necessary tasks on time. Monitor progress to ensure all corrective actions are completed as planned, and maintain communication throughout the process to ensure that everyone understands their responsibilities and deadlines.

Step 5: Verify the Effectiveness of the Corrective Actions

Once corrective actions have been implemented, verify their effectiveness. This might involve reassessing the areas where the non-conformity was identified to ensure the actions taken are producing the desired results.

For example, if the non-conformity was related to missing security controls, verify that the new controls are functioning as intended. If the non-conformity was related to employee training, check that employees have completed the required courses and can demonstrate their understanding of the information security policies.

Step 6: Document and Communicate the Results

Once corrective actions have been verified, document the results and communicate the resolution of the non-conformity to the auditor or certification body. Provide updated documentation or evidence that the corrective actions have been completed. Effective communication is essential: be transparent with the auditor and, for any actions still in progress, provide a clear timeline for when the non-conformity will be fully closed.

Referencing Clause 10.2 – Non-Conformities and Corrective Actions

ISO 27001, Clause 10.2, explicitly addresses how organizations should manage non-conformities and take corrective actions. This clause requires organizations to react to non-conformities, investigate their causes, and implement corrective actions to prevent recurrence. These actions must be appropriate to the effects of the non-conformity encountered.

According to Clause 10.2 of ISO 27001, when a non-conformity occurs the organization must:

  • React to it: take action to control and correct it, and deal with its consequences.

  • Evaluate the need for action to eliminate its causes, by reviewing the non-conformity, determining its causes, and determining whether similar non-conformities exist or could occur elsewhere.

  • Implement any corrective action needed.

  • Review the effectiveness of that corrective action.

  • Make changes to the ISMS where necessary.

  • Retain documented information as evidence of the nature of the non-conformity, the actions taken, and the results of the corrective action.

By following the requirements of Clause 10.2, organizations can ensure they systematically address non-conformities and improve their ISMS. This process helps maintain compliance with ISO 27001 standards while fostering continual improvement in information security management.

Preventing Future Non-Conformities

In addition to addressing current non-conformities, it’s essential to take proactive steps to prevent future issues from arising. One effective approach is embedding continual improvement practices within the ISMS. This fosters a more proactive stance toward information security management, reducing the likelihood of future non-conformities.

Some key strategies include conducting regular internal audits to identify potential issues before they escalate, providing ongoing employee training to ensure everyone understands their role in maintaining the ISMS, and continually performing risk assessments to stay ahead of emerging threats. Additionally, conducting regular management reviews to evaluate the effectiveness of the ISMS will help identify areas for improvement and make necessary adjustments.

Turning Non-Conformities Into Opportunities

Addressing ISO 27001 non-conformities during an audit isn’t just about fixing issues, it’s an opportunity to strengthen your organization’s overall security posture and ensure long-term compliance with ISO 27001 standards. While errors and non-conformities are a natural part of the process, it’s how they’re handled that makes the difference. By adopting a structured approach to identifying, resolving, and verifying non-conformities, organizations can turn audit findings into valuable opportunities for improvement, ultimately reinforcing their ISMS.

Focusing on continual improvement, transparency, and accountability ensures your organization remains committed to safeguarding sensitive information while meeting ISO 27001 requirements. Effectively addressing non-conformities demonstrates a proactive, robust approach to information security, building trust with customers, partners, and stakeholders, and showing that your organization is dedicated to evolving and growing in its security practices.

Ready for your ISO 27001 audit?

Whether you're approaching certification for the first time or undergoing a renewal, MHM delivers independent audits you can trust. Demonstrate your commitment to security, compliance, and continual improvement—partner with MHM to move forward with confidence.
