In this article, we take a look at what non-conformance means, the difference between a major and a minor non-conformance, how to avoid and correct non-conformities, and we examine ten ISO 27001 non-conformance examples.
What’s an ISO 27001 non-conformity, anyway?
You might be asking yourself what a non-conformity is, exactly. The answer is quite straightforward. If your ISMS (Information Security Management System) doesn’t fulfil one of the ISO 27001 requirements, you’ve got yourself a non-conformity.
According to Wikipedia, a non-conformity generally occurs as a result of:
- Poor communication (or miscommunication)
- Poor documentation (or lack of documentation)
- Poor or limited training of personnel
- Poor motivation of personnel
- Poor quality materials (or lack of appropriate materials)
- Poor quality tools and equipment (or lack of appropriate tools and equipment)
- Poor or dysfunctional operating environment
It does get slightly more complicated, because not all non-conformities are created equal: there are major and minor non-conformities. Both will be noted during an audit, but a major non-conformity will result in a failure to be certified for ISO 27001.
What’s the difference between a minor and a major ISO 27001 non-conformity?
A minor non-conformity is:
- A partial fulfilment of one of the ISO 27001 requirements…
- A failure to fulfil a minor requirement, or…
- A once-off failure to meet one of the standard’s requirements.
A major non-conformity is:
- A repeated or untreated failure to meet one of the requirements, or…
- An issue that will impact your customers if not corrected, and/or…
- Essential parts of the ISMS that are missing or not implemented.
Requirements for ISO 27001
Let’s take a look at a topline overview of what the ISO 27001 requirements are:
- 4.1 – Understanding the Organisation and its Context
- 4.2 – Understanding the Needs and Expectations of Interested Parties
- 4.3 – Determining the Scope of the Information Security Management System
- 4.4 – Information Security Management System
- 5.1 – Leadership & Commitment
- 5.2 – Information Security Policy
- 5.3 – Organizational Roles, Responsibilities & Authorities
- 6.1 – Actions to Address Risks and Opportunities
- 6.2 – Information Security Objectives & Planning to Achieve them
- 7.1 – Resources
- 7.2 – Competence
- 7.3 – Awareness
- 7.4 – Communication
- 7.5 – Documented Information
- 8.1 – Operational Planning & Control
- 8.2 – Information Security Risk Assessment
- 8.3 – Information Security Risk Treatment
- 9.1 – Monitoring, Measurement, Analysis and Evaluation
- 9.2 – Internal Audit
- 9.3 – Management Review
- 10.1 – Non-conformity and Corrective Action
- 10.2 – Continual Improvement
ISO 27001 clause 10.1 – non-conformity and corrective actions
Mistakes happen. Even auditors know that. Of course it’s vital that you try to meet each and every requirement of the standard that you’re going for, in this case, ISO 27001. But even more important is that you record and resolve any non-conformities, once identified. You do this by taking corrective action.
Clause 10 (10.1 – 10.2) will help you to find non-conformities and take said corrective action. You should provide evidence of how you are ensuring that the corrective action you’re taking will return the company to a state of conformity. More about this later.
3 steps to conformity
Identified a non-conformity? You should follow these three steps:
- The first step in addressing a non-conformity is identifying what went wrong in the first place. You achieve this by identifying the cause of the problem by asking yourself ‘Why?’ This is called a root cause analysis.
In practice, the answer to the first “Why?” should prompt another “Why?”, the answer to the second “Why?” will prompt another, and so on. This method helps you to establish the root cause of a non-conformity.
- Next, you need to come up with the appropriate corrective action to stop and prevent the problem. Preventive actions are measures to prevent non-conformity from recurring.
- Once your corrective actions are in place, you start monitoring and reviewing the process.
It really is as easy as 1, 2, 3.
10 ISO 27001 non-conformance examples, both minor and major
It can be tricky to distinguish between minor and major non-conformities, but remember that much depends on the extent of the failure to fulfil a requirement, how frequently it occurs, and whether the failure is repeated or left untreated.
- A few unattended laptops found on employees’ desks, not secured with a cable lock.
- Closed Circuit Television (CCTV) malfunctioning while the audit is being performed.
- Absence of mandatory documentation.
- Internal audit is not performed within the organization.
- The leader of the organization is not involved in, or does not give attention to, the ISMS (e.g. does not attend important ISMS meetings, is not involved in the main/general policies) and does not provide resources for the implementation of the ISMS.
- No evaluation of ISMS performance.
- No evidence that asset management is maintained properly.
- Statement of Applicability (SOA) content not justified or inconsistent.
- Risk assessment process not followed or inadequate.
- Misuse of a certification mark, thus misleading customers.
What’s the difference between non-conformance and CAPA?
A non-conformance process and a Corrective and Preventive Action (CAPA) process are both vital for your QMS (Quality Management System).
Even though they are similar, it’s important to realise that some non-conformities will require CAPA and others won’t.
CAPA is a process which takes corrective or preventive action when an issue is identified by a customer, management, or an (internal or external) auditor.
The CAPA process follows five steps:
- Inquiry and assessment
- Planning and execution
- Review and verification
Only take these steps if the non-conformance is critical or systemic.
According to Intelex, to determine whether the problem needs to progress to CAPA, ask yourself three questions:
- Can the problem be fixed in the process?
- Did the problem result in waste, scrap, significant rework, or customer dissatisfaction?
- Is the non-conformity an indication of a more systemic problem, or is it likely to reoccur?
ISO 27001 non-conformity report example and mock scenario
ISO 27001 Guide provides a clear outline of the difference between a non-conformance report and a corrective action report in ISO 27001.
Let’s create our own mock scenario of a non-conformity in action using the first major non-conformity mentioned above, i.e. absence of mandatory documentation.
ISMS scope statement is missing
Root cause analysis (Why?)
Why? When questioned, the team showed a lack of understanding of which documents were mandatory.
Why? Management insisted that the team attempt to achieve certification without the help of an online tool or a third party.
Why? Management does not want to spend ‘unnecessary funds’.
The problem is evident – a lack of investment in the ISO 27001 certification process.
Suggested Corrective Action
It is now clear what the corrective action should be: a third party (such as Compleye) or an online ISO 27001 certification tool or platform (such as Compleye Online) should be used to find out what the mandatory documentation is and how to create an ISMS Scope Statement.
This is what the documentation for this non-conformity would look like:
Don’t let non-conformance stop you from making compliance (almost) fun!
The ISO 27001 non-conformance examples that we’ve provided are just a few of many that might form stumbling blocks for organisations wanting to achieve ISO 27001 certification.
To learn more about what you need to do to guarantee your ISO 27001 certification success and to find out how we’re making compliance (almost) fun, check out Compleye or book a demo below.