ISO27001 auditors cannot raise non-conformities based on their judgment, view, opinion, experience, or good/best/common practice.
One of the very popular ISO27001 myths is that ISO27001 certification auditors can raise non-conformities based on their judgment, view, opinion, experience, best practice, common practice, etc. They can’t. But for some reason that doesn’t stop them. I suppose that is because most auditees don’t know that the auditors are not allowed to do it.
Let us look at why this is the case.
First of all, what is a non-conformity (NC)? It is where:
1) You are not meeting a mandatory requirement in ISO27001 clauses 4 to 10. For example, you have not assigned owners to all the risks, or
2) You are not meeting one of your own mandatory requirements, i.e. you have stated/documented that X must happen or be true and it is not. For example, you say that all laptops must be encrypted but some are not.
Just a quick reminder that none of the Annex A controls are mandatory requirements of ISO27001 unless you make them mandatory under rule 2 above, i.e. if you decide that one or more of them are necessary controls to manage one or more of your risks.
The rules about this are defined in ISO17021 (the rules for certification bodies/auditors). It also says that an auditor can only raise an NC if they have objective evidence to support it.
Objective evidence is (from ISO):
“data supporting the existence or verity of something. Objective evidence can be obtained through observation, measurement, test, or by other means. Objective evidence for the purpose of audit generally consists of records, statements of fact or other information which are relevant to the audit criteria and verifiable.”
I.e. facts and data that are verifiable.
If you think about this for a minute you will realise this is quite a high bar. It means that if (say) 100 equally diligent auditors audited the same thing and selected the same samples for the audit, they would all raise the same NC. If that is demonstrably not the case then there is no NC.
Certification auditors do of course need to use their judgement to decide how to audit something and what samples to choose, etc. But they can’t use their judgement to decide if something is an NC.
Of course an auditor can raise an Opportunity for Improvement (OFI) about anything they like but an OFI is just a recommendation/consultancy and can be ignored if it is not considered by the organisation to add sufficient value.
A couple more related thoughts for you.
1) Auditors cannot raise NCs against controls. This is covered in this article. https://www.dhirubhai.net/pulse/why-you-should-never-get-major-minor-non-conformity-against-hall/
2) Auditors should not raise NCs about controls where you already know about the non conformity. See this article. https://www.dhirubhai.net/pulse/iso27001-auditor-should-raise-non-conformity-something-chris-hall/
I must admit I get tired of meeting certification auditors who do not understand this and seem to think that they can raise NCs without objective evidence, or who try to justify their NC with “objective evidence” that clearly is not. Sometimes they think just quoting the requirement in ISO27001 is sufficient objective evidence. It isn’t. They need to be able to prove it based on facts and data.
Chris
An index of all my articles is here: https://btrp.co.uk/Articles2
IATF 16949 | VDA 6.3 | ISO 9001 | ISO 14001 | ISO 45001 | ISO 50001 Internal auditor & QHSE and TISAX / Information security management system
1y: Apart from that conversation, auditor inputs / OFIs are always a help to organisations to develop or modify the system gaps instead of putting NCs.
Solopreneur, Organizational assessment (Oil & Energy), Certification personnel, API Lead Auditor, QR & Monogram (contract consultant) for API Middle East & India, Volunteering, Quality Coach, QMS Expertise.
1y: If there's factual evidence, an auditor would raise a non-conformance. Reviewed against audit criteria and applicable product specifications, any deviation would be a non-conformance. That's why few CBs are unique and have credibility, and others have lost business due to dilution. A customer gains confidence only if a CB is authentic and maintains the sanctity of the auditing and certification process.
Management Systems Consultant, Auditor & Trainer
1y: I have read 17012-1. The relevant paragraphs are: 9.4.5.2 - Opportunities for improvement may be identified and recorded, unless prohibited by the requirements of a management system certification scheme. Audit findings, however, which are nonconformities, shall not be recorded as opportunities for improvement. 9.4.5.3 - A finding of nonconformity shall be recorded against a specific requirement, and shall contain a clear statement of the nonconformity, identifying in detail the objective evidence on which the nonconformity is based. Nonconformities shall be discussed with the client to ensure that the evidence is accurate and that the nonconformities are understood. The auditor however shall refrain from suggesting the [root] cause of nonconformities or their solution. (my [...]) So, OFIs are legitimate unless specifically prohibited; I am not aware of any standards that prohibit OFIs. Nothing in the above suggests that the 'specific requirement' needs to be a clause in the standard (you already admit that anything the client's Management System deems to be required is fair game), and I would contend that the SoA, where controls are deemed applicable, is treated similarly. Thanks, P
Retired / Management Consulting
1y: At the core, the cause of this issue is the certification industry's refusal to provide effective auditor oversight, the certification industry's dedication to not solving problems, and the fact that no effective control over CBs exists. What has developed is an industry where the paying customer's voice is made mute, and the prime focus is on creating profit increases for the majority of the developers and improvers. It is an industry that is void of effective oversight. It is an industry where the basic rules are ignored. Also, one can and should question the quality of auditor training.
Management Systems Consultant, Auditor & Trainer
1y: I shall review 17021.