What an ISO27001 auditor should do if they see something they think should be different
This advice only applies to ISO27001 certification audits. It does not apply to any other kind of audit. To be clear - someone undertaking an internal audit does not need to do this.
Suggested approach and considerations
As a certification auditor if you come across something that you think should be different you have a number of things to check and a number of possible courses of action:
Initial checks.
1) Check if this is something in the scope of the Information Security Management System (ISMS). If not, then you won't be able to raise a non-conformity (NC) or opportunity for improvement (OFI), although you could possibly raise it verbally and informally with the organisation. As an example, the scope might cover only certain businesses in certain buildings, but you see something amiss in a building that is not in the scope, perhaps whilst having lunch.
2) Check if this is in the scope of the audit. A Stage 2 audit is likely to cover most of the clauses and most of the controls, but a surveillance audit may only cover some clauses and some controls. However, you are not constrained by the scope of the audit. If you see something amiss that is not in the scope of your audit you can still raise it formally with the organisation as an NC/OFI (subject to what is said below). As an example, at a surveillance audit you might not have planned to look at clear desk/clear screen, but whilst on site you see several instances where this is not being followed. If this is a necessary control then you could raise an NC.
3) If this relates to a control you will need to check that this is an applicable necessary control as defined in the Statement of Applicability (SOA). For example, you may see that they do not have a classification policy or approach in place and think they should have one, but if a classification policy/approach is not defined as a necessary control then you cannot raise an NC about it being "missing". You might of course think they should have a classification policy/approach, but the time to challenge this is with respect to the risk assessment and not whilst going about your audit. If the organisation does have a classification policy/approach but you can see clearly that it is not being followed, then you still cannot raise an NC unless the classification policy/approach is defined as applicable in the SOA. The organisation could have a classification policy, but it may not be a sufficiently important control for them to define it as necessary to manage any of the risks they manage using their ISMS. This article covers this point in some detail: https://www.dhirubhai.net/pulse/iso27001-auditor-should-never-say-control-statement-marked-chris-hall/
4) Check to see if this is something that they already know about and can provide evidence that they know about it and are dealing with it. It is not sufficient for them to say "Yes, we already know about that and are dealing with it". They need evidence somewhere (e.g. in their NC log), or they could have just "made it up". If this relates to a clause (4 to 10) then, even if they already know about it, you should probably still raise it, although you might choose to apply some discretion (strictly speaking you are not really supposed to). If what you have seen relates to a control and they can provide evidence that they already know about it, then you should not raise it as an NC or OFI. Perhaps it is already in an internal audit report and/or raised and documented as an NC in the ISMS and being dealt with. You should not raise an NC in these circumstances because this is the ISMS in action and operating how it should. This is covered in detail in https://www.dhirubhai.net/pulse/iso27001-auditor-should-raise-non-conformity-something-chris-hall/
Possible actions.
5) You ignore it and carry on. You might well choose to do this if your view is that doing something about this will make no or only a negligible difference to the management of the risks. You should not really do this for NCs against the clauses, but most auditors should be pragmatic about this to avoid any indication that they are being unduly harsh or pedantic. As noted in the previous point, if this relates to an issue with a control that the organisation does not already know about and is not dealing with, then you should probably raise an NC/OFI. But you do have a bit of discretion about this. Use this approach with care.
6) You talk to the organisation about it informally but do not document anything. An auditor will sometimes do this if the organisation is very open and responsive to suggestions and they say things like "A great idea, we will definitely do that". An auditor should not do this for NCs but might choose to do this for OFIs. However, I would suggest that in most circumstances you should formally raise these so that there is a proper record of them.
7) You raise an NC. Remember that you can only do this if you can refer to a specific requirement in clauses 4 to 10 and can identify objective evidence (i.e. facts) to support this.
8) You raise an OFI. An OFI should be viewed as harmless and non-contentious, as OFIs are simply recommendations and can be ignored by the organisation if they decide there is not sufficient value in doing them. Feel free to raise OFIs. After all, you will almost certainly have seen a lot more ISMSs than anyone in the organisation and may be able to add value by doing so. Strictly speaking you need to be very careful with OFIs, because certification auditors are not allowed to do consultancy, but if phrased carefully an OFI might be very helpful to an organisation. However, strictly speaking you need to remember at all times that your job is not to "add value". It is to assess conformance to clauses 4 to 10 of ISO27001.
If you decide you are going to raise an NC or OFI, there is some detailed guidance about this in https://www.dhirubhai.net/pulse/guide-raising-documenting-iso27001-non-conformity-chris-hall/
#iso27001 #chrishalliso27001 #NC #OFI #iso27001auditing
SOC Analyst
2 months
Useful tips
Cyber PATH Supervisor @ National CRC Group | CSTM | ISO 27001 Lead Implementer | Founder of iso27001.zip
3 months
Really enjoying these at the moment. It's nice to get some insight into the actual moment-to-moment of the assessment and the mechanisms you have access to for promoting conformance and information security. Thanks Chris
Milan Mahboob, DGM Quality at Eskayef Pharmaceuticals Limited
3 months
Insightful!
GRC Analyst/ Cyber security/Risk management/ Information Security Audit/ ISC 2 certified/ AWS Certified Cloud Practitioner
3 months
Chris Hall I really enjoy reading your views, even the opposed ones on IEC/ISO 27001. I've been immersing myself in books and watching videos about implementing the standard. Seeing conversations helps drive it home better.