Instructions
Each of the following audit scenarios may include sufficient evidence of nonconformity with the requirements of ISO 27001. In the space provided, write the number and the sub-clause reference of ISO 27001 that most directly relates to the nature of the nonconformity. If more than one clause is directly relevant, note them all and circle the best one.
If insufficient evidence of nonconformity is shown, state what you would look for before concluding on the NC ranking (major or minor).
SAMPLE ANSWER FOR GUIDANCE: Circling the best clause is optional; in the majority of cases only one clause is identified. In place of the organization name, you may write ABC Pty Ltd. The category of nonconformity is decided by judgement: if the nonconformity may result in a complete breakdown of the management system, classify it as a Major Nonconformity.
Scenario 1 The auditee is unable to provide an ISMS Scope document identifying internal and external issues considered, requirements from interested parties for specific information security needs, or internal and external dependencies between activities performed within or outside the organization impacting internal processes.
This is a case where a nonconformity is to be raised because a standard requirement is not complied with. In this scenario, Section A needs to be filled in as below: first write the nonconformity statement, then the standard requirement, and then the objective evidence that was sighted. All three subsections are mandatory in the case of a nonconformity.
Section A
| Organization Name: | Non-Conformity no. |
| Process Under Review: | ISO 27001 Clause no. 4.3 |
| Category of Non-Conformity: Major/Minor |
| Nonconformity statement: The ISMS scope document was not available during the audit. |
| Standard Requirement: When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; b) the requirements referred to in 4.2; and c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information. (Taken directly from the standard.) |
| Objective Evidence: No scope document identifying the internal and external issues considered, the requirements from interested parties for specific information security needs, or the internal and external dependencies between activities performed within or outside the organization impacting internal processes could be produced during the audit. |
Section B
Further investigation:
Scenario 7
According to interviews with purchasing staff, purchasing employees use their private home PCs to email customers when confirming orders and customer requirements outside business hours and on weekends. The "Management System Manual" (MA-QA-01) only permits company or customer data to be processed on configured systems.
This is a scenario where there is insufficient evidence for raising a nonconformity, and hence further investigation is required. In this scenario, Section B needs to be filled in with bullet points listing the questions to be asked during further investigation, as below.
Section A
| Organization Name: | Non-Conformity no. |
| Process Under Review: | ISO 27001 Clause no. |
| Category of Non-Conformity: Major/Minor |
| Nonconformity statement: |
| Standard Requirement: |
| Objective Evidence: |
Section B
Further investigation:
- Does the organization's policy provide for the configuration of home PCs?
- What is the organization's policy for teleworking?
- What is the organization's mobile device policy?
- How is remote access provided when working from home?