Over the years, I have had the pleasure of delivering tens of ISO27001 Lead Auditor and ISO27001 Lead Implementer training courses across the world and many ISO27001 audits and ISMS implementations. One of the topics that people always find a bit challenging to grasp is the different levels of non-conformities that can be raised during the course of an audit and how they relate to the level of compliance or non-compliance. Common questions are "how many non-conformities are allowed in order to be compliant?" or "can you give me examples of non-conformities that would result in non-compliance?" The objective of this post is to provide some clarifications on the subject.
First of all, a non-conformity can be defined as the non-fulfillment of a requirement. If a company does not meet one of the requirements of the standard or if it does not comply with a law or applicable regulation or if it does not comply with its own policies and procedures, that is a non-conformity. On the latter point, company policies and procedures are controls that the company chooses to implement in order to respectively define clear roles and responsibilities to achieve specific objectives and to define how to fulfill one's responsibilities. Contrary to popular belief, most security policies and procedures are NOT a requirement imposed by ISO27001. Yet they are implemented by the company, willingly, to mitigate risks and, as such, the company must comply with them. Otherwise what's the point of having them? Remember that one of the key requirements of the standard is continuous improvement. Therefore, if you need a procedure, write it and follow it!
On the matter of non-conformities, the standard itself does not provide any grading. Non-conformity grading is used by certification bodies in order to assess the level of compliance and communicate it to the audited company, in the same way that a university professor assigns grades to students when marking their exam paper. Certain mistakes are more serious than others and some mistakes give the professor no confidence in the knowledge and competence of the student. The most common scale used to differentiate the levels of non-conformities includes only two levels, described below:
- Minor Non-Conformity – This non-conformity is associated with an instance of non-compliance that does not affect the overall effectiveness of the ISMS and the ability of the organization to achieve its information security objectives. Examples include a single missed backup review, a document without the appropriate version control, a single password found to be weak etc.
- Major Non-Conformity – This non-conformity is associated with an instance of non-compliance which does affect the overall effectiveness of the ISMS and the ability of the organization to achieve its information security objectives. Examples include no internal audits, an undocumented risk assessment, no information security policy etc.
The above definitions however are not sufficient. Context is everything and any non-conformity must be looked at bearing in mind the big picture of the ISMS, and one cannot generally get the full picture, or at least a good one, without having audited the entire ISMS. That is why the same instance of non-conformity can be either a minor or a major depending on the context. Let's look at the example of a weak password. A password that gives access to an end-user PC with little access to sensitive processes and information is one thing. If however that is the administrator's password for the company Internet banking site, that is another matter. Would the latter example be classed as a major non-conformity? Again it depends on the context. Why did the administrator choose such a weak password? Are there other controls in place that would mitigate the impact of an unauthorized access? Does the company have effective monitoring processes and controls to detect such weaknesses and intrusions? Was the company aware of it or would it have been caught off guard?
At this point, someone may think that if it always "depends", then when can we say that a non-conformity is really major? Let me give another example, which I always use in my classes.
Let's compare the company to a ship that has to go from port A to port B. ISO27001 is about making sure that the ship reaches port B, having assessed all the risks that could prevent it from achieving its goal, that the ship has a captain giving clear directions, allocating roles and responsibilities, and ensuring the ship's crew has all the necessary resources to reach port B. The choice of ports is up to the captain of the ship. What matters is the ability to reach the intended destination. In this example, ISO27001 is not about making sure the ship has no problems, but that the captain is aware of the problems that may affect the ability of their ship to reach the intended destination and that no major problem has been left out. Now, as we know, there exist different types of ships and different journeys (short, medium, around the world etc.), which is why the same type of problem may be acceptable for one ship/journey but totally unacceptable for another ship/journey.
The job of an auditor is to assess the ability of a company to reach its information security goals and to gather sufficient evidence to gain confidence about the same. A major non-conformity will occur when the auditor has gathered evidence that gives him/her absolutely no confidence in the ability of the organization to reach its goals.
Again here, one may feel an unbearable degree of subjectivity being applied to ISO27001 audits, which many people over time have lamented when talking about the meaning of being ISO27001 certified. It is true, an ISO27001 audit is a subjective view of an auditor or of an audit team, supported by relevant evidence. However, that is why ISO27001 certificates are not issued by the auditors themselves but by the Certification Body the auditor works for. And that is why the choice of a reputable certification body is important. The role of a certification body is to ensure its auditors are competent, have a consistent interpretation of the standard and have clear guidelines defining how to raise minor/major non-conformities, among other things. Reputable certification bodies are also accredited by Accreditation Bodies, which audit the certification bodies to ensure they act in a consistent manner and issue ISO27001 certificates in a responsible way.
Finally, it is important to remember that ISO27001 does not mean military grade information security. It simply means that the company defines what it wants to achieve as a business, and it clearly identifies, achieves and maintains the right level of security it must have to support the business and comply with applicable regulations and laws. When a company says it is ISO27001 certified, read the label (i.e. the scope) and see what they are actually doing. That is what an auditor will do to be able to grade non-conformities.