What is an ISO 27001 nonconformity?
Jessica Doering

September 8, 2022


Top ISO 27001 nonconformities

Nonconformities, bruh... sounds like you didn't do the dishes, or it was your week to take out the trash... or the laundry... the list just won't end. NO thanks. But when it comes to the security of your data or the data of your loved ones... uh-oh, who actually knows my phone code? So let's get back to the topic at hand - your business - and dive right in!

Let's assume that your ISMS is established and covers all relevant areas of your organization that relate to ISO 27001 certification. 

Phew, it’s time, so off to the certification audit... but what can actually happen there and what should I expect? Will I possibly get arrested? I mean, my ISMS is pretty good, but what is ever error-free? Was it all for nothing in the end? What actually happens if the auditor discovers deficiencies or even absolute no-gos?

Nervousness like at your best friend's wedding because you think the bride might run away. Take a breath... no one will be arrested, and maybe your best friend will be happy about this possible incident in the end.

C’mon “non-conformities”… We need to get serious about this, so read on and get the real facts: 

Of course, once your ISMS is in place and certification is pending, it's always good to know what to expect during the audit. Nonconformities are one of the most significant and uncomfortable outcomes of the certification audit. Therefore, you should know what to expect and what is involved.

What is a non-conformity?

A nonconformity is the failure to meet a requirement of the ISO standard. If there are requirements of the ISO standard that your company has not met, if your own documentation specifies a process that you do not follow, or if your company does not comply with contractual requirements when dealing with third parties, you are in the area of nonconformity.


The ISO auditor will use nonconformities to assess the compliance of your organization's ISMS with the ISO standard. The nonconformity will be described, evidence of the problem will be provided, the requirement that was not adequately met will be mentioned in a paragraph, and what needs to be done to meet the stated requirement will be summarized.

Why are nonconformities critical?

Nonconformities (there are two categories) are used in both internal and external audits. They are kind of a tool that allows the auditor to assess the extent to which your management system conforms to a standard. That means the more nonconformities you have, the less compliant you are. Nonconformities must be reported in an audit report.

The auditor records the following information in his report: 

1. General description of the non-conformity 

2. Audit evidence - point to a specific document or record that is missing or improperly used, an activity that is not performed or is performed incorrectly, etc.

3. Reference to the exact requirement - e.g. the specific number of the clause in the standard, procedure or contract.

4. Summary of the requirement - usually a restatement of what the standard, internal document, or contract requires



The differences between serious and minor nonconformities

Both serious and minor nonconformities may be identified during the certification process. The presence of a serious nonconformity means that a company cannot get certified.

The definition of a minor nonconformity is simple: it is any nonconformity that is not serious. For example, a minor nonconformity could be that the backup was performed every day except one day in a given month. But(!) the quantity makes the difference, so read on!


Examples of serious nonconformities


When the certification process goes to the dogs in any case…  


  • Complete failure to meet a specific requirement of the standard:  If your company did not meet a certain requirement at all - for example, you did not conduct a management review at all, even though it was required by the standard.

  • Breakdown of a process or procedure: If your procedure got completely out of hand - for example, if you were required to perform a backup once a day, but the backup was performed only a few times a month, or even better, randomly. One mean muh…

  • The accumulation of minor nonconformities related to a process or an element of your management system that points to a larger problem, or the absence of mandatory documentation: When multiple minor nonconformities occur that relate to the same process or element of your ISMS - a good example is employee security awareness training, for example, when certificates are not present.

  • Misuse of a certification mark and thus misleading customers: If a certification is misused - e.g. false claims towards your customers.

  • Minor nonconformities that are not corrected within the time period provided for their correction: If a minor error found during the last audit was not corrected within the time limit, this minor error automatically becomes a major error.

What to do? SIMPLE! Don't put yourself in a position where a major nonconformity pops up. Use Secfix to make sure you're properly implementing the ISO standard! Not just to get a certification to brag about, because experienced auditors notice when you've only set up your system in theory. Crafty people... these auditors.
