What to do after a nonconformity is identified?
Finally you got your new house! It really is an absolute dream! Everything is furnished according to your wishes and the bathrooms have never been used. All the neighbors are jealous, but in a positive sense, because your cute golden retriever only plays in your garden and your garbage cans are equipped with the latest stop technology and therefore will not be blown away by the wind. Welcome Home! Same with an ISO certification!
To the outside world, it looks like there's nothing to complain about when you have certification. There is simply nothing to fault. Certifications sound like the ultimate! So in the ISO world, it means that your management system meets all security requirements.
And that, in turn, means you can assure your customers that you handle their data in an exemplary manner. But unfortunately, that's not always the case, and breaches do occur.
Now let's get to the topic of this blog: The audit of an ISO certification!
Such an audit is a bit like before a first date (5 years later you will buy that house we talked about at the beginning), an important exam or even the job interview at SpaceX.
At worst, nervous eye twitching until the auditor thinks you're trying to flirt away the nonconformities. Unfortunately, this will not bring anything, except for asking if everything is okay with you.
If the auditor finds fault, you are not meeting a compliance requirement, and that can impact you in many ways if that incident is not handled appropriately.
What to do when an auditor finds a non-conformity?
What is the protocol for remediation so that you can continue to meet the requirements for certification? Where is my right hand? What to do? Who is responsible for that? Hm, take a breath, and go for a walk (maybe with the dog).
How exactly non-conformities (minor / major) are defined in more detail, you can read in this blog.
This is about the difference between "correction" and "remediation". The goal is to know exactly what to do when these cases occur, and thus ensure that you ultimately receive certification anyway. So, let’s dive in.
What should you do after an ISO nonconformity is found?
Together, you and your certification body (your assigned auditor) will review, discuss and agree on all findings during the final meeting. At that time, your auditor will provide you with a nonconformity report detailing each finding.
Same as an awkward relationship conversation: „You wanted the dog!“ or „You never take care of the lawn!“ Okay…
They will also determine the conditions of certification for you depending on the severity of the finding(s).
For both major and minor nonconformities, you must submit a full report of the nonconformity within 14 days of completing the review. Your report should include an explanation of a corrective action plan (CAP), the cause of each nonconformity, and plans by when and how to correct it.
With such similar but different wording, misunderstandings can arise, so let's clarify!
For all major and minor nonconformities, you must provide proof of correction within 30 days of completing the review. It is called Evidence of correction (EoC).
This is your instant solution to the problem and part of your corrective action plan. That means, if something is missing, you have to put it in and so on.
- You must submit the completed corrective action plan and the evidence of correction before the auditor can issue you the certification and associated report.
- Likewise, evidence of corrective actions must be listed. This will show your auditor that you have now addressed these controls and the process has been fully implemented. Unlike the EoC, the remedy should address the above cause that caused the non-conformity so that it does not recur.
- For all major Nonconformities, you must provide this evidence within 60 days of completing the certification review. For all minor nonconformities, you must provide evidence of the remedy in time for the subsequent review.
While you are taking all appropriate action on any nonconformities identified during your assessment, your certification body will also assign them a status in the interim. Status classifications are defined as follows:
Open - A nonconformity is "open" if your assessor has not yet reviewed the corresponding CAP and EoC OR if either the corresponding CAP or EoC is unacceptable.
Closed - A nonconformity is "closed" if your auditor has reviewed the corresponding CAP, EoC, and timely evidence of corrective action and finds it acceptable.
This sounds simple at first, but a nonconformity will still be declared open if you only provide evidence of correction, but no evidence of an acceptable corrective action plan. And most importantly, meet the specified deadlines or your certification will be in jeopardy.
Let's use an easy one to demonstrate this: 27001:2013 Annex A.8.1 (Asset Management - Responsibility for Assets)
1. The control objective is "to identify organizational assets and define appropriate protection responsibilities." in this case, to achieve this, you need to consider four control areas:
2. Inventory of Assets: Information, other information-related assets, and information processing equipment are identified, and an inventory of these assets is created and maintained.
3. Ownership of assets: The assets listed in the inventory must be owned.
4. Acceptable Use of Assets: Rules for the permissible use of information and assets associated with information and information processing equipment are established, documented, and implemented.
5. Return of Assets: All employees and external users are required to return all assets in their possession to the organization upon termination of their employment, contract or agreement.
All right, that are the facts, and now? What happens when the auditor finds some nonconformity here:
Assumed minor non-conformity:
If you do not safely maintain an acceptable use policy that outlines the rules for the appropriate handling of your organization's assets. This is a failure to comply with requirement 3.
A suspected major non-conformity:
If you have failed to securely monitor and maintain a complete and accurate inventory of all information assets, and if you have also failed to identify the owner of the assets in the inventory list. 2/4 Error… oops.
What is the difference between a proof of correction and a corrective action?
The temporary solution - also known as Evidence of Correction (EoC) - is to create a complete and accurate inventory indicating the owner of each asset.
So the complete fix to the problem would be to not only properly create and maintain the directory, but also continuously and constantly update it. Simply a CAP - a corrective action plan!
To Sum Up: A constant bugaboo is the failure to address potential issues, especially when there are regulations. Certification to an ISO standard requires a lot of work up front. Nothing is more annoying than having to resell your dream home because the neighbors are incessantly accusing you of faults. And the dog couldn't do anything about it anyway. Poor puppy.