This document discusses continual improvement and audit findings related to ISO 27001 certification. It describes the three types of audit findings - conformity, non-conformity, and opportunities for improvement. For non-conformities, organizations must take corrective action, evaluate the root cause, and prevent reoccurrence. Organizations must also continually improve the suitability, adequacy and effectiveness of their information security management system. Audit follow-ups check that suggested corrections from previous audits were properly implemented and effective.
Contents
• Audit findings
• Clause 10.1: Nonconformity and corrective action
• Clause 10.2: Continual improvement
• Audit follow-up with example
• References
Continual improvement in kentico software development companies
Audit findings

Three types of audit findings:
• Positive finding: conformity
• Negative finding: non-conformity
• Observation: opportunity for improvement
Audit findings (continued)

Conformity: the policies and procedures of the organization match the audit criteria.
Non-conformity: the policies and procedures of the organization do not match the audit criteria.
Opportunity for improvement (OFI): improvements are suggested so that current policies and practices do not later turn into a non-conformity.
Clause 10.1: Nonconformity and corrective action

When a non-conformity occurs, the organization shall react to the non-conformity by:
• Taking action to control and correct it
• Dealing with the consequences
Corrective actions shall be appropriate to the effects of the non-conformities encountered.
Clause 10.1 (continued)

Evaluate the need for action to eliminate the causes of the non-conformity, so that it does not recur or occur elsewhere, by:
• Reviewing the non-conformity
• Determining the causes of the non-conformity
• Determining if similar non-conformities exist, or could potentially occur
Implement corrective action if needed.
Review the effectiveness of any corrective action taken.
Make changes to the information security management system (ISMS).
Documented information for Clause 10.1

The organization shall retain documented information as evidence of:
• The nature of the non-conformities and any subsequent actions taken
• The results of any corrective action

Nature of non-conformity:
• Minor non-conformity: part of a policy/procedure is not implemented
• Major non-conformity: the full policy/procedure is not implemented
Clause 10.2: Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.
[Figure: the three dimensions of continual improvement: suitability, adequacy, effectiveness]
Audit follow-up

• Conducted for continual improvement
• Check whether the corrective actions suggested in the previous audit were actually implemented
• Evaluate the effectiveness of the corrective actions
• Suggest any further corrective actions needed for the corrective actions already implemented
Audit follow-up checklist

• Is the implemented corrective action appropriate to the effects of the non-conformity encountered?
• Were the corrective actions implemented in a timely manner?
• Are the policies and procedures of the organization followed according to ISO 27001:2013?
• The auditor should sample for the effectiveness of implemented corrective actions and ongoing conformance.
Example of audit follow-up

Non-conformity (finding): the review of the policies for information security has not been done in the last 18 months.
This NC is raised against control A.5.1.2 of ISO 27001:2013, which states that the policies for information security shall be reviewed at planned intervals.
For the audit follow-up, the auditor shall therefore review whether the review of the policies for information security is now done at planned intervals.
iFour Consultancy Services
Visit these websites for more details:
http://www.ifour-consultancy.com
http://www.ifourtechnolab.com
THANK YOU!!!
Editor's notes
eCommerce solution provider India – http://www.ifour-consultancy.com