
Classifying Findings: Major Nonconformities, Minor Nonconformities, Observations

Lesson 14/18 | Study Time: 25 Min

During an ISO/IEC 27001 audit, identifying and classifying findings accurately is essential to understand the severity of issues discovered and to prioritize corrective actions.

Findings typically fall into three categories: major nonconformities, minor nonconformities, and observations.

Major Nonconformities

A major nonconformity represents a significant failure in the ISMS that seriously impacts its ability to meet ISO/IEC 27001 requirements or achieve its intended results.

Examples include the complete absence of a required process, a systemic failure affecting multiple clauses or controls, or nonconformities that jeopardize product or service security.

Major nonconformities call the effectiveness of the ISMS into question. The certification body will normally require the organization to analyse the root cause, implement corrective action, and provide evidence that the action was effective before certification or recertification can be granted.

For instance, if risk assessments are not performed or if critical controls like access management are not implemented, these would be considered major nonconformities.

Minor Nonconformities

Minor nonconformities are less severe deviations that do not critically impair the ISMS’s overall functioning but still represent lapses or weaknesses that need correction.

Examples include an isolated lapse in applying a control, incomplete documentation, or a procedure that is followed inconsistently. While these do not immediately threaten the ISMS’s integrity, they must be addressed within an agreed timeframe, typically through a corrective action plan whose closure the auditor verifies at the next surveillance audit. Left unaddressed, or if several minor nonconformities point to the same underlying weakness, they can be escalated to a major nonconformity.

An example might be missing signatures on a few policy documents or a one-time failure to follow a control procedure.

Observations (Opportunities for Improvement)

Observations, also known as opportunities for improvement (OFIs), are suggestions or minor concerns identified during an audit that do not constitute nonconformities but could enhance the ISMS’s efficiency or effectiveness. Note that terminology varies between certification bodies: some use “observation” for a situation that could become a nonconformity if left unattended and reserve “OFI” for pure improvement suggestions, so check how your auditor defines each term.

They highlight areas where processes could be optimized or risks further minimized. Organizations are encouraged to consider these observations proactively, though they are not mandatory to resolve to maintain certification.

For example, an auditor might note that improving employee awareness training frequency could enhance security culture.

Importance of Accurate Classification

Properly classifying findings helps organizations focus their resources effectively, addressing critical risks promptly while planning improvements for less urgent issues.

It also guides auditors in making certification decisions and supports continuous improvement in the ISMS.