ISO 27001 Non-Conformities

An ISO 27001 non-conformity is the non-fulfillment of a requirement, whether that requirement comes from the standard itself or from the policies and procedures the organization has written into its own ISMS. Auditors grade each finding as either major or minor during the certification audit. A major non-conformity blocks certification: the certificate cannot be issued (or maintained, at a surveillance audit) until the organization has implemented corrective action and the auditor has verified it.

Any organization can be found non-conformant if it does not meet the requirements of ISO 27001 or of its own documented ISMS. Findings range from minor ones, such as an isolated lapse in an otherwise working control, to major ones, such as systematically not following the processes described in the organization's own documentation, or engaging third parties without upholding the contractual security terms that were agreed.

Non-conformities are raised by the certification auditor, who assesses the organization's ISMS (Information Security Management System) against the standard. For each finding the auditor records a statement of the non-conformity, the objective evidence supporting it, and the clause of the standard (or the internal requirement) that is not being met, and grades it as major or minor. The organization then has to respond with a root-cause analysis and a corrective action plan; for a major finding, the auditor must verify that the corrective action has been implemented before certification can proceed.

Examples of major non-conformities that can cost a company its certification include:

  1. Failure to implement a requirement of the standard at all
  2. Absence of documentation that the standard requires
  3. A documented process or procedure that has broken down in practice and is no longer being followed
  4. An accumulation of minor non-conformities within a single process or element of the ISMS, which together indicate that the control is not working
  5. Misleading clients, partners, or prospects by misusing a claimed certification mark
  6. Minor non-conformities raised at a previous audit that remain unresolved
