ISO 27001 Certification: What’s next after receiving the audit report?

For those who already run a management system, like an ISMS based on ISO 27001, the certification audit event is already familiar: the auditor arrives, holds the opening meeting, evaluates processes and records, states the result, and prepares the audit report, closing this phase of the audit process. So why did I say “this phase” of the audit? Isn’t it over yet?

Depending on the report’s content, there may be a lot of work left for the organization to do. To help you get the most value from this report, and not overlook any crucial issues, let’s see what you can find in it.

Audit report main parts

In general, an audit report is composed of:

  • data identification: report ID and date, audit period, audit team, etc.
  • scope: the organizational unit, process, or product that was audited
  • evaluation criteria: the reference used to perform the audit
  • evidence trails: a brief description of what was audited (process names, locations, evidence, etc.)
  • results: conclusions of the audit team, which include:
    • recommendation status
    • nonconformities
    • opportunities for improvement

I’ll also talk a little about the use of the audit report information in management review.

Recommendation status

The most important result of the certification audit report is that it states whether the organization’s ISMS complies with the ISO 27001 requirements, and therefore whether certification should be granted. The possible statuses are “recommended,” “recommended upon action plan development,” and “not recommended.”

A “recommended” status means no nonconformities were identified during the audit. The difference between the other two statuses depends on the type of nonconformities identified, which I’ll present in the next section, together with what you should do to achieve your ISMS certification.


Nonconformities

Nonconformities occur when the organization does not fulfill what is required by the standard, by its own documentation, or by a third party. Some examples of nonconformities are:

  • lack of a specific record defined as required by the organization
  • a usual practice adopted and maintained by the organization that is not documented (e.g.: prototype development by a design company)
  • a process that is required by the standard and is not being performed properly (e.g.: management review)

Since nonconformities are failures to address management system requirements, the organization must, according to ISO 27001 clause 10.1 (nonconformities and corrective actions):

  1. react in a proper way to control and correct them,
  2. treat the consequences,
  3. evaluate the need to eliminate or control causes,
  4. implement corrective actions to address causes,
  5. review the effectiveness of the corrective actions, and
  6. change the organization’s ISMS whenever necessary.

For certification audit purposes, nonconformities are classified as major or minor, which defines the demanded actions.

A minor nonconformity is a deviation that doesn’t compromise the management of the ISMS, and leads to the “recommended upon action plan development” status. For this kind of nonconformity, a simple action plan shall be defined and sent to the auditor. Upon receipt and approval of the plan, the auditor proceeds with the recommendation for certification of the ISMS. Note that you have a deadline to send this plan (from 5 to 10 days), and on the next audit the plan’s results will be evaluated by the auditor.

On the other hand, major nonconformities are problems that compromise the operation of the ISMS as a whole, resulting in the “not recommended” status. Once identified, the organization must correct major nonconformities before the certification audit can proceed. And, since these problems normally take time to correct, a new visit by the auditor will be required to finish the process. Good monitoring processes (see ISO 27001 clause 9) are an excellent way to avoid such problems.

For more explanation about major and minor nonconformities, see this article: Major vs. minor nonconformities in the certification audit.

Opportunities for improvement

These are situations where, from the auditor’s point of view, the organization can increase the suitability, adequacy, or effectiveness of its ISMS. Examples of opportunities for improvement are:

  • incorporation of new or updated technologies (e.g.: adoption of cryptographic solutions)
  • adoption/exclusion of activities in business processes (e.g.: inclusion of check points in critical activities, or exclusion of activities that don’t affect business results)

Since an audit assesses conformity based on samples, which represent only a fraction of the organization’s reality, there is no standard requirement demanding that an organization treat opportunities for improvement; however, they should always be reviewed to determine their value to the organization and whether they are worth implementing.

The audit report in the management review

Since audit results are required inputs for the management review (clause 9.3, item c) 3)), the organization shall be prepared to present to management the nonconformities identified, the action plans defined, and the evaluations of opportunities for improvement.

In this situation, not only is the information in the auditor’s report useful, but so is the information provided by those who accompanied the audit process (the auditor’s guide or the audited personnel). They can provide insights on aspects not identified by the auditor, but that can be sources of vulnerabilities or additional opportunities for improvement. For example, by understanding the auditor’s method of following evidence trails, the staff may realize that their backup process can fail in a specific scenario and devise a plan to avoid that.

Explore all available audit information to your advantage

Besides its value to the certification process, I consider the audit report one of the most valuable sources of information for improving any management system. The fact that the audit is performed by someone normally outside the audited process workflow (e.g.: an internal auditor, a consultant, or a certification auditor) means that it can provide a different and fresh view of the practices adopted in the organization’s operational and management activities.

To help you track and handle all of the nonconformities found during the certification audit, and the corrective actions put in place, you can use this Conformio compliance software.

Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.