When preparing your organisation for ISO27001 certification, a major non-conformity is your obvious worry.
A major non-conformity (i.e. a failure to meet the requirements set out in the standard) will result in your organisation not being recommended for certification. You will have a certain time period to address these issues and to reapply for certification, but this will of course cost you extra time, money and resources.
Robert Whitcher, Product Manager at BSI America has addressed the most common major non-conformities in ISO27001.
- The biggest culprit of major non-conformities in ISO27001 is establishing the ISMS (Clause 4.2.1). 18% of companies fail to define the scope, the ISMS policy, the risk assessment, the analysis of risks or the statement of applicability.
- 11.5% fail to comply with Clause 7: Management review of the ISMS. Management are meant to review the organization’s ISMS at planned intervals (at least once a year) to assess opportunities and improve the ISMS; all of which should be clearly documented.
- 10.5% of companies fail to comply with the Internal ISMS audit (Clause 6): they do not conform to, effectively implement or perform what the audit expects of them.
Make sure you avoid all major non-conformities by purchasing a copy of the ISO27001 standard. Errors in documentation can also be solved by investing in a documentation toolkit, such as the No 3 Comprehensive ISO27001 ISMS Toolkit.
It may also be wise to book on to one of our training courses, depending on your level of involvement with the project. IT Governance has a range of courses from Foundation through to Internal/Lead Auditor and then through to Lead Implementer.