A key part of any security framework, from FedRAMP to ISO 27001, is enforcement. Putting out a set of standards is only as effective as the ability to penalize failure to comply.
Within the ISO ecosystem, compliance is validated through the use of external audits. The auditors will evaluate your organization based on both ISO standards and other external factors, like regulatory requirements within your industry.
When a flaw or gap is found, the auditor will inform you about it, and provide information on what next steps you should take. They aren’t going to do all of the work for you, but they’ll put you on the right track.
There are, broadly speaking, two kinds of suggestions that come from an auditor: identification of nonconformities and opportunities for improvement. These are both specific terms with defined meanings, and they’re used throughout the ISO architecture, not just in ISO 27001. You can, for example, have ISO 9001 nonconformities as well.
While the two (nonconformities and opportunities for improvement, or OFIs) are similar, they have very important differences and mean specific things, so it’s important to know what they are. So, let’s go through the differences, what they mean, and what you should do when your auditor informs you of one or the other.
BLUF - Bottom Line Up Front
Enforcement is central to any security framework; standards work only if failure brings penalty. External audits validate ISO compliance and identify nonconformities and opportunities for improvement (OFIs). Nonconformities are failures that require correction or risk loss of certification; they can be major or minor. OFIs are optional recommendations that raise security and show continuous progress; they may be skipped for valid reasons like scope, risk tolerance, or poor cost benefit.
What is a Nonconformity?
A nonconformity is an identified area of failure to comply with a requirement in the framework. You are meant to implement your ISMS such that you conform with ISO 27001 rules.
A nonconformity is not an incident. It is, however, a gap in your implementation that could later become an incident if it is identified and exploited. When an auditor identifies nonconformities, they are telling you about areas where your implementation needs improvement.
Nonconformities:
- Represent a failure to meet the standard of ISO 27001.
- Offer you a chance to improve your security posture.
- Can, if not corrected, jeopardize your ISO certification.
The last one is the most important point. If an auditor identifies nonconformities in your ISO 27001 implementation, you will be given the opportunity to correct them (similar to the concept of POA&Ms in CMMC) on a timeline. If you do, you’re good to go. If you fail to correct them, however, you’ll fail your audit, and you won’t be granted ISO certification. If you already had certification, you can lose it.
That is one of the biggest keys to understanding nonconformities: action to correct them is required. At least, it’s required if you intend to keep ISO certification.
Two Types of Nonconformities
Nonconformities fall into two categories: major and minor.
Major nonconformities are serious, significant failures to comply with the rules of the ISO 27001 framework. They include:
- A complete failure to fulfill a requirement.
- A process that has fallen apart completely and doesn’t function.
- A misuse of a certification mark.
- A minor nonconformity that is left past its resolution deadline.
- Numerous minor nonconformities centered on the same process.
Any of these categories makes for a major nonconformity. Major nonconformities need to be dealt with ASAP and typically have a significant impact on the overall ISMS.
Minor nonconformities are the catch-all category for any nonconformity that isn’t major. They generally don’t get in the way of ISMS operation, but they still represent a risk, however small it may be.
Major nonconformities may include things like:
- Employees who don’t follow the required security procedures.
- A breach of company data.
- A misconfigured firewall allowing external access to internal systems.
Meanwhile, minor nonconformities may include problems such as:
- A security policy that is not updated.
- A terminated employee’s user account not being properly removed.
- An employee security training session that is not completed on time.
When an auditor identifies a nonconformity, they will describe it to you, provide evidence from the audit that proves the nonconformity exists, refer you to the specific ISO 27001 clause governing the nonconformity, and summarize what you need to do to comply.
How to Handle a Nonconformity
Dealing with a nonconformity is relatively simple in concept: just fix the problem.
ISO 27001 clause 10.1 is the relevant clause outlining the full process.
First, you will generally need to identify the nonconformity (or confirm the auditor’s identification of it). Internal audits can find nonconformities without the burden of an external auditor doing it, and further investigation may be necessary.
Then, you react to the nonconformity by taking whatever immediate actions are necessary to control it, and then correcting what needs to be corrected to fix the nonconformity. If necessary, you will also need to deal with any consequences for that nonconformity.
Next, you need to evaluate the nonconformity in the context of your overall ISMS. Is it an isolated, one-off problem, or a symptom of a larger failure to comply throughout your organization? Could there be other related nonconformities stemming from the same underlying issue? This also needs to be addressed.
Once you’ve fixed your nonconformity, you will need to validate that fix. For internal audits, that just means monitoring the situation and ensuring that it’s no longer a problem. For external audits, what you do depends on the type of nonconformity.
- For minor nonconformities, submitting an analysis and remediation plan is usually enough.
- For major nonconformities, the auditor will need to validate the fix.
All of this, of course, is documented. If necessary, it may need to be reported to various authorities, depending on the kind of nonconformity and what it impacted. It’s obviously far more severe if a nonconformity was actively exploited than if it was identified and fixed before anyone used it.
Nonconformities can be identified at your initial certification audits, during routine internal audits, and during recertification audits. You might also simply notice them through routine operations, without an audit involved. It doesn’t matter when they’re identified; they need to be fixed ASAP.
What is an Opportunity for Improvement (OFI)?
Nonconformities are cases where you fail to meet the mark. Opportunities for improvement are a little different: they’re areas where, while you meet the minimum standards, you can take some action and still improve your overall security or compliance. Again, like nonconformities, opportunities for improvement apply to any ISO standard, not just 27001.
While a nonconformity can jeopardize your ISO 27001 certification, an opportunity for improvement will not. However, an OFI could later become a nonconformity if the underlying standards change. ISO/IEC moves slowly, though, so that’s not very likely.
Put simply, an opportunity for improvement is a change an auditor has identified that you could make to improve the security and operations of your business, without putting undue burden on your organization. They’re gentle suggestions, a way to make your business more secure. But, above all, they’re optional.
Opportunities for improvement can be beneficial in a few ways.
- They can help increase your overall security posture across your organization.
- They can help ensure you’re in compliance with other security regulations, like GDPR, HIPAA, or CMMC.
- They can help strengthen security, so you’re not the low-hanging fruit that makes an easy target.
- They can help reduce the workload or documentation burden of uneven security.
For example, ISO 27001 requires you to use encryption to store and transmit data according to various industry and regulatory needs. Many organizations choose to encrypt only sensitive data, using only the most readily available cryptographic standards.
An auditor might look at that and say, “You know, if you just used this slightly better encryption method, across all of your data, it’d be a lot easier and better for you.” That’s an opportunity for improvement. Better encryption, applied across the board, is easier to manage and can prevent leaks of even non-sensitive data in any potential breach.
Other potential OFIs might include things like:
- Your response time to security incidents is within regulatory requirements, but on the slow end; making it faster helps speed up reactions and minimize damage.
- Use of multi-factor authentication is mandatory for employees handling sensitive data, but by requiring it for everyone, you minimize the risks of any account, however minor, being compromised.
- Employee training to avoid phishing emails is required, but you may also want to set email filters organization-wide to prevent them from arriving in the first place as well.
There’s one other significant benefit to paying attention to and implementing recommended opportunities for improvement. They’re tangible changes you make to improve your security posture. One of the things that ISO 27001 recertification audits look at is your continual monitoring and improvement over time. By implementing OFI suggestions, you demonstrate your willingness to improve above and beyond the bare minimum, which is a point in your favor.
Why People Feel OFIs are Bad
One thing we want to talk about here is the simple fact that nonconformities and opportunities for improvement are talked about in the same way at all. There are a couple of reasons for this.
The first is, of course, the source. Auditors will review your compliance and your ISMS, and will give you a report with both nonconformities and OFIs listed. This makes them feel like they’re part of the same whole.
Another is that “opportunity for improvement” has been “business slang” for getting in trouble for many years. In those more casual settings the phrase is almost never used as a good thing; instead it’s a euphemism for problems that need to be solved in order to keep a job.
This means many people are conditioned to view nonconformities and opportunities for improvement in the same light. Essentially, many tend to treat OFIs as if they were minor nonconformities, minor nonconformities as if they were moderate, and major nonconformities as major.
The reality is different. Nonconformities, yes, are bad. They’re holes and gaps that need fixing in order to proceed. OFIs, meanwhile, are optional suggestions for even better performance. They’re a good thing; tips from experts to improve your security in ways that benefit everyone.
Shifting your way of looking at OFIs can be a good way to realize they’re a good thing for your organization. If an auditor is giving you OFIs, it’s not because you’re failing in some way; it’s because they want you to succeed more than you already are.
- Nonconformities are a failure to live up to a standard; OFIs are a way to exceed the standard baseline.
- Nonconformities have to be addressed to earn or maintain certification; OFIs are optional areas to grow and improve.
- Nonconformities can have significant consequences; OFIs generally do not.
Understanding the difference is key to having a good experience with your audit reports.
Valid Reasons to Ignore an Opportunity for Improvement
While OFIs are optional, they’re often considered recommended, and many companies treat them as mandatory. But there are some good reasons why you might want to ignore an OFI when it’s given to you.
Some of these reasons include:
- It’s outside your scope. Scoping is a big part of effective security, and expanding your scope needlessly presents a larger threat surface and may not actually be helpful.
- It’s within your risk tolerance. If your organizational risk analysis has shown that you can accept some small risk in this area, improvement may be an expense without much benefit.
- It’s not actually an improvement. You may have, for example, alternative ways to solve the same problem already implemented, but which are outside of the ISMS framework, and so the auditor didn’t see them.
- The cost-benefit isn’t there. Sometimes the auditor’s view of what is involved in an OFI is different from yours, and your own cost-benefit analysis shows that the costs or the disruption to your business would be too severe for the benefit.
This is why OFIs are firmly considered optional. As long as you’ve met or exceeded the baselines for ISO 27001, you don’t need to go above and beyond; in fact, it doesn’t make sense to do so, and can dilute more important efforts.
Tracking Nonconformities and Opportunities for Improvement
When you undergo an audit, you’re given a report that discusses any nonconformities you may have, their status, and their deadlines. You’ll also be given any opportunities for improvement that the auditor wants to suggest.
Tracking all of this is important. That’s where we come in. The Ignyte Assurance Platform is a comprehensive dashboard for many different frameworks, including ISO 27001, and it can help a ton in this area.
For one thing, by using the Platform to track your ISO implementation, you’re less likely to have nonconformities in the first place. If you do have any, their status can be easily tracked through the dashboard. OFIs, likewise, can be aggregated and tracked in their implementation.
To see how it can all work for you, and make the compliance process for ISO 27001 dramatically easier, just get started by reaching out for a demo today. We’ll show you how it works and how it can help you succeed, more quickly and more easily than ever before.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.