The three audit findings that would prompt you to raise a nonconformity report are:
• The organisation is treating information security risks in the order in which they are identified
• The organisation’s risk assessment criteria have not been reviewed and approved by top management
• The organisation’s information security risk assessment process is based solely on an assessment of the impact of each risk
According to ISO/IEC 27001:2022, clause 6.1.2, the organisation must establish and maintain an information security risk management process that is consistent with the organisation’s context and aligned with its overall risk management approach [1]. This process must include the following steps:
• Establishing the risk assessment criteria, which must be approved by top management and reflect the organisation’s risk appetite and objectives [2]
• Identifying the information security risks, which must consider the assets, threats, vulnerabilities, impacts, and likelihoods [3]
• Analysing the information security risks, which must determine the levels of risk and compare them with the risk criteria [4]
• Evaluating the information security risks, which must prioritise the risks and decide whether they need treatment or not [5]
Therefore, the audit findings B, E, and F indicate that the organisation is not following the required steps of the information security risk management process, and thus are nonconformities with the standard.
The other audit findings are not necessarily nonconformities, as they may be acceptable depending on the organisation’s context and justification. For example:
• Audit finding A may be acceptable if the organisation has identified and treated the additional information security risks that are relevant to its scope and objectives, and has documented the rationale for doing so [6]
• Audit finding C may be acceptable if the organisation has assigned clear roles and responsibilities for the information security risk management process, and has ensured that the risk owners have the authority and competence to manage the risks [7]
• Audit finding D may be acceptable if the organisation has defined and communicated the meaning and implications of the emoji-based risk classification, and has ensured that it is consistent with the risk criteria and the risk treatment process [8]
• Audit finding G may be acceptable if the organisation has justified the use of discrete values for the probability of the information security risks, and has ensured that they are realistic and consistent with the risk criteria and the risk analysis method [9]
• Audit finding H may be acceptable if the organisation has established and maintained different systems for assessing operational and strategic information security risks, and has ensured that they are integrated and aligned with the overall risk management approach and the ISMS objectives [10]
References:
[1] ISO/IEC 27001:2022, 6.1.2
[2] ISO/IEC 27001:2022, 6.1.2 a)
[3] ISO/IEC 27001:2022, 6.1.2 b)
[4] ISO/IEC 27001:2022, 6.1.2 c)
[5] ISO/IEC 27001:2022, 6.1.2 d)
[6] ISO/IEC 27001:2022, A.0.2
[7] ISO/IEC 27001:2022, 5.3
[8] ISO/IEC 27001:2022, 6.1.2 a) 2)
[9] ISO/IEC 27001:2022, 6.1.2 c) 2)
[10] ISO/IEC 27001:2022, 6.1.2 a) 1)