An ISO 27001 nonconformity is an organization’s non-fulfillment of a requirement of the ISO standard. Both major and minor nonconformities may be recorded in the process of a company’s certification audit. The presence of a major nonconformity means that a company cannot get certified.
An organization is at risk of nonconformity if they have not fulfilled the standard requirements of the ISO 27001; if an organization’s documentation specified a process the organization is not following; or if an organization is not upholding contractual requirements in its dealings with third parties.
A company’s ISO auditor will utilize nonconformities to judge the compliance of that company’s Information Security Management System (ISMS) against the ISO standard. An auditor will describe the nonconformity, provide evidence of the issue, reference by clause the requirement that is not being adequately addressed, and summarize what must be done to meet the stated requirement.
Examples of major nonconformities include: