Over the last year, we, along with our friends at Assent, have been collating non-conformance data identified at Stage 1/Stage 2, continuous assessment visits, and recertification audits from various certification bodies.
Assent has touched on ISO 9001:2015 and used the dataset for a blog they have put together. Please head over to their published article for further information.
At AvISO we looked at the dataset specifically for ISO 27001:2013; here are our findings.
Data from 107 audits for ISO 27001 have been included within this dataset for 2021. The first key difference between the data from 2021 and the data from 2020 is the rapid increase in the number of audits conducted against 27001, which has increased by nearly 25%. This is fundamentally driven by the need for organisations to ensure that robust systems are in place to protect customers' data, whether it is handled in the office or at home.
As expected, the minor non-conformances have also increased with the total number of audits being conducted.
· Minor non-conformances raised in 2020 – 137
· Minor non-conformances raised in 2021 – 165
This equates to an 18% increase in the non-conformances raised from 2020 to 2021 – this is in line with the overall rise of audits being conducted.
The following key areas have contributed to this 18% increase:
· Access control
· Information security risk assessment & treatment (Risks and opportunities)
You could summarise from the above data that this increase in findings around access control, risk assessment/treatment, and infrastructure is due to the change to remote working and this process not being effectively implemented, mitigated, or communicated within an organisation's information security management system.
The above data can be broken down into the following control objectives from Annex A of ISO 27001:2013:
· A.9 – Access control – 2 minor non-conformances
o To limit access to information and information processing facilities
· A.9.2 – User access management – 16 minor non-conformances
o To ensure authorised user access and to prevent unauthorised access to systems and services
· A.9.3 – User responsibilities – none
o To make users accountable for safeguarding their authentication information
· A.9.4 – System and application access control – 1 minor non-conformance
o To prevent unauthorised access to systems and applications
The 16 minor non-conformances that have been raised against user access management could be due to the following weaknesses within an ISMS:
· Lack of formalised user registration and de-registration process
· Restriction and identification of privileges, access rights, and control of those users
· A review of user access rights
The key element to take from the above is ensuring that a review of user access is conducted periodically and whenever a fundamental change is implemented in an organisation, such as remote working.
I have included the following elements in the final dataset:
· Clause 6 – Planning
· Clause 8 – Operations
· A.12 – Operations Security
· A.16 – Information security incident management
As with the information found within the previous data, it appears at first glance that the areas of non-conformance are contained within the operations of an organisation. This includes actions to address risks to an organisation's data security and managing that risk through defined incident management, such as a disaster recovery plan/business continuity plan. This trend in findings could also be directly related to Covid and the certification bodies looking into how organisations are mitigating the risks associated with the pandemic and how this has been communicated within the organisation's management system.
Would you like to learn more about how we can help you gain certification to ISO standards, or about our software, training or consultancy solutions? Don't hesitate to contact us for a no-obligation chat, and one of our team will be more than happy to discuss this and our flexible pricing options with you.