If the auditor discovers something which (s)he thinks shows that your organisation is not meeting one or more aspects of ISO 27001, (s)he will record the facts which (s)he has seen on a form, and later ask the guide to sign and confirm that the facts are correct.

This does not mean that everything the auditor writes down is a problem. Auditors have to record in their reports all the good things they see as well.

If it is agreed that your organisation has not met one or more aspects of ISO 27001, your organisation will be asked to provide a plan to address the issue within a reasonable time scale. Subject to the non-conformance being addressed, your organisation will be awarded certification, or if you are already certificated you will retain certification (the third party accredited certification body conducts ‘surveillance’ or ‘continuing assessment’ visits, typically every six months).

If the failure, or non-conformance, is extremely serious, the assessment may be suspended until the issue has been addressed. If you already have certification, and then fail to address a serious non-conformance in the agreed timescale, the third party accredited certification body will start to take steps to remove your status as a firm registered to ISO 27001.