Audits and found non-conformities are crucial elements of information security management. Audits and non-conformities drive organizations toward continuous improvement, making security a living, evolving process rather than a checkbox exercise.
Audits help you identify weaknesses before they become incidents and track your security progress over time. Non-conformities provide an opportunity for learning and growth and foster a culture of accountability. Organizations that embrace audits see them as a tool for refinement rather than punishment.
What are information security or ISO 27001 audits?
Information security audits are systematic evaluations of an organization's information security. Audits aim to ensure the organization actually operates according to its set requirements or chosen best practices to safeguard its information assets.
Goals of an information security audit usually include:
- Assessing compliance: Verify that the organization actually complies with its internal policies or chosen frameworks (e.g. ISO 27001, NIS2, GDPR, HIPAA).
- Identifying non-conformities: Detect parts of policies that are not being properly implemented, or more technical vulnerabilities in systems or applications that could be exploited by threats.
- Evaluating controls: Analyze whether the defined controls are effective in protecting information assets and find the areas where improvement is most critical.
- Demonstrating accountability: Provide evidence of due diligence in running the ISMS and managing risks.
What is the difference between internal and external audits?
Audits can be carried out internally by competent employees with the proper authority (internal audit) or externally by chosen independent partners (external audit).
Some audits are done mainly from a compliance point of view (compliance audits) and some from a more technical point of view (technical audits), focusing e.g. on specific data systems or topics (e.g. network security, application security).
Do non-conformities equal failing an audit?
"Failing" a security audit basically means that the organization didn't meet all the requirements of the standard at the time of the audit, and thus some non-conformities were identified.
After this the organization has the opportunity to address the non-conformities with corrective actions. This means coming up with a corrective action plan and implementing those corrections. In certification audits, the corrections for major non-conformities need to be verified by the auditor. For minor non-conformities, verifying the corrective action plan is enough.
It's important to understand there's really no failure in the audit process. The auditor will help you identify non-conformities and other improvement potential. Even when non-conformities are spotted (which is quite normal), you will have a clear to-do list for improving your information security.
10 most common non-conformities in ISO 27001 audits
1. No clearly defined overall risk management procedure
📌 Related ISO 27001 section: 6.1.2 – Information security risk assessment
🔍 What's missing?: Organizations may fail to provide a clearly defined risk management procedure according to which information security risk management is implemented. This should include e.g. the risk evaluation criteria used and how treatment actions are defined and monitored. The procedure should also explain how often and where risk management is carried out.
💡 How to fix?: Implement a structured risk management process (often supported by an ISMS app). Have a core "Risk management procedure" report available that explains all the key steps and is updated in a controlled manner. Ensure regular reviews and workshops on information security risk management, at least quarterly or when significant changes or need occurs.
2. Weak risk treatment evidence
📌 Related ISO 27001 section: 6.1.3 – Information security risk treatment
🔍 What's missing?: The organization has identified risks but does not have sufficient evidence to demonstrate how these risks are being mitigated. Treatment plans for risks are vague, missing concrete actions, timelines, or responsible persons, making it difficult to track progress. Organizations rely on verbal assurances or outdated documents instead of maintaining verifiable records of treatment implementation.
💡 How to fix?: Risks that are prioritized for treatment should get a clear risk treatment plan, including the chosen treatment option (accept, mitigate, transfer, or avoid), specific safeguards to mitigate the risk (linked to ISO 27001's Annex A when relevant), responsible persons and due dates. Evidence of implementation should be generated in your ISMS.
⭐ Extra: Use an integrated ISMS tool to ensure risk evaluations and treatment are done and tracked in the same place as any information security measures, to ensure visibility into risk treatment progress.
Take a controlled number of risks into treatment, and verify in regular risk management sessions that the decided actions are progressing.
3. No arranged internal audits or management reviews
📌 Related ISO 27001 section: 9.2 – Internal audit & 9.3 – Management review
🔍 What's missing?: No internal audit has been carried out during the last 12 months, or the conducted audits are missing clear records of findings. Top management has not participated in a management review during the last 12 months, or there are no review results to show.
💡 How to fix?: Schedule annual internal audits and maintain reports of findings and corrections. Conduct management reviews to assess ISMS effectiveness and maintain reports of results.
4. Missing or weakly defined Statement of Applicability (SoA)
📌 Related ISO 27001 section: 6.1.3 (d) – Statement of Applicability
🔍 What's missing?: The Statement of Applicability (SoA) is incomplete, outdated, or poorly documented, making it difficult to demonstrate compliance with ISO 27001's requirements. The organization may fail to justify why certain Annex A controls are included or excluded. The implementation of controls is not clearly explained and connected to risks. The document is not regularly reviewed, causing it to be misaligned e.g. with organizational changes or new security threats.
💡 How to fix?: Ensure the SoA clearly lists all Annex A controls, marking most as applicable and rest as non-applicable with strong justifications. Make sure the SoA explains the implementation of applicable controls clearly along with evidence. Review and update the SoA regularly and maintain cross-references between the SoA, risk treatment plan, and all other ISMS parts to demonstrate a cohesive ISMS. Ensure the SoA is accessible to auditors and relevant stakeholders, with a well-structured format for easy understanding.
⭐ Extra: In Cyberday, the SoA gets created and tracked automatically through your ISMS tasks that are linked to relevant requirements in ISO 27001 / ISO 27002.

5. No defined metrics for ISMS performance
📌 Related ISO 27001 section: 9.1 – Monitoring, measurement, analysis, and evaluation
🔍 What's missing?: No defined key metrics (aka KPIs) to measure the effectiveness of the ISMS. In this situation security performance is not quantified, making it difficult for management to assess security posture or identify trends. Organizations rely on hunches without real-time security monitoring or incident trend analysis. This usually also weakens the regular reporting of ISMS performance to top management (e.g. in management reviews), causing a lack of visibility and engagement.
💡 How to fix?: Define measurable security objectives and metrics. These could be e.g. security incidents per quarter, compliance score in ISMS, % of employees who complete security awareness training, # of non-conformities resolved within a given timeframe, amount of unpatched vulnerabilities exceeding defined SLAs. Conduct regular ISMS performance reviews (e.g., quarterly) with senior management involvement. Align security metrics with business goals, such as reducing financial losses from cyber incidents or improving regulatory compliance.
⭐ Extra: Implement automated security dashboards that track performance metrics in real time. Use trend analysis to proactively address weaknesses before they become critical issues.
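The metrics listed above only help management if they are computed from records rather than estimated. The script below is an added example (not Cyberday's code) that derives three of them, overdue unpatched vulnerabilities against a per-severity SLA, training completion rate, and the share of non-conformities closed within a target timeframe, from constructed records. The SLA values, the 90-day non-conformity target and all data rows are assumptions chosen for illustration.

```python
"""Added example: compute a few ISMS performance metrics from records.
All SLAs, targets and records below are constructed for illustration."""
from datetime import date, timedelta

# Assumed remediation SLAs in days per severity (constructed values).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed vulnerability records: (id, severity, discovered, fixed-or-None).
VULNS = [
    ("V-1", "critical", date(2024, 4, 1), date(2024, 4, 5)),   # fixed in 4 days
    ("V-2", "critical", date(2024, 4, 10), None),              # open
    ("V-3", "high", date(2024, 4, 20), None),                  # open
    ("V-4", "medium", date(2024, 1, 1), None),                 # open
    ("V-5", "high", date(2024, 3, 1), date(2024, 4, 15)),      # fixed in 45 days
]

# Constructed awareness-training data.
EMPLOYEES = ["alice", "bob", "carol", "dave"]
TRAINING_COMPLETED = {"alice", "bob", "dave"}

# Constructed non-conformity records: (id, opened, closed-or-None).
NONCONFORMITIES = [
    ("NC-1", date(2024, 1, 10), date(2024, 2, 20)),  # closed in 41 days
    ("NC-2", date(2024, 1, 15), date(2024, 5, 1)),   # closed in 107 days
    ("NC-3", date(2024, 4, 1), None),                # still open
    ("NC-4", date(2024, 2, 1), date(2024, 3, 1)),    # closed in 29 days
]
NC_TARGET_DAYS = 90  # assumed target for resolving a non-conformity


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def overdue_vulnerabilities(vulns, sla_days, as_of):
    """Ids of still-open vulnerabilities whose SLA deadline has passed on `as_of`."""
    overdue = []
    for vid, severity, found, fixed in vulns:
        if fixed is not None:
            continue
        deadline = found + timedelta(days=sla_days[severity])
        if as_of > deadline:
            overdue.append(vid)
    return overdue


def patch_sla_adherence_pct(vulns, sla_days):
    """Share of closed vulnerabilities that were fixed within their SLA."""
    closed = [(fixed - found).days <= sla_days[severity]
              for _, severity, found, fixed in vulns if fixed is not None]
    return pct(sum(closed), len(closed))


def training_completion_pct(employees, completed):
    """Share of employees with a recorded training completion."""
    return pct(sum(1 for e in employees if e in completed), len(employees))


def nc_resolved_in_target_pct(ncs, target_days):
    """Share of closed non-conformities resolved within the target timeframe."""
    closed = [(done - opened).days <= target_days
              for _, opened, done in ncs if done is not None]
    return pct(sum(closed), len(closed))


def kpi_report(as_of_iso):
    """Build the metric set for a management review as of the given ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "overdue_vulnerabilities": overdue_vulnerabilities(VULNS, PATCH_SLA_DAYS, as_of),
        "patch_sla_adherence_pct": patch_sla_adherence_pct(VULNS, PATCH_SLA_DAYS),
        "training_completion_pct": training_completion_pct(EMPLOYEES, TRAINING_COMPLETED),
        "nc_resolved_in_target_pct": nc_resolved_in_target_pct(NONCONFORMITIES, NC_TARGET_DAYS),
    }


if __name__ == "__main__":
    for name, value in kpi_report("2024-05-01").items():
        print(f"{name}: {value}")
```

Each function takes the records and the reference date as arguments, so the same report can be regenerated for any past review date and the trend compared quarter to quarter, which is what turns a metric into evidence for a management review.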
6. Poor incident management process
📌 Related ISO 27001 section: 5.23 – Information security incident management
🔍 What's missing?: No formalized incident response process, leading to inconsistent, delayed and unclear handling of security incidents. Employees don’t know how to report security incidents, increasing the risk of unnoticed breaches. Documentation of previous incidents is not properly maintained, making it difficult to analyze past incidents and improve response strategies. No clear responsibilities or escalation process, causing confusion during incident handling.
💡 How to fix?: Establish a centralized incident reporting system, ensuring employees can easily report security incidents (e.g., phishing, malware, unauthorized access). Maintain documentation of previous incidents, especially the actions taken to mitigate similar incidents in future. Assign incident response roles with defined responsibilities (e.g. incident manager, technical lead, communications lead) and create clear incident response plans for commonly expected or extremely adverse incidents. Implement an escalation process to ensure severe incidents are promptly reported to management and external regulators if required.
⭐ Extra: Conduct regular incident response drills, including tabletop exercises and real-world simulations like phishing tests.
7. Weak access controls measures or access reviewing
📌 Related ISO 27001 section: A.8.2 – Identity and access management
🔍 What's missing?: Employees have more access to data and systems than necessary, increasing the risk of insider threats and data breaches. Access rights are not periodically reviewed, leading to e.g. former employees still having access to sensitive systems they don't need. Access to information is granted inconsistently instead of using standardized roles and least privilege principles. No formal process for approving, modifying, or revoking access, making it unclear who can authorize changes. Weak or non-existent logging and monitoring of access activities, making it difficult to detect unauthorized access or potential security incidents.
💡 How to fix?: Implement role-based access control (RBAC) and follow the principle of least privilege to ensure users only have the minimum access necessary for their job functions. Communicate these best practices to all employees, so they can identify non-conformities too. Conduct regular access reviews (e.g. quarterly by asset owners) to verify that access rights align with job roles and unnecessary access is removed. Establish a clear approval and revocation process for granting and removing access, ensuring that managers and security teams oversee changes. Enable multi-factor authentication (MFA) for all critical systems, reducing the risk of unauthorized access.
⭐ Extra: Automate access control management with identity and access management (IAM) solutions to streamline provisioning, tracking, and deprovisioning. Maintain detailed access logs and set up alerts for suspicious activities, such as failed login attempts or privilege escalation.
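An access review becomes much easier to evidence when it is a repeatable comparison between three inputs: the HR roster (who should exist and in which role), the role model (which entitlements each role may hold) and an export of the grants a system actually holds. The script below is an added example, not Cyberday's code or any IAM product's API, that performs that comparison and flags the three findings discussed above: accounts of terminated people, accounts with no HR record, and entitlements beyond the person's role. It also shows the simplest form of the failed-login alert mentioned in the extra tip, counting failed SSH password attempts per account from constructed log lines. All roster, role, grant and log data are constructed.

```python
"""Added example: a least-privilege access review plus a failed-login check.
Roster, roles, grants and log lines below are constructed, not real data."""
from collections import Counter
from dataclasses import dataclass

# Constructed role model: the entitlements each role may hold (least privilege).
ROLE_ENTITLEMENTS = {
    "developer": {"git:read", "git:write", "ci:run"},
    "support": {"crm:read", "ticketing:write"},
    "finance": {"erp:read", "erp:post"},
}

# Constructed HR roster: the source of truth for who should have access.
HR_ROSTER = {
    "alice": {"role": "developer", "status": "active"},
    "bob": {"role": "support", "status": "active"},
    "carol": {"role": "finance", "status": "terminated"},
}

# Constructed export of the grants a target system currently holds.
CURRENT_GRANTS = {
    "alice": {"git:read", "git:write", "ci:run", "erp:post"},  # erp:post exceeds role
    "bob": {"crm:read", "ticketing:write"},
    "carol": {"erp:read"},  # terminated employee with lingering access
    "dave": {"git:read"},   # no HR record at all
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "orphaned", "unknown_user" or "excess_entitlement"
    detail: str  # the entitlements involved


def review_access(roster, role_entitlements, grants):
    """Compare actual grants against roster and role model; return findings."""
    findings = []
    for user, entitlements in sorted(grants.items()):
        person = roster.get(user)
        if person is None:
            findings.append(Finding(user, "unknown_user", ", ".join(sorted(entitlements))))
            continue
        if person["status"] != "active":
            findings.append(Finding(user, "orphaned", ", ".join(sorted(entitlements))))
            continue
        allowed = role_entitlements.get(person["role"], set())
        for extra in sorted(entitlements - allowed):
            findings.append(Finding(user, "excess_entitlement", extra))
    return findings


# Constructed syslog-style sshd lines (not real logs).
AUTH_LOG = """\
2024-05-02T08:01:10Z host sshd[1201]: Failed password for alice from 10.0.0.5 port 51222 ssh2
2024-05-02T08:01:14Z host sshd[1201]: Accepted password for alice from 10.0.0.5 port 51222 ssh2
2024-05-02T08:03:00Z host sshd[1207]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2
2024-05-02T08:03:02Z host sshd[1207]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2
2024-05-02T08:03:04Z host sshd[1207]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2
2024-05-02T08:03:06Z host sshd[1208]: Failed password for invalid user admin from 10.0.0.9 port 40012 ssh2
2024-05-02T08:03:08Z host sshd[1208]: Failed password for invalid user admin from 10.0.0.9 port 40012 ssh2
2024-05-02T08:03:10Z host sshd[1208]: Failed password for invalid user admin from 10.0.0.9 port 40012 ssh2
"""


def parse_failed_login(line):
    """Return the account name from a failed sshd password line, else None."""
    marker = "Failed password for "
    if marker not in line:
        return None
    rest = line.split(marker, 1)[1].split()
    # sshd writes "invalid user NAME" when the account does not exist.
    if rest[:2] == ["invalid", "user"]:
        return rest[2]
    return rest[0]


def failed_logins_over_threshold(log_text, threshold=5):
    """Accounts whose failed-login count reaches the alert threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        user = parse_failed_login(line)
        if user is not None:
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, CURRENT_GRANTS):
        print(f"{f.kind:20} {f.user:8} {f.detail}")
    print("alert:", failed_logins_over_threshold(AUTH_LOG))
```

Running the review yields one finding per problem rather than a bulk diff, which is what an asset owner signs off on and what an auditor later reads as evidence that the quarterly review happened and what it changed.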
8. Lack of supplier security management
📌 Related ISO 27001 section: A.5.19 – Supplier relationship management
🔍 What's missing?: Unclear categorization of suppliers based on priority and required security assurance (e.g. certification, questionnaire, audit, none). No formal security agreements with suppliers, leaving the organization vulnerable to supply chain attacks. No contractual obligations ensuring important suppliers comply with ISO 27001, CIS18 or other best practices. Lack of an offboarding process when terminating supplier relationships, leading to risks like orphaned accounts, lingering access permissions, or unmanaged data transfers.
💡 How to fix?: Categorize your suppliers according to priority (e.g. based on their connection to your services, the sensitivity of data they handle and their replaceability) and according to your bargaining power. Establish clear security assurance criteria for important suppliers, requiring e.g. certifications, compliance reports, independent audits or filled security questionnaires as proof of security. Include security clauses in contracts, ensuring compliance with legal and regulatory requirements.
9. Poor personnel awareness and guidance program
📌 Related ISO 27001 section: A.6.3 – Awareness, education, and training
🔍 What's missing?: Employees' information and cyber security responsibilities are unclear. Employees are not systematically receiving security awareness training, leaving them vulnerable to phishing attacks, weak password practices, and social engineering. There is no structured training program, or training is conducted inconsistently, without tracking employee participation. Organizations fail to update training content based on new threats, regulatory changes, or past security incidents.
💡 How to fix?: Make employees' security responsibilities crystal clear. This can e.g. mean regularly accepting their written security guidelines and following them in everyday work. Establish a security awareness program covering key topics like phishing, password security, secure remote work, and incident reporting. Track both the acceptance of guidelines and participation in trainings, and maintain records. Conduct regular refresher courses and update content based on the latest threats, compliance requirements, and real-world incidents.
⭐ Extra: Use interactive training methods, such as phishing simulations, gamified learning, and quizzes, to ensure engagement and knowledge retention.

10. Missing or poorly maintained inventory of assets
📌 Related ISO 27001 section: A.8.1.1 – Inventory of assets
🔍 What's missing?: Organizations lack a comprehensive and up-to-date inventory of information assets, leading to poor visibility and increased security risks. No clear ownership assignment, making it unclear who is responsible for managing, documenting and protecting each asset. Asset inventory is not regularly reviewed, leading to outdated or incorrect records. No classification of assets based on sensitivity, criticality, or regulatory requirements.
💡 How to fix?: Establish a centralized asset management system that includes software assets, hardware assets, information assets (data, databases, documents), physical assets and human assets. Assign an owner for each asset, responsible for its security, maintenance, and disposal. Categorize assets based on priority or, in more detail, according to the CIA triad. Conduct regular reviews to ensure records are accurate and up to date.
⭐ Extra: Implement an automated asset discovery tool to detect and track new assets.
Extra: Lack of compliance with legal & contractual requirements
📌 Related ISO 27001 section: A.18.1.1 – Identification of applicable legislation and contractual arrangements
🔍 What's missing?: Organizations fail to systematically identify, document and comply with legal, regulatory, and contractual requirements.
💡 How to fix?: Maintain a legal register listing the legal, regulatory and contractual information security requirements that apply to you. Update this list regularly.
That covers some common ISO 27001 audit non-conformities. These often stem from gaps in documentation, inconsistent implementation, and lack of monitoring. However, these are just common examples, as every organization's information security program becomes more and more unique, especially as its maturity level grows.
But as already said in the beginning, non-conformities provide an opportunity for learning and growth. They shouldn't be seen as purely negative things.
Your information security program is a continuous improvement process that gets updated through technological changes in your environment, changes in how certain policies are implemented, the treatment of risks or incidents, or any other errors and changes. A well-maintained ISMS, with regular audits and updates, is key to passing ISO 27001 audits smoothly and maintaining your compliance. 🚀