Study Document 09
Nonconformity reporting and closing.
A practical guide to writing clear NCRs, presenting findings, closing meetings, audit reports, corrective action review, and evidence-based closure decisions.
Core idea
A nonconformity is the non-fulfilment of a requirement.
In an ISO 27001 audit, the requirement may come from ISO/IEC 27001, internal ISMS documentation, legal obligations, customer contracts, supplier requirements, or other agreed audit criteria.
NCR structure
Write findings that are factual, traceable, and fair.
A strong NCR should not blame people or speculate. It should describe what requirement was not fulfilled and which objective evidence supports that conclusion.
Example
A clear NCR connects criteria to evidence.
Use this pattern when answering scenario questions that ask whether a finding is valid or how the finding should be written.
Example NCR wording
Requirement: The access control procedure requires quarterly privileged access reviews.
Evidence: The auditor reviewed finance application privileged access records and found no review evidence for Q2 or Q3.
Nonconformity: Privileged access reviews for the finance application were not performed in accordance with the procedure.
Location: Finance application access management process.
Classification
Major and minor findings depend on impact and system weakness.
Classification should be based on the seriousness of the failure, its effect on the management system, and whether the issue is isolated or systemic.
Major: serious or systemic failure.
A major nonconformity may involve absence of a required process, failure to implement a required process, repeated related minor issues, or a weakness that affects the ability of the ISMS to achieve its intended results.
Minor: limited or isolated lapse.
A minor nonconformity is a limited failure where the process exists and is generally implemented, but a specific requirement or record is missing, incomplete, or not consistently followed.
Correction vs corrective action
Fixing the issue is not the same as preventing recurrence.
Exam answers often confuse correction with corrective action. Correction handles the detected issue. Corrective action addresses root cause and recurrence risk.
Closing meeting
The closing meeting presents conclusions, not negotiations.
The auditor should explain findings clearly, allow questions, correct factual misunderstandings, and explain next steps. The meeting should remain professional and evidence-based.
Open the meeting
Thank participants, confirm attendance, restate audit objectives, scope, and criteria.
Explain sampling
Make clear that audit evidence is based on samples and the audit conclusion is limited to audit criteria and scope.
Present findings
Present positive points, nonconformities, observations, and opportunities for improvement where applicable.
Explain grading and next steps
Explain classification, corrective action process, timelines, reporting route, and appeal or complaint process where applicable.
Confirm understanding
Allow questions, correct factual errors, confirm follow-up responsibilities, and close professionally.
Audit report
The report must be complete enough to support follow-up.
The report should give a clear record of what was audited, what was found, what conclusion was reached, and what action is required.
Typical report contents
- Audit type, objectives, scope, criteria, dates, locations, and audit team.
- Auditee representatives, activities performed, processes audited, and sampling statement.
- Findings, nonconformities, positive observations, unresolved issues, and audit conclusions.
- Recommendation, where applicable, plus corrective action and follow-up requirements.
Corrective action review
- Correction completed and evidence provided.
- Root cause identified and logically linked to the issue.
- Corrective action implemented and evidence supports completion.
- Effectiveness reviewed and similar issues considered.
Common mistakes
Weak NCRs fail because they are vague.
- Blaming a person instead of describing a process failure.
- Writing a finding without audit criteria.
- Using words such as poor, inadequate, or bad without evidence.
- Combining several unrelated issues into one unclear finding.
- Accepting correction as sufficient when root cause is not addressed.
Exam technique
Choose the finding that states both the requirement and the objective evidence.
- If the finding lacks criteria, it is incomplete.
- If the finding lacks objective evidence, it is not supportable.
- If the wording blames people, it is not professional.
- If only the symptom is fixed, corrective action may be incomplete.
- If closure lacks evidence of effectiveness, the auditor should request more evidence.
Quick memory aid
NCR = Requirement + Evidence + Problem + Location. Correction fixes the detected problem. Corrective action removes the cause. Closure needs evidence that action was implemented and effective.
Use note
This is a KISCyber learner guide.
This page is an original training summary using user-provided ISO 19011 audit guidance and ISO 27001 Lead Auditor study materials as references. Always use the authorised standard, official course material, and current exam provider guidance when preparing for certification.