During which stage of the audit are potential non-conformities identified?

The identification of potential non-conformities occurs during the Stage 2 audit. This stage is where the auditor evaluates the effectiveness of the organization’s Information Security Management System (ISMS) against the requirements of ISO/IEC 27001. At this point, the auditor looks for evidence that the ISMS is being implemented properly and is functioning as intended. This involves assessing policies, procedures, and practices, as well as conducting interviews and reviewing documentation.

In contrast, the Stage 1 audit primarily focuses on reviewing the organization's readiness for the Stage 2 audit. It examines documentation and ensures that the organization has established an ISMS that meets the standard's requirements but does not delve into the effectiveness of its operation. Follow-up audits do not identify non-conformities per se; rather, they assess whether previously identified issues have been resolved. Thus, the Stage 2 audit is crucial for identifying any significant issues that need to be addressed for compliance with the standard.
