How should the situation be evaluated if the auditee controls access but does not document it?


The situation should be evaluated as a minor nonconformity: an access control is in place, but the lack of documentation indicates a gap in the established management system. ISO/IEC 27001 emphasizes documented information as the means of demonstrating that controls are effectively implemented and maintained. Documentation is a critical aspect of accountability, enabling the organization to verify that access controls are functioning as intended and allowing them to be reviewed during audits.

In this case, the absence of documentation does not suggest that access is uncontrolled or that the existing controls are ineffective; instead, it points to a deficiency in the documentation aspect of the information security management system (ISMS). This is less severe than a major nonconformity, which would imply that a significant requirement of the standard is unmet and that the control as a whole is at risk. Categorizing the finding as a minor nonconformity therefore allows corrective action to be taken without implying a total failure of the controls in place.
