What action should be taken if significant nonconformities are found during the audit?

When significant nonconformities are identified during an audit, the appropriate action is to document and report the findings. This is fundamental to the integrity of the audit process and plays a critical role in ensuring that the organization addresses any issues that could undermine its information security management system (ISMS).

Documenting the findings provides a clear record of the nonconformities, which is essential for accountability and for guiding the organization in resolving these issues. This documentation serves as a basis for further investigation, corrective actions, and continuous improvement. By reporting these significant nonconformities, the auditor ensures that senior management is informed and can allocate the necessary resources to address the issues effectively.

Addressing nonconformities is vital for maintaining the effectiveness of the ISMS, and it also helps build trust with stakeholders. Failure to document and report significant nonconformities could lead to unresolved risks, regulatory non-compliance, and potential damage to the organization's reputation.

Overall, taking systematic action by documenting and reporting nonconformities aligns with best auditing practices and ISO/IEC 27001 standards, reinforcing the need for transparency and continuous improvement in information security management.