What is a common practice concerning the timing of follow-up audits for nonconformities?


The correct choice highlights the requirement that follow-up audits for nonconformities must occur within a specific timeframe: 12 months from the last audit. This timing is significant because it ensures that any nonconformities identified during the audit are addressed promptly, helping to maintain the effectiveness of the management system and the integrity of the information security management system (ISMS).

By conducting follow-up audits within this defined period, organizations can demonstrate their commitment to continuous improvement and compliance with ISO/IEC 27001 standards. This timeframe is aligned with the principles of internal audits, where prompt corrective actions help to mitigate risks and ensure that issues do not persist or recur over time.

Setting such a consistent timeline encourages organizations to prioritize the resolution of nonconformities and fosters accountability among staff responsible for implementing corrective actions. This disciplined approach aids in the overall risk management process and helps uphold the trust of stakeholders in the organization's security measures.

In contrast, other options suggest either more rigid time limits (like 6 months) or less frequent engagements that might allow for lapses in compliance or issues to go unaddressed for extended periods, which could negatively impact the organization's information security posture.
