What should auditors do if they encounter a significant non-conformity?

When auditors encounter a significant non-conformity, it is essential to report it in the audit findings. Documenting significant non-conformities is crucial because this process not only highlights areas where the auditee fails to comply with the established standards or requirements, but it also serves as a basis for corrective actions to improve the organization’s information security management system. By reporting it, auditors ensure that the organization is aware of the risks and the necessary steps to address the deviations from compliance.

Addressing non-conformities transparently helps maintain the integrity of the audit process and enables ongoing improvement of the management system. Additionally, such documentation is vital for maintaining accountability and can aid in future audits or assessments.

In contrast, simply ignoring a significant non-conformity undermines the audit’s purpose and can lead to greater risks for the organization. Revisiting the auditee after a month without any prior documentation of the non-conformity does not guarantee that it will be addressed effectively within that period. Issuing an immediate termination notice would not be an appropriate response without first addressing the underlying issues through a structured reporting process.