When might an auditor draft a nonconformity report?

Prepare for the ISO/IEC 27001 Lead Auditor Exam with comprehensive flashcards and multiple-choice questions. Gain confidence with detailed explanations and hints. Succeed in your certification endeavor!

An auditor drafts a nonconformity report during the audit activities when evidence indicates discrepancies between the actual practices and the requirements outlined in the Information Security Management System (ISMS) or related standards. This is a crucial part of the audit process as it provides immediate documentation of any identified issues that need to be addressed.

Timing is key; addressing nonconformities as they arise allows for real-time discussion with the auditee, which can lead to a clearer understanding of the problems and facilitate immediate corrective actions, if appropriate. This practice ensures that findings are captured accurately while the situation is fresh, which helps to maintain the integrity of the audit and supports the auditee in making necessary adjustments during the audit process itself.

Other situations, such as after completing an ISMS review or receiving corrective action plans from the auditee, are not the right time to draft a nonconformity report because they fall outside the phase of the audit in which discrepancies are identified. Additionally, waiting until the end of the audit program to draft such reports could lead to oversight of critical issues that should be communicated as soon as they are detected.
