Which scenario would likely lead to a major nonconformity finding?


A scenario in which the organization has no documented information security policy would most likely lead to a major nonconformity finding, because a documented policy is an explicit, fundamental requirement of an information security management system (ISMS) under ISO/IEC 27001 (clause 5.2). The standard requires top management to establish an information security policy that is available as documented information, is communicated within the organization, and states the organization's commitment to satisfying applicable requirements and to continually improving the ISMS. An auditor classifies a finding as major when a requirement of the standard is entirely absent or has broken down systemically, and the missing policy is exactly that: a whole clause unmet.

In the context of ISO/IEC 27001, the documented policy is the governing framework from which objectives, risk treatment and the remaining ISMS processes derive their authority, and it is the reference point auditors use to judge consistency, accountability and compliance with legal, regulatory and contractual requirements. Without it, an organization lacks direction on how it intends to protect its information assets, and the auditor has no basis against which to assess whether the rest of the ISMS is actually doing what management intended. This is why the absence is treated as a major nonconformity: it is a serious deficiency in both governance and operational control, not a matter of incomplete paperwork.

In contrast, delayed responses to nonconformities, minor administrative errors in documentation, and periodic audit findings all indicate issues within the ISMS, but they do not represent the same level of critical deficiency as the complete absence of a documented security policy, and would ordinarily be raised as minor nonconformities or observations. Delays in addressing nonconformities may reflect operational
