Major, Minor, or Just an OFI? Test your audit IQ.

Written by

Aron Lange

You are sitting in a conference room. The air is thick with caffeine and nerves. Across from you, the auditor flips through a notebook, clears their throat, and says: “I’d like to present my findings.”

In that moment, your heart rate spikes. We have been conditioned to see audits as a pass-or-fail exam—a binary world where you are either a compliant hero or a security villain. But management system auditing under ISO/IEC 17021-1 is more nuanced than that. It is not a grade; it is a professional mirror. If you want to survive the closing meeting without a panic attack, you need to understand the language they are speaking.

The Types of Audit Findings

In the context of a management system audit, a “finding” is not just a random observation. According to the standard, audit findings are used to summarize conformity and detail nonconformity. These are the data points used to determine if your system is actually doing what it says it is doing.

1. Conformity

This is the goal. Conformity is the fulfillment of a requirement. It means your processes match the criteria of the standard, they are effectively implemented, and they are capable of achieving your organization’s stated policy and objectives.

2. Nonconformity

This is the term that causes the most stress, but its definition is quite clinical. A nonconformity is simply the “non-fulfilment of a requirement.” It represents a gap between the “audit criteria” (the rules) and the “audit evidence” (the reality of what is happening). When an auditor records a nonconformity, they must identify the specific requirement that isn’t being met and provide the objective evidence—the facts—that prove the gap exists.

3. Opportunities for Improvement (OFI)

An OFI is a suggestion where a process is technically meeting the requirement but could be more effective or efficient.

There is an important “integrity” rule here for auditors: an audit finding that is a nonconformity shall not be recorded as an opportunity for improvement. This prevents auditors from “being nice” and hiding a systemic failure behind a friendly suggestion.

Grading the Gaps: Minor vs. Major

Not all nonconformities carry the same weight. The distinction isn’t arbitrary; it depends entirely on a single threshold: does the mistake threaten the “intended results” of your management system?

The Minor Nonconformity

A minor nonconformity is defined as a “nonconformity that does not affect the capability of the management system to achieve the intended results.”

Think of this as a slip-up. It is usually a single instance or a small, isolated mistake in a process that is otherwise healthy.

  • Example 1: The Outdated Review. Your policy says you review your firewall rules every six months. The auditor sees that you did the last three reviews on time, but the most recent one was delayed by two weeks because the admin was on leave. The review happened, but it missed the deadline. This is a non-fulfillment of your rule, but the “intended result”—maintaining secure firewall rules—is still being met.

  • Example 2: The One-Off Oversight. You have a fleet of 100 laptops. The auditor samples five and finds that one doesn’t have the “Property of [Company]” sticker required by your asset management policy. However, the laptop is fully encrypted, tracked in your MDM, and has a strong password. The security intent is met; the sticker is an isolated administrative oversight.

The Major Nonconformity

This is a much more serious situation. A major nonconformity is a “nonconformity that affects the capability of the management system to achieve the intended results.” If you have a Major finding, the auditor is essentially saying your system is broken in a fundamental way.

Under the standard, a finding is classified as “Major” in two primary circumstances:

  1. Significant Doubt: This occurs when a gap is so large that the auditor can no longer trust your system.

    • Example: An auditor asks to see your Risk Assessment—the foundation of any ISO system. You show them a document from three years ago that hasn’t been updated to reflect your move to the cloud. Because the foundation is missing or irrelevant, there is “significant doubt” that your controls are actually protecting the right things.

  2. Systemic Failure: This is when “a number of minor nonconformities associated with the same requirement or issue” are found.

    • Example: The auditor checks your offboarding process. They find one ex-employee still has email access. Then they find another. Then they find a third. Each one might be a “minor” slip-up on its own, but together they prove that your offboarding process is non-existent or ignored. The “intended result”—denying access to former staff—is not being achieved.

Essentially, a Major nonconformity means the auditor cannot recommend you for certification (or maintenance of it) until the root cause is addressed and the fix is verified.

What Do You Think? Two Real-World Scenarios

To help this sink in, let’s look at two real-world scenarios.

Scenario 1: The Vague Background Check

An organization has a clear policy for screening new employees. One requirement is that a criminal records check must be conducted for every candidate. During the audit, the auditor finds that the checks are being done, but there is no written process explaining what happens next. There are no criteria for what kind of record would disqualify someone. For instance, if a candidate has a minor record for speeding, it isn’t clear if they would still be hired. The HR team says they “just use their best judgment,” but nothing is documented.

Scenario 2: The MFA Gap

A company uses Microsoft 365 for everything—emails, sensitive spreadsheets, and internal documents. They use Microsoft Entra as their identity provider. Their internal security policy is very specific about password complexity, and the auditor confirms that these rules are strictly enforced. However, the auditor notices that Multi-Factor Authentication (MFA) is not enabled. The organization argues that their passwords are “complex enough” and that the standard doesn’t explicitly name “MFA” as a mandatory requirement for their setup.

The Verdict

Here is how a professional auditor would likely view these cases:

Scenario 1: Nonconformity

This is a Nonconformity. While the organization is performing the check (doing the “work”), they have failed the requirement to have a process that produces “consistent, valid, and comparable results.” By relying on “best judgment” without documented criteria, the screening process is arbitrary. If two different HR managers look at the same criminal record, they might make two different decisions. This lack of a defined process is a clear non-fulfillment of management system requirements.

Scenario 2: Opportunity for Improvement (OFI)

This is an Opportunity for Improvement. While modern security best practices virtually demand MFA, most high-level standards are “technology neutral.” If the organization has identified their risks and decided that complex passwords meet their specific security objectives, the auditor cannot immediately issue a nonconformity just because they personally prefer MFA. However, the auditor would record this as an OFI, noting that the “intended result” of data protection would be significantly strengthened by adding a second layer of authentication.

What do you think about these verdicts? Would your team agree, or would the “best judgment” argument hold up in your office?
