Company ABC is a leading software development and testing company headquartered in Frankfurt, Germany, offering services based on its clients' requests and needs. The development process is divided into the following phases: discovery, development, testing, deployment, and maintenance. During each phase, the company ensures information privacy and protection through a successfully implemented and maintained ISMS.
However, the ISMS implementation alone could not help the company expand its market. That is why it decided to apply for ISO/IEC 27001 certification.
The company contacted a certification body to undergo the certification process. You, an auditor who works for the certification body, are selected as the audit team leader. During the course of the audit activities, you draft the audit findings and the nonconformity reports.
Upon considering the validity of the audit evidence, you drafted two nonconformity reports for the detected nonconformities. Both reports followed the same structure: the audit criteria, a description of the observed nonconformity, and the audit finding.
Based on the audit findings and other information collected during the audit, you recommended Company ABC for certification, subject to the filing of corrective action plans. The audit conclusion was discussed with the auditee's representatives, who assured you that the action plans would be submitted as soon as possible.
To resolve the first detected nonconformity, Company ABC submitted the following action plan: “A formal user registration and de-registration process to grant or deny access to systems and services that process sensitive information will be created.” The action plan addressing the second nonconformity stated that “A new version of the security policy will be published to include legal and regulatory requirements.”
Once the submitted action plans and the implemented corrective actions had been evaluated, you decided to close the detected nonconformities.
Answer the following questions by referring to the above-mentioned scenario:
What should you have taken into consideration, in addition to the audit evidence, when determining the audit findings?