Why OFIs in Your Internal ISO 27001 Audit Report are a “Good Thing”

Pivot Point Security
2 min read · Feb 6, 2020


I regularly perform internal Information Security Management System (ISMS) ISO 27001 audits for our clients. These internal audits provide management with assurance that the ISMS is effectively implemented and maintained. They also provide a mechanism to assess your “readiness” for the certification/surveillance audit. As the auditor, I can submit several types of findings in my internal audit reports. These primarily include:
Nonconformities
Opportunities for Improvement, or OFIs
A nonconformity reports a complete or partial breakdown of a process within your ISMS and is something you definitely must fix or have documented plans to fix before an external audit. An OFI, however, is an observation or suggestion regarding a potential improvement opportunity. No action is necessarily required.
Despite their nonbinding and essentially helpful nature, some clients view OFIs as a “problem” and react to them (surprisingly) defensively. To me this indicates that their understanding of them is off and I’m here to set the record straight.
OFIs are a good thing!
They’re not about something you did “wrong.” Their purpose is to help you improve your ISMS, which you must do continuously to maintain your ISO 27001 certification.
For example, following a recent internal audit, my audit report included an OFI around listing a few more “major internal and external issues” to be considered for future risk assessments. I felt there were several areas our client hadn’t adequately considered. During the wrap-up meeting, the CISO argued about this observation and clearly was unhappy that it was pointed out. I reminded them that OFIs are something they can choose to address.
Conversely, some clients are grateful and thank me for flagging OFIs, because fixing OFIs helps them show continuous improvement on future audits, which is a requirement of ISO 27001. One of the things many auditors, including myself, look for in audits is whether a client addressed prior OFIs.
Further, an OFI could be a nonconformity “waiting to happen,” so putting some focus on it proactively can save time and money and reduce risk down the line — including the risk of not passing a future audit.
A wise person once said, “The biggest room in the world is the room for improvement.” Perfection doesn’t exist in the realm of information security, and even a very good ISMS can always be a little better. From this perspective, OFIs in an audit report are advantageous because they save you the trouble of hunting them down on your own.
To talk with an expert about the ISO 27001 audit/certification process and the steps involved, contact Pivot Point Security.


Written by Pivot Point Security

We are a trusted source of simple, practical, and actionable information security guidance.
