What are deviations according to the ISO standard?
As a rule, the term “non-conformity” can be found in the specialist literature. For better understanding, the term deviation is often used in colloquial language. All ISO standards refer to deviations as the situation of an “unmet requirement”. In the ISO 9001 standard there is chapter “3.6.9 Non-conformity”: Failure to fulfill a requirement (3.6.4).
How does ISO27001 deal with deviations?
The ISO 27001 standard expects certain content in an ISMS set of rules. For example, if the inventory list of all values (at risk or to be protected) is missing, this represents a deviation. The ISO 27001 lead auditor will document non-conformity in his determination. Companies can also specify industry-specific additional requirements in the ISMS. If the company does not meet these self-defined requirements in operational practice, this can also lead to certification failing.
How do deviations differ?
Auditors distinguish between serious and minor deviations. The English-language standard definition speaks of “major nonconformities” and “minor nonconformities”. In German, the terms main deviation and minor deviation are often used.
Major Deviation: When an important characteristic is not met, auditors identify major deviations. Elementary requirements must be met in order for a certificate to be issued. Companies must resolve the causes of the deviations and demonstrate compliance with the relevant requirement within a certain period of time. Only then can the auditor recommend issuing the certificate to the certification body.
Minor deviation: These deviations are usually viewed as non-critical deviations from the desired condition. However, if too many major deviations occur, they can collectively develop into a major deviation and jeopardize the certification.