Nonconformity lab

Classify twenty realistic ISO 27001 findings and judge the strength of the sampled evidence

Use this dedicated lab to decide whether a gap is major, minor, or an observation, then review whether the evidence is sufficient, what makes the issue systemic, and what a stronger corrective response would look like.

Nonconformity library

Twenty realistic ISO 27001 findings with evidence, auditor logic, and stronger corrective responses

For each case, judge the likely classification and the strength of the evidence. Then review what made the issue systemic or isolated, what an auditor would ask next, and how a good response differs from a weak one.

Case 1 (Clause 6.1.2, Clause 6.1.3)
No formal risk assessment methodology exists
Aucune méthodologie formelle d'analyse des risques n'existe
Business context
A Paris-based SaaS provider is preparing for its first certification audit after several enterprise deals asked for ISO 27001 evidence.
Scenario
The team can point to a spreadsheet of 'top risks', but there is no approved method, no defined criteria, and no current ISMS risk register that covers the scoped service.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
risk-register
Old spreadsheet with unscored concerns from the previous year
Ancien tableur avec préoccupations non notées datant de l'année précédente
It lists issues, but not current risk ownership, scoring criteria, or treatment logic.
approval-record
No approved risk methodology
Aucune méthodologie de risque approuvée
Interviewed staff could not name who approved the method because no approval exists.
meeting-minutes
Steering notes mention 'high risks' without a defined scoring basis
Les notes du comité évoquent des « risques élevés » sans base de notation définie
Management language exists, but the underlying method does not.
What the auditor notices
Control and treatment decisions appear to have been made on intuition rather than through a repeatable ISMS planning process.
What makes it systemic or isolated
Different teams described different scoring approaches and no one could show a common decision model. That points to a systemic gap rather than a single missed record.
Follow-up questions
  • How were current treatment decisions approved if the method does not exist? / Comment les décisions actuelles de traitement ont-elles été approuvées si la méthode n'existe pas ?
  • Who owns the risk criteria for the scoped service today? / Qui porte aujourd'hui les critères de risque du service dans le périmètre ?
Recommended corrective action
  • Approve a formal risk methodology with scoring criteria and acceptance rules. / Approuver une méthodologie de risque formelle avec critères de notation et règles d'acceptation.
  • Run a scoped risk assessment using nominated owners and current business context. / Mener une analyse des risques sur le périmètre avec des responsables nommés et le contexte métier actuel.
  • Create a maintained risk register linked to treatment actions and SoA decisions. / Créer un registre de risques maintenu, relié aux actions de traitement et aux décisions SoA.
Good response
A strong response acknowledges that the current spreadsheet is not a valid ISMS method, commits to approving one method quickly, and shows a dated plan for re-running the assessment and rebuilding treatment traceability.
Weak response
A weak response argues that experienced staff already know the risks and that formal methodology would only add bureaucracy.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining poor traceability
risk
English

The risk treatment decision is not traceable.

Français

La décision de traitement du risque n'est pas traçable.

Useful when a register exists but treatment logic cannot be linked to owners, dates, or controls.
Explaining business value
meeting
English

We pursue ISO 27001 to make security decisions repeatable, credible, and governable.

Français

Nous poursuivons l'ISO 27001 pour rendre les décisions de sécurité répétables, crédibles et pilotables.

This keeps the discussion focused on management-system value rather than only certification optics.
Case 2 (Clause 6.1.3)
The SoA exists but is not aligned with treatment decisions
La SoA existe mais n'est pas alignée avec les décisions de traitement
Business context
A cloud services company refreshed its Statement of Applicability shortly before the audit using an inherited template.
Scenario
The SoA marks several controls as applicable with generic language, but the treatment plan uses different wording, omits owner linkage, and does not explain why a few supplier and logging controls are marked not applicable.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
soa
SoA with blanket rationales such as 'best practice' and 'not relevant'
SoA avec justifications génériques comme « bonne pratique » et « non pertinent »
The artifact exists, but the reasoning is too shallow for audit reliance.
risk-register
Treatment plan with local project labels that do not match control language
Plan de traitement avec libellés de projet qui ne correspondent pas au langage des mesures
Some decisions exist, but they are hard to trace into the SoA.
approval-record
Consultant-issued version with no internal approval context
Version émise par le consultant sans contexte d'approbation interne
The organization cannot show who accepted the control position.
What the auditor notices
The SoA looks like a document produced for the audit rather than a reliable statement of the organization's real control position.
What makes it systemic or isolated
The same traceability weakness affects multiple control families, not one isolated control entry. That makes the issue systemic.
Follow-up questions
  • Which risk or obligation made these controls applicable or not applicable? / Quel risque ou quelle obligation a rendu ces mesures applicables ou non applicables ?
  • Who reviewed and approved the current SoA position? / Qui a revu et approuvé la position SoA actuelle ?
Recommended corrective action
  • Rebuild applicability rationales from current context, obligations, and treatment decisions. / Reconstruire les justifications d'applicabilité à partir du contexte actuel, des obligations et des décisions de traitement.
  • Link each high-relevance control decision to a risk, obligation, or boundary condition. / Relier chaque décision de mesure à forte pertinence à un risque, une obligation ou une condition de frontière.
  • Record ownership, approval, and implementation status with evidence expectations. / Enregistrer la responsabilité, l'approbation et l'état de mise en œuvre avec des attentes de preuve.
Good response
A strong response admits that the current SoA is not decision-grade, then shows how the organization will re-baseline it against real treatment logic instead of defending generic wording.
Weak response
A weak response argues that the SoA is only a formality because the controls exist somewhere in operations anyway.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining poor traceability: the same English/French wording is given under Case 1.
Commenting on SoA quality
soa
English

The SoA rationale is too generic for audit reliance.

Français

La justification de la SoA est trop générique pour être fiable en audit.

Useful when applicability statements are broad, unsupported, or disconnected from risk treatment.
Case 3 (Clause 4.3)
The scope statement is vague and inconsistent with operations
La déclaration de périmètre est vague et incohérente avec les opérations
Business context
A managed services provider wants to certify a customer-facing service while keeping shared support complexity outside the conversation.
Scenario
The scope says 'managed services activity in France', but sampled evidence shows that a foreign NOC, shared HR joiner/leaver activity, and common supplier tooling all materially affect the same service.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
policy-standard
Scope statement with broad wording and no boundary narrative
Déclaration de périmètre avec une formulation large et sans récit de frontière
It names a service, but not the interfaces that support it.
asset-inventory
Inventory includes shared systems outside the written scope
L'inventaire inclut des systèmes partagés hors du périmètre écrit
The asset view contradicts the scope narrative.
meeting-minutes
Kickoff notes mention support interfaces but there is no final decision trail
Les notes de kickoff mentionnent des interfaces support mais il n'existe pas de trace finale de décision
The issue was noticed internally but never resolved clearly.
What the auditor notices
The organization appears to be describing a marketing boundary rather than a defensible ISMS boundary.
What makes it systemic or isolated
The inconsistency affects governance, assets, and supporting processes. It is not one bad sentence but a broader boundary problem.
Follow-up questions
  • Why are these shared support activities excluded when they materially affect the scoped service? / Pourquoi ces activités de support partagées sont-elles exclues alors qu'elles affectent matériellement le service dans le périmètre ?
  • Who approved the final scope boundary and on what basis? / Qui a approuvé la frontière finale du périmètre et sur quelle base ?
Recommended corrective action
  • Rewrite the scope with explicit services, locations, interfaces, and dependencies. / Réécrire le périmètre avec des services, lieux, interfaces et dépendances explicites.
  • Document why shared functions are in or out of scope and how they are controlled. / Documenter pourquoi les fonctions partagées sont dans ou hors périmètre et comment elles sont maîtrisées.
  • Approve the revised scope through leadership governance. / Approuver le périmètre révisé via la gouvernance de direction.
Good response
A strong response accepts that the current scope wording is too broad and shows a practical plan to redefine boundaries honestly, even if that makes the audit conversation harder in the short term.
Weak response
A weak response insists that everyone 'understands what we mean' and that a more explicit scope would only create unnecessary attention on shared teams.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Clarifying ISMS scope
meeting
English

The scope includes the customer platform and support operations, but not every corporate function.

Français

Le périmètre inclut la plateforme client et les opérations de support, mais pas toutes les fonctions corporate.

Good for kickoff and audit-readiness discussions where boundaries must stay explicit.
Case 4 (Clause 9.2; nonconformity and corrective action, Clause 10.1 in ISO/IEC 27001:2013 and Clause 10.2 in the 2022 edition)
The internal audit programme exists on paper but not in evidence
Le programme d'audit interne existe sur le papier mais pas dans la preuve
Business context
An organization approaching recertification says it performs internal audits annually.
Scenario
An audit schedule exists, but no recent audit plans, reports, sampling records, opening or closing meeting notes, or corrective-action follow-up can be produced for the current cycle.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
internal-audit-report
No report or working papers for the current audit cycle
Aucun rapport ni papier de travail pour le cycle d'audit en cours
The programme is claimed, but execution cannot be demonstrated.
meeting-minutes
Calendar invite labeled 'internal audit prep'
Invitation calendrier intitulée « préparation audit interne »
Preparation activity exists, but not the audit evidence itself.
approval-record
Previous-year programme approval
Approbation du programme de l'année précédente
Approval exists historically, but not current execution.
What the auditor notices
The organization cannot show that it independently checked the ISMS before the external audit sample.
What makes it systemic or isolated
The absence covers the entire audit cycle, not a missing page in one report. That points to non-execution rather than isolated filing weakness.
Follow-up questions
  • Who performed the internal audit and how was competence or independence ensured? / Qui a réalisé l'audit interne et comment la compétence ou l'indépendance a-t-elle été assurée ?
  • What findings from the last internal audit cycle were tracked to closure? / Quels constats du dernier cycle d'audit interne ont été suivis jusqu'à leur clôture ?
Recommended corrective action
  • Re-establish the internal audit programme with named auditors, scope, and timing. / Réétablir le programme d'audit interne avec auditeurs nommés, périmètre et calendrier.
  • Execute the audit with working papers, sampled evidence, and report output. / Exécuter l'audit avec papiers de travail, preuves échantillonnées et rapport formel.
  • Track audit findings through corrective action and closure verification. / Suivre les constats d'audit via l'action corrective et la vérification de clôture.
Good response
A strong response stops defending the calendar and admits that execution evidence is missing, then lays out when the audit will be completed and how independence will be ensured.
Weak response
A weak response says the team was too busy this year but everyone knows the environment well enough already.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Linking a finding to a clause
audit
English

This finding relates to Clause 9.2.

Français

Ce constat est rattaché à la clause 9.2.

Helps learners speak with clause discipline during internal and external audits.
Requesting operational proof
audit
English

Please show the sampled evidence, not only the procedure.

Français

Merci de montrer la preuve échantillonnée, pas seulement la procédure.

A practical sentence for audit prep and live walkthroughs.
Case 5 (Clause 9.3)
Management review is claimed, but the minutes are incomplete
La revue de direction est revendiquée, mais le compte rendu est incomplet
Business context
Leadership says its quarterly steering committee also serves as the management review for the ISMS.
Scenario
The minutes discuss security budget and customer issues, but sampled records do not show internal-audit inputs, objective performance, changes in context, or resulting decisions on improvement and resources.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
management-review-minutes
Quarterly steering deck and summary minutes
Deck de comité trimestriel et compte rendu synthétique
A leadership forum exists, but the required ISMS inputs are only partly visible.
meeting-minutes
Action list on commercial and project topics only
Liste d'actions portant uniquement sur des sujets commerciaux et projets
The record does not show whether ISMS outcomes were decided.
internal-audit-report
Prior internal audit report was available but not referenced in management review
Le précédent rapport d'audit interne est disponible mais non référencé dans la revue de direction
An important input exists but does not visibly feed leadership review.
What the auditor notices
The organization may have a leadership meeting, but the record does not show that leadership is reviewing the ISMS as ISO 27001 expects.
What makes it systemic or isolated
This looks like a design and evidence-quality issue in one governance mechanism, not an absence of all leadership review activity.
Follow-up questions
  • Where in the record can we see review of audit results, objective performance, and improvement needs? / Où, dans la trace, voit-on la revue des résultats d'audit, de la performance des objectifs et des besoins d'amélioration ?
  • What leadership decisions were made for the ISMS after this review? / Quelles décisions de direction ont été prises pour le SMSI à la suite de cette revue ?
Recommended corrective action
  • Add a clear management-review agenda aligned to required ISO 27001 inputs. / Ajouter un agenda de revue de direction aligné sur les intrants requis par l'ISO 27001.
  • Capture decisions, owners, and deadlines in the minutes. / Capturer les décisions, responsables et échéances dans le compte rendu.
  • Ensure internal-audit results, objective trends, and context changes are explicitly reviewed. / Veiller à ce que les résultats d'audit interne, les tendances d'objectifs et les changements de contexte soient explicitement revus.
Good response
A strong response accepts that the current meeting record is not enough and proposes a better agenda and minute structure rather than arguing about the meeting title.
Weak response
A weak response insists that the committee is obviously the management review because the same executives attend it.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Challenging management review quality
audit
English

The minutes do not show the required management review inputs.

Français

Le compte rendu ne montre pas les intrants requis de la revue de direction.

This keeps the discussion evidence-based instead of turning it into a debate about meeting labels.
Case 6 (Clause 8.1; Annex A (2022) 5.18, access rights)
The access review process is documented but not evidenced consistently
Le processus de revue d'accès est documenté mais pas démontré de manière cohérente
Business context
A support-heavy SaaS provider runs quarterly access reviews across multiple business systems.
Scenario
Three sampled applications have review exports and sign-off, but two smaller support tools rely on verbal manager confirmation, and there is no documented follow-up for the stale accounts that reviews identified.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
access-review-record
Quarterly review records for core systems only
Traces de revue trimestrielle uniquement pour les systèmes centraux
The control works in part of the scope but not all of it.
ticket-workflow
No ticket trail for removals from smaller tools
Aucune piste de ticket pour les suppressions sur les petits outils
Execution is hard to prove for the weaker systems.
policy-standard
Documented quarterly review procedure
Procédure de revue trimestrielle documentée
The design exists and is known by managers.
What the auditor notices
The organization has a control design, but execution and proof are uneven across the scoped tooling estate.
What makes it systemic or isolated
The gap affects more than one tool, but not the entire environment. It looks broader than an isolated sample and narrower than a fully systemic collapse.
Follow-up questions
  • How do you know smaller support tools have actually been reviewed this quarter? / Comment savez-vous que les petits outils support ont réellement été revus ce trimestre ?
  • Where is the evidence that identified removals were completed? / Où se trouve la preuve que les suppressions identifiées ont bien été réalisées ?
Recommended corrective action
  • Extend the review format and evidence expectations to all in-scope tools. / Étendre le format de revue et les attentes de preuve à tous les outils dans le périmètre.
  • Require traceable removal follow-up for any exception identified during review. / Exiger un suivi traçable des suppressions pour toute exception identifiée pendant la revue.
  • Monitor missed or incomplete reviews centrally. / Surveiller de manière centralisée les revues manquées ou incomplètes.
Good response
A strong response admits that the process is stronger for major systems than for long-tail tooling and commits to closing the evidence gap with one standard review model.
Weak response
A weak response argues that smaller tools are low risk and therefore do not need the same review evidence.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining inconsistent execution
evidence
English

The process exists but is not consistently evidenced.

Français

Le processus existe mais n'est pas démontré de manière cohérente.

This phrasing is stronger than saying the process is missing when the real issue is execution discipline.
Requesting operational proof: the same English/French wording is given under Case 4.
Case 7 (Clause 8.1; Annex A (2022) 5.18, access rights, and 6.5, responsibilities after termination or change of employment)
Onboarding exists, but offboarding evidence is inconsistent
L'onboarding existe, mais la preuve d'offboarding est incohérente
Business context
A consulting and support organization handles frequent employee and contractor churn.
Scenario
Joiner and mover steps are documented, but one terminated contractor kept VPN group access for 12 days and two sampled leaver cases have no revocation evidence attached to the HR trigger.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
ticket-workflow
HR-triggered access tickets exist for joiners but not consistently for leavers
Des tickets d'accès déclenchés par les RH existent pour les arrivées mais pas de manière cohérente pour les départs
The process is stronger on entry than on exit.
access-review-record
Quarterly review later found a stale account
La revue trimestrielle a détecté plus tard un compte obsolète
The stale account shows delayed control effectiveness.
policy-standard
Documented joiner-mover-leaver process
Processus arrivées-mobilités-départs documenté
The control design and intended workflow exist.
What the auditor notices
The organization has a documented lifecycle process, but leaver execution and proof are not strong enough to prevent avoidable residual access risk.
What makes it systemic or isolated
Multiple sampled leaver cases show the same weak evidence pattern, so the issue is broader than one forgotten account.
Follow-up questions
  • Who is accountable for proving access removal after HR signals a departure? / Qui est responsable de démontrer la suppression d'accès après le signalement RH d'un départ ?
  • How do you detect a missed offboarding action before the quarterly review? / Comment détectez-vous une action d'offboarding manquée avant la revue trimestrielle ?
Recommended corrective action
  • Align HR and IT triggers so every leaver case creates a traceable revocation workflow. / Aligner les déclencheurs RH et IT afin que chaque départ crée un workflow de révocation traçable.
  • Require closure evidence for critical access removal. / Exiger une preuve de clôture pour les suppressions d'accès critiques.
  • Add monitoring for stale accounts or unclosed leaver tasks. / Ajouter une surveillance des comptes obsolètes ou des tâches de départ non clôturées.
Good response
A strong response accepts that the stale account reveals a process weakness, then strengthens trigger, ownership, and evidence capture rather than treating the case as a one-off mistake.
Weak response
A weak response focuses only on disabling the one sampled account and insists the general process is already good enough.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Describing control maturity
implementation
English

The control is partially implemented.

Français

La mesure est partiellement mise en œuvre.

Useful when the design exists but execution or evidence is still incomplete.
Explaining a stronger response
nonconformity
English

A strong corrective action addresses root cause, ownership, and closure evidence.

Français

Une action corrective solide traite la cause racine, la responsabilité et la preuve de clôture.

Useful when coaching teams to move beyond immediate fixes.
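Added example, not part of the lab and not any organization's tooling: a small Python reconciliation that does what the corrective actions in Case 6 and Case 7 ask for. It checks each leaver's access export against the HR trigger and reports accounts still enabled, revocations completed late, and removals with no closure ticket, so the result is evidence that can be sampled rather than a verbal confirmation. The HR feed, access export, user names, systems, dates and ticket identifiers are all constructed for illustration.

```python
"""Added example (not from the lab page): reconcile HR leaver triggers
against an access export to surface the Case 6 / Case 7 evidence gaps:
stale accounts, late revocation, and removals with no closure ticket.
Every person, system, date and ticket below is constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Leaver:
    user: str
    last_day: date
    hr_ticket: str  # HR trigger that should start the revocation workflow


@dataclass(frozen=True)
class AccessEntry:
    user: str
    system: str
    group: str
    enabled: bool
    disabled_on: Optional[date]
    revocation_ticket: Optional[str]  # closure evidence, when it exists


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    issue: str
    residual_days: int  # days of access beyond the last working day


# Constructed HR leaver feed (hypothetical people and ticket numbers)
LEAVERS = [
    Leaver("c.durand", date(2024, 3, 4), "HR-1021"),   # contractor
    Leaver("a.moreau", date(2024, 3, 11), "HR-1033"),
    Leaver("j.petit", date(2024, 3, 15), "HR-1040"),
]

# Constructed access export, as a quarterly review would pull it from each system
ACCESS_EXPORT = [
    # VPN group membership outlived the contract by 12 days; no ticket links it to HR-1021
    AccessEntry("c.durand", "vpn", "contractors-vpn", False, date(2024, 3, 16), None),
    AccessEntry("c.durand", "support-tool", "agents", False, date(2024, 3, 4), "IT-5587"),
    # leaver still enabled when the export was taken
    AccessEntry("a.moreau", "vpn", "staff-vpn", True, None, None),
    # disabled on time, but with no closure evidence
    AccessEntry("j.petit", "crm", "sales", False, date(2024, 3, 15), None),
    AccessEntry("j.petit", "vpn", "staff-vpn", False, date(2024, 3, 15), "IT-5601"),
    # current employee, not a leaver: must not be flagged
    AccessEntry("m.leroy", "vpn", "staff-vpn", True, None, None),
]


def reconcile(leavers, access, as_of, grace_days=1):
    """Return one Finding per control failure visible in the export.

    A leaver's entry fails when it is still enabled, when it was disabled
    more than grace_days after the last day, or when the removal has no
    ticket tying it back to the HR trigger (no closure evidence).
    """
    by_user = {leaver.user: leaver for leaver in leavers}
    findings = []
    for entry in access:
        leaver = by_user.get(entry.user)
        if leaver is None:
            continue  # only leavers are in scope for this check
        if entry.enabled or entry.disabled_on is None:
            residual = (as_of - leaver.last_day).days
            findings.append(Finding(entry.user, entry.system,
                                    "still enabled after last day", residual))
            continue
        residual = (entry.disabled_on - leaver.last_day).days
        if residual > grace_days:
            findings.append(Finding(entry.user, entry.system, "revoked late", residual))
        if entry.revocation_ticket is None:
            findings.append(Finding(entry.user, entry.system,
                                    f"no closure evidence for {leaver.hr_ticket}", residual))
    return findings


def summarize(findings):
    """Count findings by issue type and report the worst residual access."""
    counts = Counter(f.issue.split(" for ")[0] for f in findings)
    worst = max((f.residual_days for f in findings), default=0)
    return {"by_issue": dict(counts), "max_residual_days": worst}


def run_example():
    """Run the reconciliation over the constructed data as of 2024-03-31."""
    findings = reconcile(LEAVERS, ACCESS_EXPORT, as_of=date(2024, 3, 31))
    return findings, summarize(findings)


if __name__ == "__main__":
    results, summary = run_example()
    for f in results:
        print(f"{f.user:10} {f.system:13} {f.issue:36} {f.residual_days:>3}d")
    print(summary)
```

Run after every HR leaver event rather than only at the quarterly review, this check turns the 12-day VPN case from something discovered late into something detected inside the grace period, and each output row is the kind of record an auditor can sample against the HR trigger.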
Case 8 (Clause 8.1; Annex A (2022) 5.9, inventory of information and other associated assets)
The asset inventory is incomplete for in-scope systems
L'inventaire des actifs est incomplet pour les systèmes dans le périmètre
Business context
An e-commerce company moved quickly into new SaaS tools and cloud components while building its ISMS.
Scenario
The formal inventory covers the webshop, ERP, and office tooling, but omits the analytics warehouse, CI/CD runners, and a support integration that all touch the scoped customer service.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
asset-inventory
Formal inventory missing several active components
Inventaire formel omettant plusieurs composants actifs
The artifact exists but does not reflect the real technical estate.
system-log
Deployment logs reference CI/CD runners not listed in the inventory
Les logs de déploiement référencent des runners CI/CD non listés dans l'inventaire
Operations reveal dependencies that the inventory misses.
meeting-minutes
Architecture notes mention the omitted tools informally
Les notes d'architecture mentionnent les outils omis de manière informelle
Knowledge exists, but not in a controlled inventory process.
What the auditor notices
The organization cannot show complete visibility over the systems and services that support the in-scope environment.
What makes it systemic or isolated
The issue affects several omitted components tied to the same service, suggesting a weak process for keeping the inventory aligned with change.
Follow-up questions
  • How do new systems get added to the inventory after technical change? / Comment les nouveaux systèmes sont-ils ajoutés à l'inventaire après un changement technique ?
  • Which risk or control decisions may already be incomplete because these assets are missing? / Quelles décisions de risque ou de contrôle peuvent déjà être incomplètes parce que ces actifs manquent ?
Recommended corrective action
  • Refresh the inventory against the real architecture and service dependencies. / Rafraîchir l'inventaire par rapport à l'architecture réelle et aux dépendances de service.
  • Link inventory updates to the change-management flow. / Relier les mises à jour d'inventaire au flux de gestion des changements.
  • Assign owners and review cadence for inventory completeness. / Attribuer des responsables et une cadence de revue pour la complétude de l'inventaire.
Good response
A strong response accepts that asset visibility must follow the operating model and then closes the gap through a controlled update process, not a one-time spreadsheet cleanup.
Weak response
A weak response treats the omitted components as too technical or too minor to matter for the ISMS.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining inconsistent execution: the same English/French wording is given under Case 6.
Clarifying ISMS scope: the same English/French wording is given under Case 3.
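Added example, not from the page or any vendor: a Python check for the Case 8 gap. It parses deployment log lines, treats both the CI/CD runner and the deployment target as in-scope components, and lists every component that is in use but absent from the formal inventory, together with when it was first seen and how often. The key=value log format, component names, owning teams and timestamps are constructed; a real pipeline emits its own fields, so the regular expression is the part you would adapt.

```python
"""Added example (not from the lab page): find components that deployment
logs show in use but the formal asset inventory omits (the Case 8 gap).
The inventory, owners and log lines are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed formal inventory: asset id -> owning team
INVENTORY = {
    "webshop-prod": "ecommerce-platform",
    "erp-prod": "finance-it",
    "m365": "it-ops",
}

# Constructed deployment log excerpt; the key=value layout is an assumption of this example.
# The last line is deliberately malformed to show that format drift is reported, not ignored.
DEPLOY_LOG = """\
2024-05-02T09:14:03Z runner=ci-runner-07 target=webshop-prod action=deploy status=ok
2024-05-02T09:20:11Z runner=ci-runner-07 target=analytics-warehouse action=migrate status=ok
2024-05-02T10:02:45Z runner=ci-runner-12 target=support-integration action=deploy status=ok
2024-05-03T08:55:30Z runner=ci-runner-12 target=webshop-prod action=deploy status=failed
2024-05-03T11:40:00Z runner=ci-runner-07 target=analytics-warehouse action=deploy status=ok
this line does not match the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"runner=(?P<runner>\S+) target=(?P<target>\S+) "
    r"action=(?P<action>\S+) status=(?P<status>\S+)$"
)


@dataclass
class Observed:
    name: str
    role: str        # "runner" or "target", taken from the first sighting
    first_seen: str  # ISO-8601 timestamp, sorts lexicographically
    events: int


def observed_components(log_text):
    """Parse the log and return (components keyed by name, count of unparsed lines).

    Runners and targets both touch the scoped service, so both are
    components that belong in the inventory.
    """
    seen = {}
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # log format drift would silently hide components
            continue
        for role in ("runner", "target"):
            name = m.group(role)
            if name in seen:
                seen[name].events += 1
            else:
                seen[name] = Observed(name, role, m.group("ts"), 1)
    return seen, unparsed


def inventory_gaps(inventory, observed):
    """Components in use with no inventory entry, ordered by first sighting."""
    gaps = [c for name, c in observed.items() if name not in inventory]
    return sorted(gaps, key=lambda c: (c.first_seen, c.name))


def run_example():
    """Return (gaps, unparsed line count, share of observed components that are inventoried)."""
    observed, unparsed = observed_components(DEPLOY_LOG)
    gaps = inventory_gaps(INVENTORY, observed)
    coverage = 1 - len(gaps) / len(observed) if observed else 1.0
    return gaps, unparsed, round(coverage, 2)


if __name__ == "__main__":
    gaps, unparsed, coverage = run_example()
    for g in gaps:
        print(f"{g.role:7} {g.name:22} first seen {g.first_seen}  events={g.events}")
    print(f"inventoried share of observed components: {coverage:.0%}; unparsed lines: {unparsed}")
```

Wiring this into the change-management flow (run on each deployment, fail or alert on a non-empty gap list) is what makes the inventory follow the operating model instead of depending on a one-time spreadsheet cleanup; the unparsed-line count guards against the check going quiet when the pipeline changes its log format.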
Case 9 (Clause 8.1, Clause 6.1.3; Annex A (2022) 5.19 to 5.22, supplier relationships)
Supplier security review is claimed, but no review records exist
La revue sécurité fournisseur est revendiquée, mais aucune trace de revue n'existe
Business context
A technology-enabled service provider depends on multiple third parties for hosting, support tooling, and payment processing.
Scenario
Supplier review is described in the policy, but there are no completed due diligence packs, no renewal reassessment records, and no formal risk decisions for sampled critical suppliers.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
supplier-review-record
No completed review records for sampled critical suppliers
Aucune trace de revue complétée pour les fournisseurs critiques échantillonnés
The process claim exists, but execution evidence does not.
policy-standard
Supplier security review procedure
Procédure de revue sécurité fournisseur
The organization knows what it intended to do.
approval-record
Purchase approvals without any visible security decision
Validations d'achat sans décision sécurité visible
Commercial approval is being mistaken for security review.
What the auditor notices
Supplier governance is being asserted but not demonstrated for dependencies that materially affect the scoped service.
What makes it systemic or isolated
No sampled critical supplier had a review trail. This is not one missing file; it indicates that the supplier review process is not operating as claimed.
Follow-up questions
  • How do you decide a supplier is acceptable if there is no security review record? / Comment décidez-vous qu'un fournisseur est acceptable s'il n'existe aucune trace de revue sécurité ?
  • Which suppliers are considered critical to the scoped service today? / Quels fournisseurs sont considérés comme critiques pour le service dans le périmètre aujourd'hui ?
Recommended corrective action
  • Identify critical suppliers and define review criteria based on service and risk exposure. / Identifier les fournisseurs critiques et définir des critères de revue basés sur le service et l'exposition au risque.
  • Execute initial and renewal reviews with retained evidence and approval decisions. / Exécuter les revues initiales et de renouvellement avec conservation des preuves et des décisions d'approbation.
  • Feed supplier review outcomes into the risk register and SoA where relevant. / Alimenter le registre de risques et la SoA avec les sorties de revue fournisseur lorsque c'est pertinent.
Good response
A strong response accepts that policy without review records is not enough, then focuses on standing up a real supplier-governance workflow for critical suppliers first.
Weak response
A weak response says that large well-known suppliers are already secure and therefore do not require internal review evidence.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Requesting operational proof
audit
English

Please show the sampled evidence, not only the procedure.

Français

Merci de montrer la preuve échantillonnée, pas seulement la procédure.

A practical sentence for audit prep and live walkthroughs.
Describing a pattern
nonconformity
English

This looks systemic rather than isolated.

Français

Cela semble systémique plutôt qu'isolé.

Use this when similar weaknesses appear across teams, systems, or periods.
Case 10: Clause 8.1
The incident process exists, but incidents were not logged or escalated as defined
Le processus d'incident existe, mais les incidents n'ont pas été enregistrés ni escaladés comme défini
Business context
A fintech startup has documented incident handling to reassure customers and investors.
Scenario
A phishing event was handled in Slack, the affected mailbox was reset, and the issue was considered closed. No incident ticket, no severity assignment, and no lesson-learned record were created.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
incident-record
No incident ticket or formal record for the sampled event
Aucun ticket d'incident ni enregistrement formel pour l'événement échantillonné
The documented process was bypassed in practice.
policy-standard
Documented incident response workflow
Workflow documenté de réponse à incident
The intended process is clear on paper.
system-log
Mail-security logs showing the event occurred
Logs de sécurité mail montrant que l'événement a eu lieu
Operational evidence exists, but not the governance trail around response.
What the auditor notices
The organization can describe the process, but the sampled incident shows that real execution may still depend on informal habits.
What makes it systemic or isolated
One sample alone is not enough to prove full system collapse, but the reliance on informal channels suggests the issue may extend beyond one event.
Follow-up questions
  • How do you know future incidents will be logged and escalated formally rather than in chat? / Comment savez-vous que les incidents futurs seront enregistrés et escaladés formellement plutôt que dans le chat ?
  • Where are lesson-learned outputs captured for management review or improvement? / Où sont capturés les retours d'expérience pour la revue de direction ou l'amélioration ?
Recommended corrective action
  • Require formal incident logging for the defined event categories. / Exiger un enregistrement formel des incidents pour les catégories d'événements définies.
  • Train responders and managers on the expected escalation path. / Former les intervenants et managers sur le circuit d'escalade attendu.
  • Review recent incidents to confirm whether the weakness is broader than one case. / Revoir les incidents récents pour confirmer si la faiblesse dépasse un seul cas.
Good response
A strong response treats the sampled event as evidence of a workflow weakness, then checks whether other incidents show the same pattern before claiming the issue is isolated.
Weak response
A weak response says the team solved the problem quickly, so documentation was unnecessary.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining inconsistent execution
evidence
English

The process exists but is not consistently evidenced.

Français

Le processus existe mais n'est pas démontré de manière cohérente.

This phrasing is stronger than saying the process is missing when the real issue is execution discipline.
Requesting operational proof
audit
English

Please show the sampled evidence, not only the procedure.

Français

Merci de montrer la preuve échantillonnée, pas seulement la procédure.

A practical sentence for audit prep and live walkthroughs.
Case 11: Clause 8.1
The backup process exists, but restore testing evidence is missing
Le processus de sauvegarde existe, mais la preuve de test de restauration manque
Business context
A payroll processor relies on nightly backups to support customer continuity commitments.
Scenario
Monitoring shows backup jobs completing successfully, but there is no restore test report for the ERP or customer database in the last 14 months and no documented learning from any exercise.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
system-log
Nightly backup-job success reports
Rapports de réussite des jobs de sauvegarde nocturnes
There is good evidence that backups run regularly.
restore-test-evidence
No recent restore test record for sampled critical systems
Aucune trace récente de test de restauration pour les systèmes critiques échantillonnés
Recoverability is being assumed rather than demonstrated.
meeting-minutes
Continuity meeting notes mention testing as a future action
Les notes de réunion continuité mentionnent les tests comme une action future
Awareness exists, but not a current evidence trail.
What the auditor notices
The organization can prove backup activity, but not recoverability for sampled critical systems.
What makes it systemic or isolated
The missing restore evidence affects more than one critical system and one period, which suggests a recurring execution gap rather than a single paperwork miss.
Follow-up questions
  • Which critical systems have been restored successfully in the last year and where is that evidence? / Quels systèmes critiques ont été restaurés avec succès l'an dernier et où est la preuve ?
  • What did the organization learn from the most recent continuity exercise? / Qu'a appris l'organisation du dernier exercice de continuité ?
Recommended corrective action
  • Plan and execute restore tests for sampled critical systems. / Planifier et exécuter des tests de restauration pour les systèmes critiques échantillonnés.
  • Document scope, timing, outcome, and follow-up actions for each exercise. / Documenter le périmètre, le timing, le résultat et les actions de suivi pour chaque exercice.
  • Integrate restore testing into the continuity review cadence. / Intégrer les tests de restauration à la cadence de revue de continuité.
Good response
A strong response distinguishes backup-job evidence from restore-test evidence and commits to proving recoverability rather than defending job success alone.
Weak response
A weak response says backups are obviously fine because the monitoring dashboard is green.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Requesting operational proof
audit
English

Please show the sampled evidence, not only the procedure.

Français

Merci de montrer la preuve échantillonnée, pas seulement la procédure.

A practical sentence for audit prep and live walkthroughs.
Talking about continuity evidence
evidence
English

Backup jobs are visible, but restore testing was not evidenced.

Français

Les jobs de sauvegarde sont visibles, mais le test de restauration n'a pas été démontré.

This distinguishes activity output from effectiveness evidence.
Case 12: Clauses 7.2 and 7.3
The awareness programme exists, but attendance and effectiveness evidence is weak
Le programme de sensibilisation existe, mais la preuve de présence et d'efficacité est faible
Business context
An insurance broker runs annual security awareness for office and remote sales populations.
Scenario
The awareness deck exists and office attendance is tracked, but remote sales populations are missing from the attendance data and no quiz, phishing, or effectiveness indicator is available.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
training-attendance
Attendance list covers only part of the target population
La liste de présence ne couvre qu'une partie de la population cible
Completion is not visible for everyone in scope.
policy-standard
Documented annual awareness programme
Programme annuel de sensibilisation documenté
The programme exists and has assigned timing.
meeting-minutes
No review of training effectiveness in governance notes
Aucune revue de l'efficacité de la formation dans les notes de gouvernance
Completion may be tracked partially, but effectiveness is not being challenged.
What the auditor notices
The programme exists, but the organization cannot yet show complete reach or whether the learning changed behavior.
What makes it systemic or isolated
The weakness is visible across some populations, but there is still meaningful programme activity. At this stage the issue is better described as an improvement opportunity than as a full nonconformity.
Follow-up questions
  • How do you confirm completion for remote populations? / Comment confirmez-vous la réalisation pour les populations distantes ?
  • How do you know the programme improved awareness rather than only attendance? / Comment savez-vous que le programme a amélioré la sensibilisation plutôt que seulement la présence ?
Recommended corrective action
  • Expand attendance capture to all target populations. / Étendre la capture de présence à toutes les populations cibles.
  • Add a light effectiveness measure such as quiz results or phishing outcomes. / Ajouter une mesure simple d'efficacité comme les résultats de quiz ou de phishing.
  • Review awareness outcomes in governance rather than tracking completion alone. / Revoir les résultats de sensibilisation en gouvernance plutôt que de suivre seulement la réalisation.
Good response
A strong response accepts that awareness is not only about content delivery and commits to closing both the population-coverage and effectiveness gaps.
Weak response
A weak response says the policy exists and therefore the awareness control should be considered complete.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Describing control maturity
implementation
English

The control is partially implemented.

Français

La mesure est partiellement mise en œuvre.

Useful when the design exists but execution or evidence is still incomplete.
Explaining an evidence gap
evidence
English

Evidence was not available for the sampled period.

Français

La preuve n'était pas disponible pour la période échantillonnée.

A neutral but precise way to explain why a process claim is not yet supported.
Case 13: Clauses 10.1 and 10.2
Corrective actions are raised, but not tracked to closure
Les actions correctives sont ouvertes, mais pas suivies jusqu'à la clôture
Business context
An organization uses internal audits and reviews, but struggles to keep improvement work visible across teams.
Scenario
A corrective-action tracker exists with owners, but several items have no due date, no verification note, and the same access-review issue appears again in a later audit sample.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
ticket-workflow
Tracker with open items but weak closure evidence
Suivi avec éléments ouverts mais preuve de clôture faible
Actions are being recorded, but not fully controlled through completion.
internal-audit-report
Repeated finding visible across audit cycles
Constat récurrent visible sur plusieurs cycles d'audit
Recurrence suggests closure discipline is weak.
approval-record
No clear sign-off on completed actions
Pas de validation claire des actions terminées
The organization cannot show who verified effectiveness.
What the auditor notices
The organization raises actions, but the management-system loop from finding to verified improvement is not reliably closed.
What makes it systemic or isolated
The recurrence of the same issue across audit cycles suggests the weakness is broader than one overdue task.
Follow-up questions
  • Who verifies that an action really addressed the root cause before closure? / Qui vérifie qu'une action a réellement traité la cause racine avant clôture ?
  • Why did the same issue reappear if the previous action had been marked complete? / Pourquoi le même sujet a-t-il réapparu si l'action précédente avait été marquée comme terminée ?
Recommended corrective action
  • Define mandatory closure evidence and verification criteria. / Définir une preuve de clôture obligatoire et des critères de vérification.
  • Add due dates, escalation, and ageing review for open actions. / Ajouter dates d'échéance, escalade et revue d'ancienneté des actions ouvertes.
  • Check repeated issues for weak root-cause analysis. / Examiner les sujets récurrents sous l'angle d'une analyse de cause racine insuffisante.
Good response
A strong response focuses on root cause, verification, and recurrence prevention rather than only updating the tracker status field.
Weak response
A weak response closes overdue actions administratively because the responsible person says the issue is 'handled'.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Describing a pattern
nonconformity
English

This looks systemic rather than isolated.

Français

Cela semble systémique plutôt qu'isolé.

Use this when similar weaknesses appear across teams, systems, or periods.
Explaining a stronger response
nonconformity
English

A strong corrective action addresses root cause, ownership, and closure evidence.

Français

Une action corrective solide traite la cause racine, la responsabilité et la preuve de clôture.

Useful when coaching teams to move beyond immediate fixes.
Case 14: Clauses 6.1.3 and 6.1.4
The risk register exists, but treatment decisions are not traceable
Le registre des risques existe, mais les décisions de traitement ne sont pas traçables
Business context
A manufacturing group has spent time on risk scoring but less time on formalizing treatment logic.
Scenario
The register lists dozens of scored risks, but the treatment column contains phrases such as 'handled' or 'monitor', with no decision owner, no target date, no residual-risk view, and no link to selected controls.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
risk-register
Scored register with shallow treatment wording
Registre scoré avec une formulation de traitement superficielle
Assessment exists, but treatment logic is not decision-grade.
soa
Some control decisions exist, but not linked back to register items
Certaines décisions de mesures existent, mais sans lien retour vers les entrées du registre
The bridge between risk and controls is weak.
approval-record
No visible approval of individual treatment decisions
Aucune approbation visible des décisions individuelles de traitement
Decision authority is not evidenced.
What the auditor notices
The organization can show assessed risk, but not how assessment became owned treatment decisions that drive implementation.
What makes it systemic or isolated
The weakness affects the entire register structure and its linkage to controls, not one badly filled cell.
Follow-up questions
  • Who approved the treatment path for this high-priority risk? / Qui a approuvé le choix de traitement pour ce risque prioritaire ?
  • Which control or project shows that this treatment decision is being implemented? / Quelle mesure ou quel projet montre que cette décision de traitement est en cours de mise en œuvre ?
Recommended corrective action
  • Define mandatory fields for treatment owner, decision, due date, and control linkage. / Définir des champs obligatoires pour le responsable de traitement, la décision, l'échéance et le lien vers les mesures.
  • Link high-priority risks to SoA positions and implementation actions. / Relier les risques prioritaires aux positions SoA et aux actions de mise en œuvre.
  • Approve treatment decisions through a visible governance step. / Approuver les décisions de traitement via une étape de gouvernance visible.
Good response
A strong response treats the register as a decision system, not a scoring archive, and rebuilds treatment traceability accordingly.
Weak response
A weak response argues that the scoring column is the important part and that treatment wording can stay informal.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining poor traceability
risk
English

The risk treatment decision is not traceable.

Français

La décision de traitement du risque n'est pas traçable.

Useful when a register exists but treatment logic cannot be linked to owners, dates, or controls.
Commenting on SoA quality
soa
English

The SoA rationale is too generic for audit reliance.

Français

La justification de la SoA est trop générique pour être fiable en audit.

Useful when applicability statements are broad, unsupported, or disconnected from risk treatment.
Case 15: Clause 8.1
Change management exists informally, but not consistently in the system of record
La gestion des changements existe de manière informelle, mais pas de façon cohérente dans le système de référence
Business context
A fast-moving engineering team ships often and relies on chat and shared calendars to coordinate production changes.
Scenario
Major releases usually have tickets, but emergency changes and higher-risk operational changes are often approved in chat with no durable approval or rollback evidence attached to the formal workflow.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
ticket-workflow
Formal change tickets for standard releases
Tickets de changement formels pour les versions standard
The process exists for planned work, but not consistently for higher-pressure cases.
approval-record
Chat approvals for emergency changes
Approbations dans le chat pour les changements urgents
Approval exists informally, but the audit trail is weak.
meeting-minutes
Post-release reviews note rushed changes but do not link them back to workflow gaps
Les revues post-release notent des changements précipités sans les relier aux lacunes de workflow
The weakness is noticed, but not controlled.
What the auditor notices
The organization has a change process, but its discipline weakens precisely when risk is highest.
What makes it systemic or isolated
The issue appears when speed and pressure increase, which suggests a recurring control-design or discipline weakness rather than one forgotten ticket.
Follow-up questions
  • How are emergency changes approved and evidenced today? / Comment les changements urgents sont-ils approuvés et démontrés aujourd'hui ?
  • Where is rollback readiness or post-change review captured for higher-risk changes? / Où la préparation au rollback ou la revue post-changement est-elle capturée pour les changements à plus haut risque ?
Recommended corrective action
  • Bring emergency and high-risk changes into the formal workflow with minimum mandatory fields. / Faire entrer les changements urgents et à haut risque dans le workflow formel avec un minimum de champs obligatoires.
  • Retain approval and rollback evidence in the system of record. / Conserver la preuve d'approbation et de rollback dans le système de référence.
  • Review recent emergency changes to see whether the weakness is broader than sampled cases. / Revoir les changements urgents récents pour voir si la faiblesse dépasse les cas échantillonnés.
Good response
A strong response recognizes that high-pressure changes need the strongest evidence discipline, not the weakest, and adjusts the workflow accordingly.
Weak response
A weak response says documenting emergency changes would slow the team down too much.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Describing control maturity
implementation
English

The control is partially implemented.

Français

La mesure est partiellement mise en œuvre.

Useful when the design exists but execution or evidence is still incomplete.
Explaining inconsistent execution
evidence
English

The process exists but is not consistently evidenced.

Français

Le processus existe mais n'est pas démontré de manière cohérente.

This phrasing is stronger than saying the process is missing when the real issue is execution discipline.
Case 16: Clauses 5.2 and 7.5
The information security policy is outdated and misaligned with the current context
La politique de sécurité de l'information est obsolète et désalignée du contexte actuel
Business context
A company expanded through acquisition and moved to a cloud-first operating model during the certification cycle.
Scenario
The policy still names a departed leader, describes a pre-acquisition scope, and has not been re-approved since major organizational and technical changes were introduced.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
policy-standard
Policy version approved before major scope and leadership changes
Version de politique approuvée avant de grands changements de périmètre et de leadership
The document exists, but no longer matches the operating reality.
approval-record
No re-approval after the operating-model change
Aucune réapprobation après le changement de modèle opérationnel
Leadership has not visibly reconfirmed the policy direction.
meeting-minutes
Leadership discussions acknowledge change, but not policy refresh
Les discussions de direction reconnaissent les changements, mais pas l'actualisation de la politique
The gap is known, but not formally addressed.
What the auditor notices
The policy still exists, but it no longer represents the system leadership says it is governing.
What makes it systemic or isolated
The problem concerns one core policy artifact, not every clause mechanism, so it is important but not necessarily systemic across the full ISMS.
Follow-up questions
  • When was leadership last asked to confirm the policy direction against the current context? / Quand la direction a-t-elle été sollicitée pour confirmer la politique au regard du contexte actuel ?
  • How do teams know which version is authoritative today? / Comment les équipes savent-elles quelle version fait autorité aujourd'hui ?
Recommended corrective action
  • Refresh the policy to reflect the current scope, leadership structure, and operating model. / Actualiser la politique pour refléter le périmètre, la structure de direction et le modèle opérationnel actuels.
  • Re-approve and communicate the refreshed policy. / Réapprouver et communiquer la politique actualisée.
  • Tie future policy review to major organizational or scope changes. / Lier les futures revues de politique aux changements majeurs d'organisation ou de périmètre.
Good response
A strong response recognizes that policy credibility depends on current context and quickly refreshes both content and approval rather than defending the old version.
Weak response
A weak response says the policy still expresses the same values, so a formal update is unnecessary.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Describing control maturity
implementation
English

The control is partially implemented.

Français

La mesure est partiellement mise en œuvre.

Useful when the design exists but execution or evidence is still incomplete.
Challenging management review quality
audit
English

The minutes do not show the required management review inputs.

Français

Le compte rendu ne montre pas les intrants requis de la revue de direction.

This keeps the discussion evidence-based instead of turning it into a debate about meeting labels.
Case 17: Clauses 6.2 and 9.1
Security objectives are stated but not measurable or monitored
Les objectifs sécurité sont énoncés mais ni mesurables ni suivis
Business context
A logistics company wants to show that its ISMS drives performance, not only documentation.
Scenario
Objectives such as 'improve security culture' and 'strengthen resilience' are documented, but there are no measures, target values, review cadence, or owner accountability visible in the evidence trail.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
policy-standard
Objectives page with aspirational wording only
Page d'objectifs avec une formulation purement aspirationnelle
Objectives exist in theory, but not in measurable form.
management-review-minutes
No trend review against objectives
Aucune revue de tendance contre les objectifs
Management review cannot show whether objectives are progressing.
approval-record
Leadership endorsed the objectives list but not any metrics or target thresholds
La direction a validé la liste d'objectifs, mais pas de métriques ni seuils cibles
Leadership approved the aspiration, not the measurement.
What the auditor notices
The organization can say what it wants, but not how it knows whether the ISMS is performing against those aims.
What makes it systemic or isolated
The weakness is structural across the objective set rather than a single missing KPI.
Follow-up questions
  • How do you know whether these objectives improved during the sampled period? / Comment savez-vous si ces objectifs se sont améliorés pendant la période échantillonnée ?
  • Who owns the target level and review cadence for each objective? / Qui porte le niveau cible et la cadence de revue pour chaque objectif ?
Recommended corrective action
  • Add measurable indicators, targets, owners, and review cadence for each objective. / Ajouter pour chaque objectif des indicateurs mesurables, des cibles, des responsables et une cadence de revue.
  • Review objective performance formally in management review. / Revoir formellement la performance des objectifs en revue de direction.
  • Remove objectives that cannot be translated into decision-useful measures. / Retirer les objectifs qui ne peuvent pas être traduits en mesures utiles à la décision.
Good response
A strong response turns vague ambition into a small number of decision-useful metrics and shows where leadership will review them.
Weak response
A weak response argues that security objectives are naturally qualitative and therefore cannot be monitored in a meaningful way.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Challenging management review quality
audit
English

The minutes do not show the required management review inputs.

Français

Le compte rendu ne montre pas les intrants requis de la revue de direction.

This keeps the discussion evidence-based instead of turning it into a debate about meeting labels.
Explaining business value
meeting
English

We pursue ISO 27001 to make security decisions repeatable, credible, and governable.

Français

Nous poursuivons l'ISO 27001 pour rendre les décisions de sécurité répétables, crédibles et pilotables.

This keeps the discussion focused on management-system value rather than only certification optics.
Case 18: Clauses 5.3 and 7.1
ISMS roles and responsibilities are unclear
Les rôles et responsabilités du SMSI sont flous
Business context
An early-stage AI platform has grown fast and formalized some security practices later than the business would like.
Scenario
Teams disagree on who approves risk acceptance, who owns supplier reviews, and who is responsible for coordinating internal audits. Everyone says 'security handles it', but no formal responsibility record exists.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
policy-standard
Policy references leadership commitment but not clear role allocation
La politique évoque l'engagement de la direction mais pas une répartition claire des rôles
Intent is expressed, but responsibilities are not made operational.
approval-record
No RACI or responsibility matrix approved
Aucune matrice RACI ou de responsabilités approuvée
Ownership is assumed rather than defined.
meeting-minutes
Repeated discussion on who should own specific ISMS tasks
Discussions répétées sur qui devrait porter certaines tâches SMSI
The ambiguity is visible in practice.
What the auditor notices
The system may have committed individuals, but it lacks a clear ownership model for core ISMS decisions and activities.
What makes it systemic or isolated
The ambiguity affects several recurring decisions, which makes the issue structurally important even if the system still functions around it.
Follow-up questions
  • Who is accountable for approving residual-risk acceptance today? / Qui est responsable d'approuver l'acceptation du risque résiduel aujourd'hui ?
  • Where are ISMS roles and responsibilities formally communicated? / Où les rôles et responsabilités SMSI sont-ils formellement communiqués ?
Recommended corrective action
  • Define and approve role ownership for key ISMS decisions and activities. / Définir et approuver la responsabilité des décisions et activités SMSI clés.
  • Communicate the responsibility model to process owners and leadership. / Communiquer le modèle de responsabilité aux responsables de processus et à la direction.
  • Use internal audit or review to test whether the assigned roles are working in practice. / Utiliser l'audit interne ou la revue pour tester si les rôles attribués fonctionnent dans la pratique.
Good response
A strong response clarifies decision ownership quickly and makes it visible enough that different teams answer consistently when asked.
Weak response
A weak response says everyone collaborates anyway, so formal ownership is not necessary.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining a stronger response
nonconformity
English

A strong corrective action addresses root cause, ownership, and closure evidence.

Français

Une action corrective solide traite la cause racine, la responsabilité et la preuve de clôture.

Useful when coaching teams to move beyond immediate fixes.
Explaining business value
meeting
English

We pursue ISO 27001 to make security decisions repeatable, credible, and governable.

Français

Nous poursuivons l'ISO 27001 pour rendre les décisions de sécurité répétables, crédibles et pilotables.

This keeps the discussion focused on management-system value rather than only certification optics.
Case 19: Clauses 4.2 and 6.1.3
The legal and contractual requirements register is outdated
Le registre des exigences légales et contractuelles est obsolète
Business context
A French BPO serves EU clients with evolving contract clauses and incident-reporting expectations.
Scenario
The obligations register omits newer customer logging clauses, a revised incident-notification expectation, and an updated internal privacy escalation requirement tied to French regulatory practice.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
policy-standard
Requirements register last updated before recent contract changes
Registre des exigences mis à jour avant les récents changements contractuels
The register exists but has fallen behind operational reality.
meeting-minutes
Commercial reviews mention new commitments without formal ISMS update
Les revues commerciales mentionnent de nouveaux engagements sans mise à jour formelle du SMSI
The business knows requirements changed, but the ISMS record did not catch up.
approval-record
No ownership evidence for periodic requirements review
Aucune preuve de responsabilité pour la revue périodique des exigences
Review responsibility is not visible.
What the auditor notices
The organization may understand obligations commercially, but it cannot show a controlled ISMS mechanism that keeps requirements current and actionable.
What makes it systemic or isolated
Several changed obligations were missed, which indicates a recurring maintenance weakness rather than one missed line item.
Follow-up questions
  • Who reviews changed customer security obligations and how often? / Qui revoit les évolutions des obligations de sécurité client et à quelle fréquence ?
  • How are new obligations fed into risk treatment and control decisions? / Comment les nouvelles obligations alimentent-elles le traitement du risque et les décisions de mesure ?
Recommended corrective action
  • Refresh the requirements register against current contracts and internal obligations. / Mettre à jour le registre des exigences par rapport aux contrats actuels et obligations internes.
  • Assign ownership and review cadence for ongoing maintenance. / Assigner une responsabilité et une cadence de revue pour le maintien continu.
  • Link changed requirements to risk treatment, the Statement of Applicability (SoA), or operational actions where needed. / Relier les exigences modifiées au risque, à la SoA ou aux actions opérationnelles lorsque nécessaire.
Good response
A strong response treats the register as a live decision input and reconnects it to risk and control changes rather than filing it as a legal appendix.
Weak response
A weak response says account managers know the customer expectations anyway, so formal maintenance of the register is not critical.

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining poor traceability
risk
English

The risk treatment decision is not traceable.

Français

La décision de traitement du risque n'est pas traçable.

Useful when a register exists but treatment logic cannot be linked to owners, dates, or controls.
Explaining business value
meeting
English

We pursue ISO 27001 to make security decisions repeatable, credible, and governable.

Français

Nous poursuivons l'ISO 27001 pour rendre les décisions de sécurité répétables, crédibles et pilotables.

This keeps the discussion focused on management-system value rather than only certification optics.
Case 20: Clause 8.1, Clause 9.1
Logging exists, but review evidence for privileged activity is inconsistent
La journalisation existe, mais la preuve de revue des activités à privilèges est incohérente
Business context
A cloud operations team retains central logs for privileged and production activity.
Scenario
The SIEM collects admin events, but sampled months show only ad hoc notes of review, with no clear review cadence, no documented anomalies, and no evidence for one high-risk production change window.
Would this likely be major, minor, or observation?
Is the available evidence sufficient, weak, partial, or absent?
Evidence available
system-log
Centralized privileged-activity logs
Logs centralisés d'activité à privilèges
The data source exists and appears technically robust.
meeting-minutes
Ad hoc review notes with no owner or cadence
Notes de revue ad hoc sans responsable ni cadence
Review happens informally, not as a controlled activity.
ticket-workflow
One anomaly was investigated, but no consistent review record exists
Une anomalie a été investiguée, mais aucune trace cohérente de revue n'existe
Reactive evidence exists; proactive evidence is weaker.
What the auditor notices
The organization can prove log collection, but not a reliable review discipline for high-risk privileged activity.
What makes it systemic or isolated
The weakness is visible in cadence and documentation, but not necessarily in the underlying technical control. That makes it more of a maturity issue than a control collapse.
Follow-up questions
  • Who reviews privileged-activity logs, how often, and what evidence is retained? / Qui revoit les logs d'activité à privilèges, à quelle fréquence et quelle preuve est conservée ?
  • How do you know anomalies will be spotted in periods where no incident has yet been raised? / Comment savez-vous que des anomalies seront détectées pendant les périodes où aucun incident n'a encore été signalé ?
Recommended corrective action
  • Define a documented review cadence and retained evidence for privileged-activity review. / Définir une cadence de revue documentée et une preuve conservée pour la revue des activités à privilèges.
  • Add owner accountability and anomaly follow-up records. / Ajouter une responsabilité nominative et des traces de suivi des anomalies.
  • Sample the last few months to confirm whether the weakness is wider than the audit sample. / Échantillonner les derniers mois pour confirmer si la faiblesse dépasse l'échantillon d'audit.
Good response
A strong response acknowledges that log existence and log review are not the same thing, then builds a sustainable review trail.
Weak response
A weak response says the SIEM already stores everything, so review evidence is optional.
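The sampling step in the corrective action above can be done mechanically. The script below is an added example, not part of the lab page or any real ISMS tooling: it reconciles constructed privileged-activity events (the kind a SIEM exports) against constructed review records, classifies each month of activity as sufficient, weak, or absent based only on what evidence was retained, and reports any sampled high-risk change window that no review record explicitly examined. Field names, ticket IDs, actor names and the 14-day review lag are assumptions chosen for illustration.

```python
"""Added example: reconcile privileged-activity logs against retained review
evidence. All data, names and thresholds below are constructed assumptions."""
from __future__ import annotations

import calendar
from datetime import date

# Constructed sample of privileged events as a SIEM might export them:
# (date, actor, action, linked change ticket or None). Names are invented.
PRIVILEGED_EVENTS = [
    (date(2024, 3, 4), "ops-admin-1", "sudo root on prod-db-01", None),
    (date(2024, 3, 18), "ops-admin-2", "iam:AttachRolePolicy", "CHG-1041"),
    (date(2024, 4, 9), "ops-admin-1", "kubectl exec into prod pod", None),
    (date(2024, 4, 27), "ops-admin-3", "prod hotfix deploy", "CHG-1077"),
    (date(2024, 5, 2), "ops-admin-2", "sudo root on prod-db-02", None),
]

# Constructed review evidence: what the team could actually show an auditor.
# A complete record names a reviewer, a review date, an anomaly disposition
# and the change tickets examined. None marks a field that was never filled.
REVIEW_RECORDS = [
    {"period": "2024-03", "reviewer": "ops-lead", "reviewed_on": date(2024, 4, 3),
     "anomalies": 0, "tickets_checked": {"CHG-1041"}},
    {"period": "2024-04", "reviewer": None, "reviewed_on": date(2024, 5, 6),
     "anomalies": None, "tickets_checked": set()},  # ad hoc note, no owner
    # no record at all for 2024-05
]

# Constructed: the high-risk production change window the auditor sampled.
HIGH_RISK_CHANGES = {"CHG-1077"}


def month_key(d: date) -> str:
    return f"{d.year:04d}-{d.month:02d}"


def period_end(period: str) -> date:
    """Last calendar day of a 'YYYY-MM' period."""
    year, month = (int(x) for x in period.split("-"))
    return date(year, month, calendar.monthrange(year, month)[1])


def assess_review_evidence(events, records, max_lag_days=14):
    """Classify each month with privileged activity as 'sufficient',
    'weak: <reasons>' or 'absent', judged only on retained evidence."""
    months_with_activity = sorted({month_key(ts) for ts, *_ in events})
    by_period = {r["period"]: r for r in records}
    findings = {}
    for period in months_with_activity:
        rec = by_period.get(period)
        if rec is None:
            findings[period] = "absent"  # activity happened, nothing was reviewed
            continue
        problems = []
        if not rec.get("reviewer"):
            problems.append("no owner")
        if rec.get("anomalies") is None:
            problems.append("no anomaly disposition")
        if (rec["reviewed_on"] - period_end(period)).days > max_lag_days:
            problems.append(f"reviewed >{max_lag_days} days after period end")
        findings[period] = "sufficient" if not problems else "weak: " + ", ".join(problems)
    return findings


def unreviewed_high_risk_changes(events, records, high_risk_changes):
    """High-risk change tickets seen in the logs that no review record
    explicitly examined: the 'change window with no evidence' an auditor flags."""
    checked = set().union(*(r["tickets_checked"] for r in records))
    seen = {ticket for *_, ticket in events if ticket in high_risk_changes}
    return sorted(seen - checked)


if __name__ == "__main__":
    for period, verdict in assess_review_evidence(PRIVILEGED_EVENTS, REVIEW_RECORDS).items():
        print(period, "->", verdict)
    print("unreviewed high-risk changes:",
          unreviewed_high_risk_changes(PRIVILEGED_EVENTS, REVIEW_RECORDS, HIGH_RISK_CHANGES))
```

Run over a real export, the per-month verdicts answer the auditor's follow-up question directly (who reviewed, how often, what was retained), and the high-risk-change check separates "the SIEM stores everything" from "someone looked at the window that mattered". Extending the sample back several months shows whether the weakness is wider than the audit sample, which is what the third corrective action asks for.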

Bilingual wording for this case

Language you can use in close-out meetings, walkthroughs, or readiness reviews.

Explaining inconsistent execution
evidence
English

The process exists but is not consistently evidenced.

Français

Le processus existe mais n'est pas démontré de manière cohérente.

This phrasing is stronger than saying the process is missing when the real issue is execution discipline.
Requesting operational proof
audit
English

Please show the sampled evidence, not only the procedure.

Français

Merci de montrer la preuve échantillonnée, pas seulement la procédure.

A practical sentence for audit prep and live walkthroughs.