When implementing a management system (such as an ISMS, or SGSI-ISO27001), we need to understand the difference between several concepts. The one I’d like to discuss with you is the difference between an event, an incident and a non-conformity.
Can you tell the difference between these concepts?
The ISO 27000 standard provides the definitions I’m presenting here:
Event
Clause 3.21 describes an event as an occurrence or change in a system.
Applied to cybersecurity, an information security event indicates that an action has taken place on a system, typically involving access, a change, or a read/write operation.
The event may indicate that an element of the information security policy has not been respected.
An event can be a one-off or a recurring event. It can have several causes.
An event can also consist of something that doesn’t happen.
An event may be classified as an “incident” if it compromises system security, but an event is not always an incident.
Security incident
ISO 27000 clause 3.31 defines an information security incident as:
one or more undesirable or unexpected information security events with a high probability of compromising the organization’s business operations and threatening information security.
In other words, an information security incident is one or more unwanted or unexpected information security events that could compromise information security and weaken or disrupt operations.
Non-conformity
Finally, clause 3.47 of ISO 27000 describes a non-conformity as the failure to satisfy a requirement or control.
Typically, a non-conformity does not directly compromise the security of information systems; rather, it means that the security program or information security management system does not meet one of its requirements.
Major
A major non-conformity is a breach or deviation that has a significant impact on information security. It can result in data security risks, significant disruption to business operations and major financial losses. A major non-conformity requires immediate action to correct the problem and prevent further damage.
Minor
A minor non-conformity is a violation or deviation from the standard’s requirements that has no significant impact on information security. It can be corrected quickly and easily, without disrupting normal business operations.
OFI – Opportunity for improvement
An Opportunity for Improvement (OFI) is a suggestion or idea for improving the company’s information security management processes or practices. It is typically identified by the auditor during the audit and presented to company management for consideration.
Opportunities for improvement can relate to areas such as implementing new processes, improving existing documentation, introducing new security tools or improving existing processes. They are not necessarily linked to a non-conformity, but are seen as an opportunity for the company to improve its processes and thus enhance information security.
It is important to note that improvement opportunities are not requirements of ISO 27001, but they can help companies to improve compliance and enhance information security. It is therefore important for companies to consider the opportunities for improvement proposed by the auditor and include them in their continuous improvement plan.
Do you know how to manage your:
1) Security events?
2) Security incidents?
3) Non-conformities?
You must have a written, shared and followed procedure for all of these cases!
I invite you to click on “Follow” to continue learning more about the field of information security.