When is it possible for the auditor NOT to perform a follow-up audit?

The auditor may determine that a follow-up audit is not necessary in the case of a minor nonconformity. Minor nonconformities typically indicate a small issue that does not significantly impact the overall compliance with the ISO/IEC 27001 standard or the effectiveness of the information security management system (ISMS). These might include procedural discrepancies that can be addressed without extensive investigation into the system as a whole.

In such situations, the organization may be able to resolve the minor issues through corrective action without the need for a formal follow-up audit. The focus of the auditor, in this case, shifts to monitoring the implementation of the correction in the regular audit cycle rather than incurring additional costs and resources for a follow-up audit.

Follow-up audits are usually reserved for more significant nonconformities, where the potential impact on the organization or compliance is greater and requires reassurance that corrective actions have been effectively implemented. Thus, determining that a follow-up audit is not warranted due to a minor nonconformity aligns with practical approaches in auditing where resources are allocated efficiently based on risk and impact.