No real client data appears below. The company is fictional. The clauses, the evidence-trace method, and the verdict language are not — this is the same format and the same standard applied to every engagement.
Four findings raised across seven clauses sampled. Two Major Nonconformities, one Minor Nonconformity, one Opportunity for Improvement. The management system is documented to a defensible standard. The evidence chain beneath it is not.
A surveillance auditor sampling these same clauses under standard ISO 17021-1 sampling intensity would, on the balance of probability, surface Findings 01 and 02 independently. Neither requires unusual diligence to find. Both are reachable through first-pass evidence requests.
Finding 01: Major Nonconformity, Clause 6.1.3
Risk Register entry RR-014 (“Third-party access logging gap — vendor portal”) was risk-assessed and a treatment plan approved by the ISMS Steering Group on 14 February. Target completion: 30 April. As of the audit sample date, the control remains unimplemented. No revised target date exists in the register. No escalation record exists.
Evidence trace: Risk Register RR-014 (approval minute) → IT Operations sprint backlog (ticket VPN-2231, status: backlog, untouched 6 months) → Management Review minutes, Q1 and Q2 (no mention of RR-014 in either).
Clause 6.1.3 requires that risk treatment plans be implemented. A plan that exists only as a document, with no enforced checkpoint and no escalation trigger when it stalls, does not satisfy the clause regardless of how well the plan itself was written. This is reachable on a routine sampling pass.
Escalation accountability sits with whoever holds delivery authority over the IT Operations backlog — not with the ISMS Manager who correctly identified, assessed, and assigned the risk.
Finding 02: Major Nonconformity, SOP-HR-09 (access revocation on termination)
Documented procedure SOP-HR-09 states system access is revoked “within one business day” of termination. Sample of three involuntary terminations showed access revoked at 1, 3, and 4 business days respectively. The 4-day case involved a termination processed at 16:40 on a Friday; the IT ticket was not logged until the following Tuesday.
Evidence trace: HR termination log (timestamp 16:40 Friday) → IT access ticket queue (first entry, following Tuesday 09:14) → SOP-HR-09 (states 1 business day, no exception handling for after-hours terminations).
The organisation’s own documented SOP sets a one-day standard it then fails to meet in 100% of the sampled exceptions. An auditor sampling termination records against the access log will find this on first pass.
Accountability: Jointly HR (notification timing) and IT (ticket processing cadence). No single name currently owns the after-hours exception — which is precisely why it has gone uncorrected.
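The revocation-lag check behind this finding, written out as an added illustration rather than as part of the report: it joins the three evidence sources for each sampled termination, counts business days under an assumed counting rule (SOP-HR-09 defines none), and attributes a breach to either the HR notification stage or IT ticket processing, mirroring the joint accountability above. The record values are constructed to reproduce the sampled 1, 3 and 4 business-day outcomes; the class and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SOP_LIMIT_BUSINESS_DAYS = 1  # SOP-HR-09: access revoked within one business day


@dataclass(frozen=True)
class TerminationSample:
    """One sampled involuntary termination joined across the three evidence sources."""
    ref: str                    # constructed sample reference, not a real person
    hr_terminated: datetime     # HR termination log timestamp
    it_ticket_logged: datetime  # first entry in the IT access ticket queue
    access_revoked: datetime    # access log timestamp of the revocation


def business_days_elapsed(start: datetime, end: datetime) -> int:
    """Weekdays strictly after start's date, up to and including end's date.
    Assumed counting rule (the SOP defines none): Friday to Monday is 1 business
    day. Public holidays are not modelled."""
    days, current = 0, start.date()
    while current < end.date():
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            days += 1
    return days


def assess(sample: TerminationSample) -> tuple[int, bool]:
    """Return (revocation lag in business days, meets SOP-HR-09)."""
    lag = business_days_elapsed(sample.hr_terminated, sample.access_revoked)
    return lag, lag <= SOP_LIMIT_BUSINESS_DAYS


def delay_stage(sample: TerminationSample) -> str:
    """Attribute the time to a stage, mirroring the joint HR/IT accountability:
    a ticket first logged on a later business day is an HR notification gap,
    otherwise the delay sits in IT ticket processing."""
    notify_lag = business_days_elapsed(sample.hr_terminated, sample.it_ticket_logged)
    return "HR notification" if notify_lag >= 1 else "IT processing"


# Constructed records reproducing the sampled outcomes of 1, 3 and 4 business days;
# T-03 is the Friday 16:40 termination whose IT ticket appeared on Tuesday 09:14.
SAMPLE = [
    TerminationSample("T-01", datetime(2024, 3, 4, 10, 5), datetime(2024, 3, 4, 10, 30), datetime(2024, 3, 5, 9, 0)),
    TerminationSample("T-02", datetime(2024, 3, 5, 11, 0), datetime(2024, 3, 5, 14, 0), datetime(2024, 3, 8, 15, 0)),
    TerminationSample("T-03", datetime(2024, 3, 1, 16, 40), datetime(2024, 3, 5, 9, 14), datetime(2024, 3, 7, 10, 0)),
]

if __name__ == "__main__":
    for s in SAMPLE:
        lag, ok = assess(s)
        print(f"{s.ref}: {lag} business day(s)", "OK" if ok else f"BREACH ({delay_stage(s)})")
```

Run against a full export of the termination log rather than a three-record sample, the same two functions give the nonconformity rate and the stage split an auditor would otherwise have to reconstruct by hand.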
Finding 03: Minor Nonconformity, Clause 9.2
The internal audit programme listed Annex A.8 (technical controls, including configuration management) in scope. The internal audit report contains no sampled evidence, findings, or test records against it — the heading is present in the report; the content beneath it is not.
Evidence trace: Internal Audit Programme (lists A.8 in scope) → Internal Audit Report, Section 6 (A.8 heading present, no content) → Internal Auditor interview (confirmed time constraints, deferral not documented).
Clause 9.2 requires the internal audit programme to be implemented, not merely planned. Classified Minor because no control failure has yet been demonstrated within A.8 itself — only the fact that nobody has checked.
Accountability: Internal Audit Manager, specifically the planning-to-execution handoff.
Finding 04: Opportunity for Improvement, Management Review decisions
Management Review minutes record decisions in passive voice, with no individual named as responsible and no target date attached. Three of five decisions sampled across two review cycles show no subsequent evidence of action.
Evidence trace: Management Review minutes (five decisions recorded) → Corrective Action Log (two of five appear; three do not) → follow-up interview (decisions “generally understood” to sit with Security Operations, not formally assigned).
Not yet a nonconformity, but the same structural defect found in F-01 and F-02: decisions without a named owner and a date do not survive a surveillance auditor’s follow-up question.
Recommendation: Chair of the Management Review should adopt a fixed minute template: decision, owner, date, status — four fields, no exceptions.
Fixed scope. Findings delivered in writing. No reassurance language, no softened verdicts.