4 Surprising Truths About the ISO Clause Auditors Can't Touch
When you think of an ISO audit, you probably picture a meticulous, line-by-line examination of every requirement in a standard. It's a world of objective evidence, nonconformity reports, and rigorous scrutiny where every clause is under the microscope. For the most part, that perception is accurate.
But what if there were a formal clause within a major international standard that auditors are explicitly forbidden from auditing? Tucked away in ISO 28000, the standard for security management systems in the supply chain, is just such a clause. It exists in plain sight, yet it generates no findings, requires no evidence, and is off-limits for compliance verification.
Why would a standards body create a requirement that can't be enforced? The existence of this "unauditable clause" isn't an oversight or a loophole. It's a deliberate design choice that reveals a deeper truth about the philosophy of modern, risk-based standards. Here are four surprising truths about the ISO clause auditors can't touch.
A Clause That's "Non-Auditable" By Design
The clause in question is Clause 2, "Normative References." In many ISO standards, this section lists other documents that are considered indispensable for applying the requirements correctly, but in ISO 28000, it contains no such mandatory references. Therefore, its primary function is to maintain a formal structure consistent with ISO's own drafting rules.
Because of this, it is officially classified as "non-auditable." In practice, this means:
- Auditors do not raise nonconformities against it.
- No direct objective evidence is required from the organization.
- No compliance verification is performed on the clause itself.
While auditors don't scrutinize it, this doesn't mean the clause is irrelevant. Instead, it serves a different and more subtle purpose, which leads to our next point.
ISO 28000 Prioritizes Flexibility Over Prescription
The fact that ISO 28000 intentionally contains no mandatory normative references is its most powerful feature. This design choice gives your organization the freedom and flexibility to design security controls that are genuinely appropriate for your specific supply chain risks.
Rather than prescribing a single, rigid methodology, the standard empowers you to choose how you meet the requirements. An auditor cannot require your organization to implement other specific standards simply because they are well-known or considered best practice. This means an auditor is explicitly prohibited from requiring that you implement:
- ISO 31000 (risk management)
- ISO 22301 (business continuity)
- ISO 27001 (information security)
The choice of tools, frameworks, and methodologies is yours. The audit focuses on the effectiveness of your chosen approach, not its name or origin.
Auditors Are Forbidden From 'Inventing' Requirements
Because Clause 2 grants so much freedom to the organization, it places a strict requirement on the auditor: professional discipline. Auditors are trained to avoid "overreach" by imposing their personal preferences for specific tools or frameworks. Their job is to audit the standard as written, not to add requirements that don't exist.
Common mistakes that disciplined auditors are trained to avoid include:
- Imposing other ISO standards
- Raising findings for missing references
- Confusing guidance with requirements
- Auditing personal preferences
This principle is so critical it's codified in a simple rule.
An auditor must never audit requirements that do not exist in the standard.
A Flaw Here Will Trigger a Finding Somewhere Else
So, if Clause 2 is off-limits, can an organization just ignore fundamental concepts like risk assessment? Absolutely not. While the clause itself isn't audited, any real-world deficiency in your security system will be identified and cited against the auditable clauses where the work actually happens, such as Clause 4 (System establishment), Clause 6 (Risk assessment and planning), Clause 7 (Operational controls), or Clause 8 (Monitoring and improvement).
This is the key principle: auditors assess the effectiveness of your system. If your chosen risk assessment method is flawed or inconsistently applied, it won't be a finding against the non-auditable Clause 2. Instead, it will be a finding against the clause that requires a functional risk assessment process.
Consider this example of an incorrect versus a correct audit finding:
- Incorrect Finding: "Nonconformity – No reference to ISO 31000 in Clause 2."
- Correct Finding: "Clause 6.2 – The organization has not defined a consistent security risk assessment methodology."
The first finding is invalid because it attempts to audit Clause 2 and invent a requirement. The second is valid because it identifies a failure to meet a mandatory requirement in Clause 6, regardless of the specific methodology used.
A Deeper Lesson in Modern Standards
The "unauditable" Clause 2 is far from being a mistake or a loophole. It is a deliberate and sophisticated feature that underscores the core philosophy of ISO 28000: flexibility, adaptability, and a sharp focus on real-world effectiveness rather than rigid prescription. It trusts the organization to know its own risks and build a system to manage them.
This approach reflects a broader shift in how modern management system standards operate. They are moving away from being prescriptive checklists and toward becoming powerful frameworks for risk-based thinking. This leads to a final question to consider: Does this level of built-in flexibility make a standard like ISO 28000 more powerful, or does it place a greater burden on organizations to prove their methods are effective?