
Nonconformity & Corrective Action For ISO 27001 Requirement 10.1

What is covered under ISO 27001 Clause 10.1?

Clause 10.1 sits within the improvement requirement of ISO 27001 (this page follows the ISO/IEC 27001:2013 numbering; in the 2022 revision the same requirement appears as Clause 10.2, with 10.1 becoming continual improvement). It concerns the actions an organisation takes to address information-security nonconformities. The corrective action that follows from a nonconformity is a key part of the ISMS improvement process and must be evidenced, together with any other consequences the nonconformity caused.

ISO 27001 clause 10.1 sets out the process organisations should follow as a core part of the standard, and smart organisations integrate that process into the broader continual improvement requirement of clause 10.2.

A simple process approach, following the steps the clause itself lays out, includes:

  • Identify the nonconformity
  • React to it – take action to control and correct it, and deal with the consequences
  • Evaluate whether there is a root cause to be addressed (e.g. from a pattern, from measurement results, or from issues that tie in with other parts of the ISMS and may surface through 9.3 management reviews or other parts of the operation), and check whether similar nonconformities exist or could occur elsewhere
  • Implement whatever corrective action is needed
  • Review the effectiveness of any changes or interventions (i.e. monitor them)
  • Make other changes to the ISMS as needed

Make sure that the work done along the way is documented. The clause requires you to retain documented information as evidence of the nature of each nonconformity, the actions taken, and the results of any corrective action. Some organisations will also have sign-off and approval steps to build into the process, especially where corrective action requires investment in change, or where delivery failures and losses have occurred.

Remember that to obtain and maintain ISO 27001 certification, an auditor will expect to see evidence of improvement. Showing that you are addressing nonconformities and taking corrective action is not a failure, so do make sure that work is visible where appropriate: it demonstrates the philosophy of continual improvement the standard requires. Hiding issues away and pretending there are none is a red flag to an auditor, so we recommend the organisation is open and embraces improvement – although ideally few, if any, improvements should arise from a nonconformity.

How to demonstrate nonconformities and corrective actions are being addressed for ISO 27001

This is one of the areas where organisations commonly reach for a spreadsheet and simply keep a list of what has happened and what has been done, in line with the simple process above. A spreadsheet does not hold the underlying evidence, and it does not link up well enough to show the depth and history of a case to an auditor's satisfaction, so other tools end up being needed alongside the static sheet. There are much better ways.

A more integrated approach uses software. Ours includes a policy for 10.1 and a preconfigured Corrective Actions & Improvement Track for demonstrating and evidencing the work being done. It is ready to use immediately and takes corrective actions and broader improvements through a standard workflow, which can be customised if your organisation's process differs. It is quick to assign actions to team members, set due dates, attach the underlying evidence of the failure and join up your ISMS by linking the action to other areas, such as a policy or control that may need updating. It also includes automated reporting and insight that can feed the 9.3 management reviews, making the whole ISMS management process far simpler.


How to easily demonstrate 10.1 Nonconformities and corrective actions

The platform makes it easy for you to demonstrate how nonconformities and corrective actions will be addressed.

Step 1 : Adopt, adapt and add

Our pre-configured ISMS enables you to evidence requirement 10.1 within the platform and to adapt it easily to your organisation's needs. The AAA framework for 10.1 gives you an approach for managing nonconformities and corrective actions, tied to the tool that is pre-configured around nonconformities, so there is a single place to record the entire process.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.


Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. Requirement 10.1 is part of the third section that ARM guides you through: once the foundations of your ISMS have been laid and the Annex A controls have been described, you detail how you comply with the remaining core requirements.

Step 4 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.