What is covered under ISO 27001 Clause 10.1?
Clause 10.1 is part of the improvement requirement within ISO 27001. It concerns the actions an organisation takes to address information security related nonconformities. The corrective action that follows from a nonconformity is a key part of the ISMS improvement process and needs to be evidenced, along with any other consequences caused by the nonconformity.
ISO 27001 clause 10.1 sets out the process for organisations to follow as a core part of the standard, and smart organisations will integrate that process into the broader continual improvement requirement in line with clause 10.2.
A simple process approach includes:
- Identify the nonconformity
- React to it – correcting or controlling it and dealing with the consequences
- Evaluate whether there is a root cause that should be addressed (e.g. from patterns, measurements and other issues that may tie in with other parts of the ISMS, such as those evident through 9.3 management reviews and other parts of the operation)
- Review the effectiveness of any changes or interventions (i.e. monitor them)
- Make other changes to the ISMS as needed
Make sure that the work done along the way is documented. Some organisations may have sign-off and approval processes to consider within the process, especially for investments in change or because of delivery failures and losses that may occur.
Remember, to obtain and maintain ISO 27001 certification, an auditor will expect to see evidence of improvements. It is not a failure to show you are addressing nonconformities, taking corrective actions etc., so do make sure they are visible, where appropriate, to demonstrate the philosophy of continual improvement that the standard requires. Hiding things away and pretending there are no issues will also be a red flag to an auditor, so we recommend the organisation is open and embraces improvements – although ideally few if any of them should be the result of a nonconformity!
How to demonstrate nonconformities and corrective actions are being addressed for ISO 27001
This is one of the popular areas for using spreadsheets: simply keeping a list of what has happened and what has been done, in line with the simple process above. Spreadsheets don't hold the evidence or link up well enough to illustrate the depth of a case and its history to an auditor's satisfaction, so other tools will also be required alongside the static sheet. There are much better ways.
A more integrated approach uses ISMS.online software. It includes a policy for 10.1, and also the preconfigured Corrective Actions & Improvement Track to demonstrate and evidence the work being done. It is ready to use immediately and enables corrective actions and broader improvements to go through a standard workflow process, which can easily be customised if organisation processes differ. It is quick to assign actions to team members, set due dates, show the underlying evidence of the failure and join up your ISMS by linking it to other areas, such as a policy or control that may need updating. It includes automated reporting and insight that can be used in the management reviews in line with 9.3, making the whole ISMS management process far simpler.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
About ISO 27001
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement