ISO 27001 Requirement 10.1 – Nonconformities & Corrective Actions

By Mark Sharron | Updated 14 December 2023

Clause 10.1 is part of the improvement requirement within ISO 27001. It concerns the actions an organisation takes to address information-security-oriented nonconformities. The corrective action that follows from a nonconformity is also a key part of the ISMS improvement process, and it needs to be evidenced along with any other consequences caused by the nonconformity.


What does Clause 10.1 involve?

ISO 27001 clause 10.1 sets out the process for organisations to follow as a core part of the standard, and smart organisations will integrate that process into the broader continuous improvement requirement in line with clause 10.2.

A simple process approach includes:

  • Identify the nonconformity
  • React to it – both correcting or controlling it and dealing with the consequences
  • Evaluate whether there is a root cause issue that should be addressed (e.g. from patterns, measurements and other issues that might tie in with other parts of the ISMS and could be evident through 9.3 management reviews and other parts of the operation)
  • Review the effectiveness of any changes or interventions (i.e. monitor it)
  • Make other changes to the ISMS as needed

Make sure that the work done along the way is documented. Some organisations may have sign-off and approval processes to consider within the process, especially for investments in change or because of delivery failures and losses that may occur.

Remember, to obtain and maintain ISO 27001 certification, an auditor will expect to see evidence of improvements. Showing that you are addressing nonconformities and taking corrective actions is not a failure, so make sure they are visible, where appropriate, to demonstrate the philosophy of continuous improvement that is required by the standard.

Hiding things away and pretending there are no issues will also be a red flag to an auditor, so we recommend the organisation is open and embraces improvements, although ideally few if any of them should be the result of a nonconformity!


How to demonstrate nonconformities and corrective actions are being addressed

This is one of the popular areas for using spreadsheets and simply keeping a list of what has happened and what has been done, in line with the simple process above. Spreadsheets don't hold the evidence or link up well enough to illustrate the depth of a case, with the history that would satisfy an auditor, so other tools will also be required alongside the static sheet. There are much better ways.

A more integrated approach uses ISMS.online software. It includes a policy for 10.1, and also the preconfigured Corrective Actions & Improvement Track to simply demonstrate and evidence the work being done. It is ready to use immediately and enables corrective actions and broader improvements to go through a standard workflow process, which can easily be customised too if organisation processes differ.

It is quick to assign actions to team members, set due dates, show the underlying evidence of the failure and join up your ISMS by linking it quickly to other areas, such as a policy or control which may need updating. It includes automated reporting and insight that can be used in the management reviews in line with 9.3, making the whole ISMS management process far simpler.


