Continual Improvement For ISO 27001 Requirement 10.2

What is covered under ISO 27001 Clause 10.2?

A large part of running an information security management system is to see it as a living and breathing system.  Organisations that take improvement seriously will be assessing, testing, reviewing and measuring the performance of the ISMS as part of the broader business-led strategy, going beyond a ‘tick box’ regime.

There are several mechanisms already covered within ISO 27001 for the continual evaluation and improvement of the ISMS including:

  • 6.1 risk assessment and treatment – ongoing
  • 6.2 objectives monitoring, measurement and evaluation – ongoing
  • 9.2 Internal audits – ongoing
  • 9.3 management reviews – ongoing
  • 10.1 nonconformities and corrective actions – ongoing
  • Annex A 5 – reviews of policies – ongoing
  • Annex A 7 – human resource engagement and awareness
  • Annex A 16 – security incidents, events and weaknesses – ongoing
  • Annex A 18– compliance reviews – ongoing
  • General external audits (eg for UKAS certification by ISO certified bodies)

Most of these above will typically happen without needing to be put on an improvement list per se (so be clear about that in the policy) and can be demonstrated as part of the continual improvement of taking the ISMS operation seriously.

Improvements can also come from many other places and it is to be encouraged that they get documented within the ISMS improvement process. These include:

  • Customers requests or concerns
  • Trending data from other operational systems
  • Other observations e.g. from suppliers or other interested parties

It is also useful to determine what is not an improvement in the information security management system. For example in running a service desk that receives product questions it would be painful to treat every ticket as an opportunity for improvement, whereas repeated issues might be a nonconformity or a general area for improvement – so make sure that it is clear what is and what isn’t considered.

See how simple it is with

How to demonstrate the organisation is continually improving the suitability, adequacy, and effectiveness of the ISMS

This is a great example of how the solution brings everything together so there is no need to duplicate effort. Simply reiterate the work that is going on in the wider system, joining it up holistically and through the powerful linking feature. comes with a Policy for 10.2 to adopt and the toolset integrated with 10.1 requirements, and includes links to the ISMS areas that quickly demonstrate continual improvement is effectively practiced and managed.

How to easily demonstrate 10.2 Continual Improvement

The platform makes it easy for you to continually improve the suitability, adequacy and effectiveness of the information security management system.

Step 1 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence requirement 10.2 within our platform and easily adapt it to your organisation’s needs. The framework for 10.2 references the relevant requirements that address this area, such as:

  • Regular management reviews per (9.3)
  • Internal Audits per (9.2) including ISMS scope and specific policy reviews
  • Corrective Actions per (10.1)

Evidence of continual improvement is documented in the Corrective Actions and Improvements Track and the respective audit and incident management areas.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have ready-made simple to follow foundation for ISO 27001 compliance or certification giving you a 77% head start.

Step 1 : Adopt, adapt and add

Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.
Step 2 : Demonstrate to your auditors

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification.

Requirement 10.2 is part of the third section that ARM will guide you on, where once the foundations of your ISMS have been paid, and Annex A controls have been described, you’ll detail how you comply with the remaining core requirements.

Step 3 : A time-saving path to certification

Step 4 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.
Step 4 : Extra support whenever you need it