ISO 27001:2022 Clause 10 Improvement

Uncategorized 4 Minutes

This part of the standard is concerned with corrective action requirements. You will need to show how you react to nonconformity, take action, correct them and deal with the consequences. You’ll also need to show whether any similar nonconformity exist or could potentially occur and show how you will eliminate the causes of them so they do not occur elsewhere. There is also a requirement to show continual improvement of the ISMS, including demonstrating the suitability and adequacy of it and how effective it is. However, you do this is up to you.

10.1 Continual improvement

The organization must continually improve the suitability, adequacy, and effectiveness of the information security management system.

Continual improvement is a key aspect of the ISMS in the effort to achieve and maintain the suitability, adequacy, and effectiveness of the information security as it relates to the organizations’ objectives. Organizations with operational ISMS’ must continually strive to improve their management system. This is fundamental to all management systems and an ISMS is no exception.
Improvements can come from a number of sources. These include:
• Internal audits;
• The output from Management reviews;
• External audits;
• Security incidents;
• Security reviews and testing;
• Suggestions, including those from interested parties.
Suggested improvements should be considered but do not need to be implemented. The organization selects those improvements it feels add value to the ISMS. Suggestions from internal and external auditors also do not need to be implemented but should be considered. Time frames for implementing agreed improvements are set by the organization.

10.2 Nonconformity and corrective action

When a nonconformity occurs, the organization must react to this nonconformity by taking action to control and correct it; and deal with the subsequent consequences. The organization must evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by reviewing the nonconformity, determining the causes of the nonconformity, and determining if similar nonconformities exist, or could potentially occur. The organization must implement any action needed. It must review the effectiveness of any corrective action taken and make changes to the information security management system, if necessary. The Corrective actions taken should be appropriate to the effects of the nonconformities encountered. The organization must keep a record of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action taken.

Outputs from management reviews, internal audits, and compliance and performance evaluation should all be used to form the basis for nonconformity and corrective actions. Once identified, a nonconformity or corrective action should trigger, if considered relevant, proper and systematic responses to mitigate its consequences and eliminate root causes, by updating processes and procedures, to avoid recurrence. The effectiveness of actions taken must be evaluated and documented, along with the originally reported information about the nonconformity / corrective action and the results achieved. ISO 27001 requires an organization to continually improve its ISMS. These improvements come from a number of activities. Corrective action is one mechanism to drive improvements and address weaknesses within the system. Corrective action is required by ISO 27001 when a non-conformance or deficiency is identified. The need for corrective action can arise from a number of ISMS activities. These include:

  • Internal audits;
  •  Management reviews;
  •  External audits;
  •  Security incidents;
  •  Security reviews and testing.

Corrective Actions

  • Corrective Action is required to address any deficiencies as per the agreed procedure
  • Your agency specifies its timelines for response
  • The only exception is issues raised by the certification bodies
  • Operate on very specific time frames for correction of defects

The organization’s response to a need for corrective action is documented in some form of corrective action procedure. This procedure includes the requirement for root cause analysis to ensure that the non-conformance does not re-occur. The timeframe for response and implementation of corrective action is the choice of the organization, except for non-conformances raised by certification bodies. There are defined timeframes for the implementation of corrective action for any non-conformances raised during certification or surveillance audits.

One of the main drivers of improvement is to learn from security incidents, issues identified in audits, performance issues identified from monitoring, complaints from interested parties, and ideas generated at management reviews. For each learning opportunity identified you must maintain a record of:

  • what occurred;
  • if the event had undesirable consequences, what action was taken to contain and mitigate those;
  • the root cause of the event (if determined);
  • the action is taken to eliminate the root cause (if needed); and
  • an assessment of the effectiveness of any action taken.

Root cause analysis
To identify effective corrective action, it is strongly advisable to complete a root cause analysis of the issue that occurred. If you don’t get to the bottom of why or how it happened, then it is likely that whatever fix you implement will not be fully effective. A simple approach such as “5 Whys” is a good root cause analysis tool:
start with the issue, then ask “Why” enough times to reach the root cause. Usually, 5 times of asking are enough, but for more complex problems you may need to dig deeper.
For example:
Problem statement:
The organization was infected by the bogus virus
Why?
Someone clicked on a link in an email and it downloaded the virus and infected their PC
Why?
They had not received any training in clicking on links in emails they are not expecting to receive
Why?
The training manager is on maternity leave and the organization has not implemented cover for them
Why?
The maternity leave process is not covered in the Change Management Procedure and so a risk assessment was not completed to identify any information security risks.

You may not have sufficient resources to undertake root cause analysis for every event. To prioritize your efforts, you should consider first completing a simple risk assessment of an event and then undertake root cause analysis only for those that are medium or high risk.

Back to Home Page

If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion is also welcome.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply