Example of ISO 27001:2022 Corrective action Procedure

Uncategorized 3 Minutes

1 Introduction

This procedure describes the steps to be taken when a nonconformity is found within the Information Security Management System (ISMS). A nonconformity is defined by ISO as the “non-fulfillment of a requirement”.
This is a wide definition which basically means that the ISMS is not succeeding in its purpose, which is to fulfil the information security requirements of the organization. A nonconformity may arise for many reasons, in many forms and from many different sources. The purpose of this procedure is to ensure that they are recorded when they are identified and that the appropriate steps are taken to ensure that the immediate and wider actual and potential impacts of the nonconformity are addressed.
In addition to internal and external audits, non conformity may be identified from the day- to-day performance of procedures, management meetings and communication with suppliers, customers and other interested parties.

2 Nonconformity Management Procedure

2.1 Procedure Diagram

The procedure for identifying and managing non conformity is summarized in the diagram below. The detail of the steps is described in the following sections.

2.2 Identifying Nonconformities

Nonconformities may be identified from any source and the [Information Security Manager] will encourage staff, users, customers and suppliers to propose ways in which they can be addressed. Such nonconformities may be identified from:

  • Security reviews
  • Team meetings
  • Supplier meetings
  • Risk assessments
  • User surveys
  • Internal and external audits

However, the above is not an exhaustive list.

2.3 Add to Nonconformity and Corrective Action Log

Once identified, the nonconformity will be documented within the Nonconformity and Corrective Action Log with a status of “Open”. At this stage, the action to correct the nonconformity has not necessarily been determined. As much detail as possible should be specified as to the exact nature of the nonconformity.

2.4 React to the Nonconformity

If action needs to be taken to address the nonconformity immediately then this should be done without delay. This may be to fix it, stop it from getting worse or to reduce its effects until further action may be taken. Appropriate resources should be allocated to addressing the nonconformity depending on the current assessment of its seriousness. Actions taken should be recorded in the action log, with dates.

2.5 Cause determination

Once logged and initial reactive actions put in place, the nonconformity will be evaluated to assess its underlying cause i.e. why it has arisen. Other parties may be consulted during this stage to understand the mechanism and events leading to the nonconformity. The identified cause should be recorded in the action log with as much description as appropriate.

2.6 Assess potential impact

Once the cause is understood, a review should be undertaken to assess whether similar nonconformities already exist elsewhere within the ISMS and whether they could potentially arise in the future. The findings of this review should be recorded in the action log.

2.7 Implement corrective action

Once the cause and real or potential impact has been established, appropriate corrective action should be identified to address both the current situation and potential future impact of the nonconformity. The expected benefits of correcting the nonconformity should be sufficient to justify the resources required to achieve the corrective action. The details of the corrective action to be taken should be recorded in the action log, along with the timescale and person responsible. Dated progress updates should also be added when appropriate. Once corrective action has been completed the status of the nonconformity record within the Nonconformity and Corrective Action Log should be updated to “Review Pending” and the date of closure recorded.

2.8 Review effectiveness of corrective action

After a reasonable period of time (which will depend on the nature of the nonconformity and the corrective action) the effectiveness of the corrective action should be reviewed to assess whether it has fixed the issue, including its actual and potential impacts. If the benefits expected are not achieved, the reasons for this will be investigated as part of the regular management review meeting. If successful, the date and results of the review will be recorded, and the status of the nonconformity will be updated to “Closed”.

2.9 Amend ISMS if necessary

If the nonconformity is judged to have occurred due to a fault in the ISMS, it may be necessary to amend the ISMS itself, including any relevant policies, procedures and forms. This should be done with the agreement of top management.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply