The Ultimate Guide to ISO 27001:2022 Clause 10.1 Continual Improvement

Last updated Sep 15, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Continual Improvement is the continual improvement of the Information Security Management System (ISMS). Continual Improvement is about acknowledging that things are never perfect and do not work 100% of the time. As such, having a process to continually improve and get better is baked into the standard.

The clause sets out the requirement for how you continue to improve your information security management system so that it remains effective and continues to meet its intended outcomes.

In ISO 27001 this is known as ISO27001:2022 Clause 10.1 Continual Improvement. It is one of the mandatory ISO 27001 clauses.

It is important because things change and problems happen.

The requirement is to continually improve the suitability, adequacy and effectiveness of the information security management system.

Key Takeaways

  • ISO 27001 Continual Improvement is about always improving the management system
  • It relies on audit and incident management to identify improvements
  • It is called ISO27001:2022 Clause 10.1 Continual Improvement

Watch the Tutorial

In this tutorial video, How to implement ISO 27001 Clause 10 Improvement I show you how to implement continual improvement.

ISO 27001 Clause 10.1

Before I show you how to implement it, let us first look at what the standard actually wants you to do.

The purpose of ISO 27001 clause 10.1 Continual Improvement is to make sure you have an actual information security management system and that it is established, implemented and continually improved.

The ISO 27001 standard defines ISO 27001 Continual Improvement as:

The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.

ISO27001:2022 Clause 10.1 Continual Improvement

Let me go into a bit more detail about this requirement.

Information Security Management System

This is the people, processes and documentation that make up how you are managing information security.

Suitability

There are many ways to implement an information security management system but it has to be right for you and it has to work for you. There is no point in implementing an ISMS that is at odds with the organisation, so the standard wants you to make sure that it is aligned with how you work, your culture and your business objectives.

Adequacy

The ISMS should meet the needs of the business and be able to address the information security risks that you have. This includes having the right level of information security controls based on your needs.

Effectiveness

The ISMS and the information security controls should protect you from the risks to the confidentiality, integrity and availability of data, and you should be able to demonstrate that this is indeed the case with evidence of effective operation.

Implementation Guide

Based on my experience and what I have seen work well the following are the best practice implementation steps to implement ISO 27001 Continual Improvement.

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 Clause 10.1 Continual Improvement

  1. Implement a Continual Improvement Policy

    You need an ISO 27001 Continual Improvement Policy. Policies are statements of what you do, not how you do it (the how is covered in the process documents). The policy sets out your approach to handling nonconformities and corrective actions.

  2. Implement a Continual Improvement Process

    The ISO 27001 continual improvement process sets out how you make fundamental changes to prevent nonconformities from recurring. It is covered in detail in ISO 27001 Continual Improvement: Clause 10.1

  3. Implement an Internal Audit Process

    Put in place an internal audit plan. Have an internal audit process. Be sure to audit the entire information security management system at least annually and, ideally, based on risk. It is covered in detail in ISO 27001 Internal Audit: Clause 9.2

  4. Implement Feedback Mechanisms

    Establishing feedback mechanisms from employees, customers, and other stakeholders can provide valuable insights for improvement. Ensure that there is a way for people to provide feedback.

  5. Implement an Incident Management Process

    The incident management process sets out how you deal with incidents. Incidents are one of the major sources of identifying nonconformities. It is covered in detail in ISO 27001 Response To Information Security Incidents: Annex A 5.26

  6. Implement an Incident and Corrective Action Log

    Implement and use an incident and corrective action log that includes the required fields and allows you to manage incidents and corrective actions. This is the main tool for the management of nonconformity.

  7. Reporting

    The Management Review Team provides the management oversight and is the decision-making body. Be sure to report nonconformities and corrective actions to the meeting and to minute what was reported and decided.

General Guidance

The first step in improvement is identifying what needs to be improved. You do this by finding nonconformities which are deviations from your established policies and procedures. We covered this in ISO 27001 Nonconformity and Corrective Action: Clause 10.2 but here is some additional guidance to consider:

Management Review

The management review process provides oversight and ensures that continual improvement activities are effective and aligned with organisational goals. For a deeper understanding read the guide, ISO 27001 Management Review: Clause 9.3.

Culture of Improvement

Continual improvement should be embedded into your organisational culture and it should encourage employees to actively participate in identifying and implementing improvements.

Incident Management

Incidents, whether isolated or indicative of a larger issue, are a great way to identify things that need to be improved. When you have an incident the standard already gives guidance: you investigate the incident, perform root cause analysis and then react, which may lead to improvements like policy/procedure changes, retraining, or new tools. You can take a deeper dive in ISO 27001 Response To Information Security Incidents: Annex A 5.26

Audits

Audits provide independent checks of your information security management system and your information security controls. ISO 27001 mandates internal audits, and you may also face external client and certification audits. These offer a structured way to pinpoint areas for improvement. Further detail is provided in ISO 27001 Internal Audit: Clause 9.2

Brainstorming

Simply asking people for their input is valuable. Staff often have excellent ideas for improving your information security management system.

Incident and Corrective Action Log

When a problem is identified, you take appropriate corrective action to prevent recurrence. This might involve risk management, including accepting a risk (with management review team approval) if the cost of mitigation is prohibitive. In my experience an incident and corrective action log is essential for managing this process effectively and meeting ISO 27001 requirements. The benefits of such a log, both for compliance and process efficiency, are significant.

Goals and Objectives

Consider the need to set specific, measurable, achievable, relevant, and time-based (SMART) goals and objectives for your ISMS. Be sure to monitor and measure the progress towards those goals and objectives. This will help you to identify what is working well and what needs to be improved.

Best Practice

Consider the following best practice for continual improvement.

Involve everyone

Be inclusive, as continual improvement is everyone's responsibility. Be sure to involve your ISO 27001 interested parties, including staff and third parties.

Prioritise Continual Improvement

Ensure that adequate resources in time and money are made available to identify improvements and to take action and implement them.

Risk Management

ISO 27001 is a risk-based management system and it makes sense to prioritise your improvements on the areas that pose the greatest risk.

Evidence Based Improvements

Base changes and improvements to the information security management system on evidence rather than personal wants and needs. Use metrics, measures and audit reports to back the changes that you make.

ISO 27001 Continual Improvement Policy Template

The ISO 27001 Continual Improvement policy template sets out what must be done for continual improvement. As a requirement of the standard continual improvement is covered in ISO 27001 Continual Improvement: Clause 10.1

ISO 27001 Continual Improvement Policy Example

The ISO 27001 continual improvement policy example covers: Purpose, Scope, Principle, Audit, Internal Audits, External Certification Audits, Client and Third-Party Audits, Incidents, Change Management, Management Review Team, Review of Objectives, Legal, Regulatory and Information Security Standards, Change Improvement as a result of Non-Conformity and Management of Improvement.

ISO 27001 Incident and Corrective Action Log Template

The ISO 27001 Incident and Corrective Action Log Template is used to track and manage continual improvements effectively. This log is an essential part of the ISO 27001 continual improvement process: it records how each improvement was identified and how it was managed.

ISO 27001 Incident and Corrective Action Log Example

This ISO 27001 Incident and Corrective Action Log Example shows the layout of a typical ISO 27001 Incident and Corrective Action Log, the required columns and the data capture needs. ISO 27001 continual improvements are recorded in this log and the log is used to manage them.

ISO 27001 Continual Improvement Process Example

The following is what a documented ISO 27001 Continual Improvement Process example would look like if you are not using the ISO 27001 templates.

How to pass the audit

You demonstrate compliance to ISO 27001 Clause 10.1 Continual Improvement by having effective policy and process in place and having documented evidence that those processes have operated effectively. What this means is that you need policy and process for the identifiers of nonconformities, being:

  • Incident management
  • Audit (both internal audit and external audit)

And you need policy and process to deal with the nonconformities being

To demonstrate evidence you will have a series of documents and records

  • Incident tickets on your associated help desk systems
  • Change tickets that support any changes that have been made
  • The complete incident and corrective action log that is used to manage nonconformities
  • Meeting minutes from the Management Review Team meetings where all of the above have been shared and minuted

What the auditor will check

The auditor is going to check a number of areas for compliance with Clause 10.1. Let's go through them.

1. That you have a corrective action process

When a nonconformity is identified you need to be able to manage it. The auditor will look at the process and a sample of recent corrective actions to ensure they followed the process and were managed effectively. Were they recorded? Were they added to the corrective action log? Were they managed? Were they reported to the management review team? Were any corrective actions checked to ensure they were effective?

2. That you have a corrective action log

You need an effective way to record corrective actions and continual improvements. A corrective action log is a simple way to do it, but however you do it, ensure that you have evidence of continual improvement in operation.
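The auditor's questions above (recorded, logged, managed, reported, verified effective) map directly onto the columns of the incident and corrective action log from step 6 of the implementation guide, which means the log can be checked mechanically before the audit rather than by eye. The Python below is an added illustration, not the page's template or the author's toolkit: the column names, the `findings`/`audit_log`/`summary` helpers and the three sample records are all constructed assumptions chosen to show each question the auditor asks.

```python
"""Minimal incident and corrective action log with the checks an auditor
asks about under Clause 10.1.  Added illustration: field names, helper
names and the sample records are assumptions, not the page's template."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class CorrectiveAction:
    ref: str                      # log reference, e.g. CA-01 (assumed scheme)
    source: str                   # incident | internal_audit | external_audit | feedback
    raised: date
    nonconformity: str            # the deviation from policy or procedure
    root_cause: Optional[str]     # None until root cause analysis is recorded
    action: str                   # the change made to prevent recurrence
    owner: str
    due: date
    closed: Optional[date] = None
    reported_to_mrt: Optional[date] = None        # date minuted at management review
    effectiveness_verified: Optional[date] = None  # follow-up check that it worked


# Constructed sample log for the example; these are not real incidents.
SAMPLE_LOG = [
    CorrectiveAction("CA-01", "internal_audit", date(2025, 3, 3),
                     "Joiner accounts created without an approval ticket",
                     "Access request form not mandatory in HR workflow",
                     "Make ticket field mandatory; retrain HR", "IT Lead",
                     date(2025, 4, 30), closed=date(2025, 4, 20),
                     reported_to_mrt=date(2025, 5, 6),
                     effectiveness_verified=date(2025, 7, 1)),
    CorrectiveAction("CA-02", "incident", date(2025, 6, 10),
                     "Laptop lost; disk encryption was not enforced",
                     None, "Enforce disk encryption via MDM policy", "IT Lead",
                     date(2025, 7, 31), closed=date(2025, 7, 15),
                     reported_to_mrt=date(2025, 8, 5)),
    CorrectiveAction("CA-03", "external_audit", date(2025, 8, 1),
                     "Supplier review not performed for two critical suppliers",
                     "No owner assigned for supplier reviews",
                     "Assign owner; add reviews to annual calendar", "CISO",
                     date(2025, 8, 31)),
]

# Date the checks are run against; fixed so the sample output is repeatable.
AUDIT_DATE = date(2025, 9, 15)


def findings(ca: CorrectiveAction, today: date) -> list[str]:
    """Return the gaps an auditor would raise for one log entry."""
    gaps = []
    if ca.root_cause is None:
        gaps.append("no root cause analysis recorded")
    if ca.closed is None and today > ca.due:
        gaps.append(f"overdue since {ca.due.isoformat()}")
    if ca.reported_to_mrt is None:
        gaps.append("not reported to management review")
    if ca.closed is not None and ca.effectiveness_verified is None:
        gaps.append("closed but effectiveness not verified")
    return gaps


def audit_log(log: list[CorrectiveAction], today: date) -> dict[str, list[str]]:
    """Map each entry that has gaps to its findings; clean entries are omitted."""
    return {ca.ref: gaps for ca in log if (gaps := findings(ca, today))}


def summary(log: list[CorrectiveAction], today: date) -> dict[str, int]:
    """Headline numbers to take to the management review meeting."""
    closed = sum(1 for ca in log if ca.closed is not None)
    return {
        "total": len(log),
        "open": len(log) - closed,
        "closed": closed,
        "with_findings": len(audit_log(log, today)),
    }


if __name__ == "__main__":
    for ref, gaps in audit_log(SAMPLE_LOG, AUDIT_DATE).items():
        print(ref, "->", "; ".join(gaps))
    print(summary(SAMPLE_LOG, AUDIT_DATE))
```

Run against the sample log, CA-01 is clean, CA-02 is closed but has no root cause and no effectiveness check, and CA-03 is overdue and has never reached the management review team. Those are exactly the answers the auditor is looking for, so running this (or the equivalent filter in a spreadsheet) before each management review meeting keeps the log honest rather than leaving the gaps to be found at certification.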

Common Mistakes

In my experience, the top 3 mistakes people make for ISO 27001 Continual Improvement are:

  • Having no evidence of any continual improvement to the Information Security Management System (ISMS)
  • Not having a continual improvement process
  • Not following your documented processes or not being able to evidence them in operation

Implementation Checklist

In this 10 step implementation checklist I will show you the best practice, practical steps you can take to implement ISO 27001 continual improvement, setting out the challenges that you will face and the common solutions to overcome them.

1. Establish a Continual Improvement Process

Define a formal process for identifying, implementing, and evaluating improvements to the ISMS.

Challenge

Creating a process that’s actually used and not just paperwork. Resistance to change from staff.

Solution

Make the process simple and easy to follow. Involve staff in its design. Show how improvements benefit everyone.

2. Identify Opportunities for Improvement

Actively seek out areas where the ISMS can be better.

Challenge

Hard to see where improvements are needed. People may be complacent with the status quo.

Solution

Use various methods like audits, incident reviews, and staff feedback. Encourage a culture of open communication.

3. Prioritise Improvements

Focus on the improvements that will have the biggest impact on the ISMS.

Challenge

Hard to decide which improvements are most important. Limited resources can make prioritisation difficult.

Solution

Use a risk-based approach. Consider the potential benefits and costs of each improvement.

4. Plan Improvements

Develop detailed plans for implementing each improvement.

Challenge

Plans can become too complex. Things change, making plans outdated.

Solution

Keep plans simple and flexible. Regularly review and update them.

5. Implement Improvements

Put the planned improvements into action.

Challenge

Implementing changes can be disruptive. Staff may resist new ways of working.

Solution

Communicate clearly about the changes. Provide training and support to staff.

6. Evaluate Effectiveness

Check if the implemented improvements are working as intended.

Challenge

Hard to measure the effectiveness of improvements. It can take time to see results.

Solution

Define clear metrics for evaluating improvements. Track progress and analyse the results.

7. Document Improvements

Keep records of all improvement activities, including plans, implementation details, and evaluation results.

Challenge

Documenting everything can be time-consuming. Hard to keep records organised.

Solution

Use a central system for storing records. Make it easy for people to access the information they need.

8. Communicate Improvements

Share information about successful improvements with staff and other interested parties.

Challenge

Hard to communicate complex information clearly. People may not be interested in the details.

Solution

Keep communications short and to the point. Focus on the key benefits of the improvements.

9. Learn from Successes and Failures

Analyse both successful and unsuccessful improvement efforts to identify lessons learned.

Challenge

People may be reluctant to admit failures. Hard to learn from mistakes.

Solution

Create a culture of learning and improvement. Focus on identifying root causes, not blaming people.

10. Integrate with other processes

Ensure the continual improvement process is linked to other ISMS processes, like risk management and internal audit.

Challenge

Processes can become siloed. Hard to ensure they work together effectively.

Solution

Map out the interactions between different processes. Look for opportunities to streamline and integrate them.

Audit Checklist

This 10 step audit checklist for ISO 27001 continual improvement will show you what to audit and the audit technique that is best suited, based on real world audit experience.

1. Review the Improvement Process

Check if a formal continual improvement process exists and is documented.

Audit Technique

Examine documented procedures, flowcharts, or other documentation describing the continual improvement process. Verify its existence and understand how it’s supposed to work.

2. Examine Improvement Records

Review records of improvement activities to verify they’ve been planned and implemented.

Audit Technique

Inspect records of implemented improvements, including project plans, implementation details, and evidence of testing or validation. Look for evidence of management review and approval.

3. Check for Improvement Identification

Verify that opportunities for improvement are actively sought and documented.

Audit Technique

Review records of internal audits, management reviews, incident reports, risk assessments, and staff feedback. Look for documented identification of areas for potential improvement.

4. Assess Prioritisation of Improvements

Confirm that improvements are prioritised based on risk and business impact.

Audit Technique

Examine records of prioritisation exercises. Check if a clear methodology is used and that decisions are justified.

5. Verify Implementation of Improvements

Check that planned improvements have been implemented as intended.

Audit Technique

Conduct site visits, examine system configurations, interview staff, and review implementation records to confirm that improvements are in place and functioning.

6. Evaluate Effectiveness of Improvements

Verify that implemented improvements have achieved their intended outcomes.

Audit Technique

Review performance data, metrics, and feedback gathered after implementation. Check if the improvements have led to measurable improvements in the ISMS.

7. Check Communication of Improvements

Ensure that information about successful improvements is communicated to relevant interested parties.

Audit Technique

Review communication logs, training records, and other evidence to confirm that interested parties are informed about improvements and their impact.

8. Review Lessons Learned

Verify that lessons learned from both successful and unsuccessful improvements are documented and shared.

Audit Technique

Examine records of lessons learned sessions, post-implementation reviews, and any updates to the improvement process based on lessons learned.

9. Assess Integration with Other Processes

Check that the continual improvement process is integrated with other ISMS processes, like risk management and internal audit.

Audit Technique

Review process documentation and interview staff to confirm that the continual improvement process is linked to and interacts effectively with other relevant processes.

10. Verify Management Commitment

Confirm that top management is actively involved in and supports the continual improvement process.

Audit Technique

Interview top management personnel about their understanding of and commitment to continual improvement. Review minutes of management review meetings to check for discussions and decisions related to improvements.

FAQ

What is ISO 27001 Clause 10.1 Continual Improvement?

The ISO 27001 standard requires that the organisation shall manage when things go wrong, manage the consequences of things going wrong, identify why it went wrong and put in place measures to stop it from happening again.

How do I evidence I meet the requirement of ISO 27001 Clause 10.1 Continual Improvement?

You evidence compliance to the ISO 27001 Clause 10.1 Continual Improvement with an incident and corrective action log and being able to demonstrate that you identify when things go wrong, put things right, identify why it went wrong and put in place measures so it does not happen again.

Where can I download ISO 27001 Clause 10.1 Continual Improvement templates?

You can download ISO 27001 Clause 10.1 Continual Improvement templates in the ISO 27001 Toolkit.

ISO 27001 Clause 10.1 Continual Improvement example?

An example of ISO 27001 Clause 10.1 Continual Improvement can be found in the ISO 27001 Toolkit.

Do I report non conformities to senior management?

Yes. Senior management and leadership are informed of non conformities. This is usually via the management review team meeting.

Do I do a root cause analysis on non conformities?

Yes. Non conformities require a root cause analysis to identify why they happened and to help to identify what can be done to prevent it from happening again.

Can I classify non conformities?

You can classify non conformities to help you to prioritise the order in which to tackle them and the recommended actions you should take. This would be aligned with the risk management process.

Can a corrective action be that I do nothing?

Technically yes but by doing nothing you are accepting risk and therefore you would follow your risk management process with sign off and acceptance by the management review team.

How do I report a non conformity?

Non conformities are reported via the incident management process.

Can I pass ISO 27001 certification with non conformities?

Yes you can pass the ISO 27001 certification if you have non conformities as long as they are being effectively managed and reported.

ISO 27001 Internal Audit: Clause 9.2

ISO 27001 Response To Information Security Incidents: Annex A 5.26

ISO 27001 Compliance With Policies, Rules And Standards For Information Security: Annex A 5.36

ISO 27001 Planning General: Clause 6.1.1

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.