ISO 27001 Continual Improvement
ISO 27001 Continual Improvement is about acknowledging that things are never perfect and do not work 100% of the time. As such, having a process to continually improve and get better is baked into the standard.
What is ISO 27001 Clause 10.1?
ISO 27001 Clause 10.1 Continual Improvement is a sub-clause of ISO 27001 Clause 10 Improvement that requires an organisation to continually improve the Information Security Management System (ISMS).
The ISO 27001 standard for ISO 27001 certification wants you to be in control of your management system and continually improve it. It is one of the ISO 27001 controls.
Purpose
The purpose of ISO 27001 clause 10.1 Continual Improvement is to make sure you have an actual information security management system and that it is established, implemented and continually improved.
Definition
The ISO 27001 standard defines ISO 27001 Continual Improvement as:
The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.
ISO27001:2022 Clause 10.1 Continual Improvement
ISO27001:2022 Changes
The changes made by the ISO 27001:2022 update to ISO 27001 Clause 10.1 Continual Improvement are minor.
They changed the number of the clause to bring it in line with other standards in the series. That is it!
So it is now called ISO27001:2022 Clause 10.1 Continual Improvement.
It was called ISO27001:2013 Clause 10.2 Continual Improvement.
Everything else is the same.
Implementation Guide
General
The first step in improvement is identifying areas for it. We do this by finding “nonconformities”: deviations from our established policies and procedures. Several processes help us uncover these:
Incident Management: Incidents, whether isolated or indicative of a larger issue, are addressed. Our process investigates incidents, performs root cause analysis, and may lead to improvements like policy/procedure changes, retraining, or new tools.
Audits: Audits provide independent checks on our practices. ISO 27001 mandates internal audits, and we may also face external client and certification audits. These offer a structured way to pinpoint areas for improvement.
Brainstorming: Simply asking people for their input is valuable. Staff often have excellent ideas for improving our information security management system.
When a problem is identified, we take appropriate corrective action to prevent recurrence. This might involve risk management, including accepting a risk (with management review team approval) if the cost of mitigation is prohibitive. We find an incident and corrective action log essential for managing this process effectively and meeting ISO 27001 requirements. The benefits of such a log, both for compliance and process efficiency, are significant.
Implement a Continual Improvement Policy
We need an ISO 27001 Continual Improvement Policy. Policies are statements of what we do, not how we do it (that is covered in the process documents), but the policy sets out your approach to handling nonconformities and corrective actions.
Implement an Incident and Corrective Action Log
Implement and use an incident and corrective action log that includes the required fields and allows you to manage incidents and corrective actions. This is the main tool for the management of nonconformity.
Implement an Incident Management Process
The incident management process sets out how we deal with incidents. Incidents are one of the major sources for identifying nonconformities. The incident management process is included in the ISO 27001 Toolkit, but to see what it should include, take a look at the following contents table:
Implement a continual improvement process
The ISO 27001 continual improvement process sets out how you make fundamental changes to prevent nonconformities from recurring. The continual improvement process is included in the ISO 27001 Toolkit, but to see what it should include, take a look at the following contents table:
Implement an Internal Audit Process
Put in place an internal audit plan. Have an internal audit process. Be sure to audit the entire information security management system at least annually, and ideally on a risk basis.
Reporting
The Management Review Team is the management oversight and decision-making body. Be sure to report to the meeting and to minute it.
Implementation Checklist
Continual Improvement ISO 27001 Clause 10.1 Implementation Checklist
Establish a Continual Improvement Process
Define a formal process for identifying, implementing, and evaluating improvements to the ISMS.
Challenge: Creating a process that’s actually used and not just paperwork. Resistance to change from staff.
Solution: Make the process simple and easy to follow. Involve staff in its design. Show how improvements benefit everyone.
Identify Opportunities for Improvement
Actively seek out areas where the ISMS can be better.
Challenge: Hard to see where improvements are needed. People may be complacent with the status quo.
Solution: Use various methods like audits, incident reviews, and staff feedback. Encourage a culture of open communication.
Prioritise Improvements
Focus on the improvements that will have the biggest impact on the ISMS.
Challenge: Hard to decide which improvements are most important. Limited resources can make prioritisation difficult.
Solution: Use a risk-based approach. Consider the potential benefits and costs of each improvement.
Plan Improvements
Develop detailed plans for implementing each improvement.
Challenge: Plans can become too complex. Things change, making plans outdated.
Solution: Keep plans simple and flexible. Regularly review and update them.
Implement Improvements
Put the planned improvements into action.
Challenge: Implementing changes can be disruptive. Staff may resist new ways of working.
Solution: Communicate clearly about the changes. Provide training and support to staff.
Evaluate Effectiveness
Check if the implemented improvements are working as intended.
Challenge: Hard to measure the effectiveness of improvements. It can take time to see results.
Solution: Define clear metrics for evaluating improvements. Track progress and analyse the results.
Document Improvements
Keep records of all improvement activities, including plans, implementation details, and evaluation results.
Challenge: Documenting everything can be time-consuming. Hard to keep records organised.
Solution: Use a central system for storing records. Make it easy for people to access the information they need.
Communicate Improvements
Share information about successful improvements with staff and other interested parties.
Challenge: Hard to communicate complex information clearly. People may not be interested in the details.
Solution: Keep communications short and to the point. Focus on the key benefits of the improvements.
Learn from Successes and Failures
Analyse both successful and unsuccessful improvement efforts to identify lessons learned.
Challenge: People may be reluctant to admit failures. Hard to learn from mistakes.
Solution: Create a culture of learning and improvement. Focus on identifying root causes, not blaming people.
Integrate with other processes
Ensure the continual improvement process is linked to other ISMS processes, like risk management and internal audit.
Challenge: Processes can become siloed. Hard to ensure they work together effectively.
Solution: Map out the interactions between different processes. Look for opportunities to streamline and integrate them.
Audit Checklist
Continual Improvement ISO 27001 Clause 10.1 Audit Checklist
Review the Improvement Process
Check if a formal continual improvement process exists and is documented.
Audit Technique: Examine documented procedures, flowcharts, or other documentation describing the continual improvement process. Verify its existence and understand how it’s supposed to work.
Examine Improvement Records
Review records of improvement activities to verify they’ve been planned and implemented.
Audit Technique: Inspect records of implemented improvements, including project plans, implementation details, and evidence of testing or validation. Look for evidence of management review and approval.
Check for Improvement Identification
Verify that opportunities for improvement are actively sought and documented.
Audit Technique: Review records of internal audits, management reviews, incident reports, risk assessments, and staff feedback. Look for documented identification of areas for potential improvement.
Assess Prioritisation of Improvements
Confirm that improvements are prioritised based on risk and business impact.
Audit Technique: Examine records of prioritisation exercises. Check if a clear methodology is used and that decisions are justified.
Verify Implementation of Improvements
Check that planned improvements have been implemented as intended.
Audit Technique: Conduct site visits, examine system configurations, interview staff, and review implementation records to confirm that improvements are in place and functioning.
Evaluate Effectiveness of Improvements
Verify that implemented improvements have achieved their intended outcomes.
Audit Technique: Review performance data, metrics, and feedback gathered after implementation. Check if the improvements have led to measurable improvements in the ISMS.
Check Communication of Improvements
Ensure that information about successful improvements is communicated to relevant interested parties.
Audit Technique: Review communication logs, training records, and other evidence to confirm that interested parties are informed about improvements and their impact.
Review Lessons Learned
Verify that lessons learned from both successful and unsuccessful improvements are documented and shared.
Audit Technique: Examine records of lessons learned sessions, post-implementation reviews, and any updates to the improvement process based on lessons learned.
Assess Integration with Other Processes
Check that the continual improvement process is integrated with other ISMS processes, like risk management and internal audit.
Audit Technique: Review process documentation and interview staff to confirm that the continual improvement process is linked to and interacts effectively with other relevant processes.
Verify Management Commitment
Confirm that top management is actively involved in and supports the continual improvement process.
Audit Technique: Interview top management personnel about their understanding of and commitment to continual improvement. Review minutes of management review meetings to check for discussions and decisions related to improvements.
Watch the Tutorial
Watch How to Implement ISO 27001 Clause 10 Improvement | Step-by-Step Guide
How To Comply
You demonstrate compliance with ISO 27001 Clause 10.1 Continual Improvement by having effective policy and process in place and having documented evidence that those processes have operated effectively. What this means is that you need policy and process for the identifiers of nonconformities, being:
- Incident management
- Audit (both internal audit and external audit)
And you need policy and process to deal with the nonconformities being
To demonstrate evidence you will have a series of documents and records:
- Incident tickets on your associated help desk systems
- Change tickets that support any changes that have been made
- The complete incident and corrective action log that is used to manage nonconformities
- Meeting minutes from the Management Review Team meetings where all of the above have been shared and minuted
ISO 27001 Templates
Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.
What the auditor will check
The auditor is going to check a number of areas for compliance with Clause 10.1. Let's go through them.
That you have a corrective action process
When a nonconformity is identified we need to be able to manage it. The auditor will look at the process and a sample of recent corrective actions to ensure they followed the process and were managed effectively. Were they recorded? Were they added to the corrective action log? Were they managed? Were they reported to the management review team? Were any corrective actions checked to ensure they were effective?
That you have a corrective action log
You need an effective way to record corrective actions and continual improvements. A corrective action log is a simple way to do it, but however you do it, ensure that you have evidence of continual improvement in operation.
Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 clause 10.1 are:
- Having no evidence of any continual improvement to the Information Security Management System (ISMS)
- Not having a continual improvement process
- Not following your documented processes or not being able to evidence them in operation
ISO 27001 Clause 10.1 FAQ
The ISO 27001 standard requires that the organisation shall manage when things go wrong, manage the consequences of things going wrong, identify why it went wrong and put in place measures to stop it from happening again.
You evidence compliance with ISO 27001 Clause 10.1 Continual Improvement with an incident and corrective action log and by being able to demonstrate that you identify when things go wrong, put things right, identify why it went wrong and put in place measures so it does not happen again.
You can download ISO 27001 Clause 10.1 Continual Improvement templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 10.1 Continual Improvement can be found in the ISO 27001 Toolkit.
Yes. Senior management and leadership are informed of nonconformities. This is usually via the management review team meeting.
Yes. Nonconformities require a root cause analysis to identify why they happened and to help identify what can be done to prevent them from happening again.
You can classify nonconformities to help you prioritise the order in which to tackle them and the recommended actions you should take. This would be aligned with the risk management process.
Technically yes, but by doing nothing you are accepting the risk, and therefore you would follow your risk management process with sign-off and acceptance by the management review team.
Nonconformities are reported via the incident management process.
Yes, you can pass ISO 27001 certification if you have nonconformities, as long as they are being effectively managed and reported.