ISO 27001 Clause 10.1 Continual Improvement

Home / ISO 27001 Clauses / ISO 27001 Clause 10.1 Continual Improvement

ISO 27001 Continual Improvement is about acknowledging that things are never perfect and do not work 100% of the time. As such having a process to continual improve and get better is baked in the standard.

In this ultimate guide to ISO 27001:2022 Clause 10.1 Continual Improvement you will learn

  • What ISO 27001 Clause 10.1 is
  • How to implement it
  • Examples of continual improvement

What is ISO 27001 Clause 10.1?

ISO 27001 Clause 10.1 Continual Improvement is a sub clause to ISO 27001 Clause 10 Improvement that requires an organisation to continually improve the Information Security Management System (ISMS).

You can learn more about the ISO 27001 Clause 4.4 Information Security Management System.

The ISO 27001 standard for ISO 27001 certification wants you to be in control of your management system and continually improve it. It is one of the ISO 27001 controls.

Purpose

The purpose of clause 10.1 is to make sure you have an actual information security management system and that it is established, implemented and continually improved.

Definition

The ISO 27001 standard defined ISO 27001:2022 clause 10.1 as follows:

The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.

ISO27001:2022 Clause 10.1 Continual Improvement

ISO27001:2022 Changes

The ISO 27001 2022 Update to ISO 27001 Clause 10.1 Continual Improvement are minor.

They changed the number of the clause to bring in line with other standards in the series. That is it!

So it is now called ISO27001:2022 Clause 10.1 Continual Improvement.

It was called ISO27001:2013 Clause 10.2 Continual Improvement.

Everything, but everything else is the same.

Implementation Guide

General

The first step is to implement the policies and process that catch the things that need improvement. These are termed non conformities.

Non conformities are deviation from the norm. A deviation from the written and agreed policies and procedures.

The processes that we have that find things that need improving are:

Incident Management: Incidents occur and are either a one off or symptomatic of a bigger problem. Our process will deal with the incident, then perform a root cause to see why it happened. It may then need an improvement actions such as a change to policy, procedure or a re education or an investment in tooling.

Audit: Audit is the process of independently checking that we do what we say we do. Internal audit is built into the standard. You will also have external client audits and external certification audits. A more formal process for identifying areas that need improving.

Brainstorming: A wide term that refers to just asking people. People are good at coming up with ways that our information security management system can be improved. Ask them.

When we find something that has gone wrong we take appropriate actions to ensure that this does not and cannot occur again. This may include risk management and accepting that it may occur, if the cost of action is too high. That would require us to follow the risk management process and seek to get approval and sign off of the management review team.

We find the use of an incident and corrective action log is ideal for managing this process. The benefits of having an effective log that meets the requirements of the ISO 27001 standard whilst also efficiently handling the process are worth it.

Implement Policy

We need an ISO 27001 Continual Improvement Policy. Policies are statements of what we do, not how we do it which is covered in the process documents, but the policy sets out your approach to how you handle nonconformities and corrective actions.

ISO 27001 Continual Improvement Policy-Black

Implement an incident and corrective action log

Implement and use an incident and corrective action log that includes the required fields and allows you to manage incidents and corrective actions. This is the main tool for the management of nonconformity.

ISO 27001 Incident and Corrective Action Log Template
ISO27001-Incident-and-Corrective-Action-Log-Example

Implement an incident management process

The incident management process sets out how we deal with incidents. Incidents are one of the major sources of identifying nonconformities. The incident management process is include the ISO 27001 Toolkit but to see what it should include take a look at the following contents table:

Implement a continual improvement process

The ISO 27001 continual improvement process sets out how you make fundamental changes to prevent nonconformities from re occurring. The continual improvement process is include the ISO 27001 Toolkit but to see what it should include take a look at the following contents table:

Continual Improvement 1
Continual Improvement 2
Continual Improvement 3

Implement an Internal Audit Process

Put in place an internal audit plan. Have an internal audit process. Be sure to audit the entire information security management systems at least annually and ideally based on risk.

Reporting

The Management Review Team provides the management oversight and decision making body. Be sure to report to the meeting and minute the meeting minutes.

Watch the training video

Watch How to Implement ISO 27001 Clause 10 Improvement | Step-by-Step Guide

How To Comply

You demonstrate compliance to ISO 27001 Clause 10.1 Continual Improvement by having effective policy and process in place and having documented evidence that those processes have operated effectively. What this means is that you need policy and process for the identifiers of nonconformities, being:

  • Incident management
  • Audit (both internal audit and external audit)

And you need policy and process to deal with the nonconformities being

To demonstrate evidence you will have a series of documents and records

  • Incident tickets on your associated help desk systems
  • Change tickets that support any changes that have been made
  • The complete incident and corrective action log that is used to manage nonconformities
  • Meeting minutes from the Management Review Team meetings where all of he above have been shared and minuted

ISO 27001 Templates

ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 Toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 10.1

ISO 27001 Toolkit

What the auditor will check

The auditor is going to check a number of areas for compliance with Clause 10.1. Lets go through them

That you have a corrective action process

When a non conformity is identified we need to be able to manage it. The auditor will look at the process and a sample of recent corrective actions to ensure they followed the process and they were managed effectively. Were they recorded? Were they added to the corrective action log? Were they managed? Were they reported to the management review team? Were any corrective actions checked to ensure they were effective?

That you a corrective action log

You need an effective way to record corrective actions and continual improvements. A corrective action log is a simple way to do it but how ever you do it ensure that you have evidence of continual improvement in operation.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 clause 10.1 are:

  • Having no evidence of any continual improvement to the Information Security Management System (ISMS)
  • Not having a continual improvement process
  • Not following your documented processes or not being able to evidence them in operation

FAQ

What is ISO 27001 Clause 10.1 Continual Improvement?

The ISO 27001 standard requires that the organisation shall manage when things go wrong, manage the consequences of things going wrong, identify why it went wrong and put in place measures to stop it from happening again.

How do I evidence I meet the requirement of ISO 27001 Clause 10.1 Continual Improvement?

You evidence compliance to the ISO 27001 Clause 10.1 Continual Improvement with an incident and corrective action log and being able to demonstrate that you identify when things go wrong, put things right, identify why it went wrong and put in place measures so it does not happen again.

Where can I download ISO 27001 Clause 10.1 Continual Improvement templates?

You can download ISO 27001 Clause 10.1 Continual Improvement templates in the ISO 27001 Toolkit.

ISO 27001 Clause 10.1 Continual Improvement example?

An example of ISO 27001 Clause 10.1 can be found in the ISO 27001 Toolkit.

Do I report non conformities to senior management?

Yes. Senior management and leadership are informed of non conformities. This is usually via the management review team meeting.

Do I do a root cause analysis on non conformities?

Yes. Non conformities require a root cause analysis to identify why they happened and to help to identify what can be done to prevent it from happening again.

Can I classify non conformities?

You can classify non conformities to help you to prioritise the order in which to tackle them and the recommended actions you should take. This would be aligned with the risk management process.

Can a corrective action be that I do nothing?

Technically yes but by doing nothing you are accepting risk and therefore you would follow your risk management process with sign off and acceptance by the management review team.

How do I report a non conformity?

Non conformities are reported via the incident management process.

Can I pass ISO 27001 certification with non conformities?

Yes you can pass the ISO 27001 certification if you have non conformities as long as they are being effectively managed and reported.

ISO 27001 Toolkit Business Edition
Do it Yourself ISO 27001 with LIVE EXPERT SUPPORT

ISO 27001:2022 requirements

ISO 27001:2022 Annex A 5 - Organisational Controls

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

ISO 27001:2022 Annex A 8 - Technology Controls

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing