Table of contents
- What is ISO 27001 ISO 27001 Continual Improvement?
- ISO 27001 2022 Update to Continual Improvement
- ISO 27001 Clause 10.1 Continual Improvement Definition
- How to comply with ISO 27001 Continual Improvement
- ISO 27001 Continual Improvement Implementation Guide
- How do you demonstrate compliance to ISO 27001 Continual Improvement?
- ISO 27001 Continual Improvement Templates
- ISO 27001 Continual Improvement FAQ
What is ISO 27001 ISO 27001 Continual Improvement?
The ISO 27001 standard requires an organisation to continually improve the information security management system.
ISO 27001 Continual Improvement is about acknowledging that things are never perfect and do not work 100% of the time. As such having a process to continual improve and get better is baked in the standard.
The ISO 27001 standard for ISO 27001 certification wants you to be in control of your management system and continually improve it. It is one of the ISO 27001 controls.
ISO 27001 2022 Update to Continual Improvement
They changed the number of the clause. That is it! Why? Don’t ask me. When it comes to justifying your existence someone somewhere sat round a table and convinced other people to swap the numbering of 2 clauses and most likely presented it as a giant leap forward in cyber security thinking. Bell. Ends.
So it is now called ISO 27002:2022 Clause 10.1 Continual Improvement.
It was called ISO 27001:2013 Clause 10.2 Continual Improvement.
Everything, but everything else is the same.
Go figure.
ISO 27001 Clause 10.1 Continual Improvement Definition
The ISO 27001 standard defined clause 10.1 as follows:
The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.
ISO 27001 Clause 10.1 Continual Improvement Defined
How to comply with ISO 27001 Continual Improvement
Implement policy
Put in place an incident management and corrective action policy as well as a continual improvement policy. The policies say how you deal with non conformity.
Implement an incident and corrective action log
Implement and use an incident and corrective action log that includes the required fields and allows you to manage incidents and corrective actions. This is the main tool for the management of nonconformity.
Implement an incident management process
The incident management process sets out how we deal with incidents. Incidents are one of the major sources of identifying nonconformities.
Implement a continual improvement process
The continual process sets out how you make fundamental changes to prevent nonconformities from re occurring.
Implement an Internal Audit Process
Put in place an internal audit plan. Have an internal audit process. Be sure to audit the entire information security management systems at least annually and ideally based on risk.
Report non conformity and corrective action to the Management Review Team
The Management Review Team provides the management oversight and decision making body. Be sure to report to the meeting and minute the meeting minutes.
ISO 27001 Continual Improvement Implementation Guide
The first step is to implement the policies and process that catch the things that need improvement. These are termed non conformities.
Non conformities are deviation from the norm. A deviation from the written and agreed policies and procedures.
The processes that we have that find things that need improving are:
Incident Management: Incidents occur and are either a one off or symptomatic of a bigger problem. Our process will deal with the incident, then perform a root cause to see why it happened. It may then need an improvement actions such as a change to policy, procedure or a re education or an investment in tooling.
Audit: Audit is the process of independently checking that we do what we say we do. Internal audit is built into the standard. You will also have external client audits and external certification audits. A more formal process for identifying areas that need improving.
Brainstorming: A wide term that refers to just asking people. People are good at coming up with ways that our information security management system can be improved. Ask them.
When we find something that has gone wrong we take appropriate actions to ensure that this does not and cannot occur again. This may include risk management and accepting that it may occur, if the cost of action is too high. That would require us to follow the risk management process and seek to get approval and sign off of the management review team.
We find the use of an incident and corrective action log is ideal for managing this process. The benefits of having an effective log that meets the requirements of the ISO 27001 standard whilst also efficiently handling the process are worth it.
How do you demonstrate compliance to ISO 27001 Continual Improvement?
You demonstrate compliance to ISO 27001 Clause 10.1 Continual Improvement by having effective policy and process in place and having documented evidence that those processes have operated effectively. What this means is that you need policy and process for the identifiers of nonconformities, being:
- Incident management
- Audit (both internal audit and external audit)
And you need policy and process to deal with the nonconformities being
- Continual Improvement
To demonstrate evidence you will have a series of documents and records
- Incident tickets on your associated help desk systems
- Change tickets that support any changes that have been made
- The complete incident and corrective action log that is used to manage nonconformities
- Meeting minutes from the Management Review Team meetings where all of he above have been shared and minuted
ISO 27001 Continual Improvement Templates
ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 10.1
ISO 27001 Continual Improvement FAQ
The ISO 27001 standard requires that the organisation shall manage when things go wrong, manage the consequences of things going wrong, identify why it went wrong and put in place measures to stop it from happening again.
You evidence compliance to the ISO 27001 Clause 10.1 Continual Improvement with an incident and corrective action log and being able to demonstrate that you identify when things go wrong, put things right, identify why it went wrong and put in place measures so it does not happen again.
You can download ISO 27001 Clause 10.1 Continual Improvement templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 10.1 can be found in the ISO 27001 Toolkit.
Yes. Senior management and leadership are informed of non conformities. This is usually via the management review team meeting.
Yes. Non conformities require a root cause analysis to identify why they happened and to help to identify what can be done to prevent it from happening again.
You can classify non conformities to help you to prioritise the order in which to tackle them and the recommended actions you should take. This would be aligned with the risk management process.
Technically yes but by doing nothing you are accepting risk and therefore you would follow your risk management process with sign off and acceptance by the management review team.
Non conformities are reported via the incident management process.
Yes you can pass the ISO 27001 certification if you have non conformities as long as they are being effectively managed and reported.