ISO 27001 Nonconformity and Corrective Action is the identification and management of nonconformities. Nonconformities are deviations to the norm. If a policy or process is not operating as expected, that would be classed as a nonconformity. The clause sets out the requirement of what we do once we have identified the problem.
In ISO 27001 this is known as ISO27001:2022 Clause 10.2 Nonconformity and Corrective Action. It is one of the mandatory ISO 27001 clauses.
Things don’t always go as planned, and that’s okay, as long as a clear process exists to correct issues and prevent them from happening again.
Key Takeaways
- ISO 27001 Nonconformity & Corrective Action is a process for effectively managing and resolving issues. It involves correcting a problem and taking steps to prevent it from happening again.
- The goal of this process is to ensure you have control of your management system and are continually improving it, which is a core requirement of the ISO 27001 standard.
Table of contents
- Key Takeaways
- What is ISO 27001 Clause 10.2 and Why is it Important?
- What are minor nonconformities and major nonconformities?
- ISO 27001 Clause 10.2 Explained: A Complete Guide
- How to implement ISO 27001 Clause 10.2: Step-By-Step
- How to pass the ISO 27001 Clause 10.2 audit
- Top 3 ISO 27001 Clause 10.2 Mistakes and How to Fix Them
- ISO 27001 Clause 10.2 Nonconformity and Corrective Action FAQ
- Related ISO 27001 Controls
- Further Reading
What is ISO 27001 Clause 10.2 and Why is it Important?
A nonconformity is a deviation from the requirements of your ISMS. This could be anything from a broken process, a missed security policy, an incident, or a failed audit finding.
It is important because things change and no management system is 100% effective 100% of the time, so you need a process to handle when things inevitably go wrong.
Purpose and Definition
The purpose of ISO 27001 Clause 10.2 Nonconformity and Corrective Action is to identify when things are not operating as expected and to make sure that when things go wrong they are corrected.
The ISO 27001 standard defines ISO 27001 Clause 10.2 Nonconformity and Corrective Action as:
When a nonconformity occurs, the organisation shall:
ISO 27001:2022 Clause 10.2 Nonconformity and Corrective Action
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur
or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
Documented information shall be available as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.
The requirement is that when a nonconformity happens, the organisation:
- take action to control and correct it
- deal with the consequences
- review the nonconformity
- determine the causes of the nonconformity
- determine if similar nonconformities exist, or could potentially occur
- implement any action needed
- review the effectiveness of any corrective action taken
- make changes to the information security management system, if necessary
- keep documents and evidence for audit
1. React to the nonconformity
Reacting and responding to a nonconformity means taking action to control and correct what went wrong and dealing with the consequences.
2. Evaluate the nonconformity
Evaluation is about understanding what went wrong, why it went wrong and then deciding on the course of action to take so that it does not happen again.
3. Manage the nonconformity
Whatever the nonconformity was, you are going to correct it. It may be an isolated incident, or it may be something more fundamental that requires a change to the information security management system (ISMS) and a continual improvement plan. It is about making changes that are appropriate to what you found and the evaluation you did.
4. Check the changes worked
You will correct the mistake and then review the effectiveness of the change you made, to confirm that it actually works. The usual way to do this is an internal audit of the area that changed.
5. Document the nonconformity
The auditor is going to look for documentation of how you managed the nonconformity. It is also required by the standard. You are going to be able to evidence the nature of the nonconformity and the actions that you took as well as evidence that the changes were effective.
Non-conformity and corrective action are processes that fall within the scope of incident management. This framework can be structured as a Level 2 incident management process or as a dedicated sub-process. The critical first step is to identify that an event has a potential or actual impact on information security. Once this is established, you can invoke your formal processes for managing the non-conformity.
What are minor nonconformities and major nonconformities?
While a non-conformity is simply a failure to meet a requirement, auditors typically classify them into two main types: minor nonconformities and major nonconformities.
ISO 27001 has a built-in distinction between things that work on the whole but were found not to work on a couple of occasions (minor nonconformities), and things that do not work at all and may not even be implemented (major nonconformities).
This classification is a convention used during audits to determine the severity of the issue and the potential impact on certification.
Minor nonconformity
A minor nonconformity is a single, isolated lapse or a partial failure to meet a requirement that does not significantly impact the overall effectiveness of your management system (e.g., ISO 27001 or ISO 9001). It’s a localised issue that does not compromise the system’s ability to achieve its objectives.
An organisation can still achieve or maintain its certification with minor nonconformities, but it must have a clear plan and timeline for corrective action.
Minor nonconformity examples
Here are some examples that I have seen:
- One person in ten has not done their mandatory information security training
- One person out of fifteen was seen to have antivirus disabled
- A document in the management system was found to have not been updated
Major nonconformity
A major nonconformity is a significant failure to meet a requirement that has or could have a serious impact on the management system’s effectiveness. It indicates a systemic or critical breakdown that could compromise the company’s ability to meet its objectives, customer expectations, or regulatory requirements.
A major nonconformity will result in a failed audit and a delay in certification until the issue is fully resolved and verified by the auditor.
Major nonconformity examples
- You said you do disaster recovery tests but in fact you have not
- You have policies and procedures but no one follows them
- A previous nonconformity was not addressed, and the issue has recurred.
ISO 27001 Clause 10.2 Explained: A Complete Guide
In this tutorial video, How to implement ISO 27001 Clause 10 Improvement, I show you how to implement nonconformity and corrective action as part of the wider requirement of continual improvement.
How to implement ISO 27001 Clause 10.2: Step-By-Step
Based on my experience and what I have seen work well, the following are the best practice steps to implement ISO 27001 Nonconformity and Corrective Action.
Time needed: 1 hour and 30 minutes
How to implement ISO 27001 Clause 10.2 Nonconformity and Corrective Action
- Implement a Continual Improvement Policy
We need an ISO 27001 Continual Improvement Policy. Policies are statements of what we do, not how we do it (the how is covered in the process documents), and this policy sets out your approach to handling nonconformities and corrective actions.
- Implement an incident and corrective action log
Implement and use the ISO 27001 incident and corrective action log that includes the required fields and allows you to manage incidents and corrective actions. This is the main tool for the management of nonconformity.
- Implement an incident management process
The incident management process sets out how you deal with incidents. Incidents are one of the major sources of identifying nonconformities.
- Implement a continual improvement process
The ISO 27001 continual improvement process sets out how you make fundamental changes to prevent nonconformities from recurring.
- Identify a Nonconformity
A nonconformity is usually identified by audit or the occurrence of incidents.
- Nonconformity from Incidents
Our first step is to handle the incident and to manage its consequences. We document everything as we go, and best practice would be to use an incident management system or a help desk system. Many of these come with this capability out of the box, and at worst they require some minor tweaks.
This ensures we have a record of the incident and what happened.
Once this step is complete, we assess what happened. We are looking to see if this was a one-off or if there is potential for the incident to happen again or elsewhere.
We take appropriate actions to ensure that this does not and cannot occur again. This may include risk management and accepting that it may occur, if the cost of action is too high. That would require us to follow the risk management process and seek approval and sign-off from the management review team.
We find the ISO 27001 incident and corrective action log ideal for managing this process. The benefits of having an effective log that meets the requirements of the ISO 27001 standard whilst also handling the process efficiently are worth it.
- Nonconformity from Audits
When an audit results in a nonconformity, we follow a similar process to handling incidents. The nonconformity is recorded on the incident and corrective action log. A root cause analysis is conducted. Remediation is implemented under the guidance of the management review team.
- Report
The ISO 27001 Management Review Team is the management oversight and decision-making body. Be sure to report to the meeting and record the minutes.
ISO 27001 Continual Improvement Policy Template
The ISO 27001 Continual Improvement policy template sets out what must be done for continual improvement and specifically addresses improvement as a result of nonconformity, as well as the wider requirements on nonconformity and corrective action. As a requirement of the standard, continual improvement is covered in ISO 27001 Continual Improvement: Clause 10.1.
ISO 27001 Nonconformity and Corrective Action Policy Example
Let us take a look at an example of an ISO 27001 Nonconformity and Corrective Action Policy. It is in fact covered in the continual improvement policy. This is a best practice example based on real-world application and use.
ISO 27001 Continual Improvement Process Example
The continual improvement process is included in the ISO 27001 Toolkit, but to see what it should include, take a look at the following example.
ISO 27001 Incident and Corrective action Log Template
The ISO 27001 Incident and Corrective Action Log Template is used to track and manage incidents and corrective actions effectively. This log is an essential part of the ISO 27001 continual improvement process and of managing nonconformities and corrective actions.
ISO 27001 Incident and Corrective action Log Example
This ISO 27001 Incident and Corrective Action Log Example shows the layout of a typical ISO 27001 Incident and Corrective Action Log, the required columns, and the data that needs to be captured. ISO 27001 nonconformities and corrective actions are recorded in this log, and the log is used to manage them.
ISO 27001 Incident Management Process Example
ISO 27001 nonconformities and corrective actions are managed via the ISO 27001 Incident Management process. This is a standard process, and the following is an example of it. As a requirement of the ISO 27001 standard, it is covered in ISO 27001 Response To Information Security Incidents: Annex A 5.26.
How to pass the ISO 27001 Clause 10.2 audit
You demonstrate compliance with ISO 27001 Clause 10.2 Nonconformity and Corrective Action by having effective policy and process in place and having documented evidence that those processes have operated effectively. This means you need policy and process for the sources that identify nonconformities, being:
- Incident management
- Audit (both internal audit and external audit)
And you need policy and process to deal with the nonconformities being
To demonstrate evidence, you will have a series of documents and records:
- Incident tickets on your associated help desk systems
- Change tickets that support any changes that have been made
- The complete incident and corrective action log that is used to manage nonconformities
- Meeting minutes from the Management Review Team meetings where all of the above have been shared and minuted
What an auditor looks for
The auditor is going to check a number of areas for compliance with Clause 10.2. Let's go through them.
1. That you have incident management in place
When a nonconformity is identified, we need to be able to manage it. Incident management is required to respond to incidents and manage them through to resolution. The auditor will look at the process and a sample of recent incidents to ensure they followed the process and were managed effectively.
2. That you have internal audit in place
Internal audit is the main mechanism for identifying nonconformity. Through the process of internal audit, we identify when things are not operating as expected. The auditor will look at the internal audit process and sample internal audits from the last 12 months. They will examine how the internal audits were reported and what happened as a result, especially in relation to any identified nonconformities.
3. That you have corrective action in place
When a nonconformity is identified, something needs to happen. This is the corrective action. The auditor will want to see the corrective action process and that you have followed it. They will sample corrective actions from the last 12 months and want you to walk through them and explain how you managed them.
Top 3 ISO 27001 Clause 10.2 Mistakes and How to Fix Them
In my experience, the top 3 mistakes people make for ISO 27001 Nonconformity and Corrective Action are:
- Not having independent internal audits
- Not having documented processes
- Not following your documented processes or not being able to evidence them in operation
ISO 27001 Clause 10.2 Nonconformity and Corrective Action FAQ
The ISO 27001 standard requires that the organisation shall manage when things go wrong, manage the consequences of things going wrong, identify why it went wrong and put in place measures to stop it from happening again.
You evidence compliance with ISO 27001 Clause 10.2 Nonconformity and Corrective Action by being able to demonstrate that you identify when things go wrong, put things right, identify why they went wrong, and put in place measures so they do not happen again.
You can download ISO 27001 Clause 10.2 Nonconformity and Corrective Action templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 10.2 Nonconformity and Corrective Action can be found in the ISO 27001 Toolkit.
Yes. Senior management and leadership are informed of nonconformities. This is usually via the management review team meeting.
Yes. Nonconformities require a root cause analysis to identify why they happened and to help identify what can be done to prevent them from happening again.
You can classify nonconformities to help you prioritise the order in which to tackle them and the recommended actions you should take. This would be aligned with the risk management process.
Technically yes, but by doing nothing you are accepting risk, and therefore you would follow your risk management process with sign-off and acceptance by the management review team.
Nonconformities are reported via the incident management process.
Yes, you can pass ISO 27001 certification if you have nonconformities, as long as they are being effectively managed and reported.
A nonconformity is a failure to meet a requirement. In ISO 27001, this means not complying with a clause of the standard, a control from Annex A, your own established policies and procedures, or legal and regulatory requirements.
A nonconformity is a clear breach of a requirement. An observation (or opportunity for improvement) is not a direct nonconformity but suggests an area where the Information Security Management System (ISMS) could be strengthened or made more efficient.
Promptly addressing nonconformities is crucial for maintaining the effectiveness of your ISMS, preventing recurrence, demonstrating continuous improvement, and ensuring ongoing compliance with ISO 27001, which is essential for certification and maintaining trust.
Nonconformities can be identified by anyone within the organization, including employees, internal auditors, external auditors (during certification or surveillance audits), or even customers and other interested parties.
A corrective action is an action taken to eliminate the cause of a detected nonconformity or other undesirable situation and prevent its recurrence. It’s not just about fixing the immediate problem, but addressing its root cause.
The typical steps include:
a. Identifying and documenting the nonconformity.
b. Investigating the nonconformity and its root cause.
c. Planning and implementing a corrective action.
d. Verifying the effectiveness of the corrective action.
e. Making changes to the ISMS documentation as needed.
f. Reviewing the nonconformity and corrective action during management review.
Internal audits are a key mechanism for proactively identifying nonconformities and areas for improvement within the ISMS. They provide an independent assessment of your ISMS’s compliance and effectiveness.
Management review is a mandatory output of the ISMS and provides a formal opportunity for top management to review the status of nonconformities and corrective actions, ensuring they are being effectively managed and resourced.
Yes, significant or recurring nonconformities, especially if not adequately addressed, can lead to a suspension or withdrawal of ISO 27001 certification during surveillance or re-certification audits.
Related ISO 27001 Controls
ISO 27001 Clause 10.1: Continual Improvement
ISO 27001 Annex A 5.24: Information Security Incident Management Planning and Preparation
ISO 27001 Annex A 5.25: Assessment And Decision On Information Security Events
ISO 27001 Annex A 5.26: Response To Information Security Incidents
ISO 27001 Annex A 5.27: Learning From Information Security Incidents