Ok, so with the 2022 update they have balls’ed this right up. For no reason whatsoever the clause remains the same but the number of the clause has changed. Why? Who knows. Keener minds than ours are at play, but let’s unpick and present it.
Table of contents
- What is ISO 27001 Nonconformity and Corrective Action?
- ISO27001 Clause 10.2 Nonconformity and Corrective Action
- ISO27001 Clause 10.1 Nonconformity and Corrective Action Defined
- How to comply with ISO 27001 Nonconformity and Corrective Action
- ISO 27001 Nonconformity and Corrective Action Implementation Guide
- How do you demonstrate compliance to ISO 27001 Nonconformity and Corrective Action ?
- ISO 27001 Nonconformity and Corrective Action Templates
- ISO 27001 Nonconformity and Corrective Action FAQ
- Reference
What is ISO 27001 Nonconformity and Corrective Action?
The ISO 27001 standard requires an organisation to manage when things go wrong.
ISO 27001 Nonconformity and Corrective Action is about effectively managing when things go wrong, correcting it and taking steps to make sure it does not happen again.
The ISO 27001 standard for ISO 27001 certification wants you to be in control of your management system and continually improve it. It is one of the ISO 27001 controls.
ISO27001 Clause 10.2 Nonconformity and Corrective Action
Now in the 2022 update the clause has shifted from being ISO27001 Clause 10.1 to ISO 27001 Clause 10.2.
They have removed the word ‘and‘ from 10.2 a part 1.
They have changed the words ‘the organisation shall retain documented information as evidence of’ to ‘Documented Information shall be available as evidence of’.
I mean it does feel at times that people make changes just to justify their existence.
Someone really hates the word ‘and‘ as they also removed it from 10.2 f.
That is it.
It is the same. With a different number.
ISO27001 Clause 10.1 Nonconformity and Corrective Action Defined
The ISO 27001 standard defines clause 10.2 as follows:
When a nonconformity occurs, the organisation shall:
a) React to the nonconformity, and as applicable:
– take action to control and correct it; and
– deal with the consequences;
b) Evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
– reviewing the nonconformity;
– determining the causes of the nonconformity; and
– determining if similar nonconformities exist, or could potentially occur;
c) Implement any action needed;
d) Review the effectiveness of any corrective action taken; and
e) Make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organisation shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken; and
g) the results of any corrective action.
How to comply with ISO 27001 Nonconformity and Corrective Action
Implement policy
Put in place an incident management and corrective action policy as well as a continual improvement policy. The policies set out how you deal with nonconformity.
Implement an incident and corrective action log
Implement and use an incident and corrective action log that includes the required fields and allows you to manage incidents and corrective actions. This is the main tool for the management of nonconformity.
Implement an incident management process
The incident management process sets out how we deal with incidents. Incidents are one of the major sources of identifying nonconformities.
Implement a continual improvement process
The continual improvement process sets out how you make fundamental changes to prevent nonconformities from recurring.
Report non conformity and corrective action to the Management Review Team
The Management Review Team is the management oversight and decision-making body. Be sure to report to the meeting and record it in the meeting minutes.
ISO 27001 Nonconformity and Corrective Action Implementation Guide
Nonconformity and corrective action falls under incident management. It can be implemented as a level 2 incident management process or a sub-process. The trick is to identify that what has happened has, or could, impact information security and then to invoke your processes for managing the nonconformity.
Our first step is to handle the incident and to manage the consequences of that incident. We document everything as we go, and best practice would be to use an incident management system or a help desk system. Many of these come with this capability out of the box and at worst require some minor tweaks.
This ensures we have a record of the incident and what happened.
Once this step is complete we then assess what happened. We are looking to see whether this was a one-off or whether there is potential for the incident to happen again or elsewhere.
We take appropriate actions to ensure that this does not and cannot occur again. This may include risk management and accepting that it may occur, if the cost of action is too high. That would require us to follow the risk management process and seek approval and sign-off from the management review team.
We find the use of an incident and corrective action log is ideal for managing this process. The benefits of having an effective log that meets the requirements of the ISO 27001 standard whilst also efficiently handling the process are worth it.
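As an added example (not code from the original post, nor from the HighTable toolkit it links to), here is a small Python model of the incident and corrective action log described above. The field names, status values and the sample record are assumptions; what it demonstrates is the check such a log should enforce: a nonconformity cannot be closed until the evidence clause 10.2 asks for (nature, actions taken, results of the corrective action) has been recorded, or until "doing nothing" has been turned into a formal risk acceptance signed off by the management review team.

```python
"""Minimal nonconformity and corrective action log (added example).

All field names and status values are assumptions chosen to mirror the
evidence clause 10.2 asks for; nothing here is from an ISO 27001 template.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Nonconformity:
    ref: str                                  # log reference, constructed, e.g. "NC-0001"
    source: str                               # how it was identified: "incident" or "audit"
    nature: str                               # what went wrong (10.2 f)
    correction: str = ""                      # action to control and correct it (10.2 a)
    consequences: str = ""                    # how the consequences were dealt with (10.2 a)
    root_cause: str = ""                      # determined cause (10.2 b)
    similar_exists: Optional[bool] = None     # could it recur or occur elsewhere? (10.2 b)
    corrective_actions: List[str] = field(default_factory=list)   # actions taken (10.2 c)
    effectiveness_result: str = ""            # outcome of the effectiveness review (10.2 d, g)
    isms_change: str = ""                     # ISMS changes made, if any (10.2 e)
    risk_accepted: bool = False               # cost of action too high: risk process instead
    mrt_signoff: Optional[date] = None        # management review team acceptance date
    status: str = "open"


def missing_evidence(nc: Nonconformity) -> List[str]:
    """Return the evidence fields still missing before the record may be closed."""
    gaps: List[str] = []
    if not nc.nature:
        gaps.append("nature")
    if not nc.correction:
        gaps.append("correction")
    if not nc.root_cause:
        gaps.append("root_cause")
    if nc.similar_exists is None:
        gaps.append("similar_exists")
    if nc.risk_accepted:
        # Doing nothing is risk acceptance: it needs MRT sign-off, not corrective action.
        if nc.mrt_signoff is None:
            gaps.append("mrt_signoff")
    else:
        if not nc.corrective_actions:
            gaps.append("corrective_actions")
        if not nc.effectiveness_result:
            gaps.append("effectiveness_result")
    return gaps


def close(nc: Nonconformity) -> bool:
    """Close the record only when the required evidence is in place."""
    if missing_evidence(nc):
        return False
    nc.status = "closed"
    return True


def mrt_summary(log: List[Nonconformity]) -> Dict[str, int]:
    """Counts to report to the Management Review Team meeting."""
    return {
        "open": sum(1 for nc in log if nc.status == "open"),
        "closed": sum(1 for nc in log if nc.status == "closed"),
        "risk_accepted": sum(1 for nc in log if nc.risk_accepted),
        "from_audit": sum(1 for nc in log if nc.source == "audit"),
    }


# Constructed sample record: an incident raised through the help desk.
SAMPLE = Nonconformity(
    ref="NC-0001",
    source="incident",
    nature="Backup job for the file server failed for three consecutive nights",
    correction="Re-ran the backup manually and verified the restore",
    consequences="No data lost; confirmed latest restore point is within RPO",
)

if __name__ == "__main__":
    print("can close immediately:", close(SAMPLE))        # False: evidence missing
    print("missing:", missing_evidence(SAMPLE))
    SAMPLE.root_cause = "Backup account password expired; no expiry alert"
    SAMPLE.similar_exists = True
    SAMPLE.corrective_actions = ["Moved job to a service account with expiry monitoring"]
    SAMPLE.effectiveness_result = "30 nightly runs succeeded after the change"
    print("can close after evidence:", close(SAMPLE))     # True
    print(mrt_summary([SAMPLE]))
```

The `risk_accepted` branch encodes the answer the FAQ gives to "can we do nothing?": a record may be closed without corrective action, but only once the management review team's sign-off date is on file.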
How do you demonstrate compliance to ISO 27001 Nonconformity and Corrective Action ?
You demonstrate compliance to ISO 27001 Clause 10.2 Nonconformity and Corrective Action by having effective policy and process in place and having documented evidence that those processes have operated effectively. What this means is that you need policy and process for the ways nonconformities are identified, namely:
- Incident management
- Audit (both internal audit and external audit)
And you need policy and process to deal with the nonconformities, namely:
- Continual Improvement
To demonstrate evidence you will have a series of documents and records:
- Incident tickets on your associated help desk systems
- Change tickets that support any changes that have been made
- The complete incident and corrective action log that is used to manage nonconformities
- Meeting minutes from the Management Review Team meetings where all of the above have been shared and minuted
ISO 27001 Nonconformity and Corrective Action Templates
ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster, these individual templates help meet the specific requirements of ISO 27001 clause 10.2.
ISO 27001 Nonconformity and Corrective Action FAQ
The ISO 27001 standard requires that the organisation shall manage when things go wrong, manage the consequences of things going wrong, identify why it went wrong and put in place measures to stop it from happening again.
You evidence compliance to the ISO 27001 Clause 10.2 Nonconformity and Corrective Action by being able to demonstrate that you identify when things go wrong, put things right, identify why it went wrong and put in place measures so it does not happen again.
You can download ISO 27001 Clause 10.2 Nonconformity and Corrective Action templates here: https://hightable.io/product/iso-27001-templates-toolkit/
An example of ISO 27001 Clause 10.2 Nonconformity and Corrective Action can be found here: https://hightable.io/product/iso-27001-templates-toolkit/
Yes. Senior management and leadership are informed of nonconformities. This is usually via the management review team meeting.
Yes. Nonconformities require a root cause analysis to identify why they happened and to help identify what can be done to prevent them from happening again.
You can classify nonconformities to help you prioritise the order in which to tackle them and the recommended actions you should take. This would be aligned with the risk management process.
Technically yes, but by doing nothing you are accepting risk, and therefore you would follow your risk management process with sign-off and acceptance by the management review team.
Nonconformities are reported via the incident management process.
Yes, you can pass the ISO 27001 certification if you have nonconformities, as long as they are being effectively managed and reported.