ISO 27001 Information Security Management Standard - Clauses 10.1, 10.2

Written by Craig Thornton | 13/09/18 22:41

Part 23 - Clauses 10.1 and 10.2 Nonconformity, corrective action and continual improvement

Clause 10 of ISO 27001 is the “Act” part of Deming’s Plan-Do-Check-Act cycle. Once you have “checked” the performance of your system (as per Clause 9) you then use Clause 10 to act on the findings.

Meeting this clause will provide real value for your business. When you record non-conformances, implement some great corrective actions and continuously improve how you do things, you are significantly upping your game. Clause 10 is a potential game changer for your business.

10.1 Nonconformity and corrective action

Let’s start with 10.1 Nonconformity and corrective action.

The ISO 27003 guidance document describes the types of non-conformance that you should be recording in your ISMS. There are a shed-load of them:

Failure to fulfil or correctly implement or conform to a requirement, rule or control stated by your ISMS.
Partial or total failure to comply with legal, contractual or agreed customer requirements.
Persons not behaving as expected by procedures and policies.
Suppliers not providing agreed products or services.
Projects not delivering expected outcomes.
Controls not operating according to design.
Deficiencies of activities performed in the scope of the management system.
Ineffective controls that are not re-mediated appropriately.
Analysis of information security incidents, showing the non-fulfilment of a requirement of the ISMS.
Complaints from customers.
Alerts from users or suppliers.
Monitoring and measurement results not meeting acceptance criteria.
Objectives not achieved.

Now that is a lot. And at the start it can seem overwhelming. But once you knock the non-conformances off with great corrective actions, it gets easier and easier.

The secret? Record everything!

For example, here at Mango we record every information security incident reported by the New Zealand Government’s cyber security department CERTNZ. These are things like:

malware alerts
scams
email vulnerabilities
device misuse
denial-of-service alerts and more.

You should engage with your own country’s cyber security agency and start recording all of the threats to your business.

Next up, you need to put some corrective action in place to correct or protect yourself from these threats or non-conformances.

The guidance standard has some handy steps to address nonconformities. There is always some immediate short-term correction you can take to handle the situation, and these are:

Identify the extent and impact of the nonconformity.
Decide on the corrections in order to limit the impact of the nonconformity. This can include switching to previous, failsafe or other appropriate states. Care should be taken that corrections do not make the situation worse.
Communicate with your staff to ensure that corrections are carried out.
Implement the corrections.
Monitor the situation to ensure that corrections have had the intended effect and have not produced unintended side-effects.
Act further to correct the nonconformity if it is still not remediated.
Communicating with other relevant interested parties.

Now that you have the non-conformance in hand, you can put in some long-term corrective action. Once again ISO 27003 provides valuable advice about corrective actions:

Decide if there is a need to carry out a corrective action.
Review of the nonconformity to see if similar nonconformities have been recorded.
Conduct a root cause analysis of the nonconformity. I have done a great webinar on this - watch it here.
Analyse of potential consequences on the ISMS.
Determine the actions needed to correct the root cause.
Implement the corrective actions, giving priority, if possible, to areas where there are higher likelihood of recurrence and more significant consequences of the nonconformity.
Assess the corrective actions to determine whether they have actually handled the cause of the nonconformity, and whether it has prevented related nonconformities from occurring.

The standard requires you to keep document information (or records) as evidence that the non-conformities and subsequent actions have been taken, as well as the results of any corrective action that are also taken.

For example, here at Mango we use the Improvement module that has a workflow that records the implementation of corrective action using the stages described above. It makes meeting this clause oh so easy.

10.2 Nonconformity and corrective action

Finally clause 10.2 has a requirement to continuously improve the ISMS.

Here at Mango we are continually talking about the ISMS. It is a topic of discussion in all our processes and all our meetings. It has become second nature.

We are constantly looking at making improvements. It’s a mindset. It’s not just a requirement of our ISMS. It’s what we do around here.

In addition, we have a great forum that we use to get the message to all staff. Our monthly all-staff Management Review meetings discuss all of the ISMS improvements that are happening. This is great for showing leadership, communication, participation and culture. You should try and do the same.