Required activity
ISO 27001 Clause 10.1, Nonconformity and corrective action, sits within Clause 10 (sections 10.1 and 10.2), which covers the “Act” part of W. Edwards Deming’s Plan-Do-Check-Act (PDCA) cycle. This clause helps an organisation react to nonconformities, evaluate them and take corrective actions, with the end goal of continually improving how it runs its daily activities.
Explanation
A nonconformity is the non-fulfilment of a requirement of the ISMS. Nonconformities cannot always be avoided, because mistakes do happen in an organisation; what matters is that the issue is identified and handled accordingly when it presents itself. Requirements are needs or expectations that are stated, implied or obligatory. There are several types of nonconformity, such as:
- Failure to fulfil a requirement (completely or partially) of ISO/IEC 27001 within the ISMS;
- Failure to properly implement or conform to a requirement, rule or control stated by the ISMS;
- Partial or total failure to satisfy legal, contractual or agreed customer requirements.
Typical examples of nonconformities are:
- Persons not behaving in accordance with procedures and policies;
- Suppliers not providing agreed products or services;
- Projects not delivering expected outcomes; and
- Controls not operating as designed.
Nonconformities are often recognised by:
- Deficiencies of activities performed within the scope of the management system;
- Ineffective controls that aren’t remediated appropriately;
- Analysis of information security incidents, showing the non-fulfilment of a requirement of the ISMS;
- Complaints from customers;
- Alerts from users or suppliers;
- Monitoring and measurement results not meeting acceptance criteria; and
- Objectives not achieved.
How should organisations deal with non-conformity?
The three basic steps when it comes to controlling nonconformity are identifying the problem or violation, recording it and taking appropriate action to put an end to it.
In general, the following steps should be adopted:
- Identifying the extent and impact of the nonconformity.
- Choosing the corrections so as to limit the impact of the nonconformity. Corrections can include switching to previous, failsafe or other appropriate states. Care should be taken that corrections don’t make things worse.
To identify effective corrective action, it is strongly advised to complete a root cause analysis of the issue that occurred. If you don’t get to the bottom of why or how it happened, then it is likely that whatever fix you implement will not be fully effective.
- Communicating with relevant personnel to make sure that corrections are carried out.
- Completing corrections as decided;
- Monitoring things to make sure that corrections have had the intended effect and haven’t produced unintended side-effects;
- Acting further to correct the nonconformity if it’s still not remediated; and
- Communicating with other relevant interested parties, as appropriate.
However, corrections alone will not necessarily prevent recurrence of the nonconformity. Corrective actions can occur after, or in parallel with, corrections. The following process steps should be taken:
- The organisation needs to decide whether there is a requirement to carry out a corrective action, in accordance with established criteria (e.g. impact of the nonconformity, repetitiveness);
- Review of the nonconformity, considering:
– Whether similar nonconformities are recorded;
– All the results and side-effects caused by the nonconformity;
– The corrections taken.
- Perform an in-depth root cause analysis of the nonconformity.
- Identify patterns and criteria that will help to spot similar situations in the future.
- Perform an analysis of potential consequences on the ISMS, considering:
– whether similar nonconformities exist in other areas, e.g. by using the patterns and criteria found during the cause analysis;
– whether other areas match the identified patterns or criteria, so that it is only a matter of time before a similar nonconformity occurs.
- Determine the actions needed to correct the cause, evaluating whether they are proportionate to the results and impact of the nonconformity, and checking for any potential side-effects which could cause other nonconformities or significant new information security risks.
- Plan the corrective actions, giving priority, where possible, to areas where there is a higher likelihood of recurrence and more significant consequences of the nonconformity.
- Implement the corrective actions in accordance with the plan.
- Finally, assess the corrective actions to determine whether they have actually addressed the cause of the nonconformity, and whether they have prevented it from recurring. This assessment should be impartial, evidence-based and documented. It should also be communicated to the appropriate roles and stakeholders.
As a result of corrections and corrective actions, it is possible that new opportunities for improvement are identified. These should be treated accordingly. Sufficient documented information is required to be retained to demonstrate that the organization has acted appropriately to deal with the nonconformity and has addressed the related consequences.
All significant steps of nonconformity management (starting from discovery and corrections) and, if started, corrective action management (cause analysis, review, decision about the implementation of actions, review and change of decisions made for the ISMS itself) should be documented. The documented information is also required to include evidence on whether or not the actions taken have achieved the intended effects.
Some organisations maintain registers for tracking nonconformities and corrective actions. There may be more than one register (for example, one for each functional area or process), and they may be kept on different media (paper, file, application, etc.). If this is the case, then they should be established and controlled as documented information, and they should allow a comprehensive review of all nonconformities and corrective actions so that the need for further action can be properly evaluated.
Thus, stakeholders need to realise that the occurrence of a nonconformity within an organisation is not the end of the world, but it will have more dire consequences if the nonconformity is not properly identified, addressed, corrected, and prevented in the future.
Questions related to this topic
1. What are the actions to be taken by an organization when a nonconformity occurs?
2. What is the immediate action taken against a non conformity?
3. How do you answer a non conformance report?
4. What is Annex A ISO 27001?
5. Explain ISO 27001 Clause 10.1 Non conformity and corrective action?
6. Explain what are the controls using ISO 27001 Clause 10.1 Non conformity and corrective action?