ISO 27001 Clause 10.1 Nonconformity and corrective action
The task to be performed
ISO 27001 Clause 10, which comprises sections 10.1 and 10.2, covers the “Act” part of W. Edwards Deming’s Plan-Do-Check-Act (PDCA) cycle. The purpose of Clause 10.1 is to help an organization evaluate nonconformities and take corrective action, ultimately improving its daily operations.
A nonconformity is the non-fulfilment of a requirement of the ISMS, where requirements are needs or expectations that are stated, implied or obligatory. Nonconformity cannot always be avoided, because mistakes do happen in an organization; what matters is that the issue is identified and handled accordingly when it presents itself.
Nonconformities consist of a variety of types, including:
1. Failure to comply with ISO/IEC 27001 requirements (in whole or part);
2. Non-conformance to a requirement, rule or control outlined in the ISMS;
3. Inability to meet the legal, contractual, or business requirements of the customer.
Examples of nonconformities are:
1. People who are not following procedures and policies;
2. Suppliers failing to deliver products or services;
3. Projects that fail to deliver expected results;
4. Controls that do not operate as designed.
Signs of nonconformity include:
1. Inadequacies in the activities undertaken under the management system;
2. Ineffective controls that do not receive the necessary remediation;
3. A study of data security incidents that demonstrates non-compliance with ISMS requirements;
4. Customer complaints;
5. Alerts from suppliers or customers;
6. Monitoring or measurement results that fail to meet expectations; and
7. Objectives that were not achieved.
How should organizations handle non-conformity?
To control nonconformity, the three basic steps are to identify the problem, record it, and then take appropriate action to eliminate it.
The following steps should be taken in general:
1. Identify the extent and consequences of the nonconformity.
2. Choose corrective actions in a way that minimizes the impact of the nonconformity. Corrections can involve reverting to the previous state, moving to a failsafe state, or moving to another suitable state. When corrections are made, care should be taken not to make things worse.
To determine effective corrective action, it is highly recommended that a root cause analysis be performed. Without an understanding of how or why the nonconformity occurred, any fix you implement is unlikely to be effective.
3. Contact relevant personnel to ensure corrections are completed;
4. Carry out the corrections that were decided upon;
5. Check that the corrective action has had the desired effect and has not led to unexpected results;
6. Take further corrective action if the nonconformity has not been mitigated; and
7. Keep in touch with other relevant parties, as necessary.
Corrections alone will not prevent recurrences of nonconformity.
Corrections can occur before or after corrective actions. The following steps should be taken:
1. Determine whether corrective action is necessary, considering established criteria (e.g. the effect of the nonconformity, or its repetition);
2. Review the nonconformity, considering:
– Whether the same nonconformity has been observed before;
– Any consequences and side-effects caused by the nonconformance;
– The corrections made.
3. Conduct an in-depth root cause analysis to determine the cause of the nonconformance.
4. Identify patterns and criteria that will make it easier to pinpoint similar situations in the future.
5. Assess the potential consequences for the ISMS, taking into account:
– Identifying additional nonconformities by using the patterns and criteria noted in the cause analysis;
– Determining whether similar nonconformities exist in other areas, so that they can be identified within a short period.
6. Identify the possible causes of the nonconformity, determine whether the corrective actions are proportional to their impact, and make sure no side-effects are expected that could result in a broader nonconformity or an increased risk to information security.
7. Prepare a corrective action plan, giving priority to those areas where there are more significant consequences of the nonconformity and a higher likelihood of recurrence.
8. Carry out the corrective actions prescribed in the plan.
9. Assess whether the corrective actions dealt with the cause and prevented future nonconformities by evaluating the results of the corrective action. The assessment should be unbiased, based on evidence, and documented. Those with relevant roles and responsibilities should be informed of the outcome.
The process of correcting errors and taking corrective action can lead to new opportunities for improvement. The situation should be dealt with accordingly. It is necessary to retain sufficient documentation to demonstrate that the organization has dealt with the nonconformity appropriately and that the consequences have been addressed.
The steps in nonconformity management (from discovery to correction) as well as corrective action management (cause analysis, review, implementation decision, review and revision of ISMS) must be documented. It is also essential that the documentation provide evidence that the actions taken were effective.
In some organizations, nonconformities and corrective actions are tracked through registers. There is often more than one register (e.g., one for each functional area or process), held on different media (for example, paper, file, application, etc.). These registers should be maintained as documented information and controlled as such, so that they support a sound evaluation of whether corrective actions are required.
It is, therefore, crucial to realize that a nonconformity in itself is not the end of the world; the consequences of failing to identify, address, correct, and prevent such occurrences in the future will be much worse.