ISO 27001 Clause 10.2: Nonconformity and Corrective Action


ISO 27001 is an international standard that outlines the requirements for an information security management system (ISMS). An ISMS is a framework for managing information security risks and protecting information assets.

Clause 10.2 of ISO 27001 requires organisations to react to nonconformities, determine their causes, take corrective action so that they do not recur or occur elsewhere, and keep records of both the nonconformity and the action taken. A nonconformity is the non-fulfilment of a requirement: a requirement of the standard itself, of the organisation's own ISMS policies and procedures, or of a legal or contractual obligation the ISMS has committed to meet. Note that the 2013 edition placed this content in clause 10.1 and continual improvement in 10.2; the 2022 edition swapped them, so check which edition your certification body audits against when mapping your documentation.

This article will discuss the requirements of ISO 27001 clause 10.2 and provide guidance on how to implement a nonconformity and corrective action process in order to achieve or maintain an ISO 27001 certification.

What is a nonconformity in ISO 27001?

Nonconformities can be identified through a variety of means, such as internal audits, management reviews, external audits, security incidents, monitoring results, and complaints from customers or staff. An incident is not automatically a nonconformity: it becomes one when it shows that a control or process required by the ISMS was absent, not followed, or ineffective. Once a nonconformity has been identified, the organisation should investigate it to determine the root cause and any potential impact on information security.

 

What is the difference between minor nonconformities and major nonconformities?

ISO 27001 itself does not grade nonconformities. The minor/major distinction comes from the certification bodies, which follow ISO/IEC 17021-1: a major nonconformity is one that affects the capability of the management system to achieve its intended results, and a minor nonconformity is one that does not. In practice the difference lies in the severity of the impact on the organisation's ISMS and in whether the finding is isolated or systemic.

Minor nonconformities are those that do not have a significant impact on the effectiveness of the ISMS. They are typically isolated incidents or one-off lapses in an otherwise functioning control. They still require corrective action, but the certification body will normally accept a corrective action plan and verify closure at the next surveillance audit rather than withholding the certificate.

Major nonconformities, on the other hand, are those that have a significant impact on the effectiveness of the ISMS. They are usually systemic problems, such as a required control that is absent, a process that is consistently not followed, or a cluster of related minor findings, and they expose the organisation to serious information security risks. Major nonconformities require prompt corrective action, and the certification body will normally require evidence that the action has been implemented (and often verified) before issuing or maintaining the certificate.

The following table summarises the key differences between minor and major nonconformities:

Characteristic            | Minor nonconformity                                        | Major nonconformity
--------------------------|------------------------------------------------------------|------------------------------------------------------------
Severity of impact        | Does not significantly affect the effectiveness of the ISMS | Significantly affects the effectiveness of the ISMS
Scope                     | Isolated incident or one-off lapse                         | Systemic problem, absent control, or repeated minor findings
Time to resolution        | Corrective action plan accepted; closure verified later    | Prompt corrective action, with evidence of implementation required
Impact on certification   | Certificate normally still issued or maintained            | Certificate normally withheld or suspended until the finding is closed

It is important to note that the classification of a nonconformity depends on the specific circumstances of the organisation and on what the finding reveals about the ISMS. The same observation can be a minor nonconformity for one organisation and a major nonconformity for another, and a single lapse becomes major once the auditor finds it is not a one-off but evidence that the underlying process does not work.

Here are some examples of minor and major nonconformities:

  • Minor nonconformity: A security policy has passed its review date and has not been updated.

  • Major nonconformity: A firewall is misconfigured, allowing unauthorised access to the organisation's network, and the change and review process did not catch it.

  • Minor nonconformity: One user account was not disabled when an employee left the organisation, although the leaver process exists and is otherwise followed. If there is no working leaver process at all, the same observation is a major nonconformity.

  • Major nonconformity: A data breach occurs because a control the risk treatment plan required was never implemented.

  • Minor nonconformity: A scheduled security awareness training session is conducted late.

  • Major nonconformity: Employees routinely do not follow security procedures, such as using strong passwords and reporting phishing emails, and no one is monitoring or enforcing compliance.

Organisations should have a process in place for identifying, reporting, and resolving both minor and major nonconformities. This process should be documented, communicated to all employees, and applied consistently regardless of whether the finding came from an internal audit, an incident, or an external auditor.

By promptly addressing nonconformities, organisations improve the overall effectiveness of their ISMS and protect their information assets.

What are corrective actions in ISO 27001?

ISO 27001 distinguishes between correction and corrective action. A correction fixes the immediate problem (re-enabling a missed control, closing the firewall rule, disabling the leaver's account) and deals with its consequences. A corrective action eliminates the cause so that the nonconformity does not recur or occur elsewhere. Once the root cause has been determined, the organisation should take corrective action, which may involve changing policies and procedures, training employees, reassigning responsibilities, or implementing new security controls. The standard also requires the organisation to check whether similar nonconformities exist or could occur elsewhere, and to keep documented information on the nature of each nonconformity, the actions taken, and the results of the corrective action.

 

Nonconformity and corrective action process

The following is a general overview of the nonconformity and corrective action process, following the sequence in clause 10.2:

  1. Identify and record the nonconformity: This can be done through a variety of means, such as internal audits, management reviews, security incidents, monitoring, and customer feedback. Record what requirement was not met and the evidence.

  2. Correct and contain it: Take immediate action to control and correct the nonconformity and deal with its consequences, for example by fixing the misconfiguration or revoking the access.

  3. Investigate the nonconformity: Determine the root cause, assess the impact on information security, and check whether the same or similar nonconformities exist or could occur elsewhere in the ISMS.

  4. Determine corrective action: Identify the steps that need to be taken to eliminate the root cause and prevent recurrence, assign an owner, and set a target date.

  5. Implement corrective action: Take the steps that were identified in step 4, and update policies, procedures, risk assessments, or controls as needed.

  6. Verify the effectiveness of the corrective action: Once the corrective action has been implemented, confirm with evidence (monitoring data, test results, a follow-up audit) that the root cause has been eliminated and the nonconformity has not recurred. If it has, reopen the investigation rather than closing the record.

  7. Retain the records: Keep documented information on the nature of the nonconformity, the actions taken, and the results of the corrective action, as the standard requires and as auditors will request.


What will auditors check while validating Clause 10.2 that is nonconformity and corrective action?

To prepare for the external audit, it is helpful to understand common areas, topics, and questions an auditor may ask or check. The following list gives an overview of potential areas auditors may check while validating clause 10.2 of ISO 27001:

  • Whether the organisation has a process for identifying, investigating, and resolving nonconformities.

  • Whether the process is documented and communicated to employees.

  • Whether the organisation has assigned responsibility for each step of the process.

  • Whether the organisation is monitoring the effectiveness of the process.

  • Whether the organisation is taking appropriate corrective action to eliminate the root causes of nonconformities and prevent them from happening again.

Specifically, the auditor will check the following:

  • Nonconformity identification: Does the organisation have a process for identifying nonconformities? This process may include internal audits, management reviews, employee feedback, and customer feedback.

  • Nonconformity investigation: Does the organisation have a process for investigating nonconformities? This process should identify the root cause of the nonconformity and any potential impact on information security.

  • Corrective action: Does the organisation have a process for determining and implementing corrective action? Corrective action should be taken to eliminate the root cause of the nonconformity and prevent it from happening again.

  • Verification of corrective action: Does the organisation verify the effectiveness of corrective action? This may involve monitoring the process, testing the controls, or conducting follow-up audits.

The auditor will also review the organisation's records of nonconformities and corrective actions. Clause 10.2 requires documented information on the nature of each nonconformity, the actions taken, and the results of the corrective action, so expect the auditor to sample the register and trace individual findings from identification through root cause analysis to verified closure.

Here are some additional questions that the auditor may ask:

  • How does the organisation identify nonconformities?

  • How does the organisation investigate nonconformities?

  • How does the organisation determine corrective action?

  • How does the organisation implement corrective action?

  • How does the organisation verify the effectiveness of corrective action?

  • What are some examples of nonconformities that the organisation has identified and resolved?

  • What are some examples of corrective actions that the organisation has implemented?

By asking these questions and reviewing the organisation's records, the auditor can assess the effectiveness of the organisation's nonconformity and corrective action process. Preparing for these questions will therefore make the audit run more smoothly and increase the chances of passing the external ISO 27001 audit.


Conclusion

The nonconformity and corrective action process is an essential part of an ISMS. By identifying and resolving nonconformities, organisations can improve the effectiveness of their ISMS and reduce the risk of information security incidents.

Additional Tips for Implementing a Nonconformity and Corrective Action Process

  • Make sure that the process is well-defined and documented. This will help to ensure that all nonconformities are handled in a consistent manner.

  • Assign responsibility for each step of the process. This will help to ensure that nonconformities are resolved promptly and effectively.

  • Communicate the process to all employees. This will help to ensure that everyone is aware of their role in the process.

  • Monitor the effectiveness of the process. This will help to identify any areas for improvement.

By following these tips, organisations can implement a nonconformity and corrective action process that will help them to improve the security of their information assets.
