Clause 10 Improvement: Understanding the ISO 27001 Part 7
solutions-inc.co.uk


Clause 10 of ISO 27001, Improvement, is divided into two sections:

  • 10.1 Continual Improvement
  • 10.2 Non-conformity and Corrective Action

10.1 Continual Improvement

Clause 10.1 states that:

“The organization shall continually improve the suitability, adequacy, and effectiveness of the information management system.”

This clause expects the organization to be reactive or proactive about improving the ISMS. The ISMS continual improvement policy is the statement of the organization's commitment to improving its ISMS on an ongoing, day-to-day basis.

The policy should include the following:

  • The process for identifying opportunities for improvement.
  • The process of implementing improvements.
  • The process for monitoring and measuring the effectiveness of improvements.
  • The roles and responsibilities of personnel involved in continual improvement.

Treating the clause as “Reactive”

In treating clause 10.1 as reactive, you treat it as an umbrella requirement that covers all the other clauses. Whenever any other clause identifies something that needs changing, the “change” or “fix” you make is viewed as “improving” the ISMS to get it to where you want it to be.

Treating the clause as “Proactive”

This means you actively review the ISMS to look for improvements, rather than waiting for another clause, an audit, or an incident to force a change.

Where can continual improvements come from?

  1. Performance assessment activities
  2. Internal audit activities
  3. External audits
  4. Management review
  5. Information Security Steering Committee meetings
  6. Risk assessment reviews
  7. Non-conformities and incidents

Why is continual improvement important in ISMS?

Continual improvement helps organizations to:

  1. Reduce their information security risks
  2. Protect their assets
  3. Comply with ISO 27001
  4. Maintain their ISO certification

Implementing Continual Improvement in ISMS

  1. Establish a culture of continual improvement
  2. Set goals and objectives
  3. Identify opportunities for improvement
  4. Implement improvements
  5. Monitor and measure progress

Continual improvement should be documented in the ISMS improvement log, and the log can also be presented and discussed in the management review meeting. The end goal of continual improvement is a more suitable, adequate, and effective ISMS.

10.2 Non-conformity and Corrective Action

Clause 10.2 of ISO 27001 expects organizations to identify, investigate, and resolve nonconformities. A nonconformity is a departure from the requirements of the ISMS. In simple terms, a nonconformity is something that does not meet a requirement.

Ways to find out about nonconformities

  1. Incident reports.
  2. Internal audits, whether part of the ISMS internal audit programme or carried out by a separate internal audit function.
  3. External audits.
  4. Certification audits.
  5. Management reviews.
  6. Customer feedback.
  7. Information Security Steering Committee meetings.

A nonconformity can be either minor or major. A minor nonconformity does not have a significant impact on the effectiveness of the ISMS; it is typically an isolated or one-off event that can be dealt with easily and quickly and does not require immediate corrective action.

A major nonconformity has a significant impact on the ISMS. It is a systemic problem that can lead to serious information security risks and requires immediate corrective action to mitigate them. The severity of a nonconformity depends on the organization's specific environment: a minor nonconformity in one organization can be a major nonconformity in another.

Figure: Differences between minor nonconformity and major nonconformity (via DataGuard)
What are the corrective actions in ISO 27001?

Corrective actions are actions taken to address the root cause of a nonconformity. They are the actions the organization takes to eliminate that root cause and prevent the nonconformity from recurring. They may involve new controls, changes to policies and procedures, and training of employees. These actions are usually documented in a Corrective Action and Preventive Action log, known as a CAPA log. The nonconformity and corrective action process involves the following:

  • Identify the nonconformity.
  • Investigate the nonconformity.
  • Determine corrective action.
  • Implement corrective action.
  • Verify the effectiveness of the corrective action.

What will the external auditor check while validating clause 10.2?

Areas the auditor will check include:

  • Whether the organization has a process for identifying, investigating, and resolving nonconformities.
  • Whether the process is documented and communicated to employees.
  • Whether responsibility is assigned for each step of the process.
  • Whether the organization is monitoring the effectiveness of the process.
  • Whether the organization is taking corrective actions to eliminate the root causes.

By identifying and resolving nonconformities, the organization improves the effectiveness of its ISMS and reduces the risk of information security incidents.

More articles by Adewale Adeife, CISM