Practical use of corrective actions for ISO 27001 and ISO 22301
Is your company one of those that has no idea what the purpose of corrective actions is? Do you prepare your corrective actions only a couple of days prior to your certification audit? And do you think corrective actions are one of those requirements of ISO 27001/ISO 22301 with no real practical use?
You are wrong. Here’s why.
The purpose of corrective actions
Basically, any company that is trying to survive in the current market is making improvements on a daily basis – developing new products, resolving the problems with existing products/services, decreasing costs, etc. – otherwise, they wouldn’t be in business anymore.
And all those things are, in fact, corrective actions, although these companies probably didn’t think of them in such a way. ISO 27001, ISO 22301 and other ISO standards require nothing more than performing those corrective actions in a systematic way – so that it is known exactly where problems (nonconformities, in ISO terminology) are to be reported, who needs to review them and make a decision on how to resolve them, who is responsible for eliminating them, etc. And the best thing of all – in such a transparent system everyone can see what the problems are (nothing can be hidden), when and how those problems are to be resolved, and who is responsible for them.
Who can initiate corrective actions?
Anyone in the company can raise a corrective action, and the same goes for your partners and suppliers who have a role in your ISMS or BCMS. A corrective action may be raised because of an internal audit report or because of the results of testing and exercising, but also because someone thought of a better way to write the policies and procedures, or, e.g., decrease the costs of your alternative location. Corrective actions can also demand larger changes as well; e.g., top management might conclude that BCMS did not reach its objectives, and wants the whole Business continuity strategy redefined.
You should have the following documents regarding your corrective actions:
- Corrective action procedure – this procedure defines the basic rules for resolving corrective actions – how to raise one, where are they documented, who has to make which decisions, how to control their execution, etc.
- Corrective actions – these are the records of actual nonconformities, decisions and activities made to resolve them.
Options for corrective actions
Here are a couple of options you have to decide regarding your corrective actions:
- Where to document them. Numerous times, I’ve seen companies use specially designed paper forms for corrective actions (especially those that implemented ISO 9001) – they are usually called CARs. The result? No one uses them because it is totally impractical, and besides, no one knows where to find them. A much better solution is to use some kind of help desk (or even task management) tool, which probably already exists in your company and your employees are using on a daily basis – you just need to add another category for corrective actions, and basically, such solution will be both practical and compliant with ISO 27001/ISO 22301.
- Merge corrective actions with other management systems. This is definitely recommended – you don’t need three separate databases (or forms) for, e.g., ISO 27001, ISO 22301 and ISO 9001. Use the same procedure, the same system, the same database – of course, the nature of nonconformities and subsequent corrective actions will be different, but that doesn’t prevent you from uniforming the system.
- Write a procedure, or not. It is not mandatory to write the Corrective action procedure according to ISO 27001 and ISO 22301; however, it is recommended. Normally, the employees are not familiar with something they don’t do every day, so it might make sense to write those rules down – unless, of course, it is a process that works flawlessly in your company, so you won’t need such a document.
Each time a corrective action is raised, someone will have to make a decision whether to take corrective action or not (because sometimes it doesn’t make sense to do anything) – this decision can be left to the head of the department where the nonconformity is noticed. If the corrective action is to be carried out, then the same head of department can decide who will be responsible for the corrective action, and what the deadline is for its execution.
So, my key point is this – you already make corrective actions regularly in your company, and you probably do have the technology needed to record them in a way that is compliant with ISO standards. So, why not using such a system in your day-to-day operations if it can help your effort to create a better company?
To handle and track corrective actions with ease, use Conformio compliance software.