How to establish the ISO 27001 corrective actions process using an online tool

Corrective actions (CAs) are one of the most powerful tools at our disposal for improving an Information Security Management System (ISMS) according to ISO 27001. The better the tool, the greater its effect. But, in the real world, CAs are often neglected, and many companies avoid recording nonconformities simply because they don’t want to deal with corrective actions afterwards. The reason for this attitude is the conventional approach to the ISO 27001 corrective actions process, which often leads to CAs being documented merely as a formality to meet the requirements of the certification audit. So, what can be done to improve the CA process and finally make it effective?

What is holding us back?

One of the biggest obstacles to initiating and actually carrying out the ISO 27001 CA process is documentation. Nobody likes writing reports, and if there were a solution that let us avoid this, the probability that a CA would be recorded would increase. The second big issue is that people are reluctant to initiate a CA, because the occurrence of a nonconformity usually means that somebody made a mistake and might be fired or punished. But this is a misconception – effective CAs find the root cause not in people, but in processes, and their ultimate goal is to improve processes rather than to find somebody to blame.

Additional problems can emerge when you have an integrated management system that complies with two or more standards. Developing one effective system for CAs is easier said than done. The steps taken when implementing a CA will be the same, but how can we sort them, define their relationships with other parts of the system, and monitor the overall effectiveness of the CAs?

So, the second issue is really the failure to discover the source of the nonconformity, combined with a misunderstanding of the purpose of the corrective action. All this is fine, but how can we overcome these issues?


One solution to fit them all

The answer to these issues can be found in ISO 27001 online solutions that let us use interactive tools rather than simple pieces of paper. A proper online solution must enable the company to:

  • Easily record CAs – if employees can record a CA with little or no effort, the chances are greater that the corrective action will be initiated in the first place.
  • Assign responsibilities – this step ensures that something will actually be done, and a good online solution will facilitate not only the assignment itself, but also an overview of the CAs that haven’t been assigned yet.
  • Connect the CA with the related nonconformity – instead of just writing the nonconformity ID on the CA form, the online solution links the nonconformity to the CA and gives access to the nonconformity details with one click of the mouse.
  • Integrate the corrective action process to meet the requirements of several different standards – developing a single CA system for several standards is not an easy task, and it is even harder in bigger companies where different people are in charge of different standards and there is no real-time overview of the situation.
  • Monitor the status of each corrective action – having a clear picture of what is going on with each corrective action allows management to get involved and provide additional resources to help resolve the CA.

Can Conformio help?

The very purpose of the Conformio platform is to facilitate the maintenance and improvement of an Information Security Management System, and its Nonconformities and Corrective Actions Module is the “right man for the job.” By clicking on the module and then on the “See Corrective Actions” button, you will see the recent events, discussions, and documents related to corrective actions.

The Corrective Actions screen provides an overview of the active corrective actions, together with their statuses and assignees. All CAs are marked with colored dots, so their statuses are easy to notice. This screen also lets you initiate a corrective action. At the bottom left of the page, there is a button that returns you to the List of Nonconformities.

Figure 1. Corrective actions main page, the main sidebar, overview of the CAs, and initiation of new ones

Conformio allows you to easily fill in all the important information about the CA, including its status and the assigned person, and to record the cause of the nonconformity that this CA is meant to resolve (Figure 2).

Figure 2. Creating a new corrective action

Conformio enables you to connect the CA to a relevant nonconformity, to an information security incident, to a management review, or even to another CA (Figure 3).

Figure 3. Entering additional information about the corrective action

This feature creates a unified system for resolving all nonconformities in your company. If the related nonconformity is not yet entered in the system, you can create a new nonconformity by going to the Nonconformities and Corrective Actions Module and clicking on the “Add new” button. Likewise, while working on information security incidents in the Incident Register, you can create a new corrective action directly if one is needed, so you don’t have to juggle between two registers.

The better the tool, the better the results

ISO 27001 corrective actions are tools for improvement, and the effectiveness of the tool you use will determine the level of improvement your company can achieve. An ineffective corrective action system will keep your company running in circles, or simply stuck in one place. Applying tools like Conformio can help you make your CAs effective and make your company better.


Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.