When it comes to being compliant with ISO 27001, even at the best of times it can be a problem to track the actions needed to address nonconformities, and the subsequent corrective actions. This can be especially difficult when the people involved are not located at the same facility. One way to address this need is to use an online ISO 27001 nonconformities tool to track these actions and ensure that they are completed in a timely manner. This case study, the handling of an information security nonconformance identified in data protection, will show how you can ensure adequate completion of the tasks for a nonconformity and corrective action using a compliance tool called Conformio.

Steps to take when correcting a nonconformity and taking corrective action

When a company finds that there is a problem with information security, and the situation was not foreseen in the risk assessment and treatment process, there is a need for investigation. First, the nonconformity needs to be addressed and information security restored to an acceptable level; this is recorded on a nonconformity report. The company also needs to investigate why this happened and take action to prevent it from recurring; this is recorded on a corrective action request.

You can follow and complete these activities with an online ISO 27001 compliance tool that includes nonconformity control and a corrective action process. Take, for example, a nonconformity due to an incident where there was loss of data due to a fire. The five steps for correcting the problem and taking corrective action are outlined below, and the screen captures explain how this is done through Conformio:

  1. The first thing to note about this online tool is the access to the ISO 27001 nonconformities and corrective actions, which are on the first page when a user signs in. To start the nonconformity process, click “Add New” and enter the title, description of the problem, and other relevant information, so the correction of the problem can take place, and hit Save.

Figure 1. Adding a nonconformity

  1. Once the nonconformity is created, you can later edit it by clicking on the title in the list to access it, and then pressing the “Edit Details” button. In order to track the correction of the nonconformity (access to documents), assign the nonconformity to an individual who will be responsible for resolving it. They will be assigned tasks and receive notifications through the online tool. You should also define people who must be notified about nonconformity treatment.

Figure 2. Editing a nonconformity

  1. If further root cause investigation is required, the tool allows you to create a linked corrective action request from within the ISO 27001 nonconformity tool. For the nonconformity to be closed once correction is completed, it is necessary that all investigation tasks and corrective actions are completed.

Figure 3. Tasks for resolving a nonconformity

Figure 4. Corrective actions in a nonconformity

  1. The creation of the corrective action is done by completing the information in the pop-up window and saving this to the corrective action module. For more details, check out this article: How to establish a corrective actions process using an online tool.

Figure 5. Add tasks for resolving a nonconformity

  1. As with the corrective actions identified and tracked through the nonconformity module, corrections (tasks) can be tracked for the investigation of the root cause and determination of the appropriate corrective action activities to take to ensure the nonconformity does not recur.

Figure 6. Nonconformity register with completed task and corrective action

Online ISO 27001 tool: Making it easier to handle nonconformities and corrective actions

With the easy link between the two processes of nonconformity control and corrective action, an online ISO 27001 compliance tool is a useful way to ensure that all actions are addressed, and nothing is lost. Task tracking through the tool ensures that people assigned to the actions know what needs to be done, including notification through email that tasks are assigned or coming due.

In the case study above, the actions to correct the loss of data due to fire are simply controlled through the nonconformity module. Because it was necessary to investigate why the data loss problem occurred, a corrective action was created to investigate the root cause and correct the underlying problem. In the future, when you are looking at these records, you can quickly confirm that all the necessary actions were taken to correct the product, and to ensure that similar problems would not occur in future designs.