The basics
ISO 27001 sub-clause 10.1 is called “Continual improvement.” It is a short sub-clause that requires continually improving the ISMS so that security remains appropriate and the ISMS performs as expected.
Documentation
ISO 27001 clause 10.1 Continual improvement does not require writing any documents.
The following document is not mandatory, and companies can decide whether to write it:
- Procedure for continual improvement
Implementation
To implement Clause 10.1 Continual improvement of ISO 27001, an organization must establish, maintain, and continually improve its ISMS.
This involves identifying opportunities for improvement and necessary changes, integrating them into the ISMS, and evaluating the effectiveness of actions taken. The organization must establish these processes and maintain records to demonstrate compliance and continual improvement in information security performance.
Audit evidence
During the ISO 27001 certification audit, the auditor will ask for the following evidence regarding clause 10.1 Continual improvement:
- If nonconformities are recorded and if their cause is being analyzed.
- If corrective actions are recorded and if they are effectively executed.
- If regular reviews of the system are being performed.
- Any other activity that could improve (enhance) security, e.g., the purchase of new security software.