ISO 27001 clause 10.2 Nonconformity and corrective action

The basics

ISO 27001 sub-clause 10.2 is titled “Nonconformity and corrective action”. When a nonconformity is identified, this sub-clause requires the organization to react to it: control and correct it, deal with its consequences, and evaluate whether action is needed to eliminate its root cause so that it does not recur. Any corrective action taken must then be reviewed for effectiveness, and the ISMS changed where necessary.

Documentation

ISO 27001 clause 10.2 Nonconformity and corrective action requires retaining the following documented information:

  • The nature of each nonconformity and the actions taken in response to it
  • Results of corrective actions, usually as Corrective Action Forms

The following documents are not mandatory; companies can decide whether to write them:

Implementation

To implement ISO 27001 clause 10.2 Nonconformity and corrective action, follow these steps:

  1. Identify Nonconformities: Establish a process to detect and record nonconformities within the ISMS. Typical sources are internal audits, management reviews, monitoring results, and incident reports.
  2. Evaluate Nonconformities: Assess each nonconformity to understand its impact, contain it, and determine its root cause. This is what makes the corrective action effective rather than cosmetic: fixing the symptom without the cause leaves the same nonconformity to reappear.
  3. Take Corrective Action: Develop and implement actions to address the root cause of the nonconformity, ensuring it does not recur. This may involve changes to processes, training, or controls.
  4. Review Effectiveness: After implementing corrective actions, evaluate their effectiveness to ensure the nonconformity has been resolved and similar issues are prevented in the future.
  5. Document Actions: Keep records of the nonconformities, the corrective actions taken, and the results of these actions. This documentation is crucial for audits and continual improvement.
  6. Communicate and Train: Ensure relevant personnel are aware of the nonconformities and the corrective actions. Provide training if necessary to prevent recurrence.

By following these steps, organizations can effectively manage nonconformities and improve their ISMS.

Audit evidence

During the ISO 27001 certification audit, the auditor will look for the following evidence regarding clause 10.2 Nonconformity and corrective action:

  • Whether nonconformities are recorded and whether their causes have been analyzed.
  • Whether corrective actions are recorded, whether they were actually carried out, and whether their effectiveness was reviewed.