What is covered under ISO 27001 Clause 10.2?
Clause 10.2 sits within the Improvement requirement (Clause 10) of ISO 27001. It concerns the actions an organisation takes when an information security nonconformity occurs: the corrective action that follows is a key part of the ISMS improvement process and must be evidenced, along with the consequences of the nonconformity and how they were dealt with.
Clause 10.2 sets out the process that organisations are expected to follow as a core part of the standard. Smart organisations integrate that process with the broader continual improvement requirement of Clause 10.1 rather than running it in isolation.
A simple process approach includes:
- Identify the nonconformity
- React to it: take action to control and correct it, and deal with the consequences
- Evaluate whether there is a root cause that should be addressed so the nonconformity does not recur (e.g. from patterns, measurements and other issues that may tie in with other parts of the ISMS, and which could surface through Clause 9.3 management reviews or elsewhere in the operation)
- Review the effectiveness of any changes or interventions (i.e. monitor them)
- Make other changes to the ISMS as needed
Make sure that the work done along the way is documented. Some organisations will also have sign-off and approval steps to build into the process, especially where the corrective action involves investment in change, or where delivery failures and losses have occurred as a result of the nonconformity.
Remember, to obtain and maintain ISO 27001 certification, an auditor will expect to see evidence of improvement. It is not a failure to show that you are addressing nonconformities, taking corrective actions, etc., so do make sure they are visible where appropriate to demonstrate the philosophy of continual improvement that the standard requires.
Hiding things away and pretending there are no issues will be a red flag to an auditor, so we recommend the organisation is open and embraces improvements, although ideally few if any of them should arise from nonconformities.
How to demonstrate nonconformities and corrective actions are being addressed for ISO 27001
This is a popular area for spreadsheets: simply keeping a list of what has happened and what has been done, in line with the simple process above. Spreadsheets don't hold the supporting evidence, and they don't link well enough to the rest of the ISMS to show an auditor the full history of each case, so other tools will be needed alongside the static sheet. There are much better ways.