ISO 27001 Clause 10.2 is about fixing problems with your information security management system (ISMS). When something isn’t working as it should, this is called a nonconformity. This rule tells you how to deal with these problems and make sure they don’t happen again.
What is ISO 27001 Clause 10.2 Nonconformity and Corrective Action?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Nonconformity and Corrective Action”.
What is the ISO 27001 Clause 10.2 control objective?
The formal definition and control objective in the standard is: “When a nonconformity occurs, the organisation shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
Documented information shall be available as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.”
What is the purpose of ISO 27001 Clause 10.2?
The purpose of ISO 27001 Clause 10.2 is “To identify when things are not operating as expected and to make sure that when things go wrong they are corrected.”
Is ISO 27001 Clause 10.2 Mandatory?
ISO 27001 Clause 10.2 (Nonconformity and Corrective Action in the 2022 standard) is a mandatory clause in the main body of the standard.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
When you find a problem, you must:
- React quickly: Take action to fix the immediate issue and deal with any negative results.
- Find the cause: Figure out why the problem happened. Look for the root cause, not just the symptom.
- Fix it for good: Take steps to solve the root cause. This will stop the problem from coming back.
- Make changes: If needed, update your ISMS plans to reflect what you’ve learned.
- Keep records: Write down what the problem was, what you did, and if your fix worked. This is important for audits.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will:
- Check that you have a plan for finding and fixing problems.
- Look at your records to see if you are really doing what your plan says.
- Check whether your fixes were successful and whether you documented everything.
ISO 27001 Clause 10.2 Frequently Asked Questions
What is a nonconformity?
A nonconformity is when something doesn’t meet the rules of your ISMS. This could be a missed step in a process, a security policy that isn’t being followed, or something else.
What is the difference between a minor and a major nonconformity?
A minor nonconformity is a small issue that does not greatly affect your security system, for example a document that is slightly out of date. A major nonconformity is a more serious problem, such as a security weakness that leads to a data breach.
How are nonconformities found?
They can be found in a number of ways. Most often, they are found during internal audits, but they can also come from reviewing security logs, from incident reports, or even from employee feedback.