ISO 27001 Clause 10.2 is about fixing problems with your information security management system (ISMS). When something isn’t working as it should, this is called a nonconformity. This clause tells you how to deal with such problems and how to make sure they don’t happen again.
What to Do
When you find a problem, you must:
- React quickly: Take action to contain and fix the immediate issue, and deal with any consequences it has already caused.
- Find the cause: Figure out why the problem happened. Look for the root cause, not just the symptom, and check whether the same cause exists elsewhere.
- Fix it for good: Take steps to address the root cause. This is what stops the problem from coming back.
- Make changes: If needed, update your ISMS documents, risk assessment, or controls to reflect what you’ve learned.
- Keep records: Write down what the problem was, what you did about it, and whether your fix worked. Auditors will ask for this evidence.
Frequently Asked Questions
A nonconformity is when something doesn’t meet the requirements of your ISMS. This could be a missed step in a process, a security policy that isn’t being followed, or something else.
An auditor will want to see that you have a documented process for finding and fixing problems. They will look at your records to see whether you are really doing what your process says. They will check whether your fixes were effective and whether you documented everything.
A minor nonconformity is a small issue that does not significantly affect your ISMS, for example a document that is slightly out of date. A major nonconformity is a more serious problem, such as a security weakness that leads to a data breach.
Nonconformities can be found in a number of ways. Most often they are found during internal audits, but they can also come from reviewing security logs, from incident reports, or even from employee feedback.