The Definitive Governance Requirement.
Clause 10 mandates that your ISMS is not a static monument; it is a living organism. It requires you to react to failures (Nonconformity) and proactively drive evolution (Continual Improvement). If your security posture looks exactly the same today as it did twelve months ago, you are not compliant—you are stagnant.
The Mandate
The standard acknowledges a simple truth: You will fail. Systems break. People make mistakes. Threats evolve.
Clause 10 splits the requirements into two distinct disciplines:
- Clause 10.1 (Continual Improvement): The proactive requirement to enhance the “suitability, adequacy, and effectiveness” of the ISMS. You must find ways to make the system leaner, faster, and stronger even when nothing is “broken.”
- Clause 10.2 (Nonconformity and Corrective Action): The reactive requirement. When a defect occurs, you must do more than patch it. You must identify the Root Cause and implement a systemic fix to prevent recurrence.
The Verdict: “Zero Non-Conformities” is not a badge of honour; it is a statistical impossibility. An empty Non-Conformance Log tells the auditor you aren’t looking hard enough.
The Implementation Strategy
You must build a culture where reporting a failure is safe, but repeating a failure is unacceptable.
- The Forensic Mindset (10.2): When an incident occurs, do not settle for “Human Error.” That is a symptom, not a cause. Use the 5 Whys or Fishbone methodology to dig deeper. For example:
  - Symptom: Data leak.
  - Why? A USB drive was lost.
  - Why? USB ports were open on the endpoint.
  - Why? The removable-media policy was not enforced technically via Group Policy Object (GPO). This is the Root Cause.
- The Improvement Pipeline (10.1): Don’t wait for disaster. Source improvements from your metrics (Clause 9.1). If your patching time is 48 hours, set a goal to make it 24 hours. That is continual improvement.
- The Feedback Loop: Every Corrective Action must be verified. You cannot close the ticket until you have proof that the fix actually worked.
The Auditor’s Trap
[The Auditor’s View] The most common Major Non-Conformance here is “The Band-Aid Culture.” I see organizations that have suffered the same phishing breach three times in a row. They keep “retraining the user” (Correction) but fail to implement MFA or email filtering (Corrective Action). If the same issue keeps happening, you have failed Clause 10.2.
Required Evidence
An auditor looks for evidence of learning and evolution.
- Non-Conformance Log: A register of things that went wrong.
- Corrective Action Reports (CARs): Detailed forms showing the Root Cause Analysis and the systemic fix.
- Continual Improvement Log: A register of proactive enhancements (distinct from the CARs).
- Management Review Minutes: Evidence that improvements are reported to and funded by the Board.
Strategic Acceleration
Managing improvements via email threads is professional negligence. You need a centralized ledger of truth.
The Improvement Framework separates your “Fixes” from your “Wins.” It provides the templates for Root Cause Analysis and the registers for tracking evolution, ensuring you can prove to the auditor that you are moving forward.
The Next Move: Deploy the Improvement Framework
