ISO 27001 Clause 10.2: Nonconformity and Corrective Action

Identify and address Nonconformities in your ISMS to improve information security, according to ISO 27001 clause 10.2.

ISO 27001 Framework

ISO 27001 is an international standard that outlines the requirements for an information security management system (ISMS). An ISMS is a framework for managing information security risks and protecting information assets.

Clause 10.2 of ISO 27001 requires organisations to identify, investigate, and resolve nonconformities. A nonconformity is a departure from the requirements of the ISMS.

This article will discuss the requirements of ISO 27001 clause 10.2 and provide guidance on how to implement a nonconformity and corrective action process in order to achieve or maintain an ISO 27001 certification.


What is a nonconformity in ISO 27001?

Nonconformities can be identified through a variety of means, such as internal audits, management reviews, and external audits. Once a nonconformity has been identified, the organisation should investigate it to determine the root cause and any potential impact on information security.


What is the difference between minor nonconformities and major nonconformities?

The difference between minor nonconformities and major nonconformities is the severity of the impact on the organisation's information security management system.

Minor nonconformities are those that do not have a significant impact on the effectiveness of the ISMS. They may be isolated incidents or one-off occurrences. Minor nonconformities can be dealt with relatively quickly and easily, and they do not necessarily require immediate corrective action.

Major nonconformities, on the other hand, are those that have a significant impact on the effectiveness of the ISMS. They may be systemic problems that could lead to serious information security risks. Major nonconformities require immediate corrective action to mitigate the risk and prevent further problems.

It is important to note that the severity of a nonconformity can vary depending on the specific circumstances of the organisation.

Organisations should have a process in place for identifying, reporting, and resolving both minor and major nonconformities. This process should be documented and communicated to all employees.

By promptly addressing nonconformities, organisations can help to improve the overall effectiveness of their ISMS and protect their information assets.


Here is a table that summarizes the key differences between minor and major nonconformities:

Characteristic

Minor nonconformity

Major nonconformity

Severity of impact

Does not have a significant impact on the effectiveness of the ISMS.

Has a significant impact on the effectiveness of the ISMS.

Likelihood of occurrence

Isolated incident or one-off occurrence.

Systemic problem that could lead to serious information security risks.

Time to resolution

Relatively quick and easy.

Immediate corrective action required.

Impact on certification

May not affect certification.

May affect certification.

It is important to note that the severity of a nonconformity can vary depending on the specific circumstances of the organisation. For example, a minor nonconformity for one organisation could be a major nonconformity for another organisation.

Here are some examples of minor and major nonconformities:

  • Minor nonconformity: A security policy is not up to date.
  • Major nonconformity: A firewall is misconfigured, allowing unauthorized access to the organisation's network.
  • Minor nonconformity: A user account is not properly disabled when an employee leaves the organisation.
  • Major nonconformity: A data breach occurs due to a lack of security controls.
  • Minor nonconformity: A security training session is not conducted on time.
  • Major nonconformity: Employees are not following security procedures, such as using strong passwords and avoiding phishing emails.

Organisations should have a process in place for identifying, reporting, and resolving both minor and major nonconformities. This process should be documented and communicated to all employees.

By promptly addressing nonconformities, organisations can help to improve the overall effectiveness of their ISMS and protect their information assets.

What are corrective actions in ISO 27001?

Once the root cause of a nonconformity has been determined, the organisation should take corrective action to eliminate the cause and prevent it from happening again. Corrective action may involve changing policies and procedures, training employees, or implementing new security controls.


Nonconformity and corrective action process

The following is a general overview of the nonconformity and corrective action process:

  1. Identify the nonconformity: This can be done through a variety of means, such as internal audits, management reviews, and customer feedback.
  2. Investigate the nonconformity: Determine the root cause of the nonconformity and any potential impact to information security.
  3. Determine corrective action: Identify the steps that need to be taken to eliminate the root cause of the nonconformity and prevent it from happening again.
  4. Implement corrective action: Take the steps that were identified in step 3.
  5. Verify the effectiveness of the corrective action: Once the corrective action has been implemented, verify that it has eliminated the root cause of the nonconformity and prevented it from happening again.
PILLAR_DE_ISO27001_Popup_image cta_COM

Get ISO 27001 certified in as little as 3 months.

Reduce manual work by up to 75%

What will auditors check while validating Clause 10.2 that is nonconformity and corrective action?

To prepare for the external audit, it is helpful to understand common areas, topics, and questions an auditor may ask or check. The following list gives an overview of potential areas auditors may check while validating clause 10.2 of ISO 27001:

  • Whether the organisation has a process for identifying, investigating, and resolving nonconformities.
  • Whether the process is documented and communicated to employees.
  • Whether the organisation has assigned responsibility for each step of the process.
  • Whether the organisation is monitoring the effectiveness of the process.
  • Whether the organisation is taking appropriate corrective action to eliminate the root causes of nonconformities and prevent them from happening again.

Specifically, the auditor will check the following:

  • Nonconformity identification: Does the organisation have a process for identifying nonconformities? This process may include internal audits, management reviews, employee feedback, and customer feedback.
  • Nonconformity investigation: Does the organisation have a process for investigating nonconformities? This process should identify the root cause of the nonconformity and any potential impact on information security.
  • Corrective action: Does the organisation have a process for determining and implementing corrective action? Corrective action should be taken to eliminate the root cause of the nonconformity and prevent it from happening again.
  • Verification of corrective action: Does the organisation verify the effectiveness of corrective action? This may involve monitoring the process, testing the controls, or conducting follow-up audits.

The auditor will also review the organisation's records of nonconformities and corrective actions.

Here are some additional questions that the auditor may ask:

  • How does the organisation identify nonconformities?
  • How does the organisation investigate nonconformities?
  • How does the organisation determine corrective action?
  • How does the organisation implement corrective action?
  • How does the organisation verify the effectiveness of corrective action?
  • What are some examples of nonconformities that the organisation has identified and resolved?
  • What are some examples of corrective actions that the organisation has implemented?

By asking these questions and reviewing the organisation's records, the auditor can assess the effectiveness of the organisation's nonconformity and corrective action process. Therefore, preparing for these questions will facilitate the audit process and increases the chances of successfully passing the external ISO 27001 audit.

 

Conclusion

The nonconformity and corrective action process is an essential part of an ISMS. By identifying and resolving nonconformities, organisations can improve the effectiveness of their ISMS and reduce the risk of information security incidents.

 

Additional Tips for Implementing a Nonconformity and Corrective Action Process

Make sure that the process is well-defined and documented. This will help to ensure that all nonconformities are handled in a consistent manner.

Assign responsibility for each step of the process. This will help to ensure that nonconformities are resolved promptly and effectively.

Communicate the process to all employees. This will help to ensure that everyone is aware of their role in the process.

Monitor the effectiveness of the process. This will help to identify any areas for improvement.

By following these tips, organisations can implement a nonconformity and corrective action process that will help them to improve the security of their information assets.

🏢 Organization Schema Preview (Development Only)
{
  "@context": "https://schema.org",
  "@graph": [
    {
      "@type": "Organization",
      "@id": "www.dataguard.com#organization",
      "name": "DataGuard",
      "legalName": "DataCo GmbH",
      "description": "DataGuard, the European leader in security and compliance software, is trusted by more than 4,000 organizations across 50+ countries. We help you identify and manage your security and compliance risks and fast-track your certifications and compliance by combining expert consultancy with AI-powered automation. Our purpose-built, all-in-one platform is developed with the experience of over 1.5 million total hours by a team of certified security and compliance experts.",
      "foundingDate": "2018",
      "taxID": "DE315880213",
      "logo": "https://7759810.fs1.hubspotusercontent-na1.net/hubfs/7759810/DataGuardLogo.svg",
      "url": "www.dataguard.com",
      "email": "info@dataguard.de",
      "telephone": "+49 89 452459 900",
      "address": {
        "@type": "PostalAddress",
        "streetAddress": "Sandstrasse 33",
        "addressLocality": "Munich",
        "addressRegion": "Bavaria",
        "postalCode": "80335",
        "addressCountry": "Germany"
      },
      "sameAs": [
        "https://www.linkedin.com/company/dataguard1/",
        "https://www.youtube.com/channel/UCEQzPZ6sCBCj9cAoBvaLL6w",
        "https://x.com/i/flow/login?redirect_after_login=%2FDataGuard_dg"
      ]
    }
  ]
}

✅ Organization schema markup for "DataGuard" has been injected into the document head.