August 24, 2023

ISO 27001:2022 Requirements: Clause 10.1 Non-conformity and Corrective Action

This version of ISO 27001 Clause 10.1 is applicable to ISO 27001:2022.

By
Full name
Share this post

Non-conformity means that a certain requirement is not complied with. In the context of ISO 27001, the requirements might be ISO 27001 requirements, relevant legislation, the ISMS documentation as well as requirements of interested parties.

Non-conformity and corrective actions are important because they enable companies to identify oversight errors and mistakes timeously and deal with them effectively. Non-conformities can be identified by anyone in the organisation at any time (during everyday operations in the monitoring processes etc.).

However, most of the nonconformities are usually identified by conducting an internal audit.

Corrective actions are a formal way for a company to resolve non-conformities and the standard requires companies to keep records as evidence of the nature of the non-conformity, the actions that are taken and the results of the implemented corrective actions.

It is not enough to implement the corrective action as the company should attempt to ensure that it has resolved the root cause of the non-conformity through a detailed analysis to assess whether the reoccurrence of the non-conformity has been prevented.

Corrective actions are significant in terms of showing improvements in the ISMS and therefore the standard requires that you document a corrective action procedure This procedure defines the steps for analysing the non-conformity, initiating corrective actions, assigning responsibilities for implementing the corrective actions, how to document the corrective actions, how to evaluate the effectiveness of the corrective actions and so on.

ISO 27001 requires the company to take action when a non-conformity occurs to correct the nonconformity and deal with the consequences. As an example when the non-conformity is that the internal audit was conducted by untrained auditors the company should ensure that the internal auditors are trained and then understand how this occurred to prevent recurrence, this could involve correctly understanding the audit process or assigning competent resources.

Risk Management
Compliance Reporting
Policy Management
Incident Management
Audits and Assessments

Ready to Take Control of Your Privacy Compliance?

Book a demo and experience the difference with Hicomply.

By providing your email, you agree that Hicomply may contact you for scheduling and marketing purposes, subject to Hicomply’s Privacy Policy. You can unsubscribe at any time.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Risk Management
Compliance Reporting
Policy Management
Incident Management
Audits and Assessments