All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base
Company Security and customers first
About News Partners Careers Contact

ISO 27001 Clause 10.1: Non-Conformity And Corrective Actions (2013)

This version of ISO 27001 Clause 10.1 is applicable to ISO 27001:2013.

Non-conformity means that a certain requirement is not complied with. In the context of ISO 27001, the requirements might be ISO 27001 requirements , relevant legislation, the ISMS documentation as well as requirements of interested parties.

Non-conformity and corrective actions are important because they enable companies to identify oversight errors and mistakes timeously and deal with them effectively. Non-conformities can be identified by anyone in the organisation at any time (during everyday operations in the monitoring processes etc.).

However, most of the nonconformities are usually identified by conducting an internal audit.

Corrective actions are formal way for a company to resolve non-conformities and the standard requires companies to keep records as evidence of the nature of the non-conformity, the actions that are taken and the results of the implemented corrective actions.

It is not enough to implement the corrective action as the company should attempt to ensure that it has resolved the root cause of the non-conformity through a detailed analysis to assess whether the reoccurrence of the non-conformity has been prevented.

Corrective actions are significant in terms of showing improvements of the ISMS and therefore the standard requires that you document a corrective action procedure This procedure defines the steps for analysing the non-conformity, initiating corrective actions, assigning responsibilities for implementing the corrective actions, how to document the corrective actions, how to evaluate the effectiveness of the corrective actions and so on.

ISO 27001 requires the company to take actions when a non-conformity occurs to correct the nonconformity and deal with the consequences. As an example when the non-conformity is that the internal audit was conducted by untrained auditors the company should ensure that the internal auditors are trained and then understand how this occurred to prevent recurrence, this could involve correctly understanding the audit process or assigning competent resources.