ISO 27001:2013 Requirements: Clause 10.1 Non-conformity and Corrective Action (2013)

Non-conformity means that a certain requirement is not complied with. In the context of ISO 27001, the requirements might be ISO 27001 requirements, relevant legislation, the ISMS documentation as well as requirements of interested parties.

Non-conformity and corrective actions are important because they enable companies to identify oversight errors and mistakes timeously and deal with them effectively. Non-conformities can be identified by anyone in the organisation at any time (during everyday operations in the monitoring processes etc.).

However, most of the nonconformities are usually identified by conducting an internal audit.

Corrective actions are a formal way for a company to resolve non-conformities and the standard requires companies to keep records as evidence of the nature of the non-conformity, the actions that are taken and the results of the implemented corrective actions.

It is not enough to implement the corrective action as the company should attempt to ensure that it has resolved the root cause of the non-conformity through a detailed analysis to assess whether the reoccurrence of the non-conformity has been prevented.

Corrective actions are significant in terms of showing improvements in the ISMS and therefore the standard requires that you document a corrective action procedure This procedure defines the steps for analysing the non-conformity, initiating corrective actions, assigning responsibilities for implementing the corrective actions, how to document the corrective actions, how to evaluate the effectiveness of the corrective actions and so on.

ISO 27001 requires the company to take action when a non-conformity occurs to correct the nonconformity and deal with the consequences. As an example when the non-conformity is that the internal audit was conducted by untrained auditors the company should ensure that the internal auditors are trained and then understand how this occurred to prevent recurrence, this could involve correctly understanding the audit process or assigning competent resources.

‍