What does Clause 10.2 involve?

ISO 27001 already contains several mechanisms for the continual evaluation and improvement of the ISMS, including:

  • 6.1 risk assessment and risk treatment – ongoing
  • 6.2 information security objectives, together with 9.1 monitoring, measurement, analysis and evaluation – ongoing
  • 9.2 internal audits – ongoing
  • 9.3 management reviews – ongoing
  • 10.1 nonconformities and corrective actions – ongoing
  • Annex A 5 – reviews of policies – ongoing
  • Annex A 7 – human resource engagement and awareness
  • Annex A 16 – security incidents, events and weaknesses – ongoing
  • Annex A 18 – compliance reviews – ongoing
  • External audits (e.g. surveillance and recertification audits by a UKAS-accredited certification body)

Note that the clause and Annex A numbering above follows ISO 27001:2013. In the 2022 revision, 10.1 and 10.2 are swapped (10.1 is continual improvement and 10.2 is nonconformity and corrective action), and the Annex A controls are regrouped into organisational, people, physical and technological themes.

Most of the mechanisms above run on their own schedule and do not need to be logged as individual entries on an improvement register (state this explicitly in the policy so auditors and staff do not expect otherwise). Their routine operation is itself evidence of continual improvement and of the ISMS being taken seriously.

Improvements can also originate from many other places, and these should be captured in the ISMS improvement process rather than handled informally. They include:

  • Customer requests or concerns
  • Trend data from other operational systems (e.g. the service desk, monitoring or incident tooling)
  • Other observations, e.g. from suppliers or other interested parties

It is equally useful to define what is not an improvement to the information security management system. For example, a service desk that receives product questions would find it painful to treat every ticket as an opportunity for improvement, whereas a recurring issue may indicate a nonconformity or a general area for improvement. Make the criteria for what is and is not considered an improvement explicit, so that the register stays meaningful.



Mark Sharron

Mark works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001 and compliance.
