ISO 27001 Requirement 10.2 – Continual Improvement

Name: ISMS.online
Telephone: +441273041140
Price range: ££
Location: ISMS.online

Jump to topic

What does Clause 10.2 involve?

There are several mechanisms already covered within ISO 27001 for the continual evaluation and improvement of the ISMS including:

6.1 risk assessment and treatment – ongoing
6.2 objectives monitoring, measurement and evaluation – ongoing
9.2 Internal audits – ongoing
9.3 management reviews – ongoing
10.1 nonconformities and corrective actions – ongoing
Annex A 5 – reviews of policies – ongoing
Annex A 7 – human resource engagement and awareness
Annex A 16 – security incidents, events and weaknesses – ongoing
Annex A 18– compliance reviews – ongoing
General external audits (eg for UKAS certification by ISO certified bodies)

Most of these above will typically happen without needing to be put on an improvement list per se (so be clear about that in the policy) and can be demonstrated as part of the continual improvement of taking the ISMS operation seriously.

Improvements can also come from many other places and it is to be encouraged that they get documented within the ISMS improvement process. These include:

Customers requests or concerns
Trending data from other operational systems
Other observations e.g. from suppliers or other interested parties

It is also useful to determine what is not an improvement in the information security management system. For example in running a service desk that receives product questions it would be painful to treat every ticket as an opportunity for improvement, whereas repeated issues might be a nonconformity or a general area for improvement – so make sure that it is clear what is and what isn’t considered.

Get certified up to 5x faster with ISMS.online

Compliance doesn’t need to be complicated – ISMS.online is designed to help you achieve ISO 27001 certification quickly and affordably with no training required.
We’ve streamlined the ISO 27001 process with our Assured Results Method, an 80% Headstart, your own 24/7 Virtual Coach, easy onboarding and expert support.

Book a platform demo to see how ISMS.online can help your business

Book a demo

Compliance doesn’t have to be complicated.

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

ISO 27001 Requirement 10.2 – Continual Improvement

Jump to topic

What does Clause 10.2 involve?

Get certified up to 5x faster with ISMS.online

Compliance doesn’t have to be complicated.

ISO 27001:2022 requirements

4.1 Understanding the organisation and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the ISMS

4.4 Information security management system (ISMS)

5.1 Leadership and commitment

5.2 Information Security Policy

5.3 Organisational roles, responsibilities and authorities

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

10.1 Nonconformity and corrective action

10.2 Continual improvement

ISO 27001:2022 Annex A Controls Organisational Controls

A 5.1 Information Security Policies

A 5.2 Information Security Roles and Responsibilities

A 5.3 Segregation of Duties

A 5.4 Management Responsibilities

A 5.5 Contact With Government Authorities

A 5.6 Contact With Special Interest Groups

A 5.7 Threat Intelligence

A 5.8 Information Security in Project Management

A 5.9 Inventory of Information and Other Associated Assets

A 5.10 Acceptable Use of Information and Other Associated Assets

A 5.11 Return of Assets

A 5.12 Classification of Information

A 5.13 Labelling of Information

A 5.14 Information Transfer

A 5.15 Access Control

A 5.16 Identity Management

A 5.17 Authentication Information

A 5.18 Access Rights

A 5.19 Information Security in Supplier Relationships

A 5.20 Addressing Information Security Within Supplier Agreements

A 5.21 Managing Information Security in the ICT Supply Chain

A 5.22 Monitoring and Review and Change Management of Supplier Services

A 5.23 Information Security for Use of Cloud Services

A 5.24 Information Security Incident Management Planning and Preparation

A 5.25 Assessment and Decision on Information Security Events

A 5.26 Response to Information Security Incidents

A 5.27 Learning From Information Security Incidents

A 5.28 Collection of Evidence

A 5.29 Information Security During Disruption

A 5.30 ICT Readiness for Business Continuity

A 5.31 Legal, Statutory, Regulatory and Contractual Requirements

A 5.32 Intellectual Property Rights

A 5.33 Protection of Records

A 5.34 Privacy and Protection of PII

A 5.35 Independent Review of Information Security

A 5.36 Compliance With Policies, Rules and Standards for Information Security

A 5.37 Documented Operating Procedures

People Controls

A 6.1 Screening

A 6.2 Terms and Conditions of Employment

A 6.3 Information Security Awareness, Education, and Training

A 6.4 Disciplinary Process

A 6.5 Responsibilities After Termination or Change of Employment

A 6.6 Confidentiality or Non-Disclosure Agreements

A 6.7 Remote Working

A 6.8 Information Security Event Reporting

Physical Controls

A 7.1 Physical Security Perimeters

A 7.2 Physical Entry

A 7.3 Securing Offices, Rooms and Facilities

A 7.4 Physical Security Monitoring

ISO 27001:2022 Annex A Controls

Organisational Controls