Improvement for ISO 27001 Requirements 10.1 – 10.2


What is covered under Section 10 of ISO 27001:2013?

Section 10 addresses how you will improve your ISMS on an ongoing basis.

ISO 27001, like many other ISO standards, is concerned with continual improvement. Given the speed of change in many organisations, not to mention the ever-changing threat landscape, this is arguably one of the most important areas of the standard.

Falling under Section 10 are 10.1 Nonconformity and corrective action, and 10.2 Continual improvement.

ISO 27001 Section 10.1 – Nonconformity and corrective action

Section 10.1 of ISO 27001 concerns the actions your organisation commits to taking when a failure to comply with the standard occurs. The standard refers to this as a ‘nonconformity’, and the steps you take to correct it are called a ‘corrective action’.

In the event of a nonconformity, the organisation should ‘take action to control and correct it’ and deal with the consequences of the event. It should then take steps to ensure that it doesn’t happen again, by addressing the cause of the nonconformity.

The corrective action should be assessed, and the effectiveness of that action measured and documented. Remember, to obtain and maintain ISO 27001 certification, an auditor will expect to see evidence of improvements.

It is not a failure to show that you are addressing nonconformities, taking corrective actions and so on, so do make sure they are visible where appropriate, to demonstrate the philosophy of continual improvement that the standard requires.

Requirement 10.1 Nonconformities and corrective actions


How to demonstrate nonconformities and corrective actions are being addressed

Using ISMS.online software to manage your ISMS gives you access not just to a policy for 10.1, but also to the Corrective Actions & Improvement Track, which has been built so you can quickly and simply demonstrate and evidence the work being done.

It is customised and ready to use immediately, and will help you manage the corrective actions and improvements you identify through a standard workflow process. You will be able to assign actions to team members, set due dates, and join up your ISMS by quickly linking each action to other areas, such as a policy or control that may need updating.

ISO 27001 Section 10.2 – Continual improvement

A large part of running an information security management system is to see it as a living and breathing thing. Your organisation should always be assessing, testing, reviewing and measuring the performance of the ISMS, to ensure it is still supporting and meeting your business goals.

There are several mechanisms covered within ISO 27001 for the continual evaluation and improvement of your ISMS, including audits, management reviews, the corrective actions and improvements process, ongoing risk assessment, ongoing staff engagement, etc. The secret is not to waste time duplicating work that is already going on in the wider ISMS in order to demonstrate that continual improvement is taking place.

How to demonstrate the organisation is continually improving the suitability, adequacy, and effectiveness of the ISMS

This is a great example of how the ISMS.online solution brings everything together so there is no need to duplicate effort. Simply reuse the work that is already going on in the wider system, joining it up holistically through the linking feature.

Again, ISMS.online comes with a Policy for 10.2 which already includes links to the areas where you will be able to quickly demonstrate that continual improvement is embedded in your organisation.

Expert guidance on meeting the requirements of Section 10 is included in our optional ISO 27001 Virtual Coach.
