ISO/IEC 27001 Clause 10: Improvement
Clause 10 “Improvement” sets out requirements built around continual improvement. Naturally, following up on improvement is the next step after evaluation. As the standard states, nonconformities must be addressed and action taken to eliminate their root cause where applicable.
- Determine and select opportunities for improvement
- React to nonconformities and take action to eliminate the cause
- Implement corrective actions as appropriate and review their effectiveness
- Keep records of nonconformities and corrective actions
- Continually improve your ISMS
Clause 10.1: Continual Improvement
When running an information security management system, it is key to view the ISMS as a living, breathing system. Organizations that take improvement seriously will be assessing, testing, reviewing and measuring the performance of the ISMS. This creates a strong system and is the appropriate way to view the ISMS, rather than implementing it with no intent to manage and work with it. Consider using internal audits, management reviews, or company performance metrics to help identify opportunities for improvement.
Clause 10.2: Nonconformity and corrective action
When nonconformities occur, it is imperative to react to them appropriately by controlling and correcting them, or by dealing with their consequences. Determine the cause of the nonconformity and take action to ensure it does not recur. After you have implemented these corrective actions, review them to ensure they were effective. Corrective actions will often require updating ISMS processes and/or the risks and opportunities determined during planning. Records describing nonconformities, the actions taken, and the results of those actions must be kept.
Please note that certain text from the ISO 27001 standard is used only for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.