ISO/IEC 27001 Clause 10: Improvement

The requirements of Clause 10, “Improvement”, centre on continual improvement of the ISMS. Improvement follows naturally from the performance evaluation required by Clause 9: once internal audits, measurements and management reviews have surfaced nonconformities, the standard requires that they be addressed and that action be taken to eliminate their root causes where applicable, so that the same problem does not recur.

Key Requirements:

  • Determine and select opportunities for improvement
  • React to nonconformities and take action to eliminate the cause
  • Implement corrective actions as appropriate and review their effectiveness
  • Keep records of nonconformities and corrective actions
  • Continually improve your ISMS

Clause 10.1: Continual Improvement

When running an information security management system it is key to treat the ISMS as a living system rather than a set of documents produced for certification and then left alone. Organizations that take improvement seriously continually assess, test, review and measure the performance of the ISMS, and feed the results back into it; this is what produces a strong system. Internal audits, management reviews and security performance metrics (for example, the monitoring and measurement results gathered under Clause 9) are the usual sources for identifying opportunities for improvement.

Clause 10.2: Nonconformity and corrective action

When a nonconformity occurs, react to it appropriately: take action to control and correct it, and deal with its consequences. Then determine the cause of the nonconformity, check whether similar nonconformities exist or could occur elsewhere, and take action to ensure it does not recur. Corrective actions should be proportionate to the effects of the nonconformity, and after they have been implemented they must be reviewed to confirm they were effective. Corrective actions will often require updating ISMS processes and/or the risks and opportunities determined during planning. Records describing the nature of each nonconformity, the actions taken, and the results of those actions must be kept as documented information.

Please note that certain text from the ISO 27001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.


Our All-in-One Certification Package is a proven, efficient system. It gives you all you need to prepare for certification in one simple-to-use package.

Customer Review:

"I have just passed my Audit with zero non-conformances for the second year in a row using your ISO products to write my entire QMS. Thank you for producing documents of this quality"

Bettye Patrick
