ISO 27001 Clause 10.1 Non conformity and corrective action

Required activity

Clause 10 of ISO/IEC 27001:2013, containing sections 10.1 (Nonconformity and corrective action) and 10.2 (Continual improvement), covers the "Act" part of W. Edwards Deming's Plan-Do-Check-Act (PDCA) cycle. This clause requires an organisation to react to nonconformities, evaluate them and take corrective actions, with the end goal of continually improving how it runs its daily activities. (In the 2022 revision of the standard the two sections are renumbered: 10.1 becomes Continual improvement and 10.2 becomes Nonconformity and corrective action; the substance of the requirement described here is the same.)


A nonconformity is the non-fulfilment of a requirement; in the ISMS context, a requirement of the management system itself. Nonconformities cannot always be avoided, because mistakes happen in every organisation; what matters is that the issue is identified and handled appropriately when it presents itself. Requirements are needs or expectations that are stated, generally implied or obligatory. There are several types of nonconformity, such as:

  1. Failure to fulfil (completely or partially) a requirement of ISO/IEC 27001 within the ISMS;
  2. Failure to properly implement or conform to a requirement, rule or control stated by the ISMS;
  3. Partial or total failure to meet legal, contractual or agreed customer requirements.

Typical nonconformities include:

  1. People not acting in accordance with procedures and policies;
  2. Suppliers not providing agreed products or services;
  3. Projects not delivering expected outcomes; and
  4. Controls not operating as designed.

Nonconformities are commonly recognised through:

  1. Deficiencies in activities performed within the scope of the management system;
  2. Ineffective controls that are not remediated appropriately;
  3. Analysis of information security incidents, showing the non-fulfilment of a requirement of the ISMS;
  4. Complaints from customers;
  5. Alerts from users or suppliers;
  6. Monitoring and measurement results not meeting acceptance criteria; and
  7. Objectives not achieved.

How should organisations deal with non-conformity?

The three basic steps in controlling a nonconformity are identifying the problem or violation, recording it, and taking appropriate action to put an end to it.

In general, the following steps should be adopted:
  1. Identifying the extent and impact of the nonconformity.
  2. Choosing corrections that limit the impact of the nonconformity. Corrections can include switching to a previous, failsafe or other appropriate state. Care should be taken that corrections do not make things worse.
  3. Communicating with relevant personnel to make sure that the corrections are carried out.
  4. Completing the corrections as decided.
  5. Monitoring the situation to make sure that the corrections have had the intended effect and have not produced unintended side-effects.
  6. Acting further if the nonconformity is still not remediated; and
  7. Communicating with other relevant interested parties, as appropriate.

To identify effective corrective action, it is strongly advised to complete a root cause analysis of the issue that occurred. If you do not get to the bottom of why or how it happened, whatever fix you implement is unlikely to be fully effective.

However, corrections alone will not necessarily prevent recurrence of the nonconformity. Corrective actions can occur after, or in parallel with, corrections. The following process steps should be taken:

  1. Decide whether there is a need to carry out a corrective action, in accordance with established criteria (e.g. impact of the nonconformity, repetitiveness);
  2. Review the nonconformity, considering:
    – whether similar nonconformities are recorded;
    – all the results and side-effects caused by the nonconformity;
    – the corrections taken.
  3. Perform an in-depth root cause analysis of the nonconformity.
  4. Identify patterns and criteria that will help to spot similar situations in the future.
  5. Analyse the potential consequences for the ISMS, considering:
    – whether similar nonconformities exist in other areas, e.g. by applying the patterns and criteria found during the cause analysis;
    – whether other areas match the identified patterns or criteria, such that it is only a matter of time before a similar nonconformity occurs.
  6. Determine the actions needed to address the cause, evaluating whether they are proportionate to the results and impact of the nonconformity, and checking for any potential side-effects that could cause other nonconformities or significant new information security risks.
  7. Plan the corrective actions, giving priority, where possible, to areas with a higher likelihood of recurrence and more significant consequences.
  8. Implement the corrective actions according to the plan.
  9. Finally, evaluate the corrective actions to determine whether they have actually addressed the cause of the nonconformity and prevented its recurrence. This evaluation should be impartial, evidence-based and documented, and communicated to the appropriate roles and stakeholders.

As a result of corrections and corrective actions, it is possible that new opportunities for improvement are identified. These should be treated accordingly. Sufficient documented information is required to be retained to demonstrate that the organization has acted appropriately to deal with the nonconformity and has addressed the related consequences.

All significant steps of nonconformity management (from discovery through corrections) and, if started, of corrective action management (cause analysis, review, the decision on whether to implement actions, and any resulting changes to the ISMS itself) should be documented. The documented information is also required to include evidence of whether the actions taken achieved the intended effects.

Some organisations maintain registers for tracking nonconformities and corrective actions. There may be more than one register (for example, one per functional area or process) and they may be kept on different media (paper, file, application, etc.). If so, they should be established and controlled as documented information, and together they should allow a comprehensive review of all nonconformities and corrective actions, so that the need for further action can be evaluated properly.
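The following is an added example, not part of this page or of the ISO/IEC 27001 text: a minimal nonconformity register that enforces the evidence the clause asks an organisation to retain (the nature of the nonconformity, the corrections, the decision on corrective action, the root cause, the corrective action and the result of its effectiveness review) before an entry can be closed, and that answers the review question "are similar nonconformities recorded?" by looking for recurrences against the same requirement. The record IDs, field names, the recurrence threshold and the sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Nonconformity:
    """One register entry. Field names are this example's own, not the standard's."""
    nc_id: str
    raised: date
    source: str                  # how it was recognised: audit, incident, complaint, metric...
    requirement: str             # the ISMS requirement or control that was not fulfilled
    description: str
    high_impact: bool = False
    corrections: list = field(default_factory=list)   # what was done to contain it
    corrective_action_needed: Optional[bool] = None    # the decision, recorded explicitly
    root_cause: Optional[str] = None
    corrective_action: Optional[str] = None
    effectiveness_review: Optional[str] = None         # impartial evidence the cause is gone
    status: str = "open"


class Register:
    """Controlled register: an entry cannot be closed until the required evidence exists."""

    def __init__(self, recurrence_threshold: int = 2, window_days: int = 365):
        self._items = {}                      # nc_id -> Nonconformity
        self.recurrence_threshold = recurrence_threshold   # assumed criterion for "repetitive"
        self.window = timedelta(days=window_days)

    def record(self, nc: Nonconformity) -> Nonconformity:
        if nc.nc_id in self._items:
            raise ValueError(f"duplicate id {nc.nc_id}")
        self._items[nc.nc_id] = nc
        return nc

    def get(self, nc_id: str) -> Nonconformity:
        return self._items[nc_id]

    def similar(self, nc: Nonconformity) -> list:
        """Review step: other entries against the same requirement inside the time window."""
        return [o for o in self._items.values()
                if o.nc_id != nc.nc_id
                and o.requirement == nc.requirement
                and abs(o.raised - nc.raised) <= self.window]

    def decide(self, nc: Nonconformity) -> bool:
        """Apply the criteria (impact, repetitiveness) and record the decision on the entry."""
        recurring = len(self.similar(nc)) + 1 >= self.recurrence_threshold
        nc.corrective_action_needed = nc.high_impact or recurring
        return nc.corrective_action_needed

    def missing_evidence(self, nc: Nonconformity) -> list:
        """Which documented items are still absent; empty means the entry may be closed."""
        missing = []
        if not nc.corrections:
            missing.append("correction")
        if nc.corrective_action_needed is None:
            missing.append("decision on corrective action")
        elif nc.corrective_action_needed:
            for name in ("root_cause", "corrective_action", "effectiveness_review"):
                if not getattr(nc, name):
                    missing.append(name)
        return missing

    def close(self, nc_id: str) -> Nonconformity:
        nc = self._items[nc_id]
        missing = self.missing_evidence(nc)
        if missing:
            raise ValueError(f"{nc_id} cannot be closed, missing: {', '.join(missing)}")
        nc.status = "closed"
        return nc

    def open_items(self) -> list:
        return [nc for nc in self._items.values() if nc.status == "open"]


def demo() -> Register:
    """Constructed sample data: three lapses against the same access-review requirement."""
    reg = Register()
    for i, day in enumerate((5, 40, 75), start=1):
        reg.record(Nonconformity(
            nc_id=f"NC-{i:03d}",
            raised=date(2024, 1, 1) + timedelta(days=day),
            source="internal audit",
            requirement="quarterly access review",
            description="review not evidenced for finance file share"))
    third = reg.get("NC-003")
    third.corrections.append("access review performed and evidenced 2024-03-20")
    reg.decide(third)   # True: the same requirement has failed three times in the window
    return reg


if __name__ == "__main__":
    reg = demo()
    nc = reg.get("NC-003")
    print("similar entries:", [o.nc_id for o in reg.similar(nc)])
    print("corrective action needed:", nc.corrective_action_needed)
    print("still missing before closure:", reg.missing_evidence(nc))
```

The point of the closure gate is that a correction alone is never enough to close an entry once the criteria say a corrective action is needed: the register refuses until the root cause, the action and the effectiveness review are all recorded, which is exactly the evidence an auditor will ask for under this clause.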

Thus, stakeholders need to realise that the occurrence of a nonconformity within an organisation is not the end of the world; the consequences become far more serious when the nonconformity is not properly identified, addressed, corrected and prevented from recurring.


Questions related to this topic

1. What actions should an organisation take when a nonconformity occurs?
2. What is the immediate action taken against a nonconformity?
3. How do you respond to a nonconformance report?
4. What is Annex A of ISO 27001?
5. Explain ISO 27001 Clause 10.1 Nonconformity and corrective action.
