ISO/IEC 27001:2013 (clause 10.1, Nonconformity and corrective action) requires organisations to identify nonconformities and take corrective action. But what is the difference between a nonconformity report and a corrective action report under ISO 27001:2013, and which records are mandatory? This article looks at the requirements and provides some context to them as defined in the standard.
Let’s start by looking at how ISO 27001 defines a nonconformity and a corrective action.
What is a nonconformity in ISO 27001?
A nonconformity is a deviation from, or failure to meet, a stated requirement. In the context of ISO 27001:2013 this can range from a breach of a security policy or standard to misuse of systems by an internal or external party. In each case a process or product does not conform to a requirement defined within the ISMS, and the outcome is therefore not what the ISMS was designed to produce.
A nonconformity can be identified through numerous routes, from internal audits to customer complaints or security incidents. For example, a security policy may require all suppliers to be on-boarded through a defined due diligence process with management sign-off. During an audit it is found that several suppliers have been on-boarded without following that process. This is a nonconformity against the security policy and must be raised for action.
ISO 27001:2013 does not prescribe how organisations must manage a nonconformity once it is identified; it states that the organisation shall react to it and take action to control and correct it, as shown in the extract below from clause 10.1 of ISO 27001:2013:
When a nonconformity occurs, the organisation shall:
a) react to the nonconformity, and as applicable:
   1) take action to control and correct it; and
   2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
   1) reviewing the nonconformity;
   2) determining the causes of the nonconformity; and
   3) determining if similar nonconformities exist, or could potentially occur;
The extract describes the process organisations should follow so that a nonconformity is identified, controlled, corrected, assessed and managed to prevent recurrence; the clause goes on to require that the actions needed are implemented, that the effectiveness of any corrective action is reviewed, and that the ISMS is changed where necessary. A nonconformity report may record the above: how the nonconformity was identified, the actions taken to control and correct it, and what consequences it may have for the organisation from a security perspective. Once the nonconformity has been contained and corrected, action should be taken to eliminate its cause so that it does not recur; this is what the standard calls corrective action.
What are corrective actions in ISO 27001?
As described above, a corrective action is action taken to eliminate the cause of a nonconformity so that it does not recur or occur elsewhere; it is distinct from the immediate correction that fixes the individual deviation. Using the supplier on-boarding example, corrective action might consist of training the supplier management teams on the on-boarding process and issuing communications to prevent recurrence. It may also require re-engineering the process so that it fits the business, or removing it altogether where it is not feasible and the risk assessment identifies no risk that requires it.
Corrective actions should be proportionate to the assessed level of risk to the organisation; the standard words this as “appropriate to the effects of the nonconformities encountered”. For example, a major nonconformity may expose the organisation to significant financial loss or reputational damage, and would require correspondingly significant corrective action to reduce the risk and protect the organisation.
A corrective action report may be issued detailing the new controls, or improvements to existing controls, intended to prevent the nonconformity recurring. Corrective actions should be tested to confirm they are effective, and the results documented and communicated to management where appropriate.
So there we have it: the above sets out the difference between a nonconformity report and a corrective action report in ISO 27001:2013. Neither report is mandatory by name. What the standard requires (clause 10.1 f and g) is retained documented information evidencing the nature of the nonconformities, any subsequent actions taken, and the results of any corrective action; in practice many organisations produce one report with separate sections for the nonconformity and the corrective action undertaken. Corrective actions arise from a nonconformity, should be logged and assessed to ensure they are fit for purpose, and re-tested wherever possible.