ISO 22301 Clause 10.1
This sub-clause requires the organisation to react to nonconformities, eliminate the underlying causes, and retain documented evidence of the actions taken.
ISO 22301 Clause 10.1 - Nonconformity and Corrective Action
Clause 10.1 sets out the process for dealing with things that go wrong in the BCMS. Note the clause numbering - in ISO 22301, Clause 10.1 is nonconformity and corrective action, while in ISO 9001 the same content is at 10.2. The substance is the same: react to the nonconformity, evaluate the cause, take action, check the action worked, and update the BCMS where needed.
What ISO 22301 Clause 10.1 Requires
When a nonconformity occurs, the organisation must react by taking action to control and correct it and dealing with the consequences. It must evaluate the need for action to eliminate the cause so the nonconformity does not recur or occur elsewhere - by reviewing the nonconformity, determining the causes, and determining whether similar nonconformities exist or could occur. It must implement any actions needed, review the effectiveness of the corrective actions taken, and make changes to the BCMS as required. Corrective actions must be appropriate to the effects of the nonconformities encountered.
Documented information must be retained as evidence of the nature of the nonconformity and any subsequent actions, and the results of any corrective action.
The Difference Between Correction and Corrective Action
The standard separates immediate correction (dealing with the problem in front of you) from corrective action (eliminating the underlying cause). A failed exercise communications cascade is a nonconformity. The correction is to fix the immediate problem - update the contact list, send the messages manually. The corrective action is to understand why the contact list was out of date - was the update process not being followed, was responsibility unclear, was the change control inadequate - and to fix that underlying cause so the problem does not happen again.
Both correction and corrective action have to be documented. Most organisations use a single issues and actions register that records the nonconformity, the immediate correction, the cause analysis, the corrective actions, the review of effectiveness and any resulting BCMS changes.
An issues and actions register that covers every required stage is the simplest way to comply. Each entry describes the nonconformity, the immediate correction, the root cause analysis, the corrective actions assigned with owners and dates, the verification of effectiveness, and any resulting BCMS updates. Auditors love it because the whole chain is in one place.
For nonconformities identified during internal audits or in operation, I expect to see clear evidence of the actions taken, the cause analysis and the verification that the corrective actions worked. If a nonconformity has been raised, dealt with, and never followed up to check the action was effective, that is itself a finding under 10.1.
Practical Compliance Guidance
The ER1 Issues and Actions Register is the central artefact for handling nonconformities and corrective actions. The F-Q10 Significant Problem, Incident or Complaint form supports the recording of larger or more complex events that need detailed investigation.
| alphaZ document | How to use it |
|---|---|
| ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard. |
| ER1 Issues and Actions Register | The register that records nonconformities, corrections, root causes, corrective actions, verification and follow-up. |
| F-Q10 Significant Problem, Incident or Complaint | The form for recording larger events that need detailed investigation, root cause analysis and structured corrective action. |
