Continual Improvement for ISO 27001 Information Security

ISO 27001 Clause 10.1

This sub-clause requires the organisation to continually improve the suitability, adequacy and effectiveness of the ISMS.

ISO 27001 Clause 10.1 - Continual Improvement

Clause 10.1 is the shortest clause in the standard. It contains a single requirement - that the organisation continually improves the suitability, adequacy and effectiveness of the ISMS. There is no documentation requirement attached to it. Evidence of compliance comes from the rest of the management system showing that improvement is happening.

What ISO 27001 Clause 10.1 Requires

The organisation must continually improve the suitability, adequacy and effectiveness of the ISMS. The standard does not specify how this is done. The improvements can come from any source - audit findings, incident lessons, monitoring data, risk reassessment, technology changes, regulatory changes, customer feedback, staff suggestions or general observation.

What 'Continual' Means

Continual is a deliberate choice of word. It does not mean continuous - all the time, never stopping. It means happening regularly over time. A management system that improves twice a year through audits and management reviews is operating continual improvement. A management system that has not changed in two years is not.

The improvements do not all have to be large. Small ongoing refinements - tightening up a procedure, automating a manual check, adding a new monitoring metric - count as much as major changes. What matters is that the system is being actively maintained and developed rather than left alone.

How Improvement Shows Up Across the Management System

The other clauses of the standard create the improvement opportunities. Clause 9.1 Monitoring identifies trends that suggest changes are needed. Clause 9.2 Internal Audit identifies gaps and weaknesses. Clause 9.3 Management Review surfaces strategic improvement opportunities. Clause 10.2 Nonconformity and Corrective Action drives improvement in response to specific failures.

The output is most often visible in the issues and actions register. A live register with a flow of completed improvement actions is the simplest evidence that Clause 10.1 is being met. A register that has not been updated in months suggests improvement has stalled.

The clause is short but the expectation behind it is significant. Auditors are alert to management systems that look the same year on year. The Statement of Applicability, the risk register, the policy, the training programme - they should all show evidence of being kept current. A static system is rarely an effective system.

I look at the dates across the documentation set. If most documents have not been touched for two years and the issues register has nothing closed in six months, I know to look harder elsewhere. Continual improvement is hard to prove with one document. It shows up across the whole system, or it does not.

Practical Compliance Guidance

The issues and actions register is the central evidence document for Clause 10.1. The management review template incorporates improvement opportunities as a required output, feeding actions into the register.

The documents below support the planning, recording and follow-up of continual improvement activity.

alphaZ document	How to use it
ISO 27001 Toolkit	Complete documentation set for ISO 27001:2022 including the issues and actions register and the management review template.
ER1 Issues and Actions Register	Live register tracking improvement actions through to closure with effectiveness review, used as the central evidence document for Clause 10.1.
F-Q3 Management Review	Management review template that builds improvement opportunities into the standard inputs and outputs.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does Clause 10.1 require documented improvement plans?

No. The clause itself has no documentation requirement. Most organisations record improvement actions in the issues and actions register and through the management review outputs, which together provide adequate evidence of continual improvement activity.

What is the difference between Clause 10.1 and Clause 10.2?

Clause 10.1 is about ongoing, proactive improvement of the management system as a whole. Clause 10.2 is about reactive improvement in response to specific nonconformities. The two work together - corrective action under 10.2 contributes to continual improvement under 10.1, and continual improvement under 10.1 reduces the rate of nonconformities triggering 10.2.

How is continual improvement evidenced at audit?

Through patterns visible across the management system - updates to documents, actions completed in the issues register, improvements recorded against management review outputs, changes to the risk register and the SoA. The evidence is cumulative. No single document proves continual improvement on its own.

UK Legislation

No UK legislation directly governs continual improvement of an information security management system. UK GDPR creates an implicit expectation through its accountability principle - that the technical and organisational measures protecting personal data are kept under review.

Further Resources