Nonconformity and Corrective Action for ISO 27001 Information Security
ISO 27001 Clause 10.2
This sub-clause requires the organisation to react to nonconformities, eliminate the underlying causes, and retain documented evidence of the actions taken.
ISO 27001 Clause 10.2 - Nonconformity and Corrective Action
A nonconformity is a failure to meet a requirement - of the standard, of the organisation's own ISMS or of the controls that have been chosen. Clause 10.2 sets out the structured process for responding to nonconformities. It applies to nonconformities found through audits, monitoring, incidents, customer feedback, or by any other route.
What ISO 27001 Clause 10.2 Requires
When a nonconformity occurs, including any arising from complaints, the organisation must:
- react to the nonconformity, taking action to control and correct it, and deal with the consequences;
- evaluate the need for action to eliminate the causes, so that it does not recur or occur elsewhere, by reviewing the nonconformity, determining the causes and determining whether similar nonconformities exist or could potentially occur;
- implement any action needed;
- review the effectiveness of any corrective action taken; and
- make changes to the ISMS if necessary.
Corrective actions must be appropriate to the effects of the nonconformities encountered. Documented information must be retained as evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action.
Containment Versus Correction Versus Corrective Action
The clause requires three different responses, all happening together but each with its own purpose. Containment is the immediate response - stop the bleeding. If a system is exposed, take it offline. If a phishing email reached users, remove copies of it. Correction is the short-term fix - rebuild the affected system, reset the affected accounts. Corrective action is the longer-term work - find out why this happened and make sure it cannot happen again.
The first two are necessary but they are not enough. A management system that fixes incidents but never finds the underlying cause will keep encountering the same problems. Corrective action is what turns a single incident into an improvement.
Root Cause and Recurrence
The clause requires the organisation to evaluate the need for action by reviewing the nonconformity, determining the causes and determining whether similar nonconformities exist or could potentially occur. The 'or could potentially occur' phrase is important - it means looking beyond the specific incident at the systemic factors that allowed it.
Various root cause analysis techniques can be used. The 'five whys' technique works well for simple cases. Fishbone diagrams help when there are multiple contributing factors. The technique is for the organisation to choose. What matters is that the analysis is genuine and the corrective actions address the causes, not just the symptoms.
Reviewing Effectiveness
Corrective actions are not closed when they are completed. They are closed when their effectiveness has been reviewed - typically a few weeks or months after completion, to confirm that the cause really has been addressed and the nonconformity has not recurred. The issues and actions register usually has a separate field for the effectiveness review date and outcome.
If the effectiveness review finds that the corrective action did not work, the issue is reopened and a different action is tried. The cycle continues until the organisation is satisfied that the nonconformity is unlikely to recur.
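The closure rule described above, as an added example that is not part of this page or of any alphaZ document: a small register model in which an issue can only reach "closed" through a recorded, successful effectiveness review, and a failed review reopens it and keeps the superseded action on record. Field names, statuses and the sample issue are constructed for illustration.

```python
from dataclasses import dataclass, field

# Statuses an issue passes through. Constructed example, not the alphaZ ER1 register.
OPEN, ACTION_COMPLETE, CLOSED = "open", "action complete", "closed"


@dataclass
class Issue:
    ref: str
    nonconformity: str
    status: str = OPEN
    containment: str = ""          # immediate response ("stop the bleeding")
    correction: str = ""           # short-term fix
    root_cause: str = ""
    corrective_action: str = ""    # longer-term work addressing the cause
    reviews: list = field(default_factory=list)     # (date, effective, note)
    superseded: list = field(default_factory=list)  # actions that failed review

    def record(self, containment, correction, root_cause, corrective_action):
        """Record all three responses; the action is complete but NOT yet closed."""
        if self.status == CLOSED:
            raise ValueError(f"{self.ref} is already closed")
        if not root_cause.strip() or not corrective_action.strip():
            raise ValueError("corrective action must state a cause and an action")
        self.containment, self.correction = containment, correction
        self.root_cause, self.corrective_action = root_cause, corrective_action
        self.status = ACTION_COMPLETE
        return self.status

    def review_effectiveness(self, when: str, effective: bool, note: str = ""):
        """Close only on a successful review; otherwise reopen for a different action."""
        if self.status != ACTION_COMPLETE:
            raise ValueError(f"{self.ref} has no completed action to review")
        self.reviews.append((when, effective, note))
        if effective:
            self.status = CLOSED
        else:
            self.superseded.append(self.corrective_action)  # keep the audit trail
            self.status = OPEN
        return self.status


if __name__ == "__main__":
    issue = Issue("NC-01", "Laptop lost with disk encryption not enabled")  # constructed
    issue.record("Remote wipe issued", "Laptop reissued",
                 "Build process does not enforce encryption", "Reminded staff to enable it")
    print(issue.review_effectiveness("2024-02-01", False, "second unencrypted laptop found"))
    issue.record("Remote wipe issued", "Laptop reissued",
                 "Build process does not enforce encryption", "Encryption enforced by MDM policy")
    print(issue.review_effectiveness("2024-04-01", True, "no recurrence in 8 weeks"))
```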
The biggest mistake I see with corrective action is closing actions when they are completed rather than when they are confirmed effective. A few weeks later the same problem comes back, and the original action gets reopened. The effectiveness review takes minutes, but it is the bit that turns reactive firefighting into actual improvement.
I look at the issues register at audit and trace findings through the cycle. I want to see containment, correction and corrective action distinguished clearly, with effectiveness reviews completed and the cause genuinely addressed. Generic actions like 'reminded staff to be careful' rarely meet the standard - they are not addressing causes.
Practical Compliance Guidance
The issues and actions register and the significant problem - incident - complaint form together capture the documented information required by Clause 10.2. The form supports the structured analysis of cause and the planning of corrective action; the register tracks each issue through to closure including effectiveness review.
The documents below support the management of nonconformities and corrective action.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the issues register and incident form covering corrective action. |
| ER1 Issues and Actions Register | Register that tracks each nonconformity through containment, correction, corrective action and effectiveness review to closure. |
| F-Q10 Significant Problem - Incident - Complaint | Structured form for capturing the nonconformity, evaluating the cause, planning corrective action and recording effectiveness. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
UK GDPR creates explicit nonconformity and corrective action obligations for personal data breaches, including the 72-hour notification requirement to the ICO. The NIS Regulations 2018 create similar obligations for operators of essential services and digital service providers.
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Network and Information Systems Regulations 2018
Further Resources
- ISO 27001 Clause 10.1 - Continual Improvement
- ISO 27001 Clause 9.2 - Internal Audit
- ISO 27001 Clause 9.3 - Management Review
- Annex A 5.24 - Information Security Incident Management Planning and Preparation
- Corrective Action and Audit Follow-up
- ISO 9001 Clause 10.2 - Nonconformity and Corrective Action
