ISO 37001 Clause 10.2
Non-conformity and corrective action - react, evaluate cause, take action, check effectiveness, change the ABMS if needed.
ISO 37001 Clause 10.2 - Non-conformity and Corrective Action
Clause 10.2 is the most prescriptive clause in ISO 37001 Clause 10. It sets out a multi-step response that the organisation has to take when a non-conformity occurs - including a non-conformity arising from bribery itself.
What ISO 37001 Clause 10.2 Requires
When a non-conformity occurs the organisation:
- Reacts to the non-conformity - takes action to control and correct it, and deals with the consequences;
- Evaluates the need for action to eliminate the causes - reviews and analyses the non-conformity, determines its causes, and determines whether similar non-conformities exist or could potentially occur;
- Implements any action needed;
- Reviews the effectiveness of any corrective action taken;
- Updates risks and opportunities determined during planning, if necessary;
- Makes changes to the ABMS if necessary.
Corrective actions must be appropriate to the effects of the non-conformities encountered. The organisation retains documented information as evidence of the nature of the non-conformities, any subsequent actions taken, and the results of any corrective action.
The Difference Between Correction and Corrective Action
The clause distinguishes carefully between two related but separate steps:
- Correction - dealing with the immediate issue. If a payment was made without the required approval, correction is recovering the payment if possible and putting the approval in place.
- Corrective action - dealing with the cause. The corrective action investigates why the approval was bypassed and changes the process or controls so the same gap does not enable a future failure.
Both are required. Skipping the correction leaves the immediate consequences unaddressed; skipping the corrective action leaves the underlying weakness in place and the next non-conformity becomes inevitable.
Root Cause Analysis
The "evaluate the need for action to eliminate the causes" step is where most of the value sits. Surface causes are usually obvious. Underlying causes - process design, training gaps, supervisory weaknesses, cultural factors, resource constraints - take longer to find. The standard requires the cause analysis to be done; it does not prescribe a method. Common approaches include the five whys, fishbone diagrams, and structured root cause review forms. Whatever method is used, the analysis has to land on something the organisation can actually change.
Effectiveness Review
The effectiveness review is the part most often skipped. After a corrective action is implemented the organisation has to check it actually worked - that the cause has been addressed and the same non-conformity is not recurring. This typically happens at a defined interval after implementation - some weeks for short-cycle processes, some months for longer ones. Without the effectiveness check, corrective actions get marked closed when they are really still open.
The temptation when a non-conformity surfaces is to fix it and move on. The standard does not allow that. The fix is the start. The cause analysis, the wider check for similar issues, the implementation of structural change and the effectiveness review are all separate steps and all required. Skipping any of them leaves the same non-conformity ready to happen again.
The corrective action record on F-Q16 captures all the steps - the description, the immediate correction, the cause analysis, the corrective action taken, the effectiveness review and the closure. A complete record on a single form is the strongest evidence to an auditor that the clause has been worked through properly. A record that lists the action but skips the cause analysis or the effectiveness check will draw a finding.
I sample corrective actions from the period and trace each one through. I want to see the immediate correction, the cause analysis, the corrective action, the implementation evidence and the effectiveness review. I also look for trends - are similar non-conformities recurring, suggesting the cause analysis was incomplete? Are corrective actions being closed without effectiveness review? These are the patterns that tell me whether 10.2 is working in practice or just on paper.
Practical Compliance Guidance
Non-conformities are logged on ER1 and the corrective action lifecycle is managed using F-Q16 - including the immediate correction, root cause analysis, corrective action, effectiveness review and closure.
The documents below support the corrective action activities required by Clause 10.2.
| alphaZ document | How to use it |
|---|---|
| ISO 37001 Toolkit | Complete documentation set for ISO 37001:2025 compliance, including the IMS1 Manual, the PP-1-19 Anti-bribery procedure and all supporting registers and forms. |
| ER1 Issues and Actions Register | Logs non-conformities and tracks corrective actions through to closure. |
| F-Q16 Improvement Request | Used to capture the full corrective action lifecycle - description, correction, cause analysis, action, effectiveness review. |
| F-IMS34 Anti-bribery Compliance Register | Trends in non-conformities feed analysis of whether the ABMS itself needs to change under Clause 10.2. |
| F-Q3 Anti-bribery Management Review | Non-conformity trends and corrective actions are required inputs to management review under Clause 9.3.2. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
Corrective action records support the corporate due-diligence defences in UK legislation by demonstrating active response to identified weaknesses.
