Professional Documents
Culture Documents
ISO27k Corrective Action Procedure
ISO27k Corrective Action Procedure
Document Ref No
I27KIForum-ROR-CA
Approved by
Revision Stat
Richard O. Regalado
Page/Total
1/2
Purpose
The purpose of this procedure is to have a defined method in applying corrective actions to eliminate the cause of non-conformities
on the established information security management system (ISMS).
Scope
This procedure covers the collection of data on non-conformities, analysis of the root cause of nonconformities and action planning
to prevent recurrence of problems.
RESPONSIBILITY
PROCESS FLOW
Auditor
Observer
Identify non-conformities
Auditor
Observer
Auditor
Observer
2
Auditee
Auditees management
DETAILS
Lead Auditor
Auditor
Corrective action is
valid?
No
Yes
Lead Auditor
Lead Auditor
REVISION HISTORY
No
0
Revision Details
Initial issue
Effectivity Date
2007 09 20
1
2
This work is copyright 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons
Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it
is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum www.ISO27001security.com), and (c)
derivative works are shared under the same terms as this.).
Document Title
Document Ref No
I27KIForum-ROR-CA
PROCESS FLOW
2/2
DETAILS
Lead Auditor
Corrective action is
implemented?
Yes
Lead Auditor
No
2
Lead Auditor
Corrective action is
effective?
Yes
No
Lead Auditor
Lead Auditor
Process non-conformity
Product non-conformity
Customer complaints
Information security
incidents
DESCRIPTION
All observed non-conformities and observations shall merit corrective actions from
the auditee and auditees management.
Non-conformities related to process deviations. Examples would be: non-updating
of virus definitions, non-monitoring of required logs, non-implementation of a
security procedure. Process non-conformities may be raised outside the inernal
audit activities by any staff who has observed the event.
A deviation or error on the output of a process thereby compromising integrity.
Examples would be errors in coding that were uncovered by the customer, nonattainment of service level agreements. Product non-conformities may be raised
outside the internal audit activities by any staff who has witnessed the nonconformity.
Valid complaints coming from customers.
Corrective action shall be established on all valid information security breaches
after the remediation steps have been accomplished (Refer to IS Investigation
form)
This work is copyright 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons
Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it
is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum www.ISO27001security.com), and (c)
derivative works are shared under the same terms as this.).