Scribd Logo
Upload

Welcome to Scribd!

  • ISO27k Preventive Action Procedure PDF

    Uploaded by

    Tahir
    21 views2 pages

    Original Title

    ISO27k_Preventive_action_procedure.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    21 views2 pages

    ISO27k Preventive Action Procedure PDF

    Uploaded by

    Tahir

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    Document Title

    Document Ref No

    PREVENTIVE ACTION PROCEDURE


    Original Author:

    I27KIForum-ROR-PA

    Approved by

    Revision Stat

    Richard O. Regalado
    Purpose
    Scope

    Page/Total

    1/2

    The purpose of this procedure is to have a defined method in applying preventive actions to eliminate the
    cause of potential non-conformities on the established information security management system (ISMS).
    This procedure covers the collection of data on potential non-conformities, analysis of the potential root
    causes of nonconformities and action planning to prevent occurrence of non-conformities.

    RESPONSIBILITY

    PROCESS FLOW

    Auditor
    Observer

    Determine the extent or gravity of the


    potential non-conformity
    Issue Non-conformance Corrective Action/
    Preventive Action report (NCPAR) to
    concerned person or auditee

    Auditor
    Observer

    Auditee
    Auditees management

    Lead Auditor
    Auditor

    Potential non-conformities maybe in the


    form of findings during internal audits
    (improvement potentials), suspected
    information security weaknesses and
    suggestions by [company] staff.

    Identify potential non-conformities

    Auditor
    Observer

    Auditee
    Auditees management

    DETAILS

    Refer to instructions on page 2 of NCPAR


    for proper usage

    Apply immediate or containment action to


    arrest the non-conformity
    Determine potential root cause of the nonconformity

    Root cause analysis tools such as the


    why-why analysis and Ishikawa diagram
    shall be used to identify potential root
    causes of the non-conformity.

    Establish preventive action based on rootcause analysis

    Preventive actions shall be applied in a


    holistic manner with efforts done to
    ensure applicability on other areas or
    processes.

    Preventive action
    is valid?

    No

    For preventive action to be valid, it


    shall ensure non-occurrence of the
    non-conformity.

    Yes
    Lead Auditor

    Enter details in the NCPAR Log

    Lead Auditor

    Perform follow-up audit within 3 days after


    the committed date of implementation.

    Lead Auditor shall monitor NCPAR Log


    on a weekly basis to verify open
    potential non-conformities and ensure
    timeliness of follow-up audits.
    Follow-up shall be performed to ensure
    implementation of preventive action.

    REVISION HISTORY
    No
    0

    Revision Details
    Initial issue

    Effectivity Date
    2009 06 03

    1
    2
    This work is copyright 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons
    Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it
    is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum www.ISO27001security.com), and (c)
    derivative works are shared under the same terms as this.).

    Document Title

    Document Ref No

    PREVENTIVE ACTION PROCEDURE


    RESPONSIBILITY

    Revision Stat Page/Total

    I27KIForum-ROR-PA
    PROCESS FLOW

    2/2

    DETAILS

    Lead Auditor

    Preventive action
    is implemented?

    Issue new NCPAR

    Yes

    Lead Auditor

    No
    2

    Perform 2nd follow-up 3 months after


    committed implementation date
    Follow-up shall be performed to ensure
    implementation of corrective action.

    Lead Auditor

    Preventive action
    is effective?

    Yes

    No

    Issue new NCPAR

    Lead Auditor

    Close out non-conformity by making proper


    notations on the NCPAR Log.

    Lead Auditor

    File and maintain all records in


    accordance with Control of records
    procedure

    Instances where potential non-conformities may be identified


    SITUATIONS

    DESCRIPTION

    As a result of internal
    audits

    Observed improvement potentials are possible sources of preventive actions.

    Identification of
    information security
    weaknesses

    Weaknesses shall be issued appropriate preventive actions lest they become fullblown information security incidents.

    Near-misses

    Environmental and health and safety near-misses shall be issue corresponding


    preventive actions before they become accidents.

    This work is copyright 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons
    Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it
    is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum www.ISO27001security.com), and (c)
    derivative works are shared under the same terms as this.).

    You might also like