Scribd Logo
Upload

Welcome to Scribd!

  • ISO27k Preventive Action Procedure PDF

    Uploaded by

    arunrad
    15 views2 pages

    Original Title

    ISO27k_Preventive_action_procedure.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    15 views2 pages

    ISO27k Preventive Action Procedure PDF

    Uploaded by

    arunrad

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    Document Title Document Ref No

    PREVENTIVE ACTION PROCEDURE I27KIForum-ROR-PA


    Original Author: Approved by Revision Stat Page/Total

    Richard O. Regalado 0 1/2

    The purpose of this procedure is to have a defined method in applying preventive actions to eliminate the
    Purpose
    cause of potential non-conformities on the established information security management system (ISMS).
    This procedure covers the collection of data on potential non-conformities, analysis of the potential root
    Scope
    causes of nonconformities and action planning to prevent occurrence of non-conformities.
    RESPONSIBILITY PROCESS FLOW DETAILS

    Potential non-conformities maybe in the


    Auditor form of findings during internal audits
    Identify potential non-conformities
    (improvement potentials), suspected
    Observer
    information security weaknesses and
    suggestions by [company] staff.

    Determine the extent or gravity of the


    Auditor potential non-conformity
    Observer

    Issue Non-conformance Corrective Action/


    Refer to instructions on page 2 of NCPAR
    Preventive Action report (NCPAR) to for proper usage
    Auditor concerned person or auditee
    Observer

    Apply immediate or containment action to


    2
    arrest the non-conformity
    Auditee
    Auditee’s management
    Determine potential root cause of the non- Root cause analysis tools such as the
    why-why analysis and Ishikawa diagram
    conformity shall be used to identify potential root
    Auditee causes of the non-conformity.
    Auditee’s management Preventive actions shall be applied in a
    Establish preventive action based on root-
    holistic manner with efforts done to
    cause analysis ensure applicability on other areas or
    processes.

    Lead Auditor Preventive action No For preventive action to be valid, it


    shall ensure “non-occurrence” of the
    Auditor is valid? non-conformity.

    Yes

    Lead Auditor shall monitor NCPAR Log


    Lead Auditor Enter details in the NCPAR Log on a weekly basis to verify “open”
    potential non-conformities and ensure
    timeliness of follow-up audits.

    Perform follow-up audit within 3 days after Follow-up shall be performed to ensure
    Lead Auditor implementation of preventive action.
    the committed date of implementation.

    REVISION HISTORY
    No Revision Details Effectivity Date
    0 Initial issue 2009 06 03
    1
    2
    This work is copyright © 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons
    Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it
    is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum www.ISO27001security.com), and (c)
    derivative works are shared under the same terms as this.).
    Document Title Document Ref No Revision Stat Page/Total
    PREVENTIVE ACTION PROCEDURE I27KIForum-ROR-PA 0 2/2
    RESPONSIBILITY PROCESS FLOW DETAILS

    Preventive action
    Lead Auditor No
    is implemented?

    Issue new NCPAR 2


    Yes

    Perform 2nd follow-up 3 months after


    Lead Auditor
    committed implementation date

    Follow-up shall be performed to ensure


    implementation of corrective action.
    Preventive action
    Lead Auditor No
    is effective?

    Issue new NCPAR 2


    Yes

    Close out non-conformity by making proper


    Lead Auditor
    notations on the NCPAR Log.

    File and maintain all records in


    Lead Auditor accordance with Control of records
    procedure

    Instances where potential non-conformities may be identified


    SITUATIONS DESCRIPTION
    As a result of internal
    Observed improvement potentials are possible sources of preventive actions.
    audits
    Identification of
    Weaknesses shall be issued appropriate preventive actions lest they become full-
    information security
    blown information security incidents.
    weaknesses

    Environmental and health and safety near-misses shall be issue corresponding


    Near-misses
    preventive actions before they become accidents.

    This work is copyright © 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons
    Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it
    is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum www.ISO27001security.com), and (c)
    derivative works are shared under the same terms as this.).

    You might also like