** FREE PREVIEW VERSION ** Commented [EU GDPR1]: To learn how to fill out this

document, and to see real-life examples of what you need to write,

watch this video tutorial: “How to Write ISO 27001 Procedure for
Corrective and Preventive Action”.

To access the tutorial, choose one of the following options

(depending on how you received the document):

a) For document(s) delivered via Conformio: log into

Conformio, click "Helpful materials" in the top menu, choose
your language, and open the folder "Video tutorials".

b) For document(s) delivered via email: in your Inbox, find the

email that you received at the moment of purchase - there, you
will see a link that will enable you to access the video tutorial.

[Organization logo] Commented [EU GDPR2]: All fields in this document marked
by square brackets [ ] must be filled in.
[Organization name]

Commented [EU GDPR3]: To learn more about this topic,

PROCEDURE FOR CORRECTIVE ACTION read this article:

Practical use of corrective actions for ISO 27001 and ISO 22301
https://advisera.com/27001academy/blog/2013/12/09/practical-
use-of-corrective-actions-for-iso-27001-and-iso-22301/
Code:
Commented [EU GDPR4]: The document coding system
should be in line with the organization's existing system for
Version: document coding; in case such a system is not in place, this line
may be deleted.

Date of version:

Created by:

Approved by:

Confidentiality level:

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. www.advisera.com in accordance with the License
Agreement.
[organization name] [confidentiality level]

Change history
Date Version Created by Description of change

dd.mm.yyyy 0.1 EUGDPRAcademy Basic document outline

Table of contents
1. PURPOSE, SCOPE AND USERS ..............................................................................................................3

2. REFERENCE DOCUMENTS ....................................................................................................................3

3. CORRECTIONS AND CORRECTIVE ACTIONS ...........................................................................................3

3.1. NONCONFORMITIES AND CORRECTIONS........................................................................................................... 3

3.2. CORRECTIVE ACTIONS ..................................................................................... ERROR! BOOKMARK NOT DEFINED.
3.3. IMPLEMENTATION OF CORRECTIVE ACTIONS ........................................................ ERROR! BOOKMARK NOT DEFINED.

4. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT .........ERROR! BOOKMARK NOT DEFINED.

5. VALIDITY AND DOCUMENT MANAGEMENT........................................ERROR! BOOKMARK NOT DEFINED.

6. APPENDICES .....................................................................................ERROR! BOOKMARK NOT DEFINED.

Procedure for Corrective Action ver [version] from [date] Page 2 of 3

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. www.advisera.com in accordance with the License
Agreement.
[organization name] [confidentiality level]

1. Purpose, scope and users

The purpose of this procedure is to describe all activities related to the initiation, implementation
and keeping of records of corrections, as well as corrective actions.

This procedure is applied to all activities implemented in the Information Security Management
System (ISMS) and to all personal data processing activities.

Users of this document are all employees of [organization name].

2. Reference documents
 ISO/IEC 27001 standard, clause 10.1
 Information Security Policy
 Internal Audit Procedure
 Incident Management Procedure

3. Corrections and corrective actions

3.1. Nonconformities and corrections

A nonconformity is any failure to meet the requirements of the standards, internal documentation,
regulations, contractual and other obligations within the ISMS. Nonconformities can be identified
during an internal or external audit, based on results of the management review, after incidents,
during normal business operations or on any other occasion.

An employee who notices a nonconformity must take immediate action to control it, contain it and
correct it, and to deal with its consequences; if an employee is not responsible for such
nonconformity he/she must forward information about that nonconformity to a responsible person,
who must make a correction.

** END OF FREE PREVIEW **

To download full version of this document click here:

https://advisera.com/27001academy/documentation/procedure-for-corrective-action-2/

Procedure for Corrective Action ver [version] from [date] Page 3 of 3

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. www.advisera.com in accordance with the License
Agreement.