And all those things are, in fact, corrective actions, although these companies probably didn’t
think of them in such a way. ISO 27001, ISO 22301 and other ISO standards require nothing
more than performing those corrective actions in a systematic way – so that it is known exactly
where problems (nonconformities, in ISO terminology) are to be reported, who needs to review
them and make a decision on how to resolve them, who is responsible for eliminating them,
etc. And the best thing of all – in such a transparent system everyone can see what the
problems are (nothing can be hidden), when and how those problems are to be resolved, and
who is responsible for them.
Corrective action procedure – this procedure defines the basic rules for resolving
corrective actions – how to raise one, where they are documented, who has to make
which decisions, how to control their execution, etc.
Corrective actions – these are the records of actual nonconformities, decisions and
activities made to resolve them.
Where to document them. Numerous times, I’ve seen companies use specially designed
paper forms for corrective actions (especially those that implemented ISO 9001) – they are
usually called CARs. The result? No one uses them because it is totally impractical, and
besides, no one knows where to find them. A much better solution is to use some kind of
help desk (or even task management) tool, which probably already exists in your company
and your employees are using on a daily basis – you just need to add another category for
corrective actions, and basically, such a solution will be both practical and compliant with
ISO 27001/ISO 22301.
Write a procedure, or not. It is not mandatory to write the Corrective action procedure
according to ISO 27001 and ISO 22301; however, it is recommended. Normally, the
employees are not familiar with something they don’t do every day, so it might make
sense to write those rules down – unless, of course, it is a process that works flawlessly in
your company, so you won’t need such a document.
Making decisions
Each time a corrective action is raised, someone will have to make a decision whether to take
corrective action or not (because sometimes it doesn’t make sense to do anything) – this
decision can be left to the head of the department where the nonconformity is noticed. If the
corrective action is to be carried out, then the same head of department can decide who will be
responsible for the corrective action, and what the deadline is for its execution.
So, my key point is this – you already make corrective actions regularly in your company, and
you probably do have the technology needed to record them in a way that is compliant with ISO
standards. So, why not use such a system in your day-to-day operations if it can help your
effort to create a better company?