Practical use of corrective actions for ISO 27001 and ISO 22301


Is your company one of those that has no idea what the purpose of corrective actions is? Do
you prepare your corrective actions only a couple of days before your certification audit? And
do you think corrective actions are one of those requirements of ISO 27001/ISO 22301 with no
real practical use?

You are wrong. Here’s why.

The purpose of corrective actions


Basically, any company that is trying to survive in the current market is making improvements
on a daily basis: developing new products, resolving problems with existing
products/services, decreasing costs, etc. Otherwise, it wouldn't be in business anymore.

And all those things are, in fact, corrective actions, although these companies probably didn't
think of them that way. ISO 27001, ISO 22301 and other ISO standards require nothing
more than performing those corrective actions in a systematic way, so that it is known exactly
where problems (nonconformities, in ISO terminology) are to be reported, who needs to review
them and decide how to resolve them, who is responsible for eliminating them,
etc. And the best thing of all: in such a transparent system everyone can see what the
problems are (nothing can be hidden), when and how those problems are to be resolved, and
who is responsible for them.

Who can initiate corrective actions?


Anyone in the company can raise a corrective action, and the same goes for your partners and
suppliers who have a role in your ISMS or BCMS. A corrective action may be raised because of
an internal audit report or because of the results of testing and exercising, but also because
someone thought of a better way to write the policies and procedures, or, e.g., to decrease the
costs of your alternative location. Corrective actions can also demand larger changes;
e.g., top management might conclude that the BCMS did not reach its objectives and want the
whole business continuity strategy redefined.
Required documents
You should have the following documents regarding your corrective actions:

- Corrective action procedure: this procedure defines the basic rules for resolving
corrective actions, i.e., how to raise one, where they are documented, who has to make
which decisions, how to control their execution, etc.
- Corrective actions: these are the records of actual nonconformities, and of the decisions and
activities made to resolve them.

Options for corrective actions


Here are a few decisions you have to make regarding your corrective actions:

- Where to document them. Numerous times, I've seen companies use specially designed
paper forms for corrective actions (especially those that implemented ISO 9001); they are
usually called CARs (corrective action requests). The result? No one uses them, because they are totally impractical, and
besides, no one knows where to find them. A much better solution is to use some kind of
help desk (or even task management) tool, which probably already exists in your company
and which your employees use on a daily basis: you just need to add another category for
corrective actions, and basically, such a solution will be both practical and compliant with
ISO 27001/ISO 22301.

- Merge corrective actions with other management systems. This is definitely
recommended: you don't need three separate databases (or forms) for, e.g., ISO 27001,
ISO 22301 and ISO 9001. Use the same procedure, the same system, the same database.
Of course, the nature of the nonconformities and of the subsequent corrective actions will be
different, but that doesn't prevent you from unifying the system.

- Write a procedure, or not. It is not mandatory to write the Corrective action procedure
according to ISO 27001 and ISO 22301; however, it is recommended. Normally,
employees are not familiar with something they don't do every day, so it might make
sense to write those rules down, unless, of course, the process already works flawlessly in
your company, in which case you won't need such a document.

Making decisions
Each time a corrective action is raised, someone will have to decide whether to take
corrective action or not (because sometimes it doesn't make sense to do anything). This
decision can be left to the head of the department where the nonconformity was noticed. If the
corrective action is to be carried out, then the same head of department can decide who will be
responsible for the corrective action, and what the deadline is for its execution.

So, my key point is this: you already take corrective actions regularly in your company, and
you probably already have the technology needed to record them in a way that is compliant with ISO
standards. So, why not use such a system in your day-to-day operations if it can help your
effort to create a better company?
