Iso27k Corrective Action Procedure

  • November 2019
  • PDF

Document Title: CORRECTIVE ACTION PROCEDURE
Document Ref No: I27KIForum-ROR-CA
Prepared and reviewed by: Richard O. Regalado
Approved by:
Revision Stat: 0
Page/Total: 1/2

Purpose

The purpose of this procedure is to define a method for applying corrective actions that eliminate the causes of non-conformities in the established information security management system (ISMS).

Scope

This procedure covers the collection of data on non-conformities, the analysis of the root cause of non-conformities, and the planning of actions to prevent recurrence of problems.

PROCESS FLOW (page 1 of 2), with RESPONSIBILITY and DETAILS for each step

Step 1. Identify non-conformities
  Responsibility: Auditor, Observer
  Details: Non-conformities may be identified in any of several ways. Refer to the non-conformities identification guide on page 2.

Step 2. Determine the extent or gravity of the non-conformity
  Responsibility: Auditor, Observer
  Details: There are cases wherein the observed or detected non-conformity is only the "surface" of a much bigger or more serious non-conformity.

Step 3. Issue a Non-conformance Corrective Action/Preventive Action report (NCPAR) to the concerned person or auditee
  Responsibility: Auditor, Observer
  Details: Refer to the instructions on page 2 of the NCPAR for proper usage.

Step 4. Apply immediate or containment action to arrest the non-conformity (connector 2: re-entry point when a new NCPAR is issued on page 2)
  Responsibility: Auditee, Auditee's management

Step 5. Determine the root cause of the non-conformity
  Responsibility: Auditee, Auditee's management
  Details: Root cause analysis tools such as the why-why analysis and the Ishikawa diagram shall be used to identify the root causes of the non-conformity.

Step 6. Establish corrective action based on root cause analysis
  Responsibility: Lead Auditor, Auditor
  Details: Corrective actions shall be applied in a holistic manner, with effort made to ensure their applicability to other areas or processes.

Decision: Corrective action is valid?
  No: loop back and rework the corrective action.
  Yes: continue to Step 7.
  Details: For a corrective action to be valid, it shall ensure "non-recurrence" of the non-conformity.

Step 7. Enter details in the NCPAR Log
  Responsibility: Lead Auditor

Step 8. Perform a follow-up audit within 3 days after the committed date of implementation
  Responsibility: Lead Auditor
  Details: The Lead Auditor shall monitor the NCPAR Log on a weekly basis to verify "open" non-conformities and ensure the timeliness of follow-up audits. Follow-up shall be performed to ensure implementation of the corrective action.

(Flow continues on page 2 via connector 1.)

REVISION HISTORY
  No: 0
  Revision Details: Initial issue
  Effectivity Date: 2007 09 20

This work is copyright © 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.


PROCESS FLOW (page 2 of 2), continued from page 1 via connector 1

Decision: Corrective action is implemented?
  Responsibility: Lead Auditor
  Yes: continue to Step 9.
  No: Issue a new NCPAR and return to page 1 via connector 2.

Step 9. Perform a 2nd follow-up 3 months after the committed implementation date
  Responsibility: Lead Auditor
  Details: Follow-up shall be performed to ensure implementation of the corrective action.

Decision: Corrective action is effective?
  Responsibility: Lead Auditor
  Yes: continue to Step 10.
  No: Issue a new NCPAR.

Step 10. Close out the non-conformity by making proper notations on the NCPAR Log
  Responsibility: Lead Auditor

Step 11. File and maintain all records in accordance with the Control of Records procedure
  Responsibility: Lead Auditor

Instances where non-conformities may be found

SITUATION: As a result of internal ISMS audits
DESCRIPTION: All observed non-conformities and observations shall merit corrective actions from the auditee and the auditee's management.

SITUATION: Process non-conformity
DESCRIPTION: Non-conformities related to process deviations. Examples: failure to update virus definitions, failure to monitor required logs, failure to implement a security procedure. Process non-conformities may be raised outside the internal audit activities by any staff member who has observed the event.

SITUATION: Product non-conformity
DESCRIPTION: A deviation or error in the output of a process that compromises integrity. Examples: coding errors uncovered by the customer, non-attainment of service level agreements. Product non-conformities may be raised outside the internal audit activities by any staff member who has witnessed the non-conformity.

SITUATION: Customer complaints
DESCRIPTION: Valid complaints coming from customers.

SITUATION: Information security incidents
DESCRIPTION: Corrective action shall be established for all valid information security breaches after the remediation steps have been accomplished (refer to the IS Investigation form).


Related Documents