Non-conformities in ISMS audit : Implementing Corrective Controls
Image : Shutterstock
Despite all the efforts made by organisations to establish a perfect ISMS, there still may exist not fully imlemented or unimplemented controls . A non-conformity is non-fulfillment of a requirement in ISO 27001. The internal and in external auditor use nonconformities to judge the level of ISMS compliance with ISO 27001 standard. non-conformities take up major part of audit report.
Following are common non-fulfillment examples.
- Lack of records on corrective actions taken.
- Not using specific reporting form defined by a procedure.
- Not producing reports for customers as agreed.
- A control not implemented as specified.
- A control is not implemented at all.
non-conformities are found from a missing a report on a control or reported result not in specified from as required.
It's possible for an organisation to fail in fulfilling an ISO 27001 requirement, as well as management review not done for taking corrective action. For instance you have a requirement to make backups raise a day, but backup were made weekly or randomly. It is possible that the process completed but not recoded.
The most important is identifying and stopping reoccurrence of
non-conformities.
Follow thus process in managing non-conformities.
First identify the issue. This can be done by anyone in the organisation. You need to have a reporting process for and nonconformities. Identify the impact of the non-conformity and who will be affected before any corrective action taken. All actions taken from the time of identification should be recorded in Corrective Action Report.
Nonconformity reporting includes following elements.
- Short description of the non-conformity.
- Evidence of the audit.
- Reference to the requirement such as procedure or contract.
- Summary of the requirement.
- Identify the non-conformity.
- Communicate and gather a response crew.
- initiating a containment action. This could range from stopping a process, adjusting controls, or rescheduling activities.
- Communicate to relevant stakeholders, who may have been affected.
- Start an investigation promptly to find the root cause.
- Implement a permanent corrective control.
- Review corrective control effectiveness.
- Include the nonconformity in monitoring and Review process.
- The problem and history of occurence.
- Where did the non-conformity occur?
- What is the impact?
- Who was effected?
- When did it occur and when was it reported?
- How big is the problem?
- How frequent does it occurr?
- Why this is happening?
- How can it be measured?
During the investigation make sure that the interim action will contain the problem.
Niranjan Meegammana
Comments
Post a Comment