ISO 27001 Clause 10 – Continual Improvement & Corrective Action Guide
ISO/IEC 27001:2022 Clause 10, “Improvement,” is the final set of mandatory requirements for an Information Security Management System (ISMS). This clause defines how an organization must handle nonconformities (instances where the ISMS deviates from requirements) and drive continual improvement of the ISMS.
ISO/IEC 27001 Clause 10 – Improvement (Continual Improvement & Corrective Action)
Clause 10 is divided into two sub-clauses: 10.1 Continual Improvement and 10.2 Nonconformity and Corrective Action.
Together, these requirements reinforce a culture of continuous enhancement and effective problem resolution in your security program. Below, we break down each sub-clause and offer guidance on how to meet these requirements.
Clause 10.1 – Continual Improvement
Clause 10.1 requires organizations to continually improve the suitability, adequacy, and effectiveness of their ISMS. In practice, this means your information security practices must never be treated as finished or “good enough”: the ISMS has to be refined and updated on an ongoing basis. The standard recognizes that new threats, business changes, and lessons learned will always create opportunities to strengthen security, so no ISMS is ever complete; as the risks evolve and better practices emerge, the system must evolve with them.
Why continual improvement matters
The cyber threat landscape is constantly changing, and internal operations aren’t static either. New technologies, evolving attack methods, and shifting business objectives can all render yesterday’s controls insufficient. Continual improvement ensures your ISMS keeps pace with these changes. It also addresses the reality that initial implementations of controls might not be 100% effective – by measuring performance and making adjustments, you fine-tune the ISMS over time. Clause 10.1 essentially “sets the stage” for this proactive approach, ensuring that security measures remain appropriate and effective as conditions change.
Key practices to foster continual improvement include:
- Regular Monitoring and Reviews: Use internal audits and management reviews (per Clause 9) to identify weaknesses or opportunities for improvement. For example, management review meetings should discuss ISMS performance and generate action items for enhancements. Auditors will look for evidence that you actually implement these improvement actions, demonstrating a culture of ongoing progress.
- Plan-Do-Check-Act (PDCA) Cycle: Apply the PDCA approach to structure improvements. Plan changes (based on identified issues or opportunities), implement them, check the results (through testing or metrics), and act by refining the ISMS further. This systematic cycle helps ensure changes are effective and aligned with organizational goals.
- Risk-Based Prioritization: Not all improvements are equal. Focus on areas where security risks or business impact are highest. For instance, if a new threat could critically affect your operations, improvements to mitigate that threat should be prioritized. Clause 10.1’s focus on suitability and adequacy implies that enhancements should address the most significant risks and business needs first.
- Documentation of Changes: Keep an improvement log or similar record of enhancements made to the ISMS. Documenting what was changed and why provides transparency and helps track the effectiveness of each improvement. It also ensures lessons learned are preserved. Clear records make it easier to demonstrate to auditors that continual improvement is happening and to understand the history of your security program’s growth.
Auditors will expect to see this mindset in action – for example, they may check that findings from internal audits or new risk assessments have led to concrete improvements in the ISMS.
Continual improvement helps keep your ISMS effective amid change and reinforces that information security is not a one-time project but an ongoing process.
Clause 10.2 – Nonconformity and Corrective Action
Clause 10.2 comes into play when something goes wrong or doesn’t meet the ISMS requirements. A nonconformity is the non-fulfilment of a requirement: a situation where your ISMS does not conform to the standard, to your own policies and procedures, or to other planned arrangements. In plain terms, it is a failure in the ISMS, such as a control that was not applied, a policy violation, or a process failure that allowed an incident to occur. Note that a security incident by itself is not automatically a nonconformity (incidents can happen even when every control operated as designed, because residual risk is never zero); the nonconformity is the control or process failure behind it, and that is what corrective action must address. Clause 10.2 requires organizations to react to nonconformities, take action to control and correct the issue, deal with any consequences, and eliminate the root causes so the problem doesn’t recur.
To comply with Clause 10.2, your organization should establish a clear corrective action process. Key steps in this process include:
- React Promptly to the Nonconformity: When a nonconformity is identified (e.g. through an incident report or audit finding), take immediate action to control and correct it. This might involve containing a security incident, fixing a process error, or isolating affected systems. You must also deal with the consequences of the issue – for example, if a data breach occurred, this means notifying stakeholders or regulators as required and remediating any damage. The standard separates “control and correct” from “deal with the consequences” to ensure you manage both the immediate fix and the fallout comprehensively.
- Investigate and Determine Root Cause: Perform a thorough analysis to identify the cause of the nonconformity, and determine whether similar issues exist or could occur elsewhere. Techniques like the “5 Whys” or a fishbone diagram can be useful in digging beyond the surface symptom to uncover underlying causes.
For instance, if an internal audit finds that backups failed, ask why – maybe the procedure was unclear or a responsible person wasn’t assigned. Continue probing until you find the fundamental issue that needs addressing. Additionally, check whether the same root cause might be affecting other areas (could this problem happen in another department or system?). This step is critical for prevention – fixing just the symptom is not enough if the root cause remains.
- Implement Corrective Actions: Develop and execute a plan to eliminate the root cause identified in the previous step. This could mean updating a procedure, providing additional training, fixing a configuration, or other actions so that the nonconformity won’t happen again. Be sure to assign responsibility and deadlines for each action.
For example, if the root cause of a security incident was an outdated firewall rule, the corrective action might include updating the rule set, auditing other rules for similar issues, and instituting a quarterly review of firewall configurations.
- Review Effectiveness of the Fix: After implementing corrective actions, evaluate whether they were effective in resolving the issue. Don’t just assume the fix worked – verify it. This may involve follow-up audits, tests, or monitoring to ensure the nonconformity has truly been corrected and hasn’t recurred. If the problem persists or pops up elsewhere, further action might be needed. Clause 10.2 explicitly expects organizations to review the effectiveness of any corrective action taken as part of closing out a nonconformity.
- Update the ISMS as Necessary: Use what you learned to improve the ISMS. This could mean updating policies, procedures, risk assessments, or controls that were related to the nonconformity. The goal is to make systemic changes so that not only is this issue resolved, but similar issues are less likely to happen.
For example, if a procedure was unclear and led to an error, revise that procedure document and perhaps provide training on the new guidance. Clause 10.2 effectively ties back into Clause 10.1 here – the lessons from each incident or nonconformity drive continual improvement of the system.
- Document Everything: Maintain documented information as evidence of the nature of the nonconformity, the actions taken, and the results of those actions. In practice, this means keeping a record (log/report) of each nonconformity and corrective action: what happened, when it was identified, who handled it, what was done to fix it, and how you confirmed it’s resolved.
Consider maintaining a Nonconformity and Corrective Action Register or using incident tracking software for this purpose. Each entry should link the initial issue to the corrective actions and include references to any updated documents or controls. This makes it easy to review during management meetings or audits.
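The steps above describe a workflow, and the most common audit finding against Clause 10.2 is a nonconformity closed without one of its required pieces of evidence (typically the effectiveness review, or the check for similar nonconformities elsewhere). The following is an added example, not code from the original page or from CyberZoni: a minimal Python register in which each field maps to a requirement of 10.2 and a nonconformity simply cannot be closed while evidence is missing or a corrective action is still open. It also produces the overdue-action list that management review needs. All references (NC-001, NC-002), names, dates and descriptions are constructed sample data that mirror the backup and firewall examples above.

```python
# Added example (not from the original page or from CyberZoni): a small
# register that models the Clause 10.2 workflow and refuses to close a
# nonconformity until every required piece of evidence is recorded.
# All references, owners, dates and descriptions are constructed sample data.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Action:
    """One corrective action with an owner and a deadline (10.2 c)."""
    description: str
    owner: str
    due: date
    done: Optional[date] = None


@dataclass
class Nonconformity:
    ref: str
    source: str                      # "internal audit", "incident", "monitoring", ...
    description: str
    identified: date
    containment: list = field(default_factory=list)   # 10.2 a) 1: control and correct
    consequences: list = field(default_factory=list)  # 10.2 a) 2: deal with the consequences
    root_cause: Optional[str] = None                  # 10.2 b) 2: cause determined
    similar_checked: Optional[str] = None             # 10.2 b) 3: similar NCs elsewhere?
    actions: list = field(default_factory=list)       # 10.2 c): corrective actions
    effectiveness_review: Optional[str] = None        # 10.2 d): did the fix work?
    isms_changes: list = field(default_factory=list)  # 10.2 e): documents/controls updated
    closed: Optional[date] = None

    def open_gaps(self, today: date) -> list:
        """Evidence still missing before this NC may be closed."""
        gaps = []
        if not self.containment:
            gaps.append("no action recorded to control and correct the NC")
        if self.root_cause is None:
            gaps.append("root cause not determined")
        if self.similar_checked is None:
            gaps.append("not checked whether similar NCs exist or could occur elsewhere")
        if not self.actions:
            gaps.append("no corrective action planned")
        for a in self.actions:
            if a.done is None:
                state = "OVERDUE" if a.due < today else "open"
                gaps.append(f"corrective action {state}: {a.description} ({a.owner}, due {a.due})")
        if self.effectiveness_review is None:
            gaps.append("effectiveness of corrective action not reviewed")
        return gaps

    def close(self, today: date) -> None:
        """Close only when the 10.2 evidence trail is complete; otherwise refuse."""
        gaps = self.open_gaps(today)
        if gaps:
            raise ValueError(f"cannot close {self.ref}: " + "; ".join(gaps))
        self.closed = today


def overdue_actions(register: list, today: date) -> list:
    """(NC ref, action) pairs past their deadline on open NCs: management review input."""
    return [(nc.ref, a) for nc in register if nc.closed is None
            for a in nc.actions if a.done is None and a.due < today]


def sample_register() -> list:
    """Constructed entries mirroring the backup and firewall examples in the text."""
    backup = Nonconformity(
        ref="NC-001", source="internal audit", identified=date(2024, 3, 4),
        description="Nightly backups of the file server failed for 9 days unnoticed",
        containment=["Backup job re-run manually; full backup verified 2024-03-04"],
        root_cause="No owner assigned to review backup job alerts after a staff change",
        similar_checked="Checked all 6 scheduled jobs: database backup also had no owner",
        actions=[Action("Assign owners to all backup jobs in the runbook", "IT Ops lead",
                        date(2024, 3, 15), date(2024, 3, 12)),
                 Action("Route backup failure alerts to the on-call queue", "IT Ops lead",
                        date(2024, 3, 29), date(2024, 3, 27))],
        isms_changes=["Backup procedure v2.1: owner and alert-handling sections added"],
    )
    firewall = Nonconformity(
        ref="NC-002", source="incident", identified=date(2024, 4, 10),
        description="Outdated firewall rule left a decommissioned service reachable",
        containment=["Rule removed; exposed host isolated"],
        consequences=["No data access found in logs; no customer notification required"],
        root_cause="No periodic review of firewall rules against the asset inventory",
        similar_checked="Rule set audited: 3 further stale rules found and removed",
        actions=[Action("Institute quarterly firewall rule review", "Network lead",
                        date(2024, 5, 31))],
    )
    return [backup, firewall]
```

In this model NC-001 has every action done and its procedure updated, yet `close()` still refuses it until someone records an effectiveness review (for example, "30 days of backup job logs show no failures"), which is exactly the gap a certification auditor probes. The `similar_checked` field is deliberately mandatory rather than optional, because "could this happen elsewhere?" is a 10.2 requirement that is easy to skip once the immediate fix is in place.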
Certification auditors will often want to see proof of this process in action – for instance, they may ask, “Can you show me an example of a recent security incident or internal audit finding and how you addressed it?”. They expect to find that the organization is not ignoring issues and that there’s an effective, systematic process to correct problems and learn from them.
Clause 10 as a whole is designed to ensure the ISMS keeps improving and becoming more resilient over time, rather than stagnating.
How CyberZoni Can Help with Continuous Improvement
Clause 10 requires vigilance, expertise in problem-solving, and a commitment to ongoing improvement. CyberZoni, as a dedicated cybersecurity service provider, offers support and services to help your organization meet these requirements and build a culture of continual improvement:
- Expert ISMS Audits & Assessments: CyberZoni’s consultants can conduct thorough internal audits or gap assessments of your ISMS to identify nonconformities and areas for improvement. This proactive approach helps catch issues early and provides clear guidance on what needs corrective action before external certification audits.
- Root Cause Analysis & Corrective Action Planning: When problems are found, our team assists in performing in-depth root cause analysis – using proven techniques like 5 Whys or fishbone diagrams – to pinpoint underlying causes. We then help develop effective corrective action plans tailored to your organization, ensuring that fixes address the root issues and are practical to implement.
- Continual Improvement Roadmaps: CyberZoni can work with your management team to establish a continual improvement program. We help set up improvement logs, define relevant Key Performance Indicators (KPIs) for security (e.g. incident trends, control effectiveness measures), and integrate improvement initiatives into your regular management review cycle. Our experts ensure that improvement actions align with your business objectives and risk priorities, so resources are focused where they matter most.
- Training and Awareness: A common challenge in improvement is getting staff to recognize and report nonconformities. CyberZoni provides training workshops and awareness programs so that your employees understand ISO 27001 requirements and know how to spot and report issues. Building this awareness helps cultivate an internal culture where everyone is involved in highlighting improvement opportunities rather than waiting for audits to catch problems.
- Policy and Procedure Updates: As part of corrective actions, policies or procedures often need revision. Our specialists can assist in updating your ISMS documentation to reflect changes (for example, writing a clearer procedure or updating a security policy), and ensure those changes are effectively communicated to all relevant personnel. This documentation support helps maintain compliance and ensures lessons learned are institutionalized.
- Ongoing Support and Guidance: Continuous improvement is an ongoing effort. We offer Virtual CISO services and ongoing consulting, where we periodically review your ISMS performance, advise on emerging best practices, and help plan improvements. With our support, you have an experienced partner to guide you through each turn of the PDCA cycle, keeping your ISMS aligned with the latest threats and standards.