Even the best-designed security programs run into discrepancies. What should you do in these situations?

What does clause 10.2 actually require?
Clause 10.2 of ISO 27001:2022 requires organizations to develop and maintain a process for dealing with non-conformances to the security program.
In concrete terms, this means identifying and assessing deviations from standard requirements or internal policies, analyzing the root causes using tools such as the “5 Whys” method, defining and prioritizing appropriate corrective measures, documenting each step in appropriate records, and regularly evaluating the effectiveness of implemented solutions.
This process must be carried out diligently, within reasonable deadlines, and include rigorous follow-up to prevent any recurrence of the problem. This often involves internal or external audits. These audits are an ideal opportunity to clearly identify any discrepancies. However, depending on the size and type of company, other spot checks or systematic audits may also be carried out to identify non-conformities in specific processes or during critical events.
Clause 10.2 has its origins in the fundamental principles of continuous improvement, which is the cornerstone of standardized management systems, notably the Plan-Do-Check-Act (PDCA) approach. It acts as a reactive and proactive mechanism for rectifying shortcomings identified during internal or external audits, management reviews or information security incidents. It plays a complementary role by establishing a continuous cycle of improvement that reinforces the organization’s resilience in the face of threats.
Perfection doesn’t exist, but continuous improvement means we can always move forward.
Non-conformity management procedure
The purpose of this procedure is to describe the steps to be taken to identify, deal with and prevent non-conformances within the scope of the ISMS, thus ensuring compliance with clause 10.2 of ISO 27001:2022.
Responsibilities:
- Auditors, managers or line managers: monitor and report non-conformities.
- Information security manager: analyzes causes, plans corrective actions and monitors execution.
- Management: validates corrective actions and ensures their alignment with strategic objectives.
Stages of the non-conformity management procedure
a) Identification:
Regularly monitor processes and carry out internal or external audits to identify deviations. Detect non-conformities through incidents reported by staff.
Provide a standard form for reporting non-conformities. This can be done via digital forms, platforms such as SharePoint or Jira, or by direct notification to the ISMS manager.
The procedure must allow all employees to report deviations without fear. Information to be included in the form: Date of detection, description of non-conformity, system concerned, clause affected, potential impact and priorities.
Examples of non-conformities
- Failure to regularly review access to critical systems.
- Failure to perform backup recovery tests.
- Failure to manage a major vulnerability in a timely manner.
b) Immediate reaction if necessary
When a non-conformity is detected, the organization must immediately take note of it and, if necessary, put a temporary fix in place to avoid any incident until a thorough analysis has been carried out. This temporary fix ensures continuity of operations while minimizing risk until a lasting solution is defined.
c) Cause analysis:
The “5 Whys” method is a simple yet powerful approach to identifying the root causes of a non-conformity or problem. It involves asking the question “Why?” repeatedly, usually five times, until the root cause is revealed.
If necessary, hold a meeting with the parties concerned to carry out the exercise or validate the root cause. This step is crucial to confirm that the non-conformity has been correctly identified and its implications understood.
d) Planning:
Define corrective actions to address the root cause of the non-conformity and prevent its recurrence. These actions must be context-specific, realistic and aligned with the organization’s security objectives. Clearly assign responsibility for their implementation to a designated person, setting precise deadlines to ensure follow-up.
If the implementation of corrective actions requires modifications to the Security Program (ISMS), the organization must follow the procedure defined in clause 6.3 of ISO 27001. This clause provides a framework for change management, ensuring that any modifications are planned, executed and evaluated in a controlled manner to preserve the integrity and effectiveness of the ISMS.
e) Implementation:
Implement planned measures by involving the necessary teams.
Make sure employees understand and follow the new guidelines. Train them if necessary to ensure adoption of the changes.
f) Monitoring and verification:
Carry out post-implementation checks to assess the effectiveness of corrective actions, and to check that they have correctly resolved the non-conformity. A designated person should be responsible for this evaluation, ensuring that the measures taken meet expectations and correct the root cause.
In addition, regularly review non-conformance records to detect trends or recurring problems. This proactive analysis helps identify areas for continuous improvement and anticipate risks before they become critical, strengthening the overall resilience of the ISMS.
Performance indicators:
- Average time to identify and deal with a non-conformity.
- Recurrence rate of non-conformities after corrective action.
- Percentage of actions completed on schedule.
Documentation
Document the details of each non-conformity in a formal log. The log should include:
- A unique identifier for each non-conformity.
- A detailed description of the non-conformity.
- The clause of the standard concerned by the non-conformity.
- The date of detection of the non-conformity.
- Root cause identified.
- A short-term action plan to resolve the non-conformity if necessary.
- A long-term action plan to prevent recurrence.
- The action plan manager.
- Next action plan follow-up dates.
- Success criteria to validate the implementation of corrective actions.
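The log fields above and the performance indicators listed earlier fit together: each indicator can be computed directly from a well-kept record. The following Python example is added here to show that link; it is not code from the article. It models one log entry with the fields the article lists (field names, the `due_on`/`closed_on`/`recurred` tracking fields and the sample records are assumptions of this example), rejects entries that lack the mandatory reporting data, and computes the three indicators plus a list of overdue open items for follow-up.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

# One entry of the non-conformity log. Field names are this example's
# choice; they follow the items listed in the article's "Documentation" section.
@dataclass
class NonConformity:
    nc_id: str                      # unique identifier
    description: str                # detailed description
    clause: str                     # clause of the standard concerned
    detected_on: date               # date of detection
    root_cause: str = ""            # filled in after the "5 Whys" analysis
    short_term_plan: str = ""       # temporary fix, if any
    long_term_plan: str = ""        # corrective action preventing recurrence
    owner: str = ""                 # action plan manager
    next_follow_up: Optional[date] = None
    success_criteria: str = ""
    due_on: Optional[date] = None   # deadline agreed at planning stage (assumed field)
    closed_on: Optional[date] = None  # set once verification confirms closure (assumed field)
    recurred: bool = False          # set if the same deviation reappears later (assumed field)


def validate(nc: NonConformity) -> None:
    """Refuse to log an entry that is missing the mandatory reporting data."""
    for name in ("nc_id", "description", "clause"):
        if not getattr(nc, name).strip():
            raise ValueError(f"{nc.nc_id or '<no id>'}: field '{name}' is required")
    if nc.closed_on is not None and nc.closed_on < nc.detected_on:
        raise ValueError(f"{nc.nc_id}: closed before it was detected")


def average_days_to_close(log: List[NonConformity]) -> float:
    """Indicator 1: mean days from detection to closure over closed items (0.0 if none)."""
    durations = [(nc.closed_on - nc.detected_on).days for nc in log if nc.closed_on]
    return float(mean(durations)) if durations else 0.0


def recurrence_rate(log: List[NonConformity]) -> float:
    """Indicator 2: share of closed items whose deviation reappeared after corrective action."""
    closed = [nc for nc in log if nc.closed_on]
    return sum(nc.recurred for nc in closed) / len(closed) if closed else 0.0


def on_schedule_rate(log: List[NonConformity]) -> float:
    """Indicator 3: share of closed items closed on or before their deadline."""
    closed = [nc for nc in log if nc.closed_on and nc.due_on]
    return sum(nc.closed_on <= nc.due_on for nc in closed) / len(closed) if closed else 0.0


def overdue_open(log: List[NonConformity], today: date) -> List[str]:
    """Open items past their deadline: the list the security manager chases first."""
    return [nc.nc_id for nc in log if nc.closed_on is None and nc.due_on and nc.due_on < today]


# Constructed sample log (not real audit findings); dates chosen for the example.
LOG = [
    NonConformity("NC-001", "Access to the HR system not reviewed this quarter", "A.5.18",
                  date(2024, 1, 10), root_cause="No review reminder in the ticketing calendar",
                  owner="ISMS manager", due_on=date(2024, 2, 10), closed_on=date(2024, 2, 5)),
    NonConformity("NC-002", "No backup restore test for the file server", "A.8.13",
                  date(2024, 1, 20), root_cause="Restore test not in the backup runbook",
                  owner="IT operations", due_on=date(2024, 2, 20), closed_on=date(2024, 3, 1),
                  recurred=True),
    NonConformity("NC-003", "Critical vulnerability left unpatched beyond policy deadline", "A.8.8",
                  date(2024, 3, 1), owner="IT operations", due_on=date(2024, 4, 1)),
    NonConformity("NC-004", "Supplier contract missing security clauses", "A.5.20",
                  date(2024, 2, 1), owner="Procurement", due_on=date(2024, 2, 15),
                  closed_on=date(2024, 2, 15)),
]
for entry in LOG:
    validate(entry)

if __name__ == "__main__":
    print(f"average days to close: {average_days_to_close(LOG):.1f}")
    print(f"recurrence rate:       {recurrence_rate(LOG):.0%}")
    print(f"closed on schedule:    {on_schedule_rate(LOG):.0%}")
    print(f"overdue and open:      {overdue_open(LOG, date(2024, 4, 10))}")
```

Keeping `due_on`, `closed_on` and `recurred` as explicit fields is what makes the indicators auditable: an auditor can recompute each percentage from the log rather than trusting a figure in a slide. A recurrence flag that is never set is itself a signal worth checking during the periodic review of the log.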
Common pitfalls:
- Don’t put off until tomorrow what can be done today. Deal with non-conformities as soon as they are detected.
- Tackling only the symptoms without treating the root cause is like shoveling snow without clearing the driveway.
- Keep a written record of the entire process to ensure transparency and facilitate future audits.
- An informed and committed team is your best defense against non-conformities.
Success Criteria
Here are some questions an auditor might ask to validate compliance with clause 10.2 of ISO 27001:2022:
- How do you identify and document ISMS non-conformities?
- How do you analyze the root causes of non-conformities?
- Can you provide recent examples of corrective actions implemented and their results?
- How do you check the effectiveness of corrective actions?
- How is the non-conformity management process documented?
I invite you to click on “Follow” to continue learning more about the field of information security.