Non-conformities in ISMS audit: Implementing Corrective Controls


Despite all the efforts organisations make to establish a perfect ISMS, there may still be controls that are not fully implemented or not implemented at all. A non-conformity is the non-fulfillment of a requirement in ISO 27001. Internal and external auditors use non-conformities to judge the level of ISMS compliance with the ISO 27001 standard, and non-conformities take up a major part of the audit report.

The following are common examples of non-fulfillment.

  • Lack of records on corrective actions taken.
  • Not using the specific reporting form defined by a procedure.
  • Not producing reports for customers as agreed.
  • A control not implemented as specified.
  • A control is not implemented at all.

Non-conformities are also found when a report on a control is missing, or when a reported result is not in the form specified by the requirement.

It is possible for an organisation to fail to fulfil an ISO 27001 requirement, and also to fail to carry out the management review that should lead to corrective action. For instance, you may have a requirement to make backups daily, but backups were made weekly or at random. It is also possible that the process was completed but not recorded.

The most important thing is identifying non-conformities and stopping their recurrence.

Follow this process in managing non-conformities.

First, identify the issue. This can be done by anyone in the organisation, so you need to have a reporting process for non-conformities. Identify the impact of the non-conformity and who will be affected before any corrective action is taken. All actions taken from the time of identification should be recorded in a Corrective Action Report.

Non-conformity reporting includes the following elements.

  • Short description of the non-conformity.
  • Evidence gathered during the audit.
  • Reference to the requirement such as procedure or contract.
  • Summary of the requirement.

Steps for non-conformity handling:

  • Identify the non-conformity.
  • Communicate and gather a response crew.
  • Initiate a containment action. This could range from stopping a process, to adjusting controls, to rescheduling activities.
  • Communicate to relevant stakeholders, who may have been affected.
  • Start an investigation promptly to find the root cause.
  • Implement a permanent corrective control.
  • Review corrective control effectiveness.
  • Include the non-conformity in the monitoring and review process.

The investigation should be carried out to find answers to:

  • What is the problem and what is its history of occurrence?
  • Where did the non-conformity occur?
  • What is the impact?
  • Who was affected?
  • When did it occur and when was it reported?
  • How big is the problem?
  • How frequently does it occur?
  • Why is it happening?
  • How can it be measured?

During the investigation, make sure that the interim action contains the problem.

Niranjan Meegammana 
