Understanding ISO 27001 Clause 10: Continual Improvement of Your ISMS
If your organization is implementing or maintaining an Information Security Management System (ISMS) under ISO 27001, Clause 10 is a key component you can’t overlook. It's focused on continual improvement, ensuring your system doesn’t just stay compliant, but keeps getting better over time.
Whether you're new to ISO 27001 or looking to strengthen your current practices, understanding Clause 10 helps ensure your ISMS remains effective, adaptive, and resilient.
What Is Clause 10?
Clause 10 is all about continual improvement, meaning it focuses on making your Information Security Management System (ISMS) better over time. No system is perfect at first, and the goal of Clause 10 is to ensure that you are always looking for ways to improve your security practices.
In simpler terms, Clause 10 encourages you to regularly check in on your ISMS and ask, “How can we do this better?” If you spot any problems or areas that need attention, the idea is to take action to improve them. It’s about always aiming higher, not just staying where you are. Clause 10 focuses on three core areas:
Nonconformities: If something goes wrong or doesn't meet expectations, you need to identify it, understand why it happened, and fix it.
Corrective Actions: When problems are found, you take corrective steps to prevent them from happening again, making your system stronger.
Preventive Actions: You also need to look ahead and try to spot potential problems before they happen, so you can stop them before they cause harm.
The big takeaway from Clause 10 is that information security is an ongoing effort. It is a process of continually learning, improving, and making sure your ISMS stays strong and effective at protecting your organization’s information. Let’s dive into more detail.
Subclause 10.1 - Continual Improvement
Subclause 10.1 emphasizes the need for ongoing improvement of the ISMS to keep it effective. This involves regularly reviewing ISMS performance through audits, risk assessments, and incident reviews to spot areas for improvement. Feedback from audits, security incidents, and employees should guide these improvements. When nonconformities (things that aren’t working right) are found, corrective actions are needed to fix the root cause and prevent the same issues from recurring.
But continual improvement isn’t just about fixing problems; it’s also about looking for ways to improve proactively, such as by adopting new technologies or refining processes. Leadership plays a key role in driving these improvements, making sure the necessary resources are in place, and promoting a culture of growth. It’s also important to document and communicate any improvements, ensuring transparency and consistency across the organization. This approach helps the ISMS evolve and stay aligned with changing risks and organizational needs, ensuring it remains relevant and effective.
Subclause 10.2 - Nonconformity and Corrective Action
Subclause 10.2 focuses on nonconformity and corrective action within the ISMS. Nonconformity refers to situations where the ISMS doesn’t meet its intended requirements, whether internal (like policies, procedures, or objectives) or external (such as legal or regulatory standards). Corrective actions are the steps taken to address these nonconformities and prevent them from happening again. Here’s a breakdown of the key concepts:
Nonconformity
Nonconformity happens when the ISMS doesn’t meet a specific requirement, whether internal (like organizational policies or performance goals) or external (such as legal, regulatory, or contractual requirements). Examples of nonconformities include:
Failure to follow security policies or procedures.
Unresolved security vulnerabilities or gaps in the system.
Unmet security objectives or goals.
Noncompliance with legal or regulatory requirements.
Nonconformities need to be addressed quickly to avoid security risks that could weaken the ISMS.
Corrective Action
Once a nonconformity is identified, corrective action is needed to solve the problem and prevent it from recurring. The goal is not just to fix the immediate issue but to eliminate the root cause of the nonconformity. Here’s the typical process for corrective action:
Identify the nonconformity: This could come from audits, incident reports, employee feedback, or ongoing monitoring. Once recognized, the nonconformity should be documented, explaining what went wrong and why it was considered a nonconformity.
Root Cause Analysis: It’s important to understand the underlying cause of the issue. Simply addressing the surface-level problem might not prevent it from happening again. By identifying the root cause, you can uncover deeper issues, such as insufficient training, weak processes, or a lack of resources.
Develop Corrective Actions: Once the root cause is clear, corrective actions should be designed to fix the problem. These could include:
Updating policies or procedures.
Providing additional training or resources.
Implementing new technology or controls.
Refining risk management processes.
Implement Corrective Actions: After corrective actions are developed, they should be put into action quickly. Ensure that the necessary resources are allocated, communicate changes to all relevant stakeholders, and make sure those responsible have what they need to carry out the actions.
Monitor Effectiveness: After the corrective actions are implemented, it’s essential to monitor their effectiveness. Make sure the actions successfully resolve the root cause and prevent recurrence. If they don’t work as intended, further analysis and adjustments may be needed.
Documentation and Communication: The entire corrective action process should be documented for transparency, and the changes should be communicated to relevant parties within the organization.
Corrective actions are crucial for maintaining the integrity of the ISMS, ensuring that security practices stay strong and adapt to new challenges. By addressing nonconformities and taking corrective actions, an organization shows its commitment to continual improvement and its dedication to maintaining a secure environment.
Summary
In summary, Clause 10 is essential because it drives the ongoing improvement of the ISMS, keeping it effective and adaptable to new risks, business changes, and security challenges. It encourages organizations to proactively identify and address nonconformities, ensuring that potential issues are tackled before they escalate. This process not only strengthens the ISMS but also aligns it with organizational goals, helping to protect valuable information and support business success.
Ready to Improve Your ISMS? At MHM, we support organizations in achieving and maintaining ISO 27001 certification with expert-led audits and guidance. If you’re reviewing your ISMS or planning for certification, our team can help you navigate continual improvement with confidence. Contact us today to learn more about how we can support your compliance journey.