What is covered under Section 10 of ISO 27001:2022?
Section 10 addresses how you will improve your ISMS on an ongoing basis.
ISO 27001, like many other ISO standards, is concerned with continual improvement. Given the speed of change in many organisations, not to mention the ever-changing threat landscape, this is arguably one of the most important areas of the standard.
Falling under Section 10 are:
- 10.1 - Demonstrate how the organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system
- 10.2 - Demonstrate how nonconformities and corrective actions will be addressed
ISO 27001 Section 10.1 - Continual improvement
A large part of running an information security management system is to see it as a living and breathing thing. Your organisation should always be assessing, testing, reviewing and measuring the performance of the ISMS, to ensure it is still supporting and meeting your business goals.
There are several mechanisms covered within ISO 27001 for the continual evaluation and improvement of your ISMS, including audits, management reviews, the corrective actions and improvements process, ongoing risk assessment, ongoing staff engagement, etc. The key is not to waste time duplicating work that is already going on in the wider ISMS: that existing work can itself be used to demonstrate that continual improvement is taking place.
ISO 27001 Section 10.2 - Nonconformity and corrective action
Section 10.2 of ISO 27001 concerns the actions your organisation commits to taking when a failure to comply with the standard occurs. The standard refers to such a failure as a 'nonconformity', and the steps you take to correct it are called a 'corrective action'.
In the event of a nonconformity, the organisation should 'take action to control and correct it', and deal with the consequences of the event. It should then take steps to ensure that it doesn't happen again, by addressing the cause of the nonconformity.
The corrective action should be assessed, and its effectiveness measured and documented. Remember, to obtain and maintain ISO 27001 certification, an auditor will expect to see evidence of improvements.
Showing that you are addressing nonconformities, taking corrective actions and so on is not a failure, so do make sure they are visible where appropriate, to demonstrate the philosophy of continual improvement that the standard requires.