Introducing ISO 27001 Clause 10: Improvement
Clause 10 of ISO 27001 is the final clause, focusing on how you handle problems and drive continuous improvement in the ISMS.
Even with all the best planning and checking, there will be times you need to correct things (nonconformities) and chances to improve the ISMS (continual improvement). This clause falls under the ‘Act’ stage of the widely recognised PLAN-DO-CHECK-ACT cycle, which ensures that organisations continuously enhance their ISMS to maintain optimal security performance.
Read on below to learn what ISO 27001 Clause 10 means and how to implement it.
Explore Each ISO Clause in More Detail by Selecting One to View
Table of Contents
Clause 10.1 – Continual Improvement
ISO 27001 Clause 10.1 is a general requirement that you continually improve the ISMS’s suitability, adequacy, and effectiveness. This is somewhat abstract – it doesn’t specify how, just that you should always be looking to enhance the ISMS.
In practice, continual improvement can be achieved by:
- Addressing any findings from audits or reviews (this overlaps with 10.2 since those are nonconformities or at least opportunities).
- Enhancing controls proactively: If you find a new technology that could reduce risk, you implement it even if it is not required by a specific incident.
- Streamlining ISMS processes: making risk assessment easier, or awareness training more engaging, etc.
- Benchmarking and adopting best practices: You might have seen a neighbouring company’s ISMS and had ideas for improving yours.
- Employee suggestions: Perhaps users suggest a better way to enforce a policy—you consider and implement it if it is beneficial.
A simple way to show continual improvement is through your management review action items and subsequent completion of them.
Also, documenting the version history can show that they were updated to be better.
Each cycle of PDCA (Plan-Do-Check-Act) inherently implies improvement; Plan your improvement, Do it, Check how it went, Act upon any feedback. Simple.
Auditors will look for an improvement mindset. They might ask, “How do you drive continual improvement in your ISMS?” and expect answers like “We use findings from audits and incidents to make changes; plus, annually, we set new objectives or raise the bar.”
Clause 10.1 itself might not generate a specific document, but improvement actions are documented via Clause 10.2 or management review outputs.
Clause 10.2 – Nonconformity and Corrective Action
Clause 10.2 is very specific on handling nonconformities (including incidents, audit findings, or any failure to meet requirements) and taking corrective actions. It mirrors the corrective action process found in standards like ISO 9001 quality management.
The Process
The steps are:
Identify & Respond
React to the nonconformity, take action to control and correct it, and deal with the consequences.
In information security, a “nonconformity” could be a security incident (e.g., a breach of a control) or failure to follow a procedure (e.g., backups weren’t done).
First, you fix the immediate problem (contain the incident, get the backups running, etc.) – that’s the “control and correct” part.
Also, mitigate any consequences (e.g., data leaked? Notify as required, recover data, etc.)
Evaluate the need for action to eliminate causes
We should investigate the cause of the nonconformity so it doesn’t reoccur. This is the root cause analysis. Ask why this happened.
For example, if an employee clicked a phishing email (incident) – cause might be insufficient awareness or a missing email filter. Or if an internal audit found “no risk assessment was done for a new system” – cause might be lack of a process to trigger risk assessments on new projects.
Determine any necessary corrective actions
Work out a plan of action to plug that root cause: who, what, when.
Implement the actions
The actual corrective action should be implemented and reviewed as to their effectiveness.
So if you decide “root cause of phishing click is lack of training,” an action could be to do a targeted phishing training or implement simulated phishing tests. After implementing, you might later check “did clicks reduce?” to see if effective.
Review the impact
Keep track of the corrective action and how it is performing. Is it having the desired effect?
Update the nonconformities
This could mean updating procedures, modifying risk assessments, and adding controls (Annex A) – whatever change is needed so the system prevents this issue in the future.
Maintain a log of any nonconformities and any actions taken.
ISO 27001 expects you to have a formal way of handling corrective actions. Usually, companies use a Corrective Action Plan or Log. Each nonconformity (be it from an internal/external audit or an incident) is logged with details:
- Description of nonconformity,
- Date found,
- Owner,
- Root cause analysis summary,
- Corrective action planned,
- Target date,
- Status,
- Close date and verification of effectiveness.
Some treat incidents separately (with incident reports) and audit findings separately, but it’s good to unify tracking because all need corrective actions.
Nonconformity in ISO terms is broad: it can include not fulfilling a requirement of ISO or your ISMS. A security incident often indicates a non-fulfillment (like “policy says no tailgating, but tailgating happened” is nonconformance to policy).
So yes, treat incidents as nonconformities for ISO’s corrective action tracking (in addition to your immediate incident response).
Outputs
Corrective Action Records
Document each nonconformity and how it was resolved. ISO 27001 requires keeping records of corrective actions. This could be completed corrective action forms, an Excel log, or entries in a ticket system.
Updated procedures or policies
If a corrective action required changing documentation or implementing new controls, those updated documents are outputs (with new version numbers).
Preventive changes
Though ISO no longer has a separate “preventive action” clause (since the whole risk management is preventive), your corrective actions often double as preventive for the future.
If no nonconformities occurred in a period, there might be no records — but that’s unlikely (there’s always something to improve, even if it’s small).
Auditors will definitely examine how you handle corrective actions, especially those arising from:
- Internal audits, previous external audits: They will follow up on past findings to ensure you did address them.
- Incidents: They will see if you documented what happened and what you did to prevent recurrence.
- Management review actions: If any actions were set in management review, they are essentially improvements—they’ll check those, too, possibly under Clause 10 or Clause 9.
Documentation and Outputs for Clause 10
Corrective Action Log/Tracker
A centralised log of issues and actions. It could be part of an incident log or separate. Should include root cause and status.
Incident Reports
For security incidents, keep a report detailing what happened and what corrective steps were taken (including future prevention).
Sometimes, organisations have an “Incident Management Report” template that aligns with this clause (sections for root cause, etc.).
Internal/External Audit Nonconformity Reports
Usually, after an internal audit, if nonconformities are found, an NCR report is filled out for each and attached to the corrective action system.
Changes implemented
If, say, a corrective action was “draft a portable media policy,” then that new policy (document) is evidence of improvement.
Procedure for corrective action
Not mandatory, but many have a Corrective Action Procedure that outlines how they log and manage NCs. If you have it, ensure you follow it.
Continual Improvement initiatives
If you have any records of doing improvements outside of specific NCs (like a security improvement plan or budget proposals for new controls), keep those. They show proactive improvement.
What Auditors Look For in ISO 27001 Clause 10
Handling of Past Issues
Auditors will check that all nonconformities from sources like internal audits or the cert audit’s stage 1 (if any) have been addressed or are being addressed. They will likely pick a few examples:
- “Your internal audit in May found a nonconformity: ‘No encryption on executive laptops.’ What did you do?” You should show the corrective action: perhaps by July you encrypted them and updated policy to enforce encryption. And show that’s verified (maybe a vulnerability scan report now shows compliance).
- If any issues were raised in the Stage 1 (readiness) audit, they will ensure those are closed.
My FREE Information Security Toolkit
Every mandatory document template
ISO 27001 Compliant
Incident follow-up
Suppose you had a real incident (like a minor breach). The auditor will absolutely ask about it. They’ll want to see an incident report and evidence that you not only resolved the issue but also changed something to prevent it.
Did you update the risk assessment and add a control if an incident revealed a gap? If yes, show it (updated risk register, new control in SoA, etc.). They want you to treat incidents as opportunities to harden the system (this is improvement).
Proactive Improvement
They might ask, “How do you drive improvements aside from reacting to incidents and audits?” A good answer might be, “We set new objectives each year and track them (as per 6.2), and we keep an eye on new best practices.
For example, “this year, we decided to implement an endpoint detection system to improve threat response, even though we hadn’t had a breach – it was an improvement initiative.” If you did something like that, mentioning it is evidence of Clause 10.1 (continual improvement).
Records of corrective actions
The auditor will likely want to see your corrective action log.
They’ll see entries: e.g., “Internal audit NC#3: Found unprotected USB usage – Root cause: lack of policy – Action: implemented USB control software and created procedure by Dec 2024 – Status: Closed, verified by security test Jan 2025.”
They will look if:
- Timelines are reasonable (you didn’t leave things unaddressed for too long without reason).
- Effective verification: You checked that the fix solved the issue.
- You updated the documentation where needed.
- The issue doesn’t keep recurring – if the same NC appears repeatedly in logs, they might question the effectiveness of corrective actions.
No swept-under-rug issues
If an auditor finds a nonconformity during the certification audit that you clearly should have known about (like something an internal audit should have caught or an incident that happened but was not acted on), they will question your Clause 10.2 process.
Ideally, you should find and correct issues before the external audit. It’s okay to have had issues; it’s not okay to ignore them.
Attitude
They’ll sense if the organization treats corrective action as just paperwork or truly as a learning tool. A positive sign is when employees openly discuss improvements they made after something went wrong, rather than trying to hide problems. That shows a culture of improvement rather than blame.
Example:
During an audit, a company had an unexpected email outage that wasn’t directly a security incident but affected the availability of information (relevant to ISMS). The auditor asked how they handled it. The company showed an incident report: the root cause was a misconfiguration, corrective action was taken (fix config), and they updated their change management process to include a peer review for email server changes (improvement). The auditor was pleased because even though it wasn’t a required ISO control, the company demonstrated the spirit of continual improvement by learning from an IT incident to improve the ISMS (availability control). This helped satisfy ISO 27001 Clause 10.
Another example:
The internal audit found that some employees weren’t aware of the clean desk policy (a minor issue). The corrective action was to send out a reminder and include it in onboarding training. By the time of the external audit, the auditor saw that and maybe even observed desks – and indeed found a much cleaner environment. This closes the loop on a small improvement. The auditor will likely note that as a positive outcome of your corrective action process.
ISO 27001 Clause 10 FAQs
Do we need a separate document for ISO 27001 Clause 10.1 (Continual Improvement)?
No, Clause 10.1 doesn’t require a standalone document. What’s important is that you can show improvement is happening over time. This might be captured through updated procedures, management review outputs, or project plans for enhancements. If you do keep a “Continual Improvement Register” – great! But it’s not mandatory.
What counts as a nonconformity under Clause 10.2?
A nonconformity is any failure to meet ISO 27001 requirements, your internal policies, or procedures. It could be a missed backup, a breach of physical access controls, a policy not being followed, or even an unclear process. Security incidents often highlight nonconformities, but audit findings or staff feedback can uncover them too.
Are incidents and nonconformities the same thing?
Not exactly – but they often overlap. An incident is an event that compromises information security. A nonconformity is a failure to meet a requirement. Many incidents reveal nonconformities, and therefore should trigger corrective actions. For ISO purposes, treat incidents as nonconformities unless it’s clear they didn’t breach any requirement.
Do I need to document root cause analysis?
Yes – ISO 27001 clause 10 expects you to evaluate the cause of each nonconformity before deciding on corrective action. The root cause doesn’t need to be pages long – a short summary will do – but it should show you’ve thought beyond the surface issue. Using techniques like “5 Whys” or “fishbone” diagrams can help, especially for recurring issues.
Can I track corrective actions in a spreadsheet?
Absolutely. A well-structured Excel log is fine – as long as it’s controlled, updated, and includes the required fields: issue, root cause, corrective action, owner, due date, status, and verification of effectiveness. Some organisations use helpdesk/ticket systems or Confluence pages – format doesn’t matter, process does.
What if we had no nonconformities this year – is that a problem?
It’s not automatically a red flag, but auditors might raise an eyebrow. Even well-run ISMSs usually have at least minor issues or improvement opportunities. If your records are completely empty, it could suggest the system isn’t being critically assessed. It’s better to log and fix small things than pretend everything’s perfect.
How do I show continual improvement to an auditor?
Auditors will look for evidence of change and maturity over time. Examples include:
– Updated risk treatments or SoA changes
– Enhanced training or awareness programmes
– New controls implemented (even if not triggered by an incident)
– Lessons learned applied after incidents or audits
– Objectives set and reviewed as part of Clause 6.2
Version control, meeting minutes, and your corrective action log can all help demonstrate this.
Does Clause 10 require a “Corrective Action Procedure”?
Not explicitly – but having one helps ensure consistency. Many organisations document how they raise, analyse, implement, and verify corrective actions. If you don’t have a procedure, be ready to explain your process clearly during an audit and show that it’s consistently followed.
Who should own corrective actions?
Each action should have a clear owner – usually someone who understands the issue and has the authority to fix it. The ISMS lead or security team might oversee the process, but actions could be assigned across departments (IT, HR, facilities, etc.). Ownership and accountability are key to driving completion.
Can we treat customer complaints as nonconformities?
Ooo… It overlaps with ISO 9001. Yes, if the complaint points to a failure to meet an internal requirement or control. For example, if a customer reports receiving another client’s data, that’s not just a complaint – it’s a security incident and a nonconformity that must be investigated and corrected.
Further Reading
Get the ISO 27001 Standard
