
ISO 27001 CONTINUOUS IMPROVEMENT

Updated: Aug 16

Acting on feedback to constantly improve your ISMS.



Monitoring & Review Phase of ISO 27001 Continuous Improvement

The ISO 27001 implementation process overview

Don’t worry, my friend, we’ve almost made it.


The Continuous Improvement phase of ISO 27001 implementation focuses on maintaining and enhancing the Information Security Management System (ISMS) effectiveness. In this implementation plan, it is directly linked to Clause 10 “Improvement”.


This phase ensures the ISMS evolves with the organisation's changing needs and continuously improves its information security posture.


Using systematic review and improvement activities, this phase helps to address non-conformities, implement corrective actions, and promote a culture of continuous improvement.


In the previous stage, I talked about the Plan-Do-Check-Act cycle. Well, this part is the “Act”.


The inputs are numerous, but include:

- ISMS Performance Report
- Management Review Minutes
- Audit Findings
- Nonconformities Log

These feed into the single step:

1) Create an Improvement Plan


And output… guess what? An improvement plan.


[Figure: continuous improvement plan steps and outputs]

Create Improvement Plan

Overview

Developing a comprehensive improvement plan is the main purpose of the Continuous Improvement phase.


The improvement plan is based on inputs from ISMS performance reports, management review minutes, audit findings, and non-conformities log. It aims to address identified non-conformities and propose actions to enhance the ISMS.


Having a formal Improvement Plan is not mandatory under the standard, but you do have to demonstrate how you take the outputs from the previous stage, “Monitoring & Review”, and act upon non-conformances and deviations.

Implementation Steps


Collect Inputs

There are lots of sources of improvement inputs, but here are the main ones:


ISMS Performance Reports

Gather data from regular monitoring and measurement activities. This includes metrics on incident response times, the number of security breaches, compliance levels, and other key performance indicators that you deemed important in the previous stage.


Use performance reports to identify trends, deviations, and improvement areas.


Management Review Minutes

Utilise minutes from the management review meetings (ISG). These minutes provide insights into the overall performance of the ISMS, highlight strategic areas for improvement, and record decisions made by senior management.


Audit Findings

Leverage findings from internal and external audits. Audit reports should highlight non-conformities, observations, and recommendations for improvement. They are an absolute wealth of


Non-Conformities Log

Maintain a log of all identified non-conformities from various sources, including audits, incident reports, and monitoring activities.


Make sure to track the status of each non-conformity, including the root cause analysis, the corrective actions taken, and the verification that those actions were effective.

Identify Non-Conformities and Areas for Improvement

Review the collected inputs to identify any non-conformities, weaknesses, or areas that require improvement.


Prioritise the identified issues based on their impact on the ISMS and organisational objectives.


Develop Actionable Plans

Formulate specific, measurable, achievable, relevant, and time-bound (SMART) actions to address the identified non-conformities and improvement areas.


Assign responsibilities for each action item to ensure accountability and effective implementation.

Set realistic timelines for completing each action item and ensure that resources are available to support the implementation.

 

Document the Improvement Plan

Create a detailed improvement plan document that outlines the identified issues, proposed actions, responsible parties, and timelines.


Ensure that the improvement plan is reviewed and approved by senior management, so that it is aligned with organisational goals and the necessary resources are committed.


Monitor and Review Implementation

Given that the whole stage is about reviewing progress and acting upon it, we’ll need to track the improvements and their progress.


Continuously monitor the progress of the improvement actions to ensure they are being implemented as planned.


Conduct regular reviews to assess the effectiveness of the actions taken and make necessary adjustments based on feedback and performance data.


Alignment with ISO 27001:2022 Clause 10

As mentioned earlier, Clause 10 of ISO 27001:2022 focuses on continual improvement of the Information Security Management System (ISMS).


This clause mandates organisations to enhance the ISMS's effectiveness through continuous review and improvement activities.


The Continuous Improvement phase of the implementation supports Clause 10 by systematically addressing non-conformities, implementing corrective actions, and promoting ongoing enhancement of the ISMS.

 

Continual Improvement (Clause 10.1)

The Continuous Improvement phase ensures the ISMS evolves with the organisation's changing needs and continuously improves its information security posture.


  • Created, Documented & Communicated an Improvement Plan: We’ve developed a comprehensive improvement plan based on inputs from performance reports, management reviews, audit findings, and the non-conformities log. Then, we’ve documented the improvement plan detailing identified issues, proposed actions, responsible parties, and timelines. Finally, we communicated the plan to all relevant stakeholders.


  • Monitor and Review Implementation: Continuously monitor the progress of improvement actions to ensure effective implementation. Regularly review the actions taken to assess their effectiveness and make necessary adjustments.

 

Nonconformity & Corrective Action (Clause 10.2)

  • Collected Inputs: Regularly gather data from ISMS performance reports, management review minutes, audit findings, and the non-conformities log to identify issues.


  • Identified Non-Conformities: Reviewed inputs to detect non-conformities, weaknesses, or areas needing improvement.


  • Developed Corrective Actions: We’ve formulated specific actions to address identified non-conformities.


  • Monitor and Review Implementation: We will continuously monitor the progress of improvement actions to ensure effective implementation.


Important Notice

This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.



About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
