I'm finding a contradiction. In the article Practical use of corrective actions for ISO 27001 and ISO 22301, it says under Required Documents that a procedure must be documented. But further down, it says that it is not mandatory. Which is it?
Please note that this article was written according to the old 2005 revision of ISO 27001, and for this version the Corrective Action Procedure was mandatory. In the current 2013 version of ISO 27001 the Corrective Action Procedure is not mandatory. We apologize for this confusion and will work ASAP to update the article.
In the ISO world, mandatory requirements/documents are related to the words "must" or "shall", while non-mandatory requirements/documents are related to the words "may" or "should". Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:

- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
Regarding the Corrective Action Procedure, it is documented in most cases because it is considered a good practice (it helps new employees to understand faster and easier how to handle corrective actions).