Corrective actions
I do have one more question about best practices for ISO 27001 implementation regarding corrective actions.
Let's assume the scenario:
- We have implemented ISMS policy
- During the internal audit, we have found out non-conformance to the policy in a specific area/control.
We can take three decisions based on known risks:
- Register non-conformance and resolve it in short-term
- Register exception to policy for 6-12 months
- Modify policy since it was too strict
The option to address it in the short term is always the best, but I want to find out the best practices for long-term solutions (option 2).
Is it better to keep the non-conformance list or exception list and revalidate it every time?
First, it is important to note that if you have a nonconformity you need to resolve it, so you have to record and handle the nonconformity.
Regarding exceptions/policy modifications, you have two options:
- a) If there are legal or contractual requirements or unacceptable risks, you cannot adapt the policy; rather you need to resolve the problem in the implementation;
- b) If there are no such requirements, you should consider modifying the policy to make it less strict.
Nov 12, 2019