
Expert Advice Community


Handling nonconformities

Guest user Created:   Jul 02, 2019 Last commented:   Jul 02, 2019


I'm creating an action plan in order to close some NCs found during the audit. What is the document that I have to fill in in order to close the NC? The point is D.6 6.2 Information Security in projects.

Expert
Rhand Leal Jul 02, 2019

Answer: I'm assuming you are referring to control A.6.1.5 - Information security in project management.

First, it is important to note that there are many similarities with implementing an ISMS in an organisation that you can use to drive the implementation of this control in a specific project:

1 – You have to define information security objectives and include them in the project objectives, the same way you define information security objectives for an ISMS aligned with the organization's objectives; the only difference is that these objectives are restricted to the scope of the project.

2 – You have to perform, at the beginning and periodically, information risk assessments in the project, as you would with other business processes, to identify necessary controls.

3 – You have to ensure that information security practices are part of all phases of the project (e.g., from the issue of the project charter to project closing).

In short, you can think of the inclusion of information security in project management as if you were going to implement a small ISMS that fits the project's needs and is proportional to the project's lifetime and budget.

Considering this, you would be using the same documents you use for an ISMS applied to your organization (there is no need for documents specific to managing information security in a project), and for any nonconformity related to ISO 27001 you can use a document called the Corrective Action Form, which describes the nonconformity and its cause, defines corrective / preventive actions, and specifies the verification method for their implementation.

To see what this document looks like, I suggest you take a look at this free demo: https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/

This article will provide you with further explanation about nonconformities:
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
