Preventive actions in ISO 27001
ISO 27000:2013 refers to a preventive action as an action aimed at getting rid of a potential noncompliance. But there is no trace of preventive actions in 27001:2013. And in my opinion, there is no such thing as a potential noncompliance.
Either you detect it, and then it is a detected noncompliance requiring a corrective action, or you do not detect it, and then it has no existence.
Answer: It is true that in ISO 27001:2013 there are no requirements for preventive actions, however preventive actions are in fact included in risk assessment and treatment because the essence of risk management is to recognize a potential problem before it happens, and by treating it to prevent such an incident from happening.
There are examples of potential noncompliance, e.g. if the top management is not investing enough in training and awareness, the nonconformities will not happen right away; they will happen in the future. Therefore, in this case the preventive action would be to invest more in training and awareness.
Jan 12, 2016