There are always many more vaguely related points to be made, but the more interesting and somewhat overlapping concerns relate to security incident management.
Corrective actions relate to system lapses or requirements gaps identified by audits and similar reviews, and can of course be defined in other ways by an individual system, but a security incident is any lapse of actual security controls. These incidents are much more relevant to actual system function; their resolution covers functional cause and prevention review, along with categorization and reporting. This would be a good opportunity for KPI-style reporting. The results of measures-of-effectiveness reviews, required by ISO 27001, would provide a similar opportunity.
It goes without saying, but the standard reference for incident management is the set of IT service management practices documented in the ITIL best practices, the basis for ISO 20000 (but I've just said it anyway). I've not reviewed the ITIL guidance for information security, but it does cover that scope.