ISO 27001 Corrective Action Document Requirements

G

glenn0004

I'm looking to update our ISO 9001 and 14001 corrective action documents and register to include ISO 27001. From past CAPA we have catagorised the actions raised in the past to enable drop down selection of catagories of CAPA this enabling us to measure and quantify - does any one have any backgrown data on the range of reasons that ISO 27001 may raise CAPA.
 
Richard Regalado

Richard Regalado

Trusted Information Resource
For starters you may want add 133 fields to your drop-down list to accommodate the 133 controls of ISO 27001. Then, count all the SHALL requirements as all of these may be valid reasons for the raising of NCs.

For PA, the reasons are limitless.
 
J

john.b

Involved In Discussions
According to basic standards implementation you would identify both corrective action and non-conformances (overlapping concepts) according to both standard content (controls and main body requirements, as Equus mentioned) and your own designed system (ISMS) requirements.

Hard to imagine including either some general process references or specific documentation (policy, procedure, record, etc.) as included in drop-down references in that sort of record, or for use as a reporting category. It would be easy to draw the wrong conclusions from such reporting since corrective actions in quality, environmental management, and security are different types of things.
 
G

glenn0004

john.b said:
According to basic standards implementation you would identify both corrective action and non-conformances (overlapping concepts) according to both standard content (controls and main body requirements, as Equus mentioned) and your own designed system (ISMS) requirements.

Hard to imagine including either some general process references or specific documentation (policy, procedure, record, etc.) as included in drop-down references in that sort of record, or for use as a reporting category. It would be easy to draw the wrong conclusions from such reporting since corrective actions in quality, environmental management, and security are different types of things.
Click to expand...
Thanks for this..I think that I understand the concerns that you have highlighted. On the present system by choosing either a 9001 or 14001 Corrective / Preventative action different options are available.
 
J

john.b

Involved In Discussions
There are always lots more vaguely related points to be made, but it seems like more interesting and somewhat overlapping concerns relate to security incident management.

Corrective actions are systems lapses or requirements gaps identified by audits and such, and of course can be defined other ways by an individual system, but a security incident is any lapse of actual security controls. These incidents are much more relevant to actual system function, with resolution covering functional cause and prevention review, and categorization along with reporting. This would be a good opportunity for KPI style reporting and such. Measures of effectiveness review results, required by 27001, would also provide a similar opportunity.

It goes without saying but the standard reference for incident management is IT service management practices documented by ITIL best practices, the basis for ISO 20000 (but I've just said it anyway). I've not reviewed ITIL guidance for information security but it does cover that scope.
 
Richard Regalado

Richard Regalado

Trusted Information Resource
john.b said:
There are always lots more vaguely related points to be made, but it seems like more interesting and somewhat overlapping concerns relate to security incident management.

Corrective actions are systems lapses or requirements gaps identified by audits and such, and of course can be defined other ways by an individual system, but a security incident is any lapse of actual security controls. These incidents are much more relevant to actual system function, with resolution covering functional cause and prevention review, and categorization along with reporting. This would be a good opportunity for KPI style reporting and such. Measures of effectiveness review results, required by 27001, would also provide a similar opportunity.

It goes without saying but the standard reference for incident management is IT service management practices documented by ITIL best practices, the basis for ISO 20000 (but I've just said it anyway). I've not reviewed ITIL guidance for information security but it does cover that scope.
Click to expand...

Incidents are non-conformities and should be "fed" into the CA process.
 
A

AndyN

Moved On
glenn0004 said:
I'm looking to update our ISO 9001 and 14001 corrective action documents and register to include ISO 27001. From past CAPA we have catagorised the actions raised in the past to enable drop down selection of catagories of CAPA this enabling us to measure and quantify - does any one have any backgrown data on the range of reasons that ISO 27001 may raise CAPA.
Click to expand...

You might not want to 'share' this aspect between management systems! One 'story' I hear under similar circumstances is NOT to integrate ISMS with QMS/EMS even though the requirements 'look' similar, in practice, they aren't and may not be manageable by a common system.
 
Richard Regalado

Richard Regalado

Trusted Information Resource
AndyN said:
You might not want to 'share' this aspect between management systems! One 'story' I hear under similar circumstances is NOT to integrate ISMS with QMS/EMS even though the requirements 'look' similar, in practice, they aren't and may not be manageable by a common system.
Click to expand...

The story is not be applicable to everyone. ;)

Here is one client: http://www.epldt.com/content.aspx?id=10

They have an integrated QMS, EMS and ISMS. All of the similar requirements from document control, management review, NCs, CAPA and internal audits are integrated.

Soon they'll be adding BCMS.

Here is another client - BPO (http://www.spi-global.com/quality) with QISMS for ALL of their business processes (5,000+ employees). They were certified in 2003 and is happy with their integrated QISMS.
 
A

AndyN

Moved On
Equus08 said:
The story may not be applicable to everyone.

Here is one client: http://www.epldt.com/content.aspx?id=10

They have an integrated QMS, EMS and ISMS. All of the similar requirements from document control, management review, NCs, CAPA and internal audits are integrated.

Soon they'll be adding BCMS.

Here is another client - BPO (http://www.spi-global.com/quality) with QISMS for ALL of their business processes (5,000+ employees). They were certified in 2003 and is happy with their integrated QISMS.
Click to expand...

True, as with all things in life. However, one or two examples, don't necessarily set the pattern for everyone else. For example, many companies implement a QMS and EMS, often without integration. Some (a few) have well integrated QMS/EMS. The norm is, I'd suggest, that the two aren't integrated. Sure they could do it, but it may present problems which they don't have currently! My comment wasn't that it shouldn't be done, only that it's often too much to bite off!
 
You must log in or register to reply here.

Similar threads

Richard Regalado
Informational ISO/IEC 27001:2022 has been published
Replies
0
Views
870
Richard Regalado
Richard Regalado
G
8D on Audit Non Conformance -- Incomplete Document
2 3 4 5 6
Replies
53
Views
5K
Randy
Randy
T
Measuring Corrective Action Effectiveness
2
Replies
10
Views
1K
Bev D
Bev D
M
Not a Calibration Expert but questioning in-house calibration method.
Replies
3
Views
476
MarcoSimone
M
Q
Corrective Action Notification - Registration Audit
2
Replies
12
Views
1K
qualitytf
Q
Top Bottom