Corrective Action Procedure Template
Document Control
| Field | Value |
|---|---|
| Document ID | ISMS-PROC-CAR |
| Version | 1.0 |
| Date | [DATE] |
| Owner | ISMS Manager |
| Review Frequency | Annual |
1. Purpose
This procedure defines the process for:
- Identifying nonconformities and their causes
- Implementing corrective actions
- Reviewing effectiveness
- Preventing recurrence
2. Scope
Applies to all nonconformities related to:
- ISO 27001 requirements
- ISMS processes and controls
- Security incidents and events
- Internal and external audit findings
3. Definitions
Nonconformity: Non-fulfillment of a requirement
Corrective Action: Action to eliminate the cause of nonconformity and prevent recurrence
Root Cause: Fundamental reason a nonconformity occurred
Preventive Action: Action to eliminate potential causes of nonconformity
4. Responsibilities
| Role | Responsibility |
|---|---|
| ISMS Manager | Overall process ownership, review major nonconformities |
| Action Owner | Implement corrective actions, provide updates |
| Internal Auditor | Verify effectiveness of corrective actions |
| All Staff | Report nonconformities when identified |
5. Procedure
5.1 Nonconformity Identification
Nonconformities may be identified through:
- Internal audits
- External audits (certification, surveillance)
- Security incidents
- Monitoring and measurement activities
- Management reviews
- Staff reports
- Customer complaints
Action: Log all identified nonconformities in the Corrective Action Register.
5.2 Nonconformity Recording
For each nonconformity, document:
- Unique ID and date
- Source of identification
- Description of the issue
- Affected process/control/clause
- Severity (Major/Minor/Observation)
- Immediate containment actions taken
- Action owner assigned
Form: Use Corrective Action Request (CAR) form.
5.3 Immediate Containment
Within 24-48 hours:
- Take immediate action to control consequences
- Prevent further occurrence of the issue
- Document containment actions taken
- Notify affected parties if required
5.4 Root Cause Analysis
For Major Nonconformities:
- Conduct formal root cause analysis (5 Whys, Fishbone, etc.)
- Document analysis in CAR form
- Involve relevant stakeholders
For Minor Nonconformities:
- Simplified analysis acceptable
- Document apparent cause
Timeline: Complete within 5 working days of identification.
5.5 Corrective Action Planning
Develop corrective action plan including:
- Actions to eliminate root cause
- Actions to prevent recurrence
- Changes to ISMS documentation if needed
- Resources required
- Responsible person
- Target completion date
Approval: ISMS Manager approves all corrective action plans.
5.6 Implementation
Action Owner:
- Implements planned corrective actions
- Updates ISMS documentation as required
- Communicates changes to affected parties
- Provides progress updates
- Notifies ISMS Manager when complete
Timeline:
- Major: 30 days (or as approved)
- Minor: 15 days
- Observation: 30 days
5.7 Effectiveness Review
After implementation:
Verification (Internal Auditor or ISMS Manager):
- Review evidence of implementation
- Verify documentation updated
- Confirm training completed if required
Effectiveness Check (after 1-3 months):
- Monitor for recurrence
- Review related metrics/KPIs
- Conduct follow-up audit if needed
Decision:
- Effective: Close corrective action
- Not effective: Reopen and revise action plan
5.8 Risk and Opportunity Update
Evaluate if the nonconformity requires:
- Risk assessment update
- Statement of Applicability revision
- New controls implementation
- Control effectiveness re-evaluation
5.9 Documentation
Maintain records of:
- Corrective Action Request forms
- Root cause analysis documentation
- Implementation evidence
- Effectiveness review results
- Updated ISMS documents
Retention: 3 years minimum (longer if required by regulations).
5.10 Closure
Close the corrective action when:
- Actions fully implemented
- Documentation updated
- Effectiveness verified
- ISMS Manager approval obtained
6. Escalation
Escalate to Top Management when:
- Major nonconformity identified
- Corrective action requires significant resources
- Systemic ISMS issues identified
- Risk of certificate suspension
- Actions overdue by >30 days
7. Metrics
Track and report:
- Number of nonconformities by source
- Number of nonconformities by type (Major/Minor/Observation)
- Average time to close corrective actions
- Percentage closed on time
- Recurrence rate
- Effectiveness rate
8. Related Documents
- ISMS-FORM-CAR: Corrective Action Request Form
- ISMS-REG-CAR: Corrective Action Register
- ISMS-PROC-AUDIT: Internal Audit Procedure
- ISMS-PROC-INC: Incident Management Procedure
Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| Prepared By | | | |
| ISMS Manager | | | |
| Executive Sponsor | | | |