Question - ISO 27001 Chapter 10.1 Nonconformity and corrective action

We have just performed a surveillance audit to ISO 27001.
One of the auditor’s requirements is that all findings from the audits be analysed, what caused them, whether the findings occur in a similar form elsewhere and how the organisation treats them.
Specifically, it is about how the requirement “Chapter 10.1 Nonconformity and corrective Action / 1) reviewing the nonconformity; / 2) determining the causes of the nonconformity; and / 3) determining if similar nonconformities exist, or could potentially occur;” is treated.
Has anyone had any experience with this?
How do you use eramba to document these requirements?

I am very grateful for help


I had different types of ISO auditors (some technical, some not, some into the details, some who did not care about anything other than where we would invite them for lunch, etc.) and they typically all had different expectations and/or understanding of any given ISO requirement (on any of the norms I was audited against, not just 27k), so the answer to your question, in my experience, was “it depends”.

Lovely, very useful start, I know.

Basically they all wanted some sort of “root cause analysis” (everyone called this something different) for the “problem”, which would typically (but not always) apply to a control “audit”. I would document my analysis in the “description” field (later on we used custom fields to split the different stages of the root cause analysis, a painful and unnecessary thing to do in my view) of a sec operations / project, I would use the “project tasks” to describe the “corrective actions”, and of course I would link that project to the “problem” (an audit would be almost always the case, but also risks, compliance analysis items, etc.).

Notifications, comments, attachments, etc. would be used to demonstrate follow-ups on the project and tasks.

For whatever it is worth, that is my real-life experience on the matter. ISO was a great driver to get things going, but at some points it was just too much of a “red carpet” type of standard.

In the beginning our auditor was more technical; he did not care so much about “paperwork”, so we simply used the comments and attachments on the item that had the issue. Then the guy got sacked (he was pretty laid back) and we got another person who loved paperwork, and that is when we started using the method I describe above.

I might be oversimplifying this, but we use a Corrective Action Plan process to address nonconformity and risk remediation. Similar to how HITRUST makes you document a CAP for your certification process.

Initially, we performed a gap assessment by determining what controls were applicable to our business environment, the risk associated with not implementing the control and other specific asset and process-related risks. Findings from this initial assessment were documented, assigned a Risk Owner for the development and documenting of a Corrective Action Plan and then presented to a steering committee for review and approval. Many of the items listed in your question are part of the template for the Corrective Action Plan. We then map that Corrective Action Plan document as a Risk Response Plan to the associated Asset Risk that’s mapped to the ISO control. If the Corrective Action Plan requires substantial resources, a project will be created in our Project Management solution and mapped in Eramba for tracking. As mentioned, there’s also the option of creating Custom Fields in the Compliance Analysis Findings section if you want to track the above criteria directly on the finding.

TL;DR: Document outside of Eramba and map using Risk Response Plan and Mitigating Projects, or use Custom Fields.

Thank you for all the suggestions. I’ll try some of them to see what fits best for our Company.