ISO 27001 Information Security - Clause 10 Improvement


24th November 2022 - ISO 27001 Information Security in plain English - Blog post #17.

ISO 27001 - Clause 10 Improvement.

This clause forms the Act step of the PDCA cycle. It has two elements:

  • 10.1 Continual improvement
  • 10.2 Nonconformity and corrective action

These are discussed below.

10.1 Continual improvement

Continual improvement does not mean that everything must improve all the time. The intention is that improvement is systemised to address weaknesses and take advantage of opportunities. In effect, there should be a programme of seeking continual improvement by considering the results of data analysis, internal audits, management reviews, and other feedback or inputs.

We shouldn't overlook the fact that the people who often know best how a process can be improved are those at the coal-face. Many successful organizations have gained real benefits by implementing worker suggestion / reward schemes.

10.2 Nonconformity and corrective action

Before we go too much further, it might be worthwhile to clarify the ISO definitions of some of the terms used here:

  • Nonconformity is the non-fulfilment of a requirement - that requirement could be a need or expectation that is stated, implied, or obligatory.
  • Correction is action to eliminate a nonconformity that has been identified.
  • Corrective action is action to eliminate the cause (or causes) of a nonconformity - and prevent its recurrence.

The initial requirement is to deal with any identified nonconformities and their consequences. That may be thought of as Control and Correction.

Moving on from that, we should also consider the matter more broadly, e.g.:

  • Could the issue exist elsewhere?
  • Could the issue recur later?
  • What are the root cause(s) of the nonconformity?

The necessary corrective actions then need to be implemented and recorded.

Root Cause Analysis and corrective action

When problems occur in organizations, it is generally easiest to deal with the symptoms. After all, they are the immediately obvious aspects of the problem, and dealing with them is what gets recognition. So that's exactly what people tend to do. If something doesn't work, we fix it, replace it, or re-do it. Job done. Problem solved. When something else goes wrong, once again we fix it, replace it, or re-do it. Job done. Problem solved. Or is it? There may be an opportunity to be a little more proactive. That can start with an investigation or analysis of the root causes of problems or events. Root cause analysis is based on the belief that problems are best solved by taking corrective action to eliminate their root causes, instead of simply responding to the symptoms. By identifying and then dealing with root causes, the recurrence of problems may be eliminated or minimized.

It's worth noting that all of the following standards also have similar clauses:

  • QUALITY - ISO 9001:2015
  • OHS - ISO 45001:2018
  • ENVIRONMENT - ISO 14001:2015
  • FOOD SAFETY - ISO 22000:2018
  • ENERGY MANAGEMENT - ISO 50001:2018

Addressing those common requirements may be achieved most efficiently by taking an integrated approach.

This article is based on an extract from the Qudos ISO 27001 InfoSec Toolkit Guide Book.


Qudos 3 software - Supporting ISMS Improvement

Qudos 3 software clients will find that the Actions module offers an extremely powerful tool to address this clause efficiently and effectively.

The Actions module is supported by a wealth of tools and resources to aid understanding and implementation.

Those looking to deal with this issue in an integrated manner may choose to use their Qudos 3 Actions module as the basis for recording nonconformances, taking action to fix the nonconformity, then investigating the cause(s), and taking corrective action to address them. Records could be categorised according to topic, e.g. Quality, Information Security, OHS etc. Applying the same tool in a range of contexts can help workers to become familiar with it, and encourage more widespread usage. In turn, that will aid reporting and decision-making.

Find out about Qudos 3 IMS software

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Now updated for the latest version of the standard - ISO 27001:2022.

There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experienced certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!