How You Can Continually Improve Your ISO 27001 ISMS (Clause 10)

Your ISO 27001 journey doesn’t end once you’ve implemented your ISMS (information security management system) and controls.

You must check your measures are doing what they’re supposed to do by:

  • Monitoring their effectiveness;
  • Measuring their performance against your objectives; and
  • Continually improving your measures and overall management system.

This mirrors what you’re trying to address in the first place: information security risks, which don’t stand still either.

Your information security risks evolve over time

All recent ISO management system standards, including ISO 27001:2022, require you to continually improve your management system.

Risks evolve over time – particularly in a cyber security context. Cyber criminals are, unfortunately, innovative. They’re constantly coming up with new tools and exploits, meaning that organisations need to be proactive about their defences, too.

Furthermore, your initial controls may be suboptimally implemented. Don’t forget that you select controls based on your best judgement of the risks at the time. That makes it important to measure the performance of your controls and adjust them as necessary so that they’re working as expected.

In addition, the organisation itself will change over time, which can introduce new risks or change existing ones.


What does ISO 27001 say about continual improvement?

ISO 27001 contains requirements for continual improvement in Clause 10.

Clause 10.1 sets the stage by requiring the organisation to continually improve the suitability, adequacy and effectiveness of its ISMS.

This is achieved through:

  • Opportunities for improvement identified during management review; and
  • The nonconformity and corrective action process – Clause 10.2 of ISO 27001.


Nonconformity types

No management system maintains 100% conformity over time.

Organisations evolve and change to meet the requirements and challenges of new business. So, the management systems they operate must change with them.

Nonconformities are a natural and expected part of running any management system. They simply indicate that some parts of the system aren’t operating as they should – not that the system is failing entirely.

Nonconformities are usually grouped into three categories:

1. Major nonconformities

These usually indicate one of the following:

  • Prolonged or wilful failure to meet the requirements.
  • A requirement is completely absent – for example, no risk assessment process.
  • Total failure of an ISMS component – for example, an audit programme exists, but no audits have been carried out for six months.

2. Minor nonconformities

These indicate requirements that are partly met, but suffer from some non-critical deficiency that won’t actively harm the operation of the ISMS.

For example, an out-of-date document is still in use, or a procedure is missing a requirement.

3. Opportunities for improvement

These are also known as ‘OFIs’. They indicate:

  • Minor deficiencies that don’t currently pose a problem, but could become one in future.
  • General improvement opportunities identified through management review or during normal day-to-day operations.

How are nonconformities identified?

This usually happens through the internal audit process (Clause 9 of ISO 27001).

Nonconformities can also be identified through other activities that highlight deficiencies in the ISMS, such as:

  • Monitoring and measurement results; and/or
  • Analysis of logs or records.




Corrective actions

When a nonconformity is identified, you must act to resolve it.

In other words, you must issue a corrective action. Clause 10.2.a requires you to react to the nonconformity – no pretending it doesn’t exist – then both:

  • Act to control and correct it; and
  • Deal with the consequences.

Separating ‘act to control and correct it’ from ‘deal with the consequences’ may seem needless, but resolving nonconformities is often a multi-stage process – particularly with an ISMS.

For example:

  • A failure of a key security control might result in a security incident, making it necessary to deal with regulators and affected individuals after you’ve resolved the core issue with the security control.
  • Nonconformities arising from a zero-day vulnerability might involve both:
    • Short-term actions, such as temporarily taking down a server or website; and
    • Longer-term actions, such as setting up a new system.

ISO 27001 expects you to manage those ‘consequential’ actions with as much diligence as the initial response, and uses the distinction to make this clear.


Root-cause analysis

A key part of effective continual improvement is identifying the root cause of nonconformities and taking action to prevent recurrence.

Clause 10.2.b addresses this directly, stating that organisations must:

[Determine] the causes of the nonconformity; and [determine] if similar nonconformities exist, or could potentially occur.

When investigating the cause of nonconformities, remember that the most proximate reason isn’t always the true cause.

Determining the root cause often involves working several steps backward in the causal chain.

For example, a poorly maintained firewall may initially appear to be the result of inadequate work instructions given to the person responsible for maintaining it. So, the obvious answer may be to improve the work instructions.

But if the person responsible has so many duties that they don’t have time to properly maintain the firewall, no amount of improvement to the work instructions will resolve the problem. Rather, you need to give them fewer duties or transfer the responsibility to someone with more time (and with the right competence).


Is continual improvement expensive?

No. Or rather, not necessarily.

If done well, continual improvement means you’re getting a better return on investment. It can actually save you money, by making sure your measures are doing their job.

In fact, you can improve their performance without spending more money, or achieve the same performance with less effort or money. You could achieve this by, for example, replacing a manual task with an automated tool, or cutting an unnecessary step in a process.

Remember that ISO 27001 isn’t just a security investment, but a business investment with long-term benefits that go far beyond preventing the bad press associated with a breach.


Want to learn how to effectively implement, monitor and audit an ISMS?

Our Certified ISO 27001:2022 ISMS Lead Implementer and Lead Auditor Combination Training Course equips you with the knowledge and skills you need to become a successful ISO 27001 lead implementer and auditor.

Delivered by an ISO 27001 consultant with extensive practical experience, you’ll learn:

  • The nine critical steps involved in planning, implementing and maintaining an ISMS;
  • Information security management best practices to ensure data confidentiality, integrity and availability;
  • Typical implementation pitfalls and challenges and how to deal with them;
  • How to conduct second-party (supplier) and third-party (external and certification) ISMS audits; and
  • How to competently manage an ISMS audit programme.

The post How You Can Continually Improve Your ISO 27001 ISMS (Clause 10) appeared first on IT Governance UK Blog.