ISO Clause 10 improvement - by software development company in india

iFour Consultancy, Clause 10: Improvement


Software development company india http://www.ifourtechnolab.com

Contents

- Audit findings
- Clause 10.1: Nonconformity and Corrective action
- Clause 10.2: Continual Improvement
- Audit follow-up with example
- References

Audit findings

Three types of audit findings:
- Positive finding: Conformity
- Negative finding: Non-conformity
- Observation: Opportunity for improvement

Audit findings (continued)

Conformity: The policies and procedures of an organization match the audit criteria.

Non-conformity: The policies and procedures of an organization do not match the audit criteria.

Opportunity for Improvement (OFI): Improvements are suggested so that the policies do not turn into a non-conformity.

Clause 10.1: Nonconformity and Corrective action

When a non-conformity occurs, the organization shall react to the non-conformity by:
- Taking action to control and correct it
- Dealing with the consequences

Corrective actions shall be appropriate to the effects of the non-conformities encountered.

Clause 10.1 (continued)

Evaluate the need for action to eliminate the causes of the non-conformity, so that it does not recur or occur elsewhere, by:
- Reviewing the non-conformity
- Determining the causes of the non-conformity
- Determining if similar non-conformities exist, or could potentially occur

Implement corrective action if needed.

Review the effectiveness of any corrective action taken.

Make changes to the information security management system (ISMS).

Documented Information for Clause 10.1

The organization shall retain documented information as evidence of:
- The nature of the non-conformities and any subsequent actions taken
- The results of any corrective action

Nature of non-conformity:
- Minor non-conformity: part of a policy/procedure is not implemented
- Major non-conformity: the full policy/procedure is not implemented

Clause 10.2: Continual Improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

- Suitability
- Adequacy
- Effectiveness

Audit follow-up

Conducted for continual improvement:
- Check whether the corrective actions suggested in the previous audit have actually been implemented
- Evaluate the effectiveness of the corrective actions
- Suggest any further corrective actions needed for the corrective actions already implemented

Audit follow-up checklist

- Is the implemented corrective action appropriate to the effects of the non-conformity encountered?
- Were the corrective actions implemented in a timely manner?
- Are the policies and procedures of the organization followed according to ISO 27001:2013?
- The auditor should sample for the effectiveness of the implemented corrective actions and for on-going conformance.

Example of Audit follow-up

Non-conformity (Finding): The review of the policies for information security has not been done in the last 18 months.

This NC is given against Control A.5.1.2 of ISO 27001:2013, which states that the policies for information security shall be reviewed at planned intervals.

So for the audit follow-up, the auditor shall review whether the review of the policies for information security is being done at planned intervals or not.


iFour Consultancy Services

Visit this website for more details: http://www.ifourtechnolab.com

THANK YOU!!!