# Nonconformity and corrective action (draft)
ISO 27001 expects a consistent approach to nonconformities and corrective actions. This page provides a minimal structure for recording and closing issues.
| Field | Value |
|---|---|
| Owner | Information Security Officer |
| Contact | infra@lef.tec.br |
| Version | 0.1 |
| Last updated | 2025-12-24 |
| Review cadence | On process changes |
## 1. What counts as a nonconformity (examples)
- A required process was not followed (e.g., missing approval, missing review).
- A control is not implemented as described.
- Evidence expected by policy/procedure is missing.
## 2. Sources
- Internal audits (see ISMS internal audit (draft))
- Incidents and near-misses
- Risk reviews and objective tracking
## 3. Minimal corrective action flow
- Record the issue (what/where/when).
- Contain (if needed) to reduce immediate risk.
- Identify root cause (why it happened).
- Define corrective action(s) and owner(s).
- Verify effectiveness.
- Close and retain the record.
## 4. Record template
| Field | Value |
|---|---|
| ID | |
| Source (audit/incident/etc) | |
| Description | |
| Impact | |
| Root cause | |
| Corrective action(s) | |
| Owner | |
| Due date | |
| Verification | |
| Status | |