Recently, I was educating some IT professionals about ISO 27001, specifically about the implementation of corrective measures as part of information and cybersecurity risk management. I mentioned that from an ISO 27001 perspective, organizations should use both corrections and corrective actions in their information security risk management approaches. I was surprised by the reaction on some of my audience's faces; it appeared I had lost them. Obviously I had, and the question was: what is the difference between a correction and a corrective action? Before going into the details, let's look at what the ISO 27001:2013 standard says.
For those who may not be familiar with the ISO 27001:2013 standard, it has a total of eleven sections known as clauses. Clauses 0 to 3 deal with background information and do not mandate compliance. Clauses 4 to 10 are mandatory for organizations that wish to satisfy the requirements of the standard, whether pursuing certification or not. Clause 10, titled Improvement, deals with information security improvement and will be our focus for now.
Section 10.1 – Nonconformity and corrective actions – states (paraphrasing here)
“In the event of a nonconformity, an organization shall:
1) react (respond) to the nonconformity, and as applicable:
take action to control and correct it; and deal with the consequences;
2) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
reviewing the nonconformity; determining the causes of the nonconformity; and …..”
This section has been interpreted to contain two distinct risk treatment approaches: correction and corrective action. Let me illustrate these with an example to better clarify the differences between them.
Correction: Taking action to control and correct a nonconformity
Let's assume you were assigned the responsibility of examining and evaluating the information security awareness program of an organization. This organization has both regular employees and third-party contractors working at its facilities who have access to its IT infrastructure and systems. This access is required to enable each of the employees and contractors to perform their duties.
Your assessment and evaluation reveal that about 60% of all employees had completed the security awareness training while 40% had not. You reported this finding to the Security Manager, who then decided to organize on-premise security awareness training for all those who had not done the training. Eventually all employees, including contractors, participated in an information security awareness training. This example is that of a correction and not necessarily a corrective action. Why? There is no guarantee that this incident would not recur, as the ingredients to prevent recurrence are missing.
Corrective action: Determining the causes of the nonconformity
To implement a corrective action, organizations must try to understand the root cause(s) of the nonconformity at hand and implement safeguards or countermeasures that will prevent the recurrence of the nonconformity in the future. Doing so requires some further analysis of the issue in question.
Taking our example further, the security manager should seek to understand what led 40% of personnel not to undertake the security awareness training. While there are various techniques for digging into the root cause(s) of nonconformities, I personally like to use the 5 Whys (5Ys) for its simplicity. This approach involves asking the question "why?" repeatedly and iteratively until you find the root cause. In most cases, by the time you get to the fifth why, you will have identified the root cause of a nonconformity, or of any issue of concern for that matter.
So, back to our example, you should ask why (1) about 40% of employees did not undertake the security awareness training. This may prompt the analyst to dig further and discover a pattern, say that about 95% of the personnel who did not do the training were contractors. This may equate to 100% of contractors not having done the initial training. Why (2) did the contractors not undergo the training? Because they were not captured in the Learning Management System (LMS) and as such were unable to participate in the training. Why (3) were the contractors not captured in the LMS? Because the feed to the existing LMS comes from the HRMS, which is for employees only. Why (4) was the feed for employees only? Because the HR online portal captures only full-time employees, excluding contractors. Bingo!
It is now becoming clear that the organization has a systemic problem in this case. While the root cause here is the fact that contractors were not considered in the design and implementation of the Learning Management System, it is possible that, when the systems and associated policies were designed and implemented, the organization was not using third-party contractors. As it began to evolve and grow, the need to use third-party contractors became paramount, and of course the company did what it had to do to meet its customer demand. What was missing was a detailed risk assessment of what the introduction of third-party contractors meant for the organization and how best to deal with the associated risks.
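The root cause uncovered above is a data feed gap: an entire category of personnel never reaches the LMS, so a completion percentage alone hides it. The following reconciliation check is an added example, not code from the original post; the roster, the LMS export, the field names and the two-category split are constructed assumptions. It separates the two findings the post distinguishes: people enrolled in the LMS with training outstanding (a correction closes this) and people absent from the LMS altogether (the systemic gap a corrective action must address).

```python
"""Reconcile a personnel roster against LMS training records.

Added illustration (not from the original post). ROSTER, LMS and the field
names are constructed assumptions standing in for an HRMS/contractor roster
export and an LMS completion export.
"""
from collections import defaultdict

# Constructed roster: everyone who holds access, with their engagement type.
ROSTER = [
    {"id": "e001", "type": "employee"},
    {"id": "e002", "type": "employee"},
    {"id": "e003", "type": "employee"},
    {"id": "c101", "type": "contractor"},
    {"id": "c102", "type": "contractor"},
]

# Constructed LMS export: only people the HRMS feed created accounts for,
# which is exactly the feed gap described in the 5 Whys walk-through.
LMS = [
    {"id": "e001", "completed": True},
    {"id": "e002", "completed": True},
    {"id": "e003", "completed": False},
]


def reconcile(roster, lms):
    """Return completion rates per engagement type plus two finding lists.

    not_completed: enrolled in the LMS, training outstanding (correction).
    not_enrolled:  missing from the LMS entirely (investigate the feed).
    """
    status = {r["id"]: r["completed"] for r in lms}
    totals = defaultdict(int)
    done = defaultdict(int)
    not_completed = []
    not_enrolled = []
    for person in roster:
        totals[person["type"]] += 1
        if person["id"] not in status:
            not_enrolled.append(person["id"])
        elif status[person["id"]]:
            done[person["type"]] += 1
        else:
            not_completed.append(person["id"])
    rates = {t: done[t] / totals[t] for t in totals}
    return {"rates": rates, "not_completed": not_completed,
            "not_enrolled": not_enrolled}


def feed_gap_by_type(roster, lms):
    """Share of each engagement type absent from the LMS.

    A value of 1.0 means the feed never included that type at all, which
    points at a systemic cause rather than individual non-attendance.
    """
    ids = {r["id"] for r in lms}
    totals = defaultdict(int)
    missing = defaultdict(int)
    for person in roster:
        totals[person["type"]] += 1
        if person["id"] not in ids:
            missing[person["type"]] += 1
    return {t: missing[t] / totals[t] for t in totals}


if __name__ == "__main__":
    result = reconcile(ROSTER, LMS)
    for t, rate in result["rates"].items():
        print(f"{t}: {rate:.0%} completed")
    print("needs training (correction):", result["not_completed"])
    print("absent from LMS (investigate feed):", result["not_enrolled"])
    print("feed gap by type:", feed_gap_by_type(ROSTER, LMS))
```

On the constructed data the employee completion rate is two out of three while the contractor rate is zero, and the feed gap for contractors is 100%: that second figure is the signal that a correction (running the training) will not be enough on its own.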
While the above is one illustration of the difference between a correction and a corrective action, both are important in improving the information security posture of organizations. There are times when the only feasible option in a timely manner may be to implement a correction while the organization takes its time to investigate the root cause of a nonconformity, especially where systemic and technical issues may be involved.
In conclusion, there is a difference between a correction and a corrective action from the ISO 27001 perspective. A correction is an action taken to eliminate a detected nonconformity, while a corrective action is taken to eliminate the root cause(s) of a detected nonconformity. To put it simply, correction is like treating the symptoms of an illness while corrective action is diagnosing and treating the root cause of the illness.
Program Manager/Lead Information Security Consultant