M6.3.1 - CORRECTIVE ACTION Implementation Guidance
The entity shall correct any nonconformity with these Standards.
Back to M6.3.1 - P2 - CORRECTIVE ACTION
The entity should have a clear action plan that describes how identified non-conformities will be addressed. This can take place in the Information Security Committee (refer to M.1.1.2 - P1 - LEADERSHIP AND MANAGEMENT COMMITMENT) and should be initiated and controlled by the Information Security Manager. Determine whether corrective action is justified by evaluating the following considerations:
- A. Whether it is a first or a repeat occurrence
- B. Frequency and history of occurrences (repeated occurrences)
- C. Seriousness of the impact
- D. Root cause of the non-conformity, for which the following activities have to be performed:
  - Collect data
  - Get expert advice
  - Consult with vendors, partners and associates
The corrective action(s) identified should be implemented within an appropriate timeframe and prioritized based on the risk treatment plan (see M2); delays should be avoided to reduce the negative effects of non-conformities on the entity's information security. It is also important to ensure that the implemented corrective actions achieve their intended objective and are effective. The review of the effectiveness of corrective actions can be done by the Information Security Committee, and the results should be documented.