Document ID: ISMS-PROC-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager
Purpose and Scope
This procedure defines the process for identifying, recording, analysing, and correcting nonconformities in [Organisation Name]'s ISMS, in accordance with ISO/IEC 27001:2022 Clause 10.1. It ensures that nonconformities are addressed at their root cause rather than only at the surface symptom, and that corrective actions are tracked to verified closure.
This procedure applies to nonconformities identified from any source: internal audits, external audits, security incidents, management reviews, day-to-day operations, or self-identification by any staff member. The Information Security Manager (ISM) is responsible for maintaining the Nonconformity Register and the Corrective Action Tracker.
1. Nonconformity Classification
| Type | Definition | Examples |
|---|---|---|
| Major Nonconformity | Systematic failure of a requirement; absence of a required process or control; multiple related minor nonconformities indicating a systemic breakdown | No internal audit conducted for over 12 months; no risk register exists or has not been reviewed in over 2 years; no incident response procedure in place; no security awareness training programme exists |
| Minor Nonconformity | A single, isolated failure that does not indicate systematic breakdown of the process; the control or requirement exists but has been applied imperfectly in one instance | One system not patched within SLA; one employee training record missing; one access review conducted 6 weeks late; one document out of review cycle by a short period |
| Observation | Not a nonconformity against a specific requirement, but indicates a risk of becoming a nonconformity if left unaddressed; processes exist but rely on informal practices | Supplier review process not documented; currently managed informally by one person. Single person performs and approves access provisioning (separation of duties not enforced, but not yet a documented requirement) |
| Opportunity for Improvement (OFI) | A positive suggestion that could improve the ISMS; no current nonconformity exists | Automating a manual quarterly process; adopting a new threat intelligence feed; implementing a configuration drift detection tool |
2. Nonconformity Log
The Nonconformity Register is the authoritative record of all identified nonconformities. It is maintained by the ISM and reviewed at each Management Review.
| NC ID | Date Raised | Source | Clause / Control | Type | Description | Raised By | Assigned To | Due Date | Status | Date Closed |
|---|---|---|---|---|---|---|---|---|---|---|
| NC-2026-001 | 2026-03-10 | Internal Audit 2026-01 | Clause 9.2 (Internal Audit) | Minor | No evidence that an internal ISMS audit was conducted in 2025. The ISMS requires audits at planned intervals; no audit report or documentation exists for the preceding 12-month period. | [Auditor Name] | ISM | 2026-06-30 | Open | – |
| NC-2026-002 | 2026-03-10 | Internal Audit 2026-01 | 5.18 (Access Rights) | Minor | Finance system access review last performed March 2024 (18 months ago). The Access Control Policy requires quarterly reviews for systems rated Confidential. No record of subsequent reviews found in the IT service desk or access register. | [Auditor Name] | IT Manager | 2026-04-30 | In Progress | – |
| NC-2026-003 | 2026-02-14 | Security Incident INC-2026-002 | 8.8 (Technical Vulnerability Management) | Minor | A critical vulnerability (CVSSv3 score 9.1, remote code execution) in the SOC platform's web framework remained unpatched for 47 days, exceeding the 30-day SLA defined in the Patch Management Procedure. The patch was available at day 0. | ISM | IT Manager | 2026-03-31 | Closed | 2026-03-28 |
| NC-2026-004 | 2026-01-20 | Management Review (Dec 2025) | 5.19 (Supplier Security) + 5.20 (Supplier Agreements) | Major | Two Tier 1 suppliers (SIEM vendor and HR SaaS provider) have no contractual security obligations. No Data Processing Agreements (DPAs) have been signed with either supplier despite both processing client or employee personal data. This is a systemic gap: no standard security contract clause template exists. | CISO | Legal / ISM | 2026-05-31 | In Progress | – |
| NC-2026-005 | 2026-03-01 | Self-identified (HR Manager) | 6.3 (Information Security Awareness) | Minor | Three employees who joined in January 2026 have no record of completing the mandatory security awareness induction training. The HR onboarding checklist does not include a step to enrol new starters in the training platform within their first week. | HR Manager | HR Manager | 2026-04-15 | In Progress | – |
3. Root Cause Analysis Worksheet
For every nonconformity, a Root Cause Analysis (RCA) must be completed before corrective actions are defined. RCA ensures that the action addresses the cause rather than just the visible symptom. The 5 Whys method is used for Minor NCs; Fishbone (Ishikawa) diagrams or Fault Tree Analysis may be used for Major NCs.
Example: NC-2026-004 (Major NC: No supplier security contracts):
| Field | Response |
|---|---|
| NC ID | NC-2026-004 |
| Description | No security requirements in contracts with two Tier 1 suppliers; no DPAs signed |
| Immediate Containment Action | Identify the two suppliers and all personal data currently being processed; pause any planned data sharing expansion until contracts are in place; notify CISO |
| RCA Method | 5 Whys |
| Why 1 | Why do the contracts lack security requirements? No standard security contract clause template was used during negotiations |
| Why 2 | Why was no template used? No security contract template existed at the time both contracts were executed (2022 and 2023) |
| Why 3 | Why didn't a template exist? The Supplier Security Policy was created in 2024, after these contracts were signed |
| Why 4 | Why weren't legacy contracts reviewed when the policy was published in 2024? The policy did not include a transition plan or requirement to review existing contracts |
| Why 5 | Why was no transition plan included in the policy? The policy owner did not consider the impact on contracts already in place; the review process focused on new supplier engagements only |
| Root Cause | The absence of a legacy contract review process when the Supplier Security Policy was introduced. No mechanism existed to identify and remediate gaps in pre-existing supplier agreements. |
| Systemic Implication? | Yes: the root cause suggests that other existing supplier contracts may also lack security requirements. A full audit of all supplier contracts is required (not just the two identified). |
| Corrective Actions | 1. Draft a standard security contract clause template for use in all future and renewal contracts. 2. Conduct a full review of all existing supplier contracts to identify gaps. 3. Negotiate amendments with all Tier 1 suppliers to include mandatory security obligations. 4. Update the Supplier Security Policy to include a requirement to review existing contracts whenever the policy is materially revised. |
Example: NC-2026-003 (Minor NC: Overdue critical patch, now closed):
| Field | Response |
|---|---|
| NC ID | NC-2026-003 |
| Description | Critical vulnerability unpatched for 47 days; 30-day SLA exceeded |
| Immediate Containment Action | Apply the patch immediately; confirm no exploitation evidence in SIEM logs; monitor system for 72 hours |
| RCA Method | 5 Whys |
| Why 1 | Why was the patch not applied within 30 days? IT Manager was unaware the vulnerability was rated critical until week 5 |
| Why 2 | Why was the IT Manager unaware? The vulnerability scan output was not reviewed promptly; the scanner ran but results sat in the queue |
| Why 3 | Why weren't results reviewed? No automated alerting was configured on the scanner for critical-severity findings |
| Why 4 | Why was no alerting configured? The scanner was deployed as a one-time setup; alerting was considered an optional future configuration |
| Why 5 | Why was it not made mandatory at deployment? No minimum scanner configuration standard existed; no checklist for tool deployment |
| Root Cause | No automated alerting on critical vulnerability findings; scanner deployed without mandatory alerting configuration |
| Corrective Actions | 1. Configure automated email/SIEM alert for any Critical or High CVE findings immediately. 2. Create a minimum configuration standard for the vulnerability scanner. 3. Implement a patch compliance dashboard to provide visibility without relying on passive scanning review. |
4. Corrective Action Tracker
All corrective actions are recorded and tracked to verified closure. A corrective action is only marked "Closed" when the ISM (or external auditor) has reviewed evidence and confirmed that the action is effective.
| CA ID | Linked NC | Action Description | Owner | Resources Required | Target Date | Completion Evidence Required | Status | Verified By | Verification Date |
|---|---|---|---|---|---|---|---|---|---|
| CA-2026-001 | NC-2026-001 | 1. Conduct an internal audit covering Clauses 6–8 and Annex A Theme 8 (scope not audited in 2025). 2. Produce a formal audit report. 3. Update the audit programme to add a quarterly calendar reminder and assign a backup auditor to prevent single-point dependency. | ISM | 2 days auditor time + 0.5 days report writing | 2026-06-30 | Signed audit report; updated audit programme with 2026-02 date confirmed; backup auditor assigned | Open | – | – |
| CA-2026-002 | NC-2026-002 | 1. Conduct the overdue finance system access review immediately; document findings; remove any inappropriate access. 2. Implement Entra ID Access Reviews to automate quarterly certification going forward, eliminating the manual tracking dependency. | IT Manager | 4 hours (access review); 8 hours (Access Reviews configuration) | 2026-04-30 | Signed access review report with list of users reviewed and any removals documented; Access Reviews configuration screenshot showing quarterly schedule; test run completion confirmation | In Progress | – | – |
| CA-2026-003 | NC-2026-003 | 1. Configure automated SIEM alert for any Critical or High CVSSv3 finding from the vulnerability scanner; alert to IT Manager and ISM. 2. Create minimum scanner configuration standard document. 3. Implement patch compliance dashboard (Tenable.io or Qualys dashboard) with SLA traffic-light view. | IT Manager | $1,500 (dashboard configuration); 8 hours internal | 2026-03-31 | SIEM alert rule screenshot with test trigger evidence; configuration standard document; patch compliance dashboard screenshot showing current status | Closed | ISM | 2026-03-28 |
| CA-2026-004a | NC-2026-004 | Draft a standard security contract clause library covering the 9 mandatory clauses defined in the Supplier Security Policy (ISMS-POL-006 Section 3). Review with legal counsel. Obtain CISO approval. | Legal / CISO | 8 hours internal + external legal review ($1,500) | 2026-04-30 | Approved security clause library document signed by CISO; legal review confirmation | In Progress | – | – |
| CA-2026-004b | NC-2026-004 | Conduct a full audit of all existing supplier contracts (all Tiers). Identify gaps against the Supplier Security Policy. Prioritise Tier 1 suppliers. Negotiate and obtain signed security addenda for all Tier 1 suppliers. Update Supplier Register. | Legal / ISM | 16 hours internal + external legal cost ($3,000 estimated) | 2026-05-31 | Signed addenda for all Tier 1 suppliers; updated Supplier Register with contract review date for each supplier; gap analysis log showing all contracts reviewed | In Progress | – | – |
| CA-2026-004c | NC-2026-004 (systemic fix) | Update the Supplier Security Policy to include a requirement: "When this policy is materially revised, the ISM must conduct a review of all existing supplier contracts within 90 days of policy publication and document any identified gaps." | ISM | 2 hours | 2026-05-31 | Updated policy version (v1.1) with new clause; approved by CISO; distributed to all relevant staff | In Progress | – | – |
| CA-2026-005 | NC-2026-005 | 1. Immediately enrol the 3 January 2026 new starters in security awareness training; confirm completion. 2. Update the HR onboarding checklist to include "Enrol in security awareness training, due within 5 working days of start date". 3. Configure the training platform to send an automated enrolment notification to HR on each new user creation. | HR Manager | 3 hours | 2026-04-15 | Training completion certificates for all 3 new starters; updated onboarding checklist (v2) approved by HR Manager and ISM; training platform automation configuration screenshot | In Progress | – | – |
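The root cause of NC-2026-003 was findings sitting unreviewed with no alert on severity, and CA-2026-003 answers it with a Critical/High alert plus an SLA traffic-light dashboard. The following is an added example, written for this page and not part of the procedure or of any scanner or SIEM product, showing the logic such an alert rule and dashboard evaluate. The 30-day SLA for Critical comes from the page; the other SLA values, the 75% "amber" threshold, the host names, the vulnerability identifiers and the dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


# Remediation SLA in days per severity. Only the 30-day Critical figure comes
# from the Patch Management Procedure cited on the page; the rest are
# constructed placeholders for this example.
SLA_DAYS = {"Critical": 30, "High": 30, "Medium": 90, "Low": 180, "None": 365}

# Severities that trigger an immediate alert to the IT Manager and ISM (CA-2026-003).
ALERT_SEVERITIES = {"Critical", "High"}

# Fraction of the SLA after which an open finding turns amber (assumed value).
AMBER_FRACTION = 0.75


@dataclass
class Finding:
    host: str
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float
    first_seen: date      # date the scanner first reported the finding
    patched_on: Optional[date] = None


def days_outstanding(f: Finding, today: date) -> int:
    """Days between first report and patch (or today, if still open)."""
    end = f.patched_on if f.patched_on is not None else today
    return (end - f.first_seen).days


def traffic_light(f: Finding, today: date) -> str:
    """red = SLA breached (open or patched late), amber = approaching SLA, green = within SLA."""
    sla = SLA_DAYS[cvss_severity(f.cvss)]
    age = days_outstanding(f, today)
    if age > sla:
        return "red"
    if f.patched_on is None and age >= AMBER_FRACTION * sla:
        return "amber"
    return "green"


def needs_alert(f: Finding) -> bool:
    """Open Critical/High findings must never wait in a review queue."""
    return f.patched_on is None and cvss_severity(f.cvss) in ALERT_SEVERITIES


def compliance_report(findings: List[Finding], today: date) -> List[dict]:
    """One dashboard row per finding: severity, SLA, age, status and alert flag."""
    rows = []
    for f in findings:
        sev = cvss_severity(f.cvss)
        rows.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "severity": sev,
            "sla_days": SLA_DAYS[sev],
            "days_outstanding": days_outstanding(f, today),
            "status": traffic_light(f, today),
            "alert": needs_alert(f),
        })
    return rows


def sla_breaches(report: List[dict]) -> List[dict]:
    """Rows that would feed the Nonconformity Register as SLA breaches."""
    return [r for r in report if r["status"] == "red"]


# Constructed sample scanner output. The first entry mirrors the profile of
# NC-2026-003 (CVSS 9.1, patched after 47 days); the others are invented.
SAMPLE_FINDINGS = [
    Finding("soc-web-01", "EXAMPLE-VULN-1", 9.1, date(2026, 1, 1), date(2026, 2, 17)),
    Finding("hr-app-02", "EXAMPLE-VULN-2", 7.5, date(2026, 2, 20)),
    Finding("fileshare-03", "EXAMPLE-VULN-3", 5.3, date(2026, 3, 1)),
    Finding("db-04", "EXAMPLE-VULN-4", 9.8, date(2026, 1, 20)),
]
TODAY = date(2026, 3, 18)  # constructed "as of" date for the dashboard

if __name__ == "__main__":
    for row in compliance_report(SAMPLE_FINDINGS, TODAY):
        flag = "ALERT " if row["alert"] else "      "
        print(f"{flag}{row['status']:5} {row['severity']:8} {row['host']:13} "
              f"{row['days_outstanding']:3}/{row['sla_days']:3} days  {row['vuln_id']}")
```

Two design points match the RCA: a finding that was patched late still shows red, so the SLA breach remains visible as evidence for the register rather than disappearing once the patch lands; and the alert flag depends only on severity and open state, not on anyone reviewing a queue.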
5. Effectiveness Review
After the corrective action target date (or at the next internal audit cycle, whichever is earlier), the ISM or an independent auditor verifies that:
- The action was completed as described: evidence is available and matches the agreed completion criteria.
- The root cause has been addressed: the action targets the root cause identified in the RCA, not only the visible symptom.
- The nonconformity has not recurred: a reasonable period of operation (typically one quarter) has passed with no recurrence.
- Evidence of closure is sufficient: the verifier is satisfied that the evidence demonstrates effective control, not just compliance on paper.
If the effectiveness review concludes that the action has not worked (the NC has recurred, the root cause was wrong, or the evidence is insufficient):
- Do not re-open the original NC.
- Raise a new NC referencing the original, with a note that it is a recurrence or ineffective corrective action.
- Apply the full NC/RCA/CA process again.
6. Escalation Procedure
Nonconformities that are not progressing through the corrective action process within expected timelines must be escalated.
| Trigger | Escalation Action |
|---|---|
| Minor NC corrective action overdue by more than 30 days | ISM notifies CISO; CISO engages with action owner and line manager |
| Major NC corrective action not closed within 90 days of due date | CISO escalates to Top Management; Major NC placed on Management Review agenda |
| Major NC with systemic implications affecting multiple processes not closed within 180 days | Board notification; emergency Management Review if required; consider engaging external ISMS consultant |
| Recurrence of a previously closed Major NC | Immediate CISO notification; escalate to Board; review whether ISMS is fundamentally effective |
| Corrective action owner leaves organisation before action is complete | ISM reassigns ownership within 5 business days; updates Corrective Action Tracker |
7. Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial issue |