Handling a Nonconformity and Corrective Actions


Time: 7 hours 56 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:00
Lesson 8.2
00:02
Handling a nonconformity and its corrective actions.
00:08
In this lesson, we will cover what to document for a nonconformity
00:12
as well as corrective action steps to be taken.
00:19
I'm sure I've mentioned it previously in one of the lessons,
00:23
but go and check out the ISO forum for great tips and example documents for your ISMS.
00:30
The link is provided on the screen,
00:33
but you can also Google them.
00:37
Nonconformities may be documented in the form of incidents that arise from your organization's incident management processes, audit findings, complaints and so forth.
00:48
If you want to keep consistency within your organization,
00:51
having all of these transferred to nonconformity or corrective action reports
00:56
will be a way to go about that.
01:00
In addition to having a document for each nonconformity noted,
01:03
it could be useful to have a register of nonconformities,
01:08
basically a sort of index.
01:11
So when you are dealing with hundreds of nonconformities,
01:14
having a centralized register would make tracking and keeping on top of the corrective actions a lot easier.
01:21
You can also then neatly file and link all the evidence for a particular nonconformity within the register to make it easier to access.
01:30
This will especially help you during an audit, when an auditor can pick and choose any of the nonconformities and their supporting information that he wants to see.
01:41
The final results of all the corrective actions
01:45
should also be linked here,
01:46
where corrective actions have been successfully implemented and verified to be effective in addressing the root cause.
01:53
There should be some sort of sign-off from an appropriate stakeholder demonstrating approval and close-out of the nonconformity.
02:02
So your nonconformity document,
02:06
which is also known as an NCAR form.
02:09
It stands for nonconformity and corrective action report.
02:15
Include the following information in this document:
02:19
The nonconformity number.
02:22
This is a unique identifier for a specific nonconformity.
02:25
Structure this number any way you want, but ensure that it is sequential
02:30
and that it generates a unique number for each nonconformity raised.
02:36
The date that the nonconformity was discovered,
02:39
a description of the nonconformity.
02:44
The source of the nonconformity in terms of where it was detected;
02:51
for example, was
02:53
this nonconformity identified from an internal audit,
02:58
a process nonconformity, a customer complaint,
03:01
etcetera.
03:05
What the immediate remedial action for the nonconformity is.
03:10
This means the immediate action
03:15
to prevent further damage from being caused by the nonconformity.
03:21
So, for example,
03:23
if your nonconformity
03:24
is a virus outbreak on one of your computers,
03:29
the immediate remedial action would be to disconnect that device from the network to prevent it spreading.
03:38
You would also include details about the investigation into the root cause of the nonconformity.
03:46
So in the antivirus example, or the virus infection example rather,
03:51
you would want to find out what was the root cause
03:53
of that machine getting a virus. Was it because it was
03:58
running with out-of-date antivirus signatures?
04:01
Did the user stick a flash drive in that had
04:04
some sort of virus on it? Did the virus come by email? Where did it originate from?
04:11
Once you understand the root cause, you will understand how better to treat the nonconformity and ensure that it doesn't occur again.
04:20
The next thing that you would want to document is the proposed corrective action to address the root cause.
04:29
So, for example,
04:31
if the virus came from
04:33
a flash drive being plugged in,
04:36
you would probably want to go and make sure that all machines are in fact receiving updates from the antivirus engine as and when they should,
04:46
and also that it is configured to automatically scan removable media upon insertion and to not autoplay any files.
04:56
A more stringent measure would be to disallow USB access altogether.
05:02
The approval of the proposed corrective action needs to be documented and formally signed off by an appropriate stakeholder.
05:11
And once the
05:12
corrective action has been implemented and completed,
05:15
you would go back to your nonconformity documentation
05:19
and ensure that it is updated with a confirmation that the corrective action was sufficient.
05:27
This is a post corrective action
05:29
implemented confirmation, and this would also require formal sign-off from an appropriate designated stakeholder.
05:39
The main output, once a nonconformity is detected, is the corrective action form that comes from it.
05:45
This shows that there are processes in place to detect when something within the ISMS is not working as planned
05:50
and that steps have been taken to correct this.
05:54
This feeds into the continual improvement process,
05:57
although we'll get into that specific process in more detail in the next lesson,
06:01
as the corrective action is making something better,
06:04
which will hopefully prevent the same nonconformity from occurring again in the future.
06:11
A corrective action can have both an immediate leg as well as a corrective action that might require some project planning and a lengthy effort.
06:24
Think about the virus example that we spoke about in the previous slide.
06:30
It is important to maintain all documentation pertaining to nonconformities.
06:35
On the previous slide, we spoke about what you need to document for a nonconformity.
06:40
It is also important to maintain evidence pertaining to the corrective actions, whatever that may be.
06:46
In other words, the proof that the corrective action was carried out as it should.
06:53
Your auditors would usually test on a sample basis so they could pick any nonconformity
06:59
or multiple nonconformities
07:01
and want to see all the supporting evidence to get comfort that the process is operating as intended.
07:09
So what are the corrective steps to be taken once a nonconformity is detected?
07:15
Firstly,
07:15
you would want to determine if corrective action is required based on the nonconformity severity.
07:23
Assess the nonconformity and determine if it is a repeat event.
07:29
Determine the impact as well as the implications of the nonconformity;
07:33
some will be more serious than others.
07:38
Perform a root cause analysis to identify all potential causes that led to the nonconformity,
07:45
analysis of any consequences that may arise on the ISMS, and whether there is a possibility for similar nonconformities to occur in other areas.
07:58
Next, identify the corrective actions to address the nonconformity immediately,
08:03
as well as those required to address the root cause.
08:07
Prioritize your corrective actions and implement according to your priority set.
08:15
Assess the corrective actions to ensure that the cause has been effectively remediated.
08:24
Just to summarize.
08:26
In this lesson, we covered which components need to make up your noncompliance and corrective action report, or your NCAR form.
08:37
We also covered what steps should be taken to plan and execute the identified corrective actions.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.