Clause 10 Improvement

Clause 10 Improvement

Version: 3.0

Valid until: 2025-03-11

Classification: Low

Version Management


Version

Author(s)

Change(s)

Date approved

1.0

Stefan van Aalst

Edward Robinson

Initiation document

2022-05-20

1.1

Edward Robinson

Additions/changes as part of the periodic review and improvement.


Renamed to Clause 10 Improvement from B01 Information security policy.

2022-12-07

2.0Edward RobinsonAdditions/changes as part of the annual review.

No changes have been made.
2023-05-15
3.0
Edward Robinson
Additions/changes as part of the annual review.

Updated the links for the internal and external audit reports under Administrations.

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and  has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC/27001:2017, the international standard for information security.


The purpose of this document is to describe anDREa’s commitment to continual improvement.


This document will be updated at least annually and when significant change happens.

Objective


The objective of this control is:


  • To ensure that nonconformities are properly handled (10.1).

  • To ensure continual improvement of the ISMS (10.2).

Scope

The scope of this document is described in Clause 4 Context of the organisation


Availability


This document is:

  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

10.1 Nonconformities and corrective action

“When a nonconformity occurs the organisation shall:

a) react to the nonconformity, and as applicable (1) take action to control and correct it; and (2) deal with the consequences.

b) evaluate the need for action the eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by (1) reviewing the nonconformity; (2) determining the causes of the nonconformity; and (3) determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken; and

e) make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organisation shall retain documented information as evidence of:

f) the nature of the nonconformities and any subsequent actions taken, and

g) the results of any corrective action.”


Nonconformities as a result from internal and external audits are registered in a ticket. In the ticket, a root cause analysis is detailed followed by a corrective action plan (CAP) and indication of when the corrective action is in place. Management shall approve that the root cause analysis and CAP is adequate, and that the ticket is completed according to the standard procedure mentioned above. anDREa retains documented information of all found nonconformities, CAPs and the results of the CAPs.

10.2 Continual improvement

“The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.”


anDREa is committed to continually improve the ISMS as described in Clause 4 Context of the organisation

Administration


    • Related Articles

    • Clause 8 Operation

      Version: 3.0 Valid until: 2025-04-12 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...

    • Clause 5 Leadership

      Version: 3.0 Valid until: 2025-03-14 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...

    • Clause 9 Performance evaluation

      Version: 3.0 Valid until: 2025-03-11 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...

    • Clause 7 Support

      Version: 3.0 Valid until: 2025-03-11 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...

    • Clause 6 Planning

      Version: 3.0 Valid until: 2025-04-16 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...