Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.
Nonconformity and corrective action, part a)
When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; and deal with the consequences.
Nonconformity and corrective action, part b)
When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: reviewing the nonconformity; determining the causes of the nonconformity; and determining if similar nonconformities exist, or could potentially occur.
Nonconformity and corrective action, part c)
When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: implement any action needed.
Nonconformity and corrective action, part d)
When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken.
Nonconformity and corrective action, part e)
When a nonconformity occurs, the organization shall: make changes to the information security management system, if necessary.
Nonconformity and corrective action, part f)
Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken.
Nonconformity and corrective action, part g)
Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of: the results of any corrective action.