Clause 10 Improvement — Nonconformities and Continual Improvement
Understanding the Anatomy of Organizational Maturity
Here's a truth most auditors won't tell you: the maturity of an organization's ISMS isn't revealed in their policies, their risk assessments, or even their technical controls. It's revealed in how they handle their failures. Clause 10 is where I see the starkest divide between organizations that view ISO 27001 as a checkbox exercise and those that genuinely use it to improve their security posture.
I've audited organizations with pristine-looking documentation and zero recorded nonconformities. That's not impressive—it's suspicious. It tells me either they're not looking hard enough, or they're hiding what they find. Conversely, I've seen organizations with thick nonconformity logs and robust corrective action programs that I'd trust with my data any day. They understand that Clause 10 isn't about perfection; it's about honest assessment and systematic improvement.
The Structure and Intent of Clause 10
Clause 10 in ISO 27001:2022 is deceptively simple—just two sub-clauses—but don't let that fool you. Clause 10.1 establishes the requirement for continual improvement of the ISMS's suitability, adequacy, and effectiveness. Clause 10.2 provides the machinery for this improvement through nonconformity and corrective action processes.
The 2022 revision didn't fundamentally restructure Clause 10, but the enhanced Annex A controls (now 93 instead of 114) and the stronger emphasis on risk-based thinking mean your improvement processes need sharper focus. Organizations still treating improvement as an annual management review afterthought are missing the dynamic, continuous nature that modern threats demand.
What auditors look for isn't rocket science. We need evidence that you:
- Systematically identify when requirements aren't met
- Take immediate action to control and correct nonconformities
- Address consequences and prevent recurrence
- Evaluate root causes—not just symptoms
- Review the effectiveness of corrective actions
- Update your ISMS based on lessons learned
Simple in theory. Brutally difficult in practice when organizational politics, budget constraints, and the natural human tendency to avoid admitting mistakes come into play.
What Actually Constitutes a Nonconformity
Here's where organizations consistently trip up: they set their nonconformity threshold too high. A nonconformity is simply the non-fulfillment of a requirement—any requirement. That could come from the ISO 27001 standard itself, your own policies, legal obligations, contractual commitments, or your Statement of Applicability.
I audited a financial services firm last year that had experienced three "minor" data spills in six months—employees emailing sensitive data to wrong recipients. No external exposure, caught quickly through Control 5.14 (Information transfer) monitoring, but clearly indicating the control wasn't working as designed. When I asked to see their nonconformity records, there were none. "Those were just incidents," the ISMS manager explained. "Not nonconformities."
Wrong. An incident that reveals a control gap is a nonconformity. The control requirement wasn't fulfilled effectively. By not logging these as nonconformities, they robbed themselves of the opportunity to conduct proper root cause analysis. They were stuck treating symptoms instead of causes.
Hidden Sources of Nonconformities
Internal audits are obvious sources, but if that's your only input, your improvement program is anemic. Mature organizations find nonconformities everywhere:
Management reviews (Clause 9.3): When leadership reviews ISMS performance and identifies unmet objectives, that triggers nonconformity evaluation. If your Control 5.18 (Access rights) review completion target is 95% and you're hitting 70%, don't just note it and move on. Log it, analyze it, fix it.
Security incidents: Every incident that bypassed your controls should generate nonconformity review. Not every incident is a nonconformity—sometimes attacks succeed despite adequate controls—but many reveal implementation gaps or effectiveness issues.
Monitoring and measurement (Clause 9.1): When your security metrics show control degradation, that's nonconformity evidence. If Control 8.7 (Protection against malware) monitoring shows detection rates dropping or coverage gaps, investigate whether the control meets its documented objectives.
External assessments: Penetration tests, vulnerability scans, and supplier audits frequently reveal gaps. A pen test finding unpatched systems despite your Control 8.8 (Management of technical vulnerabilities) procedures represents a clear nonconformity.
Stakeholder feedback: Customer complaints about security, supplier security questionnaire failures, or regulatory observations all signal potential nonconformities requiring investigation.
The Root Cause Analysis Challenge
Here's where I see the biggest failures: organizations that treat corrective action like a paperwork exercise. They identify a nonconformity, implement an obvious fix, close the record, and call it done. Six months later, the same type of issue emerges elsewhere.
Effective root cause analysis for security nonconformities requires understanding both technical and human factors. When Control 8.2 (Privileged access rights) fails because someone granted excessive permissions, the root cause isn't "human error." It might be inadequate training, unclear procedures, missing approval workflows, or tools that make mistakes easy.
I use a modified "5 Whys" approach tailored for information security contexts:
- What happened? (The observable nonconformity)
- Where did controls fail? (Which control objectives weren't met)
- When did it occur? (Timeline and trigger analysis)
- Who was involved? (Not for blame, but for process understanding)
- Why did it happen? (Systemic causes, not individual mistakes)
For complex nonconformities affecting multiple controls—like a data breach involving failures in access control, monitoring, and incident response—consider referencing ISO/IEC 27035 for incident management alignment and ISO/IEC 27037 for digital evidence handling.
What Auditors Actually Look For
When I audit Clause 10 compliance, I'm looking for specific evidence that improvement is happening systematically, not sporadically. Here's my checklist:
Nonconformity identification processes: Evidence that you're actively looking for nonconformities, not just waiting for them to surface. This includes monitoring programs, internal audit findings, incident analysis, and management review outputs.
Immediate response documentation: Records showing you took action to control and correct each nonconformity. For a Control 8.10 (Information deletion) failure involving retained data, I want to see evidence that the data was properly deleted and access was revoked.
Consequence management: Evidence that you assessed and addressed the impact. If personal data was exposed due to Control 5.33 (Protection of records) failure, show me the privacy impact assessment and stakeholder notification records.
Root cause analysis quality: Documentation that digs deeper than surface symptoms. I want to see analysis that considers people, process, and technology factors.
Corrective action effectiveness: Evidence that you followed up to verify fixes worked. If you implemented new Control 6.1 (Screening) procedures after a background check failure, show me metrics proving the enhanced process is effective.
ISMS updates: Records showing how lessons learned fed back into policies, procedures, and controls. The improvement loop must be closed.
Common Implementation Pitfalls
After fifteen years of auditing, I see the same mistakes repeatedly. Organizations that implement corrective action without addressing underlying systemic issues. Teams that focus on individual blame rather than process improvement. Management that rushes to close nonconformity records without verifying effectiveness.
The most dangerous pitfall is what I call "cosmetic compliance"—organizations that implement all the required documentation and processes but treat them as bureaucratic overhead rather than genuine improvement tools. They have nonconformity logs, conduct root cause analysis, and implement corrective actions, but nothing fundamentally improves because leadership doesn't believe in the process.
Tip: The best indicator of Clause 10 maturity isn't zero nonconformities—it's evidence that nonconformities are driving genuine improvements in security posture and operational effectiveness.
Building Effective Continual Improvement
Successful Clause 10 implementation requires shifting from reactive compliance to proactive improvement culture. Start by establishing clear criteria for what constitutes a nonconformity in your context. Train your teams to recognize control failures as improvement opportunities, not embarrassing mistakes.
Integrate nonconformity identification with your existing security operations. Link it to your Control 8.16 (Monitoring activities) outputs, incident response processes, and vulnerability management programs. When your SIEM identifies a security event that reveals a control gap, feed that into your Clause 10 processes automatically.
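As an added illustration that is not from the original article, the following Python register enforces the sequence auditors look for (immediate containment, a root cause that is not a symptom label such as "human error", corrective action, and an effectiveness check before the record can be closed) and opens a record automatically when a monitored metric misses its target, as with the 70% versus 95% access-rights review completion case above. The stage names, the symptom-label list and the sample values are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    OPEN = "open"            # nonconformity identified
    CONTAINED = "contained"  # immediate action taken to control and correct it
    ANALYSED = "analysed"    # root cause evaluated
    CORRECTED = "corrected"  # corrective action implemented
    CLOSED = "closed"        # effectiveness reviewed and confirmed


# Labels that describe a symptom rather than a systemic cause; rejected on purpose.
SYMPTOM_LABELS = {"human error", "user mistake", "carelessness"}


@dataclass
class Nonconformity:
    source: str       # e.g. "management review", "monitoring", "pen test"
    control: str      # Annex A control reference, e.g. "5.18"
    description: str
    stage: Stage = Stage.OPEN
    record: list = field(default_factory=list)  # audit trail of each step

    def _advance(self, expected: Stage, new: Stage, note: str) -> None:
        if self.stage is not expected:
            raise ValueError(f"cannot move from {self.stage.value} to {new.value}")
        self.stage = new
        self.record.append(f"{new.value}: {note}")

    def contain(self, action: str) -> None:
        self._advance(Stage.OPEN, Stage.CONTAINED, action)

    def analyse(self, root_cause: str) -> None:
        if root_cause.strip().lower() in SYMPTOM_LABELS:
            raise ValueError("root cause must name a systemic cause, not a symptom")
        self._advance(Stage.CONTAINED, Stage.ANALYSED, root_cause)

    def correct(self, action: str) -> None:
        self._advance(Stage.ANALYSED, Stage.CORRECTED, action)

    def verify(self, actual: float, target: float) -> bool:
        # Effectiveness review: close only when the post-fix measurement meets target.
        if actual < target:
            return False  # stays at CORRECTED; the fix has not been shown to work
        self._advance(Stage.CORRECTED, Stage.CLOSED, f"{actual} >= {target}")
        return True


def from_metric(source, control, name, actual, target):
    # Open a nonconformity when a measured control result misses its target.
    if actual >= target:
        return None
    return Nonconformity(source, control, f"{name}: {actual} < target {target}")
```

Feeding SIEM or monitoring outputs through `from_metric` is what turns a metric miss into a Clause 10 record instead of a note in a management review slide.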
For organizations struggling with resource constraints—particularly relevant given the practical guidance in the ISO 27001 SME Guide—focus on systemic improvements that address multiple potential nonconformities. Improving change management processes, for instance, can prevent various control failures across technical, administrative, and physical domains.
Remember that Clause 10 connects directly to your risk management processes under Clause 6.1. As you identify and correct nonconformities, feed those lessons back into your risk assessment methodology. The controls that fail most frequently might need risk treatment plan updates or additional risk mitigation measures.
Clause 10 isn't just about fixing problems—it's about evolving your ISMS to meet changing threats and business needs. Organizations that master this clause don't just maintain compliance; they build genuine cyber resilience.
For deeper guidance on implementing effective improvement processes or preparing for Clause 10 audit activities, consider joining the discussion at the IX ISO 27001 Info Hub where practitioners share real-world implementation experiences.
Need personalized guidance? Reach our team at ix@isegrim-x.com.