Corrective Action Procedure
Document ID: PROC-004
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Frameworks: ISO 27001 (10.1, 10.2) | SOC 2 (CC4.2)
1. Purpose
This procedure defines how nonconformities are identified, investigated, and corrected to prevent recurrence. It supports the continual improvement of the ISMS.
2. Scope
All nonconformities arising from:
- Internal audits
- External certification audits
- Security incidents
- Management reviews
- Customer complaints
- Regulatory findings
- Monitoring and measurement results
3. Corrective Action Process
3.1 Identification
Nonconformities may be identified by any employee, auditor, or through automated monitoring. All nonconformities are recorded using the Corrective Action Template.
3.2 Root Cause Analysis
| Step | Action | Responsibility |
|---|---|---|
| 1 | Document the nonconformity clearly | Finder |
| 2 | Assess immediate impact and apply containment | Control Owner |
| 3 | Investigate root cause (use 5 Whys or similar) | Control Owner + Jan Marc Castlunger (ISO) |
| 4 | Document root cause findings | Jan Marc Castlunger (ISO) |
3.3 Corrective Action Planning
| Element | Description |
|---|---|
| Action | Specific steps to address root cause |
| Owner | Person responsible for implementation |
| Target date | Deadline for completion |
| Evidence | What evidence will demonstrate effectiveness |
3.4 Implementation
- Control Owner implements the corrective action
- Progress updates provided to ISO at agreed intervals
- Changes to policies, procedures, or controls follow the Change Management Policy
3.5 Verification
- ISO verifies corrective action has been implemented as planned
- Effectiveness is assessed — has the root cause been addressed?
- If ineffective, the corrective action is reopened and revised
- If effective, the corrective action is closed with evidence
4. Tracking and Reporting
4.1 Corrective Action Log
| Field | Description |
|---|---|
| CA ID | CA-YYYY-NNN (e.g. CA-2026-001) |
| Source | Audit / Incident / Review / Complaint |
| Nonconformity | Description of the issue |
| Root cause | Result of investigation |
| Action | Corrective steps planned |
| Owner | Responsible person |
| Target date | Deadline |
| Status | Open / In Progress / Closed |
| Closure evidence | Documentation of effectiveness |
4.2 Management Reporting
- Open corrective actions are reviewed at each management review
- Overdue corrective actions are escalated to the ISO
- Trends in nonconformities are analysed annually to identify systemic issues
5. Records
All corrective action records are retained for 3 years in Google Drive > Security > Corrective Actions.
6. Review
This procedure is reviewed annually or when the corrective action process requires improvement.
Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH
Date: March 2026