Initial commit
83
03-procedures/corrective-action-procedure.md
Normal file
@@ -0,0 +1,83 @@
Title: Corrective Action Procedure
Document ID: [PROC-CAPA-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Corrective Action Procedure

## Purpose

This procedure defines how BlackDice should record, investigate, assign, track, and close corrective actions arising from ISMS issues.

## Scope

This procedure applies to corrective actions raised from incidents, audits, risk reviews, management review, testing, exceptions, and other control deficiencies within the ISMS scope.

## Trigger / When Used

Use this procedure when:

- an issue requires formal remediation tracking
- an audit finding or nonconformity is raised
- an incident or exercise identifies improvement actions
- management review requires follow-up actions

## Procedure Steps

1. Record the issue, source, impact, and required corrective action.
2. Assign an owner, target date, and priority based on risk and business impact.
3. Perform root cause analysis where appropriate to understand the underlying control or process weakness.
4. Define the remediation plan, including actions, dependencies, and evidence needed for closure.
5. Track progress and review overdue, blocked, or high-risk items regularly.
6. Verify that the corrective action has been completed effectively.
7. Close the action only when sufficient evidence exists and any residual risk is understood.
8. Update related risks, procedures, controls, or registers where the issue has wider implications.

## Inputs

- finding, issue, or improvement record
- supporting evidence
- risk and impact information
- proposed remediation plan

## Outputs / Records

- corrective action record
- status updates and escalation notes
- closure evidence
- linked updates to other records where applicable

## Roles and Responsibilities

- Action owners must deliver remediation and provide evidence.
- [Role] must oversee tracking and escalation of corrective actions.
- Reviewers must verify completion and effectiveness where required.

## Escalation / Exceptions

Escalate where:

- an action is overdue or repeatedly deferred
- remediation is ineffective or incomplete
- the issue presents significant ongoing risk
- cross-functional support is needed but not available

Exceptions to target dates or action scope must be documented and approved where required.

## Related Documents

- Incident Response Policy
- Internal Audit Procedure
- Management Review Procedure
- Corrective Actions Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
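Review bot: the metadata block at the top of the file (`Title:` through `Review date:`) has no `---` front-matter delimiters and no blank lines or list markers between its nine entries, so a Markdown renderer will collapse them into a single paragraph; wrap the block in `---` lines as YAML front matter, or make each entry a bullet, so the document ID, version and dates stay readable. Two placeholders also stand out against the named fields: `Owner` and `Approver` are both `CISO (Paul Jenkins)`, which leaves no approval independent of the document owner, and the `[Role]` entry under Roles and Responsibilities is the only responsibility in the procedure without a named role even though the CISO is named in the header; both should be resolved before the draft moves out of `Status: Draft`.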