Title: Corrective Action Procedure
Document ID: [PROC-CAPA-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Corrective Action Procedure

## Purpose

This procedure defines how BlackDice should record, investigate, assign, track, and close corrective actions arising from ISMS issues.

## Scope

This procedure applies to corrective actions raised from incidents, audits, risk reviews, management review, testing, exceptions, and other control deficiencies within the ISMS scope.

## Trigger / When Used

Use this procedure when:

- an issue requires formal remediation tracking
- an audit finding or nonconformity is raised
- an incident or exercise identifies improvement actions
- management review requires follow-up actions

## Procedure Steps

1. Record the issue, source, impact, and required corrective action.
2. Assign an owner, target date, and priority based on risk and business impact.
3. Perform root cause analysis where appropriate to understand the underlying control or process weakness.
4. Define the remediation plan, including actions, dependencies, and evidence needed for closure.
5. Track progress and review overdue, blocked, or high-risk items regularly.
6. Verify that the corrective action has been completed effectively.
7. Close the action only when sufficient evidence exists and any residual risk is understood.
8. Update related risks, procedures, controls, or registers where the issue has wider implications.

## Inputs

- finding, issue, or improvement record
- supporting evidence
- risk and impact information
- proposed remediation plan

## Outputs / Records

- corrective action record
- status updates and escalation notes
- closure evidence
- linked updates to other records where applicable

## Roles and Responsibilities

- Action owners must deliver remediation and provide evidence.
- [Role] must oversee tracking and escalation of corrective actions.
- Reviewers must verify completion and effectiveness where required.

## Escalation / Exceptions

Escalate where:

- an action is overdue or repeatedly deferred
- remediation is ineffective or incomplete
- the issue presents significant ongoing risk
- cross-functional support is needed but not available

Exceptions to target dates or action scope must be documented and approved where required.

## Related Documents

- Incident Response Policy
- Internal Audit Procedure
- Management Review Procedure
- Corrective Actions Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |