- Title: Corrective Action Procedure
- Document ID: [PROC-CAPA-001]
- Version: 0.1 Draft
- Status: Draft
- Owner: CISO (Paul Jenkins)
- Approver: CISO (Paul Jenkins)
- Classification: Internal
- Effective date: [DD Month YYYY]
- Review date: [DD Month YYYY]

# Corrective Action Procedure

## Purpose

This procedure defines how BlackDice should record, investigate, assign, track, and close corrective actions arising from ISMS issues.

## Scope

This procedure applies to corrective actions raised from incidents, audits, risk reviews, management review, testing, exceptions, and other control deficiencies within the ISMS scope.

## Trigger / When Used

Use this procedure when:

- an issue requires formal remediation tracking
- an audit finding or nonconformity is raised
- an incident or exercise identifies improvement actions
- management review requires follow-up actions

## Procedure Steps

1. Record the issue, source, impact, and required corrective action.
2. Assign an owner, target date, and priority based on risk and business impact.
3. Perform root cause analysis where appropriate to understand the underlying control or process weakness.
4. Define the remediation plan, including actions, dependencies, and evidence needed for closure.
5. Track progress and review overdue, blocked, or high-risk items regularly.
6. Verify that the corrective action has been completed effectively.
7. Close the action only when sufficient evidence exists and any residual risk is understood.
8. Update related risks, procedures, controls, or registers where the issue has wider implications.

## Inputs

- finding, issue, or improvement record
- supporting evidence
- risk and impact information
- proposed remediation plan

## Outputs / Records

- corrective action record
- status updates and escalation notes
- closure evidence
- linked updates to other records where applicable

## Roles and Responsibilities

- Action owners must deliver remediation and provide evidence.
- [Role] must oversee tracking and escalation of corrective actions.
- Reviewers must verify completion and effectiveness where required.

## Escalation / Exceptions

Escalate where:

- an action is overdue or repeatedly deferred
- remediation is ineffective or incomplete
- the issue presents significant ongoing risk
- cross-functional support is needed but not available

Exceptions to target dates or action scope must be documented and approved where required.

## Related Documents

- Incident Response Policy
- Internal Audit Procedure
- Management Review Procedure
- Corrective Actions Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |