Corrective Action Plan
Version: 1.1
Status: Approved
Last modified: April 2025
Next Review Date: October 2025
ISO Statement
oboloo is actively preparing for ISO/IEC 27001 certification and has established this Corrective Action Plan process in alignment with Clause 10 of the ISO/IEC 27001:2022 standard. This policy ensures that nonconformities and security issues are systematically addressed and prevented from recurring.
Purpose
The purpose of this policy is to define a structured process for identifying, documenting, and resolving nonconformities that may arise from internal audits, security incidents, risk assessments, or operational weaknesses.
Summary
When a nonconformity is identified, oboloo initiates a root cause analysis and documents a corrective action plan (CAP). The CAP includes specific actions, assigned owners, deadlines, and verification steps. Completion is tracked, and recurring issues are flagged for further review.
Scope
This policy applies to all oboloo departments, systems, processes, and third parties that fall under the scope of the Information Security Management System (ISMS). It includes:
Internal audit findings
Failed controls or incidents
Security risk remediation
Supplier or system-related failures
Corrective Action Process
Identification: Nonconformity or issue is logged
Analysis: Root cause is identified
Action Plan: Defined actions, deadlines, and owners are assigned
Implementation: Corrective actions are executed and documented
Verification: Closure is reviewed and confirmed by ISMS owner or audit lead
Tracking: Open actions are logged and monitored until resolved
Alignment with Risk and Compliance Priorities
This process supports continual improvement under ISO 27001 Clause 10 and ensures nonconformities do not undermine oboloo’s security, legal, or contractual obligations.
ISO/IEC 27001 Annex A Mapping
Objective Area | ISO/IEC 27001 Control Ref | Description |
---|---|---|
ISMS Auditing | A.18.2.1 | Independent review of information security |
Corrective Action | A.10.1.1 / A.10.2 | Improvements based on audit findings |
Governance Oversight | A.5.1.2 | Management oversight of ISMS |
Review and Update of the Methodology
Bi-Annual Review: This policy is reviewed every 6 months or after significant incidents, audits, or security events.
Updates: If significant risks, compliance requirements, or operational changes arise, this policy will be adjusted accordingly and documented here.
Document Control
Version: 1.1
Date: April 2025
Description: Initial publication of corrective action tracking policy aligned to Clause 10
Previous Versions:
None – this is the first published version of this policy