Corrective Action Plan Policy

Version: 1.1
Status: Approved
Last modified: April 2025
Next Review Date: October 2025

ISO Statement

oboloo Limited is actively preparing for ISO/IEC 27001:2022 certification and has implemented this Corrective Action Plan Policy in alignment with Clause 10 of the ISO/IEC 27001:2022 standard. This policy ensures nonconformities and security issues are systematically identified, documented, corrected, and prevented from recurring. It forms part of the continual improvement cycle of the Information Security Management System (ISMS).

Introduction

This Corrective Action Plan (CAP) Policy provides a standardised approach for the identification, documentation, resolution, and verification of nonconformities that may arise during audits, incidents, risk assessments, or operational weaknesses. It supports ongoing compliance and improvement of oboloo Limited’s ISMS and operational resilience.

Definitions

  • Nonconformity: Any failure to comply with ISO/IEC 27001, internal policies, or legal/security obligations.

  • Corrective Action Plan (CAP): A documented plan detailing remediation steps to address and prevent recurrence of a nonconformity.

  • Root Cause Analysis (RCA): A structured investigation to identify the origin of a problem.

  • CAP File: A centralised collection of records related to the lifecycle of a corrective action.

Who We Are and How to Contact Us

This policy is maintained by oboloo Limited, registered in England and Wales (Company No: 12420854).

Trading Address: 7 Bell Yard, London, England, WC2A 2JR
Contact Email: hello@oboloo.com

Acceptance of Terms

All employees, contractors, and authorised third parties are expected to comply with this policy. By participating in any process governed by this policy, individuals accept their responsibilities under the ISMS.

Changes to This Policy

This policy is reviewed every 6 months or following a significant incident, audit, or security event. Updates are communicated to all stakeholders as appropriate.

Related Policies

This policy should be read in conjunction with:

  • Information Security Policy

  • Access Control Policy

  • Internal Audit Procedure

  • Risk Management Policy

  • Incident Response Plan

Purpose

The purpose of this policy is to:

  • Define the guidelines for initiating, managing, and closing CAPs.

  • Assign clear ownership and accountability for corrective actions.

  • Ensure continual improvement through root cause analysis and resolution.

  • Align with ISO/IEC 27001 Clause 10 for corrective action and Clause A.10.1 / A.10.2 for continual improvement.

Scope

This policy applies to:

  • All oboloo Limited departments, systems, and personnel.

  • All nonconformities arising under the ISMS scope, including:

    • Internal audit findings

    • Security incidents and control failures

    • Risk treatment actions

    • Supplier or third-party service noncompliance

Exclusions: [To be defined – e.g., pre-contractual disputes or commercial disagreements]

Corrective Action Process

  • Identification

    • A nonconformity or security issue is detected during an audit, incident, risk review, or routine operation.

  • Root Cause Analysis (RCA)

    • The CAP owner completes an RCA using a documented method (e.g., 5 Whys, Fishbone).

  • Action Plan Development

    • Actions are documented including timelines, owners, dependencies, and required approvals.

  • Implementation

    • Corrective actions are implemented, and status is tracked.

  • Verification and Closure

    • The ISMS Owner or Audit Lead reviews the outcome and validates closure with evidence.

  • Monitoring and Escalation

    • Open CAPs are logged, tracked, and escalated if overdue or unresolved.

Appointment of a Corrective Action Manager

The Corrective Action Manager is responsible for:

  • Overseeing implementation and compliance with this policy.

  • Ensuring CAP files include RCA, actions, evidence, and correspondence.

  • Maintaining logs of open and closed CAPs.

  • Reporting on CAP trends and identifying systemic improvements.

  • Ensuring reassessment or escalation where issues persist.

Procedure and Authorisation

a) Documentation Requirements

Each CAP must include:

  • Documented CAP form

  • Root Cause Analysis

  • Assigned owners and deadlines

  • Evidence of implementation and closure

b) Review and Approval

  • Reviewed by the ISMS Owner or Audit Lead

  • Forwarded for management sign-off depending on risk severity

c) Signature Authority

  • CAPs must be signed by the Information Security Manager or a senior manager.

  • Approved CAPs are returned to the ISMS Manager for final recordkeeping.

Conflict of Interest

No employee may participate in identifying or resolving a nonconformity where doing so could present a conflict of interest. If a conflict is identified, an alternative reviewer will be assigned.

Training

Annual training is delivered to all staff on:

  • The CAP process

  • Their role in corrective actions

  • ISO/IEC 27001 continual improvement obligations

Records of participation are maintained by HR.

For More Information

Contact the HR team or the Information Security Manager at:
📧 hello@oboloo.com

ISO/IEC 27001 Annex A Mapping

Objective Area       | ISO/IEC 27001 Control Ref | Description
---------------------|---------------------------|-------------------------------------------
ISMS Auditing        | A.18.2.1                  | Independent review of information security
Corrective Action    | A.10.1.1 / A.10.2         | Improvements based on audit findings
Governance Oversight | A.5.1.2                   | Management oversight of ISMS

Review and Update of the Methodology

  • Review Frequency: Every 6 months or post-incident/audit

  • Owner: Information Security Manager

  • Distribution: Available to all staff under ISMS scope

Document Control

Version: 1.1
Date: April 2025
Description: Initial publication of corrective action tracking policy aligned to Clause 10

Previous Versions:
None – this is the first published version of this policy