NON-CONFORMANCE, CORRECTIVE AND PREVENTIVE ACTION POLICY
| Document Identification | HSNZ/POL/33 |
|---|---|
| Document Name | ISMS Internal Audit Policy |
| Master Copy | CISO |
| Version Number | 1.3 |
| Date Of Release | 15 Aug 2023 |
| Prepared By | Eparama Tuibenau, CISO |
| Approved by | Kevin McAfee, Managing Director |
VERSION HISTORY
| Sl No | Version No. From | Version No. To | Prepared by | Approved by | Description of Version | Date | Reason for Version Change |
|---|---|---|---|---|---|---|---|
| 1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made |
| 1 | 1.0 | 1.1 | CISO | MD | Updated | 04 Aug 2021 | Grammatical changes made |
| 1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review |
| 1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review |
DOCUMENT STATUS
| Date | Document Status |
|---|---|
| 14 Apr 2020 | Modified |
| 04 Aug 2021 | Reviewed |
| 28 Jul 2022 | Reviewed |
| 15 Aug 2023 | Current |
Table of Contents
1 Purpose
2 Scope
3 Responsibilities
4 Input
5 Output
6 Procedure
7 Records
1 PURPOSE
The purpose of this procedure is to provide a system and instructions, and to assign responsibilities, for the identification, control, review and disposition of non-conforming systems. Non-conforming systems include workmanship, documentation and services, as well as safety incidents, accidents and customer complaints.
The procedure also serves to demonstrate its own performance and to evaluate its effectiveness through the related activities.
2 SCOPE
The scope of this procedure applies to all systems which are supplied to and used by the company.
3 RESPONSIBILITIES
All Staff
4 INPUT
NCRs (Non-Conformance Reports) from the audits.
5 OUTPUT
Corrective action
6 PROCEDURE
The following are possible reasons for initiating a Non-Conformance:
Non-fulfilment of specified requirements identified during internal auditing, such as the following:
The absence or breakdown of a system needed to meet the requirement of a clause of ISO 27001:2013 or of other reference documents.
A failure to meet one aspect of the requirement of a clause of ISO 27001:2013 or of other reference documents, or a single observed lapse in following a company procedure.
A statement of fact made as part of an audit process and substantiated by objective evidence, by which the auditor draws attention to a minor system failure.
System NCR: Any system deviation, such as a deviation from procedures or the use of obsolete, uncontrolled or unapproved forms and documents, shall be treated as a non-conforming system. Such deviations shall be documented in the “Non-Conformance Report”, which shall describe the nonconformity detected, including the requirement concerned and the deficiency found. The original NCR copy is then forwarded to the concerned department (the Recipient), who will take the necessary action.
The department that initiates the Non-Conformance Report (the Originator) should record it in the “Non-Conformance Report” for records and monitoring.
The department against which the NCR has been issued shall investigate the cause of the non-conformance and shall propose suitable corrective action.
After the Recipient has proposed the corrective action, the NCR should be signed and returned to the Originator to review and monitor the proposed corrective action.
The Originator should review and evaluate the cause and corrective action recorded in the NCR, and decide whether they are acceptable or unacceptable based on the action taken by the Recipient.
If the proposed cause and corrective action are unacceptable, the Originator should discuss alternative actions with the Recipient to arrive at the best solution.
If the proposed cause and corrective action are acceptable, the Originator should follow up with the Recipient on the correction made as per the agreed target date.
The Recipient should implement the corrective action effectively and coordinate with the Originator, who shall verify the implementation and effectiveness of the action.
If the corrective action taken is ineffective, the Originator should discuss with the Recipient whether the action taken can be improved to make it more effective; otherwise, another NCR is initiated.
If the corrective action taken is effective, complete all the information required in the NCR and sign it.
To close the NCR, the Originator should complete all the information required in the verification of corrective action and sign it. The original NCR should be filed.
A copy of all non-conformance reports should be forwarded to the Information Security Management Representative (MR) for monitoring and controlling all company NCRs.
If the action(s) proposed for the closure of the NCR are not implemented, the MR will work with the responsible department head to set a new closure date. If the NCR is still not closed or the actions are not implemented, it is raised at the Management Review Meeting for further corrective action.
Preventive Action
The Functional Head shall plan to ensure the performance of the system and to determine preventive action for eliminating the cause(s) of potential nonconformities, in order to prevent their occurrence.
To improve the effectiveness of management actions for better performance, the Functional Heads and the CISO are encouraged to practise the Information Management System Principles.
Where necessary, a risk assessment may be conducted by the Functional Heads before implementation of the intended preventive actions.
For preventive planning, the Department Head shall conduct an assessment of any new development, activity, process, service and/or legal requirement, leading to the intended prevention of non-conformity occurrence as planned.
The assessment shall be analysed against data such as customer, legal and company requirements and past problems and controls, and shall be approved by the Functional Head / CISO.
Review of Preventive Actions
The status of preventive actions is evident in the ISMS / improvement plans and records, which shall be reviewed by Top Management and all Functional Heads in conjunction with the Management Review meeting.
Records for results of the preventive action(s) taken shall be kept.
7 RECORDS
Non-Conformance Report