Active Improvements

You will need to improve the suitability, adequacy and effectiveness of your ISMS. 

Continuous improvement is part of Lean Compliance. In our Compliance Framework we embedded continuous improvement at every level of procedures and our way of working. Every Improvement will be closed with an evaluation of the effectiveness and be part of the yearly Management Review. In this final yearly assessment the total effectiveness of the ISMS is being validated. 

In the ISO27001 standard and in compliance language there are multiple terminologies for improvements. Please find below a list of terms used in Compliance:

• Non-conformity : during 27001 external audit a non-conformity can be identified and action is needed, they will need to be addressed with a Corrective Action Plan. A template will be provided by the external auditor. In our Compleye Online we consider this as a finding and the Corrective Action Plan will be translated to an Improvement. 
• Internal Audit findings : your internal auditor can report findings during internal audit, they also will need to be addressed with an Improvement in Compleye Online. 
• Findings : During the planned  yearly assessment (supplier, ISRA, GDPR, DPIA etc) findings can be defined and need to be addressed with Improvements. 
• Improvements: In Compleye Online you can add an improvement at any time (e.g. during security meetings) If a risk occurs or an opportunity for the improvement arises. 

By aligning all of the opportunities for the improvement to 1 consistent Improvement process – we are more in control and have better oversight on what we are working on. 

The section improvements consists of 2 viewing lists:

1. Schedule View -with an overview selected on Deadlines
2. List View – with the possibility to select, sort or search specific improvements. 

You can choose the timeframe for the improvements, by making use of Start Month and End Month. 

In your Documentation Toolkit you can find the template for Improvement Procedure.  Make sure you add the Improvement Procedure in feature Procedure/Info. 

Tips for adding Improvements

• Give your Improvement a title that you and your ISMS team can recognize easily. (do not change once defined to rule out misunderstanding)
• It is mandatory to assign an owner, owners can change. 
• Finding: make sure that you use the same definition of finding as the original finding (of e.g. assessment) – so you will not get confused. 
• Origin – will refer to the where this improvement comes from.
• Add a Due Date, pick a date for your first milestone/task of this improvement, some improvements will take several months, however will need sooner attention. So Due Date is more next Attention Date.
• Other areas affect by the same finding. This is a mandatory ISO27001 requirements during Risk Treatment process. And a good question to ask yourself. Can this finding maybe also occur to other products, projects, team members etc.? and take that into account when writing your treatment plan. 
• Root Cause – also mandatory ISO27001 topic: Use e.g. the 5Why method. Before defining your treatment plan, perhaps you can dig deeper and find the real cause of this finding and address this on a different level/ approach. Always write down what you think the root cause is. 
• Treatment plan: high level solution/approach how to solve this problem. you can also add documents, screenshots as evidence for a plan. 
• the question “tech team involved” is an effectiveness/ISMS thing; check how many improvements have an impact on your tech team, and how much is non-tech. 
• keep track of the progress and add notes, even if there is no progress.. add what the reason is. 
• If your improvement is implemented – you can change the status from In progress to Ready for evaluation.
• Also if you think this improvement will have no longer an effect on the finding.. you can stop working on it and start evaluation process. 
• If you have organized regular security meetings, the improvements will be on the standard agenda. 
• Once you have saved the improvement – with at least an owner and deadline – the second screen will appear: Evaluation. 

• Make sure that the person reviewing the improvement is not the owner of the improvement. That is why we suggest you will evaluate during security meetings. 
• Address all topics in this part – as this will save you time in later stage, when you will need to define content for management review. 
• But first effectiveness. Try to keep is small and practical. E.g. finding related to assessments where defined to reduce the risks, is that true? or maybe it will save more time and has the impact on efficiency. (or integrity, accuracy)
• Not all improvements will have an effect on the finding. Circumstances might change… and perhaps other improvements already have solved the problem. make sure you note this. 
• Choose a topic on one of the ISO7001 mandatory Management Review chapters, where this improvement suits best. 
• And add short content telling what it is that you want to tell to the external auditor – or your C-Level.
  
  • These last two points are required to be filled in order to have your Management Review Report automated within Compleye Online. Content for the management report you include in the evaluation of the improvement will be prefilled when you generate the Management Review Report from Closed Improvements Subsection. Under Management Review topic you can read all about the report automation and instructions.
• Once improvement is closed it will be automatically moved to closed improvements section  

Add new Improvement

Evaluation of the improvement