Active Improvements
You will need to improve the suitability, adequacy and effectiveness of your ISMS.
Continuous improvement is part of Lean Compliance. In our Compliance Framework we embedded continuous improvement at every level of procedures and our way of working. Every Improvement will be closed with an evaluation of the effectiveness and be part of the annual Management Review . In this final annual assessment the total effectiveness of the ISMS is being validated.
In the ISO27001 standard and in compliance language there are multiple terminologies for improvements. Please find below a list of terms used in Compliance:
- Non-conformity : during 27001 external audit a non-conformity can be identified and action is needed, they will need to be addressed with a Corrective Action Plan. A template will be provided by the external auditor. In our Compleye Online we consider this as a finding and the Corrective Action Plan will be translated to an Improvement.
- Internal Audit findings : your internal auditor can report findings during internal audit, they also will need to be addressed with an Improvement in Compleye Online.
- Findings : During the planned yearly assessment (supplier, ISRA, GDPR, DPIA etc) findings can be defined and need to be addressed with Improvements.
- Improvements: In Compleye Online you can add an improvement at any time (eg during security meetings) If a risk occurs or an opportunity for the improvement arises.
By aligning all of the opportunities for the improvement to 1 consistent Improvement process – we are more in control and have better oversight on what we are working on.
The section improvements consists of 2 viewing lists:
- Schedule View -with an overview selected on Deadlines
- List View – with the possibility to select, sort or search specific improvements.
You can choose the time frame for the improvements, by making use of Start Month and End Month.
In your Documentation Toolkit you can find the template for Improvement Procedure. Make sure you add the Improvement Procedure in feature Procedure/Info.
Tips for adding improvements
- Give your Improvement a title that you and your ISMS team can recognize easily. (don’t change once defined to rule out misunderstanding)
- It is mandatory to assign an owner, owners can change.
- Finding: make sure that you use the same definition of finding as the original finding (of eg assessment) – so you will not get confused.
- Origin – will refer to the where this improvement comes from.
- Add a Due Date, pick a date for your first milestone/task of this improvement, some improvements will take several months, however will need sooner attention. So Due Date is more next Attention Date.
- Other areas affect by the same finding. This is a mandatory ISO27001 requirements during Risk Treatment process. And a good question to ask yourself. Can this finding maybe also occur to other products, projects, team members etc.? and take that into account when writing your treatment plan.
- Root Cause – also mandatory ISO27001 topic: Use eg the 5Why method. Before defining your treatment plan, perhaps you can dig deeper and find the real cause of this finding and address this on a different level/ approach. Always write down what you think the root cause is.
- Treatment plan: high level solution/approach how to solve this problem. you can also add documents, screenshots as evidence for a plan.
- the question “tech team involved” is an effectiveness/ISMS thing; check how many improvements have an impact on your tech team, and how much is non-tech.
- keep track of the progress and add notes, even if there is no progress.. add what the reason is.
- If your improvement is implemented – you can change the status from In progress to Ready for evaluation.
- Also if you think this improvement will have no longer an effect on the finding.. you can stop working on it and start evaluation process.
- If you have organized regular security meetings, the improvements will be on the standard agenda.
- Once you have saved the improvement – with at least an owner and deadline – the second screen will appear: Evaluation.
- Make sure that the person reviewing the improvement is not the owner of the improvement. That is why we suggest you will evaluate during security meetings.
- Address all topics in this part – as this will save you time in later stage, when you will need to define content for management review.
- But first effectiveness. Try to keep is small and practical. Eg finding related to assessments where defined to reduce the risks, is that true? or maybe it will save more time and has the impact on efficiency. (or integrity, accuracy)
- Not all improvements will have an effect on the finding. Circumstances might change… and perhaps other improvements already have solved the problem. make sure you note this.
- Choose a topic on one of the ISO7001 mandatory Management Review chapters, where this improvement suits best.
- And add short content telling what it is that you want to tell to the external auditor – or your C-Level.
- These last two points are required to be filled in order to have your Management Review Report automated within Compleye Online . Content for the management report you include in the evaluation of the improvement will be prefilled when you generate the Management Review Report from Closed Improvements Subsection. Under Management Review topic you can read all about the report automation and instructions.
- Once improvement is closed it will be automatically moved to closed improvements section
Add new Improvement
| Field Name | Description | Example |
| Title | free text field – descriptive name of the improvement | Add new Test Procedure to SDLC Procedure |
| Owner | select from the drop down list team member responsible for the implementation of the improvement | {name} |
| Finding | free text field – describe what the improvement is about, make sure you use consistent description/definition | testing takes to much time of the development process. |
| Due Date | pick a date from the calendar | {date} |
| Other areas affected by the same finding | free text field – note here if finding could also occur to other products, projects, team members or has impact on other parts of the ISMS etc. | no |
| Origin | select from a drop down list which part of ISMS does the improvement come from | Internal Audit |
| Route Cause | free text field – write by using 5Why method what caused and lead to the what the finding was about | This is a result of a change and upgrade of our development team, part of our development plan. |
| Treatment Plan | free text field – write high level solution/approach how to solve this problem | Tester will read, review and add new testing process. The result will be added as a pdf to this card – for evidence. The new test procedure will need to be explained in a training to the entire team. |
| Is a Tech Team involved in implementation | select a yes / no button – is this improvement tech related or requires tech team to contribute in resolving the finding | yes |
| Documents | +Upload a document | |
| Progress | free text field – add the note or remark on the status and progress of the improvement. | New evidence uploaded |
Evaluation of the improvement
| Field Name | Description | Example |
| Reviewed by | select from the drop down least the team member that is reviewing the improvement. Make sure this is not the same person as the owner of the improvement | {name2} |
| Does it have an effect on the finding? | free text field – how does the implemented improvement affect the finding, does it solve the problem and how | yes |
| if not or partly, is it motivated sufficiently | free text field – it can be that finding was already changed under the circumstances, so the improvement is not as relevant anymore | N/A |
| Management Review Topic | select from the Management Review Topics drop down list which topic does the improvement address the most | Opportunities for continuous improvement |
| Text for the management review | free text field – summarize the finding and improvement, choose and write the content you would like to present this to management team and external auditor | Project New Test protocol resulted in more automated testing and increased the speed of development. |
