Information Security Management System Improvement Standard

Ensure continuous improvement of the suitability, adequacy and effectiveness of the ISMS.

Purpose

To establish how to react to Nonconformities when they occur and to evaluate the need for action to eliminate their causes.

To outline the review of the corrective actions taken and changes to the ISMS if needed.

Scope

This Standard covers all Nonconformities that have a bearing on the Corporate Group’s ISMS.

Responsibility

All Employees are responsible for identification of Nonconformities and implementation of corrective actions within their work responsibilities.

The Information Security Team is responsible for documenting Nonconformities and keeping the ISMS Nonconformity Registry.

Nonconformities identified during the internal audits must be closed by the auditor who performed the audit.

Reaction to Nonconformity

A Nonconformity can be identified by Employees or Third-parties, through internal audits, or from other sources.

All identified Nonconformities must be registered in the ISMS Nonconformity Registry.

Evaluation of Nonconformity

Each identified Nonconformity must be evaluated:

  • to identify the causes of Nonconformity

  • to determine if similar Nonconformities exist or could potentially occur

  • to analyze the impact that the Nonconformity may have had before it was discovered.

The Information Security Team is responsible for the evaluation of Nonconformities.

All information related to the evaluation of a Nonconformity must be documented in the ISMS Nonconformity Registry.

Implementation of Corrective Actions

Corrective actions appropriate to the impact of a Nonconformity, eliminating its causes and preventing its recurrence, must be identified and documented.

Corrective actions must have a designated responsible person for implementation.

Responsible persons must update the implementation status of corrective actions.

The Information Security Team must review the ISMS Nonconformity Registry every quarter to assess the corrective actions implemented and to close out the Nonconformities that have been successfully corrected and prevented from recurring.

A follow-up audit shall be carried out by an internal auditor to verify the effectiveness of the corrective actions implemented to address the Nonconformities raised during internal audits.

The Information Security Team must report on Nonconformities, corrective actions, and possible improvements at the ISMS management review meeting.

Continual Improvement

Continual improvement of the ISMS is achieved through internal audits, management reviews, corrective actions on Nonconformities, training and continuous professional development, and supervision and monitoring of assessors.

Information Assets in the PCI DSS scope must be reviewed at least quarterly to confirm that Employees are following the security policies and operational procedures. Reviews must cover the following processes:

  • Daily log reviews

  • Firewall rule-set reviews

  • Applying configuration standards to new systems

  • Responding to security alerts

  • Change management processes

All PCI DSS scope reviews must be documented in the ISMS Nonconformity Registry and reported to management.

Review and Update

This Standard must be maintained in accordance with the Information Security Policy.

Revision History

Version   Author   Approved By   Revision date   Approval date
0.1       GK                     2023-05-20      2023-05-23
0.2       DM                     2023-11-02      2023-11-02
0.3       GK       DM            2024-09-10      2024-09-10
