Continual improvement
Plain English Translation
Clause 10.1 requires the organization to keep enhancing its Information Security Management System (ISMS) over time. Maintaining the status quo is not enough: you must actively look for opportunities to make the ISMS and its controls more suitable (fit for the organization's context), adequate (sufficient for the risks faced), and effective (actually achieving the intended outcomes). The inputs are the data the ISMS already produces, such as internal audit findings, risk assessment results, security metrics, and management review outputs; the outputs are planned, resourced changes that reduce risk or improve efficiency, with evidence that they worked.
Technical Implementation
Required Actions (startup)
- Track improvements as tasks in the engineering backlog labeled 'Security Improvement'
- Discuss potential improvements during management reviews (Clause 9.3); an annual cadence is typical for a startup
- Implement changes based on the results of the first internal audit
Required Actions (scaleup)
- Maintain a dedicated 'Continual Improvement Log' separate from bug tracking
- Set specific KPIs for process efficiency (e.g., reducing access request time)
- Link improvements directly to root cause analysis of past incidents
Required Actions (enterprise)
- Utilize a GRC platform to map improvements to strategic business objectives
- Conduct maturity assessments against industry benchmarks (e.g., CMMI)
- Automate the feedback loop from security metrics to improvement planning
The primary requirement is to continually improve the suitability, adequacy, and effectiveness of the ISMS. This means the system must get better over time at managing risks and meeting business needs.
Organizations demonstrate improvement through documented evidence such as completed corrective actions, updated policies, deployment of better security tools, and positive trends in security metrics/KPIs.
Steps typically include: 1) Analyzing performance data (audits, reviews), 2) Identifying opportunities, 3) Planning actions (resources/timelines), 4) Implementing changes, and 5) Verifying effectiveness.
The PDCA (Plan-Do-Check-Act) cycle is the engine of improvement. Clause 10.1 represents the 'Act' phase (or the result of the cycle), where lessons learned from 'Checking' are used to adjust and improve the 'Plan'.
Examples include automating manual access reviews, retiring deprecated cryptographic algorithms and cipher suites in favour of current ones, shortening incident detection and response times, or expanding the scope of the ISMS to cover new departments or systems.
Internal audits (Clause 9.2) identify nonconformities and gaps (inputs), while management reviews (Clause 9.3) provide the strategic direction and resource authorization (decisions) needed to implement improvements. Note that correcting a specific nonconformity and its root cause is handled under Clause 10.2 (nonconformity and corrective action); Clause 10.1 covers the broader, ongoing improvement of the ISMS beyond individual corrections.
Metrics might include the reduction in the number of nonconformities over successive audit cycles, improved scores in maturity assessments, lower mean time to detect (MTTD) and mean time to resolve (MTTR) incidents, or higher training completion rates. A metric only demonstrates improvement when it is tracked against a target and a prior baseline, so record both alongside the value.
Leadership (Clause 5.1) is responsible for promoting a culture of improvement, ensuring resources are available for enhancements, and ensuring the ISMS remains aligned with strategic direction.
"The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-18 | WatchDog Security GRC Team | Initial publication |