Owner: CISO
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001:2022 cl. 10.1–10.2; ISO/IEC 42001:2023 cl. 10; SOC 2 (CC4.2 — corrective action)
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001:2022 cl. 10.1–10.2; ISO/IEC 42001:2023 cl. 10; SOC 2 (CC4.2 — corrective action)
Purpose
Ensure that nonconformities — in the ISMS, the AIMS, control operation, or legal/contractual compliance — are corrected, their causes addressed, and the management systems continually improved.What raises a corrective action
A corrective action (CA) is opened on any of:- An internal audit finding (see Internal Audit Procedure).
- An external audit finding (SOC 2 / ISO certification / customer audit).
- A security or privacy incident (see Incident Response Policy) or AI incident.
- A failed control test (e.g., a Vanta test in
NEEDS_ATTENTION) that indicates a process gap rather than a one-off. - A management-review decision or a missed objective (see ISMS Management Review).
- A risk-treatment action that is overdue or ineffective.
- A complaint, whistleblower report, or customer-reported issue indicating a systemic gap.
Corrective action workflow
- Record the nonconformity in the corrective-action register (Linear
#compliance/#security), including: source, description, the criterion or requirement not met, severity, date raised, and owner. - Contain — take immediate action to control and correct the nonconformity and deal with its consequences (e.g., revoke access, patch, notify).
- Analyze root cause — determine why the nonconformity occurred, and whether similar nonconformities exist or could occur elsewhere. Use a structured method (5 Whys / fishbone) proportionate to severity.
- Plan corrective action — define the action(s) needed to eliminate the root cause so the nonconformity does not recur, with an owner and due date. Distinguish correction (fix the instance) from corrective action (fix the cause).
- Implement the action.
- Verify effectiveness — confirm the action eliminated the cause (e.g., re-test the control, re-audit the area). A CA is not closed until effectiveness is verified.
- Update the management system — where the root cause is a policy/procedure/control gap, update the affected document (via PR through the appropriate CODEOWNERS), the risk register, the Controls Inventory, and the relevant Statement of Applicability as needed.
Severity and timelines
| Severity | Definition | Containment | Root cause + plan | Verification |
|---|---|---|---|---|
| Major | Systemic control failure / requirement not met / major audit nonconformity | Immediate | Within 10 business days | Before next management review |
| Minor | Isolated lapse | Within 5 business days | Within 20 business days | Next review cycle |
| OFI | Improvement opportunity, no nonconformity | N/A | Prioritized in the improvement backlog | Tracked to objective |
Continual improvement
Neuroscale continually improves the suitability, adequacy, and effectiveness of the ISMS and AIMS by:- Tracking information-security and AI objectives (see the ISMS Management-System Register) and acting on those not on track.
- Maintaining an improvement backlog of OFIs from audits, reviews, incidents, and risk assessments.
- Reviewing CA trends at each ISMS Management Review — recurring causes drive structural change, not just point fixes.
Records
- Corrective-action register (per CA: source, root cause, action, owner, dates, verification).
- Retained for 6 years. See the Records Retention Schedule.
Cross-references
- Internal Audit Procedure — primary source of nonconformities.
- ISMS Management Review Procedure — reviews CA status and trends.
- Incident Response Policy — incident-driven corrective action.
- Risk Management Policy — risk-treatment linkage.
- ISMS Management-System Register — objectives.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial corrective action & continual improvement procedure. | Cameron Wolfe | Ishan Jadhwani |