CORRECTIVE & PREVENTIVE ACTION PROCEDURE

KING SAUD UNIVERSITY

DEANSHIP OF E-TRANSACTIONS & COMMUNICATION

VERSION 1.1

INTERNAL USE ONLY

Prepared By: Altamash Sayed
Reviewed By: Nasser A. Ammar
Approved By: Dr. Mohammed A Alnuem

REVISION HISTORY

Sr. No. | Date of Revision | Ver. | Validity | Description of change | Reviewed By | Approved By
1 | 18/03/12 | 1.0 | One Year | Initialization | Nasser A. Ammar | Dr. Mohammed A Alnuem
2 | 02/03/13 | 1.1 | One Year | Department Ownership Changed | Mr. Toqeer Ahmad | Mr. Mohammed A. Alsarkhi
3 | 05/03/13 | 1.1 | One Year | No Change | Mr. Toqeer Ahmad | Mr. Mohammed A. Alsarkhi

DISTRIBUTION LIST

Sr. No | Version Number | Name | Designation | Department
TABLE OF CONTENTS

1. PURPOSE  4
2. SCOPE  4
3. RELATED POLICIES AND PROCEDURES  4
4. PROCEDURE ENFORCEMENT / COMPLIANCE  4
5. DOCUMENT OWNER  4
6. ROLES & RESPONSIBILITY  5
7. INVOCATION  5
8. PROCESS FLOWCHART  6
9. PROCEDURE DETAILS  7
10. OUTPUTS  9
11. RECORDS  9
12. ANNEXURE  10
12.1 FORM  10
12.2 CONTINUOUS IMPROVEMENT LOG  11

1. PURPOSE

King Saud University ETC Deanship has developed a procedure for corrective and preventive actions in order to continually improve the effectiveness of security. Corrective and preventive actions are taken based on the results of internal/external audits, management reviews or other relevant information, to achieve continual improvement of the security infrastructure.

2. SCOPE

This procedure applies to King Saud University (KSU) - eTransactions & Communication (ETC) Deanship and all parties, its affiliated partners or subsidiaries, including data processing and process control systems, that are in possession of or using information and/or facilities owned by the KSU-ETC Deanship.

This procedure applies to all staff/users that are directly or indirectly employed by the KSU-ETC Deanship, its subsidiaries, or any entity conducting work on behalf of KSU that involves the use of information assets owned by the ETC Deanship.

3. RELATED POLICIES AND PROCEDURES

None

4. PROCEDURE ENFORCEMENT / COMPLIANCE

Compliance with this procedure is mandatory, and ETC Deanship managers shall ensure continuous compliance monitoring within their departments. Compliance with the statements of this procedure is subject to periodic review by the Risk & Information Security Department, and any violation of the procedure will result in corrective action by the ISMS Steering Committee.

Disciplinary action will depend on the severity of the violation, as determined by the investigation. Actions such as termination, or others as deemed appropriate by ETC Management and the Human Resources Department, will be taken.

5. DOCUMENT OWNER

ISMS Manager

6. ROLES & RESPONSIBILITY

Each role involved in this procedure shall have the following main responsibilities:

1. ISMS Steering Committee
   - Ensures that all steps within this procedure are executed correctly and on time.
   - Reviews and/or proposes corrective/preventive actions to the ISMS Manager.

2. ISMS Manager
   - Takes decisions on corrective/preventive actions as required.
   - Prepares reports on nonconformities and corrective/preventive actions.

7. INVOCATION

This procedure shall be followed whenever there is:

Internal Audits: the result of internal audits.

External Audits: the result of external audits.

Effectiveness measurements: after measuring the effectiveness of the controls and suggesting new controls to be implemented.

Risk Management Process: a recommendation of the Risk Management Process.

Incidents (Learning cycle): actions to be taken to close certain incidents.

8. PROCESS FLOWCHART

[Flowchart: Corrective and Preventive Actions Procedure. Inputs feeding the process: Internal Audits, External Audits, Risk Management Process, Incidents (Learning cycle), Effectiveness measurements. Swimlanes: ISMS Manager, ISMS Steering Committee.]

Start
  -> Step 1 (ISMS Manager): Identify corrective/preventive action & its cause; produces the Corrective/Preventive Action Form
  -> Step 2 (ISMS Steering Committee): Decide necessary action (decision)
       Yes -> Step 3 (ISMS Manager): Take necessary action
              -> Step 4 (ISMS Manager): Update Continuous Improvement Log; stored in the Continuous Improvement Log file
       No  -> Update Continuous Improvement Log file
  -> Step 5 (ISMS Steering Committee): Management Review, using the Continuous Improvement Log file
  -> End

Legend: Start / End = start and end of the procedure; Reference to another procedure = another related procedure; Input / Output = input or output information; Storage to file = log/record; Step n = an activity / step; Decision = a decision in a procedure; Form = document / form; numbered connector = follow to step no.; arrows = flow of 2 or more different decisions.
9. PROCEDURE DETAILS

This section reflects the broad activities/steps to be carried out in the procedure.

STEP 1: IDENTIFY CORRECTIVE / PREVENTIVE ACTION & ITS CAUSE

Responsibility

ISMS Manager

Input

Issue identified

Actions

A corrective/preventive action could be identified through various ways (e.g. internal audit, external audit, review of performance indicators, etc.).

A Corrective/Preventive Actions Form is then prepared.

Output

Corrective or Preventive Actions Form

STEP 2: REVIEW AND DECIDE NECESSARY ACTION

Responsibility

ISMS Steering Committee

Input

Corrective/Preventive Actions Form

Actions

The Committee reviews the audit results, Risk Management recommendations and incident reports, together with the proposed actions to be taken.

If the ISMS Steering Committee determines that the corrective/preventive actions on the Corrective/Preventive Actions Form are valid and required, proceed to step 3.

If not, forward the form to the ISMS Manager to update the Continuous Improvement Log File.

Output

Corrective or Preventive Actions Form; Continuous Improvement Log File

STEP 3: TAKE NECESSARY ACTION

Responsibility

ISMS Manager

Input

Corrective/Preventive Actions Form

Actions

If the ISMS Steering Committee decided to take action, the ISMS Manager implements the corrective/preventive action. Once the action has been implemented, the ISMS Manager completes the Corrective & Preventive Action Form. Proceed to step 4.

If the ISMS Steering Committee decided not to take action, the ISMS Manager updates the Continuous Improvement Log File and keeps the completed Corrective & Preventive Action Form in his records. Proceed to step 5.

Output

File containing records of Corrective & Preventive Action Forms

STEP 4: UPDATE CONTINUOUS IMPROVEMENT LOG

Responsibility

ISMS Manager

Input

Continuous Improvement Log File

Actions

The ISMS Manager submits to the Committee a summary of the corrective and preventive actions that have been taken, for evaluation of the effectiveness of those actions.

Output

Management Review Log File

STEP 5: MANAGEMENT REVIEW

Responsibility

ISMS Steering Committee

Input

Corrective / Preventive Actions Form

Continuous Improvement Log File

Actions

The Security Committee reviews the Continuous Improvement Log File.

Output

File containing records of Corrective & Preventive Action Forms

10. OUTPUTS

The following are the outputs of the process:

Audit findings addressed.

Recommendations to improve the ISMS.

11. RECORDS

The following is the list of all applicable records that are the evidence of implementation of the process. The records are maintained in hard and soft copy.

Corrective and Preventive Actions Form

Continuous Improvement Log File

12. ANNEXURE

12.1 FORM

CORRECTIVE AND PREVENTIVE ACTIONS FORM

Corrective Action

Preventive Action

A. DESCRIPTION OF CORRECTIVE, PREVENTIVE ACTION

ISO 27001 Standard paragraph reference

B. ROOT CAUSE OF FINDINGS :

C. PROPOSED ACTIONS :

D. RESPONSIBLE FOR THE IMPLEMENTATION / TIME OF COMPLETION

ISMS MANAGER

Full Name:

Date:

Signature:

12.2 CONTINUOUS IMPROVEMENT LOG

CONTINUOUS IMPROVEMENT LOG FILE

Columns: Non Conformity Identification | Identified by | Cause of Non Conformity | Action Type (Corrective or Preventive) | Action to be taken | Responsible for Identification | Responsible for Monitoring | Target Completion date | Actual Completion Date | Signature | ISO Reference