To provide documented evidence of the nature of non-conformities, the actions taken, and the results, you should maintain records and documents that capture all aspects of the non-conformity management process. Here’s a list of key documents and records that can be used as evidence:
1. Non-Conformity Reports
Report Forms: Standardized forms or templates documenting each non-conformity, including its nature, description, date identified, and the affected areas.
Incident Logs: Detailed logs that track all reported non-conformities, including the initial identification and any interim observations.
2. Root Cause Analysis Documentation
Analysis Reports: Documents detailing the methods used for root cause analysis, such as Fishbone Diagrams or the 5 Whys, and the findings from the analysis.
Evidence Collection: Records of evidence gathered during the analysis, including data, interviews, and observations.
3. Corrective Action Plans
Action Plans: Documents outlining the corrective actions planned to address each non-conformity, including specific actions, responsible persons, deadlines, and required resources.
Approval Records: Evidence that corrective action plans have been reviewed and approved by relevant management or stakeholders.
4. Implementation Records
Action Tracking Logs: Logs or project management tools tracking the implementation of corrective actions, including progress updates and completion status.
Implementation Reports: Detailed reports documenting the steps taken to implement each corrective action and any adjustments made during the process.
5. Effectiveness Review Records
Follow-Up Audit Reports: Reports from follow-up audits or reviews assessing the effectiveness of corrective actions and verifying that non-conformities have been resolved.
Performance Metrics: Data showing the impact of corrective actions on performance indicators related to the non-conformity.
6. Feedback and Communication Records
Feedback Forms: Records of feedback collected from stakeholders about the corrective actions and their effectiveness.
Communication Records: Documentation of communications related to the non-conformity and actions taken, including emails, meeting minutes, and internal memos.
7. Management Review Documentation
Management Review Minutes: Minutes from management review meetings where non-conformities and corrective actions are discussed, including decisions made and action items.
Review Reports: Summaries of management reviews, including the outcomes related to non-conformity management and any changes or improvements identified.
8. Continuous Improvement Records
Improvement Logs: Records of improvements made to the ISMS as a result of addressing non-conformities, including updates to policies, procedures, and controls.
Lessons Learned: Documentation of lessons learned from the non-conformity management process and how they have been applied to enhance the ISMS.
Example Documents and Records
Non-Conformity Report Form
Content: Nature of non-conformity, date, description, affected processes.
Purpose: Initial identification and documentation of the issue.
Root Cause Analysis Report
Content: Analysis method, findings, root cause(s).
Purpose: Detailed analysis of the underlying cause(s) of the non-conformity.
Corrective Action Plan
Content: Actions to be taken, responsible persons, deadlines.
Purpose: Outline of steps to correct the non-conformity and prevent recurrence.
Implementation Tracking Log
Content: Status of action items, progress updates.
Purpose: Track the execution of corrective actions.
Follow-Up Audit Report
Content: Audit findings, effectiveness of corrective actions.
Purpose: Verification of the effectiveness of implemented actions.
Feedback Form
Content: Stakeholder feedback on corrective actions.
Purpose: Collect input on the effectiveness and impact of actions.
Management Review Minutes
Content: Discussions on non-conformities, decisions, and action items.
Purpose: Evidence of management oversight and review.
Improvement Log
Content: Details of changes made to the ISMS based on non-conformity management.
Purpose: Record of continuous improvement efforts.
Tools and Techniques
Document Management Systems: Use systems to organize, store, and manage records related to non-conformities and actions taken.
Project Management Tools: Track action items, progress, and implementation details.
Audit Software: Document and report on follow-up audits and effectiveness reviews.
By maintaining these documents and records, you can provide robust evidence of how non-conformities are managed, the actions taken, and the results achieved, ensuring transparency and accountability in the ISMS.