# Clause 10: Improvement

This section concerns itself with committing to continual improvement of the suitability, adequacy and effectiveness of the ISMS (10.1).

### Nonconformity and corrective action 10.2

> Identify nonconformities > treat them with controls > Make relevant changes to ISMS

Organisations should react to nonconformities as they occur by following a simple process. They need to first take action to control or correct it, and then deal with the consequences (10.2a) (capture and metabolise the learning into the system).

When action is taken to deal with consequences, we’re looking to eliminate the cause of the nonconformity to avoid recurrence or an occurrence in another part of the ISMS. We do this by (10.2b):

1. Reviewing the nonconformity
2. Determining the cause of the nonconformity
3. Determining if similar nonconformities exist or could occur

We can then implement actions and review their effectiveness, and make any necessary changes to the ISMS (10.2cde).

This process is required to be documented - capturing the nature of nonconformities, the actions taken, and results of corrective action (10.2fg).

> 💡 **Corrective actions need to be appropriate to the effects of the nonconformities encountered.** You cannot introduce a control and justify it based on a nonconformity that is not addressed by the control.