
CORRECTIVE & PREVENTIVE

ACTION PROCEDURE

KING SAUD UNIVERSITY


DEANSHIP OF E-TRANSACTIONS & COMMUNICATION

VERSION 1.1

INTERNAL USE ONLY


CORRECTIVE & PREVENTIVE ACTION PROCEDURE

Prepared By: Altamash Sayed | Reviewed By: Nasser A. Ammar | Approved By: Dr. Mohammed A Alnuem

REVISION HISTORY

Sr. No. | Date of Revision | Ver. | Validity | Description of change | Reviewed By | Approved By
1 | 18/03/12 | 1.0 | One Year | Initialization | Nasser A. Ammar | Dr. Mohammed A Alnuem
2 | 02/03/13 | 1.1 | One Year | Department Ownership Changed | Mr. Toqeer Ahmad | Mr. Mohammed A. Alsarkhi
3 | 05/03/13 | 1.1 | One Year | No Change | Mr. Toqeer Ahmad | Mr. Mohammed A. Alsarkhi

DISTRIBUTION LIST

Sr. No Version Number Name Designation Department

ISMS/8_8.2_8.3/CPA/PRO/ V1.1 Page 2 of 11 Internal Use Only



TABLE OF CONTENTS

1. PURPOSE .................................................................................................. 4

2. SCOPE ...................................................................................................... 4

3. RELATED POLICIES AND PROCEDURES ...................................................... 4

4. PROCEDURE ENFORCEMENT / COMPLIANCE ............................................ 4

5. DOCUMENT OWNER ................................................................................ 4

6. ROLES & RESPONSIBILITY ......................................................................... 5

7. INVOCATION ............................................................................................ 5

8. PROCESS FLOWCHART .............................................................................. 6

9. PROCEDURE DETAILS ................................................................................ 7

10. OUTPUTS............................................................................................... 9

11. RECORDS ............................................................................................... 9

12. ANNEXURE .......................................................................................... 10

12.1 FORM.................................................................................................................. 10

12.2 CONTINUOUS IMPROVEMENT LOG ................................................................... 11




1. PURPOSE
King Saud University ETC Deanship has developed this procedure for corrective and preventive
actions in order to continually improve the effectiveness of its information security. Corrective and
preventive actions are taken based on the results of internal/external audits, management reviews, or
other relevant information, to achieve continual improvement of the security infrastructure.

2. SCOPE
This procedure applies to King Saud University (KSU) - eTransactions & Communication (ETC)
Deanship and all parties, its affiliated partners or subsidiaries, including data processing and process
control systems, that are in possession of or using information and/or facilities owned by KSU-ETC
Deanship.

This procedure applies to all staff/users that are directly or indirectly employed by the KSU-ETC
Deanship, its subsidiaries, or any entity conducting work on behalf of KSU that involves the use of
information assets owned by the ETC Deanship.

3. RELATED POLICIES AND PROCEDURES


None

4. PROCEDURE ENFORCEMENT / COMPLIANCE


Compliance with this procedure is mandatory, and ETC Deanship managers shall ensure continuous
compliance monitoring within their departments. Compliance with the statements of this procedure
is subject to periodic review by the Risk & Information Security Department, and any violation of the
procedure will result in corrective action by the ISMS Steering Committee.

Disciplinary action will depend on the severity of the violation, as determined by investigation.
Actions such as termination, or others as deemed appropriate by ETC Management and the Human
Resources Department, will be taken.

5. DOCUMENT OWNER
ISMS Manager




6. ROLES & RESPONSIBILITY


Each role involved in this procedure has the following main responsibilities:
1. ISMS Steering Committee
- Ensures that all steps within this procedure are executed correctly and on time.
- Reviews and/or proposes corrective/preventive actions to the ISMS Manager.

2. ISMS Manager
- Takes decisions on corrective/preventive actions as required.
- Prepares reports on nonconformities and corrective/preventive actions.

7. INVOCATION
This procedure shall be followed whenever any of the following occurs:
- Internal Audits: the results of internal audits.
- External Audits: the results of external audits.
- Effectiveness measurements: after measuring the effectiveness of the controls and suggesting new controls to be implemented.
- Risk Management Process: recommendations of the Risk Management Process.
- Incidents (Learning cycle): actions to be taken to close certain incidents.




8. PROCESS FLOWCHART

[Flowchart: Corrective and Preventive Actions Procedure. Swimlanes: ISMS Manager; ISMS Steering Committee. The recoverable flow is:]

Inputs: Internal Audits, External Audits, Risk Management Process, Incidents (Learning cycle), Effectiveness measurements

Start
- Step 1 (ISMS Manager): Identify corrective/preventive actions and their cause. Output: Corrective/Preventive Action Form.
- Step 2 (ISMS Steering Committee): Decide necessary action (Decision).
  - Yes: Step 3 (ISMS Manager): Take necessary action, then Step 4 (ISMS Manager): Update Continuous Improvement Log (stored in the Continuous Improvement Log file), then Step 5.
  - No: Step 5.
- Step 5 (ISMS Steering Committee): Management Review, using the Continuous Improvement Log file.
End

Legend: Start/End = start and end of the procedure; Step n = an activity/step; Decision = a decision in a procedure; Form = document/form; Log/Record = storage to file; Reference to another procedure = another related procedure; Input/Output = input or output information; a numbered connector = follow to step no.; branching arrows = flow of two or more different decisions.




9. PROCEDURE DETAILS
This section reflects the broad activities/steps to be carried out in the procedure.

STEP 1: IDENTIFY CORRECTIVE / PREVENTIVE ACTION & ITS CAUSE

Responsibility: ISMS Manager
Input: Issue identified
Actions: A corrective/preventive action could be identified in various ways (e.g. internal audit, external audit, review of performance indicators, etc.). A Corrective or Preventive Actions Form is prepared.
Output: Corrective or Preventive Actions Form

STEP 2: REVIEW AND DECIDE NECESSARY ACTION

Responsibility: ISMS Steering Committee
Input: Corrective/Preventive Actions Form
Actions: The Committee reviews the audit results, Risk Management recommendations and incident reports, together with the proposed actions to be taken. If the ISMS Steering Committee determines that the corrective/preventive actions are valid and required, it approves the Corrective/Preventive Actions Form; proceed to step 3. The form is forwarded to the ISMS Manager to update the Continuous Improvement Log File.
Output: Corrective or Preventive Actions Form; Continuous Improvement Log File




STEP 3: TAKE NECESSARY ACTION

Responsibility: ISMS Manager
Input: Corrective/Preventive Actions Form
Actions: If the ISMS Steering Committee decided to take action, the ISMS Manager implements the corrective/preventive action. Once the action has been implemented, the ISMS Manager completes the Corrective & Preventive Action Form; proceed to step 4. If the ISMS Steering Committee decided not to take action, the ISMS Manager updates the Continuous Improvement Log File and keeps the completed Corrective & Preventive Action Form in his records; proceed to step 5.
Output: File containing records of Corrective & Preventive Action Forms

STEP 4: UPDATE CONTINUOUS IMPROVEMENT LOG

Responsibility: ISMS Manager
Input: Continuous Improvement Log File
Actions: The ISMS Manager submits to the Committee a summary of the corrective and preventive actions that have been taken, for evaluation of the effectiveness of those actions.
Output: Management Review Log File

STEP 5: MANAGEMENT REVIEW

Responsibility: ISMS Steering Committee
Input: Corrective/Preventive Actions Form
Actions: The ISMS Steering Committee reviews the Continuous Improvement Log File.
Output: Continuous Improvement Log File; File containing records of Corrective & Preventive Action Forms




10. OUTPUTS
The following are outputs of the process:
- Audit findings addressed.
- Recommendations to improve the ISMS.

11. RECORDS
The following records are the evidence of implementation of the process. The records are maintained
in hard and soft copy.
- Corrective and Preventive Actions Form
- Continuous Improvement Log File




12. ANNEXURE

12.1 FORM

CORRECTIVE AND PREVENTIVE ACTIONS FORM

[ ] Corrective Action    [ ] Preventive Action

A. DESCRIPTION OF CORRECTIVE / PREVENTIVE ACTION

ISO 27001 Standard paragraph reference: __________

__________________________________________________________________________________________

__________________________________________________________________________________________

B. ROOT CAUSE OF FINDINGS:

__________________________________________________________________________________________

__________________________________________________________________________________________

C. PROPOSED ACTIONS:

__________________________________________________________________________________________

__________________________________________________________________________________________

D. RESPONSIBLE FOR THE IMPLEMENTATION / TIME OF COMPLETION

ISMS MANAGER

Full Name: __________

Date: __________

Signature: __________




12.2 CONTINUOUS IMPROVEMENT LOG

CONTINUOUS IMPROVEMENT LOG FILE

Columns:
ISO Reference | Non Conformity Identification | Cause of Identification | Identified by | Action Type (Corrective or Preventive) | Action to be taken | Responsible | Responsible for Monitoring | Target Completion date | Actual Completion | Signature | Date

