
Delayed corrective action - what to do

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Devesh#89, Jan 7, 2025.

  1. Devesh#89

    Devesh#89 Member

    Joined:
    Jun 29, 2024
    Messages:
    20
    Likes Received:
    1
    Trophy Points:
    2
    If there is an audit observation that VAPT (penetration testing for servers and software) was not done, and corrective action is taken that the VAPT will be conducted in December 2024, but the organization failed to conduct the VAPT due to some internal or budget issues, as a QMS person should I initiate a planned deviation, and how will it impact the future audit?
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,330
    Likes Received:
    2,655
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Devesh: when you say audit “observation”, do you mean a non-conformity? What type of audit found this “observation”? What requirement was the audit being conducted against? This is posted in the ISO 9001 forum and it doesn’t mention penetration testing.
     
  3. Devesh#89

    Devesh#89 Member

    Joined:
    Jun 29, 2024
    Messages:
    20
    Likes Received:
    1
    Trophy Points:
    2
    Ok, let me give a short brief. I know this is the ISO 9001 forum, but as per ISO 27001 (ISMS) it is mandatory to conduct VAPT (Vulnerability Assessment and Penetration Testing) regularly (annually in this case). This test ensures that all your servers or IP addresses are working as per the standard and are secure from any potential cyber threat, so a tester tries to breach the security to test the stability and security of these IPs.
    On the basis of this VAPT, which the organization failed to conduct at the time, the certifying body issued a major non-conformity, and the organization took corrective action that they will conduct this in December 2024. But as per the changes in IT infrastructure, it seems that it will not be possible to conduct that test again before December 2024, so that is what happened.

    Now, on the basis of the above scenario, I want your POV: can't we initiate a planned deviation as a proactive approach to save us from another critical or major observation?
     
  4. Bev D

    Bev D Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    653
    Likes Received:
    705
    Trophy Points:
    92
    Location:
    Maine
    Well, do the test now.

    And then I would investigate why it wasn’t done in December 2024 as promised. Why the heck wouldn’t a company perform a test that is so protective to THEM? Let alone one that got you a major NC?

    I think there may be a lot bigger problems with this company...
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,330
    Likes Received:
    2,655
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Really? Can you point to the requirement so I can read it?
     
  6. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,363
    Likes Received:
    1,066
    Trophy Points:
    112
    Location:
    Laguna Philippines
    I think the factors that prevented the conduct of the VAPT as per the annual schedule also prevented the implementation of the rescheduled testing in December 2024. Actually, just rescheduling the test is not a corrective action. Your problem will just keep on persisting unless your organization addresses the factors preventing the implementation of the VAPT. As a QMS person, you need to have a good understanding of the definition of the term "corrective action". Determine the factors mentioned, then implement actions to eliminate them.
     
  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,330
    Likes Received:
    2,655
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    In addition to Tony's great comment, I'm also wondering what the internal auditors were doing! How can any organization have allowed such a huge hole to develop in its ISMS, without an internal audit at least confirming the situation? My guess is...
     
  8. Devesh#89

    Devesh#89 Member

    Joined:
    Jun 29, 2024
    Messages:
    20
    Likes Received:
    1
    Trophy Points:
    2
    I know, but what if the organization is having budget issues to conduct the VAPT on time? How could we solve that then?
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,330
    Likes Received:
    2,655
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I don't understand your question...
     
  10. Devesh#89

    Devesh#89 Member

    Joined:
    Jun 29, 2024
    Messages:
    20
    Likes Received:
    1
    Trophy Points:
    2
    See, I know there is a problem with the organization in maintaining the QMS or ISMS, but my question is this: the organization issues a budget to do these VAPTs, but what if the budget was the reason for that non-conformity? How should we handle that?
     
  11. Bev D

    Bev D Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    653
    Likes Received:
    705
    Trophy Points:
    92
    Location:
    Maine
    What do you mean the budget was the reason? Did your company run completely out of money? Did they not budget for this required testing? Sounds like they are giving lame-@$$ excuses, and a corrective action won’t change that.
     
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,330
    Likes Received:
    2,655
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Who is running the company? Finance? Who budgeted for pen testing? Was the pen testing included in the budget but the funds not made available? Like any corrective action, you have to a) determine the actual problem and write it down, and b) work to find a root cause.

    "Problem: Budget for pen testing, required to ensure ISMS is not at risk of external hacks which can cost $XM to recover and should be completed annually and before ISMS certification audit (for example) wasn't...
     
  13. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    833
    Likes Received:
    409
    Trophy Points:
    62
    Simple. Go out back to the money tree and get some.

    Assuming this is an important test for your organization it seems you have a few things going on. You’ll obviously need to delay finishing your corrective action. You’ll want to note why the delay is necessary. You’ll also want to explore why this can’t be part of standard operating procedure and not subject to lack of budget. This is likely beyond your pay grade, so you’ll want to kick it up to the powers that be and get their input. Good luck.
     
  14. Devesh#89

    Devesh#89 Member

    Joined:
    Jun 29, 2024
    Messages:
    20
    Likes Received:
    1
    Trophy Points:
    2
    Thanks, Andy.
     
  15. Devesh#89

    Devesh#89 Member

    Joined:
    Jun 29, 2024
    Messages:
    20
    Likes Received:
    1
    Trophy Points:
    2
    Thanks, golfman!!!