Does ISO 27001, the Information Security Management System, require unique CAPA procedures?

Generally, can CAPA procedures developed for ISO 9001, 13485, 14001, 18001, 20000 and/or AS9100 be used for ISO 27001, the Information Security Management System (ISMS)?

The 27001 standards appear to have many unique characteristics and requirements. Document Control, management responsibilities and internal auditing seem to be similar to other Quality Management System (QMS) requirements. It appears that a CAPA procedure for 27001 will still need:

  • Originator, origination date, issue or problem, immediate action, due date;
  • Assigned for remedy, date of action, root cause, status;
  • Completed by, date of completion, next step;
  • Verified by, date of verification, effective (yes/no), proof, next step;
  • Management review by, date reviewed, comments for continual improvement.

What else is required for an effective QMS or ISMS CAPA procedure?