Root cause analysis (RCA) is a systematic method for identifying the fundamental cause of an incident or problem. Common techniques include the 5-Why method and the Ishikawa (fishbone) diagram. In an ISMS, root cause analysis is a mandatory part of the corrective action process under ISO 27001 Clause 10.1. It ensures that corrective measures address the actual origin of a problem. Without RCA, you risk treating only symptoms and experiencing the same incidents repeatedly.