The CAPA register (Corrective and Preventive Actions) is where you document nonconformities, root cause analyses and corrective actions. Every finding needs a traceable chain: what was observed, why it happened, what was done immediately, and what prevents recurrence.
ISO 27001 Clause 10.1 (Nonconformity and Corrective Action) and Clause 10.2 (Continual Improvement) provide the normative basis. Auditors expect you to show, for every nonconformity, which corrective action was taken and whether it was effective.
What does it contain?
Each row documents one CAPA case. The columns:
- ID / Source / Date Raised — unique identifier, origin of the finding (audit, incident, review) and date recorded
- Finding / Nonconformity — description of what was observed
- Root Cause — result of the root cause analysis
- Correction (Immediate) — containment measure to limit damage
- Corrective Action — measure to eliminate the root cause
- Owner / Due Date / Status — responsible person, deadline and current state
- Effectiveness Check / Closure Date — result of the effectiveness verification and closure date
How to use it
Capture: As soon as a finding arises — from an internal audit, external audit, incident or management review — create a new row. Record the immediate correction and the responsible person straight away.
Root cause analysis and corrective action: Within a defined timeframe (typically two weeks), analyse the root cause and define a corrective action with a concrete deadline.
Effectiveness check: After a probation period (e.g. one quarter), sample-check whether the finding has recurred. Document the result in the Effectiveness Check column. Only then close the case.
| ID | Source | Date Raised | Finding / Nonconformity | Root Cause | Correction (Immediate) | Corrective Action | Owner | Due Date | Status | Effectiveness Check | Closure Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CAPA-2026-001 | Internal audit 2026-Q1 | 2026-02-10 | Three joiner accounts were created without manager approval ticket | Onboarding checklist did not enforce approval gate | Revoked accounts and recreated with approval | Add mandatory approval gate in HR onboarding workflow + monthly reconciliation | HR Lead | 2026-05-15 | In progress | Audit sample 2026-Q3 | |
| CAPA-2026-002 | External audit 2025 | 2025-12-05 | SoA did not cite justification for excluding A 8.34 | Reviewer used prior-year SoA without re-check | Added justification | Require peer review of SoA before approval | ISO | 2026-03-01 | Closed | 2026-03-15 re-check passed | 2026-03-20 |
| CAPA-2026-003 | Incident INC-2026-004 | 2026-02-22 | Phishing email bypassed filter; one user clicked link | Filter policy did not cover newly registered domains | Blocked domain + reset user credentials | Enable newly-registered-domain rule in mail filter and run targeted awareness training | IT Operations Lead | 2026-04-30 | In progress | Phishing simulation 2026-Q3 | |
| CAPA-2026-004 | Management review 2026-Q1 | 2026-03-30 | Vulnerability remediation SLA breached for 4 high findings | Patch window too short; no escalation path | Applied patches | Introduce monthly patch window + escalation to CTO after 25 days | IT Operations Lead | 2026-06-30 | Open | KPI review 2026-Q3 | |
| CAPA-2026-005 | Customer complaint | 2026-03-12 | Customer reported unencrypted email attachment with contract | Staff used personal workaround after mail gateway issue | Retrieved email and re-sent via secure portal | Refresh training on Information Transfer Policy + block external attachments over 10 MB | DPO | 2026-05-31 | In progress | | |
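The workflow rules under "How to use it" (correction and owner recorded at capture, root cause and corrective action defined within the two-week window, closure only with a documented effectiveness check and closure date, due dates tracked) can be enforced mechanically over the register. The following validator is an added example, not part of the page's template: it parses a markdown table in the column layout above and returns, per CAPA ID, the rules that row breaks. The sample rows, the 14-day RCA window and the check date are constructed assumptions; the rows with IDs 006 and 007 are invented to trigger the checks.

```python
from datetime import date, timedelta

# Constructed sample register in the page's column order. Rows 001 and 002 are
# abbreviated from the page's table; rows 006 and 007 are invented and
# deliberately incomplete so the checks below have something to report.
SAMPLE_REGISTER = """\
| ID | Source | Date Raised | Finding / Nonconformity | Root Cause | Correction (Immediate) | Corrective Action | Owner | Due Date | Status | Effectiveness Check | Closure Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CAPA-2026-001 | Internal audit 2026-Q1 | 2026-02-10 | Three joiner accounts created without approval ticket | Onboarding checklist did not enforce approval gate | Revoked accounts and recreated with approval | Mandatory approval gate + monthly reconciliation | HR Lead | 2026-05-15 | In progress | Audit sample 2026-Q3 | |
| CAPA-2026-002 | External audit 2025 | 2025-12-05 | SoA lacked justification for excluding A 8.34 | Prior-year SoA reused without re-check | Added justification | Peer review of SoA before approval | ISO | 2026-03-01 | Closed | 2026-03-15 re-check passed | 2026-03-20 |
| CAPA-2026-006 | Internal audit 2026-Q1 | 2026-03-02 | Backup restore test not performed in Q4 | | Ran ad-hoc restore test | | IT Operations Lead | 2026-06-30 | Open | | |
| CAPA-2026-007 | Customer complaint | 2026-04-01 | Contract sent to wrong recipient | Address auto-complete picked similar name | Recipient asked to delete; confirmation received | Disable auto-complete for external domains | | 2026-04-30 | Closed | | |
"""

COLUMNS = [
    "id", "source", "date_raised", "finding", "root_cause", "correction",
    "corrective_action", "owner", "due_date", "status",
    "effectiveness_check", "closure_date",
]

# "Within a defined timeframe (typically two weeks)": assumed as 14 calendar days.
RCA_WINDOW = timedelta(days=14)


def parse_register(text: str) -> list[dict]:
    """Parse a markdown table into one dict per CAPA row, padding missing trailing cells."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        body = line.replace("|", "").strip()
        if set(body) <= {"-"}:          # the |---|---| separator line
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "ID":            # header row
            continue
        cells += [""] * (len(COLUMNS) - len(cells))   # rows with dropped empty cells
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def check_register(rows: list[dict], today: date) -> dict[str, list[str]]:
    """Return {capa_id: [rule violations]} for rows that break the page's workflow rules."""
    findings: dict[str, list[str]] = {}
    for r in rows:
        issues = []
        raised = date.fromisoformat(r["date_raised"])
        due = date.fromisoformat(r["due_date"]) if r["due_date"] else None
        closed = r["status"].lower() == "closed"
        past_rca_window = today > raised + RCA_WINDOW

        # Capture step: correction and responsible person are recorded immediately.
        if not r["correction"] or not r["owner"]:
            issues.append("immediate correction and owner must be recorded at capture")
        # RCA step: root cause and corrective action exist once the window has elapsed.
        if not r["root_cause"] and past_rca_window:
            issues.append("root cause analysis overdue")
        if not r["corrective_action"] and past_rca_window:
            issues.append("corrective action not defined")
        # Closure step: only after a documented effectiveness check.
        if closed and (not r["effectiveness_check"] or not r["closure_date"]):
            issues.append("closed without effectiveness check / closure date")
        # Open cases past their due date.
        if not closed and due and today > due:
            issues.append("corrective action overdue")

        if issues:
            findings[r["id"]] = issues
    return findings


if __name__ == "__main__":
    for capa_id, issues in check_register(parse_register(SAMPLE_REGISTER), date(2026, 5, 20)).items():
        print(capa_id, "->", "; ".join(issues))
```

Run against a register exported from the spreadsheet before each management review: a closed case that fails the closure rule is exactly the gap an auditor will find when tracing a nonconformity to its effectiveness check.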
Sources
- ISO/IEC 27001:2022 Clause 10.1 — Nonconformity and Corrective Action
- ISO/IEC 27001:2022 Clause 10.2 — Continual Improvement