A Corrective Action Plan (CAP) is a formal, documented response to non-conformities or findings identified during internal audits, external assessments or incident investigations. It specifies the root cause of each finding, the corrective actions to be taken, the responsible parties, deadlines and the verification criteria for confirming that the issue has been resolved.
CAPs are a mandatory element of ISO 27001 compliance, as the standard requires organisations to address non-conformities and prevent their recurrence. Well-structured CAPs demonstrate to certification bodies that an organisation takes findings seriously and has a systematic approach to resolving them. Tracking CAPs in a centralised GRC platform ensures visibility, accountability and timely completion.