Glossary

Corrective Measures

Actions to remove causes of identified non-conformities and prevent recurrence.

Corrective measures are actions taken to eliminate the root causes of identified non-conformities, security incidents or process failures, and to prevent their recurrence. Unlike corrective actions that simply fix the immediate problem, corrective measures address the underlying systemic issues that allowed the problem to occur in the first place.

ISO 27001 clause 10.2 specifically requires organisations to implement corrective measures when non-conformities are identified. This involves analysing the root cause, determining whether similar issues could exist elsewhere, implementing changes to processes or controls and verifying that the measures are effective. Documenting corrective measures provides valuable evidence of the organisation's commitment to continuous improvement during certification audits.
