Continual Improvement, Nonconformities, and Corrective Actions | Interview with Carlos Cruz
In this Secure and Simple Podcast episode, host Dejan Kosutic from Advisera interviews Carlos Cruz, founder of Metanoia and an ISO 9001/ISO 14001 expert, about continual improvement in ISO standards and how the concepts apply to cybersecurity. They explain continual improvement through the PDCA cycle, using data and Pareto analysis to focus on key issues, then performing root cause analysis with tools like the fishbone (Ishikawa) diagram and the 5 Whys to avoid stopping at “human error.” They define nonconformities, clarify the difference between corrections (e.g., restoring operations) and corrective actions (i.e., removing root causes to prevent recurrence), and discuss when root cause analysis is warranted, including high-impact or recurring cybersecurity incidents. They also cover documenting and tracking nonconformities via approaches like ticketing systems, consultant do’s and don’ts, and practical ways to motivate management by translating issues into business impact.
Links from the episode:
- Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software
- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits
- Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses
- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account
- Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t
- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining
Links from the episode:
- Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software
- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits
- Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses
- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account
- Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t
- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining
- (00:00) - Interview with Carlos Cruz on continual improvement
- (01:27) - PDCA and Continual Improvement
- (05:52) - Improvement Beyond Problems
- (08:22) - Nonconformities Explained
- (11:47) - When to Do Root Cause Analysis
- (15:19) - Pareto and Fishbone Methods
- (17:39) - Using the Five Whys Method
- (21:27) - Building Root Cause Culture
- (25:00) - Who Reports Nonconformities
- (29:27) - Corrections vs Corrective Actions
- (34:25) - Documenting Without Bureaucracy
- (40:32) - Consultants Do and Don'ts
- (47:02) - Selling Improvement to Management
- (50:00) - Top Tips for Continual Improvement
- (54:39) - Resources for Consultants and Security Officers
Creators and Guests
