~2-page information security policy template on Corrective And Preventive Action.
 
There are structured processes to deal with problems relating to the way the Information Security Management System is being used (corrective actions) and deeper issues concerning the design of the ISMS itself (preventive actions).  Either way, the intention is to achieve gradual, systematic, appropriate improvements in the organisation’s management of information risk and security.
 
CAPA is, in effect, mandatory for a certified ISO/IEC 27001 ISMS (see clause 10 on continual improvement plus nonconformity and corrective action).
 
Supplied as an editable MS Word document, readily customised for your organisation's specific situation.