ISO 27001 Audit Findings: How to Respond to Nonconformities

Learn how to manage ISO 27001 audit findings: how to log, process and resolve nonconformities.


Receiving a nonconformity from your ISO 27001 auditor is not a crisis. It is a structured event with a defined process, a clear timeline, and a straightforward set of requirements. Most organisations that respond well to nonconformities achieve certification — or maintain it — without significant difficulty. Most organisations that struggle do so not because the findings are too serious, but because their corrective action process is poorly structured.

This guide explains what audit findings mean, how to categorise and prioritise them, and how to write and close a corrective action plan that satisfies your certification body.


Types of Audit Finding

Not all findings require the same response. Understanding the difference between finding types is the starting point for managing them effectively.

Major Nonconformity

A major nonconformity represents a failure to meet a requirement of ISO 27001 that is systemic or significant — one that undermines the integrity of the ISMS or prevents the standard’s requirements from being fulfilled. Examples include:

  • A required ISMS element does not exist (no internal audit, no management review, no Statement of Applicability)
  • A fundamental process is broken (risk assessment has not been conducted, documented information cannot be located)
  • A previous major nonconformity has not been effectively resolved
  • Multiple related minor nonconformities that together indicate a systemic failure

Consequence for certification: For initial certification, a major nonconformity means Stage 2 certification cannot be completed until it is resolved. For surveillance or recertification, it means the certificate cannot be maintained until closure is confirmed. Certification bodies typically allow a defined window — often 30 to 90 days — for a major nonconformity to be remediated and verified.


Minor Nonconformity

A minor nonconformity is an isolated failure to meet a requirement — a single lapse, gap, or omission that does not indicate a systemic problem. It is a real finding that requires a real corrective action, but it does not prevent certification from proceeding.

Examples include: a document with an overdue review date, a specific control that is defined in policy but where evidence of implementation is missing for a limited period, a training record gap for a small number of individuals.

Consequence for certification: Minor nonconformities are typically recorded at the closing meeting. Evidence of corrective action must be submitted within a defined window (often 30 to 60 days for initial certification; by the next audit for surveillance). Certification proceeds — subject to satisfactory closure of the minor finding.


Observation

An observation (sometimes called an opportunity for improvement) is a finding that does not constitute a breach of the standard but indicates an area that could be improved or that may develop into a nonconformity if not addressed. Observations do not require formal corrective action, though acting on them is good practice.


The Corrective Action Process

ISO 27001 Clause 10.2 requires a structured approach to nonconformity and corrective action. The process has five stages.

Figure: ISO 27001 Audit Findings: Types and Response Process. Clause 10.2 requires a structured corrective action process; the five stages apply to every nonconformity.

Finding types at a glance:

  • Major NC (blocks certification): systemic failure or missing ISMS element. Certification cannot proceed until resolved and verified. Must close before the certificate is issued.
  • Minor NC (fix after certification): isolated gap — single lapse, missing record. Certification proceeds; evidence of the fix is submitted within the agreed window, typically 30–60 days.
  • Observation (no formal action): not a breach — but worth improving. May become a finding if not addressed before the next audit. Address in the ISMS improvement cycle.

The five stages:

  • Step 1, Contain: address the immediate gap. Stop the finding from getting worse. Schedule the overdue review, initiate the approval process, reinstate the missing control. This is not the fix — it stabilises the situation. (Immediate action; stabilise the gap; document what was done.)
  • Step 2, Root cause: understand why, not just what. Ask "why did this happen?" at least twice. The root cause should be specific: unclear ownership, missing process, awareness gap, monitoring failure — not just "insufficient attention." (Why did this happen? Process gap? Ownership gap? Training gap?)
  • Step 3, Correct: implement a specific, assigned, time-bound action. "Improve document control" is not a corrective action. "Assign each ISMS document to a named owner with a calendar reminder and add overdue review checks to the quarterly ISMS review" is. (Named owner; specific action; target date; addresses the root cause.)
  • Step 4, Verify: confirm the action was effective. Implemented ≠ effective. Check that the gap is closed and unlikely to recur. An access review process is effective when the first cycle has completed and been recorded — not when the process has been written down. (Evidence the process ran; independent verification; not just "completed".)
  • Step 5, Close: document and submit evidence. Submit the completed response to your certification body: finding → root cause → action taken → evidence of effectiveness. Attach the evidence — don't describe it. The CA register entry is your audit trail. (Evidence attached; CA register updated; submitted to the certification body.)

The most common failure is fixing the symptom instead of the root cause. A corrective action that patches the visible gap without addressing why it occurred will produce the same finding at the next audit — and recurring findings are treated more seriously.

Stage 1: Contain

When a nonconformity is identified, the first step is to address the immediate issue — stopping it from causing further harm or getting worse. If an access review has not been completed, that review should be scheduled immediately. If a key policy has no approval record, the approval process should be initiated. Containment does not solve the root cause, but it stabilises the situation.


Stage 2: Investigate Root Cause

The most common mistake in corrective action is fixing the symptom rather than the cause. A corrective action that simply patches the immediate gap without understanding why it occurred will produce the same gap again.

Root cause analysis does not need to be complex. For most ISO 27001 nonconformities, asking “why did this happen?” two or three times is sufficient. The answer should be specific enough to point to a process improvement, a resource decision, a responsibility gap, or a training need — not a vague statement like “insufficient attention.”

Common root causes in an ISO 27001 context:

  • Responsibility not clearly assigned (no one owned the task)
  • Process not documented (reliance on informal knowledge)
  • Process documented but not followed (awareness gap or competing priorities)
  • Process adequate but reviewed on the wrong schedule (monitoring failure)


Stage 3: Determine and Implement the Corrective Action

The corrective action should address the root cause, not just the symptom. It should be specific, assignable, and completable within the agreed timeline.

A corrective action that says “improve access management” is not a corrective action. One that says “assign quarterly access reviews to the IT Manager with calendar reminders and a completion record template, and add access review evidence to the internal audit programme” is.


Stage 4: Verify Effectiveness

Implementing a corrective action is not the same as closing it. Closure requires verification that the action has been effective — that the gap identified no longer exists and is unlikely to recur.

Effectiveness verification might involve:

  • Checking the evidence that the corrected process has been followed (e.g. an access review record showing the new quarterly cycle has run once)
  • Confirming that revised training has been completed where training was the corrective action
  • Reviewing a document to confirm approval has been obtained

Where the finding was significant, the ISMS lead or an independent reviewer should verify effectiveness — not the person who took the corrective action.


Stage 5: Document and Close

The corrective action is formally closed when: the root cause has been identified, the corrective action has been implemented, and effectiveness has been verified. All of this should be documented in your corrective action register.

The record should show: the original finding, the root cause analysis, the action taken, who took it, when, and the evidence of effectiveness. This record is what your certification body reviews when assessing closure.


Writing a Corrective Action Plan

Certification bodies typically have their own format for submitting corrective action responses. Even where no specific format is prescribed, a well-structured response includes:

1. The nonconformity restated in your own words. Confirm that you understand what was found. Brief — one to two sentences.

2. Immediate containment action. What you did right away to address the immediate gap. Include what was done and when.

3. Root cause analysis. Your analysis of why the nonconformity occurred. This is the most important section — a superficial root cause leads to a superficial fix that recurs.

4. Corrective action. What you are doing to address the root cause. Specific, assigned, time-bound.

5. Evidence of implementation. What evidence demonstrates that the corrective action has been completed. Attach or reference the evidence directly — do not describe it; provide it.

6. Effectiveness verification. How you have confirmed that the action was effective and that the gap is unlikely to recur.

7. Completion date. When the action was completed and verified.

Corrective Action Plan: What Good Looks Like

Required elements, and the difference between a response that gets accepted and one that gets returned:

1. Restate the nonconformity in your own words (1–2 sentences)
  ✗ Vague: "The auditor found a nonconformity with access control." Doesn't show you understand what was actually found.
  ✓ Clear: "The audit found that quarterly access reviews defined in our Access Control Policy (clause 8.5) had not been completed or documented for Q3 2024." Shows you understand the specific gap and the requirement it breaches.

2. Immediate containment action (what + when)
  ✗ Vague: "We have begun addressing the access review issue." No specifics on what was done or when.
  ✓ Specific: "The IT Manager completed the Q3 access review on 15 November 2024. All 47 active user accounts were reviewed. Three accounts with unnecessary privileges were revoked. The completed review record is attached." Specific action, named owner, date, outcome, evidence referenced.

3. Root cause analysis (the most important section)
  ✗ Superficial: "The root cause was insufficient attention to the access review schedule." Points nowhere useful. A "fix" based on this will fail again.
  ✓ Specific: "The access review was not assigned to a named individual with a calendar reminder. The ISMS lead assumed the IT Manager was tracking this; the IT Manager had not been explicitly assigned ownership of the task. No overdue-review check existed in the internal audit programme." Identifies the process failure: no owner, no reminder, no monitoring. Corrective action can now target each of these.

4. Corrective action, addressing the root cause (specific, assigned, time-bound)
  ✗ General: "We will improve our access management process to prevent this from happening again." No action, no owner, no timeline. Not a corrective action.
  ✓ Specific: "(a) IT Manager assigned as owner of quarterly access reviews with calendar reminders for Q1/Q2/Q3/Q4. (b) Completion record template created and stored in SharePoint. (c) Overdue access review check added to ISMS lead's quarterly checklist. Completed by: 30 November 2024." Each action targets a specific root cause. Named owner, completion date, three distinct fixes for three identified gaps.

5. Evidence of implementation (attach — don't describe)
  Attach or reference these directly; a statement that something happened is not evidence:
  • Completed access review record
  • Updated procedure with owner assigned
  • Calendar screenshot showing recurring reminders
  • Quarterly checklist showing the new control added
  ✗ "The review has been completed" is NOT evidence

6. Effectiveness verification (required for closure)
  ✗ Premature closure: "The corrective action has been implemented. We are confident this issue will not recur." Implementation ≠ effectiveness. This finding will reopen.
  ✓ Verified: "The Q4 2024 access review was completed on 12 January 2025 using the new process — on schedule, by the assigned owner, with the completion record filed. The ISMS lead reviewed and confirmed completion. Evidence: Q4 access review record attached." Shows the new process has actually run once. The gap is closed and unlikely to recur.

Common Response Mistakes

Describing rather than evidencing. A corrective action response that says “the access review has been completed” without attaching the access review record is not a complete response. Evidence means the thing itself — not a statement that the thing happened.

Treating root cause analysis as a formality. Writing “the root cause was insufficient process” and then implementing the same process more carefully is not meaningful root cause analysis. Ask why the process failed, not just that it did.

Implementing the fix before understanding the root cause. It is tempting to fix the visible gap immediately and then construct a root cause to fit. This approach often means the underlying issue remains.

Closing actions prematurely. An action marked “complete” because it has been implemented but not yet verified as effective is not closed. Effectiveness verification is not optional.

Writing general improvement plans instead of specific corrective actions. “We will improve our document control processes” is not a corrective action. “We will add document review dates to the ISMS calendar, assign each document to an owner, and add an overdue-review check to the quarterly ISMS lead review” is.



Managing Multiple Findings

When an audit produces several findings — which is not uncommon for first-time certification — prioritise by severity and interconnection.

Major nonconformities must be resolved before certification can proceed. These get first attention and the most resource.

Minor nonconformities with the same root cause should be treated as a single systemic issue. If three different findings all point to the same underlying failure — unclear document ownership, say — one comprehensive corrective action addressing the root cause is more effective than three separate patches.

Observations can be addressed in your regular ISMS improvement cycle rather than on the emergency corrective action track.

Track all findings in a single corrective action register with status, owner, and target completion date. This register is itself a piece of evidence that your ISMS improvement process is operating.
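To make the Stage 5 closure criteria and the single register described above concrete, here is an added example (not part of the article, and not a tool from Iseo Blue): a small Python corrective action register that refuses to close a finding until a named owner, a specific root cause, a corrective action, attached evidence and effectiveness verification are all recorded (with independent verification required for a major), flags open majors as certification blockers, lists open findings whose closure window has passed, groups open minors that share a root cause into one systemic issue, and orders the work by severity and due date. The findings, names, dates and file names are constructed; the 90-day and 60-day windows are the upper ends of the ranges the article quotes, and your certification body's audit report sets the real deadline.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Severity(Enum):
    MAJOR = 1        # blocks certification until closed and verified
    MINOR = 2        # certification proceeds; close within the agreed window
    OBSERVATION = 3  # no formal corrective action required

# Upper end of the windows the article quotes (assumption: the certification
# body's audit report states the real deadline for each finding).
CLOSURE_WINDOW_DAYS = {Severity.MAJOR: 90, Severity.MINOR: 60}


@dataclass
class Finding:
    ref: str
    severity: Severity
    finding: str                      # nonconformity restated in your own words
    raised_on: date
    owner: str | None = None          # named person who owns the corrective action
    root_cause: str | None = None
    corrective_action: str | None = None
    evidence: list[str] = field(default_factory=list)  # attached artefacts, not descriptions
    verified_by: str | None = None    # who confirmed the action was effective
    closed_on: date | None = None

    @property
    def due_date(self) -> date | None:
        days = CLOSURE_WINDOW_DAYS.get(self.severity)
        return self.raised_on + timedelta(days=days) if days else None


def closure_blockers(f: Finding) -> list[str]:
    """Stage 5 test: everything that still stops this finding from being closed."""
    checks = [
        (not f.owner, "no named owner"),
        (not f.root_cause or "insufficient attention" in f.root_cause.lower(),
         "root cause missing or not specific"),
        (not f.corrective_action, "no corrective action recorded"),
        (not f.evidence, "no evidence attached (a description is not evidence)"),
        (not f.verified_by, "effectiveness not verified"),
        (f.severity is Severity.MAJOR and f.verified_by is not None and f.verified_by == f.owner,
         "major finding needs verification independent of the action owner"),
    ]
    return [message for failed, message in checks if failed]


def close_finding(f: Finding, today: date) -> bool:
    """Close only when every criterion is met; otherwise leave it open."""
    if closure_blockers(f):
        return False
    f.closed_on = today
    return True


def certification_blockers(register: list[Finding]) -> list[str]:
    """Open majors stop a certificate being issued or maintained."""
    return [f.ref for f in register if f.severity is Severity.MAJOR and f.closed_on is None]


def overdue(register: list[Finding], today: date) -> list[str]:
    """Open findings past their window: contact the certification body before this happens."""
    return [f.ref for f in register if f.closed_on is None and f.due_date and today > f.due_date]


def shared_root_causes(register: list[Finding]) -> dict[str, list[str]]:
    """Open minors sharing one root cause are one systemic issue, not several patches."""
    groups: dict[str, list[str]] = defaultdict(list)
    for f in register:
        if f.severity is Severity.MINOR and f.closed_on is None and f.root_cause:
            groups[f.root_cause].append(f.ref)
    return {cause: refs for cause, refs in groups.items() if len(refs) > 1}


def work_order(register: list[Finding]) -> list[str]:
    """Majors first, then minors by due date, observations last."""
    open_items = [f for f in register if f.closed_on is None]
    return [f.ref for f in sorted(open_items, key=lambda f: (f.severity.value, f.due_date or date.max))]


# Constructed sample register: findings, names, dates and file names are invented.
AUDIT, REVIEW_DATE = date(2024, 11, 1), date(2025, 1, 15)
SHARED_CAUSE = "No named owner or calendar reminder for recurring ISMS tasks"
REGISTER = [
    Finding("NC-01", Severity.MAJOR, "No internal audit performed this cycle", AUDIT, owner="ISMS lead",
            root_cause="Audit programme never scheduled; no owner", corrective_action="Programme approved; first audit done",
            evidence=["internal-audit-report-2024.pdf"], verified_by="ISMS lead"),  # self-verified major
    Finding("NC-02", Severity.MINOR, "Q3 access review not completed or documented", AUDIT, owner="IT Manager",
            root_cause=SHARED_CAUSE, corrective_action="Owner assigned; reminders set; overdue check on checklist",
            evidence=["q3-access-review.xlsx", "calendar-reminder.png"], verified_by="ISMS lead"),
    Finding("NC-03", Severity.MINOR, "Supplier policy review five months overdue", AUDIT, owner="Procurement lead",
            root_cause=SHARED_CAUSE, corrective_action="Document owner assigned; review date on ISMS calendar"),
    Finding("NC-04", Severity.MINOR, "Two new starters have no awareness training record", AUDIT, owner="HR",
            root_cause="Insufficient attention to onboarding", corrective_action="Training completed"),
    Finding("OBS-01", Severity.OBSERVATION, "Risk register lacks a residual-risk column", AUDIT),
]

if __name__ == "__main__":
    print("work order:", work_order(REGISTER), "| blocks cert:", certification_blockers(REGISTER))
    print("systemic:", shared_root_causes(REGISTER))
    for f in REGISTER[:4]:
        print(f.ref, "closed" if close_finding(f, REVIEW_DATE) else closure_blockers(f))
    print("overdue on", REVIEW_DATE, overdue(REGISTER, REVIEW_DATE))
```

Run as a script, the sample closes only NC-02: NC-01 is rejected because the owner verified their own major, NC-03 has no attached evidence and no verification, and NC-04 has a root cause of the "insufficient attention" kind the article warns against. NC-02 and NC-03 are reported as one systemic issue before closure, and on the review date both remaining minors are past their 60-day window, which is the point at which the article says to contact the certification body rather than let the deadline pass.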


What Happens After You Submit the Response

How certification bodies handle corrective action closure varies. For most:

Minor nonconformities at first certification are reviewed by the auditor after submission. If the evidence is satisfactory and the root cause analysis is credible, the finding is closed. If not, the body may request additional evidence or revise the classification of the finding.

Major nonconformities typically require the auditor to verify closure directly — either through a follow-up visit or a structured remote review. The auditor is confirming that the fix is real and operational, not just documented.

Surveillance audits will check that all findings from the previous audit have been effectively closed. A finding that was reported as closed but where the underlying issue persists will reappear as a new (and more serious) finding.


Common Mistakes

Treating the corrective action as the end rather than the beginning. The corrective action response closes the specific finding. But the root cause analysis should inform improvements to your ISMS more broadly — if document control was found to be inadequate, your next internal audit cycle should include document control as a specific audit area.

Not involving the process owner in the corrective action. Corrective actions owned solely by the ISMS lead for processes that belong to other departments rarely produce lasting fixes. The department head whose process failed needs to be part of the solution.

Submitting incomplete evidence. Auditors cannot verify effectiveness from a description — they need the evidence itself. Incomplete submissions get returned for more information, extending the closure timeline unnecessarily.


FAQs

How long do we have to respond to a nonconformity?

Timelines vary by certification body and by finding severity. For initial certification, major nonconformities must typically be resolved before a certificate can be issued — often within 30 to 90 days of the Stage 2 audit. For minor nonconformities, the window is often 30 to 60 days for first certification, or by the next audit for surveillance. Your certification body will specify the timeline in the audit report.

Can we dispute a finding?

Yes. If you believe a finding is based on a misunderstanding of your processes or a misinterpretation of the standard’s requirements, you can raise this with the auditor or the certification body’s reviewer. Disputes should be fact-based — providing additional evidence that the requirement is being met, or citing the relevant standard clause. Disputes based on disagreement with the standard’s requirements are unlikely to succeed.

What if we can’t close a finding within the required window?

Contact your certification body before the deadline. Most bodies can accommodate reasonable extensions for genuine circumstances — a key person’s absence, a complex systemic fix that requires more time. Letting the deadline pass without communication is more problematic than requesting an extension.

Do minor nonconformities affect our certificate status?

No, for initial certification. A certificate can be issued with open minor nonconformities where the body is satisfied that a credible corrective action plan is in place. For surveillance, unclosed minor findings from a previous audit may be upgraded or impact the surveillance outcome if they remain unaddressed.

Can the same finding recur at the next audit?

Yes — and this is a common pattern. A finding that was technically closed but where the root cause was not genuinely addressed will recur. Recurring findings are viewed more seriously by auditors than first-time findings, as they indicate that corrective action was not effective. If the same area keeps producing findings, a fundamental review of the underlying process is needed.


Written by Alan Parker

Alan Parker is an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less - often without a dedicated security team or a large budget. With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally. Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done. Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.