An ISO 27001 nonconformity is not a failure of your organisation. It is a finding — a gap between what your ISMS says it does and what it actually does, or between what ISO 27001 requires and what you have in place. Every organisation that goes through a certification audit encounters them. The question is not whether you will get nonconformities (spoiler alert, you will and you should), but how effectively you handle them when you do.
Understanding the difference between minor and major nonconformities, knowing what a corrective action actually requires, and being able to close findings with convincing evidence are core competencies for anyone managing an ISMS. This guide will explain all three.
What Is a Nonconformity?
ISO 9000 (the definitions standard referenced by ISO 27001) defines a nonconformity as the non-fulfilment of a requirement. In the context of ISO 27001, that requirement can come from three sources:
The standard itself — a mandatory clause requirement that your ISMS does not meet. For example, Clause 9.2 requires you to conduct internal audits at planned intervals. If you have not conducted one, that is a nonconformity against the standard.
Your own documented requirements — your policies, procedures and processes create requirements that you must meet. If your access control policy states that user access will be reviewed quarterly, and you have no evidence of those reviews, that is a nonconformity against your own requirements.
Legal and regulatory obligations — requirements flowing from legislation, contracts or regulations that form part of your compliance obligations as identified under Clause 6.1.3. This one is easy to overlook, so ensure you factor it in.
Nonconformities are raised by certification body auditors during Stage 1, Stage 2, surveillance and recertification audits. They are also raised — or should be raised — by your own internal auditors between external audits. The process for handling them is the same regardless of source.
Minor vs Major: What the Difference Actually Means
The distinction between minor and major nonconformities is one of the most practically important things to understand about the audit process. The two categories carry very different consequences.
Minor Nonconformity
A minor nonconformity is an isolated failure or lapse that does not indicate a systemic breakdown of your ISMS. The requirement exists and is broadly being met, but there is a specific gap in evidence, consistency or completeness.
Examples of minor nonconformities:
- Your supplier assessment procedure requires annual reassessments, and two out of fourteen suppliers are overdue
- The documented scope statement does not reflect a small change to your business made six months ago
- Training records exist for all staff but one new starter’s records are incomplete
- A control listed as applicable in your Statement of Applicability has implementation evidence that is thin or outdated
- Your internal audit plan was approved late, meaning one scheduled audit ran outside its planned window
What makes these minor is that the underlying system is functioning (mainly). The procedure exists, it is broadly followed, but there is a specific instance where it was not. The auditor can see the intent and the general compliance; the gap is an exception rather than the rule.
Consequence: The certification body will require you to submit a corrective action plan within a defined timeframe — typically 30 to 90 days. You do not lose certification, and in most cases you do not need an additional audit visit to close the finding. You submit documented evidence that the corrective action has been completed and verified, and the auditor closes it on review.
It is possible for an auditor to find enough minor NCs in one area to conclude that, on inspection, the process has so many evidenced holes that it is not actually working as intended, and to escalate the group to a single major nonconformity.
Major Nonconformity
A major nonconformity is a significant failure that either represents the complete absence of a required element, or a systemic breakdown that calls into question whether your ISMS is functioning as a management system.
Examples of major nonconformities:
- No internal audit has been conducted since certification
- You have not performed a risk assessment, or the risk assessment has not been updated following significant changes to the business
- No management review has taken place in the certification period
- A critical control is listed as implemented in your Statement of Applicability but there is no evidence it exists or operates
- Your incident management process does not exist in any operational form, despite a procedure being documented
The test for a major nonconformity is typically: does this finding suggest that a core requirement of the standard is either completely absent, or so poorly implemented that the ISMS cannot be said to be functioning? If yes, it is major.
Consequence: A major nonconformity will prevent initial certification from being granted or will threaten an existing certificate.
You will be required to address it and in most cases demonstrate resolution to the certification body — often via an additional audit visit or at minimum a substantial documented evidence package — within a defined timeframe.
If a major nonconformity remains unresolved, certification can be suspended or withdrawn.
[Figure: Minor vs Major Nonconformity: what each classification means, typical examples, and what happens next]
Observations and Opportunities for Improvement
A third category that is not a nonconformity but is worth understanding: the observation or opportunity for improvement (OFI).
This is where an auditor notes something that could be improved but does not constitute a failure of a requirement. You are not obliged to act on these, but most ISMS managers treat them as the most valuable output of an audit — they reveal what an expert eye spotted before it became a finding. I’d certainly say if an auditor logs an OFI, it’s probably best to address it before their next review. Sometimes they are being a bit kind and dressing up an NC as an OFI.
Where Nonconformities Come From
Certification Body Audits
During a Stage 2 certification audit or a surveillance audit, the auditor has a defined scope of areas to review. When they find evidence of a gap, they will raise it as a nonconformity on the audit report. You will typically know about findings before the closing meeting, where the auditor presents the formal findings and their classification.
You do not have to accept a nonconformity if you believe it is incorrectly raised. If you have evidence that addresses the finding, present it at the closing meeting or through the formal appeals process. Auditors are human and occasionally misinterpret evidence. Politely disagreeing with a finding, backed by evidence, is entirely appropriate.
Internal Audits
Internal audits should generate nonconformities. If your internal audit programme concludes every cycle with no findings, one of two things is true: either your ISMS is genuinely flawless (unlikely) or your internal auditors are not looking hard enough.
Internal audit nonconformities follow the same corrective action process as certification body findings. The advantage of catching them internally is time — you can address root causes before an external auditor finds the same gap.
Self-Identification
Nonconformities can also be self-identified outside of the audit cycle — through incident review, management review, metric analysis, or simply because someone notices a gap. ISO 27001 does not require that nonconformities only be raised by auditors.
A culture in which staff and ISMS owners feel comfortable raising issues as potential nonconformities rather than quietly working around them is a sign of a mature ISMS.
The Corrective Action Process: Clause 10.1
Clause 10.1 of ISO 27001 sets out what you must do when a nonconformity occurs. The requirements are not complex, but they are specific — and auditors will check all of them.
Step 1: React to the Nonconformity
When a nonconformity is identified, your first obligation is to react. This means taking immediate action to control and correct it where applicable, and dealing with the consequences.
For a process failure — such as missing supplier assessments — the immediate reaction might be to conduct the overdue assessments. For a control gap — such as discovering that a critical system has no access review in place — the immediate reaction might be to conduct an emergency review and document it.
Not every nonconformity requires an immediate containment action at this stage. If the nonconformity is the absence of a document, there is nothing to contain — the corrective action is to produce the document. The point is to consider whether there is an active risk or exposure that needs addressing before the root cause investigation begins.
[Figure: Finding the Real Root Cause: why "staff will be reminded" is never the answer, and what good root cause analysis looks like]
Step 2: Evaluate the Need for Action
Clause 10.1 requires you to evaluate the need for action to eliminate the causes of the nonconformity. This is the root cause analysis step. You are not required to use a specific methodology — a simple five-whys analysis is often sufficient — but the investigation must be genuine.
The test of a good root cause analysis is whether the cause identified, if addressed, would prevent the nonconformity from recurring. Common root cause categories:
Process design failure — the procedure was unclear, impractical or contradicted by another process. The fix is to redesign the procedure.
Training and awareness gap — the requirement was not understood by the people responsible for it. The fix is targeted training, but also to check whether the procedure communicates requirements clearly.
Resource constraint — the person responsible lacked the time, tools or authority to complete the requirement. The fix may involve resourcing decisions that require management involvement.
Technology failure — a system or tool did not function as expected, leading to a gap. The fix involves technical remediation and potentially a process change.
Ownership gap — nobody was clearly responsible for the requirement, so it fell through the gaps. The fix is to assign clear accountability.
If your root cause analysis concludes that the cause was “the person forgot,” you have not found the root cause. Ask why they forgot, and whether the process should have a reminder, a control, a checklist or a different owner.
Step 3: Implement the Corrective Action
Once you have identified the root cause, implement an action that addresses it. Assign a named owner and a realistic target date. The action should be proportionate to the significance of the nonconformity — a major finding may require a substantial remediation effort; a minor finding may be resolved with a procedure update and targeted training.
Document what action was taken, by whom, and when. This documentation is evidence, not bureaucracy. If you are asked to demonstrate the corrective action at a future audit, this is what you will show.
Step 4: Verify Effectiveness
This is the step most organisations skip, and it is the step auditors specifically look for. Clause 10.1 requires you to review the effectiveness of any corrective action taken.
Effectiveness verification means confirming that the action worked — that the root cause has been addressed and the nonconformity is unlikely to recur. The method of verification should match the nature of the action:
- If the action was to train staff, verify effectiveness by assessing knowledge retention or monitoring behaviour over the following period
- If the action was to update a procedure, verify that the new procedure is being followed by checking records
- If the action was to implement a technical control, verify that the control is operating as intended
- If the action was to add a reminder or calendar event, verify that it has triggered and been actioned
Stating “corrective action complete” on a target date without verification evidence is not sufficient. The corrective action is only complete when you can demonstrate it worked.
Step 5: Update Risk Assessment and ISMS if Required
If the nonconformity reveals a risk that was not previously identified or assessed, Clause 10.1 requires you to update your risk assessment if needed. A nonconformity in a critical control area may also require an update to your Statement of Applicability or your risk treatment plan.
Documenting Corrective Actions
Clause 10.1 requires you to retain documented information as evidence of the nature of nonconformities, the actions taken, and the results. In practice, this means maintaining a corrective action log — commonly called a CAR (Corrective Action Register) or NC log.
Each entry in your log should capture:
- A unique reference number
- Date identified and source (internal audit, CB audit, self-identified, etc.)
- Description of the nonconformity
- Clause or requirement it relates to
- Classification (minor/major, or internal)
- Root cause analysis findings
- Corrective action agreed
- Owner and target date
- Evidence of completion
- Effectiveness verification method and result
- Date closed
This log is a primary document for your management review and a key piece of evidence at surveillance audits. An auditor reviewing your ISMS will often ask to see your corrective action register as one of their first requests.
Responding to Certification Body Nonconformities
When your certification body raises a nonconformity at a formal audit, the process for responding is usually governed by their own procedures. The general pattern:
Within the audit report: The auditor documents the finding, the evidence reviewed, and the clause it relates to. You will receive this report within a defined period after the audit, typically within two weeks.
Corrective action plan submission: You will be required to submit a corrective action plan within a set timeframe — often 30 days for minor nonconformities. This plan should describe the root cause, the proposed corrective action, the owner, and the target date. You are not required to have completed the action at this stage — you are proposing what you will do.
Evidence submission: Once the corrective action is complete, you submit evidence to the certification body for review. For minor nonconformities this is typically a documentary review — you send the evidence and the auditor confirms the finding is closed. For major nonconformities an additional audit visit may be required.
Closure: The auditor reviews your evidence and formally closes the nonconformity. Keep the written confirmation of closure — it is part of your audit trail.
Common Nonconformities to Know
Certain findings recur across organisations at surveillance audits. Being aware of them is useful both for internal auditors and for ISMS managers preparing for an external audit.
Risk assessment not updated following changes — when the business changes (new products, new systems, new suppliers, restructuring) and the risk assessment is not revisited, the ISMS is no longer reflecting reality. This is consistently one of the most common findings.
Internal audit programme not completed — either no internal audit has taken place, or the scope of audits conducted does not cover all areas within the ISMS scope over the certification period.
Management review inputs not fully addressed — the management review meeting took place but the minutes do not address all the required inputs from Clause 9.3, particularly changes in external and internal context, security performance data, or interested party feedback.
Leavers retaining access — perhaps the most operationally common finding. Annex A control 6.5 requires that access rights are removed or modified on termination or change of employment. Access reviews often reveal former employees or contractors who still have active accounts.
Supplier assessments overdue — the process exists but reviews are not being conducted on the frequency the procedure specifies. Often a resource or ownership issue.
Training records incomplete — staff have received training, but evidence of completion is inconsistent or missing entirely for some individuals or roles.
Policy documents unsigned or undated — policies exist but lack evidence of approval. This is a procedural gap that is easy to fix but surprisingly common.
FAQs
Will a nonconformity at our surveillance audit affect our certificate?
A minor nonconformity at a surveillance audit does not suspend or withdraw your certificate. You will be required to submit a corrective action plan and evidence within the timescales your certification body sets — typically 30 to 90 days. Your certificate remains valid during this period provided you respond in good faith. A major nonconformity is more serious and may put your certificate at risk if not resolved within the required timeframe.
How many nonconformities are normal at a surveillance audit?
There is no standard number, and any answer from a certification body that implies a target is misleading. Small organisations with straightforward ISMS implementations sometimes have no nonconformities. Larger organisations with complex systems might have several minor ones. What matters more than the number is the nature — a single major nonconformity is more significant than three minor ones.
Can we raise our own nonconformities before an external audit?
Yes, and this is good practice. Self-identified nonconformities that already have corrective actions in progress demonstrate a functioning improvement process to an external auditor. If you find a gap before an audit and address it before the audit takes place, the auditor may note it as an observation rather than a finding, or not raise it at all. There is no downside to finding your own problems first.
What if we disagree with a nonconformity raised by the auditor?
Raise your disagreement politely at the closing meeting, supported by evidence. Auditors are not infallible, and if you have records that address the finding, present them. If the disagreement is not resolved at the closing meeting, certification bodies have a formal appeals process. Document your position clearly. That said, approach disagreements genuinely — if the auditor has a point, accepting the finding and acting on it is the more productive response.
How long do corrective actions typically take to close?
It depends on the finding. A minor nonconformity involving a missing document or an overdue review can often be closed within days. A corrective action that requires a process redesign, new training programme or system change may take two to three months. Certification bodies typically allow 30 to 90 days for minor nonconformities and may agree a longer timescale for more complex remediation — but you should always communicate proactively if you need more time rather than missing a deadline without notice.