The word "nonconformity" tends to produce disproportionate alarm. Companies receiving their first nonconformity from a certification body assume the audit has failed, the certificate is at risk, and months of work are about to be undone. In most cases, that is not true. Nonconformities are a normal part of a mature ISMS, and how you handle them tells the certification body as much about your security culture as the nonconformity itself.
Understanding what a nonconformity is, how it is classified, and what Clause 10.2 requires you to do about it takes the alarm out of the process and replaces it with a clear, actionable path forward.
What a Nonconformity Is
ISO 27001 defines a nonconformity as non-fulfillment of a requirement. That requirement can come from the standard itself (a clause requirement), from your own ISMS documentation (a policy or procedure you have defined), or from a legal or contractual obligation that your ISMS is designed to address.
Nonconformities are usually expressed in a specific form: the requirement, the evidence of what was observed, and the gap between the two. A well-written nonconformity statement does not just say "access reviews are missing." It says: Annex A control A.5.18 (Access rights) and your own Access Management Policy require quarterly access reviews of all production systems. During fieldwork, the auditor requested evidence of access reviews for Q1 and Q2 2026. No records were produced for either quarter. This constitutes a failure to implement and maintain the access review control as described in your ISMS documentation.
That specificity matters. You cannot write an effective corrective action plan against a vague finding. And a corrective action plan against a specific finding demonstrates that you have understood the gap, identified the root cause, and addressed it at the right level.
Types of Nonconformity
Major Nonconformity
A major nonconformity is a failure that puts the ISMS's ability to achieve its intended outcomes at risk. This typically means a complete absence of a required control, a systemic breakdown in a critical control area, or evidence that the ISMS is not being implemented and maintained as a whole. A major nonconformity at Stage 2 will prevent the certificate from being issued until it is closed and verified by the certification body. A major nonconformity at surveillance can result in suspension or withdrawal of the certificate.
Minor Nonconformity
A minor nonconformity is an isolated or single occurrence of a failure to meet a requirement, where the overall control environment is not at risk: an access review that was missed for one quarter, a policy that has not been updated to reflect a minor process change, or a single instance of incomplete documentation. Minor nonconformities must be closed within the timeline agreed with the certification body, typically 30 to 90 days, and evidence of closure must be submitted and accepted before the finding is formally closed.
Observation or Opportunity for Improvement
An observation is a finding that does not constitute a nonconformity but which, if left unaddressed, could become one. Certification bodies use observations to flag areas of potential weakness without raising a formal finding. Observations are not required to be closed on a specific timeline, but they are noted in the audit record and the certification body will look at them during the next surveillance or recertification audit to see whether you have addressed them.
Correction vs. Corrective Action: The Critical Distinction
ISO 27001 Clause 10.2 requires two things in response to a nonconformity: a correction and a corrective action. These are not the same thing, and confusing them is the most common mistake companies make when responding to findings.
A correction addresses the immediate effect of the nonconformity. It fixes the symptom. If the nonconformity is that Q1 and Q2 access reviews were not conducted, the correction is to conduct those reviews and document the results.
A corrective action addresses the root cause of the nonconformity so it does not recur. If the reviews were missed because no one owned the control, the corrective action is to assign an owner, create a recurring task, and establish a monitoring mechanism that will flag the review as overdue before the next audit. If the reviews were missed because the policy was unclear about scope, the corrective action is to revise the policy and ensure the relevant people understand their responsibilities.
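The "monitoring mechanism that will flag the review as overdue" is the part of that corrective action most often left vague in a CAP. The following is an added example, not code from the article: a small Python check that compares a constructed set of completed access-review records against the quarters the policy requires, reports quarters that ended without a review for an in-scope system, and warns when the current quarter is inside an assumed 30-day window with no review yet. The system names, dates and the quarterly cadence are all assumptions for illustration.

```python
"""Flag missing and soon-due quarterly access reviews before an auditor asks for them."""
from datetime import date, timedelta

# Constructed sample records (assumption, not real data): one entry per completed review.
SAMPLE_REVIEWS = [
    {"system": "prod-db", "completed": date(2025, 10, 14)},   # Q4 2025
    {"system": "prod-api", "completed": date(2025, 11, 2)},   # Q4 2025
    {"system": "prod-db", "completed": date(2026, 1, 21)},    # Q1 2026
    # prod-api has no Q1 2026 review, and neither system has a Q2 2026 review yet
]
IN_SCOPE_SYSTEMS = ["prod-db", "prod-api"]   # assumed scope from the Access Management Policy


def quarter_of(d):
    """Map a date to its (year, quarter) pair."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarter_bounds(year, q):
    """Return the first and last calendar day of a quarter."""
    start = date(year, 3 * (q - 1) + 1, 1)
    next_start = date(year + 1, 1, 1) if q == 4 else date(year, 3 * q + 1, 1)
    return start, next_start - timedelta(days=1)


def quarters_between(start, end):
    """Yield every (year, quarter) that overlaps the inclusive range [start, end]."""
    y, q = quarter_of(start)
    last = quarter_of(end)
    while (y, q) <= last:
        yield (y, q)
        y, q = (y + 1, 1) if q == 4 else (y, q + 1)


def review_status(reviews, systems, period_start, period_end, today, warn_days=30):
    """Classify each (system, quarter) without a completed review.

    'missing'  : the quarter has already ended with no review recorded (a future finding).
    'due_soon' : today is inside the quarter and fewer than warn_days remain.
    """
    done = {(r["system"], quarter_of(r["completed"])) for r in reviews}
    missing, due_soon = [], []
    for yq in quarters_between(period_start, period_end):
        q_start, q_end = quarter_bounds(*yq)
        for system in systems:
            if (system, yq) in done:
                continue
            if q_end < today:
                missing.append((system, yq))
            elif q_start <= today <= q_end and (q_end - today).days <= warn_days:
                due_soon.append((system, yq))
    return {"missing": missing, "due_soon": due_soon}


def check_sample(today=date(2026, 6, 10)):
    """Run the check over the constructed records for Oct 2025 through Jun 2026."""
    return review_status(SAMPLE_REVIEWS, IN_SCOPE_SYSTEMS,
                         date(2025, 10, 1), date(2026, 6, 30), today)


if __name__ == "__main__":
    status = check_sample()
    for system, (year, q) in status["missing"]:
        print(f"MISSING: {system} had no access review in Q{q} {year}")
    for system, (year, q) in status["due_soon"]:
        print(f"DUE SOON: {system} review for Q{q} {year} not yet recorded")
```

Run from a scheduled job, this turns the control from "someone remembers" into a record that the control owner is alerted before a quarter closes; the alert log itself is evidence of the monitoring mechanism the CAP promises.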
Certification bodies close nonconformities based on the corrective action, not the correction. If your response addresses only the immediate symptom and not the root cause, the certification body will request additional information and the finding will remain open until the root cause is addressed.
Root Cause Analysis
Clause 10.2 requires the organization to evaluate the need for action to eliminate causes of nonconformities, with a view to preventing recurrence. That phrase, "eliminate causes," means root cause analysis is mandatory, not optional.
The depth of root cause analysis should match the severity of the nonconformity. For a simple isolated gap, the Five Whys technique is usually sufficient: ask why the problem occurred five times in sequence, and each answer points toward a more fundamental cause. For a systemic failure, a fishbone diagram or fault tree analysis may be more appropriate, mapping all the contributing factors that allowed the failure to occur.
A common mistake in root cause analysis for ISO 27001 nonconformities is stopping at the process level when the cause is at the management or governance level. If access reviews were not conducted because the control owner was not aware they owned that control, the root cause is not a missing calendar entry. It is a failure in ISMS onboarding or role documentation. The corrective action needs to address that failure, not just the calendar entry.
Writing a Corrective Action Plan That Certification Bodies Accept
Anatomy of a Defensible CAP
How Certification Bodies Verify Closure
Certification bodies do not close a nonconformity based on your CAP alone. They close it based on evidence that the corrective actions have been implemented and are effective. The evidence requirements vary by certification body and by the type of nonconformity, but the general pattern is: submit the CAP with supporting evidence, the certification body reviews and accepts it, and then confirms at the next audit that the corrective action has been sustained.
For a minor nonconformity, this might mean submitting a completed corrective action with supporting documentation and having the certification body accept it remotely. For a major nonconformity, this often requires a follow-up assessment, either on-site or through a documentary review, before the certificate is issued or renewed.
The most common reason nonconformities reappear is that the corrective action addressed the specific instance but not the systemic cause. If the same nonconformity appears in a subsequent audit, the certification body will classify it more seriously than it did the first time, and your explanation of why it recurred will need to be more convincing.
Nonconformities as a Management Signal
A well-run ISMS should produce nonconformities. Not in every audit, and not at the major level, but an internal audit program that never finds a gap is either not looking hard enough or managing a trivially simple ISMS. Nonconformities are the mechanism by which the standard drives continual improvement. Finding them, addressing them properly, and confirming they do not recur is the operating cycle ISO 27001 is designed to produce.
The organizations that pass certification audits most smoothly are not the ones that have the fewest nonconformities. They are the ones whose corrective action processes are the most credible. A certification body that sees a mature corrective action process, with root cause analysis, named owners, documented timelines, and effectiveness verification, has confidence in the ISMS even when individual controls have gaps. That confidence is what a certificate is supposed to represent.