
ISO Guide: Nonconformities and corrective actions

For ISO standards that are written around the Annex SL structure, such as ISO9001, ISO14001, ISO45001 and ISO27001, nonconformities can be found in Clause 10 – Improvement, and more specifically 10.2 – Nonconformity and corrective actions.

This clause states what actions the organization shall do when a nonconformity is found, and the resulting actions and documented evidence to be generated.

In this blog article, we look at the difference between major and minor nonconformities, observations and OFIs, and outline six steps to correcting a nonconformity.

So, what are nonconformities or observations?

There are only two types of nonconformity that relate to ISO management systems: major and minor nonconformities.

A Major Nonconformity is defined as an absence or complete breakdown of your management system, which therefore affects the capability of the management system to achieve its intended results.

For example:

  • There is significant doubt that effective process control is in place, or that products or services will meet specified requirements
  • Several minor nonconformities associated with the same requirement or issue demonstrate a systemic failure and thus constitute a major nonconformity
  • Failure to carry out corrective action against a minor nonconformity within the agreed deadline
  • A finding against an item of legislation (typically within ISO 14001 and ISO 45001)

A Minor Nonconformity is defined as a one-off lapse or failure to follow a process as documented. The one-off lapse could be failing to sign off reports or complete required paperwork, etc. It is a nonconformity that does not affect the capability of the management system to achieve its intended results.

An Observation is a poor practice that does not currently constitute a nonconformance, but which makes conformance difficult or provides opportunities for error.

An Opportunity for Improvement (OFI) is a situation that is not a nonconformance, but where the results are not optimal and could be improved.

The Registered Certification Body (RCB) carrying out your certification audit will decide when the number of minor nonconformities related to the same process becomes a major nonconformity, and this threshold can differ depending on your chosen RCB. A good rule of thumb is that five minor nonconformities result in a major nonconformity, and three major nonconformities result in a failed certification audit.

What to do when a nonconformity is found

There are six steps in correcting a nonconformity:

  1. Identify the problem
  2. Establish a response team
  3. Identify the root cause(s)
  4. Take corrective action
  5. Prevent recurrence
  6. Monitor effectiveness

1. Identify the problem

Once a problem has been identified, on completion of the audit, it should be documented on a Nonconformity Report (NCR) or a Corrective Action Report (CAR). This will identify who or what is affected by the problem and the potential impact if it is not corrected. Identifying the problem should answer the what, who, where, when and how questions:

  • What (operations, processes, products, etc.) is affected, which helps characterise the problem
  • Who is concerned with the problem (reporting the problem, responsible for rectifying it, affected by it)
  • Where it is within the area (process, department, customer, etc.)
  • Where it originated from; whether it is a recurring problem or a one-off; how long it lasts (for example, mid-process for 10 minutes)
  • When it happens – for example, on start-up, when initiating machinery, etc.
  • How it affects production or service

2. Establish a response team

It is important to include staff from the department in which the problem was identified, especially those who perform the functions where the problem was discovered. These people will be invaluable in helping to discover the root cause of the problem. Size the team to match the problem: if it is a minor problem, you shouldn’t need a big team; however, should the problem cross departments or parts of a production line, then more people will obviously be needed. It should be noted that studies have found that when a core team exceeds six to eight people, efficiency falls.

To have an effective team, you should try to ensure:

  • Members have process or product understanding
  • The team has the time and resources to complete the task
  • The team is authorised by executive management to investigate and implement any corrective actions and monitoring criteria
  • Expertise is available in the required areas
  • A Team Leader is identified

The team should provide an intermediate action to contain the problem and prevent it from impacting upon processes within the business without any further problems being introduced. Once achieved, the team needs to investigate further to find the reason the problem occurred in the first place.

3. Identify the root cause(s)

Some problems will be obvious; for those that aren’t, root cause analysis should be used, especially where defects or failures are found.

The response team should carry out root cause analysis to discover the initial cause of the problem. There are many methods available, such as Failure Mode and Effect Analysis (FMEA), Pareto Analysis, Fish-bone Analysis and Change Analysis, to mention a few.

4. Take corrective action

Once the results of the RCA have been collated and the causes and their effects identified, it is time to implement the corrective actions necessary to eliminate the problem. It is important at this stage to monitor the results of the corrective actions and, if necessary, adjust those actions to achieve a permanent correction.

Consider the following steps to implement corrective actions:

  1. Implement the corrective actions
  2. Implement controls
  3. Monitor and evaluate corrective actions
  4. Amend actions if necessary
  5. Confirm with process/product/department owner that the problem has been fixed

5. Prevent recurrence

Once the permanent corrective action has been monitored and verified, there may be a need to update any standard operating procedures, processes, policies or practices to ensure that the problem, or something similar, doesn’t happen again. Ensure that all staff involved in the area where the problem occurred are briefed on any changes to processes, etc.

It is critical that any underlying symptoms related to the problem are addressed, and that the corrective action taken is monitored carefully to ensure that it is working. Failure to do so could lead to serious consequences later.

6. Monitor effectiveness

Any corrective actions, whether temporary or permanent, should be monitored to ensure they are effective and that they haven’t simply pushed the problem somewhere else in the business.

If the problem was identified during an internal audit, it will be followed up by the auditor to check that actions were instigated and that the ‘nonconformity’ has been rectified. However, the department should also establish a process to review on a regular basis to ensure that the problem has been solved and that no further problems are present.

If this is a problem that could occur in other areas of the organization, such as a similar production line or the same equipment at a different site, then those areas should be checked and, if necessary, the corrective actions taken for the original problem should be implemented there and monitored.


In summary, any problem identified, by whatever means, needs to be:

  • Contained
  • Investigated
  • Addressed with initial corrective actions
  • Subjected to RCA to identify the area(s) to correct and the permanent corrective action(s)
  • Resolved by implementing the permanent corrective action(s) and monitoring them
  • Reflected in amendments to the relevant documented information


Written by Ted Spiller, CertiKit’s Compliance Consultant. Ted is an expert in many ISO management systems; he is a Lead Auditor for ISO9001 and ISO14001, and an Auditor for ISO45001 and ISO22301.

How can CertiKit help with your ISO compliance?

At CertiKit, ISO compliance is what we do best, and we have a range of solutions available to help businesses prepare for certification to the following standards:

  • ISO/IEC 27001
  • ISO/IEC 27701
  • ISO/IEC 20000
  • ISO 22301
  • ISO 9001
  • ISO 14001
  • ISO 45001

Whether you’re looking to do it yourself with the help of our toolkits, or you’re looking for additional assistance through our ISO consultancy and internal auditing services, contact us to see how we can help you achieve compliance quickly and efficiently.
