What Is Clause 8.7 and Why Does It Matter?
If you have ever shipped a product that did not meet specifications, delivered a service that fell short of what was agreed, or caught a defect after it left your facility, you have already encountered the problem that ISO 9001 Clause 8.7 is designed to address. This clause sits within Section 8 of the standard, which covers operation, and it deals specifically with how your business identifies, controls, and resolves outputs that do not conform to requirements.
On this page
The term “nonconforming output” sounds technical, but it simply means anything your business produces, whether a physical product, a delivered service, or a process output, that does not meet the defined requirements. Those requirements might come from a customer contract, a product specification, a regulatory standard, or your own internal quality criteria. When an output fails to meet any of those requirements, Clause 8.7 kicks in.
This clause matters for one straightforward reason: uncontrolled nonconforming outputs reach customers. When that happens, you face warranty claims, rework costs, damaged relationships, and in regulated industries, potentially serious legal or safety consequences. A well-implemented Clause 8.7 process stops that from happening by building a systematic response into your quality management system.
This guide walks through the full requirements of Clause 8.7, what auditors look for, common mistakes businesses make, and how to build a process that actually works rather than just satisfying the checkbox.
The Full Requirements of Clause 8.7
The clause is structured around two sub-clauses: 8.7.1, which covers what you must do when a nonconforming output is identified, and 8.7.2, which covers the documented information you must retain. Understanding both is essential before you design your process.
Clause 8.7.1: Identifying and Controlling Nonconforming Outputs
The standard requires that your organisation identify and control outputs that do not conform to requirements, to prevent their unintended use or delivery. That phrase “unintended use or delivery” is important. The goal is not to prevent nonconformities from ever occurring. The goal is to make sure that when they do occur, they are caught, labelled, segregated, and handled deliberately rather than accidentally passed on.
Clause 8.7.1 then lists the actions your organisation must take based on the nature of the nonconformity and its effect on conformity of products and services. These actions include one or more of the following:
- Correction: Taking action to fix the nonconforming output, such as reworking a product or re-delivering a service.
- Segregation, containment, return, or suspension: Physically separating the nonconforming output from conforming stock to prevent it from being used or shipped.
- Informing the customer: Where a nonconforming output has already been delivered, the customer must be notified.
- Obtaining authorisation for acceptance under concession: In some cases, a nonconforming output may still be acceptable to the customer or for the intended purpose. This is called a concession or a use-as-is decision, and it must be formally authorised.
The clause also requires that when nonconforming outputs are corrected, they must be re-verified to confirm conformity with the requirements. This is a step many businesses skip, and it is one of the most common findings in audits. Fixing something and then shipping it without checking that the fix worked is not compliant.
It is worth noting that Clause 8.7 applies throughout the production or service delivery process, not just at the final inspection stage. Nonconformities identified during in-process checks, incoming inspection of materials, or even after delivery are all within scope.
Clause 8.7.2: Documented Information
The standard requires that your organisation retain documented information that describes the nonconformity, the actions taken, any concessions obtained, and the authority that decided what to do with the output. This documented information is your evidence trail. Without it, you cannot demonstrate to an auditor that you managed the nonconformity properly, and you cannot analyse trends over time to prevent recurrence.
In practical terms, this means you need a nonconformance report or NCR system. It does not have to be sophisticated. A simple form or a field in your quality management software is fine, as long as it captures the required information consistently. What it must include is the description of what went wrong, what decision was made, who authorised that decision, and what was done to verify the corrected output.
The Four Dispositions: What Can You Do With a Nonconforming Output?
When your team identifies a nonconforming output, there are four standard dispositions available. Knowing these clearly helps your team make faster, better decisions without escalating every single issue to management.
1. Rework or Repair
The output is corrected to bring it back into conformance with requirements. This is the most common disposition for manufacturing businesses. A machined part that is slightly out of tolerance might be re-machined. A document with errors might be revised and reissued. After rework, the output must be re-inspected to confirm it now meets requirements.
2. Use As Is (Concession)
The output does not fully meet requirements, but after evaluation it is determined to still be fit for its intended purpose. This disposition must be formally authorised, either by an internal authority such as an engineering manager or quality manager, or by the customer if the requirement originated from them. Concessions are common in industries like aerospace and defence, where the customer has formal concession processes built into contracts.
3. Scrap or Reject
The output cannot be reworked and is not acceptable for use. It must be disposed of in a controlled way to prevent it from re-entering the process. In practice, this often means physical labelling, a dedicated quarantine area, and a documented disposal record.
4. Return to Supplier
Where the nonconforming output is an incoming material or component that does not meet your specifications, it can be returned to the supplier. This disposition should trigger your supplier evaluation process as well, since repeated nonconformances from a supplier are a quality risk that needs to be addressed.
Practical Implementation: Building a Process That Works
Understanding the requirements is one thing. Building a process your team will actually use is another. Here is what works in practice, based on real implementation experience across manufacturing, construction, services, and professional services businesses.
Step 1: Define What Counts as a Nonconforming Output in Your Context
The most common gap I see in businesses attempting to implement Clause 8.7 is a vague or absent definition of what constitutes a nonconformity in their specific context. Your team cannot identify nonconforming outputs if they do not know what the requirements are in the first place.
Start by documenting the requirements that apply to your outputs. These might include customer specifications, drawings, product standards, service level agreements, regulatory requirements, or internal quality criteria. Once those requirements are clear and accessible, your team has a reference point for identifying when something falls short.
Step 2: Create a Simple Nonconformance Reporting Process
Your NCR process needs to be simple enough that people actually use it. If raising a nonconformance report takes 20 minutes and requires three approvals before anything happens, your team will avoid raising them. That means nonconformities go unrecorded, and you lose the data you need to identify systemic problems.
A good NCR process captures the following information quickly: what was found, where it was found, when it was found, who found it, and what was done with it. The disposition decision and the re-verification result can be added after the fact. Keep the form short. Keep the process fast.
Step 3: Establish a Physical or Logical Quarantine System
For businesses dealing with physical products, a quarantine area is essential. This is a designated space, clearly labelled, where nonconforming items are held until a disposition decision is made. Without a quarantine area, nonconforming items can be accidentally mixed with conforming stock and shipped to customers.
For service businesses, the equivalent is a logical quarantine, such as a document status flag, a workflow hold, or a system that prevents a nonconforming deliverable from being sent to the client until it has been reviewed and approved.
Step 4: Define Who Has Authority to Make Disposition Decisions
Clause 8.7 requires that the authority for disposition decisions be clear. In practice, this means defining in your procedure who can approve a rework, who can approve a concession, and who can approve a scrap decision. These are not always the same person. A quality manager might be able to approve rework, but a concession that affects a customer contract might require sign-off from the account manager or the customer themselves.
Documenting this authority matrix in your procedure saves time and prevents disputes when a nonconformance is identified under pressure.
Step 5: Close the Loop With Re-Verification
As mentioned earlier, re-verification after correction is a specific requirement of the standard and a common audit finding when it is missing. Build re-verification into your NCR process as a mandatory step before a reworked or repaired output can be released. The re-verification should be performed against the same requirements that the original output failed to meet, and the result must be recorded.
Step 6: Use NCR Data to Drive Improvement
Clause 8.7 does not exist in isolation. It feeds directly into Clause 10.2, which covers nonconformity and corrective action. If you are raising NCRs but not analysing them for trends, you are missing the most valuable part of the process. Regular review of NCR data, at minimum during your management review meetings, allows you to identify recurring issues, target root causes, and reduce the frequency of nonconformities over time.
For more detail on how performance data feeds into the broader quality management cycle, see our guide to ISO 9001 Clause 9 performance evaluation.
Common Audit Findings Under Clause 8.7
Having conducted and reviewed many ISO 9001 audits, there are several findings that come up repeatedly under this clause. Being aware of them before your audit will save you a lot of stress.
No Re-Verification After Rework
This is the single most common finding. The business reworks the product and ships it, but there is no record that the reworked item was re-inspected. The fix is straightforward: add a re-inspection step to your NCR form and make it mandatory before any reworked output can be released.
Concessions Granted Without Proper Authority
A production supervisor approves a use-as-is decision on a nonconforming product without any documented authority to do so. The standard requires that the person or role authorising a concession be defined. Check your procedure and make sure it names the roles, not just the individuals, who have concession authority.
Nonconformances Not Recorded
Verbal dispositions, informal fixes, and undocumented rework are all findings. If your team is fixing problems without raising NCRs, auditors will find evidence of this during interviews and process observations. The solution is cultural as much as procedural: your team needs to understand that raising an NCR is not a blame exercise, it is a quality improvement tool.
No Segregation of Nonconforming Stock
Walking a warehouse or production floor and finding nonconforming items mixed with conforming stock, or unlabelled items in a quarantine area, is a straightforward finding. Physical controls matter. Labels, tags, and dedicated areas are not optional.
Customer Notification Not Documented
Where a nonconforming product has been delivered to a customer, the clause requires that the customer be informed. If this happened verbally, there is no evidence. Document the notification, even if it is just a brief email record or a note in the NCR.
Clause 8.7 in Service Businesses: What It Looks Like in Practice
Many service businesses assume that Clause 8.7 does not really apply to them because they do not produce physical products. This is a misunderstanding. The clause applies to any output, including services, and the principles translate directly.
Consider a professional services firm that delivers a financial report to a client. If the report contains errors identified before delivery, the nonconforming output is the draft report. The disposition might be correction and re-verification before it is sent. If the errors are identified after delivery, the customer notification requirement applies.
For a software development company, a build that fails testing is a nonconforming output. The disposition is rework, followed by re-testing before release. The NCR might be a ticket in your project management system, as long as it captures the required information.
The principle is the same regardless of industry: identify what went wrong, prevent it from reaching the customer if it has not already, decide what to do with it, and record what you did.
If you are just getting started with ISO 9001 and want to understand the broader framework before diving into individual clauses, the beginner's guide to ISO 9001:2015 is a good starting point.
How Clause 8.7 Connects to Other Parts of ISO 9001
Clause 8.7 does not operate in isolation. It connects to several other parts of the standard in ways that are important to understand.
Clause 8.1 (Operational Planning and Control) sets the requirements for how your operations are planned and controlled, including the criteria for accepting outputs. If your acceptance criteria are not defined under 8.1, your team cannot identify nonconformities under 8.7.
Clause 8.4 (Control of Externally Provided Processes, Products and Services) applies when nonconforming outputs originate from suppliers. Your supplier control process and your NCR process need to be connected so that supplier nonconformances trigger appropriate supplier performance actions.
Clause 9.1 (Monitoring, Measurement, Analysis and Evaluation) relies on NCR data as a key input for quality performance measurement. Your NCR trends should feed into your quality objectives review and your management review agenda.
Clause 10.2 (Nonconformity and Corrective Action) is where Clause 8.7 hands off to the corrective action process. Not every NCR needs a full corrective action, but recurring or significant nonconformities should trigger a root cause investigation and a corrective action plan. The distinction between immediate correction (Clause 8.7) and corrective action to prevent recurrence (Clause 10.2) is important and often confused.
Understanding how your internal audits feed into this process is also valuable. Our guide on how to run ISO internal audits that actually find problems covers how to use audit findings to surface systemic issues before they become major nonconformances.
Documented Information Requirements: What You Need to Keep
To satisfy Clause 8.7.2, your documented information must be retained as evidence of conformity. This means your NCR records need to be stored, retrievable, and legible for the duration of your retention period. What that period should be depends on your industry, your customer contracts, and any applicable regulatory requirements. As a minimum, most businesses retain NCR records for at least three years to cover the full certification cycle.
Your documented information should include:
- A description of the nonconformity, including what the requirement was and how the output failed to meet it
- The disposition decision and the rationale for it
- The name or role of the person who authorised the disposition
- Any concession documentation, including customer authorisation where applicable
- The result of re-verification after correction
- Any customer notification records where the nonconforming output was already delivered
You do not need a dedicated software system to manage this. A well-designed form, consistently used and properly filed, satisfies the requirement. That said, if your business raises a significant volume of NCRs, a quality management system with built-in NCR functionality will make trend analysis and audit evidence retrieval much easier.
For broader guidance on how controlled documents work within a quality management system, see our article on what controlled documents are and how to implement them.
Preparing for Your Audit: What Auditors Will Check
When an auditor reviews your Clause 8.7 implementation, they will typically do three things: review your documented procedure, sample your NCR records, and observe or interview your team about how they handle nonconformances in practice.
For the procedure review, the auditor will check that your process covers all the required elements: identification, segregation, disposition options, re-verification, customer notification, and documented information. Gaps in the procedure are findings, even if your actual practice is sound.
For the records review, the auditor will pull a sample of your NCRs and check that they are complete. Missing re-verification records, undocumented disposition decisions, and NCRs with no resolution are all common findings at this stage.
For the process observation, the auditor may walk your production floor or office and ask staff how they would handle a nonconforming output. If your team cannot describe the process, or if their description does not match your procedure, that is a finding related to awareness and training rather than Clause 8.7 itself, but it will still be raised.
The ISO 9001:2015 standard published by ISO.org remains the definitive reference for the exact wording and intent of each clause, and reviewing the clause directly before your audit is always worthwhile.
Getting the Most Out of Clause 8.7
Businesses that treat Clause 8.7 as a compliance exercise tend to have NCR systems that are technically in place but not genuinely useful. Businesses that treat it as a quality improvement tool tend to see real reductions in defect rates, rework costs, and customer complaints over time.
The difference comes down to culture. If raising an NCR is seen as a blame mechanism, people will avoid it. If it is seen as useful data that helps the business improve, people will use it willingly. Leadership tone matters here. When managers respond to NCR data with curiosity rather than criticism, the system works as intended.
The data you collect through your NCR process is genuinely valuable. It tells you where your process is breaking down, which suppliers are causing problems, which products or services are most prone to nonconformance, and where your inspection and verification activities need to be strengthened. That is information worth having.
If you are working towards your first ISO 9001 certification or preparing for a surveillance audit and want to make sure your Clause 8.7 process is solid, getting an experienced consultant to review your documentation and walk your process is often the most efficient investment you can make. CertBetter connects businesses with verified ISO consultants and accredited certification bodies across Australia and globally. You submit one form, receive up to three competing quotes, and compare your options before committing to anything. The service is completely free for businesses seeking certification help.
