How Long Does It Take to Close Audit Nonconformities?

CertBetter

Team CertBetter

The Question Every Business Asks After an Audit

You have just finished your ISO certification audit. The auditor hands you a report with one or more nonconformities listed, and the first question out of your mouth is usually some version of: how long do I have to fix this?

It is a fair question, and the honest answer is that it depends on a few things, including the type of nonconformity raised, what your certification body requires, and how quickly your team can actually implement a genuine fix. This article walks you through realistic timeframes, what the closure process actually involves, and the most common reasons businesses take longer than they should.

If you are preparing for your first audit or trying to recover from findings at a surveillance audit, this is the practical breakdown you need.

What Is a Nonconformity and Why Does It Matter?

Before getting into timelines, it helps to be clear on what you are actually dealing with. A nonconformity is a failure to meet a requirement. That requirement might come from the ISO standard itself, your own documented procedures, or a legal obligation that your management system is supposed to address.

Nonconformities are not all equal. Most certification bodies classify them into two categories.

Major Nonconformities

A major nonconformity is a significant failure. It usually means that a key requirement of the standard has not been addressed at all, or that a systemic breakdown exists that undermines the integrity of your management system. Examples include having no internal audit programme in place, no evidence of management review, or a complete absence of documented procedures for a core process.

Major nonconformities are serious because they typically prevent your certificate from being issued or continued until they are closed. The certification body cannot certify a system that has a fundamental gap.

Minor Nonconformities

A minor nonconformity is an isolated lapse or a partial failure to meet a requirement. The requirement is addressed in principle, but there is a gap in implementation or evidence. For example, your calibration procedure exists and is mostly followed, but two pieces of equipment have not been calibrated within the required interval.

Minor nonconformities do not automatically block certification, but they still require a formal corrective action response and must be closed within the timeframe agreed with your certification body.

It is also worth understanding the difference between a nonconformity and an observation. If you are unsure where that line sits, the article on what it means when an auditor raises an observation versus a nonconformance explains the distinction clearly.

Typical Timeframes for Closing Nonconformities

There is no single universal deadline set by ISO itself. The standard does not say “you have 30 days to close findings.” Timeframes are set by your certification body, and they vary. That said, there are well-established norms across the industry.

Major Nonconformities: Usually 30 to 90 Days

For major nonconformities raised during an initial certification audit, most certification bodies will give you between 30 and 90 days to submit evidence of corrective action. Some bodies allow up to six months in exceptional circumstances, but this is not common for initial certifications.

The clock starts from the date the audit report is formally issued, not the day of the audit itself. Keep that in mind when planning your response, because ISO audit reports can sometimes take several weeks to arrive after the audit concludes.

If the major nonconformity is raised during a surveillance audit and you are already certified, the certification body may require closure before your next scheduled surveillance visit, or they may set a specific deadline. In some cases, if the finding is severe enough, they can suspend your certificate while you address it.

Minor Nonconformities: Usually 30 to 60 Days

Minor nonconformities generally need to be closed within 30 to 60 days. Many certification bodies ask for a corrective action plan within two weeks and evidence of implementation within 30 days. Others allow the full 60 days for both.

The specific deadline will be written into your audit report or communicated directly by your certification body. Read that section carefully, because missing the deadline can escalate a minor finding into a more serious issue.

At Recertification Audits

Recertification audits happen every three years and are a full re-evaluation of your system. Nonconformities raised here follow the same general timelines as initial certification audits, but there is an added pressure: if major findings are not closed before your current certificate expires, you may face a gap in certification. This is a situation you absolutely want to avoid, particularly if your certificate is tied to client contracts or government tenders.

What Closing a Nonconformity Actually Involves

This is where a lot of businesses go wrong. Closing a nonconformity is not just about fixing the immediate problem. Certification bodies expect you to follow a proper corrective action process, and submitting a quick patch without addressing the root cause will almost certainly be rejected.

Step 1: Acknowledge and Contain the Problem

Your first task is to stop the bleeding. If the nonconformity relates to a process failure that is ongoing, you need to take immediate containment action to prevent further non-compliance. Document what you did and when.

Step 2: Identify the Root Cause

This is the step most businesses rush or skip entirely. The auditor is not just looking for evidence that you fixed the specific instance they found. They want to see that you understand why it happened. Common root cause analysis tools include the 5 Whys method, fishbone diagrams, or a simple cause and effect analysis. The method matters less than the quality of your thinking.

A weak root cause statement like “staff were not following procedure” is not enough. You need to ask why they were not following it. Was the procedure unclear? Was training inadequate? Was there no mechanism to check compliance? That deeper answer is what drives a genuine fix.

Step 3: Implement Corrective Actions

Based on your root cause analysis, you implement actions that address the underlying cause, not just the symptom. This might involve updating a procedure, conducting additional training, changing a monitoring process, or modifying a system or tool.

Be realistic about what you can implement within the deadline. If your corrective action plan is ambitious, break it into stages and document your progress. Certification bodies generally respond well to honest, well-structured plans, even if full implementation takes a little longer.

Step 4: Verify Effectiveness

Once the corrective action is in place, you need to verify that it actually worked. This might mean running the process again and checking the output, reviewing records from the past few weeks, or conducting a follow-up internal audit of the affected area. Your evidence submission needs to show both the action taken and some demonstration that it is working.

Step 5: Submit Evidence to the Certification Body

Your submission to the certification body should include a clear corrective action report that covers the finding, the root cause analysis, the actions taken, and the evidence of effectiveness. Keep it concise and well-organised. Auditors review many of these documents and appreciate clarity over volume.

Why Nonconformity Closure Takes Longer Than It Should

In practice, many businesses take longer than necessary to close findings. Here are the most common reasons, and what to do about them.

Underestimating the Root Cause Step

Businesses that rush through root cause analysis end up submitting corrective actions that address symptoms rather than causes. The certification body rejects the submission, asks for more information, and the clock keeps running. Taking an extra few days to do a proper root cause analysis upfront saves significant time overall.

Waiting for the Audit Report Before Starting

You do not need the formal audit report to begin your corrective action process. If findings were discussed during the closing meeting, you already know what they are. Start your root cause analysis immediately after the audit. By the time the report arrives, you may already have a draft corrective action plan ready.

Lack of Internal Ownership

Nonconformity closure requires someone to own the process. If it gets assigned to a committee or left as a general action item, it tends to drift. Assign a specific person to each finding, give them a clear deadline, and check in regularly. The same discipline that applies to running effective internal audits applies here: someone has to be accountable.

Confusing Documentation With Implementation

Updating a procedure document is not the same as implementing a corrective action. The certification body will look for evidence that the new process is actually being followed, not just that a document was revised. Records, training logs, monitoring results, and similar evidence are what demonstrate real implementation.

Poor Communication With the Certification Body

If you are running close to a deadline and need more time, contact your certification body proactively. Most will grant a short extension if you can demonstrate that genuine work is underway and explain why additional time is needed. What they will not respond well to is silence followed by a late or incomplete submission.

How Corrective Actions Feed Into Your Management System

Closing a nonconformity is not just an administrative task to get your certificate. Done properly, it is one of the most valuable improvement activities your management system can generate. Every finding is a signal that something in your system needs attention.

This is why ISO standards like ISO 9001 and ISO 45001 have explicit requirements around corrective action under Clause 10. The standard expects you to treat nonconformities as inputs to continual improvement, not just problems to be administratively closed.

Organisations that treat corrective actions seriously tend to find that their surveillance audits get easier over time. Those that treat them as box-ticking exercises tend to see the same types of findings recurring year after year.

It is also worth noting that corrective action records need to be retained for a defined period. Your certification body may ask to see evidence from previous cycles during surveillance or recertification audits, so keeping organised records from the start pays off later.

What Happens if You Miss the Deadline?

Missing a nonconformity closure deadline is not automatically catastrophic, but it does create complications. For minor nonconformities, your certification body will typically follow up and may raise the finding as a major nonconformity if it remains unaddressed. For major nonconformities, missing the deadline can result in suspension or withdrawal of your certificate.

If you are in a situation where you genuinely cannot meet the deadline, the worst thing you can do is go quiet. Contact your certification body, explain the situation, provide evidence of progress, and request an extension. Most bodies are reasonable if you are transparent and demonstrating genuine effort.

If you believe a finding was raised incorrectly or unfairly, you also have the right to dispute it. The process for doing that is covered in detail in the article on the formal process for disputing an ISO audit finding.

Practical Tips to Close Nonconformities Faster

  • Start immediately after the closing meeting. Do not wait for the written report. Begin your root cause analysis while the audit is fresh.
  • Use a simple corrective action template. A one-page format covering the finding, root cause, action, responsible person, target date, and evidence of closure is usually sufficient.
  • Assign ownership clearly. One person per finding, with a clear deadline and regular check-ins from management.
  • Separate quick fixes from systemic changes. Some actions can be done in days. Others take weeks. Document both and show progress on the longer items.
  • Do not over-engineer your response. Auditors are looking for genuine, proportionate corrective actions, not elaborate reports. A clear, honest response that addresses the root cause will always score better than a lengthy document that dances around the real issue.
  • Keep your evidence organised. Label documents clearly, use dates, and make it easy for the reviewer to follow the thread from finding to fix.

Choosing the Right Certification Body Matters Here Too

The experience of closing nonconformities varies significantly depending on which certification body you work with. Some bodies have clear, well-structured processes for submitting and reviewing corrective actions. Others are slow to respond, inconsistent in what they accept, and difficult to communicate with when you need guidance.

Before you engage a certification body, it is worth asking specifically how they handle nonconformity closure. What format do they require for submissions? What is their typical review turnaround? Who is your point of contact if you have questions during the process?

If you are still selecting a certification body, the 10 steps to select the best ISO certification body is a useful reference that covers the questions worth asking before you sign anything.

At CertBetter, we connect businesses with verified certification bodies and ISO consultants who have a track record of clear, professional communication throughout the audit and corrective action process. You submit one form, receive up to three competing quotes from vetted providers, and can compare their approach before committing. The service is completely free for businesses seeking certification help.

Frequently Asked Questions

Most certification bodies allow between 30 and 90 days to close a major nonconformity, with the deadline running from the date the formal audit report is issued. In exceptional circumstances some bodies allow up to six months, but this is not standard. If the finding is raised during a surveillance audit rather than an initial certification audit, the deadline may be tied to your next scheduled visit. Always confirm the specific deadline with your certification body in writing.

It depends on the type of nonconformity. Minor nonconformities generally do not block initial certification, provided you submit an acceptable corrective action plan within the required timeframe. Major nonconformities, however, must typically be closed and verified before a certificate can be issued or continued. Your certification body will confirm their specific policy, but as a general rule, do not expect a certificate to be issued with an open major finding.

Your corrective action submission will likely be rejected. Certification bodies are trained to look for genuine root cause analysis and proportionate corrective actions. If you submit evidence that only addresses the specific instance found during the audit without explaining why it happened and what you have changed to prevent recurrence, the reviewer will send it back for revision. This wastes time and risks missing your deadline, so investing in proper root cause analysis upfront is always the better approach.

Yes. ISO standards with corrective action requirements, including ISO 9001 and ISO 45001, require you to retain documented information as evidence of the nature of nonconformities and any subsequent actions taken. Your certification body may review these records during future surveillance or recertification audits to check whether similar issues have recurred and whether your corrective actions were effective over time. Keep your records organised and accessible.

You have the right to dispute a finding if you believe it was raised incorrectly or that the auditor misinterpreted the standard or the evidence. The dispute process typically involves raising your objection in writing to the certification body within a specified period after the audit report is issued. Most accredited certification bodies are required by ISO 17021, the standard that governs certification bodies, to have a formal complaints and appeals process. Disputing a finding does not suspend your obligation to respond to it in the meantime.

Yes, and this is one of the most practical uses of an ISO consultant. An experienced consultant can help you conduct a proper root cause analysis, structure your corrective action response in a format the certification body expects, and review your evidence before submission to avoid a rejection. If you are dealing with a major nonconformity or a finding that has systemic implications for your management system, getting experienced help is worth the investment. It is far cheaper than missing a deadline and risking your certificate.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
