What Is Nonconformity in ISO Standards? Definition and Examples

CertBetter

Team CertBetter

What Nonconformity Actually Means in ISO

If you have ever been through an ISO audit, you have probably heard the word nonconformity thrown around. It sounds serious, and depending on the context, it can be. But a lot of business owners and quality managers either misunderstand what it means or panic unnecessarily when one is raised against them.

A nonconformity in ISO standards is simply the failure to meet a requirement. That requirement could come from the standard itself, from your own documented procedures, from a legal obligation your organisation has committed to, or from a customer specification. If something was supposed to happen and it did not, or if something happened in a way that contradicts what was agreed or required, you have a nonconformity on your hands.

The formal definition comes from ISO 9000:2015, which defines nonconformity as the non-fulfilment of a requirement. That definition applies across virtually every ISO management system standard, including ISO 9001, ISO 14001, ISO 45001, and ISO 27001. The word is consistent because these standards all share the same foundational vocabulary.

Understanding nonconformity properly is important not just for passing audits, but for actually running a better business. When you treat nonconformities as useful signals rather than embarrassing failures, your management system starts to work the way it was designed to.

The Two Types of Nonconformity You Need to Know

Not all nonconformities carry the same weight. Auditors classify them into two categories, and the distinction matters because it affects how urgently you need to respond and what happens to your certification.

Major Nonconformity

A major nonconformity is a significant failure. It indicates either a complete absence of a required process, a systematic breakdown in how a requirement is being met, or a situation where the management system has clearly failed to achieve its intended outcome.

Examples of major nonconformities include:

  • Having no documented procedure for a process that the standard explicitly requires you to control
  • A complete lack of internal audits being conducted over a long period
  • No evidence of management review taking place
  • A legal compliance obligation that is being ignored entirely
  • A critical safety control that has never been implemented under ISO 45001

A major nonconformity will typically prevent your certification from being granted or renewed until it is resolved. The certification body will require you to submit a corrective action plan and provide evidence that the issue has been addressed before they issue or continue your certificate.

Minor Nonconformity

A minor nonconformity is a smaller, isolated failure. It does not indicate a systemic breakdown, but it does show that something slipped through or was not done consistently. The requirement exists and is generally being met, but there is a lapse in a specific instance.

Examples of minor nonconformities include:

  • A single training record that is missing for one employee
  • A procedure that has not been reviewed within the timeframe your own system requires
  • One piece of equipment that is overdue for calibration
  • A documented risk that has not been updated following a change in the business

Minor nonconformities do not usually block certification, but they still require a corrective action response. If you accumulate multiple minor nonconformities in the same area across audit cycles, auditors may upgrade the concern to a major because the pattern suggests a systemic problem.

Nonconformity vs Observation vs Opportunity for Improvement

This is where a lot of people get confused. Auditors do not just raise nonconformities. They also note observations and opportunities for improvement, and these are distinctly different things.

A nonconformity means a requirement has not been met. Full stop. There is no grey area. Either the requirement exists and the evidence shows it is not being fulfilled, or it is not a nonconformity.

An observation is a concern the auditor wants to flag, but which has not yet crossed the line into a formal nonconformity. It might be something that looks like it could become a problem, or an area where the auditor noticed inconsistency but could not confirm it definitively. Observations are worth taking seriously even though they do not require a formal corrective action response.

An opportunity for improvement is exactly what it sounds like. The auditor is not saying you have failed a requirement. They are suggesting that your system could work better in a particular area. These are not binding, but they are genuinely useful if the auditor has real experience in your industry.

If you want a deeper breakdown of how these differ in practice, our article on what it means when an auditor raises an observation versus a nonconformance covers this in detail.

Real World Examples of Nonconformities Across Different Standards

Abstract definitions only go so far. Let us look at how nonconformities actually show up across the most common ISO standards.

ISO 9001 Nonconformity Examples

ISO 9001 is the most widely held ISO certification in the world, so most people will encounter nonconformities in this context first.

  • Customer complaint with no corrective action: A customer formally complained about a product defect six months ago. The complaint was logged but no investigation was conducted and nothing changed in the process. This is a nonconformity against Clause 10.2, which requires corrective action when nonconformities occur.
  • Supplier not evaluated: Your quality management system states that all suppliers must be evaluated before being approved. You have been using a materials supplier for eight months and there is no evaluation on file. This is a nonconformity against Clause 8.4.
  • No management review records: ISO 9001 requires top management to review the quality management system at planned intervals. You cannot produce any records of this happening in the past 18 months. This is a major nonconformity against Clause 9.3.

ISO 14001 Nonconformity Examples

  • Environmental aspect not identified: Your organisation generates chemical waste from a production process, but this has never been identified as an environmental aspect. This is a nonconformity against Clause 6.1.2.
  • Legal compliance not monitored: A new environmental regulation came into effect and your organisation has no process for tracking regulatory changes. This is a nonconformity against Clause 9.1.2.

ISO 45001 Nonconformity Examples

  • Hazard not assessed: Workers are regularly using a piece of equipment that has never been included in the hazard identification and risk assessment process. This is a nonconformity against Clause 6.1.2.
  • Incident not investigated: A worker was injured on site three months ago. The incident was reported but no investigation was conducted and no corrective action was taken. This is a nonconformity against Clause 10.2.

ISO 27001 Nonconformity Examples

  • Access control not reviewed: Your information security policy requires that user access rights be reviewed every six months. The last review was 14 months ago. This is a nonconformity against Annex A Control 5.18.
  • Risk treatment plan not implemented: Your organisation identified a significant information security risk and documented a treatment plan, but none of the controls have been implemented. This is a nonconformity against Clause 6.1.3.

How Nonconformities Are Raised During an Audit

When an auditor identifies a nonconformity, they do not simply mark a box and move on. There is a process, and understanding it will help you respond more effectively.

First, the auditor will gather objective evidence. This means they need to be able to point to something specific: a missing record, a process that does not exist, or a procedure that contradicts what is actually happening on the floor. An auditor cannot raise a nonconformity based on a feeling or a suspicion. They need evidence.

Once identified, the nonconformity is formally documented in the audit report. The report will describe the requirement that was not met, the evidence that supports the finding, and whether it is classified as major or minor.

You will then be asked to respond with a corrective action. This is not just about fixing the immediate problem. A proper corrective action response requires you to identify the root cause of the nonconformity and address that root cause, not just the symptom. This is where a lot of organisations struggle. Fixing the missing training record is easy. Understanding why the training record was never created in the first place, and putting something in place to prevent it happening again, is the real work.

Our guide on how to run ISO internal audits that actually find problems explains how to approach this kind of root cause thinking before your certification audit, so you can catch these issues yourself first.

Corrective Action: What You Are Actually Required to Do

Clause 10.2 of ISO 9001, and the equivalent clauses in other management system standards, sets out what you must do when a nonconformity occurs. The steps are worth understanding clearly.

  1. React to the nonconformity: Take action to control and correct it. If a product went out that does not meet specification, contain the problem. Stop further defective product from shipping. Notify the customer if required.
  2. Evaluate the need for action to eliminate the cause: This is where root cause analysis comes in. You need to understand why the nonconformity happened, not just what happened.
  3. Implement the corrective action: Put in place whatever is needed to address the root cause. This might be a process change, additional training, a new control, or a revision to a procedure.
  4. Review the effectiveness of the action: After a reasonable period, check whether what you did actually worked. Did the root cause get addressed? Has the nonconformity recurred?
  5. Update risks and opportunities if needed: If the nonconformity revealed a gap in your risk thinking, update your risk register accordingly.
  6. Make changes to the management system if needed: Sometimes a nonconformity reveals that the system itself needs updating.

All of this needs to be documented. The corrective action record is the evidence that you have taken the nonconformity seriously and addressed it properly. Auditors will check these records at your next surveillance audit.

It is also worth noting that the standard requires corrective actions to be proportionate to the effects of the nonconformity. A minor lapse in a low-risk area does not require the same level of response as a major failure in a critical process.

Nonconformities That Come From Within Your Own System

One thing that surprises many business owners is that nonconformities do not only come from external audits. They can and should also come from within your own organisation. This is actually a sign of a healthy management system.

Internal audits are supposed to find nonconformities. If your internal audits never find anything, that is usually a red flag that they are not being conducted properly. The whole point of an internal audit is to identify gaps before an external auditor does.

Nonconformities can also be identified through:

  • Customer complaints
  • Supplier performance issues
  • Incidents and near misses
  • Process monitoring and measurement results
  • Employee observations and suggestions
  • Management review discussions

When your team starts identifying and raising nonconformities internally, it means the culture around your management system is working. People understand what the requirements are and they are paying attention to whether those requirements are being met.

This connects directly to the concept of continual improvement, which is one of the core principles underpinning every ISO management system standard. You can read more about these foundations in our beginner's guide to ISO 9001:2015.

Common Mistakes Businesses Make When Dealing With Nonconformities

After years of auditing and consulting, the same patterns come up again and again in how businesses mishandle nonconformities.

Treating the Symptom, Not the Cause

The most common mistake is fixing the immediate problem without addressing why it happened. You update the missing training record but do not ask why the record was never created. Six months later, the same issue reappears because nothing actually changed.

Closing Out Corrective Actions Without Evidence

Saying you fixed something is not the same as proving you fixed it. Your corrective action records need to include evidence of what was done. A note that says “training completed” is not sufficient. You need the training records to back it up.

Not Reviewing Effectiveness

Many organisations implement a corrective action and then consider the matter closed. The standard requires you to review whether the action was effective. Build this step into your process and document the outcome.

Panic and Defensiveness During the Audit

When an auditor raises a nonconformity, the worst thing you can do is argue about it on the spot. If you genuinely believe the finding is incorrect, there is a formal process for disputing it. Our article on the formal process for disputing an ISO audit finding explains how to handle that situation properly. But in most cases, the finding is valid and the better approach is to understand it clearly and ask questions to make sure you know exactly what is required in the corrective action response.

Letting Minor Nonconformities Stack Up

Some businesses treat minor nonconformities as low priority and let them accumulate. This is a mistake. Auditors look at trends across audit cycles. Multiple minor nonconformities in the same area across two or three audits will eventually be treated as evidence of a systemic problem, and that changes the classification.

How Long Does Corrective Action Evidence Need to Be Kept?

This is a practical question that comes up frequently. The short answer is that you should retain corrective action records for as long as they are relevant to demonstrating the ongoing effectiveness of your management system. In practice, most organisations retain these records for the full three-year certification cycle at minimum, and many retain them longer. Our dedicated article on how long corrective action evidence needs to be kept provides specific guidance on this.

Getting Help When Nonconformities Feel Overwhelming

If you are facing a major nonconformity, or if your audit has surfaced multiple issues you are not sure how to address, working with an experienced ISO consultant can make a significant difference. A good consultant will help you conduct proper root cause analysis, write a corrective action plan that will satisfy the certification body, and put in place the process changes needed to prevent recurrence.

The challenge is finding a consultant who actually understands your industry and your specific standard, rather than someone who just produces generic documentation. If you are not sure where to start, CertBetter can help. Submit one form and receive up to three competing quotes from vetted ISO consultants and certification bodies. The service is completely free for businesses, and all providers on the platform have been verified. It is a straightforward way to find qualified help without spending hours researching providers individually.

Frequently Asked Questions

A major nonconformity indicates a significant or systemic failure to meet a requirement, such as a complete absence of a required process or a breakdown that undermines the management system's ability to achieve its intended outcomes. A minor nonconformity is an isolated lapse where the requirement is generally being met but something has slipped in a specific instance. Major nonconformities typically block certification until resolved, while minor nonconformities require corrective action but do not usually prevent certification from being granted or maintained.

Yes, absolutely. A nonconformity can be raised whenever a requirement is not met, and requirements include your own documented procedures, work instructions, and policies, not just the clauses of the ISO standard itself. If your quality manual states that supplier evaluations must be completed before onboarding, and you have onboarded a supplier without doing one, that is a nonconformity even if you wrote the procedure yourself. This is why it is important to make sure your own documented requirements are realistic and consistently followed.

Failing to respond to a nonconformity within the timeframe set by the certification body will put your certification at risk. For a major nonconformity, the certification body may withhold or withdraw your certificate. For minor nonconformities, they will typically follow up at the next surveillance audit, but a pattern of unresolved issues will escalate the concern. Certification bodies take corrective action responses seriously because they are the mechanism through which the management system demonstrates it can identify and fix its own failures.

These terms are related but not identical. A nonconformity is the broader term used across ISO management system standards to mean any failure to meet a requirement, whether that requirement comes from the standard, your own procedures, or a contractual obligation. Noncompliance tends to refer specifically to a failure to meet a legal or regulatory requirement. In practice, a legal noncompliance would also be classified as a nonconformity under your ISO management system, particularly under standards like ISO 14001 and ISO 45001 where legal compliance is an explicit requirement.

The requirement that has not been met is the same regardless of who identifies it. The difference is in the context and consequence. Internal nonconformities, identified through your own internal audits or operational monitoring, give you the opportunity to fix issues before an external auditor sees them. External nonconformities raised during a certification or surveillance audit are formally recorded and require a structured corrective action response submitted to the certification body. Finding nonconformities internally first is always preferable, and a well-functioning internal audit programme should be surfacing issues regularly.

Yes, it can, though it depends on the severity and how you respond. A single major nonconformity will not automatically result in losing your certificate, but it will be held until you provide satisfactory evidence of corrective action. If you fail to address it within the required timeframe, or if your corrective action is inadequate, the certification body may suspend or withdraw your certificate. Multiple unresolved minor nonconformities, or a pattern of recurring issues, can also lead to suspension. The best protection is a management system that genuinely operates day to day, not just at audit time.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
