ISpectra Technologies
Audit, Certification & Evidence · Advanced · Updated Jun 2026 · 10 min read

ISO 27001 Nonconformities: Types & How to Fix Them

Nonconformities are not the disaster they sound like. They are simply gaps an audit identifies — and how you handle them, through root-cause analysis and corrective action, is itself a core part of a healthy ISMS.


The word ‘nonconformity’ strikes fear into first-time certifiers, conjuring images of failed audits. In reality, nonconformities are a normal, expected part of ISO 27001 — the mechanism by which the standard’s continual-improvement loop actually works. What matters is not whether you ever have one, but how you respond.

This guide explains what nonconformities are, the difference between major and minor, how corrective action works, and how to handle findings so they strengthen rather than threaten your ISO 27001 certification.

What a nonconformity is

A nonconformity is a failure to meet a requirement — either a requirement of ISO 27001 itself or of your own documented ISMS. If a control that should operate is not operating, or a mandatory document is missing, that is a nonconformity.

Nonconformities are identified by audits (internal or external) and by your own monitoring. Far from being purely negative, they are how the ISMS detects where it falls short so it can improve — the ‘Check’ feeding the ‘Act’.

Every functioning management system produces nonconformities; a system that never does is usually one that is not looking.

Major vs minor nonconformities

Auditors classify nonconformities by severity. A minor nonconformity is an isolated lapse or partial gap — a single missed access review, say — that does not undermine the overall system. A major nonconformity is a significant failure: a whole requirement not met, a systemic breakdown, or a minor issue left unaddressed until it became serious.

The distinction matters because it affects certification. Minor nonconformities usually allow certification to proceed with a corrective-action commitment; major ones typically must be resolved before the certificate is issued or maintained.

Understanding the difference removes much of the fear around findings.


Why findings are normal

It is rare for any audit — internal or external — to be entirely clean, and that is expected. Auditors look hard precisely to find issues, and a small number of minor findings is a sign of a thorough audit, not a failing organisation.

A constructive auditor frames findings as improvements. What concerns them is not the existence of a minor finding but a pattern of systemic gaps or a failure to address known issues.

Reframing findings as useful feedback, rather than verdicts, changes how you experience the whole audit.

The corrective action process

When a nonconformity is raised, ISO 27001 requires you to act through a defined process (Clause 10.2, Nonconformity and corrective action, in the 2022 edition). First you correct the immediate issue (the ‘correction’). Then you investigate why it happened (root-cause analysis), check whether the same cause has produced, or could produce, similar nonconformities elsewhere, and take corrective action to prevent recurrence.

Finally, you verify that the corrective action worked. This sequence — correct, analyse, prevent, verify — is the heart of the improvement loop and is exactly what auditors expect to see for each finding.

Skipping the root-cause step, and just patching the symptom, is the most common corrective-action mistake.

Root-cause analysis

The most valuable part of handling a nonconformity is understanding its root cause. A missed access review might be caused by no defined owner, no reminder, or an unclear procedure — and only fixing the actual cause prevents recurrence.

Techniques like asking ‘why’ repeatedly help get past symptoms to causes. Good root-cause analysis turns a single finding into a systemic improvement that prevents a whole class of future issues.

Auditors reward genuine root-cause analysis because it shows the ISMS learning, not just patching.

Documenting nonconformities

Nonconformities and their corrective actions should be recorded — commonly in a nonconformity log or corrective-action register capturing the issue, its severity, the root cause, the action taken, the owner, and the verification of effectiveness.

This log is mandatory evidence (the standard requires documented information on the nature of each nonconformity, the actions taken and the results of corrective action) and a genuinely useful management tool. A well-kept log reassures auditors that your system detects and resolves problems systematically.

Counterintuitively, a healthy log with closed findings is a positive signal, not a negative one.
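To make the correct, analyse, prevent, verify sequence and the register fields concrete, here is an added example; it is illustration written for this page, not ISpectra's tooling or anything the standard prescribes. It models a corrective-action register that refuses out-of-sequence steps (no corrective action without a recorded root cause, no closure without verification), lists major findings that still block certification, flags findings whose corrective-action plan is overdue, and detects a root cause that recurs after an earlier finding was closed. The field names, the 30-day plan deadline and the three sample findings are assumptions made for the example.

```python
"""Corrective-action register enforcing correct -> analyse -> prevent -> verify.
Added illustration, not ISpectra's tooling; field names, deadline and sample
findings are assumptions for the example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Severity(Enum):
    MINOR = "minor"
    MAJOR = "major"


class Status(Enum):
    OPEN = "open"              # raised, nothing done yet
    CORRECTED = "corrected"    # immediate issue fixed, cause not yet analysed
    ACTION_TAKEN = "action"    # root cause recorded, corrective action implemented
    CLOSED = "closed"          # effectiveness verified


class ProcessError(ValueError):
    """A step was attempted out of sequence or without its prerequisite."""


@dataclass
class Nonconformity:
    ref: str
    requirement: str            # clause or Annex A control the gap is against
    description: str
    severity: Severity
    owner: str
    raised_on: date
    correction: Optional[str] = None
    root_cause: Optional[str] = None
    corrective_action: Optional[str] = None
    verified_on: Optional[date] = None
    status: Status = Status.OPEN
    history: list = field(default_factory=list)   # (date, event) audit trail


class Register:
    def __init__(self, plan_deadline_days: int = 30):
        # Assumed deadline for a corrective-action plan; certification bodies set their own.
        self.plan_deadline = timedelta(days=plan_deadline_days)
        self.items: dict = {}

    def raise_nc(self, nc: Nonconformity) -> None:
        if nc.ref in self.items:
            raise ProcessError(f"{nc.ref} already exists")
        self.items[nc.ref] = nc
        nc.history.append((nc.raised_on, "raised"))

    def _expect(self, ref: str, *allowed: Status) -> Nonconformity:
        nc = self.items[ref]
        if nc.status not in allowed:
            raise ProcessError(f"{ref}: step not allowed while {nc.status.value}")
        return nc

    def correct(self, ref: str, correction: str, on: date) -> None:
        nc = self._expect(ref, Status.OPEN)
        nc.correction, nc.status = correction, Status.CORRECTED
        nc.history.append((on, "corrected"))

    def take_action(self, ref: str, root_cause: str, action: str, on: date) -> None:
        nc = self._expect(ref, Status.CORRECTED)
        if not root_cause.strip():   # the most common mistake: patching without a cause
            raise ProcessError(f"{ref}: root cause is required before corrective action")
        nc.root_cause, nc.corrective_action = root_cause.strip(), action
        nc.status = Status.ACTION_TAKEN
        nc.history.append((on, "corrective action taken"))

    def verify(self, ref: str, effective: bool, on: date) -> None:
        nc = self._expect(ref, Status.ACTION_TAKEN)
        if effective:
            nc.verified_on, nc.status = on, Status.CLOSED
            nc.history.append((on, "verified effective"))
        else:   # action did not work: back to analysis, failed attempt stays on record
            nc.status = Status.CORRECTED
            nc.history.append((on, f"verification failed: {nc.corrective_action}"))

    def blocks_certification(self) -> list:
        return sorted(r for r, nc in self.items.items()
                      if nc.severity is Severity.MAJOR and nc.status is not Status.CLOSED)

    def overdue_plans(self, as_of: date) -> list:
        return sorted(r for r, nc in self.items.items()
                      if nc.status in (Status.OPEN, Status.CORRECTED)
                      and as_of - nc.raised_on > self.plan_deadline)

    def recurrences(self) -> list:
        """(earlier_ref, later_ref) where a root cause reappears after the earlier finding was closed."""
        closed = [nc for nc in self.items.values() if nc.status is Status.CLOSED and nc.root_cause]
        hits = [(e.ref, l.ref) for l in self.items.values() if l.root_cause for e in closed
                if e.ref != l.ref and e.root_cause.lower() == l.root_cause.lower()
                and e.verified_on < l.raised_on]
        return sorted(hits)


def demo() -> dict:
    """Constructed sample findings; returns the register's reports for inspection."""
    reg, rejected = Register(), 0
    reg.raise_nc(Nonconformity("NC-1", "A.5.18", "Q1 access review not performed",
                               Severity.MINOR, "IT lead", date(2026, 1, 15)))
    reg.correct("NC-1", "Q1 review performed retrospectively", date(2026, 1, 20))
    try:   # symptom-only fix with no root cause is refused
        reg.take_action("NC-1", "", "Ran the review", date(2026, 1, 21))
    except ProcessError:
        rejected += 1
    reg.take_action("NC-1", "No named owner for the quarterly access review",
                    "Assign owner; ticket auto-created each quarter", date(2026, 1, 25))
    reg.verify("NC-1", effective=True, on=date(2026, 4, 10))
    reg.raise_nc(Nonconformity("NC-2", "A.5.19", "No supplier security requirements defined",
                               Severity.MAJOR, "CISO", date(2026, 3, 2)))
    try:   # cannot verify a finding that was never corrected or analysed
        reg.verify("NC-2", effective=True, on=date(2026, 3, 3))
    except ProcessError:
        rejected += 1
    reg.raise_nc(Nonconformity("NC-3", "A.5.18", "Q2 access review not performed",
                               Severity.MINOR, "IT lead", date(2026, 7, 20)))
    reg.correct("NC-3", "Q2 review performed retrospectively", date(2026, 7, 22))
    reg.take_action("NC-3", "No named owner for the quarterly access review",
                    "Owner role added to the RACI", date(2026, 7, 25))
    return {"blocking": reg.blocks_certification(),
            "overdue": reg.overdue_plans(date(2026, 8, 1)),
            "recurrences": reg.recurrences(),
            "rejected_steps": rejected, "register": reg}


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "register"})
```

Run it and the report shows NC-2 both blocking certification and overdue for a plan, and NC-3 flagged as a recurrence of NC-1's root cause, which is exactly the pattern a surveillance auditor treats as a management system that is not learning.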

Handling nonconformities at the certification audit

If the Stage 2 audit raises nonconformities, the path forward depends on severity. Minor nonconformities typically let certification proceed provided you submit a corrective-action plan within a set time. Major nonconformities usually must be resolved, and sometimes re-audited, before the certificate is issued.

This is why a genuine internal audit beforehand is so valuable: it surfaces would-be findings while you can fix them quietly, reducing the chance of a major nonconformity at the decisive audit.

Even at the external audit, a calm, structured response to findings reflects well on the ISMS. Getting this right is a significant part of a smooth path to ISO 27001 certification.

Nonconformities in surveillance audits

Surveillance audits can also raise nonconformities, and the same severity logic applies. The auditor will additionally check that nonconformities from previous audits were genuinely closed — unresolved prior findings are a serious concern that can escalate.

So tracking findings to closure between audits is essential. A finding that recurs because the root cause was never addressed signals a management system that is not functioning, which endangers the certificate.

Consistent follow-through is what keeps surveillance audits routine.

Preventing nonconformities

While some findings are inevitable, many are preventable. Continuous evidence collection, scheduled recurring controls with named owners, current documentation, and regular internal audits catch issues before an external auditor does — turning potential external nonconformities into quietly resolved internal ones.

The goal is not zero findings (unrealistic and even suspicious) but no surprises: any issue the external auditor raises should be one you would have caught yourself. That is the mark of a mature ISMS.

Prevention is mostly a matter of good maintenance habits.

Nonconformities as improvement

The deepest point is that nonconformities are the engine of improvement, not a sign of failure. Each one, properly handled, makes the ISMS stronger by closing a real gap. Over time, a well-run corrective-action process steadily raises your security maturity.

Organisations that embrace this, treating findings as opportunities rather than embarrassments, build genuinely resilient systems. The continual-improvement requirement (Clause 10, Improvement) exists precisely to harness this.

A healthy attitude to nonconformities is itself a marker of ISMS maturity.

Getting help with findings

If you are unsure how to classify a finding, perform root-cause analysis, or structure corrective action, experienced help is valuable — particularly before a first certification. A partner who has handled many audits knows what auditors expect and how to resolve findings convincingly.

This is part of how a good preparation partner de-risks certification: by anticipating likely findings and addressing them before the external audit. ISpectra supports clients through findings and corrective action, with free VAPT and a multi-framework discount included.

Expert support turns findings from a worry into a managed, routine process.

The bottom line

Nonconformities are gaps an audit identifies, classified as minor or major, and they are a normal part of ISO 27001 rather than a disaster. What matters is the response: correct the issue, find the root cause, take corrective action to prevent recurrence, and verify it worked.

Document findings in a corrective-action log, track them to closure, and prevent surprises through good maintenance and genuine internal audits. Major nonconformities must be resolved to certify; minor ones rarely block certification.

Embrace nonconformities as the engine of continual improvement, handle them well, and they strengthen your ISMS — exactly the outcome the standard intends and ISpectra helps deliver.

ISO 27001 Nonconformities: Types & How to Fix Them — Frequently Asked Questions

What is a nonconformity?
A failure to meet a requirement — of ISO 27001 itself or of your own documented ISMS. Examples include a control not operating or a mandatory document missing. They are identified by audits and monitoring and drive improvement.

What is the difference between a major and a minor nonconformity?
A minor nonconformity is an isolated lapse that does not undermine the system; a major one is a significant or systemic failure, or a minor issue left unaddressed. Minors usually allow certification with a corrective-action plan; majors typically must be resolved first.

Does a nonconformity mean the audit has failed?
No. Few audits are entirely clean, and minor findings are normal and even a sign of a thorough audit. What matters is how you respond, not whether you ever have one. Only unresolved major or systemic issues threaten certification.

What is the corrective action process?
The required process for handling a nonconformity: correct the immediate issue, investigate the root cause, take action to prevent recurrence, and verify the action worked. Skipping root-cause analysis is the most common mistake.

How can nonconformities be prevented?
Through continuous evidence collection, scheduled recurring controls with owners, current documentation, and genuine internal audits that catch issues before the external auditor does. The goal is no surprises, not zero findings.

Ready to get ISO 27001 certified?

ISpectra takes you from gap assessment to certificate — ISMS build, risk assessment, Annex A controls, evidence, and audit support in one program. Free VAPT included, and 10% off when you bundle multiple frameworks.