What is a Nonconformity in ISO 27001?
Overview
A Nonconformity is the non-fulfillment of a requirement in your ISMS. In ISO 27001:2022, Clause 10.2 requires organizations to identify, respond to, and correct nonconformities when they occur, then take corrective action to eliminate their root causes and prevent recurrence.
Nonconformities are discovered during internal audits, management reviews, external certification audits, or daily operations—and addressing them is critical for maintaining certification and improving your ISMS.
Nonconformities in Practice
A nonconformity exists when your ISMS fails to meet a requirement from:
ISO 27001:2022 standard requirements (Clauses 4-10)
Your own documented ISMS requirements (policies, procedures, objectives)
Applicable legal, regulatory, or contractual obligations
Nonconformities can range from minor documentation gaps to major control failures that compromise information security.
During certification audits, major nonconformities can delay or prevent certification. Minor nonconformities require corrective action but don't typically block certification if addressed promptly.
Types of Nonconformities
Major Nonconformity
A significant failure that impacts the ISMS's ability to achieve intended outcomes or meet requirements.
Examples:
Complete absence of a required process (e.g., no risk assessment conducted)
Systematic failure of a control (e.g., access reviews haven't been performed for 18 months)
Significant non-compliance with legal requirements (e.g., GDPR breach notification not followed)
Multiple related minor nonconformities indicating systemic problems
Impact: Certification bodies typically require major nonconformities to be resolved before granting or maintaining certification.
Minor Nonconformity
An isolated incident or lapse that doesn't severely impact ISMS effectiveness.
Examples:
Missing signature on a single policy document
One instance of an employee not completing security awareness training on time
Incomplete documentation for a recent management review
A control implemented but not fully documented
Impact: Must be corrected but typically doesn't prevent certification if addressed within a reasonable timeframe.
Observation/Opportunity for Improvement
Not technically a nonconformity, but a finding that suggests potential future problems or areas for enhancement.
Examples:
Security awareness training content is outdated (no current requirement violated)
Risk assessment process works but could be more efficient
Monitoring metrics don't align well with information security objectives
Impact: No immediate corrective action is required, but the finding should be considered for continual improvement.
Certification auditors classify findings as major nonconformity, minor nonconformity, or observation. Internal audits should use the same classifications to prepare for external audits.
Common Sources of Nonconformities
Internal Audits (Clause 9.2)
Your own audit program identifies nonconformities before certification audits.
Example: Internal audit finds backup restoration has not been tested in 14 months, violating your backup policy requirement for quarterly tests.
External Certification Audits
Certification bodies assess compliance during Stage 1, Stage 2, and surveillance audits.
Example: Certification auditor finds no documented evidence of management review in the past 12 months (Clause 9.3 violation).
Operational Monitoring (Clause 9.1)
Performance measurements reveal deviations from requirements.
Example: Monitoring shows incident response times averaging 8 hours, exceeding your 4-hour objective.
Security Incidents
Breaches or near-misses expose control failures.
Example: Successful phishing attack reveals employees haven't received security awareness training (Clause 7.2 and A.6.3 nonconformity).
Stakeholder Feedback
Customers, regulators, or employees report issues.
Example: Customer audit discovers third-party vendor assessments haven't been documented (A.5.19 nonconformity).
Responding to Nonconformities (Clause 10.2)
ISO 27001:2022 requires a structured response when nonconformities occur:
1. React to the Nonconformity
Take immediate action to control and correct the situation
Deal with the consequences (contain damage, notify affected parties)
Example: Access control nonconformity discovered. Immediate action: Revoke unauthorized access, notify security team, review all recent access grants.
2. Evaluate the Need for Action to Eliminate Causes
Investigate why the nonconformity occurred (root cause analysis)
Determine if similar nonconformities exist or could occur elsewhere
Example: Root cause: No automated reminder for quarterly access reviews. Similar risk: Other periodic tasks may lack reminders.
3. Implement Corrective Action
Take action to eliminate the root cause and prevent recurrence
Ensure actions are appropriate to the significance of the nonconformity
Example: Corrective action: Implement automated task scheduling for all periodic ISMS activities (access reviews, backup tests, policy reviews).
4. Review Effectiveness of Corrective Action
Verify the action resolved the nonconformity and prevented recurrence
Monitor to ensure the problem doesn't return
Example: After 6 months, audit confirms all scheduled tasks are being completed on time with automated reminders.
5. Update the ISMS if Necessary
Revise documented information (policies, procedures, controls)
Update risk assessment if new risks are identified
Example: Update change management procedure to include automated task tracking for all periodic activities.
Document all nonconformities and corrective actions in a register. Include: description, classification, date discovered, root cause, actions taken, responsible person, deadline, and effectiveness review results.
Root Cause Analysis Techniques
Effective corrective action requires identifying true root causes, not just symptoms:
5 Whys
Ask "why" repeatedly to drill down to root cause.
Example:
Why did the incident occur? → Employee clicked phishing link.
Why did they click? → Didn't recognize it as suspicious.
Why didn't they recognize it? → Lacked awareness training.
Why lacked training? → New hires not enrolled automatically.
Why no automatic enrollment? → No process integration with HR system.
Root cause: Security training not integrated with onboarding process.
Fishbone Diagram (Ishikawa)
Categorize potential causes (people, process, technology, environment) to identify contributing factors.
Failure Mode and Effects Analysis (FMEA)
Systematically evaluate how processes can fail and the consequences.
Examples by ISO 27001 Clause
Clause 5.2 - Information Security Policy
Nonconformity: Policy not approved by top management or missing commitment to continual improvement.
Corrective action: Obtain CEO signature, add continual improvement clause, communicate updated policy.
Clause 6.1.2 - Risk Assessment
Nonconformity: Risk assessment hasn't been updated in 24 months despite significant business changes.
Corrective action: Conduct updated risk assessment, establish annual review schedule with calendar reminders.
Clause 7.2 - Competence
Nonconformity: No records showing IT staff have required security certifications or training.
Corrective action: Document current competencies, identify training gaps, enroll staff in required courses, maintain training records.
Clause 9.2 - Internal Audit
Nonconformity: Internal audit conducted by the same person responsible for the controls being audited (lacks independence).
Corrective action: Revise audit program to assign auditors independent of audited areas, provide auditor training on independence requirements.
Annex A.8.8 - Technical Vulnerability Management
Nonconformity: Critical vulnerabilities identified in scans but not patched within defined timeframe.
Corrective action: Patch vulnerable systems immediately, implement automated patch deployment, establish vulnerability SLA monitoring.
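The A.8.8 example above ends with "establish vulnerability SLA monitoring". The following is an added example of what that monitoring check looks like in code; it is not from the original page or from ISMS Copilot. It generalizes the page's case (critical findings not patched in time) to a per-severity SLA, and everything in it that looks like data is constructed: the SLA windows in `SLA_DAYS`, the asset names, the placeholder finding ids and the dates. A real check would take these from the organization's vulnerability management procedure and scanner export.

```python
"""Remediation SLA check for Annex A.8.8 technical vulnerability management.

Added example, not from the original page or from any product it describes.
The SLA windows, assets, finding ids and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed SLA: maximum days allowed from detection to remediation, per severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str                    # placeholder ids, not real vulnerability identifiers
    severity: str
    detected: date
    remediated: Optional[date] = None  # None means still open


def days_over_sla(f: Finding, today: date) -> int:
    """Days by which the finding exceeds its SLA window (0 if within SLA).

    Open findings are measured against `today`; remediated ones against the
    date they were fixed, so a late patch is still recorded as a breach.
    """
    due = f.detected + timedelta(days=SLA_DAYS[f.severity])
    end = f.remediated if f.remediated is not None else today
    return max(0, (end - due).days)


def sla_breaches(findings: list[Finding], today: date) -> list[Finding]:
    """Findings that breached their SLA, most overdue first."""
    scored = [(days_over_sla(f, today), f) for f in findings]
    scored = [(d, f) for d, f in scored if d > 0]
    scored.sort(key=lambda pair: (-pair[0], pair[1].asset))
    return [f for _, f in scored]


def breach_counts(findings: list[Finding], today: date) -> dict[str, int]:
    """Per-severity breach counts: the evidence line for the nonconformity register."""
    counts: dict[str, int] = {}
    for f in sla_breaches(findings, today):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


SAMPLE_TODAY = date(2024, 2, 15)   # constructed reporting date
SAMPLE_FINDINGS = [                # constructed scan results
    Finding("web-01", "FINDING-PLACEHOLDER-1", "critical", date(2024, 1, 5)),
    Finding("db-02", "FINDING-PLACEHOLDER-2", "critical", date(2024, 1, 20), date(2024, 1, 30)),
    Finding("app-03", "FINDING-PLACEHOLDER-3", "high", date(2023, 12, 1), date(2024, 1, 15)),
    Finding("fs-04", "FINDING-PLACEHOLDER-4", "medium", date(2023, 10, 1)),
    Finding("lb-05", "FINDING-PLACEHOLDER-5", "low", date(2024, 1, 1)),
]

if __name__ == "__main__":
    for f in sla_breaches(SAMPLE_FINDINGS, SAMPLE_TODAY):
        print(f"{f.asset}: {f.severity} finding {days_over_sla(f, SAMPLE_TODAY)} days over SLA")
    print("breaches by severity:", breach_counts(SAMPLE_FINDINGS, SAMPLE_TODAY))
```

Measuring remediated findings against their fix date rather than dropping them is deliberate: a patch applied after the window closed is exactly the nonconformity the page describes, and it must stay visible as evidence even though the system is no longer exposed.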
Use ISMS Copilot to perform root cause analysis for nonconformities, generate corrective action plans, or create templates for nonconformity tracking registers.
Documentation Requirements
Clause 10.2 requires documented information as evidence of:
The nature of nonconformities and actions taken
Results of corrective actions
Your nonconformity register should include:
Nonconformity ID and date discovered
Source (internal audit, external audit, incident, monitoring)
Classification (major, minor, observation)
Detailed description and affected requirement
Root cause analysis findings
Corrective action plan with responsibilities and deadlines
Status tracking (open, in progress, closed)
Effectiveness review results
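The five-step response under Clause 10.2 and the register fields listed here describe one data structure and the rules that govern it. The following is an added example of a minimal register implementing those rules; it is not from the original page and is not ISMS Copilot's own code. The field names follow the register fields the page lists; the record ids, dates, owners and deadlines in `build_sample_register()` are constructed, modelled on the examples elsewhere on the page.

```python
"""Nonconformity register implementing the Clause 10.2 lifecycle.

Added example, not part of the original page and not ISMS Copilot's own code.
The fields are those the page lists for the register; the ids, dates, owners
and deadlines in build_sample_register() are constructed.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Classification(Enum):
    MAJOR = "major"
    MINOR = "minor"
    OBSERVATION = "observation"


class Status(Enum):
    OPEN = "open"
    IN_PROGRESS = "in progress"
    CLOSED = "closed"


@dataclass
class Nonconformity:
    nc_id: str
    date_discovered: date
    source: str                  # internal audit, external audit, incident, monitoring
    classification: Classification
    description: str
    affected_requirement: str    # e.g. "Clause 9.3" or "A.8.8"
    root_cause: Optional[str] = None
    corrective_action: Optional[str] = None
    responsible: Optional[str] = None
    deadline: Optional[date] = None
    effectiveness_review: Optional[str] = None
    status: Status = Status.OPEN


class Register:
    def __init__(self) -> None:
        self._items: dict[str, Nonconformity] = {}

    def add(self, nc: Nonconformity) -> None:
        if nc.nc_id in self._items:
            raise ValueError(f"duplicate nonconformity id {nc.nc_id}")
        self._items[nc.nc_id] = nc

    def plan_corrective_action(self, nc_id: str, root_cause: str, action: str,
                               responsible: str, deadline: date) -> None:
        """Steps 2-3: record the root cause and the corrective action plan."""
        nc = self._items[nc_id]
        nc.root_cause, nc.corrective_action = root_cause, action
        nc.responsible, nc.deadline = responsible, deadline
        nc.status = Status.IN_PROGRESS

    def closure_blockers(self, nc_id: str, review: Optional[str]) -> list[str]:
        """Step 4: what still prevents closure. Observations are not nonconformities,
        so they need no root cause; a major or minor one needs all three records."""
        nc = self._items[nc_id]
        if nc.classification is Classification.OBSERVATION:
            return []
        required = [("root cause", nc.root_cause), ("corrective action", nc.corrective_action),
                    ("effectiveness review", review)]
        return [f"{name} not recorded" for name, value in required if not value]

    def close(self, nc_id: str, review: Optional[str] = None) -> None:
        blockers = self.closure_blockers(nc_id, review)
        if blockers:
            raise ValueError(f"cannot close {nc_id}: " + "; ".join(blockers))
        self._items[nc_id].effectiveness_review = review
        self._items[nc_id].status = Status.CLOSED

    def overdue(self, today: date) -> list[str]:
        """Unclosed items whose corrective action deadline has passed."""
        return sorted(nc.nc_id for nc in self._items.values()
                      if nc.status is not Status.CLOSED
                      and nc.deadline is not None and nc.deadline < today)

    def open_majors(self) -> list[str]:
        """Unresolved majors: the findings that hold up certification."""
        return sorted(nc.nc_id for nc in self._items.values()
                      if nc.classification is Classification.MAJOR
                      and nc.status is not Status.CLOSED)


SAMPLE_TODAY = date(2024, 5, 15)   # constructed reporting date


def build_sample_register() -> Register:
    """Constructed records modelled on the examples given on the page."""
    reg = Register()
    reg.add(Nonconformity("NC-2024-001", date(2024, 3, 4), "internal audit", Classification.MINOR,
                          "Backup restoration not tested in 14 months", "Backup policy: quarterly restore test"))
    reg.add(Nonconformity("NC-2024-002", date(2024, 3, 18), "external audit", Classification.MAJOR,
                          "No documented evidence of management review in 12 months", "Clause 9.3"))
    reg.add(Nonconformity("NC-2024-003", date(2024, 3, 18), "external audit", Classification.OBSERVATION,
                          "Security awareness training content is outdated", "A.6.3"))
    reg.plan_corrective_action("NC-2024-001", "No automated reminder for quarterly restore tests",
                               "Schedule all periodic ISMS tasks with automated reminders",
                               "IT operations lead", date(2024, 4, 30))
    return reg
```

The one rule worth noticing is in `closure_blockers`: a record cannot move to closed on the strength of the immediate correction alone. Root cause, corrective action and the effectiveness review all have to be recorded first, which is what turns a register into the Clause 10.2 evidence an auditor asks for rather than a to-do list.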
Preventive Action in ISO 27001:2022
Unlike earlier versions, ISO 27001:2022 doesn't have a separate "preventive action" clause. Prevention is built into the standard through:
Risk assessment identifying potential issues before they occur
Continual improvement (Clause 10.1) proactively enhancing the ISMS
Corrective action addressing root causes to prevent recurrence
Related Terms
Internal Audit – Identifies nonconformities
Continual Improvement – Goes beyond fixing nonconformities to optimize ISMS
Management Review – Reviews nonconformity trends and corrective actions
ISMS – The system whose requirements a nonconformity shows are not being met