Nonconformity Management (Clause 10.2)
Clause 10.2 is your ISMS's immune system—detecting problems, investigating causes, and preventing recurrence.
What is a Nonconformity?
A nonconformity occurs when your ISMS:
- Fails to meet ISO 27001 requirements
- Doesn't follow its own documented procedures
- Fails to achieve objectives
- Experiences control failures
Types of Nonconformities
Major Nonconformity
- Absence of a required process or control
- Complete failure of a process
- Systemic breakdown
- Could result in certificate suspension
Minor Nonconformity
- Isolated lapse in following procedures
- Incomplete implementation
- Limited scope of impact
- Must be corrected but less severe
Observation/Opportunity for Improvement
- Not technically nonconforming
- Could lead to issues if left unaddressed
- Good practice suggestions
Clause 10.2 Requirements
When a nonconformity occurs, you must:
10.2.1 React
- Take immediate action to control and correct
- Deal with the consequences
- Contain the issue
10.2.2 Evaluate the Need for Action
- Review the nonconformity
- Determine root causes
- Assess whether similar nonconformities exist elsewhere
- Decide if action is needed
10.2.3 Implement Action
- Implement any necessary corrective action
- Review effectiveness of controls
- Update the ISMS if needed
10.2.4 Review Effectiveness
- Ensure corrective action works
- Verify the issue doesn't recur
- Document results
10.2.5 Update Risks
- Revise risk assessment if needed
- Update controls as necessary
- Learn and adapt
10.2.6 Document Everything
- Nature of nonconformities
- Actions taken
- Results of corrective action
- Evidence of effectiveness
Sources of Nonconformities
| Source | Examples |
|---|---|
| Internal Audits | Process gaps, documentation issues |
| External Audits | Certification findings |
| Incidents | Security breaches, data loss |
| Monitoring | KPI failures, control weaknesses |
| Complaints | Customer or staff issues |
| Management Review | Strategic gaps identified |
Nonconformity Workflow
- Detection - Issue identified
- Documentation - Record in nonconformity register
- Containment - Immediate actions to limit impact
- Investigation - Determine root cause
- Corrective Action - Implement solution
- Verification - Confirm effectiveness
- Closure - Document and close
Key Principles
Blame-Free Culture
- Focus on process, not people
- Encourage reporting
- Learn from mistakes
- No punishment for honest errors
Systematic Approach
- Standard process for all nonconformities
- Consistent investigation methods
- Trackable from detection to closure
Prevention Focus
- Don't just fix symptoms
- Address root causes
- Update processes to prevent recurrence
Common Mistakes
- Treating symptoms - Not addressing root causes
- Delayed response - Letting issues persist
- Poor documentation - Can't prove corrective action
- Skipping verification - Not checking whether fixes work
- Ignoring patterns - Missing systemic issues
Next Lesson: Create your Corrective Action Procedure to manage nonconformities systematically.