You received an audit report with a nonconformity, and now the pressure is real. Maybe your certification body called it a minor finding. Maybe it was marked major. Either way, the question is the same: what should you do next after an ISO audit nonconformity? The good news is that a nonconformity is not automatically a disaster. It means the auditor found a gap between your management system and the ISO standard, your own procedure, or your actual practice. What matters now is how quickly, calmly, and clearly you respond.
This guide explains what the finding means, how serious it is, what to send back to the auditor, and how to prepare corrective action evidence that has a realistic chance of being accepted.
Quick Answer
If you receive an ISO audit nonconformity, first read the exact wording of the finding, confirm which clause or internal procedure was not met, and identify whether it is major or minor. Then contain the immediate issue, investigate the root cause, create a corrective action plan, collect evidence, and complete an effectiveness check before asking the auditor to close it.
Most minor ISO audit findings can be handled through an accepted corrective action plan and evidence submission. A major nonconformity is more serious and may block initial certification, certificate renewal, or the lifting of a suspension until the certification body has verified that the problem has been corrected.
In This Guide
- What Does an ISO Audit Nonconformity Mean?
- What Is the Difference Between ISO Major Nonconformity and ISO Minor Nonconformity?
- ISO Audit Nonconformity: What to Do First After the Finding
- How Do You Write an ISO Corrective Action Plan?
- What Corrective Action Evidence Do Auditors Need to Close an ISO Nonconformity?
- What ISO Audit Finding Mistakes Should You Avoid?
- Can an ISO Documentation Toolkit Help Fix Audit Findings?
- Frequently Asked Questions
- Next Steps
What Does an ISO Audit Nonconformity Mean?
An ISO audit nonconformity means there is objective evidence that a requirement has not been met. The requirement could come from the ISO standard, your own documented procedure, a legal or regulatory obligation, a customer requirement, or the scope of your certified management system.
For example, an ISO 9001:2015 auditor may raise a finding because supplier evaluations were required by your purchasing procedure but were not performed. An ISO 27001:2022 auditor may raise a finding because access reviews were promised in your information security policy but there is no evidence they happened. An ISO 45001:2018 auditor may raise a finding because incident actions were recorded but never reviewed for effectiveness.
The key phrase is objective evidence. Auditors should not raise a nonconformity based on personal preference. They need to show what requirement was not met and what evidence proves the gap exists.
Can you still get certified with an ISO nonconformity?
Yes, you can sometimes still get certified with a minor ISO nonconformity, but it depends on the certification body’s process and the seriousness of the issue. A minor finding usually means the management system is broadly working, but one requirement has not been fully met.
A major ISO nonconformity is different. A major finding usually means there is a significant failure in the management system, repeated failure across several areas, or a gap that affects the system’s ability to achieve intended results. Certification bodies such as BSI, Bureau Veritas, DNV, SGS, LRQA, and Intertek typically require major findings to be corrected and verified before certification is granted or maintained.
Quick check: Do not respond to the audit report from memory. Open the exact ISO clause, your own procedure, and the auditor’s wording side by side. Many weak corrective actions fail because they answer the general topic, not the specific requirement that was missed.
What is an ISO audit finding compared with an observation?
An ISO audit finding is a formal result from the audit. It may be a nonconformity, opportunity for improvement, positive finding, or observation depending on the certification body’s terminology. A nonconformity requires corrective action. An observation usually does not require formal closure, but it may warn you about something that could become a nonconformity later.
Treat observations seriously, especially if the same theme appears in multiple audits. If an auditor repeatedly notes weak management review inputs, incomplete internal audit evidence, or late corrective actions, the next audit may not treat it as a friendly warning.
What Is the Difference Between ISO Major Nonconformity and ISO Minor Nonconformity?
The difference between an ISO major nonconformity and an ISO minor nonconformity is the scale, risk, and impact of the failure. Both need action. The difference is how urgent the issue is and whether it affects certification.
| Factor | ISO Minor Nonconformity | ISO Major Nonconformity |
|---|---|---|
| Typical meaning | A limited failure to meet one requirement | A serious, repeated, or system-level failure |
| Example | One training record missing from an otherwise controlled training process | No effective training competence process exists across the business |
| Certification impact | Certification may proceed if the corrective action plan is accepted | Certification may be delayed until correction is verified |
| Expected response | Correction, root cause, corrective action plan, and evidence | Immediate containment, full root cause analysis, stronger evidence, and often verification |
| Common closure window | Often 30 to 90 days, depending on the certification body | Often shorter for containment and stricter for verified closure |
| Repeat risk | Can become major if repeated or ignored | Can lead to certification refusal, suspension, or withdrawal |
How serious is an ISO major nonconformity?
An ISO major nonconformity is serious because it suggests the management system is not controlling a key requirement. This does not mean your organization is incompetent, but it does mean the certification body needs confidence that the issue is fixed before relying on the system.
Examples include no internal audit programme before certification, no management review, unresolved legal compliance gaps in ISO 14001:2015, no hazard evaluation process in ISO 45001:2018, or a missing risk treatment process in ISO 27001:2022. These are not small paperwork errors. They affect whether the management system can work.
Can a repeated ISO minor nonconformity become major?
Yes. A repeated minor nonconformity can become major if it shows that the previous corrective action did not work. This is why effectiveness checks matter. If the same issue appears in two audits, the auditor may reasonably conclude that the root cause was not understood or that management did not provide enough resources to fix it.
For example, if supplier evaluations are missing in one audit, that may be minor. If they are still missing at the next surveillance audit, the problem may no longer look isolated. It now looks like a process failure.
ISO Audit Nonconformity: What to Do First After the Finding
When you are deciding what to do after an ISO audit finding, slow down before writing the corrective action. A rushed response often says, “We will retrain staff,” without proving why the issue happened or how it will not return. That rarely satisfies an experienced auditor.
- Read the exact finding: Identify the clause, the evidence cited, the process affected, and whether the auditor classified it as major or minor.
- Confirm the requirement: Check the ISO standard, your own procedure, customer requirement, or legal obligation that the finding refers to.
- Contain the immediate issue: Fix the visible problem now. For example, complete the missing record, stop using an uncontrolled form, or restrict access that should not have been active.
- Assess the scale: Check whether this is one isolated case or a wider issue across departments, sites, customers, suppliers, systems, or records.
- Find the root cause: Ask why the issue happened and why your management system did not prevent or detect it earlier.
- Write the corrective action plan: Define actions, owners, due dates, evidence, and the method you will use to verify effectiveness.
- Collect corrective action evidence: Prepare updated documents, completed records, screenshots, training records, meeting minutes, audit results, or system logs.
- Check effectiveness: Confirm the action worked after enough time has passed to generate evidence. This may be 30, 60, or 90 days depending on the issue.
- Submit the response clearly: Send the auditor a structured response that maps each piece of evidence to the finding.
How long do you have to close an ISO corrective action?
The closure deadline is set by your certification body, not by the blog you are reading. However, many organizations see response windows around 30 days for a corrective action plan and 60 to 90 days for full implementation evidence. Major nonconformities often need faster containment and stronger verification before the certification decision can move forward.
Check the audit report first. It should state the deadline, required response format, and whether evidence must be submitted remotely or verified through a follow-up audit.
Pro tip: If the audit report gives you 30 days, do not wait until day 29 to ask for clarification. If the finding wording is unclear, ask the lead auditor to confirm the requirement, evidence, and expected closure route immediately.
What should you do if you disagree with an ISO audit finding?
If you disagree with an ISO audit finding, stay factual. Do not argue that the auditor was “too strict.” Instead, show the requirement, show your evidence, and explain why the requirement was met. If the auditor missed evidence during the audit, provide it in a clear, dated, traceable format.
Sometimes the auditor is right about the evidence gap even if the process exists in real life. ISO certification audits are evidence-based. If your team performed a review but did not keep records, the auditor may still have a valid finding because there is no documented information to prove it happened.
How Do You Write an ISO Corrective Action Plan?
An ISO corrective action plan should show more than a promise to fix the issue. It should show that you understood the finding, corrected the immediate problem, found the root cause, changed the process, and will verify that the action worked.
Clause 10.2 in most ISO management system standards requires organizations to react to nonconformities, evaluate the need for action, implement action, review effectiveness, update risks and opportunities where needed, and change the management system if necessary. The same logic applies across ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 27001:2022, and ISO 22301:2019, even though the exact operational evidence differs by standard and the clause number is not always 10.2 (ISO 22301:2019, for example, places nonconformity and corrective action in Clause 10.1). Quote the clause number from the edition you are certified against, not from memory.
What is root cause analysis for an ISO audit finding?
Root cause analysis is the process of identifying why the nonconformity happened and why the management system failed to prevent or detect it. The root cause is not “human error” unless you can explain why the person made the error and why the process allowed it.
Useful root cause methods include 5 Whys, fishbone analysis, process mapping, and review of previous audit findings. For a small organization, 5 Whys is often enough if it is done honestly.
For example:
- Finding: Three employee training records were missing.
- Weak root cause: The HR assistant forgot to upload them.
- Better root cause: The onboarding procedure did not assign responsibility for uploading training evidence, and there was no monthly check to confirm records were complete.
The better root cause leads to a process fix. The weak root cause leads to blame and retraining, which may not stop the problem from returning.
What is an effectiveness check in ISO corrective action?
An effectiveness check confirms that the corrective action actually solved the problem. It is not the same as completing the action. Updating a procedure is an action. Checking whether the updated procedure is being followed is the effectiveness check.
Examples of effectiveness checks include sampling 10 records after 60 days, reviewing the next internal audit results, checking system access logs for two consecutive months, confirming that management review minutes include corrective action trends, or verifying that new supplier evaluations are completed before purchase approval.
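The "two consecutive months of access review records" check above can be scripted rather than done by eye, which also makes it repeatable for the internal auditor who has to verify it. The block below is an added example, not code from this guide or from any certification body. It assumes a revised procedure that requires every in-scope privileged account to be reviewed each month, review records exported as dicts with the fields shown, and a constructed finding reference, correction date, account list, and set of sample records. It applies the same evidence criteria the guide uses throughout: each record must be dated after the correction took effect, attributable to a reviewer, carry a recorded decision, and be linked to the finding it is meant to close; anything that fails those tests does not count toward coverage.

```python
"""Added example: scripted effectiveness check for an access-review corrective action.

Not code from the guide or from any certification body. Assumes the revised
procedure requires every in-scope privileged account to be reviewed monthly and
that review records are exported as dicts with the fields below. The finding
reference, dates, accounts and reviewer names are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

FINDING_REF = "NC-2024-07"           # hypothetical nonconformity reference
CORRECTION_DATE = date(2024, 7, 31)  # date the revised procedure went live (constructed)
VALID_DECISIONS = {"retain", "revoke"}

# Accounts the revised procedure says must be reviewed every month (constructed).
IN_SCOPE_ACCOUNTS = {"svc-backup", "svc-ci", "admin-jsmith", "admin-apatel"}

# Constructed sample of the review records kept after the change.
REVIEW_RECORDS = [
    {"account": "svc-backup",   "reviewed_on": date(2024, 8, 12), "reviewer": "it.manager", "decision": "retain", "finding_ref": "NC-2024-07"},
    {"account": "svc-ci",       "reviewed_on": date(2024, 8, 12), "reviewer": "it.manager", "decision": "retain", "finding_ref": "NC-2024-07"},
    {"account": "admin-jsmith", "reviewed_on": date(2024, 8, 13), "reviewer": "it.manager", "decision": "retain", "finding_ref": "NC-2024-07"},
    {"account": "admin-apatel", "reviewed_on": date(2024, 8, 13), "reviewer": "it.manager", "decision": "retain", "finding_ref": "NC-2024-07"},
    {"account": "svc-backup",   "reviewed_on": date(2024, 9, 10), "reviewer": "it.manager", "decision": "retain", "finding_ref": "NC-2024-07"},
    {"account": "admin-jsmith", "reviewed_on": date(2024, 9, 10), "reviewer": "it.manager", "decision": "retain", "finding_ref": "NC-2024-07"},
    # Review happened, but it was filed against an older finding, so it is not traceable to this one.
    {"account": "admin-apatel", "reviewed_on": date(2024, 9, 11), "reviewer": "it.manager", "decision": "retain", "finding_ref": "NC-2024-02"},
    # svc-ci has no September record at all.
]


def validate_record(rec: dict) -> str | None:
    """Return why a record is not acceptable evidence, or None if it is.

    The checks mirror what an auditor looks for: complete, dated after the
    correction, made by an identifiable reviewer, with a recorded decision,
    and linked to the finding it is meant to close.
    """
    required = ("account", "reviewed_on", "reviewer", "decision", "finding_ref")
    absent = [f for f in required if not rec.get(f)]
    if absent:
        return f"{rec.get('account', '?')}: missing field(s) {absent}"
    if rec["finding_ref"] != FINDING_REF:
        return f"{rec['account']}: filed against {rec['finding_ref']}, not {FINDING_REF}"
    if rec["reviewed_on"] <= CORRECTION_DATE:
        return f"{rec['account']}: dated {rec['reviewed_on']}, before the correction took effect"
    if rec["decision"] not in VALID_DECISIONS:
        return f"{rec['account']}: decision {rec['decision']!r} is not one of {sorted(VALID_DECISIONS)}"
    return None


def month_key(d: date) -> str:
    return f"{d.year:04d}-{d.month:02d}"


@dataclass
class MonthResult:
    month: str
    reviewed: set[str] = field(default_factory=set)    # in-scope accounts with valid evidence
    missing: set[str] = field(default_factory=set)     # in-scope accounts with no valid evidence
    rejected: list[str] = field(default_factory=list)  # records that do not count, with reasons

    @property
    def complete(self) -> bool:
        return not self.missing and not self.rejected


def check_month(records: list[dict], month: str) -> MonthResult:
    """Sample one month: every in-scope account needs one valid review record."""
    result = MonthResult(month)
    for rec in records:
        when = rec.get("reviewed_on")
        if not isinstance(when, date) or month_key(when) != month:
            continue  # undated records are reported by effectiveness_check()
        if rec.get("account") not in IN_SCOPE_ACCOUNTS:
            continue  # reviews of out-of-scope accounts are not evidence for this finding
        reason = validate_record(rec)
        if reason:
            result.rejected.append(reason)
        else:
            result.reviewed.add(rec["account"])
    result.missing = IN_SCOPE_ACCOUNTS - result.reviewed
    return result


def effectiveness_check(records: list[dict], months: list[str]) -> dict:
    """Check consecutive months; the action counts as effective only if every month is complete."""
    undated = [validate_record(r) for r in records if not isinstance(r.get("reviewed_on"), date)]
    results = [check_month(records, m) for m in months]
    return {
        "months": results,
        "undated": undated,
        "effective": all(r.complete for r in results) and not undated,
    }


if __name__ == "__main__":
    outcome = effectiveness_check(REVIEW_RECORDS, ["2024-08", "2024-09"])
    for m in outcome["months"]:
        status = "complete" if m.complete else "INCOMPLETE"
        print(f"{m.month}: {status}; missing={sorted(m.missing)}; rejected={m.rejected}")
    print("Corrective action effective:", outcome["effective"])
```

With the constructed data, August is complete and September is not: svc-ci was never reviewed, and the admin-apatel review does not count because it is filed against a different finding. That is exactly the outcome you want to discover yourself before the surveillance audit, and the printed report (accounts missing, records rejected and why) is the kind of dated, traceable evidence that can go straight into the corrective action form.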
If you need audit-ready forms to structure this work, UCS Toolkit’s Internal Audit Templates collection can help you document findings, evidence, audit trails, and follow-up actions in a consistent format.
Should ISO corrective actions be reviewed in management review?
Yes. Corrective actions should be reviewed in management review when they affect management system performance, risks, objectives, resources, audit results, customer satisfaction, environmental performance, health and safety performance, information security, business continuity, or laboratory competence.
Clause 9.3 management review is where top management checks whether the system is still suitable, adequate, and effective. Open findings, overdue corrective actions, repeated issues, and major nonconformities are exactly the kind of information leadership should see.
What Corrective Action Evidence Do Auditors Need to Close an ISO Nonconformity?
Corrective action evidence must prove three things: the immediate problem was corrected, the root cause was addressed, and the action was effective. A single updated procedure is rarely enough unless the finding was purely document-related.
Auditors want evidence that is dated, traceable, relevant, and linked to the finding. They should be able to follow the story from finding to root cause to action to verification without guessing.
What documents help close an ISO audit nonconformity?
The documents that help close an ISO audit nonconformity depend on the standard and the finding, but common examples include:
- Corrective action form or nonconformity report
- Root cause analysis record
- Updated policy, procedure, work instruction, or form
- Training attendance record and competence evaluation
- Internal audit report or follow-up audit checklist
- Management review minutes showing review of the issue
- Risk assessment, risk register, or risk treatment update
- Supplier evaluation, inspection record, test record, incident report, access review, or continuity exercise evidence
For ISO 9001:2015, corrective action evidence may include updated quality procedures, supplier performance reviews, calibration records, customer complaint analysis, or production inspection records. For ISO 27001:2022, evidence may include risk treatment updates, access review logs, incident records, awareness training, and Annex A control evidence. For ISO 15189:2022, evidence may relate to laboratory competence, examination processes, equipment, quality control, and handling of nonconforming work.
What corrective action evidence is weak or likely to be rejected?
Weak evidence is vague, undated, unrelated to the finding, or impossible to verify. Auditors often reject responses that say “staff were reminded,” “procedure updated,” or “issue fixed” without proof.
Better evidence includes the revised procedure with version control, a training record showing who was trained and when, a sample of completed records after the change, screenshots from the system, internal audit verification, and management review discussion where appropriate.
Quick check: Before you submit evidence, ask: “Could a person outside our company understand what changed, who did it, when it happened, and how we know it worked?” If not, the evidence package is probably too thin.
What happens if the same ISO nonconformity happens again?
If the same ISO nonconformity happens again, the auditor will usually look harder at root cause, leadership involvement, and effectiveness checks. A repeated issue suggests your previous corrective action treated the symptom, not the system weakness.
The response should not simply repeat the old corrective action. Review the previous action, identify why it failed, update the root cause analysis, and involve process owners or top management if resources, accountability, workload, system design, or competence contributed to the repeat issue.
For organizations still building their management system, it can help to understand how documentation packages fit into the wider certification process. This guide on how ISO toolkits work explains how policies, procedures, forms, and records connect across an ISO project.
What ISO Audit Finding Mistakes Should You Avoid?
Most failed corrective action responses are not rejected because the company did nothing. They are rejected because the response does not prove that the issue was understood and controlled.
What are the most common ISO corrective action mistakes?
The most common ISO corrective action mistakes are:
- Treating correction as corrective action: Replacing a missing record fixes the immediate issue, but it does not explain why records were missing.
- Blaming people instead of fixing the process: “Employee forgot” is rarely a strong root cause on its own.
- Submitting only revised documents: Updated procedures need implementation evidence.
- Ignoring the wider sample: If one file is wrong, check whether other files have the same issue.
- Missing the effectiveness check: Auditors need confidence that the action worked after implementation.
- Leaving management review out: Significant or repeated findings should be reviewed by leadership.
- Using generic templates without customization: Templates help, but they must match your actual scope, processes, and evidence.
Why is “we retrained the employee” not enough for ISO corrective action?
Retraining may be part of the action, but it is rarely enough by itself. If the procedure was unclear, the workload was unrealistic, the form was hard to find, or no one checked the output, retraining one person will not fix the system.
A stronger response might include updated responsibility in the procedure, a mandatory field in the software, a monthly record review, training for all process owners, and a follow-up audit sample after 60 days. That shows process control, not just a reminder.
How do you avoid turning an ISO minor nonconformity into a major issue?
Close it properly the first time. Do not submit weak evidence, miss the deadline, or repeat the same issue at the next audit. If the finding affects several departments or sites, treat it as a system issue even if the auditor classified it as minor.
If your management system documents are incomplete or inconsistent, the broader ISO toolkit guide can help you understand which policies, procedures, and records should support certification instead of trying to patch each finding separately.
Pro tip: When a finding touches more than one clause, map the response to each clause. For example, a missing training record may involve Clause 7.2 competence, Clause 7.5 documented information, Clause 9.2 internal audit if it was not detected, and Clause 10.2 corrective action.
Can an ISO Documentation Toolkit Help Fix Audit Findings?
An ISO documentation toolkit can help fix audit findings when the nonconformity is linked to missing, weak, outdated, or inconsistent documented information. It will not magically close a finding by itself. You still need to customize the documents, implement the process, train the relevant people, and collect evidence.
The practical value of a toolkit is speed and structure. Instead of writing a corrective action form, internal audit procedure, management review template, risk register, policy, and process forms from scratch, you start with a professional framework and adapt it to your organization.
Can templates help prepare corrective action evidence?
Yes, templates can help prepare corrective action evidence if they are used correctly. A good template gives you the fields auditors expect: finding reference, clause, correction, root cause, corrective action, owner, due date, evidence, verification method, and effectiveness result.
Templates are especially useful for SMEs where the same person may be handling quality, compliance, operations, HR, and customer requirements. The risk is using a template as a blank formality. Auditors can tell when a document exists but the process behind it does not.
Which ISO standards need corrective action evidence?
Corrective action evidence is relevant across all major management system standards. ISO 9001:2015 uses it for quality issues, customer complaints, supplier problems, and process failures. ISO 14001:2015 uses it for environmental incidents, compliance obligations, operational controls, and monitoring gaps. ISO 45001:2018 uses it for incidents, hazards, consultation issues, and safety controls.
ISO 27001:2022 uses corrective action evidence for information security weaknesses, internal audit findings, control failures, incidents, and risk treatment issues. ISO 22301:2019 uses it for business continuity exercises, disruption response lessons, and BCMS failures. ISO 15189:2022 uses it for laboratory quality, competence, examination processes, and nonconforming work.
Can small businesses close ISO audit findings without a consultant?
Many small businesses can close ISO audit findings without a consultant if the issue is limited, the team understands the requirement, and the evidence is straightforward. A consultant may be worth considering for a major nonconformity, repeated failure, legal compliance concern, complex information security issue, or multi-site management system.
For smaller teams, this guide on how an ISO documentation toolkit helps small businesses explains why ready-made documents can reduce the workload without replacing ownership of the management system.
Frequently Asked Questions
What should I do if I get an ISO audit nonconformity?
If you get an ISO audit nonconformity, read the exact finding, confirm the clause or procedure involved, contain the immediate issue, and investigate the root cause. Then write a corrective action plan with owners, due dates, evidence, and an effectiveness check. Do not submit a vague promise to fix the problem. Auditors need proof that the issue was corrected and that the management system was improved to stop it returning.
Can I pass ISO 9001 certification with a minor nonconformity?
You may still pass ISO 9001:2015 certification with a minor nonconformity if the certification body accepts your corrective action plan and the issue does not show a serious system failure. The auditor will expect a clear response that includes correction, root cause analysis, corrective action, responsibility, deadline, and evidence. A minor finding should not be ignored because repeated minor issues can become major at a later audit.
What happens if I get a major ISO nonconformity?
If you get a major ISO nonconformity, certification may be delayed, suspended, or withheld until the certification body verifies that the issue has been corrected. You should act quickly to contain the problem, assess whether it affects other areas, perform root cause analysis, and provide strong corrective action evidence. Major findings usually require more than a document update; they need proof that the management system is now working.
How do I write a corrective action for an ISO audit finding?
To write a corrective action for an ISO audit finding, start by restating the finding and requirement. Record the immediate correction, the root cause, the planned corrective action, the owner, the target date, the evidence to be created, and the effectiveness check method. A strong corrective action explains how the process will change, not just how the missing document or record will be replaced.
What evidence is needed to close an ISO nonconformity?
Evidence needed to close an ISO nonconformity may include a corrective action form, root cause analysis, revised procedure, completed records, training evidence, system screenshots, internal audit results, management review minutes, risk register updates, or process performance data. The best evidence is dated, traceable, and directly linked to the finding. Auditors need to see that the problem was corrected and that the corrective action was effective.
How long do I have to respond to an ISO audit finding?
The deadline to respond to an ISO audit finding is set by the certification body and should be stated in the audit report. Many organizations are asked to submit a corrective action plan within about 30 days and provide implementation evidence within 60 to 90 days, but this varies. Major nonconformities may require faster containment and formal verification before certification, renewal, or suspension removal can proceed.
Can an ISO documentation toolkit help with corrective actions?
An ISO documentation toolkit can help with corrective actions by giving you ready-made forms, procedures, registers, and review templates that structure the response. It is especially useful when the finding relates to missing documented information, weak internal audit records, poor management review evidence, or inconsistent procedures. The toolkit still needs to be customized and implemented; auditors will not close a finding based on templates alone.
Next Steps
Your response to an ISO audit nonconformity should be calm, structured, and evidence-led. Start with the exact finding, confirm the requirement, contain the issue, identify the root cause, write the corrective action, and prove effectiveness. Minor findings are manageable when handled properly. Major findings need faster escalation, stronger evidence, and leadership attention.
If your audit finding exposed missing procedures, weak records, or inconsistent documented information, browse UCS Toolkit’s ISO documentation toolkits for ready-made templates covering ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 27001:2022, ISO 22301:2019, ISO 15189:2022, and other core standards.