Are ISO Nonconformities a Bad Thing?

If your organisation is certified to an ISO Standard, or you are thinking about achieving ISO Certification, then the threat of ‘nonconformities’ is probably playing on your mind.  

Nonconformities can represent weaknesses or deficiencies within your management system, so it’s understandable that no-one wants to receive one.

But remember that auditing is a sampling process and that your management system is made up of many moving parts, be it people, processes, customers, suppliers.

There are plenty of things outside of your control that can cause an ‘nonconformance’ to occur, but what’s important is how you deal with them.


What Are Nonconformities?

Much like the levels of our Internal Audit Findings, nonconformities can be raised by UKAS Accredited Certification at two levels of severity:

Minor Nonconformances

It’s not unusual for minor nonconformities to occur from time-to-time. This represents a small lapse or inaccuracy in your management system.

Often these are outside your control, and whether they are raised at all may depend on the style of auditor you are working with.

Examples of minor nonconformances might include:

  • One contract from a sample not being dated correctly,
  • One starter from a sample having no record of induction training,

The critical element of a minor nonconformance is that ‘compliance’ can be demonstrated. If there is evidence that a process is in place but there is a minor breakdown, that would usually just be raised as a minor noncompliance.

Major Nonconformances

As the name suggests, a major nonconformity occurs where there has been a larger issue that brings into question the integrity of the process, or the management system as a whole.

If the auditor can evidence a breakdown in the management system they will raise a major nonconformance, which will often require an additional audit visit to close out.

If you have worked with an ISO Consultant, like Assent, it is unlikely that a major nonconformance will occur. You will have implemented all the basic elements of a management system and the requirements of your chosen standard(s).


How Many Nonconformities is too many?

We are often asked if the external ISO Certification audit is like a driving test, and while it is not a perfect analogy, there are some similarities. 

Just like in your driving test, if a number of minor nonconformities are raised in the same area of the management system, this would indicate to the auditor that there is a breakdown in the system, and they may escalate to a single major nonconformance.

However, if the nonconformities are raised across different clauses or controls in the standard, then the likelihood is these are all good opportunities to improve and therefore not necessarily a bad thing. 


Is NOW the right time for an ISO Certification Audit?

If you are overly worried about nonconformities arising in your management system, then now might not be the right time to move to the ISO certification phase.

Internal audits are a requirement of management system standards (Annex SL Clause 9.2).

But a good programme of internal audits does more than just ‘tick a box’. It’s a great ‘dress rehearsal’ for the certification audits and it will identify potential weaknesses.

While internal audits can be completed by in-house auditors, many organisations outsource these to ISO Consultants, like Assent, to avoid the conflict of interest around auditing your own work.

It’s normal to feel anxious ahead of an external audit.  Our training team have developed a FREE online course that might help: Managing Audit Stress.


Corrective Action: Turning a Negative into a Positive

When a nonconformance arises, and over the years one inevitably will, the important thing is how you handle it.

All nonconformities should be seen as an opportunity to improve the management system, so our first advice is – don’t attribute ‘blame’.  

Things do go wrong sometimes and to make sure it doesn’t happen again you’ll need to understand the root cause of the problem. That will mean having open and honest discussions with people.  

Once you’ve corrected the consequences of the nonconformance and understood the root cause, you can start to plan a corrective action to ensure it does not reoccur.

That might mean changing a process or policy but remember that where you do make changes to the management system, all those affected will need to be informed and may need additional training.


Monitoring the Effectiveness of your Corrective Action

Hopefully your corrective action(s) above have fixed your weakness, but how do you know?

Management system standards require a ‘review of the effectiveness’ of the corrective action.  This should be documented (often within a log) and will demonstrate not only that the nonconformity has been resolved, but that the corrective action hasn’t affected other areas of the management system.

Internal auditing can also help to verify this.



In a perfect world management systems would run forever and operate 100% effectively. But with so many different factors involved in your organisation and management system, a nonconformance could occur in any area, at any time. 

Remember auditing involves sampling, which could mean that a system with NO nonconformities just has a smaller sample taken, or a system with many nonconformities had a larger sample.


If you need help managing nonconformities or preparing for an external audit Assent can help.  Contact Us.

You might also be interested in these blogs: 

Robert Clements
Robert Clements
Articles: 290