Nonconformity
A failure to fulfill a requirement of a standard, policy, procedure, regulation, or contractual obligation. In the context of management systems like ISO 27001, nonconformities are categorized as major (systemic failure or significant gap) or minor (isolated or partial failure).
Nonconformity is a formal term used in management system auditing to describe any instance where an organization fails to meet a specified requirement. The requirement may come from the standard itself or from the organization's own documents: in ISO 27001, nonconformities can arise from failing to implement a clause of the standard, not following a documented procedure, not operating an Annex A control declared applicable in the Statement of Applicability, or a gap between what a policy says and what is actually practised. Nonconformities are typically classified as major (failures that affect the ability of the management system to achieve its intended outcomes, or systemic failures across multiple areas) or minor (isolated or limited failures that do not indicate a systemic issue). The classification is the auditor's judgement and must be supported by objective evidence; several minor nonconformities against the same requirement can together demonstrate a systemic failure and be raised as a single major.
The identification and handling of nonconformities are central to the Plan-Do-Check-Act cycle that drives management system improvement. During internal audits, auditors identify nonconformities by comparing observed practice and evidence against the requirements of the standard and the organization's own documented procedures. During external certification audits, auditors from the certification body identify nonconformities that may affect the certification decision. Major nonconformities must normally be resolved, with evidence of effective corrective action, before initial certification can be granted, and an unresolved major can trigger suspension of an existing certificate. Minor nonconformities require a corrective action plan within an agreed timeframe, with evidence of implementation usually verified at the next surveillance audit.
Beyond formal audits, nonconformities can be identified through other channels: security incident investigations, management reviews, customer complaints, regulatory inspections, or employee observations. ISO 27001 Clause 10 requires the organization to react to each nonconformity, evaluate whether a root cause needs to be eliminated so it does not recur, implement corrective action, review its effectiveness, and retain documented information about all of this. In practice this means maintaining a nonconformity log that records each identified nonconformity, its classification, the root cause analysis, the corrective action taken, and the verification of effectiveness (the evidence that the corrected process actually works, not merely a closure date). This log serves both as audit evidence and as input for trend analysis: patterns of nonconformities across several audit cycles may reveal systemic issues that require broader organizational change. SOC 2 uses the analogous concept of control exceptions and deficiencies (failures of control design or operating effectiveness), and the remediation expectations are similar.
Related terms
Corrective Action
A documented action taken to eliminate the root cause of a detected nonconformity or other undesirable situation, preventing its recurrence. Corrective actions go beyond simply fixing the immediate problem to address the underlying systemic issue.
External Audit
An independent assessment conducted by a third-party auditor or certification body to evaluate an organization's compliance with a specific standard or framework, such as ISO 27001 certification audits or SOC 2 examinations.
Internal Audit
A systematic, independent evaluation conducted by an organization's own personnel or contracted auditors to assess the effectiveness of its management system, controls, and processes against defined criteria such as ISO 27001 requirements or internal policies.
Management Review
A formal, periodic evaluation by top management of the organization's information security management system to ensure its continuing suitability, adequacy, effectiveness, and alignment with strategic direction. Required by ISO 27001 Clause 9.3.
Surveillance Audit
A periodic audit conducted by a certification body between initial certification and recertification to verify that an organization continues to maintain and improve its management system in conformity with the standard. Surveillance audits typically occur annually during the three-year certification cycle.