Major vs. minor nonconformities in the certification audit

If your company is considering going for the certification, it is always a good thing to know what to expect. Since nonconformities are one of the most important outcomes of the certification audit (and the most unpleasant), it is probably in your best interest to understand what they are all about.

The issues I’m going to mention here are not only valid for ISO 27001 and ISO 22301 certification, but also for certification against any other ISO management standard – e.g., ISO 9001, ISO 14001, ISO 20000, etc.

What is a nonconformity?

The definition of nonconformity is “non-fulfillment of a requirement” (ISO 9001:2005) – this basically means that a nonconformity is when you do not fulfill what is required by the standard, by your own documentation, or by a third party.

Here are a couple of examples of nonconformities:

  • If you don’t have records of corrective actions, and the standard requires you to have them
  • If your procedure requires you to use a specific form for reporting the results of your internal audit; however, you use some other form
  • If you didn’t produce certain reports for your customers, even though you were obliged to do so according to the contract you signed with them

Why are nonconformities important?

Nonconformities are used both in internal and in external (certification) audits – they are a “tool” by which the auditor will be able to judge up to which level your management system is compliant with a standard. (See also Five Main Steps in ISO 9001 Internal Audit.)

In other words, the more nonconformities, the less compliant you are – and vice versa. Nonconformities must be reported through an audit report, and this part of the report is usually the lengthiest.

When reporting the nonconformity, the auditor must include the following elements:

  • Describe the nonconformity – general description of what is wrong in a sentence or two
  • Provide the audit evidence – e.g., refer to a concrete document or record that is missing or is used improperly, to the activity that is not performed or is performed in a wrong fashion, etc.
  • Refer to the exact requirement – e.g., concrete number of the clause in the standard, procedure, or the contract
  • Summarize the requirement – usually, rephrase what the standard, the internal document, or the contract requires to be done

The differences between major and minor nonconformities

Major and minor nonconformities (as separate categories) are generally used only in certification audits (not so often in internal audits), and the main purpose is the following: if the auditor raises a major nonconformity, a company cannot get certified. Read this article to learn what to do in such a situation: How to get certified against ISO 27001?

So, what is considered to be a major nonconformity? This would be a nonconformity that has any of these characteristics:

Major vs. minor nonconformities in the certification audit - 27001Academy

  • If a company completely failed to fulfill a certain requirement – e.g., it didn’t perform management review at all, although this was required by the standard.
  • If your process has completely fallen apart – e.g., your procedure required you to perform backup once a day, whereas the backup was performed only a couple of times per month, randomly.
  • If you have several minor nonconformities that are related to the same process or to the same element of your management system – e.g., you have several minor nonconformities related to your Human resources department: some of the training records are missing, not all employees are trained as they should be, some of the employment records are missing, etc. – this becomes a major nonconformity because there is obviously something very wrong with this department.
  • If a certification mark is misused – e.g., you claim to your customers that your product is ISO certified (certification of ISO management standards covers only the processes and management systems, not the products themselves).
  • If a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.

Definition of minor nonconformity is easy: this is any nonconformity that is not major; for example, a minor nonconformity could be that the backup was performed every day except only one day of a particular month.

So, the point is – don’t get yourself in a position to get a major nonconformity. Make sure you implement the standard properly, and not only for the sake of certification – an experienced auditor will notice right away if your system is only a theoretical one, and you will easily get a couple of major nonconformities.

To keep track of and handle nonconformities, check out this Conformio compliance software.

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.