Once you start implementing ISO 9001, ISO 14001, ISO 27001, or any other ISO management standard, you very soon realize these two facts: (1) no matter how hard you try, there will always be some mistakes in your system; and (2) ISO standards require you to record those mistakes in a formal way – i.e., as nonconformities.

So, what exactly do ISO standards require for recording nonconformities, and why is this important?

What are nonconformities?

First of all, what does “nonconformity” stand for? The official definition by the International Organization for Standardization is quite simple – a nonconformity is the “non-fulfillment of a requirement.” For example, if you don’t have a Quality Policy, this is a nonconformity against ISO 9001 because the standard requires this document; if you don’t have any record of environmental aspects, this is a nonconformity against the ISO 14001 requirement; if you have a Backup Policy and you didn’t perform the backup as required by this policy, again, this is a nonconformity.

Why is it so important to record all these nonconformities? Well, that’s easy: because people tend to forget about their mistakes. Knowing this, the authors of ISO standards have developed this concept of recording every mistake (i.e., nonconformity) so that they won’t be forgotten and the company will force itself to correct the problem.

ISO requirements for nonconformities

So, what exactly do ISO standards require regarding nonconformities? (By the way, ISO 9001, ISO 14001, ISO 27001, and other ISO management standards have exactly the same requirements.) Here are the requirements, as listed in clause 10 of the previously mentioned ISO standards – organizations need to do the following:

  • Correct nonconformities, and decide what to do with their consequences.
  • Evaluate whether there is a need to eliminate the cause of the nonconformity (to prevent it from happening again).
  • Implement all needed actions.

There are also some requirements that are related to corrective actions that I have left out of this list – I will describe corrective actions in a separate article.

How does this look in a tool?

Using a tool for handling nonconformities is not mandatory; you can simply use a Word or Excel file for that purpose. However, there are some benefits if you’re using a tool, especially if it is an online tool that is available to all of your team members.

Recording nonconformities. Ideally, a tool records the following information: description, date, who identified it, to whom it is assigned, etc. A status field is not required but is very handy, because then you know exactly which nonconformities you have resolved and which you have not – for example, in Conformio we did it like this:


Deciding whether you need to raise a corrective action. This is a very important point for each nonconformity, because this is where it is decided if you want to stop the problem once and for all, and where you have to decide how important this problem actually is. Best practice is to link the nonconformity directly to a separate form for corrective action, like this:


Implementing corrections and other activities. As opposed to corrective actions, these corrections and activities are usually minor tasks that handle the consequences of the nonconformity – you should list those next to your nonconformity so that it is clear what needs to be done, by whom, and what the deadlines are:


Convenience of online tools

So, why would you choose online tools instead of Word or Excel (or even paper-based records)? Because first of all, you can clearly see all of your nonconformities and with one glance know exactly which problems are resolved and which are still pending.

Besides, if your colleagues have access to this same tool, then there can be no hiding – it will be clear to everyone what the problem is and what needs to be done, and this will speed up the resolution of the problem.

Further, if you use an online tool it won’t really matter who reported these nonconformities – e.g., an internal auditor, an employee, perhaps a third party, etc. What is important is that it will be very easy for (almost) everyone to report this nonconformity through the tool and thereby start the process of its resolution.

So, in effect, you can consider this kind of system of recording nonconformities as a kind of organizational To-Do list – everything that needs to be corrected is listed in a single place, together with responsibilities and deadlines.

Quite a useful concept, isn’t it? (It’s also very usable for other problems in a company, not only ISO-related…)
