
ISO 27001 Clause 10.2: Nonconformity and corrective action

A practical guide to ISO 27001 Clause 10.2 — what nonconformities are, how to classify findings, write corrective actions, and close them with evidence auditors will accept.

Article · Global · Governance & Compliance · ISO 27001
If you're building or running an ISMS, problems will surface. Clause 10.2 is not the clause that prevents that — it's the clause that determines whether your organisation learns from it or repeats it.
Key Takeaways
  1. A nonconformity is any gap between what the standard (or your own procedures) requires and what actually happened.
  2. Correction stops the immediate damage. Corrective action prevents it from happening again. Both are required; neither replaces the other.
  3. Root cause analysis is the hinge. Without it, you are managing symptoms, not problems.
  4. Two records are mandatory: the nature of the nonconformity (and the actions taken) and the results of the corrective action.

What is ISO 27001 Clause 10.2?

Clause 10.2 requires organisations to respond to nonconformities in a structured, documented way — identifying what went wrong, why it went wrong, fixing it, and proving it won't happen again. It sits inside Clause 10 (Improvement), which means its purpose is not just remediation. It is the mechanism through which your ISMS gets stronger over time.

An empty nonconformity log does not mean your ISMS is working. It means nothing is being recorded. Auditors know this, and it is one of the first things they check.

Nonconformity — What It Actually Means

A nonconformity occurs when a requirement is not met. That requirement can come from two places:

  • The standard itself — a clause of ISO 27001 that your ISMS fails to satisfy
  • Your own documented procedures — a process you defined that wasn't followed

Both count. If your access review procedure requires quarterly reviews and they ran eight months late, that is a nonconformity — even if the standard doesn't specify a frequency. You set the bar; you missed it.

The corrective action (CAPA) process is triggered by nonconformities, observations, and opportunities for improvement identified through:

  • Internal or external audits
  • KPI measurement
  • Management review
  • Other monitoring and review activities

Audit finding classifications, from most to least serious:

  • Major — a significant failure or complete absence of a requirement. The ISMS cannot be considered effective in this area. Certification bodies typically require closure, with evidence, within about 3 months, and certification is at risk if the finding is left unresolved.
  • Minor — an isolated lapse or partial gap. The process exists but slipped or has a small weakness. A corrective action plan must be accepted by the auditor, and closure is typically verified at the next surveillance audit, within 12 months. Exact timescales vary by certification body, so check the terms of your own certificate.
  • Observation — not a failure, but a weakness or risk that could become a nonconformity if left unaddressed. No immediate action required but worth monitoring and logging.
  • Opportunity for Improvement (OFI) — a suggestion for doing something better, even where current practice meets the requirement. No corrective action needed; feeds into continual improvement.
  • Conformity — the requirement is met and evidence supports it.

Correction vs. Corrective Action — The Distinction That Matters

This is the most commonly confused point in Clause 10.2, and getting it wrong is one of the main reasons auditors push back on CAPA entries.

Correction is the action taken to eliminate the detected nonconformity itself: the overdue review gets run, the missing assessment gets completed, the misconfigured control gets fixed. Corrective action is the action taken to eliminate the cause of the nonconformity so that it does not recur: the procedure is changed, an owner is assigned, the control is redesigned. Correction is immediate and local; corrective action is what Clause 10.2 actually exists to produce.

A correction without a corrective action tells an auditor you dealt with the symptom but left the cause intact. They will raise it again at the next audit — because the same problem will resurface.

Root Cause Analysis — The Hinge of the Whole Process

Before you can write a corrective action, you need to know why the nonconformity happened. Not the surface reason — the underlying cause.

The simplest tool: 5 Whys. Ask why repeatedly until you reach something actionable.

Example:

Finding: Supplier security assessments were not completed before onboarding three new vendors.

Why? → The procurement team didn't complete them.
Why? → They weren't aware it was required before onboarding.
Why? → The supplier assessment procedure wasn't included in procurement onboarding.

Root cause: Process ownership gap — procurement not included in ISMS procedure communication.

That root cause gives you something real to fix. "Remind procurement to do assessments" is a correction. "Add supplier assessment requirements to procurement onboarding and assign a named owner" is a corrective action.

What the Standard Requires You to Do

When a nonconformity occurs, the process is:

  1. React — control and correct it; deal with any immediate consequences
  2. Investigate — determine the root cause; check whether similar nonconformities exist or could occur elsewhere
  3. Act — implement the corrective action needed
  4. Review — verify that the corrective action was effective
  5. Update — make changes to the ISMS if required; feed findings into management review

Corrective actions must be proportionate to the nonconformity. A minor procedural lapse does not require a full ISMS overhaul. A systemic control failure might.

Mandatory Documented Information

Two records are explicitly required:

  • The nature of the nonconformity and any actions taken
  • The results of the corrective action — evidence that it worked

In practice this means maintaining a Nonconformity and Corrective Action Log — a central register that tracks every finding from detection through to verified closure. An auditor will ask to see it. If it is empty, sparse, or full of entries marked closed with no evidence, expect findings.

What a complete CAPA entry contains:

  • Description of the nonconformity and its severity
  • Root cause (output of RCA — not the symptom)
  • Correction taken and date completed
  • Corrective action, named owner, and due date
  • Status: Open / In Progress / Closed
  • Closure evidence — what proves it is done and effective

What Auditors Actually Look For

Three things consistently get raised during audits:

Shallow root cause. "Human error" is not a root cause. It is a symptom. Push further — what process, training, ownership, or system gap allowed human error to occur?

No closure evidence. Marking a CAPA closed without evidence is the same as not closing it. Evidence means something verifiable: an updated procedure, a training record, a screenshot of a completed review, a re-test result.

Stale entries. Corrective actions sitting open with no activity signal that the ISMS is not being actively managed. Every open entry should have a current owner and a realistic due date.
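The CAPA entry fields listed above and the three auditor complaints (shallow root cause, no closure evidence, stale entries) are mechanical enough to check automatically before an audit. The script below is an added example, not code from the original article: it models a register entry with the fields the article lists and flags the problems an auditor would raise. The register entries are constructed for illustration, and the 90-day window for Major findings and the 30-day staleness threshold are assumptions taken from the "typically 3 months" guidance and from common practice; set them to whatever your certification body actually requires.

```python
"""Consistency checks for a nonconformity and corrective action (CAPA) register.

Constructed example. The rules encode the article's expectations: a named owner,
a real root cause, closure evidence for anything marked Closed, no stale entries.
MAJOR_CLOSURE_WINDOW and STALE_AFTER are assumptions, not requirements of ISO 27001.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

VALID_SEVERITIES = {"Major", "Minor", "Observation", "OFI"}
VALID_STATUSES = {"Open", "In Progress", "Closed"}
# Phrases an auditor will reject as a root cause: they name the symptom, not the cause.
SHALLOW_ROOT_CAUSES = {"", "human error", "oversight", "staff forgot", "mistake", "n/a", "unknown"}
MAJOR_CLOSURE_WINDOW = timedelta(days=90)   # assumption: "typically within 3 months"
STALE_AFTER = timedelta(days=30)            # assumption: no update for 30 days = stale


@dataclass
class CapaEntry:
    ref: str
    description: str
    severity: str
    root_cause: str
    correction: str
    corrective_action: str
    owner: str
    raised: date
    due: date
    last_updated: date
    status: str
    closure_evidence: list[str] = field(default_factory=list)


def check_entry(e: CapaEntry, today: date) -> list[str]:
    """Return the problems an auditor would raise for one entry (empty list = clean)."""
    issues: list[str] = []
    if e.severity not in VALID_SEVERITIES:
        issues.append(f"unknown severity {e.severity!r}")
    if e.status not in VALID_STATUSES:
        issues.append(f"unknown status {e.status!r}")

    # Only Major and Minor findings are nonconformities that need the full CAPA treatment.
    if e.severity in {"Major", "Minor"}:
        if e.root_cause.strip().lower() in SHALLOW_ROOT_CAUSES:
            issues.append("shallow root cause")
        if not e.corrective_action.strip():
            issues.append("no corrective action (correction only)")
        if not e.owner.strip():
            issues.append("no named owner")
        if e.severity == "Major" and e.due - e.raised > MAJOR_CLOSURE_WINDOW:
            issues.append("Major due date exceeds the 90-day window")

    if e.status == "Closed":
        if not e.closure_evidence:
            issues.append("closed without closure evidence")
    else:
        if e.due < today:
            issues.append(f"overdue by {(today - e.due).days} days")
        if today - e.last_updated > STALE_AFTER:
            issues.append(f"stale: no update for {(today - e.last_updated).days} days")
    return issues


def audit_register(entries: list[CapaEntry], today: date) -> dict[str, list[str]]:
    """Map each entry ref to its issues; entries that pass cleanly are omitted."""
    return {e.ref: check_entry(e, today) for e in entries if check_entry(e, today)}


# Constructed sample register: one clean entry, one that fails almost every check,
# one closed without evidence, one overdue, and one OFI that needs no corrective action.
TODAY = date(2025, 6, 30)
SAMPLE_REGISTER = [
    CapaEntry("NC-001", "Supplier assessments not completed for three new vendors", "Minor",
              "Procurement not included in ISMS procedure communication",
              "Assessments completed retrospectively for the three vendors",
              "Add supplier assessment step to procurement onboarding", "Head of Procurement",
              date(2025, 3, 3), date(2025, 9, 30), date(2025, 6, 20), "In Progress"),
    CapaEntry("NC-002", "Quarterly access reviews ran eight months late", "Major",
              "human error", "Review completed", "", "",
              date(2025, 2, 10), date(2025, 8, 31), date(2025, 2, 12), "Open"),
    CapaEntry("NC-003", "Backup restore test not performed", "Minor",
              "Restore test not scheduled in the operations calendar", "Restore test run",
              "Add quarterly restore test to ops calendar with named owner", "Infrastructure Lead",
              date(2025, 1, 15), date(2025, 4, 15), date(2025, 4, 10), "Closed", []),
    CapaEntry("NC-004", "Security awareness training overdue for new starters", "Minor",
              "Training not linked to the HR joiner workflow", "Overdue staff trained",
              "Add training assignment to HR joiner checklist", "HR Manager",
              date(2025, 3, 1), date(2025, 5, 31), date(2025, 6, 25), "Open"),
    CapaEntry("OFI-005", "Consider automating access review reminders", "OFI", "", "", "", "",
              date(2025, 4, 1), date(2025, 12, 31), date(2025, 6, 15), "Closed",
              ["Discussed at June management review"]),
]

if __name__ == "__main__":
    for ref, issues in audit_register(SAMPLE_REGISTER, TODAY).items():
        print(ref, "->", "; ".join(issues))
```

Run it the week before the audit and work the output down to nothing; every line it prints is a finding you would otherwise be handed by the auditor. The checks are deliberately strict about closure: an entry cannot be Closed without at least one item of evidence, which matches the article's point that a closed entry with no evidence is the same as an open one.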

Where Clause 10.2 Feeds Back Into the ISMS

Nonconformities do not live in isolation. They are a mandatory input to Clause 9.3 management review — leadership must be sighted on open findings, patterns, and whether corrective actions are effective. They also feed back into Clause 6 risk assessment — a recurring nonconformity may indicate a risk that was underestimated or a control that is not working as designed.

A well-run CAPA process does not just close findings. It improves the ISMS — which is the entire point of Clause 10.

Where to Go Next

Clause 10.2 connects directly to Clause 9 (internal audit and management review, where most nonconformities are first surfaced) and to Clause 10.1 (continual improvement, where patterns of findings drive ISMS-level change).

For the full picture of what each clause requires you to build, document, and evidence, see our complete guide: ISO 27001 Clauses 4–10: The First Steps in Setting Up Your ISMS.
