ISO 27001 Nonconformity

In an information security management system (ISMS), a nonconformity is any instance in which the system fails to meet a requirement.

An ISO 27001 nonconformity is a circumstance in which an organization’s ISMS does not meet a requirement of the ISO 27001 standard, or a requirement the organization has set for itself within that ISMS. Nonconformities can be identified at any time: during internal audits, during external (certification or surveillance) audits, or through routine monitoring, measurement and management review.

Any instance where the organization is not meeting a requirement of the standard constitutes a nonconformity. Nonconformities are classified by severity and impact. Major nonconformities are serious issues that undermine the capability of the management system to achieve its intended results, for example a required clause not implemented at all, or a pattern of minor failures that together show a process is not working. Minor nonconformities are isolated lapses that are less serious but still represent a failure to meet a requirement. The distinction matters in practice: a certification body will typically not issue or renew a certificate while a major nonconformity is open, whereas a minor nonconformity usually requires an accepted corrective action plan, with closure verified at the next audit. Auditors may also record observations or opportunities for improvement; these are not nonconformities and do not affect certification, though they are worth acting on before they become one.

Examples of nonconformities are the following:

  • Failure to implement a control that the organization has declared applicable in its Statement of Applicability, or to justify the exclusion of a control that has been left out. 
  • Failure to follow the organization’s own information security policies and procedures. 
  • Failure to perform risk assessment and risk treatment at planned intervals, or when significant changes occur, as the standard requires. 
  • Failure to manage changes that could affect information security through an adequate change management process. 
  • Failure to provide the resources needed by the ISMS, such as budget, training and competent personnel. 

Corrective action 

When a nonconformity is discovered, it is crucial to take corrective action promptly. The standard itself (clause 10, Improvement) requires the organization to react to the nonconformity, evaluate the need for action to eliminate its cause so that it does not recur, implement that action, review its effectiveness, and retain documented evidence of the whole process. Note the distinction between a correction and a corrective action: a correction fixes the specific instance (for example, re-enabling a disabled control), while a corrective action removes the underlying cause (for example, adding a monitoring check so the control cannot be silently disabled again). Both are normally needed. The process starts with a nonconformity report that documents the finding in detail: what requirement was not met, the evidence observed, the impact on the ISMS, and the correction and corrective action planned to rectify the situation. 

The ISO 27001 audit report will also record any identified nonconformities and the corresponding corrective actions, and the certification body will check at subsequent audits that those actions were taken and were effective. By addressing nonconformities properly, organizations strengthen their controls, improve their overall security, and maintain conformity with the ISO 27001 standard. Nonconformities should therefore be taken seriously and addressed promptly to protect the security of the organization’s information.

Identifying and resolving nonconformities is an important part of continually improving an organization’s information security and its ISO 27001 management system. Lessons learned from nonconformities, including near misses and repeated minor findings, can drive improvements and strengthen security. 

Nonconformities should never be ignored. They must be documented, investigated, and resolved through planned corrective actions, followed by verification that the issue has been resolved effectively and has not recurred. An organization’s approach to dealing with nonconformities can significantly affect both its ISO 27001 certification and its overall information security posture.

Addressing ISO 27001 Nonconformities

When an ISO 27001 audit identifies nonconformities in your information security management system (ISMS), you must take corrective action. Nonconformities mean your ISMS does not fully meet the ISO 27001 requirements, and closing them is a precondition for achieving or maintaining certification.

As the person responsible for your organization’s ISMS, you’ll need to:

  • Review the nonconformity report from your ISO 27001 auditor. It will specify which requirements of the standard were not met, the evidence observed, and the classification (major or minor) of each finding.
  • Determine the root cause(s) of each nonconformity. Common causes include inadequate resources, lack of employee awareness, incomplete documentation, and controls that were designed but never operated or monitored. Identify all contributing causes, not just the most visible one, so the issue does not recur.
  • Develop a corrective action plan. For each nonconformity, specify the immediate correction, the corrective action that eliminates the root cause(s), who is responsible, and the deadline for completion. Certification bodies typically expect this plan within a set period after the audit, so confirm the deadline with your auditor.
  • Implement the corrective actions and retain objective evidence of completion for your auditor. This evidence may include updated procedures, training records, risk assessment reports, configuration or monitoring records, etc.
  • Review the corrective actions to confirm they were effective, for example through an internal audit of the affected area or through ongoing monitoring, before the auditor verifies them. After the auditor has closed the finding, continue to monitor your ISMS to confirm the nonconformity does not recur, and adjust as needed to maintain conformance with ISO 27001.

By properly addressing ISO 27001 nonconformities and taking corrective action, you can bring your ISMS back on track and ensure it meets all requirements of the standard. Be proactive about continual improvement to avoid nonconformities in future audits and to maintain certification. Keep records of every nonconformity and the corrective actions taken, including evidence of their effectiveness; these records are themselves a requirement of the standard and demonstrate the ongoing progress of your ISMS.