What to Do When You Have an ISO-Related Nonconformity
They say, “X marks the spot,” but in compliance, that’s not always a good thing.
You could argue that the entire point of certification against an ISO standard is to not find anything—after all, that would mean your management system meets all the requirements for security. And that in turn would mean you can assure your customers that you’re good stewards for their data.
Unfortunately, it doesn’t always happen that way.
There’s no treasure map to finding nonconformities (NCFs), but they can still crop up to complicate your ISO certification processes.
You dread them because if your assessor finds one, then you don’t meet a requirement for compliance and that could spiral in different ways if these things aren’t dealt with appropriately.
How do you avoid that spiral? What do you do when your assessor finds a nonconformity? What’s the protocol for fixing it so you do meet the requirements to become certified?
We’re going to cover all that in this article. As an ISO Certification Body, we’ve done almost 500 different ISO certification audits in just the last year alone, so we’ve seen plenty of nonconformities and guided enough organizations through them. Now, we want to help you.
Read on to learn how ISO classifies nonconformities and what each category means, along with the industry differences between “correction” and “remediation.” Because after reading, you won’t dread hearing “nonconformity” in the future so much. Rather, you’ll know exactly what to do if and when it does, thereby ensuring you still achieve certification.
Classifications of Nonconformities in ISO Standards
As we mentioned, your assessor will term it as a nonconformity if they find your organization does not meet a requirement of the standard they’re certifying you against. They will identify and record all nonconformities in one of three ways:
- Major: A nonconformity that affects the capability of the management system to achieve the intended results.
- Occurs if you fail to provide enough assurance that you’ve implemented a formal process control to satisfy the requirement in question. Your auditor will deem a nonconformity as Major if they determine that not only is there no procedure in place to mitigate the risk, but you have also not addressed the requirement.
- Minor: A nonconformity that does not affect the capability of the management system to achieve the intended results.
- Occurs if you have a lapse in a process. So, there is a procedure in place, yet there were instances where you did not execute it. Multiple Minor nonconformities related to the same requirement can also lead to a Major nonconformity.
- Opportunity for Improvement (OFI): An OFI is a process control that, should it go unaddressed, could result in more severe findings in subsequent reviews.
- Because they are just “opportunities,” corrective action is just recommended—not required.
What Should You Do After an ISO Nonconformity is Identified?
Together, you and your certifying body will review, discuss, and agree upon any findings during the closing meeting. At that point, your assessor will provide you with a nonconformity report, outlining the details for each of the findings.
They’ll also outline the terms and conditions for certification for you based on the severity of the finding(s).
For both Major and Minor NCFs, you must provide a completed nonconformity report within 14 days of the close of the review. That report should include your explanation of a corrective action plan (CAP), as well as the root cause of the finding, and plans (by when and how) to remediate.
With such similar but different verbiage, things can get misunderstood here, so let us clarify:
- Evidence of correction (EoC) is due from you for all Major and Minor NCFs within 30 days of the close of the review.
- This is your “immediate” fix to the problem, and part of your CAP. I.e., if something’s missing, put it in place and such.
- You must provide the completed CAP and EoC before the certifying body can issue you the certification and related report.
- You also must provide evidence of remediation. This is evidence to show your certifying body that you’ve now addressed those controls and the process has been fully implemented.
- Unlike EoC, remediation should address the aforementioned root cause that caused the NCF so that it will not happen again.
- For all Major NCFs, you must provide this evidence within 60 days of the close of the certification review.
- For all Minor NCFs, you must provide evidence of remediation in time for the subsequent review.
Here’s a chart for easier layout:
Corrective Action Plan
Due 14 days from the close of the review
Due 30 days from the close of the review
Due upon subsequent review
Due 14 days from the close of the review
Due 30 days from the close of the review
Due 60 days from the close of the review
What Is the Status of Your Nonconformity?
While you take all the appropriate action for any nonconformities (and OFIs) identified during your assessment, your certification body will also assign them a status in the meantime. The status classifications are defined as follows:
- Open – A nonconformity is “open” when your assessor has yet to review the corresponding CAP and EoC OR if either the corresponding CAP or EoC is unacceptable.
- Closed – A nonconformity is “closed” after your audit team reviews the corresponding CAP, EoC, and evidence of remediation and deems it acceptable (and if they received those items within the allotted timeframes as previously outlined for Major and Minor NCFs).
Simple enough, but please note that a nonconformity will remain open if you only submit an acceptable corrective action plan and evidence of correction but no evidence of remediation.
It may be obvious, but we’ll say it anyway: not providing evidence of remediation within the allotted timelines for your NCFs will derail your certification so it’s important to ensure you remain diligent and follow through with all the necessary redress for each finding.
Illustrating Different Nonconformities in ISO Standards and Their Solutions
Let’s try to demonstrate all this a little more using ISO 27001:2013 Annex A.8.1 (Asset Management – Responsibility for Assets).
The control objective is “to identify organizational assets and define appropriate protection responsibilities.” To meet that, there are four control areas that you must address:
- Inventory of Assets: Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
- Ownership of Assets: Assets maintained in the inventory shall be owned.
- Acceptable Use of Assets: Rules for the acceptable use of information and assets associated with information and information processing facilities shall be identified, documented, and implemented.
- Return of Assets: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract, or agreement.
If your auditor found a potential nonconformity here, what could it look like?
- Hypothetical Minor nonconformity: If you didn’t securely maintain an Acceptable Use Policy outlining the rules for the appropriate handling of your organization’s assets.
- (That’s a failing of requirement #3.)
- A hypothetical Major nonconformity: If you failed to securely control and maintain a complete and accurate listing of all information assets while also failing to identify the asset owner within the inventory listing.
- (That would mean you failed two of the four requirements.)
How to rectify these theoretical NCFs? Here’s the difference between evidence of correction and remediation.
- The temporary fix—a.k.a. the EoC—would be to create a complete and accurate inventory identifying the owner of each asset within the listing.
- Thus, full remediation of the problem would be to not only create and maintain the listing correctly but also update it on a continual and ongoing basis.
Moving Forward in Your ISO Certification
We understand—no one wants to hear that there’s a problem, least of all when it’s compliance-related. Getting certified against an ISO standard takes a lot of work in preparation, and findings just mean more effort.
But with all this information now in hand, you’re more likely ready to take on any potential nonconformities should they arise in your ISO future. Knowing the standard classifications and requisite timelines for each will help minimize the effect these findings have on your certification process so that you’re more certain to find the success you need and seek.
To make sure you stay ahead of any other surprises, read our ISO content on the latest changes to some standards and other ways you can prepare:
About Matt Dougher
Matt Dougher is a Senior associate with Schellman based in Atlanta, GA. Prior to joining Schellman in 2016, Matt worked as an experienced Staff Consultant at a Big 4 audit firm. He performed numerous engagements spanning different service lines, but he found his true passion was in SarbanesOxley compliance, as well as any IT advisory work. He has performed the majority of his work through IT Risk Assurance and performing ITGC testing.