ISO 27001:2022 Clause 10.2 Nonconformity and Corrective Action

In this guide, I will show you exactly how to implement ISO 27001 Clause 10.2 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Clause 10.2 Nonconformity and Corrective Action

ISO 27001 Clause 10.2 requires organizations to react to nonconformities (deviations from policies, procedures, or the standard itself) and take corrective action to prevent them from recurring. This clause is the mechanism for “fixing things when they go wrong.” Whether it’s a failed audit finding, a security incident, or a missed training deadline, you must have a formal process to investigate the root cause and implement a permanent fix. This ensures your Information Security Management System (ISMS) is self-healing and resilient.

Core requirements for compliance include:

  • Immediate Reaction: When a nonconformity occurs, you must first take action to control and correct it (the “Correction”) and deal with any immediate consequences (e.g., mitigating a data breach).
  • Root Cause Analysis (RCA): You cannot just fix the symptom; you must evaluate the need for action to eliminate the cause. The standard does not mandate a technique, but the 5 Whys or a Fishbone (Ishikawa) diagram are the ones most commonly used, and either gives the auditor a visible trail from symptom to cause.
  • Implementation of Corrective Action: Once the root cause is known, you must implement a specific action to prevent recurrence. This could involve updating a policy, changing a software configuration, or retraining staff.
  • Verification of Effectiveness: You must review the corrective action after a set period to ensure it actually worked. Did the problem stop? If not, the action was ineffective.
  • Documented Evidence: You must keep records of the nonconformity, the actions taken, and the results. This is typically managed in a Corrective Action Log.

Audit Focus: Auditors will look for “The Problem-Solving Trail”:

  1. The Log: “Show me your Nonconformity and Corrective Action Log. If it’s empty, I’ll be suspicious, no system is perfect.”
  2. Depth of RCA: “You identified a patching failure. Did you just patch the server (Correction), or did you find out why the auto-patching process failed (Corrective Action)?”
  3. Closure Evidence: “Show me the evidence (e.g., a re-test or follow-up audit) that proves this nonconformity is truly closed.”

Correction vs. Corrective Action (Audit Prep):

Term              | Definition                                        | Example Scenario
Correction        | The immediate “fix” to the problem.               | Restoring a deleted file from backup.
Corrective Action | Eliminating the root cause to prevent recurrence. | Changing permissions so users can’t delete files.
Nonconformity     | The failure to meet a requirement.                | Backup policy states “Daily,” but logs show “Weekly.”
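The nonconformity in the last row of the table is the kind an auditor finds by comparing the policy with the evidence rather than by asking. The following is an added example, not code from the article or the High Table toolkit, of doing that comparison programmatically: it parses constructed backup-agent log lines (the format, job names and dates are assumptions for illustration), keeps only successful runs as evidence, and reports any job whose observed gap between successes exceeds the interval the policy states. Checking the gap from the last success to the assessment date is included because a job that silently stopped would otherwise pass.

```python
"""Check backup evidence against the stated backup policy.

Added example, not part of the original article or the High Table toolkit.
The policy, log format, job names and dates are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed policy: what the Backup Policy document says each job must do.
POLICY = {
    "fileshare": timedelta(days=1),   # "Daily"
    "crm-db": timedelta(days=1),      # "Daily"
}

# Constructed backup-agent log lines (assumed format: timestamp job status).
SAMPLE_LOG = """\
2024-03-01 02:00:11 job=fileshare status=success
2024-03-01 02:05:42 job=crm-db status=success
2024-03-02 02:00:09 job=crm-db status=success
2024-03-03 02:00:15 job=crm-db status=success
2024-03-04 02:00:13 job=crm-db status=success
2024-03-04 02:10:00 job=fileshare status=failed
2024-03-08 02:00:08 job=fileshare status=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) job=(?P<job>\S+) status=(?P<status>\S+)$"
)


def parse_log(text):
    """Return {job: [timestamps of successful runs]}.

    Failed runs are not evidence that the policy was met, so they are dropped;
    lines that do not match the expected format are ignored rather than trusted.
    """
    runs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "success":
            continue
        stamp = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        runs.setdefault(m["job"], []).append(stamp)
    return runs


def find_nonconformities(policy, runs, as_of=None, tolerance=timedelta(hours=2)):
    """Compare observed gaps between successful runs with the policy interval.

    Returns one finding per job that breaches policy, carrying the largest gap
    observed (the evidence an auditor would ask to see). If as_of is given, the
    gap from the most recent success to that date is checked as well.
    """
    findings = []
    for job, interval in policy.items():
        stamps = sorted(runs.get(job, []))
        if not stamps:
            findings.append({"job": job, "observed": None,
                             "detail": "no successful run in evidence"})
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if as_of is not None:
            gaps.append(as_of - stamps[-1])  # time since the most recent success
        worst = max(gaps) if gaps else timedelta(0)
        if worst > interval + tolerance:
            findings.append({"job": job, "observed": worst,
                             "detail": f"largest gap {worst} exceeds the {interval} policy interval"})
    return findings


if __name__ == "__main__":
    # Assessment date is constructed to match the sample log above.
    assessed = datetime(2024, 3, 8, 9, 0, 0)
    for f in find_nonconformities(POLICY, parse_log(SAMPLE_LOG), as_of=assessed):
        print(f"NONCONFORMITY job={f['job']}: {f['detail']}")
```

Run stand-alone it flags fileshare (weekly, not daily) and crm-db (no success for four days before the assessment date). The finding is the nonconformity record; the correction is running the missing backups, and the corrective action is whatever the root-cause analysis says caused the schedule to drift.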

What is ISO 27001 Clause 10.2 and Why is it Important?

A nonconformity is a deviation from the requirements of your ISMS. This could be anything from a broken process, a missed security policy, an incident, or a failed audit finding.

It is important because things change and no management system is 100% effective 100% of the time, so you need a process to handle when things inevitably go wrong.

Purpose and Definition

The purpose of ISO 27001 Clause 10.2 Nonconformity and Corrective Action is to identify when things are not operating as expected and to make sure that when things go wrong they are corrected.

The ISO 27001 standard defines ISO 27001 Clause 10.2 Nonconformity and Corrective Action as:

When a nonconformity occurs, the organisation shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur
or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
Documented information shall be available as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.

ISO 27001:2022 Clause 10.2 Nonconformity and Corrective Action

The requirement is that when a nonconformity happens the organisation:

  • take action to control and correct it
  • deal with the consequences
  • review the nonconformity
  • determine the causes of the nonconformity
  • determine if similar nonconformities exist, or could potentially occur
  • implement any action needed
  • review the effectiveness of any corrective action taken
  • make changes to the information security management system, if necessary
  • keep documents and evidence for audit

1. React to the nonconformity

Reacting and responding to a nonconformity means taking action to control and correct what went wrong and dealing with the consequences.

2. Evaluate the nonconformity

Evaluation is about understanding what went wrong, why it went wrong and then deciding on the course of action to take so that it does not happen again.

3. Manage the nonconformity

Whatever the nonconformity was, you are going to correct it. It may be an isolated incident or it may be something more fundamental that requires a change to the information security management system (ISMS) and a continual improvement plan. It is about making changes that are appropriate to what you found and to the evaluation you did.

4. Check the changes worked

You will correct the mistake and then review the effectiveness of the change you made, to make sure it really is effective. The usual way to do this is an internal audit of the area that changed.

5. Document the nonconformity

The auditor is going to look for documentation of how you managed the nonconformity. It is also required by the standard. You are going to be able to evidence the nature of the nonconformity and the actions that you took as well as evidence that the changes were effective.

Non-conformity and corrective action are processes that fall within the scope of incident management. This framework can be structured as a Level 2 incident management process or as a dedicated sub-process. The critical first step is to identify that an event has a potential or actual impact on information security. Once this is established, you can invoke your formal processes for managing the non-conformity.

What are minor nonconformities and major nonconformities?

While a non-conformity is simply a failure to meet a requirement, auditors typically classify them into two main types: minor nonconformities and major nonconformities.

Certification audits distinguish between things that on the whole work but were found not to have worked on a couple of occasions (minor nonconformities) and things that do not work at all, or have not been implemented (major nonconformities). The standard itself does not define these terms; they come from certification body practice.

This classification is a convention used during audits to determine the severity of the issue and the potential impact on certification.

Minor nonconformity

A minor nonconformity is a single, isolated lapse or a partial failure to meet a requirement that does not significantly impact the overall effectiveness of your management system (e.g., ISO 27001 or ISO 9001). It’s a localised issue that does not compromise the system’s ability to achieve its objectives.

An organisation can still achieve or maintain its certification with minor nonconformities, but it must have a clear plan and timeline for corrective action.

Minor nonconformity examples

Here are some examples that I have seen:

  • One person in ten has not done their mandatory information security training
  • One person out of fifteen was seen to have antivirus disabled
  • A document in the management system was found to have not been updated

Major nonconformity

A major nonconformity is a significant failure to meet a requirement that has or could have a serious impact on the management system’s effectiveness. It indicates a systemic or critical breakdown that could compromise the company’s ability to meet its objectives, customer expectations, or regulatory requirements.

A major nonconformity will result in a failed audit and a delay in certification until the issue is fully resolved and verified by the auditor.

Major nonconformity examples

  • You said you do disaster recovery tests but in fact you have not
  • You have policies and procedures but no one follows them
  • A previous nonconformity was not addressed, and the issue has recurred.

ISO 27001 Clause 10.2 Explained: A Complete Guide

In this tutorial video, How to implement ISO 27001 Clause 10 Improvement I show you how to implement nonconformity and corrective action as part of the wider requirement of continual improvement.

How to implement ISO 27001 Clause 10.2: Step-By-Step

Based on my experience and what I have seen work well the following are the best practice implementation steps to implement ISO 27001 Nonconformity and Corrective Action.

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 Clause 10.2 Nonconformity and Corrective Action

  1. Implement a Continual Improvement Policy

    We need an ISO 27001 Continual Improvement Policy. Policies are statements of what we do, not how we do it (that is covered in the process documents); the policy sets out our approach to handling nonconformities and corrective actions.

  2. Implement an incident and corrective action log

    Implement and use the ISO 27001 incident and corrective action log that includes the required fields and allows you to manage incidents and corrective actions. This is the main tool for the management of nonconformity.

  3. Implement an incident management process

    The incident management process sets out how you deal with incidents. Incidents are one of the major sources of identifying nonconformities.

  4. Implement a continual improvement process

    The ISO 27001 continual improvement process sets out how you make fundamental changes to prevent nonconformities from recurring.

  5. Identify a Nonconformity

    A nonconformity is usually identified by audit or the occurrence of incidents.

  6. Nonconformity from Incidents

    Our first step is to handle the incident and to manage its consequences. Document everything as you go; best practice is to use an incident management system or a help desk system. Many of these come with the capability out of the box and at worst require some minor tweaks.
    This ensures we have a record of the incident and what happened.
    Once this step is complete we assess what happened. We are looking to see whether this was a one-off or whether the incident could happen again, or elsewhere.
    We then take action appropriate to the effect of the nonconformity so that it does not recur. Where the cost of action is too high, the alternative is to accept the residual risk; that decision goes through the risk management process and requires approval and sign-off by the management review team.
    We find the ISO 27001 incident and corrective action log is ideal for managing this process. An effective log that meets the requirements of the standard while also handling the process efficiently is worth the effort.

  7. Nonconformity from Audits

    When an audit results in a nonconformity we follow a similar process to handling incidents. The nonconformity is recorded on the incident and corrective action log. A root cause analysis is conducted. Remediation is implemented under the guidance of the management review team.

  8. Report

    The ISO 27001 Management Review Team provides the management oversight and is the decision-making body. Be sure to report nonconformities and corrective actions to the meeting and record the decisions in the minutes.

ISO 27001 Continual Improvement Policy Template

The ISO 27001 Continual Improvement policy template sets out what must be done for continual improvement and specifically addresses improvement as a result of Non-Conformity as well as wider requirements on non conformity and corrective action. As a requirement of the standard, continual improvement is covered in ISO 27001 Continual Improvement: Clause 10.1

ISO 27001 Nonconformity and Corrective Action Policy Example

Let us take a look at an example of an ISO 27001 Nonconformity and Corrective Action Policy. It is in fact covered in the continual improvement policy. This is a best practice example based on real world application and use.

ISO 27001 Continual Improvement Process Example

The continual improvement process is included in the ISO 27001 Toolkit, but to see what it should include take a look at the following example.

ISO 27001 Incident and Corrective action Log Template

The ISO 27001 Incident and Corrective Action Log Template is used to track and manage incidents and corrective actions effectively. This log is an essential part of the ISO 27001 continual improvement process and of managing nonconformities and corrective actions.

ISO 27001 Incident and Corrective action Log Example

This ISO 27001 Incident and Corrective Action Log Example shows the layout of a typical log: the required columns and the data that must be captured for each entry. At a minimum an entry records the nature of the nonconformity, the correction and how the consequences were dealt with, the root cause, whether similar nonconformities exist or could occur, the corrective action with its owner and due date, and the result of the effectiveness review (the evidence the standard requires under f) and g)). ISO 27001 nonconformities and corrective actions are recorded in this log and the log is used to manage them.
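A spreadsheet is the usual form of the log, but the value of the log is the sequence it enforces: correction, then cause, then corrective action, then an effectiveness review before anything is closed. The following is an added example, not code from the article or the High Table toolkit, of a minimal log that enforces that sequence and runs the three checks an auditor applies to it (an empty log, overdue actions, and a “corrective action” that merely repeats the correction). The field names, method names and the two sample entries are constructed for illustration.

```python
"""Nonconformity and corrective action log that enforces the Clause 10.2 sequence.

Added example, not code from the article or the High Table toolkit. Field names,
the sample entries and the audit checks are constructed to mirror the clause's
a) to g) requirements and the "problem-solving trail" an auditor samples.
"""
from dataclasses import dataclass, asdict
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Nonconformity:
    ref: str
    source: str                  # e.g. "internal audit", "incident", "external audit"
    description: str             # f): the nature of the nonconformity
    raised: date
    severity: str = "minor"      # audit convention ("minor"/"major"), not a term of the standard
    correction: str = ""         # a)1): immediate action to control and correct it
    consequences: str = ""       # a)2): how the consequences were dealt with
    root_cause: str = ""         # b)2): why it happened
    similar_check: str = ""      # b)3): does it exist, or could it occur, elsewhere?
    corrective_action: str = ""  # c): action taken to eliminate the cause
    due: Optional[date] = None
    effectiveness: str = ""      # d)/g): result of the effectiveness review
    reviewed: Optional[date] = None
    status: str = "open"         # open -> in progress -> closed


class CorrectiveActionLog:
    def __init__(self) -> None:
        self.items: Dict[str, Nonconformity] = {}

    def raise_nc(self, nc: Nonconformity) -> None:
        if nc.ref in self.items:
            raise ValueError(f"{nc.ref} already logged")
        self.items[nc.ref] = nc

    def react(self, ref: str, correction: str, consequences: str) -> None:   # clause a)
        nc = self.items[ref]
        nc.correction, nc.consequences = correction, consequences
        nc.status = "in progress"

    def analyse(self, ref: str, root_cause: str, similar_check: str) -> None:  # clause b)
        nc = self.items[ref]
        if not nc.correction:
            raise ValueError("react to the nonconformity before analysing it")
        nc.root_cause, nc.similar_check = root_cause, similar_check

    def plan_action(self, ref: str, corrective_action: str, due: date) -> None:  # clause c)
        nc = self.items[ref]
        if not nc.root_cause:
            raise ValueError("determine the cause before planning corrective action")
        nc.corrective_action, nc.due = corrective_action, due

    def review(self, ref: str, on: date, effectiveness: str) -> None:          # clause d)
        nc = self.items[ref]
        if not nc.corrective_action:
            raise ValueError("nothing to review: no corrective action recorded")
        nc.effectiveness, nc.reviewed = effectiveness, on

    def close(self, ref: str) -> None:
        # Closure needs evidence that the action worked, not just that it was done.
        nc = self.items[ref]
        if nc.effectiveness.strip().lower() != "effective":
            raise ValueError(f"{ref}: cannot close without an effectiveness review recorded as 'effective'")
        nc.status = "closed"

    def evidence(self, ref: str) -> dict:
        """The documented information the standard asks for (f and g), as one record."""
        return asdict(self.items[ref])

    def audit_checks(self, today: date) -> List[str]:
        """The questions an auditor asks of the log, returned as findings."""
        out: List[str] = []
        if not self.items:
            out.append("log is empty: no nonconformities ever recorded")
        for nc in self.items.values():
            if nc.status != "closed" and nc.due and nc.due < today:
                out.append(f"{nc.ref}: corrective action overdue since {nc.due}")
            if nc.corrective_action and nc.corrective_action.strip().lower() == nc.correction.strip().lower():
                out.append(f"{nc.ref}: corrective action repeats the correction (symptom fixed, cause not addressed)")
            if nc.status == "closed" and not nc.root_cause:
                out.append(f"{nc.ref}: closed without a recorded root cause")
        return out


def sample_log() -> CorrectiveActionLog:
    """Two constructed entries: one worked through properly, one stuck at the symptom."""
    log = CorrectiveActionLog()
    log.raise_nc(Nonconformity("NC-001", "internal audit",
                               "Server missed three monthly patch cycles", date(2024, 2, 5)))
    log.react("NC-001", "Patched the server manually", "Reviewed logs; no sign of exploitation")
    log.analyse("NC-001", "Patch agent disabled by the server build script",
                "Checked every server built from the same image; two more affected")
    log.plan_action("NC-001", "Fixed build script; alert when an agent stops checking in", date(2024, 3, 1))
    log.review("NC-001", date(2024, 4, 2), "effective")
    log.close("NC-001")

    log.raise_nc(Nonconformity("NC-002", "internal audit",
                               "Backup policy says daily; logs show weekly", date(2024, 2, 5)))
    log.react("NC-002", "Ran the missing backup", "Verified a restore from the new backup")
    log.analyse("NC-002", "Scheduler entry set to weekly by mistake", "Only one job affected")
    log.plan_action("NC-002", "Ran the missing backup", date(2024, 2, 19))  # symptom only
    return log


if __name__ == "__main__":
    for finding in sample_log().audit_checks(date(2024, 3, 1)):
        print(finding)
```

NC-001 follows the full trail and closes; NC-002 cannot be closed because no effectiveness review exists, and the audit checks flag it twice: the corrective action is the same text as the correction, and it is overdue. Those two findings are exactly the “depth of RCA” and “closure evidence” questions from the audit focus list above.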

ISO 27001 Incident Management Process Example

ISO 27001 non conformities and corrective actions are managed via the ISO 27001 Incident Management process. This is a standard process and the following is an example of the ISO 27001 Incident Management process. As a requirement of the ISO 27001 standard it is covered in ISO 27001 Response To Information Security Incidents: Annex A 5.26

How to pass the ISO 27001 Clause 10.2 audit

You demonstrate compliance to ISO 27001 Clause 10.2 Nonconformity and Corrective Action by having effective policy and process in place and having documented evidence that those processes have operated effectively. What this means is that you need policy and process for the sources of nonconformities, being:

  • Incident management
  • Audit (both internal audit and external audit)

And you need policy and process to deal with the nonconformities being

To demonstrate evidence you will have a series of documents and records

  • Incident tickets on your associated help desk systems
  • Change tickets that support any changes that have been made
  • The complete incident and corrective action log that is used to manage nonconformities
  • Meeting minutes from the Management Review Team meetings where all of the above have been shared and minuted

What an auditor looks for

The auditor is going to check a number of areas for compliance with Clause 10.2. Let’s go through them.

1. That you have incident management in place

When a non conformity is identified we need to be able to manage it. Incident management is required to respond to incidents and manage them through to resolution. The auditor will look at the process and a sample of recent incidents to ensure they followed the process and they were managed effectively.

2. That you have internal audit in place

Internal audit is the main mechanism to identify non conformity. Through the process of internal audit we identify when things are not operating as expected. The auditor will look at the process of internal audit and sample internal audits over the last 12 months. They will examine how the internal audits were reported and what happened as a result, especially in relation to any identified non conformities.

3. That you have corrective action in place

When a non conformity is identified something needs to happen. This is the corrective action. The auditor will want to see the corrective action process and that you have followed it. They will sample corrective actions from the last 12 months and want you to walk through them and explain how you managed them.

Top 3 ISO 27001 Clause 10.2 Mistakes and How to Fix Them

In my experience, the top 3 mistakes people make for ISO 27001 Nonconformity and Corrective Action are:

  • Not having independent internal audits
  • Not having documented processes
  • Not following your documented processes or not being able to evidence them in operation

Fast Track ISO 27001 Clause 10.2 Compliance with the ISO 27001 Toolkit

For ISO 27001 Clause 10.2 (Nonconformity and corrective action), the requirement is to react to nonconformities, evaluate the need for action to eliminate their causes (root cause analysis), and review the effectiveness of any corrective actions taken. This is a mandatory clause that ensures you handle deviations, like a failed audit or a security policy breach, systematically so they don’t recur.

While SaaS compliance platforms often try to sell you “automated nonconformity tracking” or complex “remediation dashboards,” they cannot actually conduct a “5 Whys” root cause analysis for you or decide whether a “Major Nonconformity” requires a fundamental shift in your organisational structure; those are human governance and strategic tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the corrective action framework you need without a recurring subscription fee.

1. Ownership: You Own Your Nonconformity History Forever

SaaS platforms act as a middleman for your compliance evidence. If you define your corrective actions and store your nonconformity logs inside their proprietary system, you are essentially renting your own organizational recovery history.

  • The Toolkit Advantage: You receive the Continual Improvement Policy and Incident and Corrective Action Log templates in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as your specific definitions for Minor vs. Major Nonconformities), ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for Real-World Problem Solving

Clause 10.2 is about fixing what’s broken and preventing it from happening again. You don’t need a complex new software interface to manage what a well-run Management Review Meeting and a clear corrective action log already do perfectly.

  • The Toolkit Advantage: Your team already solves problems and fixes errors. What they need is the governance layer to prove to an auditor that these fixes are formal, documented, and based on root cause analysis. The Toolkit provides pre-written policies and “Corrective Action Procedures” that formalize your existing problem-solving into an auditor-ready framework, without forcing your team to learn a new software platform just to log a policy deviation.

3. Cost: A One-Off Fee vs. The “Remediation” Tax

Many compliance SaaS platforms charge more based on the number of “tasks,” “remediation workflows,” or “users” involved in fixing nonconformities. For a clause that is triggered every time something goes wrong, these monthly costs can scale aggressively for very little added value.

  • The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you handle 2 nonconformities a year or 20, the cost of your Corrective Action Documentation remains the same. You save your budget for actual security upgrades or staff training rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Recovery Strategy

SaaS tools often mandate specific ways to report on and monitor “nonconformity and corrective action.” If their system doesn’t match your unique agile review process or your specialized industry requirements, the tool becomes a bottleneck to true recovery.

  • The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Corrective Action Procedures to match exactly how you operate, whether you use a formal steering committee or a lean, collaborative team approach. You maintain total freedom to evolve your ISMS without being constrained by the technical limitations of a rented SaaS platform.

Summary: For Clause 10.2, the auditor wants to see that you have a formal process for handling nonconformities and proof that you are conducting root cause analysis (e.g., an updated corrective action log and evidence that changes were verified for effectiveness). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Clause 10.2 FAQ

What is ISO 27001 Clause 10.2 Nonconformity and Corrective Action?

The ISO 27001 standard requires that the organisation shall manage when things go wrong, manage the consequences of things going wrong, identify why it went wrong and put in place measures to stop it from happening again.

How do I evidence I meet the requirement of ISO 27001 Clause 10.2 Nonconformity and Corrective Action?

You evidence compliance to the ISO 27001 Clause 10.2 Nonconformity and Corrective Action by being able to demonstrate that you identify when things go wrong, put things right, identify why it went wrong and put in place measures so it does not happen again.

Where can I download ISO 27001 Clause 10.2 Nonconformity and Corrective Action templates?

You can download ISO 27001 Clause 10.2 Nonconformity and Corrective Action templates in the ISO 27001 Toolkit.

ISO 27001 Clause 10.2 Nonconformity and Corrective Action example?

An example of ISO 27001 Clause 10.2 Nonconformity and Corrective Action can be found in the ISO 27001 Toolkit.

Do I report non conformities to senior management?

Yes. Senior management and leadership are informed of non conformities. This is usually via the management review team meeting.

Do I do a root cause analysis on non conformities?

Yes. Non conformities require a root cause analysis to identify why they happened and to help to identify what can be done to prevent it from happening again.

Can I classify non conformities?

You can classify non conformities to help you to prioritise the order in which to tackle them and the recommended actions you should take. This would be aligned with the risk management process.

Can a corrective action be that I do nothing?

Technically yes but by doing nothing you are accepting risk and therefore you would follow your risk management process with sign off and acceptance by the management review team.

How do I report a non conformity?

Non conformities are reported via the incident management process.

Can I pass ISO 27001 certification with non conformities?

Yes you can pass the ISO 27001 certification if you have non conformities as long as they are being effectively managed and reported.

What is an ISO 27001 nonconformity?

A nonconformity is a failure to meet a requirement. In ISO 27001, this means not complying with a clause of the standard, a control from Annex A, your own established policies and procedures, or legal and regulatory requirements.

What is the difference between a nonconformity and an “observation” or “opportunity for improvement”?

A nonconformity is a clear breach of a requirement. An observation (or opportunity for improvement) is not a direct nonconformity but suggests an area where the Information Security Management System (ISMS) could be strengthened or made more efficient.

Why is it important to address nonconformities promptly?

Promptly addressing nonconformities is crucial for maintaining the effectiveness of your ISMS, preventing recurrence, demonstrating continuous improvement, and ensuring ongoing compliance with ISO 27001, which is essential for certification and maintaining trust.

Who is responsible for identifying nonconformities?

Nonconformities can be identified by anyone within the organization, including employees, internal auditors, external auditors (during certification or surveillance audits), or even customers and other interested parties.

What is a “corrective action” in ISO 27001?

A corrective action is an action taken to eliminate the cause of a detected nonconformity or other undesirable situation and prevent its recurrence. It’s not just about fixing the immediate problem, but addressing its root cause.

What are the key steps in the nonconformity and corrective action process?

The typical steps include:
a. Identifying and documenting the nonconformity.
b. Investigating the nonconformity and its root cause.
c. Planning and implementing a corrective action.
d. Verifying the effectiveness of the corrective action.
e. Making changes to the ISMS documentation as needed.
f. Reviewing the nonconformity and corrective action during management review.

How do internal audits contribute to the nonconformity process?

Internal audits are a key mechanism for proactively identifying nonconformities and areas for improvement within the ISMS. They provide an independent assessment of your ISMS’s compliance and effectiveness.

What is the role of “management review” in addressing nonconformities?

Management review (Clause 9.3) is a mandatory activity of the ISMS, and the status of nonconformities and corrective actions is a required input to it. It provides a formal opportunity for top management to review them and ensure they are being effectively managed and resourced.

Can a nonconformity lead to a loss of ISO 27001 certification?

Yes, significant or recurring nonconformities, especially if not adequately addressed, can lead to a suspension or withdrawal of ISO 27001 certification during surveillance or re-certification audits.

ISO 27001 Clause 10.1: Continual Improvement

ISO 27001 Annex A 5.24: Information Security Incident Management Planning and Preparation

ISO 27001 Annex A 5.25: Assessment And Decision On Information Security Events

ISO 27001 Annex A 5.26: Response To Information Security Incidents

ISO 27001 Annex A 5.27 Learning From Information Security Incidents

Further Reading

Business Continuity Incident Action Log Template

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
