The Nonconformity (NC) Register provides a structured system for recording, tracking, and resolving nonconformities in your ISMS, as required by ISO/IEC 27001:2022 Clause 10.1 (Continual improvement) and Clause 10.2 (Nonconformity and corrective action). Every nonconformity, whatever its source, must be recorded, investigated, corrected, and its corrective action verified as effective, so that the register itself is the evidence of a functioning continual improvement process.
Creating a Nonconformity Record
Navigate to the Nonconformity Register from the ISO 27001 module navigation. Click "Add Nonconformity" to create a new record.
The NC Reference is auto-generated (e.g., NC-2026-001). Enter the title, description, and select the classification and source.
Assign a responsible person and set the target date for resolution. The status defaults to "Open".
Update the status to "Under Investigation" and document the root cause analysis in the Root Cause field.
Document the corrective action plan and optional preventive action. Update status to "Corrective Action Planned".
Once corrective actions are implemented, update the status to "Corrective Action Implemented". After someone independent of the implementation has verified that the actions are effective, update to "Verified Effective" and finally "Closed".
Form Fields Reference
| Field | Type | Required | Description |
|---|---|---|---|
| NC Reference | Auto-generated | Automatic | Unique reference number automatically assigned by the system. Format: NC-YYYY-NNN (e.g., NC-2026-001). Cannot be edited. |
| Title | Text input | Required | A concise title summarising the nonconformity. Example: "Access review process not performed for Q4 2025" |
| Description | Textarea | Optional | Detailed description of the nonconformity including what was found, where, when, and by whom. State the objective evidence clearly. |
| Classification | Select dropdown | Optional | Severity classification: Major NC, Minor NC, Observation, OFI (Opportunity for Improvement). See classification definitions below. |
| Source | Select dropdown | Optional | Where the nonconformity was identified. Options: Internal Audit, External Audit, Incident, Management Review, Customer Complaint, Other |
| Status | Select dropdown | Optional | Current status in the workflow (see 6-status workflow below) |
| Clause Reference | Text input | Optional | The ISO 27001 clause or Annex A control that was not met. Example: "Clause 9.2", "A.5.18", "Clause 7.2" |
| Root Cause | Textarea | Optional | Root cause analysis results. Use techniques such as 5 Whys, fishbone diagram, or fault tree analysis. Document the underlying cause, not just the symptom. |
| Corrective Action | Textarea | Optional | The action(s) taken to eliminate the cause of the nonconformity and prevent recurrence. Must address the root cause, not just correct the immediate issue. |
| Preventive Action | Textarea | Optional | Additional actions taken to prevent similar nonconformities from occurring in other areas or processes. Demonstrates proactive improvement. |
| Responsible Person | User select / Text | Optional | The person accountable for investigating the NC and implementing corrective actions |
| Target Date | Date picker | Optional | The target date for completing all corrective actions |
| Completion Date | Date picker | Optional | The actual date corrective actions were completed |
| Verification Date | Date picker | Optional | The date the corrective actions were verified as effective |
| Verified By | Text input / User select | Optional | The person who verified the effectiveness of the corrective actions. Should be someone independent of the corrective action implementation. |
Classification Definitions
| Classification | Definition | Expected Response |
|---|---|---|
| Major NC | A significant failure to meet one or more requirements of the standard, or a situation that raises significant doubt about the ISMS capability. Systemic failures, entire missing processes, or a pattern of related minor NCs. | Immediate investigation required. Root cause analysis mandatory. Corrective action must be implemented and verified before the certificate can be issued or maintained. Top management should be notified. |
| Minor NC | A single observed lapse that does not affect the overall capability of the ISMS. Isolated instances of non-compliance, missing evidence for a single requirement, or incomplete documentation. | Corrective action required within the defined target date (typically 30–90 days). Root cause analysis recommended. Must be closed before next surveillance audit. |
| Observation | A potential concern that could develop into a nonconformity if not monitored. Not a current failure to meet a requirement. | Monitor and consider preventive action. Review at next internal audit. No mandatory corrective action timeline. |
| OFI | A suggestion for improvement beyond minimum standard requirements. Represents good practice or efficiency gains. | Consider for implementation as part of continual improvement. No mandatory action. Track for management review input. |
Source Options
| Source | Description | Typical Classification |
|---|---|---|
| Internal Audit | Identified during a planned internal ISMS audit (Clause 9.2) | All classifications possible |
| External Audit | Identified by the certification body during Stage 1, Stage 2, surveillance, or recertification audits | Typically Major or Minor NC |
| Incident | Arose from an information security incident investigation | Typically Minor or Major NC |
| Management Review | Identified during a management review meeting (Clause 9.3) | Typically Observation or Minor NC |
| Customer Complaint | Arising from a customer or stakeholder complaint about information security | Typically Minor NC |
| Other | Any other source: risk assessment, regulatory requirement, employee report, etc. | Varies |
Status Workflow
Every nonconformity follows a six-stage lifecycle. The status must progress through these stages in order: a record cannot skip a stage or move backwards, and each stage should only be entered once the evidence it depends on (root cause, corrective action plan, implementation evidence, independent verification) is on the record.
| Status | Description | Next Status |
|---|---|---|
| 1. Open | NC has been identified and recorded. Initial details captured. Awaiting investigation. | Under Investigation |
| 2. Under Investigation | Root cause analysis is underway. The responsible person is investigating the underlying cause of the nonconformity. | Corrective Action Planned |
| 3. Corrective Action Planned | Root cause has been identified and a corrective action plan has been documented. The plan has been reviewed and approved. | Corrective Action Implemented |
| 4. Corrective Action Implemented | The corrective action has been carried out. Evidence of implementation is available. Awaiting verification. | Verified Effective |
| 5. Verified Effective | An independent person has verified that the corrective action has been effective in eliminating the root cause. The nonconformity has not recurred. | Closed |
| 6. Closed | The NC lifecycle is complete. All actions have been implemented and verified. The record is retained for audit trail and trend analysis purposes. | N/A (final status) |
Dashboard
The NC Register dashboard provides the following views:
Open / Closed Counts
Summary cards showing the count of nonconformities in each state: Open, Under Investigation, CA Planned, CA Implemented, Verified Effective, and Closed. Major NCs are highlighted separately.
Aging Chart
A chart showing how long open nonconformities have been in their current status. NCs approaching or exceeding their target date are highlighted in amber (warning) or red (overdue). This helps management identify stuck items that need attention.
Trend Analysis
A line chart showing the number of NCs opened and closed over time, revealing trends in your ISMS maturity. A consistently decreasing trend in new NCs usually indicates improving processes, but read it alongside audit coverage: fewer findings can also mean that audits are becoming less thorough or are covering less of the ISMS scope.
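The following is an added example, not code from the NC Register product, that models the rules this page states: the NC-YYYY-NNN reference format, the strictly ordered six-stage lifecycle with its evidence prerequisites, the requirement that the verifier be independent of the person who implemented the corrective action, and the dashboard's amber/red aging bands. The field and function names, the sample record, and the 14-day "approaching target date" threshold are assumptions made for the example; the product may enforce these rules differently.

```python
"""Added example: a model of the NC Register lifecycle and aging rules.
Names, sample data and the AMBER_DAYS threshold are assumptions, not product code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# The six-stage lifecycle, in the only order the register allows.
STATUSES = (
    "Open",
    "Under Investigation",
    "Corrective Action Planned",
    "Corrective Action Implemented",
    "Verified Effective",
    "Closed",
)
NEXT_STATUS = dict(zip(STATUSES, STATUSES[1:]))  # each status -> its sole successor

REF_PATTERN = re.compile(r"^NC-(\d{4})-(\d{3})$")  # NC-YYYY-NNN
AMBER_DAYS = 14  # assumption: "approaching target date" means within 14 days


def next_reference(year: int, existing: list[str]) -> str:
    """Allocate the next NC-YYYY-NNN reference for `year` from the refs already in use."""
    used = [int(m.group(2)) for r in existing
            if (m := REF_PATTERN.match(r)) and int(m.group(1)) == year]
    return f"NC-{year}-{max(used, default=0) + 1:03d}"


class WorkflowError(ValueError):
    """A status change that would skip a stage, go backwards, or lack its evidence."""


@dataclass
class Nonconformity:
    reference: str
    title: str
    responsible_person: str
    target_date: date
    opened: date
    status: str = "Open"
    root_cause: str = ""
    corrective_action: str = ""
    completion_date: Optional[date] = None
    verification_date: Optional[date] = None
    verified_by: Optional[str] = None
    history: list = field(default_factory=list)  # (status, date entered): the audit trail

    def __post_init__(self) -> None:
        self.history.append((self.status, self.opened))

    def advance(self, new_status: str, on: date) -> None:
        """Move to the next status only, and only once that stage's evidence is recorded."""
        expected = NEXT_STATUS.get(self.status)
        if new_status != expected:
            raise WorkflowError(f"{self.reference}: {self.status!r} -> {new_status!r} not allowed")
        if new_status == "Corrective Action Planned" and not (self.root_cause and self.corrective_action):
            raise WorkflowError(f"{self.reference}: document root cause and corrective action first")
        if new_status == "Corrective Action Implemented" and self.completion_date is None:
            raise WorkflowError(f"{self.reference}: completion date missing")
        if new_status == "Verified Effective":
            if self.verification_date is None or not self.verified_by:
                raise WorkflowError(f"{self.reference}: verification date and verifier missing")
            if self.verified_by == self.responsible_person:  # separation of duties
                raise WorkflowError(f"{self.reference}: verifier must be independent of implementer")
        self.status = new_status
        self.history.append((new_status, on))

    def aging(self, today: date) -> tuple[str, int, int]:
        """Dashboard band ('closed' | 'ok' | 'amber' | 'red'), days in current status, days to target."""
        days_in_status = (today - self.history[-1][1]).days
        days_to_target = (self.target_date - today).days
        if self.status == "Closed":
            band = "closed"
        elif days_to_target < 0:
            band = "red"            # overdue
        elif days_to_target <= AMBER_DAYS:
            band = "amber"          # approaching target date
        else:
            band = "ok"
        return band, days_in_status, days_to_target


def demo() -> dict:
    """Walk one constructed NC (sample data, not a real record) through the lifecycle."""
    result = {}
    nc = Nonconformity(
        reference=next_reference(2026, ["NC-2026-001", "NC-2026-002", "NC-2025-007"]),
        title="Access review process not performed for Q4 2025",
        responsible_person="alice", target_date=date(2026, 3, 31), opened=date(2026, 1, 12))
    result["reference"] = nc.reference
    nc.advance("Under Investigation", date(2026, 1, 14))
    try:                                      # skipping straight to Closed is refused
        nc.advance("Closed", date(2026, 1, 15))
        result["skip_refused"] = False
    except WorkflowError:
        result["skip_refused"] = True
    nc.root_cause = "Review owner left the company; the task was never reassigned"
    nc.corrective_action = "Assign review ownership to a role and add a quarterly calendar trigger"
    nc.advance("Corrective Action Planned", date(2026, 1, 20))
    nc.completion_date = date(2026, 2, 27)
    nc.advance("Corrective Action Implemented", date(2026, 2, 27))
    result["aging_mid"] = nc.aging(date(2026, 3, 20))       # within 14 days of target
    result["aging_if_stalled"] = nc.aging(date(2026, 4, 6))  # past target date
    nc.verified_by, nc.verification_date = "alice", date(2026, 3, 20)
    try:                                      # the implementer may not verify her own work
        nc.advance("Verified Effective", date(2026, 3, 20))
        result["self_verify_refused"] = False
    except WorkflowError:
        result["self_verify_refused"] = True
    nc.verified_by = "bob"
    nc.advance("Verified Effective", date(2026, 3, 20))
    nc.advance("Closed", date(2026, 3, 25))
    result["final_status"] = nc.status
    result["trail"] = [s for s, _ in nc.history]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two refused transitions are the ones worth building into any register, whether this product or a spreadsheet: skipping stages hides the evidence an auditor will ask for, and letting the implementer verify their own fix defeats the point of the "Verified By" field.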