ISO 27001 Clause 10.2 requires organisations to handle nonconformities by taking corrective actions. The Nonconformity Register centralises all nonconformities and their resolution.
## Logging a nonconformity

Go to ISO 27001 → Nonconformities and click Add Nonconformity.

| Field | Description |
|---|---|
| Title | Brief description of the nonconformity |
| Severity | Major or Minor |
| Source | Where it was found: Internal audit, External audit, Incident, Management review, etc. |
| Root Cause | Analysis of why the nonconformity occurred |
| Corrective Action | What action will be taken to prevent recurrence |
| Due Date | Deadline for completing the corrective action |
| Status | Open → In Progress → Closed |

Auditors will check that each nonconformity is addressed with a genuine corrective action (one that prevents recurrence by acting on the root cause), not only a correction (fixing the immediate issue).