Nonconformity and corrective action
ISO 9001:2015 Clause 10.2 requires you to treat every nonconformity as a controlled event: contain and correct the issue, assess whether corrective action is needed to remove the cause, implement the action, and verify effectiveness. You operationalize it by running a single, auditable workflow from detection through root cause, action, verification, and documented learning. [1]
Key takeaways:
- You must both fix the immediate problem and decide whether to remove the underlying cause through corrective action. [1]
- Auditors will look for closed-loop evidence: containment, root cause, actions, effectiveness checks, and updates to risks/opportunities. [1]
- The fastest way to pass audits is a consistent CAPA record structure, clear ownership, and proof that recurrence risk was reduced. [1]
“Nonconformity and corrective action” is where your quality management system proves it can learn. Clause 10.2 is not asking for a perfect organization; it is asking for a repeatable method to respond when requirements are missed, processes break, or outputs don’t meet acceptance criteria. In practice, this clause is audited through your records: what you did when the issue occurred, how you decided what action was necessary, how you controlled impact, and how you confirmed the fix worked. [1]
For a Compliance Officer, CCO, or GRC lead, the operational win is to make nonconformities run like incidents: intake, triage, containment, root cause, corrective action plan, verification, and management visibility. The common failure mode is “we fixed it” with no evidence of root cause thinking, no consistent criteria for when corrective action is required, and no effectiveness review. Clause 10.2 explicitly expects those pieces, plus updates to risks and opportunities when the nonconformity reveals a broader control gap. [1]
This page gives you requirement-level implementation guidance you can put into a procedure, a workflow tool, and an audit binder without guesswork.
Regulatory text
ISO 9001:2015 Clause 10.2 states: “When a nonconformity occurs, the organization shall react, evaluate need for corrective action, implement actions, and review effectiveness.” [1]
Operator translation (what you must do, every time):
- React to the nonconformity by taking action to control and correct it, and address consequences. [1]
- Evaluate whether corrective action is needed to eliminate the cause so the issue does not recur or occur elsewhere. [1]
- Implement corrective action proportionate to the effects of the nonconformity. [1]
- Review effectiveness of actions taken and update risks and opportunities when the nonconformity changes your understanding of exposure. [1]
Plain-English interpretation (what the auditor expects)
A nonconformity is any failure to meet a requirement. Requirements can be customer requirements, internal procedures, specifications, legal/regulatory obligations you’ve adopted, or ISO 9001 process requirements.
Clause 10.2 expects a closed loop:
1) you stop the bleeding,
2) you understand what failed,
3) you decide whether to take corrective action (not every minor event needs a full CAPA),
4) you carry out actions to remove the cause when needed,
5) you prove the actions worked. [1]
Auditors usually test this clause by sampling a few nonconformity records and asking: “Show me the chain from detection to verification. Why did you choose these actions? How do you know it won’t recur?” If you cannot answer using your own documented artifacts, you will struggle in surveillance audits.
Who it applies to
Entity scope: Any organization operating an ISO 9001 quality management system. [1]
Operational scope (where it shows up):
- Production and service delivery (defects, missed SLAs, out-of-tolerance results)
- Document and record control (obsolete procedures used, missing approvals)
- Internal audits (audit findings are nonconformities or opportunities)
- Complaints and returns (external signals of failure)
- Supplier/third party issues (incoming nonconforming material, service failures)
- Training/competence failures (unqualified personnel performing controlled tasks)
If you run third-party risk management, treat third-party-caused failures as first-class nonconformities. The corrective action may land on the third party, your onboarding controls, or your monitoring process. Your system still owns the outcome.
What you actually need to do (step-by-step)
1) Define what counts as a nonconformity (and where it can be raised)
Create a written definition and intake channels. Minimum inputs:
- Customer complaint, return, or escalation
- Internal audit finding
- Process KPI breach where a requirement exists
- Employee-identified issue (frontline reporting)
Make it easy to submit: a simple form, ticket type, or QMS record.
2) React: containment, correction, and consequence management
For each nonconformity record, require documentation of:
- Containment: actions to prevent further nonconforming output (hold, stop-ship, access restriction, temporary workaround).
- Correction: actions to fix affected outputs when possible (rework, replace, re-perform service).
- Consequences handled: what happened to impacted product/service, customers, or downstream processes. [1]
Decision point: If there is potential external impact (customer, safety, regulatory, contract), route to an immediate escalation path.
3) Decide if corrective action is required (use explicit criteria)
Clause 10.2 requires you to evaluate the need for corrective action. [1]
Operationalize the decision with a short matrix. Example criteria:
- Recurrence (same issue happened before)
- Severity/impact (customer impact, regulatory impact, financial exposure)
- Detection failure (controls didn’t detect it early)
- Breadth (could occur elsewhere, multiple lines/sites/teams)
- Third-party involvement (systemic supplier failure risk)
Document the rationale either way. Auditors accept “no corrective action” if the justification is credible and recorded.
4) Perform root cause analysis (only to the level needed)
When corrective action is needed, require a root cause method appropriate to complexity:
- Simple process slips: 5 Whys with evidence
- Multi-factor issues: cause-and-effect categories, fault tree thinking, or structured investigation notes
The key is traceability: root cause must connect to the corrective action. “Operator error” is rarely an adequate root cause on its own; it usually points to training, procedure clarity, workload, or control design.
5) Plan and implement corrective actions (and assign accountable owners)
Your corrective action plan should include:
- Actions to remove or reduce the cause
- Owner and due date
- Dependencies (engineering change, procedure update, training, supplier change)
- Required approvals and change control steps
Keep actions proportional to the effect of the nonconformity. [1]
6) Verify effectiveness (don’t confuse it with completion)
Clause 10.2 requires review of effectiveness. [1]
Effectiveness checks should be defined at the time you create the action, such as:
- Targeted audit of the revised process
- Trend review of recurrence signals (complaints, defects, rework)
- Test/inspection evidence after a process change
- Supplier re-evaluation results if a third party was involved
Record the method, date, reviewer, and conclusion. If ineffective, reopen or create a new corrective action.
7) Update risks and opportunities, and captured knowledge
When a nonconformity reveals a systemic weakness, update:
- Risk register entries tied to the process
- Control narratives or SOPs
- Training/competence records
- Supplier controls (qualification, monitoring cadence, SLAs) [1]
This is where compliance and quality meet: you show learning, not just closure.
Required evidence and artifacts to retain
Keep a consistent “CAPA packet” for each nonconformity. Auditors want to sample and trace.
Minimum artifacts:
- Nonconformity intake record (what/where/when/who detected)
- Containment and correction actions, including disposition of affected outputs
- Impact assessment and consequence handling notes
- Corrective action decision record (why required or not required)
- Root cause analysis with supporting evidence
- Corrective action plan with owners, dates, approvals
- Change control records (procedure revisions, engineering changes, configuration updates)
- Training/communication records tied to the change
- Effectiveness review record (method, results, sign-off)
- Risk and opportunity updates tied back to the nonconformity [1]
Tooling note: Many teams run this in spreadsheets and shared drives. A system like Daydream can help by enforcing required fields, routing approvals, linking evidence, and producing an audit-ready trail without chasing screenshots across folders.
Common exam/audit questions and hangups
Auditors and certification bodies commonly probe:
- “Show me how you ensure nonconforming outputs are controlled.”
- “How do you decide whether corrective action is needed?”
- “Walk me from root cause to action. Why does this action prevent recurrence?”
- “What was your effectiveness check, and what evidence supports it?”
- “Did this nonconformity change your risks and opportunities?” [1]
Hangups that trigger findings:
- Closure based on task completion only (no effectiveness proof)
- Root cause statements that are opinions, not supported by evidence
- Repeated similar nonconformities with no systemic corrective action
- Actions taken but not reflected in controlled documents or training records
Frequent implementation mistakes (and how to avoid them)
- Treating every issue as a full CAPA. Result: the system clogs, and teams rubber-stamp. Fix: implement the corrective-action decision criteria and document “no CA required” decisions. [1]
- Root cause drift. Teams jump to solutions without showing causality. Fix: require “evidence” fields and a “cause-to-action mapping” section in the record.
- Containment missing or weak. Fixing the defect but shipping more defects is a classic audit failure. Fix: make containment mandatory for any potentially ongoing issue.
- Effectiveness checks that are vague. “Monitor” is not a method. Fix: define an effectiveness test at action-plan time with clear evidence types.
- No linkage to risk management. Clause language expects risk/opportunity updates when relevant. Fix: add a checkbox and narrative field: “Risk register impacted? Yes/No; if yes, link the entry.” [1]
Enforcement context and risk implications
ISO 9001 is a voluntary standard, so “enforcement” usually occurs through certification outcomes, customer audits, and contract consequences. Operationally, weak corrective action increases recurrence risk, drives customer dissatisfaction, and can conceal systemic compliance failures (for example, training and document control breakdowns). Clause 10.2 is also one of the easiest for auditors to validate through sampling, which makes it a high-likelihood finding area.
Practical 30/60/90-day execution plan
First 30 days (stabilize the workflow)
- Publish a one-page procedure: definition, intake sources, roles, escalation, record requirements. [1]
- Implement a standard nonconformity/CAPA template (form or ticket fields) with mandatory containment and decision criteria.
- Train process owners and internal auditors on how to write a defensible nonconformity statement and what evidence to attach.
- Start a weekly triage meeting for new records and aging actions.
By 60 days (make it auditable)
- Add root cause guidance and minimum evidence rules by category (process, supplier/third party, documentation, training).
- Establish effectiveness review expectations (who can verify, acceptable methods, required sign-offs). [1]
- Build a simple dashboard: open vs closed, overdue actions, recurrence themes, and top processes affected.
- Run a mini internal audit on a sample of recent records to test traceability and completeness.
By 90 days (make it systemic)
- Link CAPA outcomes to risk and opportunity updates and management review inputs. [1]
- Formalize third-party-related corrective actions: supplier notification, SCAR-style workflow if you use it, and verification steps.
- Calibrate the “corrective action required” threshold using actual workload and outcomes.
- If you use Daydream, configure required fields, approval routing, evidence libraries, and automated reminders so closure requires effectiveness proof.
Frequently Asked Questions
What’s the difference between correction and corrective action in ISO 9001 Clause 10.2?
Correction fixes the immediate nonconforming output (rework, replace, redo). Corrective action removes the cause to prevent recurrence, and it must include an effectiveness review when implemented. [1]
Do we need root cause analysis for every nonconformity?
No. You must evaluate the need for corrective action and document the decision. Root cause analysis applies when corrective action is needed to eliminate the cause. [1]
What evidence does an auditor typically expect for “effectiveness”?
Evidence depends on the issue, but it must show the action reduced recurrence risk (for example, an audit of the changed process or results from post-change inspections). Record the method, results, and reviewer sign-off. [1]
Can a customer complaint be handled outside the CAPA process?
You can use a separate complaints workflow, but you still must meet Clause 10.2 expectations when the complaint is a nonconformity: reaction, corrective-action decision, and effectiveness review when corrective action is taken. [1]
How do we handle nonconformities caused by a third party?
Document containment and impact first, then decide whether corrective action targets the third party, your selection/monitoring controls, or both. Keep the evidence trail on your side even if the third party performs the fix. [1]
What’s the minimum we must update in “risks and opportunities” after a CAPA?
Update risks and opportunities when the nonconformity changes your understanding of likelihood, impact, or control effectiveness. The key is traceable linkage from the CAPA record to the risk entry or a documented rationale for no update. [1]
Footnotes
[1] ISO 9001:2015 Quality management systems — Requirements