ISO 9001 Nonconformities: Types and How to Manage Them

Sooner or later, every quality management system runs into a nonconformity: a supplier delivering out of spec, an outdated document on the floor, a customer complaint that exposes a process out of control. The question isn't *whether* they'll show up (they will) but whether your system knows how to detect, classify and record them without turning into chaos.

If nonconformities in your company are handled across emails, spreadsheets and the memory of whoever happened to be there that day, this guide is for you. We’ll cover what an ISO 9001 nonconformity is, what types exist, and how to manage them —from the moment you detect one to the point where it’s documented and ready to be treated. (The corrective action process itself we cover in depth in another guide; here we focus on the part almost nobody gets right: detection, classification and recording.)

What a nonconformity is according to ISO 9001

ISO 9001 defines it simply: a nonconformity is the non-fulfilment of a requirement. That requirement can come from three places:

  • The ISO 9001:2015 standard itself.
  • Your internal procedures (what you said you’d do).
  • Applicable customer or legal requirements.

In other words: if something was supposed to meet a criterion and didn’t, you have a nonconformity. It’s not a punishment or a personal failure —it’s information. A well-managed nonconformity is one of the best sources of improvement your QMS has, because it points to exactly where the system isn’t working as it should.

The standard addresses nonconformities mainly in clause 10.2, which asks you to react to them, evaluate whether they need corrective action, and retain documented information as evidence. Clause 8.7 covers the narrower case of nonconforming outputs (product or service), which must be identified and controlled so they aren't delivered or used unintentionally.

Types of nonconformity

Not all nonconformities carry the same weight. Classifying them well is what lets you prioritize and respond proportionally. In practice, three categories are used:

Major nonconformity

A non-fulfilment that breaks the system or jeopardizes the ability to meet requirements. For example: the complete absence of a process required by the standard, or a failure that directly affects the product or the customer. In a certification audit, a major nonconformity can halt certification until it’s resolved.

Minor nonconformity

An isolated or one-off non-fulfilment that doesn’t compromise the whole system. For example: an unsigned record, a document that skipped a review step. It needs correcting, but it doesn’t represent a systemic failure.

Observation / opportunity for improvement

Not strictly a non-fulfilment, but an early warning: something that complies today but could become a nonconformity if left unattended. Recording these is what separates a reactive QMS from a preventive one.

Consultant tip: define these criteria in writing and share them with your team. Most “is this major or minor?” debates resolve themselves when there’s a clear rule set in advance, not improvised on the spot.

Correction vs corrective action: the difference almost everyone confuses

Here’s the most common misunderstanding on the topic, and it’s worth making crystal clear:

  • Correction: the immediate action to resolve the specific case. You found defective product → you segregate it. Put out the fire.
  • Corrective action: the action to eliminate the root cause and prevent the problem from happening again. Why did it come out defective? What needs to change in the process?

Every nonconformity needs a correction. Not all need corrective action —that depends on their severity and whether they can recur. Deciding that is part of managing the nonconformity.

The full root-cause and corrective-action process is developed in our ISO 9001 corrective actions guide. This guide focuses on the step before: detecting, classifying and documenting the nonconformity properly.

How to detect nonconformities

Nonconformities aren’t “found” in a single place; they surface through several channels. A good QMS catches them from all of them:

  • Internal audits — the most structured source (see our ISO 9001 internal audit guide).
  • Customer complaints and returns.
  • Indicators off target (a KPI that spikes usually hides a nonconformity).
  • Product or service inspections.
  • Supplier evaluation (deliveries out of spec).
  • Your own staff, when they notice something wasn’t done per the procedure.

The key isn’t just detecting them, but having a clear channel to report them. If reporting a nonconformity is hard or punished, people stop doing it —and the problem stays there, invisible.

How to document and record a nonconformity

A nonconformity that isn’t documented doesn’t exist for the system (or for the auditor). A good nonconformity record includes, at minimum:

  • Unique identification (NC number or reference).
  • Objective description: which requirement was breached and with what evidence. No “purchasing failed”; yes “no evidence found of re-evaluation for three critical suppliers, breaching procedure PR-PUR-02”.
  • Source (audit, complaint, indicator, etc.) and detection date.
  • Classification (major, minor, observation).
  • Owner responsible for follow-up.
  • Correction applied and, where applicable, a reference to the associated corrective action.
  • Status (open, in treatment, closed) and closure evidence.

That record is the backbone of traceability. When the external audit arrives and they ask “show me how you managed your nonconformities over the past year”, the difference between breaking into a cold sweat and opening a report is right here.

How to classify and prioritize without losing your mind

With clear type criteria, prioritize by impact and likelihood of recurrence:

1. Major and recurring first — they carry the most risk.

2. Isolated minor ones — correct and record, without overreacting.

3. Observations — schedule them for review; they’re your preventive radar.

The typical mistake is treating everything with the same urgency (and burning out the team) or, the other way around, leaving everything “for later” until it piles up. Consistent classification is what keeps the system in balance.

The full flow, at a glance

1. Detect the nonconformity (any of the sources).

2. Record it with an objective description and evidence.

3. Classify it (major / minor / observation).

4. Apply the immediate correction.

5. Decide whether it needs corrective action → if so, move to the corrective action process.

6. Follow up through to closure, with evidence.
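As an added example, not code from the original article or from QualityWeb 360: a minimal nonconformity register in Python that applies the record fields listed above, the prioritization rule (major and recurring first, isolated minors next, observations last) and the six-step flow. The field names, the closure rule (a major or likely-to-recur nonconformity must reference a corrective action before it can be closed, and nothing closes without evidence) and the sample records are assumptions for illustration; apart from PR-PUR-02, which appears on this page, the procedure codes and record numbers are made up.

```python
"""Nonconformity register: record, classify, correct, decide on corrective action, close.

Assumptions (not from the article): the field names, the closure rule below, and the
sample records, which are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Severity(Enum):
    MAJOR = "major"
    MINOR = "minor"
    OBSERVATION = "observation"


class Status(Enum):
    OPEN = "open"
    IN_TREATMENT = "in treatment"
    CLOSED = "closed"


@dataclass
class Nonconformity:
    nc_id: str                        # unique reference
    requirement: str                  # which requirement was breached (clause or procedure)
    evidence: str                     # objective evidence, not "purchasing failed"
    source: str                       # audit, complaint, indicator, inspection, supplier, staff
    detected: date
    severity: Severity
    owner: str
    recurrence_likely: bool = False   # assumption: set by the owner when evaluating the cause
    correction: Optional[str] = None
    corrective_action_ref: Optional[str] = None
    status: Status = Status.OPEN
    closure_evidence: Optional[str] = None


def missing_fields(nc: Nonconformity) -> list[str]:
    """Minimum record fields that are still empty."""
    return [f for f in ("nc_id", "requirement", "evidence", "source", "owner")
            if not getattr(nc, f).strip()]


def needs_corrective_action(nc: Nonconformity) -> bool:
    """Every NC gets a correction; corrective action only when the cause can recur
    or the severity justifies it. Observations are not non-fulfilments, so never."""
    if nc.severity is Severity.OBSERVATION:
        return False
    return nc.severity is Severity.MAJOR or nc.recurrence_likely


def apply_correction(nc: Nonconformity, correction: str) -> None:
    """Step 4: the immediate fix for the specific case moves the NC into treatment."""
    nc.correction = correction
    nc.status = Status.IN_TREATMENT


def closure_blockers(nc: Nonconformity, closure_evidence: str) -> list[str]:
    """Everything that still prevents closure; an empty list means it can be closed."""
    problems = missing_fields(nc)
    if nc.correction is None and nc.severity is not Severity.OBSERVATION:
        problems.append("correction")
    if needs_corrective_action(nc) and nc.corrective_action_ref is None:
        problems.append("corrective_action_ref")
    if not closure_evidence.strip():
        problems.append("closure_evidence")
    return problems


def close(nc: Nonconformity, closure_evidence: str) -> None:
    """Step 6: close only with evidence and, where required, a linked corrective action."""
    problems = closure_blockers(nc, closure_evidence)
    if problems:
        raise ValueError(f"{nc.nc_id} cannot be closed, missing: {', '.join(problems)}")
    nc.closure_evidence = closure_evidence
    nc.status = Status.CLOSED


def _tier(nc: Nonconformity) -> int:
    if nc.severity is Severity.OBSERVATION:
        return 2
    return 0 if (nc.severity is Severity.MAJOR or nc.recurrence_likely) else 1


def prioritize(register: list[Nonconformity]) -> list[Nonconformity]:
    """Open items only: major and recurring first, isolated minors next, observations last,
    older before newer within a tier."""
    rank = {Severity.MAJOR: 0, Severity.MINOR: 1, Severity.OBSERVATION: 2}
    return sorted((nc for nc in register if nc.status is not Status.CLOSED),
                  key=lambda nc: (_tier(nc), rank[nc.severity], nc.detected))


def build_sample_register() -> list[Nonconformity]:
    """Constructed sample data; PR-PUR-02 is from the article, the rest is made up."""
    return [
        Nonconformity("NC-0001", "PR-PUR-02 supplier re-evaluation",
                      "no evidence of re-evaluation for three critical suppliers",
                      "internal audit", date(2024, 3, 4), Severity.MAJOR, "purchasing lead",
                      recurrence_likely=True),
        Nonconformity("NC-0002", "PR-DOC-01 record sign-off", "batch record 4711 unsigned",
                      "inspection", date(2024, 3, 6), Severity.MINOR, "production supervisor"),
        Nonconformity("NC-0003", "PR-CAL-03 calibration", "gauge G-12 due in two weeks, no slot booked",
                      "staff", date(2024, 3, 1), Severity.OBSERVATION, "metrology"),
        Nonconformity("NC-0004", "PR-DOC-01 record sign-off", "batch record 4720 unsigned, second this month",
                      "inspection", date(2024, 3, 8), Severity.MINOR, "production supervisor",
                      recurrence_likely=True),
    ]


def run_sample_flow() -> list[str]:
    """Walk the major NC through correction, corrective-action link and closure;
    return the IDs still open, in priority order."""
    register = build_sample_register()
    major = register[0]
    apply_correction(major, "re-evaluation completed for the three suppliers")
    major.corrective_action_ref = "CA-0001"   # constructed reference to the corrective action
    close(major, "signed re-evaluation forms attached")
    return [nc.nc_id for nc in prioritize(register)]


if __name__ == "__main__":
    print(run_sample_flow())
```

The point of `closure_blockers` is that the system, not the person closing the record, enforces the rule from clause 10.2: a nonconformity with no correction, no closure evidence, or (where the cause can recur) no linked corrective action simply cannot reach the closed state, which is exactly what the external auditor will check.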

How to stop managing nonconformities in Excel

Almost all the pain of nonconformities doesn’t come from the standard: it comes from tracking them by hand. One NC in an email, another in a spreadsheet, the evidence in a shared folder, the follow-up in the head of someone who already left the company.

A quality management software like QualityWeb 360 gives you one place for the whole cycle: raise the nonconformity with its evidence, classify it, link it to the correction and —where applicable— to the corrective action, and track it through to closure with full traceability. When the auditor arrives, you rebuild nothing: the history is right there.

Want to know how mature your nonconformity handling —and the rest of your QMS— is today? Take our QMS maturity assessment in a few minutes and get a report with your weak spots. And if you’d like to see the whole cycle inside the platform, book a demo.

Frequently asked questions

What’s the difference between a nonconformity and a defect?

A defect is the non-fulfilment of a requirement related to an intended or specified use of the product. A nonconformity is broader: the non-fulfilment of any requirement (of the standard, the procedure or the customer), not just the product. Every defect is a nonconformity, but not every nonconformity is a defect.

How many types of nonconformity are there in ISO 9001?

The standard doesn’t set a rigid classification, but in practice three levels are used: major (compromises the system), minor (isolated non-fulfilment) and observation or opportunity for improvement (preventive warning). What matters is defining your own criteria in writing and applying them consistently.

Does every nonconformity require a corrective action?

No. Every nonconformity requires a correction (resolving the specific case), but only those whose cause can recur or whose impact justifies it need corrective action. Evaluating that need is part of clause 10.2.

What happens if I have a major nonconformity in the certification audit?

A major nonconformity normally prevents granting or maintaining certification until it’s resolved and the effectiveness of the action taken is demonstrated. That’s why it pays to detect and close them in your internal audits, before the external body shows up.

Where should I record nonconformities?

They can be recorded in any medium that ensures traceability, but doing so in Excel and shared folders scales poorly and gets chaotic. A quality management software centralizes the record, classification, evidence and follow-up, which reduces the risk of unclosed nonconformities in the external audit.
