
An ISO 27001 non-conformity is a specific failure to meet a requirement of the standard, and it signals a gap in your information security management system (ISMS) that auditors will formally record. Non-conformities split into two categories: major, which represent a total absence or failure of a required ISMS element, and minor, which are isolated lapses that do not block certification. Understanding real ISO 27001 non-conformity examples is the fastest way to close gaps before your next audit, because abstract definitions rarely drive corrective action the way concrete cases do. This guide covers both types with practical context, remediation guidance, and the distinction between non-conformities and observations.
1. What are major ISO 27001 non-conformity examples?
A major non-conformity represents a total absence or failure of a required ISMS element that can prevent certification or trigger suspension. These are not documentation oversights. They indicate that a core part of your ISMS does not exist or has completely broken down.
The most common major non-conformities found in 2026 certification audits include:
- No internal audit program. The organization has never conducted an internal audit of its ISMS, or the audit program has not run in over a year. Clause 9.2 requires a planned, repeatable internal audit cycle.
- Missing or inadequate risk assessment. Risk assessments commonly fail due to missing asset identification, no documented methodology, absent risk ownership, or a Statement of Applicability (SoA) with outdated justifications. Clause 6.1.2 is explicit: every risk must be identified, analyzed, and owned.
- No management review. Top management has not reviewed the ISMS within the audit period. Clause 9.3 requires documented evidence of management review outputs, including decisions and resource commitments.
- Controls selected with no SoA linkage. The organization implements controls from Annex A but cannot demonstrate why each was included or excluded. Auditors treat this as a systemic failure of planning.
- No corrective action process. The organization has no mechanism for recording, investigating, or closing non-conformities. This directly violates Clause 10.2.
Certification bodies allow remediation windows of 30–90 days for major non-conformities in initial certification audits. That window sounds generous, but rebuilding a risk assessment methodology or standing up an internal audit program from scratch takes longer than most teams expect.
Multiple minor non-conformities linked by the same root cause can escalate to a major non-conformity, showing systemic failure rather than isolated gaps. Three separate findings about missing evidence across different controls, all caused by the same absent record-keeping process, will likely be aggregated by an experienced auditor.

Pro Tip: Before your Stage 2 audit, map every Annex A control to your SoA and confirm each has at least one piece of dated evidence. A control that exists on paper but has no operational record is treated the same as a control that does not exist.
2. Common minor ISO 27001 non-conformity examples
A minor non-conformity is an isolated lapse that requires a corrective action plan but does not block certification. Certification bodies typically allow 30–60 days for remediation of minor non-conformities in initial audits. The key word is “isolated.” The moment a pattern emerges across multiple minor findings, the classification changes.
Typical minor non-conformities include:
- Outdated security policies. The organization has an information security policy, but it has not been reviewed or approved within the period defined in the document itself. Clause 5.2 requires policies to be reviewed at planned intervals.
- Incomplete security awareness training records. Staff completed training, but attendance logs or completion certificates are missing for a subset of employees. The control exists; the evidence does not.
- Overdue supplier assessments. Third-party supplier security reviews are required annually per your ISMS, but two vendors have not been assessed in 18 months. Annex A control 5.19 requires ongoing supplier relationship management.
- Access reviews not completed on schedule. User access rights reviews were planned quarterly but were skipped for one quarter. The process exists; execution lapsed once.
- Vulnerability scan results not acted on. Scans were conducted, but remediation tickets were not created or tracked for medium-severity findings within the defined SLA.
Auditors look for evidence that controls have operated consistently over time, not merely that documentation exists. A policy document dated three years ago with no review record fails this test, even if the policy content is technically sound.
Root cause analysis matters even for minor findings. Saying “we forgot” does not satisfy Clause 10.2. You need to explain what in your ISMS allowed the lapse to occur and what systemic change prevents recurrence. For overdue supplier assessments, the root cause is often absent calendar reminders or unclear ownership, not negligence.
Pro Tip: Build a simple evidence calendar that maps each control to a review date and an owner. Review it monthly. This single practice prevents the majority of minor non-conformities before they appear on an audit report.
3. How do auditors differentiate non-conformities from observations?
Observations, or opportunities for improvement (OFI), differ from non-conformities. They do not record a failure against an ISO 27001 requirement; they suggest an enhancement. Understanding this distinction helps you prioritize your response correctly.
Here is how auditors classify findings:
- Non-conformity (major). A required ISMS element is absent or has completely failed. Certification cannot proceed or continue without a formal corrective action plan and evidence of resolution.
- Non-conformity (minor). A specific requirement is partially unmet or shows an isolated lapse. Certification can proceed, but a corrective action plan with a defined closure date is mandatory.
- Observation or OFI. The auditor notes a weakness that does not yet breach a requirement. No formal corrective action is required, but the finding is recorded. Ignoring observations often leads to future non-conformities and audit risk.
- Positive finding. The auditor records a control or process that demonstrates good practice. These are rare in formal reports but signal areas of strength.
The practical difference between a minor non-conformity and an observation often comes down to whether a specific clause requirement is breached. An access review completed two weeks late is a minor non-conformity because the requirement specifies a schedule. A suggestion to automate that review is an observation because automation is not required by the standard.
Auditors also consider whether a finding is systemic or isolated. A single missed training record is an observation candidate. The same gap across 40% of staff is a non-conformity. Your job during an audit is to provide context that helps the auditor classify findings accurately, not to argue against legitimate findings.
4. Best practices for root cause analysis and corrective actions
Clause 10.2 of ISO 27001 requires organizations to investigate non-conformities, determine root causes, and implement corrective actions that prevent recurrence. The distinction between a correction and a corrective action is critical. A correction fixes the immediate problem. A corrective action fixes the system that allowed the problem to occur.
Skipping root cause analysis or blaming “human error” alone is a common mistake rejected by auditors. Root causes must explain the systemic ISMS gaps that allowed failures. “Someone forgot to run the supplier assessment” is a correction-level explanation. “The ISMS has no assigned owner for supplier review scheduling and no automated reminder process” is a root cause.
Common root causes behind ISO 27001 compliance failures include unclear control ownership, missing calendar-based reminders, training gaps for new staff, and no escalation path when deadlines slip. Each of these points to a process gap, not a people gap. Fixing the process is what auditors verify at closure.
Documenting corrective actions correctly matters as much as implementing them. Your corrective action record should include the non-conformity description, the root cause finding, the specific actions taken, the person responsible, the target closure date, and the evidence of verification. Auditors review this documentation at surveillance audits to confirm the fix held. When prioritizing remediation, structuring your response by control domain helps teams allocate effort where audit risk is highest.
Pro Tip: Use a five-whys analysis for every non-conformity, even minor ones. Ask “why did this happen?” five times in sequence. By the fourth or fifth answer, you almost always reach a process or governance gap that your ISMS can actually fix.
Key takeaways
ISO 27001 non-conformities are classified as major or minor based on whether they represent a total ISMS failure or an isolated lapse, and both require documented corrective actions under Clause 10.2.
| Point | Details |
|---|---|
| Major vs. minor classification | Major non-conformities block certification; minor ones require a corrective action plan but allow certification to proceed. |
| Cumulative minor findings | Multiple minor non-conformities sharing the same root cause can be aggregated into a major non-conformity by auditors. |
| Evidence over documentation | Auditors require proof that controls operated consistently over time, not just that policies exist on paper. |
| Root cause depth | Blaming human error alone fails Clause 10.2; root causes must identify the systemic ISMS gap that allowed the failure. |
| Observations carry risk | Observations require no formal response, but ignoring them consistently leads to future non-conformities. |
Why I stopped dreading non-conformity findings
Most compliance teams treat a non-conformity finding like a penalty card. I used to think the same way. After working through multiple ISO 27001 certification cycles, I changed my view entirely.
Auditors do not expect zero non-conformities. They expect a repeatable process for detecting and fixing gaps. An organization that finds nothing in its internal audits is not performing well. It is not looking hard enough. The teams that sail through surveillance audits are the ones that already found and closed their own gaps before the external auditor arrived.
The real risk is not getting a non-conformity. The real risk is getting the same non-conformity twice. That tells an auditor your corrective action process does not work. I have seen organizations lose certification not because of the original finding, but because their closure evidence was superficial and the issue recurred at the next surveillance visit.
My advice: treat your internal audit program as the most valuable part of your ISMS. Use it aggressively. Find your own common audit failures before the certification body does. Document your root causes with enough depth that a new team member could read the record and understand exactly what changed and why. That discipline is what separates organizations that maintain certification from those that scramble to keep it.
— Martin
Ismscalculator tools for ISO 27001 readiness
Identifying non-conformities before your audit is far less costly than responding to them under a 30–90 day remediation deadline.

Ismscalculator provides a structured ISO 27001 readiness assessment that maps your current ISMS maturity across all 14 ISO domains, flags control gaps, and produces a prioritized remediation plan. The platform also includes a free 2-minute readiness check for teams that want a quick baseline before committing to a full assessment. If your non-conformities point to deeper implementation gaps, the consultant finder connects you with vetted ISO 27001 implementers and lead auditors who can guide your corrective action process from root cause through closure.
FAQ
What is a non-conformity in ISO 27001?
A non-conformity in ISO 27001 is a specific failure to meet a requirement of the standard within your ISMS. It is classified as major if a required element is entirely absent, or minor if it represents an isolated lapse.
What are the most common major non-conformity examples?
The most common major non-conformities include no internal audit program, a missing or inadequate risk assessment, no management review, and controls with no documented SoA linkage. Each represents a complete failure of a required ISMS element.
How long do you have to fix a non-conformity after an audit?
Certification bodies typically allow 30–90 days to remediate major non-conformities and 30–60 days for minor ones during initial certification audits. The exact window depends on the certification body and audit stage.
What is the difference between an observation and a non-conformity?
An observation, or opportunity for improvement, does not breach a specific ISO 27001 requirement and requires no formal corrective action. A non-conformity directly violates a clause requirement and mandates a documented corrective action plan.
Can minor non-conformities become major?
Yes. Multiple minor non-conformities that share the same root cause can be aggregated by an auditor into a single major non-conformity, reflecting a systemic ISMS failure rather than isolated gaps.