Cybernion
← Insights

ISO 27001

ISO 27001 Nonconformities: Major vs Minor and How to Close Them

3 July 2026 · Updated 3 July 2026

Short answer: A nonconformity is a failure to meet an ISO 27001 requirement. A major is a serious or systemic breakdown that blocks certification until closed. A minor is an isolated lapse that usually does not. Clause 10.2 requires you to correct the issue, find the root cause, act to prevent recurrence, and prove the action worked.

Findings unsettle people more than they should. A minor nonconformity at a first certification audit is normal and rarely stops the certificate. A major is serious but recoverable if you handle it well. What matters is the response: correction, root cause, corrective action, and evidence. This explains the difference and how to close both.

What is a nonconformity in ISO 27001?

A nonconformity is a failure to meet a requirement. The requirement can be a clause of ISO/IEC 27001:2022, one of your own documented controls or policies, or a legal or contractual obligation the ISMS commits to meet. When an auditor finds a requirement that is not being met, they raise it as a nonconformity.

Clause 10.2 governs what happens next. You have to react to the nonconformity and correct it, evaluate whether action is needed to stop it recurring, implement that action, and review whether it worked. The clause also requires you to keep documented information as evidence of the nonconformity and the action taken. A finding is not a failure of the audit. It is the audit doing its job, and the standard assumes findings will happen.

What is the difference between a major and a minor ISO 27001 nonconformity?

The grading reflects severity and reach, and it determines whether the certificate can issue.

Major nonconformityMinor nonconformity
NatureSignificant or systemic failureIsolated lapse
ExampleA required process absent, or a control failing across the boardA single record missing where the process otherwise works
Effect on ISMSCasts doubt on whether the Information Security Management System (ISMS) is effectiveISMS is sound, one instance slipped
Effect on certificateUsually blocks certification until closedUsually does not block certification
VerificationOften a return visit or evidence review to confirm closureTypically verified at the next surveillance audit

The line between them is judgement, made by the auditor. A single missing access review is likely a minor. Access reviews never having been done is a systemic gap and likely a major. A cluster of related minors can be reclassified as a major because together they suggest the process does not really work.

Does a major ISO 27001 nonconformity stop the certificate issuing?

Usually, yes. A certification body will not issue or maintain a certificate while a major nonconformity is open, because a major casts doubt on whether the ISMS meets the standard at all.

The path to the certificate runs through a corrective action plan. You submit how you will fix the issue and prevent recurrence, close it within the deadline the certification body sets, and the body verifies the closure, often through evidence review or a return visit before granting the certificate. This is why a major found at Stage 2 delays certification rather than ending it. Handle the response well and the certificate follows once the fix is verified. A well run internal audit before the external one is how most teams catch majors early enough to fix them without the clock running.

How long do I have to close an ISO 27001 nonconformity?

The certification body sets the deadline, not the standard. Majors carry a short window, often around 90 days, with certification held until the issue is closed and verified. Minors usually allow more time and are commonly confirmed closed at the next surveillance audit.

Treat the deadline as firm. A major left open past its window can escalate to suspension or withdrawal of certification for an existing certificate, or a stalled certification for a first audit. The practical move is to acknowledge the finding fast, submit the corrective action plan early, and give the certification body clean evidence to verify against. The exact timeframes and verification method come from your certification body’s rules, which is one reason choosing a JAS-ANZ accredited body with a process you can work with matters.

What does it take to close an ISO 27001 nonconformity?

Clause 10.2 sets out four elements, and skipping any one is the usual reason a corrective action gets rejected.

  • Correction: fix the immediate issue so the requirement is met now
  • Root cause analysis: find why it happened, not just what happened
  • Corrective action: change the process or control so it cannot recur
  • Verification: gather evidence that the corrective action actually worked

The element teams skip is root cause. Fixing the one missing record without asking why it went missing leaves the process able to fail again, and an auditor rejects a corrective action that treats the symptom. Do the root cause analysis, act on it, and keep the evidence. Cybernion helps teams work through ISO 27001 corrective actions that satisfy clause 10.2 and the certification body. For where findings feed back into leadership decisions, see the clause 9.3 management review. The ISO 27001 readiness checklist and stage 1 vs stage 2 audit guide are useful reading before you reach an audit where findings are raised.

Frequently asked questions

What is a nonconformity in ISO 27001?

A nonconformity is a failure to meet a requirement, whether a clause of ISO 27001, one of your own documented controls, or a legal or contractual obligation the ISMS commits to. Auditors raise them as findings, and clause 10.2 requires you to react, correct and prevent recurrence.

What is the difference between a major and a minor ISO 27001 nonconformity?

A major nonconformity is a significant failure, such as a missing required process or a systemic breakdown, that puts the ISMS in doubt. A minor is an isolated lapse against a requirement that is otherwise in place. Majors usually block certification until closed, minors typically do not.

Does a major ISO 27001 nonconformity stop the certificate issuing?

Usually yes. A certification body will not issue or maintain a certificate while a major nonconformity is open. You have to submit a corrective action plan, close the issue, and have the certification body verify the fix, often through evidence review or a return visit, before the certificate is granted.

How long do I have to close an ISO 27001 nonconformity?

The certification body sets the deadline. Majors are typically given a short window, often around 90 days, with certification held until closed. Minors usually allow more time and are verified at the next surveillance audit. The exact timeframes come from your certification body, not the standard.

What does closing an ISO 27001 nonconformity require?

Correction to fix the immediate issue, root cause analysis to find why it happened, corrective action to stop it recurring, and evidence that the action worked. Clause 10.2 requires all four. A fix without root cause analysis is usually rejected because it does not prevent recurrence.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us.

Sources:

  1. ISO/IEC 27001:2022, iso.org, 2022

Last updated: 3 July, 2026

Talk to us about your engagement

A scoped proposal within one business day.