Nonconformity and Corrective Action Explained for ISO 42001

ISO 42001 Clause 10.2

The corrective action process is what turns a problem into improvement. The standard sets out a structured response to nonconformity that any management system should follow.

ISO 42001 Clause 10.2 - Nonconformity and Corrective Action Explained

Clause 10.2 follows the standard Annex SL nonconformity and corrective action requirements. The clause applies to nonconformities of the AI management system itself, identified through internal audit, external audit, monitoring activity, incident handling, customer feedback or any other route. AI system performance problems are managed through the operational controls in Clause 8 and the Annex A.6 life cycle controls, which feed nonconformities back into Clause 10.2 when management system implications arise.

What ISO 42001 Clause 10.2 requires

When a nonconformity occurs, the organisation must react to the nonconformity by taking action to control and correct it and dealing with the consequences. The organisation must evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere. This evaluation involves reviewing the nonconformity, determining its causes, and determining whether similar nonconformities exist or could potentially occur. The organisation must implement any action needed, review the effectiveness of corrective action taken, and make changes to the AI management system if necessary.

Corrective actions must be appropriate to the effects of the nonconformities encountered. Documented information must be available as evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action.

The corrective action process step by step

The structured response to nonconformity has six recognisable steps:

1. React - control the immediate nonconformity and deal with the consequences.
2. Review - examine what happened to understand the scope and severity.
3. Root cause - identify the underlying causes that allowed the nonconformity to occur.
4. Similar issues - check whether similar nonconformities exist elsewhere or could occur in similar circumstances.
5. Action - implement the corrective actions needed to eliminate the causes.
6. Verify - review the effectiveness of the corrective actions to confirm they have worked.

Each step generates documented information. The reaction is recorded as the immediate response. The review captures the scope and severity. The root cause analysis records the underlying causes. The similar-issues check confirms whether wider action is needed. The corrective action records the planned and completed actions. The verification confirms effectiveness.

Distinguishing correction from corrective action

Correction is the immediate response that addresses the nonconformity. Corrective action is the deeper response that addresses the cause. The two are different and both are required. Correction without corrective action means the same problem will likely recur. Corrective action without correction means the immediate consequences are unaddressed.

For an AI nonconformity, an example illustrates the distinction. If an internal audit finds that the impact assessment for a specific AI system is six months out of date, the correction is to perform the impact assessment now. The corrective action is to review why the impact assessment review schedule was missed, fix the underlying scheduling or accountability issue, and check whether other impact assessments are similarly behind.

Updating the management system

Where corrective action identifies that the AI management system itself needs to change - through updated procedures, additional controls, revised responsibilities or new documented information - those changes are made under Clause 6.3 Planning of Changes and reflected in the management system documentation. Closing the corrective action without making the necessary management system changes is a common gap that audits pick up.

When auditing Clause 10.2, I trace nonconformities through to closure. I want to see the immediate correction, the root cause analysis, the corrective action plan, the implementation evidence and the verification of effectiveness. Closure without verification is a common finding.

I also look at trends. A pattern of nonconformities in the same area suggests that previous corrective actions have not been effective and the underlying issue has not been addressed. Trend analysis at the management review under Clause 9.3 is what catches this.

The integration with the issues and actions register is what makes this work in practice. Every nonconformity goes on the register with the date, description, cause analysis, planned action, owner and target date. The register tracks closure and verification, and the register feeds the management review. One operational document supports the whole corrective action process.

The discipline of distinguishing correction from corrective action takes time to embed. Many organisations naturally focus on the immediate fix and skip the cause analysis. The standard requires both, and audits will find the gap.

Every nonconformity goes on the register, AI or not. Same form, same root cause approach, same verification. The only difference for AI is that the IMS lead reviews the cause analysis to check whether the management system itself needs updating, not just the local correction.
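The register described above, with its closure and trend rules, can be modelled in a few dozen lines. The following is an added example written for this article; it is not alphaZ's ER1 register, IMS1 procedure or any code of theirs, and the field names, the `REVIEW_DATE` constant and the sample entries are assumptions constructed for illustration. It enforces that an item cannot be closed until correction, root cause analysis, the similar-issues check, corrective action and verification of effectiveness are all evidenced (with the IMS lead review added for AI-related items), lists overdue open items, and flags areas with repeated nonconformities for the Clause 9.3 management review.

```python
"""Issues and actions register model for ISO 42001 Clause 10.2 (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed review date used by the stand-alone demo below (assumption).
REVIEW_DATE = date(2024, 7, 1)


@dataclass
class Nonconformity:
    """One row of the register. Field names are assumptions, not ER1's layout."""
    ref: str
    area: str                        # part of the AIMS affected; used for trend analysis
    raised: date
    description: str
    owner: str = ""
    target: Optional[date] = None
    correction: str = ""             # immediate fix of the nonconformity itself
    root_cause: str = ""             # why the nonconformity was allowed to occur
    similar_checked: bool = False    # "could it exist or occur elsewhere" check done
    corrective_action: str = ""      # action on the cause, to prevent recurrence
    verified_effective: Optional[bool] = None  # None until verification is performed
    ai_related: bool = False         # arose from ISO 42001 activity
    ims_lead_reviewed: bool = False  # IMS lead checked whether the AIMS itself must change
    closed: bool = False


def closure_blockers(nc: Nonconformity) -> list[str]:
    """Reasons an item may not yet be closed; an empty list means it may close."""
    blockers = []
    if not nc.correction:
        blockers.append("no correction recorded")
    if not nc.root_cause:
        blockers.append("no root cause analysis")
    if not nc.similar_checked:
        blockers.append("similar-issues check not done")
    if not nc.corrective_action:
        blockers.append("no corrective action recorded")
    if nc.verified_effective is None:
        blockers.append("effectiveness not verified")
    elif nc.verified_effective is False:
        blockers.append("corrective action verified ineffective")
    if nc.ai_related and not nc.ims_lead_reviewed:
        blockers.append("IMS lead has not reviewed cause analysis")
    return blockers


def close_item(nc: Nonconformity) -> Nonconformity:
    """Close the item only when nothing blocks closure; raise otherwise."""
    blockers = closure_blockers(nc)
    if blockers:
        raise ValueError(f"{nc.ref}: cannot close: " + "; ".join(blockers))
    nc.closed = True
    return nc


def overdue(register: list[Nonconformity], today: date) -> list[str]:
    """Refs of open items whose target date has passed."""
    return [nc.ref for nc in register
            if not nc.closed and nc.target is not None and nc.target < today]


def trend_alerts(register: list[Nonconformity], threshold: int = 2) -> dict[str, int]:
    """Areas with repeated nonconformities, for the management review.

    A recurring area suggests earlier corrective actions did not address the cause.
    """
    counts = Counter(nc.area for nc in register)
    return {area: n for area, n in counts.items() if n >= threshold}


def sample_register() -> list[Nonconformity]:
    """Constructed sample entries (not real register data)."""
    return [
        Nonconformity("NC-01", "impact assessment", date(2024, 3, 1),
                      "Impact assessment for credit model six months out of date",
                      owner="AI lead", target=date(2024, 4, 30),
                      correction="Assessment performed 2024-03-05",
                      root_cause="Review dates held in one person's calendar, not the register",
                      similar_checked=True,
                      corrective_action="Review dates tracked in the register with an owner",
                      verified_effective=True, ai_related=True, ims_lead_reviewed=True),
        Nonconformity("NC-02", "impact assessment", date(2024, 6, 1),
                      "Second impact assessment overdue", owner="AI lead",
                      target=date(2024, 6, 30), correction="Assessment performed",
                      ai_related=True),
        Nonconformity("NC-03", "supplier review", date(2024, 5, 15),
                      "Annual supplier review not evidenced", owner="Procurement",
                      target=date(2024, 7, 15), correction="Review completed",
                      root_cause="No owner assigned", similar_checked=True,
                      corrective_action="Owner named in the procedure"),
    ]


if __name__ == "__main__":
    register = sample_register()
    close_item(register[0])
    for nc in register:
        print(nc.ref, "closed" if nc.closed else closure_blockers(nc))
    print("overdue:", overdue(register, REVIEW_DATE))
    print("trends:", trend_alerts(register))
```

Run as a script it closes NC-01, reports why NC-02 and NC-03 stay open, lists NC-02 as overdue, and flags "impact assessment" as a repeat area. The point of `closure_blockers` is that "correction recorded" alone never closes an item, which is the gap the article says audits most often find.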

Practical Compliance Guidance

The IMS1 Manual, Section 5.2 (Control of Nonconforming Outputs, Problems and Complaints), together with procedure IMS1-5-2-1 (Control of Non-conforming Outputs), documents the procedure for managing nonconformities across the management system, including the AI-specific nonconformities arising from ISO 42001 activities. All problems, issues and improvement ideas are logged on the issues and actions register, with significant problems also documented through a problem form.

The following alphaZ documents support compliance with ISO 42001 Clause 10.2.

alphaZ document | How to use it
ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation, including IMS1, where the nonconformity and corrective action procedure is defined.
ER1 Issues and Actions Register | Records nonconformities, the actions taken in response, the root cause analysis, the corrective actions, the verification of effectiveness and the closure of each item.
F-Q3 Management Review | Provides the format for reviewing trends in nonconformities and corrective action effectiveness at the management review.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Correction is the immediate response that addresses the nonconformity. Corrective action is the deeper response that addresses the cause to prevent recurrence. The standard requires both. Correction without corrective action means the same problem will likely recur. Corrective action without correction means the immediate consequences are unaddressed.

An AI incident is typically a problem with the AI system itself, managed through operational controls under Clause 8. Where the incident reveals a nonconformity in the AI management system - for example, a missing control, an outdated risk assessment or a procedure that did not work as intended - that nonconformity goes through the corrective action process under Clause 10.2. Not every incident leads to a management system nonconformity, but every management system nonconformity must go through the corrective action process.

Verification depends on the corrective action. For procedural changes, a follow-up audit can confirm the new procedure is being followed. For training-based actions, observation or assessment can confirm competence. For control-based actions, monitoring data over time can confirm the control is achieving the intended effect. The verification method should be defined when the corrective action is planned, and the result documented.
