Managing Nonconformities and Corrective Actions Under ISO 9001

ISO 9001 Clause 10.2

This clause requires the organisation to have a formal process in place for dealing with any nonconformities that occur within the quality management system.

 

What Does ISO 9001 Clause 10.2 Require?

Clause 10.2 of ISO 9001:2015 covers what the organisation must do when a nonconformity occurs - including those arising from customer complaints. The clause distinguishes between the immediate response to the nonconformity and the longer-term corrective action process aimed at preventing recurrence.

The Immediate Response

When a nonconformity occurs, the organisation must react to it - controlling and correcting the specific instance and dealing with the consequences. This is the containment response, and it links directly to Clause 8.7, which covers the control of nonconforming outputs at the point of production or service delivery.

Root Cause Analysis and Corrective Action

Clause 10.2 then requires the organisation to go further - evaluating whether corrective action is needed to prevent recurrence. This means reviewing and analysing the nonconformity, determining its root cause, and assessing whether similar nonconformities exist or could occur elsewhere. Where corrective action is warranted, the actions must be implemented and their effectiveness reviewed.

The standard is clear that corrective actions must be proportionate to the effects of the nonconformity. Not every minor issue requires a full root cause investigation and process redesign. Common root cause analysis techniques include five whys, fishbone (Ishikawa) diagrams, and failure mode analysis. The method matters less than the discipline of genuinely asking why something happened rather than just fixing the symptom.

Where a nonconformity reveals risks or opportunities not previously identified, the F-IMS23 Risks and Opportunities Register should be updated. If the QMS itself needs to change as a result, those changes should be made under Clause 6.3.

Documented Information Required

The organisation must retain documented information describing the nature of the nonconformity and any subsequent actions taken, and the results of any corrective action. This creates the audit trail showing that nonconformities are being properly managed and that the QMS is learning from them.

When I'm auditing against Clause 10.2, I look at the nonconformance register and ask three questions: are nonconformities being captured, are root causes being investigated rather than just individual instances being patched, and are the corrective actions actually closing the problem? A register that shows the same type of nonconformity appearing repeatedly without root cause action is the clearest sign that corrective action isn't working. I'll also check that customer complaints are going through the same process - the standard explicitly includes those.

The root cause analysis step is where the value is. Correcting the specific instance is the easy part. Understanding why it happened - and what needs to change to stop it happening again - is what the clause is actually asking for. Simple techniques like five whys work well for most nonconformities. What matters is that the reasoning is documented, not just the action. A corrective action record that says "retrained staff" without explaining why the training gap existed doesn't demonstrate the root cause has been addressed.

We log everything through our issues register - internal audit findings, customer complaints, production problems. It took some discipline to build the habit but it's worth it. When the external auditor comes, you can show a year's worth of issues, the actions taken, and the outcomes. That's a much better position than scrambling to remember what happened six months ago.

Log it, find out why it happened, fix it, check the fix worked. The ER1 register handles the documentation. The bit organisations skip is the "find out why" step - they fix the immediate problem and move on without addressing the cause, then wonder why the same thing keeps coming back.

Practical Compliance Guidance

To comply with Clause 10.2, the organisation needs a defined process for documenting nonconformities, analysing root causes, implementing corrective actions, and verifying their effectiveness.

The alphaZ documents below support compliance with Clause 10.2.

alphaZ document | How it supports Clause 10.2
ISO 9001 Management System Toolkit | The complete toolkit including the issues and actions register and all supporting documents for nonconformity and corrective action management.
ER1 Issues and Actions Register | The primary tool for recording nonconformities, root cause analysis, corrective actions and verification of effectiveness - directly meeting the documented information requirements of Clause 10.2.2.
F-Q10 Significant Problem, Incident and Complaint Form | A structured form for documenting individual significant nonconformities, incidents and complaints in detail, capturing the problem description, investigation, root cause and corrective action in one record.
F-IMS23 Opportunities and Risks Register | Should be updated where a nonconformity reveals risks or opportunities not previously identified, as required by Clause 10.2.1.

Note - all the above files can be downloaded with an alphaZ subscription

Frequently Asked Questions

No - corrective action must be appropriate to the effects of the nonconformity. For minor, isolated issues with limited consequences, a simple correction may be sufficient. For significant nonconformities, those with customer impact, or those that keep recurring, a more thorough root cause analysis is warranted. The key question is whether this could happen again - and if so, whether the underlying cause needs to be addressed to prevent it.

Clause 8.7 covers the immediate control and disposition of nonconforming outputs - what to do with something that doesn't meet requirements right now. Clause 10.2 covers the broader corrective action process - analysing why it happened and taking action to prevent recurrence. The two are complementary: Clause 8.7 handles the immediate problem, Clause 10.2 addresses the root cause. Both require documented records.

Yes - the standard explicitly states that Clause 10.2 applies to nonconformities including those arising from complaints. A customer complaint indicating that a product or service failed to meet requirements should go through the corrective action process - documented, root cause analysed where appropriate, actioned, and verified. Treating complaints only as a customer service matter rather than a quality management matter is a common gap.
