A non-conformity (NC) is a structured way of saying: “We did not meet a requirement we were supposed to meet.” The requirement might come from ISO 27001, your own policy, a customer contract, or applicable law—what matters is that the gap is recorded, owned, and closed with evidence.
NC vs observation vs opportunity for improvement
Audit reports use three distinct terms, and each carries a different obligation:
- Non-conformity — objective evidence shows a requirement is not fulfilled. ISO 27001 clause 10 (nonconformity and corrective action) expects you to react to the NC, analyse its root cause, plan and implement corrective action, verify that the action was effective, and retain records of all of it. The exact workflow depends on your own process and the auditor’s criteria, but a closure without root-cause analysis or effectiveness evidence will usually be reopened.
- Observation — a risk or weakness noted without claiming a hard failure against a requirement. Still worth tracking if you do not want it to become an NC next year.
- Opportunity for improvement (OFI) — something could work better even if it already “passes.” Good ISMS cultures log OFIs as positive backlog, not as blame.
Major and minor (common usage)
Certification bodies usually classify NCs by severity. In common usage a major NC is a systemic or complete failure to meet a requirement (for example, a required process that does not exist or is not operating) and may block certification or threaten certificate continuity; a minor NC is an isolated lapse in a process that otherwise works, but it still needs a credible corrective action and follow-up at the next audit. Your certification body defines how it uses these terms, so internal dashboards should mirror its definitions; leadership then sees the same picture the auditor does.
Why NCs belong next to risk and controls
Findings are evidence that a control failed, was missing, or was never scoped to cover the requirement. Linking each NC to the affected control or risk scenario lets you answer two questions the auditor will ask: “Did residual risk change?” and “Do we need to update the risk treatment plan or the Statement of Applicability (SoA)?” ISMSVision keeps non-conformities in the same Risk Management workspace as risks and controls so that chain of evidence stays connected.
For ISO’s broader risk expectations, see ISO 27001 risk requirements. For a tour of the workspace, see managing risks in ISMSVision (detailed).
Track findings with ownership
Use configurable statuses and sources so every NC has a named owner, a recorded origin (internal audit, external audit, incident, customer, or self-identified), and a clear path from open through root-cause analysis and corrective action to verified closure.