Why are non-conformities such a big problem?
Non-conformity refers to a condition that deviates from the specified norm. In a management system, non-conformity represents a significant deviation. It should be noted that auditors are generally allowed to differentiate between small and large deviations. In English it is represented more clearly by the distinction “Major Nonconformity” and “Minor Nonconformity” (=minor deviation).
Why does ISO certification fail due to the non-conformities identified?
With ISO certification, auditors have to check a management system and its accompanying circumstances (e.g. evidence, samples, recognized working methods in operational practice) for conformity with the relevant standard (e.g. ISO 9001, ISO 27001). There is always the possibility that an auditor will detect a deviation (non-conformity). Here he must assess the degree of influence of this non-conformity. Is the deviation strong enough to completely weaken the effectiveness of the management system? A meaningless management system cannot be certified. A weakness that temporarily renders the management system ineffective can also have a negative impact on the auditors’ report.
Why do audits fail because of minor nonconformities?
During the audit, auditors may identify discrepancies. In doing so, they show the company why the identified non-conformity represents a problem for the management system being assessed. According to UKAS specifications, auditors are not allowed to provide advice during the audit. However, you can still talk to the auditor about this identified problem, without him getting in trouble with the UKAS accreditation body. It is very important to take the identified problem areas in the management system seriously. These weaknesses in the management system must be remedied. If too many minor non-conformities accumulate, they will combine into one significant non-conformity and the ISO certification will fail.
How long do you have to correct non-conformities in the management system?
After the audit or towards the end of the audit date, the lead auditor presents the non-conformities he has identified. Minor non-conformities can be resolved by the next surveillance audit (in 12 months). Significant or serious non-conformities must be fully resolved within 2-4 weeks. If the serious deviations are not remedied in a timely manner, the auditor of the certification body cannot prove that the identified weaknesses have been subsequently remedied. This means that the veto office in the certification body must reject the company’s documents for issuing the ISO certificate.
How can you resolve the identified non-conformity in the management system?
First, you should put together your own list of deviations (e.g. in Excel). You note the expected time required to resolve the respective problem. Each deviation must also be prioritized, because some deviations can be the cause of other subsequent rejections. You then determine who will take care of the respective point and who you need to get additional help (e.g. contact person in sales or IT security).
Each individual problem must then be examined in detail and the possible solutions must be checked for their effectiveness and conformity to standards. Once this problem area has been resolved, the solution must be documented and the effectiveness of the solution demonstrated. This documentation is important because it also helps the auditor convince the veto body of the certification body that the nonconformity no longer exists.