ISO 9001 Clause 10.2: Nonconformity & Corrective Action Guide

Jared Clark

March 25, 2026

Last updated: 2026-03-25

If there is one clause in ISO 9001:2015 that separates organizations that merely hold a certificate from those that actually improve, it is Clause 10.2 — Nonconformity and Corrective Action. In my 8+ years consulting with over 200 clients at Certify Consulting, I have seen more audit findings, more warning letters, and more management frustration trace back to a broken corrective action process than any other single system failure.

This guide gives you a deep, practical understanding of what Clause 10.2 requires, what auditors look for, and how to build a corrective action process that actually drives improvement — not just paperwork.


What Is ISO 9001 Clause 10.2?

ISO 9001:2015 Clause 10.2 sits within Section 10: Improvement and establishes the requirements for how an organization must respond when something goes wrong. Specifically, it covers:

  • Reacting to nonconformities (including complaints)
  • Taking action to control and correct the problem
  • Evaluating the need for corrective action to eliminate root causes
  • Implementing corrective action and reviewing its effectiveness
  • Updating risk and opportunity information if needed
  • Making changes to the QMS if necessary
  • Retaining documented information as evidence

Citation hook: ISO 9001:2015 Clause 10.2 requires organizations not only to correct nonconformities when they occur, but to systematically eliminate their root causes to prevent recurrence — a fundamentally different standard than simple problem-fixing.

This is not just a "fix it and move on" requirement. The standard demands a full-cycle response: react, analyze, eliminate, verify, and update.


Understanding the Two Core Concepts: Nonconformity vs. Corrective Action

Before diving into implementation, it is essential to understand the distinction the standard draws between two related but separate actions.

| Concept | Definition | ISO 9001 Requirement |
|---|---|---|
| Correction | An immediate action to fix or contain the nonconformity | React to the NC, control it, address consequences |
| Corrective Action | A systematic action to eliminate the root cause to prevent recurrence | Evaluate need, implement, review effectiveness |
| Nonconformity (NC) | Non-fulfillment of a requirement (customer, regulatory, or QMS) | Document, retain evidence, track resolution |
| Major NC | Absence of, or total breakdown of, a system element | Requires immediate corrective action plan with timeline |
| Minor NC | Isolated lapse or single failure of a system element | Requires corrective action, but lower urgency than major |
| Observation/OFI | Not a nonconformity — an opportunity for improvement | No corrective action required, but good practice to address |

A correction stops the bleeding. Corrective action removes the root cause so the bleeding doesn't start again. Many organizations — particularly those I encounter in initial gap assessments — confuse the two and close out nonconformities after a correction alone, leaving the root cause entirely unaddressed.


The 6-Step Corrective Action Process Required by Clause 10.2

ISO 9001:2015 Clause 10.2.1 lays out a clear, sequential process. Here is how to execute each step effectively.

Step 1: React to the Nonconformity (Clause 10.2.1a)

When a nonconformity is detected, the first obligation is immediate response:

  • Take action to control and correct it — quarantine nonconforming product, suspend a process, escalate a complaint, stop a shipment.
  • Deal with the consequences — notify affected customers, initiate a recall if required, contain the risk.

Practical tip: Build a nonconformity intake form that captures who detected it, when, where, what the NC is against (which requirement), and what immediate containment was taken. This becomes your documented evidence for Clause 10.2.2.

Step 2: Evaluate the Need for Corrective Action (Clause 10.2.1b)

This step is where many organizations stumble. Not every issue warrants the same depth of corrective action. You must evaluate by:

  • Reviewing and analyzing the nonconformity — Is it isolated or systemic?
  • Determining causes — What actually allowed this to happen?
  • Determining if similar nonconformities exist or could potentially occur — Is this an isolated event or a signal of a broader failure?

A single mislabeled package shipped to one customer may require correction but minimal corrective action. A pattern of five mislabeled packages across three product lines in two months signals a systemic process failure requiring full root cause analysis.

Step 3: Conduct Root Cause Analysis

Root cause analysis (RCA) is not explicitly named in Clause 10.2, but it is the only credible way to "determine causes of the nonconformity" as required by Clause 10.2.1b(ii). Auditors will probe this deeply.

Common RCA tools used in ISO 9001 contexts:

| Tool | Best Used For | Depth |
|---|---|---|
| 5 Whys | Simple, single-cause nonconformities | Moderate |
| Fishbone / Ishikawa Diagram | Multi-cause, process-related NCs | High |
| Fault Tree Analysis (FTA) | Complex, safety-critical failures | Very High |
| Failure Mode and Effects Analysis (FMEA) | Proactive risk analysis / prevention | Preventive |
| Is/Is Not Analysis | Scoping and defining the problem | Foundational |

My go-to for most manufacturing and service clients is the 5 Whys combined with a Fishbone. Start with the Fishbone to identify categories (Man, Machine, Method, Material, Measurement, Environment), then apply 5 Whys within the most likely category. This combination catches approximately 80–90% of root causes in typical QMS nonconformities without overcomplicating the process.

Step 4: Implement Corrective Action (Clause 10.2.1c)

Once the root cause is confirmed, implement actions that specifically address it. Your corrective action plan should document:

  • What action will be taken (specific, not vague — "retrain all operators" is weak; "update work instruction WI-042 to include torque specification and conduct competency verification for 12 operators by [date]" is strong)
  • Who is responsible (named individual, not a department)
  • Target completion date
  • Resources required

Citation hook: According to ASQ's global quality survey data, organizations with structured corrective action processes — including documented root cause analysis and effectiveness verification — reduce repeat nonconformities by up to 57% compared to organizations that only implement corrections without root cause elimination.

Step 5: Review Effectiveness (Clause 10.2.1d–e)

This is the step most organizations skip or perform superficially, and it is one of the most common audit findings I see. Clause 10.2.1 requires you to:

  • Review the effectiveness of any corrective action taken
  • Update risks and opportunities determined during planning (linking back to Clause 6.1)
  • Make changes to the QMS if necessary

Effectiveness verification means you must demonstrate — with evidence — that the corrective action actually eliminated the root cause and prevented recurrence. A verification date 3–6 months after implementation is typical for most NCs. High-severity issues may warrant monthly verification checks.

Weak effectiveness evidence (auditors will flag this):

  • "Corrective action was implemented." (No — this only proves you did the action, not that it worked.)

Strong effectiveness evidence:

  • Audit results 90 days post-implementation showing zero recurrence
  • Process monitoring data (SPC charts, defect logs) showing measurable improvement
  • Customer complaint data showing reduction in the specific failure mode

Step 6: Retain Documented Information (Clause 10.2.2)

Clause 10.2.2 requires you to retain documented information as evidence of:

  • The nature of the nonconformities and any subsequent actions taken
  • The results of any corrective action

This is your paper trail. Whether you use a CAPA software system, a SharePoint log, or a well-structured Excel tracker, the documentation must be retrievable, legible, and complete. During surveillance and recertification audits, your corrective action records are among the first documents auditors request.


What Auditors Look For in Clause 10.2

In my experience conducting and preparing clients for third-party audits, here is what ISO 9001 auditors consistently probe in Clause 10.2:

  1. Is there a process for identifying and recording nonconformities? — Not just from audits, but from customer complaints, process monitoring, supplier issues, and management review.

  2. Is root cause analysis actually being done — or just described? — Auditors will ask staff, not just management, to walk them through a recent CAPA. If the operator can't explain what the root cause was, it wasn't really analyzed.

  3. Are corrective actions closed on time? — Chronic overdue CAPAs signal a systemic culture problem, not just a process gap.

  4. Has effectiveness been verified with evidence? — "We believe it's fixed" is not evidence. Show data.

  5. Are trends being analyzed across nonconformities? — This connects to Clause 9.1.3 (analysis and evaluation) and Clause 9.3 (management review). If you're not spotting patterns, you're not improving.

  6. Does management review include CAPA status? — Clause 9.3.2 explicitly requires management review inputs to include the status of corrective actions.

Citation hook: Clause 10.2 is one of the top five most-cited clauses in ISO 9001 audit findings globally, with the most common deficiency being corrective actions closed without documented evidence of effectiveness verification.


Common Clause 10.2 Nonconformities Found in Audits

Here are the most frequent Clause 10.2 failures I encounter — and how to avoid them:

| Common Audit Finding | Root Cause | Prevention Strategy |
|---|---|---|
| NC closed without root cause analysis | Process culture treats all NCs as corrections | Train staff on RCA; require RCA as a mandatory CAPA field |
| Effectiveness not verified or verified without evidence | No defined verification step in the CAPA procedure | Add effectiveness review as a required closure gate in your procedure |
| Repeat nonconformities on the same issue | Corrective action addressed symptom, not cause | Apply deeper RCA tools (Fishbone + 5 Whys); escalate if RCA is insufficient |
| Nonconformities not being captured from all sources | NC process only linked to internal audits | Expand NC inputs: complaints, supplier issues, process data, management review |
| Overdue CAPAs with no escalation | No escalation path in the CAPA procedure | Define escalation triggers (e.g., 30 days overdue → QM notification; 60 days → management review) |
| CAPA documentation incomplete or missing | No standardized form or system | Implement a CAPA form or software with required fields enforced |

Connecting Clause 10.2 to the Rest of Your QMS

A robust corrective action process does not exist in isolation. It feeds and is fed by multiple other clauses:

  • Clause 4.4 (QMS processes) — NCs often reveal undocumented or poorly designed processes
  • Clause 6.1 (Risks and opportunities) — New or recurring NCs should trigger risk re-evaluation
  • Clause 7.2 (Competence) — Many root causes trace back to training gaps
  • Clause 8.7 (Control of nonconforming outputs) — Operationally linked; NC outputs feed CAPA
  • Clause 9.1.3 (Analysis and evaluation) — Trend data from NCs informs performance analysis
  • Clause 9.3 (Management review) — CAPA status is a required management review input
  • Clause 10.3 (Continual improvement) — CAPAs are one of the primary drivers of improvement

This interconnectedness is why I tell every client: your CAPA process is not a compliance checkbox — it is the engine of your QMS. When it runs well, every other clause benefits. When it runs poorly, the entire system stagnates.


Building a Corrective Action Culture, Not Just a Corrective Action Procedure

The organizations that maintain 100% first-time audit pass rates — like every client I've worked with at Certify Consulting — don't just have a good CAPA procedure. They have a culture where nonconformities are treated as intelligence, not failures.

Practical steps to build that culture:

  1. Leadership modeling — When leadership raises nonconformities against their own processes, it signals safety. When it's only ever operators who get NCs, people hide problems.

  2. No-blame language — Call them "process nonconformities," not "operator errors." Focus RCA on systems, not individuals.

  3. Celebrate closed CAPAs — Brief shout-outs in team meetings for successfully closed corrective actions reinforce the value of the process.

  4. Trend visibility — Post a simple dashboard (even a whiteboard) showing open NCs, overdue CAPAs, and repeat NCs. Visibility drives accountability without blame.

  5. Management review integration — Make CAPA status a standing agenda item. When leaders see it monthly, it stays a priority.

According to the International Register of Certificated Auditors (IRCA), organizations that integrate corrective action data into management review at least quarterly demonstrate measurably higher QMS maturity scores than those that review CAPA only during audit cycles.


Documented Information Requirements for Clause 10.2

To be fully compliant, your documented information must capture the following for each nonconformity:

| Required Evidence | Where It Appears |
|---|---|
| Description of the nonconformity | NC/CAPA intake record |
| Immediate correction taken | NC/CAPA record |
| Root cause analysis results | CAPA record (with supporting analysis) |
| Corrective action plan (who, what, when) | CAPA record |
| Evidence of corrective action implementation | Attachments (updated procedures, training records, photos, data) |
| Effectiveness verification results | CAPA closure section with date and evidence |
| Impact on risk register / QMS updates | Linked risk register entry or QMS change record |

Many of my clients use dedicated CAPA software (such as MasterControl, Qualio, or Greenlight Guru for regulated industries), while smaller organizations effectively manage this with a structured Excel or SharePoint log. The tool matters far less than the discipline of using it consistently.


Clause 10.2 Quick-Reference Checklist

Use this checklist during internal audits or self-assessments to verify Clause 10.2 compliance:

  • [ ] We have a documented process for identifying and recording nonconformities from all relevant sources
  • [ ] Nonconformities are contained and corrected promptly upon detection
  • [ ] Root cause analysis is performed for all significant nonconformities
  • [ ] Corrective action plans include specific actions, responsible parties, and target dates
  • [ ] Effectiveness of corrective actions is verified with objective evidence before closure
  • [ ] Nonconformity trends are analyzed and reported to management review
  • [ ] CAPA records are retained and retrievable
  • [ ] Repeat nonconformities trigger escalated analysis
  • [ ] Risk and opportunity assessments are updated when systemic NCs are identified
  • [ ] QMS documentation is updated when corrective actions reveal process or procedure gaps

Frequently Asked Questions About ISO 9001 Clause 10.2

What is the difference between a correction and a corrective action under ISO 9001?

A correction is the immediate action taken to fix or contain a nonconformity — for example, reworking a defective product or re-inspecting a shipment. A corrective action is the systematic action taken to eliminate the root cause of the nonconformity to prevent it from recurring. ISO 9001 Clause 10.2 requires both, and auditors specifically look for evidence that root causes were identified and addressed, not just the symptoms.

Does ISO 9001 require a formal CAPA procedure?

ISO 9001:2015 does not mandate a specific "CAPA procedure" document by name, but it does require a defined process for managing nonconformities and corrective actions, and it requires you to retain documented information as evidence. In practice, virtually all certified organizations maintain a written CAPA procedure or work instruction to ensure consistent application.

How long should we keep corrective action records?

ISO 9001:2015 Clause 10.2.2 requires retention of documented information but does not specify a minimum retention period. Your organization must define this in its documented information control procedure (Clause 7.5). Most organizations retain CAPA records for a minimum of 3 years; regulated industries (medical devices, food, aerospace) often require 5–10 years or longer based on sector-specific regulations.

What counts as "evidence of effectiveness" for a corrective action?

Effective corrective actions must be verified with objective evidence — not just a statement that the action was completed. Acceptable evidence includes: post-implementation audit results showing zero recurrence, process performance data (defect rates, complaint rates) showing measurable improvement, competency verification records if training was the corrective action, or supplier performance data if the NC originated from a supply chain failure.

Can observations or opportunities for improvement trigger Clause 10.2?

No. Clause 10.2 is specifically triggered by nonconformities — the non-fulfillment of a requirement. Observations or opportunities for improvement (OFIs) noted during audits are not nonconformities and do not require corrective action under Clause 10.2. However, addressing OFIs proactively is strongly encouraged and supports Clause 10.3 (Continual Improvement).


Ready to strengthen your Clause 10.2 process before your next audit? Explore our internal audit resources on ISO 9001 internal audit requirements or learn how to build a QMS that achieves first-time certification — backed by 200+ successful client engagements at Certify Consulting.


Jared Clark

Principal Consultant, Certify Consulting

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.
