8.2 Grading Nonconformities: Major, Minor, Conformity & Opportunities for Improvement
Key Takeaways
- A MAJOR nonconformity involves the total breakdown or absence of a required process, a nonconformity likely to result in product or service failure, or an accumulation of minor nonconformities against one requirement showing a systemic failure.
- A MINOR nonconformity is a single lapse or isolated slip that does not represent a systemic failure of the process.
- Neither ISO 9001 nor ISO 19011 defines 'major' and 'minor' — the grading scheme is set by the certification body under its ISO/IEC 17021-1 obligations, but the definitions above are the industry-standard convention taught on IRCA courses.
- Grading affects the certification decision directly: an unresolved major nonconformity blocks certification or recertification; minor nonconformities typically allow certification to proceed against an accepted correction and corrective-action plan.
Why Grading Matters
A nonconformity by itself only says a requirement was not met. Grading tells the organization, the certification body, and eventually the accreditation body how serious the gap is and how urgently it must be closed. Get the grade wrong in either direction and the consequence is real: over-grade a trivial slip as major and you can needlessly block a client's certificate; under-grade a systemic failure as minor and you let a real risk to product or service conformity through to certification.
Neither ISO 9001:2015 nor ISO 19011:2018 formally defines "major" and "minor." The grading scheme is a certification-body responsibility under ISO/IEC 17021-1, which requires every certification body to operate documented, objective rules for classifying nonconformities so that grading is consistent across auditors and clients. The definitions below are the convention taught on CQI/IRCA courses and used by the great majority of accredited certification bodies.
Major Nonconformity — Three Triggers
A nonconformity is graded major if any one of the following applies:
- Total breakdown or absence of a required process. The organization has no process at all where ISO 9001 requires one — for example, no internal audit programme has ever been run, or a required documented procedure simply does not exist.
- Likely to result in product or service failure. The gap is severe enough, on its own, to create a real risk that the product or service delivered to the customer will not conform — for example, a final-inspection step is being skipped entirely on a safety-critical component.
- Accumulation of minor nonconformities against one requirement. Several isolated minor nonconformities, none individually severe, are raised against the same clause or requirement across the audit. Taken together they show the process is not systematically effective — the pattern itself is the evidence of a systemic failure, even though no single instance would qualify as major alone.
Minor Nonconformity — The Isolated Slip
A nonconformity is graded minor when it is a single lapse or an isolated instance that does not indicate the process itself is broken. The process exists, is generally followed, and generally works — but on this occasion, in this instance, it wasn't. One missed calibration date out of a large, otherwise-compliant sample; one record missing a required signature; one employee unable to explain the quality objective relevant to their role while colleagues on the same shift can.
The dividing question an auditor should always ask is: does this evidence describe a broken process, or a single crack in a process that otherwise works? A broken process is major. A single crack is minor — until enough cracks appear against the same requirement that they describe the same broken process, at which point Trigger 3 escalates the grading.
Grading at a Glance
| Signal in the evidence | Typical grade |
|---|---|
| No documented procedure exists where one is required | Major |
| One of several similar records is deficient; the rest are compliant | Minor |
| A gap that could plausibly reach the customer as a nonconforming product or service | Major |
| Multiple minors raised against the same clause across different areas or shifts | Major (escalated) |
| Requirement is met, but a smarter or more efficient approach exists | OFI (not a nonconformity at all) |
Grading and the Certification Decision
Grading is not academic — it drives what happens after the audit:
- Major nonconformity, initial or recertification audit: certification is withheld until the organization submits evidence of correction and corrective action, and in most schemes the effectiveness of that evidence must be verified — often through a focused on-site follow-up — before a recommendation to certify can be made.
- Major nonconformity, surveillance audit: the certificate is typically placed at risk (suspension is possible) until objective evidence of effective correction is verified.
- Minor nonconformity: certification can usually proceed on the strength of an accepted correction and corrective-action plan; the certification body verifies implementation and effectiveness, commonly at the next scheduled audit, though it may request earlier documented evidence.
- Multiple minors left ungraded as a pattern: if an auditor fails to notice that five minors trace to the same requirement, the audit understates the real risk — this is why consolidating findings by clause (Section 8.1) before grading is essential.
Conformity and OFI Are Not "Lesser" Nonconformities
It's worth restating: conformity and OFI sit outside the nonconformity grading scale entirely — they are not "grade zero" nonconformities. A conformity finding confirms a requirement is met and needs no further classification. An OFI does not allege any requirement was breached; it is a suggestion the organization may act on voluntarily, with no corrective-action obligation and no bearing on the certification decision. Mislabeling an OFI as a minor nonconformity — or downgrading a real nonconformity to an OFI to avoid conflict with the client — undermines the integrity principle that underpins ISO 19011:2018's seven audit principles (Section 6.1).
An auditor finds that a document control procedure exists and is generally followed, but during the audit finds one obsolete work instruction still posted at a single workstation while every other workstation checked has the current revision. How should this be graded?
During a recertification audit, the audit team raises three separate minor nonconformities against ISO 9001:2015 clause 9.2 (internal audit) — one in the finance department's audit programme, one in operations, and one in the warehouse — each showing the internal audit schedule was not followed. How should the audit team grade this?