ISO Management of Nonconformities
Effective: March 17, 2026 · DCF-566
1. Purpose
This document establishes the procedure for managing nonconformities and corrective actions within the H33.ai Information Security Management System (ISMS), as required by ISO 27001:2022 Clauses 10.1 (Continual improvement) and 10.2 (Nonconformity and corrective action). It ensures that when nonconformities are identified, appropriate actions are taken to control and correct them, deal with their consequences, evaluate the need for action to eliminate root causes, and review the effectiveness of corrective actions taken.
2. Definitions
| Term | Definition |
|---|---|
| Nonconformity | Non-fulfilment of a requirement of the ISMS (ISO 27001 clauses, Annex A controls, internal policies, regulatory requirements, or contractual obligations). |
| Major Nonconformity | A nonconformity that: (a) results in a significant failure of the ISMS to achieve its intended outcomes, (b) renders a process or control entirely ineffective, or (c) raises significant doubt about the ISMS's ability to protect information assets. |
| Minor Nonconformity | A nonconformity that: (a) is an isolated or partial failure of a control, (b) does not result in complete failure of a process, and (c) does not significantly impact the ISMS's effectiveness. |
| Observation | A situation that is not a nonconformity but could become one if not addressed, or represents an opportunity for improvement. |
| Corrective Action | Action to eliminate the root cause of a detected nonconformity and prevent its recurrence. |
| Root Cause | The fundamental underlying reason why a nonconformity occurred. Addressing the root cause prevents recurrence (as opposed to treating symptoms). |
| CAR | Corrective Action Request — the formal document used to track nonconformities from identification through resolution and verification. |
3. Nonconformity Identification Sources
Nonconformities may be identified through any of the following sources:
- Internal audits (DCF-165) — Findings from scheduled and ad-hoc ISMS audits
- External audits — Findings from SOC 2 Type II audits, ISO 27001 certification audits, or regulatory examinations
- Management reviews (DCF-164) — Issues identified during quarterly ISMS management reviews
- Security incidents — Post-incident reviews revealing control failures or gaps
- Drata monitoring — Automated compliance monitoring alerts indicating control failures
- DataDog alerts — Infrastructure monitoring revealing security configuration deviations
- Risk assessments — Newly identified risks indicating inadequate existing controls
- Personnel reports — Staff-reported concerns or observations about security practices
- Customer feedback — Security-related complaints or concerns from customers
- Vendor assessments — Gaps identified during supplier security reviews
4. Nonconformity Response Procedure
Step 1: React to the Nonconformity
Upon identification of a nonconformity, the following immediate actions are taken:
- Take action to control and correct the nonconformity (containment)
- Deal with the consequences of the nonconformity (impact mitigation)
- Assign a CAR reference number and log in the nonconformity register
- Classify as Major or Minor nonconformity
- Assign an owner responsible for resolution (CEO/CISO or delegate)
- Determine if the nonconformity has regulatory notification implications (HIPAA breach, etc.)
Timeline: Within 24 hours of identification for Major; within 5 business days for Minor.
Step 2: Evaluate the Need for Action
Evaluate whether action is needed to eliminate the cause(s) of the nonconformity so that it does not recur or occur elsewhere:
- Review the nonconformity to understand its nature and extent
- Determine if similar nonconformities exist or could potentially exist in other areas
- Assess the impact on ISMS objectives, information security, and compliance obligations
- Decide whether corrective action is required (corrective action is always required for Major nonconformities)
Step 3: Perform Root Cause Analysis
For all nonconformities requiring corrective action, determine the root cause using one or more of the following methodologies:
- 5 Whys Analysis: Iteratively ask "Why?" to trace the chain of causation from the observed nonconformity to its root cause. Minimum 3 iterations, typically 5.
- Fishbone (Ishikawa) Diagram: Categorize potential causes across dimensions: People, Process, Technology, Policy, Environment, Measurement. Identify the most likely root cause within each category.
- Fault Tree Analysis: For complex or safety-critical nonconformities, construct a logical diagram tracing failure modes to root causes.
The selected methodology and analysis must be documented in the CAR.
Step 4: Implement Corrective Action
Design and implement corrective actions that address the root cause:
- Define specific, measurable corrective actions with clear deliverables
- Assign owner and target completion date
- Ensure corrective actions are proportionate to the impact of the nonconformity
- Consider whether changes to policies, procedures, controls, or training are needed
- Implement changes through the change management process (A.8.32)
- Document all actions taken with evidence
Timelines: Major: corrective action plan within 10 business days, implementation within 30 calendar days. Minor: corrective action plan within 10 business days, implementation within 60 calendar days.
Step 5: Review Effectiveness
Verify that corrective actions have been effectively implemented and the nonconformity has been resolved:
- Verify corrective action implementation through evidence review
- Confirm the root cause has been addressed (not just symptoms)
- Assess whether the nonconformity has recurred or could recur
- Evaluate whether the corrective action has introduced any new risks
- Update risk register if applicable
- Close the CAR with documented verification evidence
Timeline: Major: verification within 45 calendar days. Minor: verification at next scheduled audit or within 90 calendar days, whichever is sooner.
5. Corrective Action Request (CAR) Form Template
6. Nonconformity Register
| CAR # | Date | Description | Classification | Owner | Status |
|---|---|---|---|---|---|
| No open nonconformities as of March 17, 2026. The ISMS was established in Q1 2026; initial internal audits are scheduled for Q2 2026 (see DCF-165). | |||||
7. Escalation Criteria
Nonconformities must be escalated under the following circumstances:
- To management review: All Major nonconformities and any Minor nonconformities that remain open beyond their target completion date are reported at the next management review (DCF-164).
- To external auditor: Any nonconformity that may affect the scope or conclusion of an ongoing or upcoming external audit (SOC 2 or ISO 27001) must be disclosed.
- To regulatory authority: Any nonconformity that constitutes a HIPAA breach, a violation of state breach notification law, or a failure of a control that resulted in unauthorized access to protected data must trigger the authority contact procedure (DCF-744).
- Recurrence: A nonconformity that recurs after corrective action has been verified and closed must be automatically elevated to Major classification and reassessed with enhanced root cause analysis.
8. Tracking and Reporting
All nonconformities and corrective actions are tracked in the Drata compliance platform:
- CARs logged with all required fields and evidence attachments
- Status tracked through lifecycle: Open → In Progress → Verification → Closed
- Monthly summary report generated for CEO/CISO review
- Quarterly metrics reported at management review:
  - Total nonconformities identified (by source, classification)
  - Average time to resolution (by classification)
  - Corrective action effectiveness rate (recurrence analysis)
  - Open nonconformity aging report
  - Trend analysis (improvement or degradation over time)
9. Record Retention
| Attribute | Requirement |
|---|---|
| Retention Period | Minimum 3 years from CAR closure date |
| Storage Location | Drata compliance platform (evidence library) |
| Access Control | Restricted to CEO/CISO and authorized auditors |
| HIPAA Requirement | 6-year retention for any nonconformity related to HIPAA Security Rule or Privacy Rule compliance |
10. Approval
| Field | Value |
|---|---|
| Prepared By | Eric Beans, CEO/CISO |
| Approved By | Eric Beans, CEO/CISO |
| Approval Date | March 17, 2026 |
| Next Review | March 17, 2027 |
| Signature | /s/ Eric Beans |
Questions?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945