A nonconformity occurs when a requirement from a standard, contract, or internal policy is not fulfilled. ISO 27001 Clause 10.2 describes how to handle nonconformities and corrective actions. When you identify a nonconformity, you should react (correction), analyze the root cause (root cause analysis), and take action to prevent recurrence (corrective action). Nonconformities are classified as major or minor. Maintain a register of all nonconformities with their status, responsible person, and deadline so you can track progress and provide evidence during audits.