# Nonconformity Management & Corrective Action (ISO 9001:8.5)

Document ID: BD-QMS-NONCONF-001
Version: 1.0
Effective Date: 2026-03-17
## 1. Purpose
This procedure defines how BeDefended identifies, documents, analyzes, and corrects quality nonconformities to prevent recurrence and drive continuous improvement.
## 2. Nonconformity Classification

### 2.1 Severity Levels
| Severity | Definition | Examples | Response Time |
|---|---|---|---|
| Critical | Customer/regulatory impact, data breach risk, safety concern | Finding reported but unverified; data modified in client system; service disruption | 24 hours |
| Major | Process failure, missed requirement, significant quality gap | Report delivered >1 day late; <90% CSAT; compliance mapping missing; rework required | 3 days |
| Minor | Documentation gap, process deviation, low-impact quality issue | Formatting error in report; missing screenshot; typo in finding description | 1 week |
### 2.2 Categories
- Product/Service Nonconformity: Finding errors, report quality issues
- Process Nonconformity: Testing steps skipped, peer review not performed
- Compliance Nonconformity: Non-destructive rules violated, scope exceeded
- Documentation Nonconformity: Procedure missing, records incomplete
## 3. Detection & Reporting

### 3.1 Detection Sources

Internal:
- Peer review findings (during Phase 6)
- Internal audits (quarterly)
- Management review analysis
- Process monitoring (KPI deviation)
- Employee suggestion program

External:
- Client complaint (post-delivery)
- Client dispute (finding accuracy)
- Audit finding (third-party assessment)
- Regulatory feedback (compliance inquiry)
### 3.2 Reporting Process

Immediate Actions:
1. Detect: Any staff member observes a potential nonconformity
2. Report: Notify the QA Lead or Quality Manager immediately (do not delay)
3. Document: Log in the Nonconformity Register (spreadsheet or database)
Nonconformity Record Template:
```
┌────────────────────────────────────────────────────────────┐
│ Nonconformity ID: NC-2026-001                              │
│ Date Reported: 2026-03-17                                  │
│ Reported By: [Name]                                        │
│ Severity: [ ] Critical [ ] Major [ ] Minor                 │
│                                                            │
│ Description:                                               │
│ [What was wrong? Which engagement? Which process?]         │
│                                                            │
│ Root Cause (Hypothesis):                                   │
│ [Initial thought on why this happened]                     │
│                                                            │
│ Immediate Containment:                                     │
│ [What was done immediately to prevent harm?]               │
│                                                            │
│ Classification:                                            │
│ [ ] Product/Service [ ] Process [ ] Compliance [ ] Doc     │
│                                                            │
│ Category:                                                  │
│ [ ] Finding Error [ ] Report Quality [ ] Testing [ ] Auth  │
│                                                            │
│ Assigned To: [Owner for investigation]                     │
│ Target Resolution Date: [Based on severity]                │
└────────────────────────────────────────────────────────────┘
```
## 4. Investigation & Root Cause Analysis

### 4.1 Investigation Process (2-5 days for major, 1-2 weeks for critical)
- Interview: Talk to person who detected the nonconformity + directly involved staff
- Data Collection: Gather evidence (test logs, code review comments, CSAT survey, client email)
- Timeline Reconstruction: Map exact sequence of events
- Impact Assessment: How many engagements affected? How many clients impacted?
### 4.2 Root Cause Analysis (5 Whys)

NC-2026-001 Example: Finding reported but PoC unverified

- Why 1: Why was the finding reported without PoC verification?
  → Pentester ran out of time in the testing phase
- Why 2: Why did the pentester run out of time?
  → Scope was larger than estimated (10 endpoints instead of 5)
- Why 3: Why was scope underestimated?
  → No detailed scope walkthrough during intake; client provided a high-level description
- Why 4: Why didn't QA catch the unverified finding during peer review?
  → Reviewer did not check evidence files; assumed all findings were verified
- Why 5: Why was the evidence file check not enforced?
  → Peer review checklist did not explicitly list "verify PoC evidence"

Root Cause: Insufficient peer review process + missing checklist items

Corrective Action: Add an explicit "Evidence Verification" step to the peer review checklist
## 5. Corrective Action Planning

### 5.1 Corrective Action Selection

Choose actions to:
- Fix the Immediate Problem: Get the specific finding/report/process back into compliance
- Prevent Recurrence: Address the root cause so the same issue cannot recur in similar situations
- Prevent Related Issues: Strengthen similar processes that are at risk

### 5.2 Corrective Action Plan Template
```
┌────────────────────────────────────────────────────────────┐
│ Nonconformity: NC-2026-001 (Finding unverified in report)  │
│                                                            │
│ Root Cause: Peer review checklist missing PoC verification │
│                                                            │
│ Immediate Action (Fix This Instance):                      │
│ • Re-verify the finding's PoC                              │
│ • Contact client if finding needs clarification            │
│ • Re-submit report if finding was incorrect                │
│ Timeline: 3 days | Owner: QA Lead                          │
│                                                            │
│ Corrective Action 1 (Prevent Recurrence):                  │
│ • Add "Verify PoC Evidence" to peer review checklist       │
│ • Require reviewer to spot-check 3+ findings' evidence     │
│ • Update PeerReviewChecklist.md                            │
│ Timeline: 1 week | Owner: Quality Manager                  │
│                                                            │
│ Corrective Action 2 (Prevent Related Issues):              │
│ • Add scope walkthrough requirement to intake procedure    │
│ • Use detailed scope template (expected endpoints, roles)  │
│ • Retrain all pentesters on accurate scoping               │
│ Timeline: 2 weeks | Owner: Training Lead                   │
│                                                            │
│ Preventive Controls:                                       │
│ • Monthly audit of 10% of reports for PoC verification     │
│ • Track nonconformities by type (trending)                 │
│ • Q2 2026: No similar findings (success criteria)          │
│                                                            │
│ Measurement of Effectiveness:                              │
│ • Same engagement type tested again → finding verified     │
│ • Next 10 reports peer-reviewed → 100% pass checklist      │
│ • CSAT feedback → no accuracy complaints                   │
└────────────────────────────────────────────────────────────┘
```
## 6. Implementation & Verification

### 6.1 Implement Corrective Actions
- Timeline: Per plan (immediate = 3 days, CA1 = 1 week, CA2 = 2 weeks)
- Tracking: Update Nonconformity Register with progress
- Communication: Inform affected staff of new procedures/checklists
- Training: If new process, conduct brief training session
### 6.2 Verify Effectiveness

A corrective action is NOT complete until it has been verified to work:
- Repeat the Scenario: Similar test scenario → no recurrence
- Check Metrics: KPI improved (e.g., peer review pass rate increased)
- Get Feedback: Ask team member: "Does this fix prevent the issue?"
- Time-Based: Wait 2-4 weeks, monitor for recurrence
Verification Criteria:
- No similar nonconformity reported in the next 30 days
- Process metrics trending in the right direction
- Team confirms the new process is working as intended
## 7. Documentation & Communication

### 7.1 Nonconformity Register

Maintain a spreadsheet (or database) with the following columns:
| NC-ID | Date | Severity | Description | Root Cause | Status | Close Date | Verified |
|---|---|---|---|---|---|---|---|
| NC-2026-001 | 2026-03-17 | Major | Finding unverified | Inadequate peer review | Closed | 2026-04-14 | ✅ Yes |
| NC-2026-002 | 2026-03-18 | Minor | Typo in report | Spell-check skipped | Closed | 2026-03-22 | ✅ Yes |
### 7.2 Trends & Reporting

Monthly:
- Report the number of nonconformities by severity
- Summary of the top 3 root causes
- Corrective actions in flight

Quarterly (Management Review):
- Nonconformity trending (increasing, stable, decreasing)
- Effectiveness of corrective actions
- Systemic improvement opportunities
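The script below is an added worked example, not part of the BeDefended QMS or any tooling it describes. It reads a constructed CSV export of the register from 7.1 (the column names are the page's own) and produces the monthly figures listed in 7.2: counts by severity, the top three root causes, and corrective actions still in flight. It also applies the response times from the 2.1 severity table to flag records past their target resolution date, and the "no similar nonconformity in the next 30 days" rule from the verification criteria. The rows NC-2026-003 through NC-2026-005 are constructed for the example, and treating "similar nonconformity" as "same root cause" is an assumption made here, not a definition the page gives.

```python
"""Nonconformity register helpers (added example; sample data is constructed)."""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Response-time targets from the severity table in section 2.1.
RESPONSE_TIME = {
    "Critical": timedelta(days=1),   # 24 hours
    "Major": timedelta(days=3),
    "Minor": timedelta(days=7),      # 1 week
}
RECURRENCE_WINDOW = timedelta(days=30)  # "no similar nonconformity in the next 30 days"

# Constructed CSV export of the register. NC-2026-001/002 mirror the page's rows;
# NC-2026-003 to 005 are invented so that overdue and recurrence cases appear.
SAMPLE_REGISTER = """
NC-ID,Date,Severity,Description,Root Cause,Status,Close Date
NC-2026-001,2026-03-17,Major,Finding unverified,Inadequate peer review,Closed,2026-04-14
NC-2026-002,2026-03-18,Minor,Typo in report,Spell-check skipped,Closed,2026-03-22
NC-2026-003,2026-03-20,Critical,Scope exceeded during testing,Scope underestimated,Open,
NC-2026-004,2026-03-25,Minor,Typo in executive summary,Spell-check skipped,Closed,2026-03-28
NC-2026-005,2026-04-02,Minor,Missing screenshot,Evidence checklist skipped,In Progress,
"""


def as_date(s: str) -> date:
    """Parse an ISO date string (YYYY-MM-DD) as used in the register."""
    return date.fromisoformat(s)


@dataclass
class Nonconformity:
    nc_id: str
    reported: date
    severity: str
    description: str
    root_cause: str
    status: str                      # Open / In Progress / Closed
    close_date: Optional[date] = None

    def target_resolution(self) -> date:
        """Target Resolution Date: reported date plus the severity's response time."""
        return self.reported + RESPONSE_TIME[self.severity]

    def is_overdue(self, today: date) -> bool:
        return self.status != "Closed" and today > self.target_resolution()


def parse_register(csv_text: str) -> List[Nonconformity]:
    """Load register rows from a CSV export of the 7.1 spreadsheet."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return [
        Nonconformity(
            nc_id=r["NC-ID"],
            reported=as_date(r["Date"]),
            severity=r["Severity"],
            description=r["Description"],
            root_cause=r["Root Cause"],
            status=r["Status"],
            close_date=as_date(r["Close Date"]) if r["Close Date"] else None,
        )
        for r in rows
    ]


def find(records: List[Nonconformity], nc_id: str) -> Nonconformity:
    for r in records:
        if r.nc_id == nc_id:
            return r
    raise KeyError(nc_id)


def overdue(records: List[Nonconformity], today: date) -> List[str]:
    """IDs of open records that have passed their target resolution date."""
    return [r.nc_id for r in records if r.is_overdue(today)]


def monthly_summary(records: List[Nonconformity], year: int, month: int) -> dict:
    """Monthly report from 7.2: counts by severity, top 3 root causes, CAs in flight.
    'In flight' is taken over the whole register, not only the month's new records."""
    month_recs = [r for r in records if (r.reported.year, r.reported.month) == (year, month)]
    return {
        "by_severity": dict(Counter(r.severity for r in month_recs)),
        "top_root_causes": Counter(r.root_cause for r in month_recs).most_common(3),
        "in_flight": [r.nc_id for r in records if r.status != "Closed"],
    }


def effectiveness_verified(nc: Nonconformity, records: List[Nonconformity], today: date) -> bool:
    """30-day rule: closed, window elapsed, and no similar NC reported inside the window.
    Assumption: 'similar' means the same root cause (the page does not define it)."""
    if nc.status != "Closed" or nc.close_date is None:
        return False
    window_end = nc.close_date + RECURRENCE_WINDOW
    if today < window_end:
        return False  # too early to claim verification
    return not any(
        o.nc_id != nc.nc_id and o.root_cause == nc.root_cause
        and nc.close_date < o.reported <= window_end
        for o in records
    )


if __name__ == "__main__":
    reg = parse_register(SAMPLE_REGISTER)
    today = as_date("2026-05-20")
    print("March 2026 summary:", monthly_summary(reg, 2026, 3))
    print("Overdue today:", overdue(reg, today))
    for r in reg:
        print(r.nc_id, "effectiveness verified:", effectiveness_verified(r, reg, today))
```

Running the script shows NC-2026-002 failing the 30-day check because the constructed NC-2026-004 shares its root cause and was reported within the window; that is the case where a register row marked "Closed" should not yet be marked "Verified".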
## 8. Prevention (Proactive Approach)

### 8.1 Preventive Measures

Even without a nonconformity, identify potential risks and implement controls.

Example:
- Risk: SSL/TLS misconfiguration goes unnoticed
- Preventive Action: Add an automated TLS check to the CI/CD pipeline
- Verification: All deployments verified for TLS compliance

### 8.2 Preventive Action Log
| Measure | Risk | Action | Owner | Target Date | Status |
|---|---|---|---|---|---|
| Cert expiration monitoring | Expired cert causes outage | Add 30-day alert in CI/CD | Infra | 2026-Q2 | Planned |
| Dependency audit | Unpatched CVE in production | Enforce code review on Dependabot PRs | Dev Lead | 2026-Q2 | Planned |
## 9. Closure Criteria

A nonconformity is CLOSED when:
- ✅ Immediate Action completed (reported finding fixed, report re-submitted if needed)
- ✅ Corrective Action(s) implemented (procedure updated, training done, checklist revised)
- ✅ Effectiveness Verified (no recurrence in 30 days, metrics improved, team feedback positive)
- ✅ Documentation Updated (procedure, checklist, or training material reflecting the change)
- ✅ Nonconformity Register updated with closure date and verification evidence
## 10. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Any Staff | Detect and report nonconformities immediately |
| QA Lead | Initial assessment, severity determination, assignment |
| Process Owner | Root cause investigation, corrective action plan |
| Quality Manager | Oversight, effectiveness verification, closure approval |
| Management | Approve major CAs, resource allocation, prevent systemic issues |
## 11. Related Documents

- Quality Policy: `docs/qms/quality-policy.md`
- Peer Review Procedure: `docs/operations/testing-methodology.md` (Section: Phase 5 Verification)
- Change Management: `docs/operations/change-management.md`
- Quality Objectives: `docs/qms/quality-objectives.md` (QO-5: Peer Review Pass Rate)
## Approval & Review
| Role | Signature | Date |
|---|---|---|
| Quality Manager | _____ | 2026-03-17 |
| CISO | _____ | 2026-03-17 |
Review Schedule: Annually
Next Review: 2027-03-17
Status: Approved

Document Control
- Owner: Quality Manager
- Last Updated: 2026-03-17