
ISO 9001 Clause 8.7 Control of Nonconforming Outputs Explained


Team @ Audit Workshop


What Clause 8.7 Actually Requires

Clause 8.7 of ISO 9001:2015 deals with one of the most practical and visible parts of any quality management system: what you do when something goes wrong with a product or service before it reaches the customer. The clause sits within Section 8, which covers all operational processes, and it addresses the specific situation where an output does not meet its intended requirements.

The core obligation is straightforward. When an output is identified as nonconforming, the organisation must ensure it is identified and controlled to prevent its unintended use or delivery. That sounds simple, but the detail of how organisations actually implement this is where auditors find a significant number of nonconformities.

The clause applies to any output: physical products, delivered services, software, documents used in processes, and anything else that results from your operational activities. If it does not conform to requirements, Clause 8.7 applies.

The Four Permitted Dispositions

ISO 9001 does not leave organisations guessing about what to do with a nonconforming output. The standard specifies four acceptable dispositions, and the organisation must apply at least one of them based on the nature of the nonconformity and the circumstances.

Correction

Correction means taking action to eliminate the detected nonconformity. You rework the product, redo the service step, or fix whatever is wrong. This is the most common disposition for physical products where the defect can be repaired or brought back into specification. After correction, the output must be re-verified to confirm it now conforms. This re-verification step is one that auditors specifically look for, and it is frequently missing in practice.

Segregation, Containment, Return or Suspension

Where correction is not possible or not yet decided, the nonconforming output must be physically or logically separated from conforming product. In a warehouse or production environment this typically means a dedicated quarantine area, clearly labelled, with restricted access. For services, it might mean suspending a particular process step or placing a hold on a deliverable. The key is that the nonconforming output cannot be accidentally used or delivered while its disposition is being decided.

Concession

A concession is an authorisation to use, release, or accept a nonconforming output. Under ISO 9001, a concession must be authorised by the relevant authority, which may be internal or, more commonly, the customer. If the customer has specified the requirements, they generally need to authorise any concession against those requirements. Auditors look carefully at whether concessions are properly documented and whether the authorisation came from the right person or organisation. A verbal agreement with a customer does not constitute documented evidence of a concession.

Informing the Customer

Where a nonconforming output has already been delivered, the organisation must inform the customer. This is not optional. The standard is explicit that when nonconforming outputs are detected after delivery, the organisation must take action appropriate to the effects or potential effects of the nonconformity. That might mean a formal notification, a product recall, a service credit, or some other response. What it cannot mean is doing nothing and hoping the customer does not notice.


What Must Be Documented

Clause 8.7.2 specifies the documented information that must be retained. This is one of the few places in ISO 9001 where the standard explicitly mandates records rather than leaving it to the organisation to determine what documented information is necessary.

The required records must describe the nonconformity, describe the actions taken, describe any concessions obtained, and identify the authority that decided the action. This means a properly completed nonconformance report or equivalent record must exist for every identified nonconforming output.

In practice, many organisations have a nonconformance register or a quality alert system that captures this information. The auditor will sample these records and check that each entry includes the required elements. Missing fields, incomplete descriptions, or records that show a disposition was decided but do not identify who authorised it are common findings.

If you want to understand how to write these records in a way that actually drives improvement rather than just satisfying the documentation requirement, the article on how to write a nonconformity report that actually gets fixed covers the practical side of this in detail.

The Link Between Clause 8.7 and Clause 10.2

Clause 8.7 handles the immediate response to a nonconforming output. It is about containment and disposition. Clause 10.2 handles corrective action, which is about investigating the root cause and preventing recurrence. These two clauses work together, but they are not the same thing.

A common misunderstanding among quality teams is treating the nonconformance report as the corrective action. Fixing the defective batch and recording it in the register satisfies Clause 8.7. It does not satisfy Clause 10.2 unless there is also a root cause investigation and evidence that action has been taken to prevent the same nonconformity from recurring.

Auditors will follow the trail from the nonconformance register to the corrective action system. If they find a pattern of the same nonconformity appearing repeatedly with no corresponding corrective action, that is a finding against Clause 10.2, not Clause 8.7. But it is the Clause 8.7 records that reveal the pattern, which is why thorough documentation matters beyond just compliance.

Common Audit Findings Against Clause 8.7

Across hundreds of certification and surveillance audits, certain patterns emerge repeatedly. These are the areas where organisations most commonly fall short of the clause requirements.

No Physical Segregation

The quarantine area exists on paper but nonconforming product is stored alongside conforming product in practice. Sometimes the area is labelled but the label has faded, or the area has been repurposed. An auditor walking the floor will look for clear, maintained segregation and will ask operators where they put nonconforming product when they find it.

Re-verification Not Performed or Not Recorded

After rework, the product goes back into the production flow without any documented check that the correction was effective. This is extremely common. The person who did the rework may have checked it informally, but there is no record. The standard requires re-verification, and re-verification requires evidence.

Concessions Without Proper Authorisation

An internal supervisor approves using a product that does not meet customer specifications without obtaining customer agreement. Or a concession is granted verbally and never documented. Auditors will ask to see the concession records and will check whether the authorising person had the authority to grant the concession under the circumstances.

Nonconformance Records Missing Required Fields

The register shows that a nonconformity was found and that action was taken, but does not describe the nature of the nonconformity in enough detail, does not identify who authorised the disposition, or does not record what the actual disposition was. Incomplete records are a straightforward nonconformity against Clause 8.7.2.

No Process for Post-Delivery Nonconformities

The organisation has a clear process for catching nonconformities before dispatch, but no defined process for what happens when a customer reports a problem after delivery. Customer complaints land in the sales team's inbox and get resolved commercially without ever being recorded as nonconforming outputs. This means the quality system never sees the data, corrective action is never triggered, and the same problem keeps happening.

Operators Unaware of the Process

The procedure exists and the quarantine area exists, but when the auditor asks a production operator what they do when they find a defective item, the answer reveals they have no idea where the procedure is or what the process requires. Awareness is a real issue in this clause. The people most likely to identify nonconforming outputs are often the ones least familiar with what to do next.

How Auditors Assess Clause 8.7 in Practice

When auditing this clause, an experienced auditor does not just review the procedure and tick a box. The audit of Clause 8.7 is primarily an operational audit, which means it happens on the floor, in the warehouse, in the service delivery area, wherever outputs are produced.

The typical approach involves walking the production or service area and looking for the quarantine zone. What is in it? Is everything in it labelled? Is there anything that looks like it should be in quarantine that is not? The auditor will then pull records from the nonconformance register and trace a sample of entries through to their documented disposition. Were they reworked? Was re-verification recorded? Were any concessions obtained, and if so, from whom?

The auditor will also interview operators and supervisors. What do you do when you find a defective part? What do you do if a customer calls to say the last delivery had a problem? These conversations often reveal gaps between the documented procedure and what actually happens day to day.

For a broader understanding of what auditors look for across the entire quality management system, the article on what auditors look for in an ISO 9001 quality management system provides useful context.

Clause 8.7 in Service Organisations

Many quality managers in service industries assume Clause 8.7 is primarily relevant to manufacturing. That is not correct. Services produce outputs too, and those outputs can be nonconforming.

Consider a consulting firm that delivers a report containing errors identified before it is sent to the client. That is a nonconforming output. What is the process for identifying it, correcting it, and re-verifying it before delivery? Consider a training provider that discovers a module contains incorrect information. What is the process for withdrawing it from use, correcting it, and re-releasing it?

In service organisations, the nonconforming output process often needs to address digital outputs, documents, advice, and service deliverables rather than physical products. The principles are identical, but the practical controls look different. Auditors working in service environments will adapt their questions accordingly, asking about document version control, approval workflows, and how errors in delivered services are managed.

Clause 8.7 and Risk-Based Thinking

ISO 9001 is built on risk-based thinking, and Clause 8.7 is no exception. The disposition decision for a nonconforming output should be informed by the risk associated with that output reaching the customer or being used in a subsequent process.

A minor cosmetic defect on a product that does not affect function carries a different risk profile than a dimensional nonconformity in a safety-critical component. The controls applied, the level of authorisation required for a concession, and the urgency of corrective action should all reflect that risk assessment.

Auditors will look for evidence that the organisation has considered risk in its approach to nonconforming outputs. A flat, one-size-fits-all process that treats all nonconformities identically regardless of their potential consequences is a sign that risk-based thinking has not been applied in this area.

Practical Steps to Strengthen Your Clause 8.7 Process

If you are preparing for a certification audit or reviewing your system ahead of an internal audit, the following areas are worth examining before an auditor does.

  • Check your quarantine controls physically, not just on paper. Walk the floor and confirm that nonconforming product is actually being segregated in the way your procedure describes.
  • Review a sample of recent nonconformance records and confirm each one contains all required fields: description of the nonconformity, actions taken, any concessions obtained, and the authorising person.
  • Confirm your re-verification process is documented and being followed. Every reworked item should have a record showing it was checked after correction.
  • Check that your customer complaint process feeds into the nonconformance system. Post-delivery nonconformities must be captured and managed, not just resolved commercially.
  • Talk to the people who identify nonconformities. Do they know the process? Do they know where the quarantine area is? Do they know who to notify?
  • Review your concession records. Are they complete? Was the right authority involved? If customer concessions were granted, is there documented evidence of customer agreement?

These steps will surface most of the common gaps before an external auditor finds them. The article on how to audit Clause 8.7 nonconforming outputs walks through the auditor perspective in more detail if you want to understand exactly what questions will be asked.

How Clause 8.7 Connects to the Broader QMS

Clause 8.7 does not operate in isolation. It connects to several other parts of the quality management system, and understanding those connections helps quality managers build a more coherent system rather than a collection of separate procedures.

The connection to Clause 10.2 corrective action has already been discussed. But Clause 8.7 also connects to Clause 8.5, which covers production and service provision, because the controls applied during production should prevent nonconformities from occurring in the first place. It connects to Clause 8.4, which covers the control of externally provided processes, products, and services, because nonconforming inputs from suppliers often generate nonconforming outputs. And it connects to Clause 9.1, which covers monitoring, measurement, analysis, and evaluation, because nonconformance data is one of the key inputs to performance analysis.

A quality manager who understands these connections will build a system where nonconformance data flows naturally into improvement activity, rather than sitting in a register that nobody reads until the next audit.

For those looking to deepen their understanding of how ISO 9001 clauses fit together, the article on ISO 9001 clauses explained in plain English provides a useful overview of the full standard structure.

Building Competence in Auditing Clause 8.7

Whether you are an internal auditor preparing to audit your own organisation's nonconforming output process, or a quality manager wanting to understand what a certification auditor will examine, practical training makes a real difference. Reading the standard tells you what is required. Practising audit techniques in realistic scenarios tells you how to find out whether requirements are actually being met.

At Audit Workshop, our ISO 9001 Internal Auditor and Lead Auditor courses cover Clause 8.7 in the context of real audit scenarios, including how to plan the audit of operational clauses, how to conduct floor walks effectively, and how to write findings that are clear, evidence-based, and actionable. Our trainer Dilawar Laghari has conducted over 500 external ISO certification audits and brings that direct experience into every session. If you are working towards your auditor credentials or simply want to audit more effectively, our courses are designed for practitioners who want skills they can use immediately.

Frequently Asked Questions

A nonconforming output is any product, service, or other output from an operational process that does not meet its specified requirements. This includes physical products with defects, services delivered incorrectly, documents containing errors, and software that does not perform as required. The clause applies to any output that fails to conform to the requirements established for it, whether those requirements come from the customer, the organisation, regulatory bodies, or the standard itself.