
Addressing non-conformities

Addressing nonconformities in ISO 42001 follows Clause 10.2 (Nonconformity and corrective action), which requires you to react to the nonconformity and control it, evaluate its root cause, implement corrective action, review the effectiveness of that action so the problem does not recur, and retain documented information as evidence of each step. Auditors classify findings as observations (advisory, no corrective action required), minor nonconformities (isolated gaps against a clause or control) or major nonconformities (systemic failures, or an absent required control, which block certification). Certification bodies typically allow around 90 days after the audit to close minor nonconformities; majors must be closed and verified before a certificate is issued.

Step-by-step process

Follow this structured response to turn findings into certifiable fixes, documenting each step so it can be submitted as evidence.
  • Acknowledge and categorise: Review the audit report as soon as it arrives, logging each finding with its clause or control reference, a description, its severity and its impact. Prioritise majors first.
  • Contain immediate issues: Take quick action to limit harm (for example, pause a model shown to produce biased output), and document the containment steps and the rationale for them.
  • Root Cause Analysis (RCA): Use techniques such as 5 Whys, fishbone (Ishikawa) diagrams or AI-specific questioning (for example, was there data drift? did human oversight fail? was a control never implemented?) to identify the underlying cause rather than the symptom.
  • Develop corrective actions: Plan specific, measurable fixes proportional to severity (for example, update a procedure, retrain a model, add a human-in-the-loop (HITL) approval gate), and assign owners, timelines and resources to each.
  • Implement and verify: Execute the actions, re-test the affected controls (for example, rerun the bias tests) and gather fresh evidence such as updated logs, test reports or model cards.
  • Review effectiveness: Monitor for recurrence over 30 to 90 days, document the results and adjust as needed; feed the lessons learned into management review and the AI risk register.
Evidence to submit

Submit a formal response package to your certification body within its deadline, structured finding by finding. The evidence required depends on the finding type:

Minor: RCA report, action plan with dates and owners, proof of implementation (screenshots, logs, revised documents) and an effectiveness check.
Major: Everything required for a minor, plus the interim mitigations applied, a plan showing readiness for the follow-up audit or re-audit, and leadership sign-off.
Observation: Optional; either an action log showing what you chose to do, or a written acceptance justification with the risk rationale.
