When a gap between the system’s actual state and its declared compliance state is identified, whether through monitoring, assessment, or incident, the Conformity Assessment Coordinator logs it, assesses it, assigns it to an owner, tracks it to closure, and verifies the fix. This process applies to non-conformities identified during formal assessment and to gaps identified through continuous monitoring between assessment cycles.

The non-conformity management process within the QMS framework is distinct from the assessment-specific remediation workflow, though both follow the same seven-step pattern. The QMS process applies continuously; the assessment workflow applies during and immediately after formal assessment events. In practice, the same Non-Conformity Register serves both purposes, with entries categorised by their source (formal assessment, continuous monitoring, incident response, deployer complaint).

Jira or ServiceNow with pre-configured non-conformity workflows support this process. The non-conformity register is itself a compliance artefact demonstrating the organisation’s ability to identify and resolve gaps.

Key outputs

• Continuous non-conformity management (not assessment-only)
• Single register serving both assessment and ongoing monitoring
• Per-entry source categorisation
• QMS documentation and compliance evidence