Major vs. Minor Finding During external ISO audit - Definitions

OK, I skimmed through several posts regarding the definition of major vs minor findings. I understand the definitions. The one area of my concern is where a number of minor nonconformances can rack up to one major. Who makes the decision on how many minors equal one major? Does each registrar define this, or is this an auditor preference/judgement?

My previous ISO auditor used his own judgement. My current ISO auditor insists that 3 minors in the same area automatically equals one major. I recently had a substitute auditor (from the same registrar) that said a major finding should result from multiple minors where the system breakdown can effect our performance with our customer.

I’ve heard of companies getting 99 minor findings but no majors. I get 3 minor findings and get slapped with a major. To me a major should indicate a system breakdown or the probable shipment of noncompliant product. I’ve taken major findings where there has been no breakdown but rather working with a system still young on the maturity cycle.

Some registrars might have established policies on this subject, but at the end of the day, it should be a judgement call by the audit team leader. Only s/he can make a sound decision if a non-conformity is severe enough that should be categorized as a major.

To have a pre-established threshold would be stupid. For example, if I find 6 obsolete documents being used during an audit, my conclusions would be different if I were auditing a small mom & pop shop with a few procedures, compared to a scenario if I were auditing a major manufacturing plant with thousands of command media documents.


The detmination of severity has to be risk based to be its most effective. Regardless of number the basic question “What could happen if…?” needs to be asked.

If there is a small number of “minor” NC’s in doc control and there is an indication of an increased probability of loss of total control, not meeting requirements, failure achieve customer expectations and an so on then a higher level of severity may be appropriate (Major).

On the other hand even if there are quite a few NC’s in doc control found but there is little potential for a ‘critical event’ then maybe the “minor’s” would be appropriate.

Ultimately if there is no specific guidance the decision rests with the Lead Auditor most of the time.

Think “risk”