Every quality manager knows the moment: the auditor closes the quality manual, looks up, and says "show me a customer complaint from the last twelve months and take me through what happened." Whatever your procedure document says, the audit is decided by what you can show next.
This article translates the two clauses that govern that moment — 8.7 (control of nonconforming outputs) and 10.2 (nonconformity and corrective action) — into plain language, walks through the evidence an auditor actually samples, and lays out a complaint-handling workflow that satisfies both. It's a teaching article: if you're past learning the requirements and evaluating software for an ISO organisation, our ISO 9001 complaint management page covers that side.
1. Where complaints sit in ISO 9001
ISO 9001:2015 never uses the phrase "complaint management system", which is why some organisations convince themselves an inbox is enough. But complaints appear in three places, and together they define a complete loop:
- Clause 8.7 — control of nonconforming outputs. When a customer complains that a product or service doesn't conform, that output must be identified, controlled, dispositioned and — if corrected — re-verified. This is the containment and disposition half.
- Clause 10.2 — nonconformity and corrective action. The standard explicitly includes nonconformities "arising from complaints". This is the react, root-cause, correct, verify effectiveness half — and the clause auditors spend the most time on.
- Clause 9.1.2 — customer satisfaction. You must monitor customers' perceptions of whether their needs and expectations are being met, and decide how you obtain and review that information. Complaint volumes, resolution feedback and a Customer Satisfaction Index are exactly the kind of evidence this clause expects.
Notice what that list implies: a compliant complaint process doesn't end when the customer stops shouting. It ends when the root cause is corrected, the correction is verified as effective, the records are retained, and the customer's satisfaction is measured afterwards.
2. Clause 8.7 in plain language — control of nonconforming outputs
Clause 8.7.1 says outputs that don't conform to requirements must be identified and controlled so they aren't used or delivered unintentionally. For a complaint, "identified and controlled" starts the moment the complaint is logged: the affected product, order or service is flagged, and the organisation takes one or more of the actions the clause lists:
- Correction — repair, rework, redo the service;
- Segregation, containment, return or suspension — stop the nonconforming output from going anywhere else;
- Informing the customer — tell them what happened and what you're doing about it;
- Obtaining authorisation for acceptance under concession — where the customer formally accepts the output as-is or with agreed deviation.
Two further requirements are where audits are won or lost. First: when a nonconforming output is corrected, conformity must be verified again — someone has to check the fix, and that check must be a deliberate step, not an assumption. Second, clause 8.7.2 requires retained documented information that describes the nonconformity, describes the actions taken, describes any concessions obtained, and identifies the authority who decided the disposition. That last item is the one email trails almost never capture: who, by name and role, decided this complaint was resolved?
3. Clause 10.2 in plain language — nonconformity and corrective action
Clause 10.2.1 sets out what must happen when a nonconformity occurs — and it names complaints explicitly. Read as a checklist, the clause requires you to:
| 10.2.1 | Requirement | What it means for a complaint |
|---|---|---|
a |
React & deal with consequences | Take action to control and correct the nonconformity — contain the problem, fix or replace what the customer received, and handle the fallout (credit note, replacement dispatch, apology). |
b |
Evaluate the need for corrective action | Review and analyse the nonconformity, determine its root cause, and check whether similar nonconformities exist or could occur elsewhere. This is where an 8D investigation and fishbone analysis live. |
c |
Implement the action needed | Actually carry out the corrective action — a process change, a design change, a supplier action — not just record an intention. |
d |
Review effectiveness | Come back later and confirm the action worked — the defect hasn't recurred, the complaint category hasn't spiked again. Closing the ticket is not reviewing effectiveness. |
e |
Update risks & opportunities | If the complaint revealed a risk your planning missed, update your risk register or planning outputs accordingly. |
f |
Change the QMS if needed | If the root cause was a weakness in the management system itself — a missing check, an ambiguous procedure — change the system, not just the product. |
Then clause 10.2.2 adds the record-keeping duty: retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action. In complaint terms: the complaint, its classification, the investigation, the root cause, the action, and the effectiveness check must all be recorded — and retrievable years later.
One nuance worth teaching your team: the standard says corrective actions must be appropriate to the effects of the nonconformity. Not every complaint needs a full 8D. A one-off delivery grievance can be corrected and closed; a repeated field failure demands the full root-cause treatment. What matters is that the decision — "corrective action needed / not needed, and why" — is itself recorded.
4. Clause 9.1.2 — customer satisfaction and the CSI
Clause 9.1.2 requires you to monitor customers' perceptions of the degree to which their needs and expectations have been fulfilled, and to determine the methods for obtaining, monitoring and reviewing that information. Complaint-handling feedback is one of the most defensible methods available, because it's tied to real events rather than an annual survey nobody answers.
In practice, organisations satisfy 9.1.2 by scheduling a feedback request after each complaint or service ticket is resolved, capturing a rating, and rolling the ratings into a Customer Satisfaction Index (CSI) that management review can track over time. We've written a full guide to measuring and improving CSI — for this article, the point is simply that satisfaction monitoring is part of the same complaint loop, not a separate initiative.
5. What an auditor actually asks for
Certification and surveillance audits follow a predictable pattern on complaints. The auditor samples — they pick two or three complaints, often deliberately choosing an old one and a serious one — and then walks the trail. Expect questions like these:
- "Show me your complaint register." They want to see that every complaint is captured in one place, with an identity — a number, a date, a customer, a description.
- "Take me through this one." Who received it, how was it classified, who was assigned, what was the due date?
- "Where is the disposition?" What happened to the nonconforming product or service — corrected, returned, concession? Who informed the customer?
- "Where is the root cause?" For significant complaints: show the investigation, not just a free-text sentence. Fishbone, problem-solving report, cause categorisation.
- "Who verified closure?" Evidence that someone with authority checked the resolution before the ticket was closed — and that the handler didn't close their own work unreviewed.
- "How do you know the action was effective?" Recurrence data by category, past-trouble records, follow-up checks.
- "How does this feed your satisfaction monitoring and management review?" Complaint trends, feedback ratings, CSI — the 9.1.2 link.
Every one of those questions maps to a record. If the record exists as a by-product of how you work, the audit is a walkthrough. If it has to be reconstructed from inboxes the week before, it's a scramble — and experienced auditors can tell the difference immediately.
6. Why email and spreadsheet records fail audits
Most organisations that receive a complaint-handling nonconformity aren't ignoring complaints. They're handling them in tools that can't produce evidence. The failure modes are consistent:
| Auditor's question | Email / spreadsheet reality | What the clause expects |
|---|---|---|
| Is every complaint captured? | Complaints live in personal inboxes; whether one becomes a spreadsheet row depends on who received it | A single register where every complaint gets an identity on arrival |
| Who owns this complaint? | "Forwarded to Rajesh" — ownership is implied, not assigned | A named owner recorded on the record, with reassignments visible |
| When did the status change? | No status exists; progress is inferred from reply timestamps | A retained status history — each lifecycle step, dated |
| Who authorised closure? | The thread just… stops; spreadsheet cell changed to "Closed" by anyone | A verification step by an identified authority before closure (8.7.2) |
| Where is the root cause? | A free-text cell: "operator error" | A structured corrective-action record with cause analysis (10.2.1 b) |
| Can the record be altered? | Rows can be edited or deleted without trace | Retained documented information — protected, attributable, retrievable |
| Was the action effective? | Nobody looks back; the same defect reappears in a new thread | An effectiveness review, recorded (10.2.1 d) |
None of this means spreadsheets are forbidden — ISO 9001 is tool-agnostic. It means that with a spreadsheet, discipline is manual: every capture, every status note, every approval depends on a person remembering to write it down. Retained documented information that depends on memory is precisely what clause 7.5's control requirements exist to prevent.
7. A compliant complaint-handling workflow, step by step
Here is a workflow that satisfies 8.7, 10.2 and 9.1.2 together. It's the same eight-step lifecycle we describe in our complaint management pillar guide, annotated with the clause each step evidences:
| # | Step | What happens — and which clause it satisfies |
|---|---|---|
1 | Capture | Every complaint — phone, email, WhatsApp, walk-in — becomes a numbered record with customer, item/order link, description and attachments. (8.7.1 identification; 10.2.2 nature of the nonconformity) |
2 | Classify & prioritise | A category and priority set the due-date expectation and make later trend analysis possible. (10.2.1 b — "do similar nonconformities exist?" is only answerable if complaints are classified) |
3 | Assign | A named owner takes responsibility; the assignment is recorded. (supports 8.7.2 — identifiable authority and actors) |
4 | Contain & disposition | The nonconforming output is corrected, segregated, returned or accepted under concession; the customer is informed. (8.7.1 actions, recorded per 8.7.2) |
5 | Investigate root cause | Significant complaints escalate into a structured 8D / CAPA investigation — fishbone analysis, cause categorisation, past-trouble lookup. (10.2.1 b) |
6 | Correct & deploy | The corrective action is implemented and, where relevant, deployed horizontally to similar products or processes. (10.2.1 c, and f where the QMS changes) |
7 | Verify & close | A supervisor — not the handler — verifies the resolution before the record moves to closed. Effectiveness is reviewed against recurrence. (8.7.1 re-verification; 10.2.1 d; 8.7.2 authority) |
8 | Capture feedback | Feedback is scheduled and captured after resolution; ratings roll into the CSI reviewed by management. (9.1.2) |
One complaint lifecycle, three clauses: 8.7 governs containment and disposition, 10.2 governs corrective action, 9.1.2 governs the satisfaction loop afterwards.
8. How Fast Complaint Software produces the evidence
Everything above can, in principle, be done on paper. The reason ISO organisations use complaint software is that it makes the evidence a by-product of doing the work rather than a separate documentation task. Here is how Fast Complaint Software maps to the clause requirements:
- Numbered tickets. Every complaint entered — or auto-logged from an inbound IVR call — becomes an auto-numbered ticket against the customer, linked to the item or order it concerns, with the problem description and photo attachments. That's clause 8.7 identification and the 10.2.2 "nature of the nonconformity" record, created at the moment of capture.
- Status history. The ticket carries a lifecycle status, and the status trail is retained — so "when did this move from in-progress to completed, and who moved it?" is answered by the record, not by memory.
- Supervisor Release verification. Closure runs through a controlled Release Complaint approval step: a supervisor verifies the resolution before the ticket closes, instead of the handler self-closing. That is 8.7's re-verification and the "authority deciding the disposition" evidence in one step.
- 8D / CAPA records. A complaint that reveals a real defect escalates into a structured investigation — fishbone diagram, problem-solving report, cause categorisation, past-trouble database and horizontal deployment — all referenced back to the originating ticket. That's 10.2.1 (b), (c) and the recurrence check, documented as it happens.
- Due dates, follow-up and escalation. Priority and due-date driven follow-up scheduling, with pending/ageing views and email/SMS alerts, evidences that you react in a controlled, timely way rather than when someone remembers.
- Retained feedback and CSI. After resolution, feedback is scheduled and captured with ratings, and the Feedback MIS rolls it into a Customer Satisfaction Index — your standing clause 9.1.2 evidence for management review.
Walk into the audit with the records already written
Fast Complaint Software runs the whole loop this article describes — numbered complaint tickets, retained status history, supervisor-verified closure, linked 8D corrective-action records and post-resolution feedback rolled into a CSI. When the auditor says "show me a complaint", you open the ticket and read down the screen.
This article teaches the requirements — what clauses 8.7, 10.2 and 9.1.2 ask of any organisation. If you're an ISO-certified (or certifying) organisation comparing tools, the ISO 9001 complaint management page shows how Fast Complaint Software delivers each requirement, screen by screen.
9. Frequently asked questions
- React to the nonconformity and deal with its consequences
- Evaluate the need for corrective action — review, root-cause, and check for similar nonconformities
- Implement the action needed
- Review the effectiveness of the corrective action
- Update risks and opportunities if necessary
- Change the quality management system if necessary
See the audit trail on your own complaints
A 30-minute demo — your complaint categories, your workflow, and the exact records an auditor would ask you for, on screen.
