Every quality manager knows the moment: the auditor closes the quality manual, looks up, and says "show me a customer complaint from the last twelve months and take me through what happened." Whatever your procedure document says, the audit is decided by what you can show next.

This article translates the two clauses that govern that moment — 8.7 (control of nonconforming outputs) and 10.2 (nonconformity and corrective action) — into plain language, walks through the evidence an auditor actually samples, and lays out a complaint-handling workflow that satisfies both. It's a teaching article: if you're past learning the requirements and evaluating software for an ISO organisation, our ISO 9001 complaint management page covers that side.

1. Where complaints sit in ISO 9001

ISO 9001:2015 never uses the phrase "complaint management system", which is why some organisations convince themselves an inbox is enough. But complaints appear in three places, and together they define a complete loop:

Notice what that list implies: a compliant complaint process doesn't end when the customer stops shouting. It ends when the root cause is corrected, the correction is verified as effective, the records are retained, and the customer's satisfaction is measured afterwards.

2. Clause 8.7 in plain language — control of nonconforming outputs

Clause 8.7.1 says outputs that don't conform to requirements must be identified and controlled so they aren't used or delivered unintentionally. For a complaint, "identified and controlled" starts the moment the complaint is logged: the affected product, order or service is flagged, and the organisation takes one or more of the actions the clause lists:

Two further requirements are where audits are won or lost. First: when a nonconforming output is corrected, conformity must be verified again — someone has to check the fix, and that check must be a deliberate step, not an assumption. Second, clause 8.7.2 requires retained documented information that describes the nonconformity, describes the actions taken, describes any concessions obtained, and identifies the authority who decided the disposition. That last item is the one email trails almost never capture: who, by name and role, decided this complaint was resolved?

3. Clause 10.2 in plain language — nonconformity and corrective action

Clause 10.2.1 sets out what must happen when a nonconformity occurs — and it names complaints explicitly. Read as a checklist, the clause requires you to:

10.2.1RequirementWhat it means for a complaint
a
React & deal with consequences Take action to control and correct the nonconformity — contain the problem, fix or replace what the customer received, and handle the fallout (credit note, replacement dispatch, apology).
b
Evaluate the need for corrective action Review and analyse the nonconformity, determine its root cause, and check whether similar nonconformities exist or could occur elsewhere. This is where an 8D investigation and fishbone analysis live.
c
Implement the action needed Actually carry out the corrective action — a process change, a design change, a supplier action — not just record an intention.
d
Review effectiveness Come back later and confirm the action worked — the defect hasn't recurred, the complaint category hasn't spiked again. Closing the ticket is not reviewing effectiveness.
e
Update risks & opportunities If the complaint revealed a risk your planning missed, update your risk register or planning outputs accordingly.
f
Change the QMS if needed If the root cause was a weakness in the management system itself — a missing check, an ambiguous procedure — change the system, not just the product.

Then clause 10.2.2 adds the record-keeping duty: retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action. In complaint terms: the complaint, its classification, the investigation, the root cause, the action, and the effectiveness check must all be recorded — and retrievable years later.

One nuance worth teaching your team: the standard says corrective actions must be appropriate to the effects of the nonconformity. Not every complaint needs a full 8D. A one-off delivery grievance can be corrected and closed; a repeated field failure demands the full root-cause treatment. What matters is that the decision — "corrective action needed / not needed, and why" — is itself recorded.

4. Clause 9.1.2 — customer satisfaction and the CSI

Clause 9.1.2 requires you to monitor customers' perceptions of the degree to which their needs and expectations have been fulfilled, and to determine the methods for obtaining, monitoring and reviewing that information. Complaint-handling feedback is one of the most defensible methods available, because it's tied to real events rather than an annual survey nobody answers.

In practice, organisations satisfy 9.1.2 by scheduling a feedback request after each complaint or service ticket is resolved, capturing a rating, and rolling the ratings into a Customer Satisfaction Index (CSI) that management review can track over time. We've written a full guide to measuring and improving CSI — for this article, the point is simply that satisfaction monitoring is part of the same complaint loop, not a separate initiative.

"The auditor doesn't ask whether you resolved the complaint. They ask you to prove who verified the resolution — and when." — Fast Technology Team

5. What an auditor actually asks for

Certification and surveillance audits follow a predictable pattern on complaints. The auditor samples — they pick two or three complaints, often deliberately choosing an old one and a serious one — and then walks the trail. Expect questions like these:

  1. "Show me your complaint register." They want to see that every complaint is captured in one place, with an identity — a number, a date, a customer, a description.
  2. "Take me through this one." Who received it, how was it classified, who was assigned, what was the due date?
  3. "Where is the disposition?" What happened to the nonconforming product or service — corrected, returned, concession? Who informed the customer?
  4. "Where is the root cause?" For significant complaints: show the investigation, not just a free-text sentence. Fishbone, problem-solving report, cause categorisation.
  5. "Who verified closure?" Evidence that someone with authority checked the resolution before the ticket was closed — and that the handler didn't close their own work unreviewed.
  6. "How do you know the action was effective?" Recurrence data by category, past-trouble records, follow-up checks.
  7. "How does this feed your satisfaction monitoring and management review?" Complaint trends, feedback ratings, CSI — the 9.1.2 link.

Every one of those questions maps to a record. If the record exists as a by-product of how you work, the audit is a walkthrough. If it has to be reconstructed from inboxes the week before, it's a scramble — and experienced auditors can tell the difference immediately.

6. Why email and spreadsheet records fail audits

Most organisations that receive a complaint-handling nonconformity aren't ignoring complaints. They're handling them in tools that can't produce evidence. The failure modes are consistent:

Auditor's questionEmail / spreadsheet realityWhat the clause expects
Is every complaint captured?Complaints live in personal inboxes; whether one becomes a spreadsheet row depends on who received itA single register where every complaint gets an identity on arrival
Who owns this complaint?"Forwarded to Rajesh" — ownership is implied, not assignedA named owner recorded on the record, with reassignments visible
When did the status change?No status exists; progress is inferred from reply timestampsA retained status history — each lifecycle step, dated
Who authorised closure?The thread just… stops; spreadsheet cell changed to "Closed" by anyoneA verification step by an identified authority before closure (8.7.2)
Where is the root cause?A free-text cell: "operator error"A structured corrective-action record with cause analysis (10.2.1 b)
Can the record be altered?Rows can be edited or deleted without traceRetained documented information — protected, attributable, retrievable
Was the action effective?Nobody looks back; the same defect reappears in a new threadAn effectiveness review, recorded (10.2.1 d)

None of this means spreadsheets are forbidden — ISO 9001 is tool-agnostic. It means that with a spreadsheet, discipline is manual: every capture, every status note, every approval depends on a person remembering to write it down. Retained documented information that depends on memory is precisely what clause 7.5's control requirements exist to prevent.

7. A compliant complaint-handling workflow, step by step

Here is a workflow that satisfies 8.7, 10.2 and 9.1.2 together. It's the same eight-step lifecycle we describe in our complaint management pillar guide, annotated with the clause each step evidences:

#StepWhat happens — and which clause it satisfies
1
CaptureEvery complaint — phone, email, WhatsApp, walk-in — becomes a numbered record with customer, item/order link, description and attachments. (8.7.1 identification; 10.2.2 nature of the nonconformity)
2
Classify & prioritiseA category and priority set the due-date expectation and make later trend analysis possible. (10.2.1 b — "do similar nonconformities exist?" is only answerable if complaints are classified)
3
AssignA named owner takes responsibility; the assignment is recorded. (supports 8.7.2 — identifiable authority and actors)
4
Contain & dispositionThe nonconforming output is corrected, segregated, returned or accepted under concession; the customer is informed. (8.7.1 actions, recorded per 8.7.2)
5
Investigate root causeSignificant complaints escalate into a structured 8D / CAPA investigation — fishbone analysis, cause categorisation, past-trouble lookup. (10.2.1 b)
6
Correct & deployThe corrective action is implemented and, where relevant, deployed horizontally to similar products or processes. (10.2.1 c, and f where the QMS changes)
7
Verify & closeA supervisor — not the handler — verifies the resolution before the record moves to closed. Effectiveness is reviewed against recurrence. (8.7.1 re-verification; 10.2.1 d; 8.7.2 authority)
8
Capture feedbackFeedback is scheduled and captured after resolution; ratings roll into the CSI reviewed by management. (9.1.2)
Capture Classify Assign Disposition Root cause Correct Verify & close Feedback
Diagram mapping the eight complaint-handling steps to ISO 9001 clauses — capture to disposition under clause 8.7, root cause to verified closure under clause 10.2, and post-resolution feedback under clause 9.1.2

One complaint lifecycle, three clauses: 8.7 governs containment and disposition, 10.2 governs corrective action, 9.1.2 governs the satisfaction loop afterwards.

8. How Fast Complaint Software produces the evidence

Everything above can, in principle, be done on paper. The reason ISO organisations use complaint software is that it makes the evidence a by-product of doing the work rather than a separate documentation task. Here is how Fast Complaint Software maps to the clause requirements:

For ISO 9001 organisations

Walk into the audit with the records already written

Fast Complaint Software runs the whole loop this article describes — numbered complaint tickets, retained status history, supervisor-verified closure, linked 8D corrective-action records and post-resolution feedback rolled into a CSI. When the auditor says "show me a complaint", you open the ticket and read down the screen.

Every complaint captured as an auto-numbered ticket with attachments and an audit trail
Controlled Release step — a supervisor verifies before anything closes
8D, fishbone and past-trouble records linked to the originating complaint
See the ISO 9001 solution page
Which page do you need?

This article teaches the requirements — what clauses 8.7, 10.2 and 9.1.2 ask of any organisation. If you're an ISO-certified (or certifying) organisation comparing tools, the ISO 9001 complaint management page shows how Fast Complaint Software delivers each requirement, screen by screen.

9. Frequently asked questions

What does ISO 9001 clause 8.7 require for customer complaints?
That nonconforming outputs are identified and controlled so they aren't used or delivered unintentionally. The organisation must act — correction, segregation/containment/return, informing the customer, or acceptance under concession — and re-verify conformity after any correction. Clause 8.7.2 requires retained records describing the nonconformity, the actions taken, any concessions, and the authority who decided the disposition.
What does clause 10.2 require after a complaint?
Clause 10.2.1 requires you to:
  • React to the nonconformity and deal with its consequences
  • Evaluate the need for corrective action — review, root-cause, and check for similar nonconformities
  • Implement the action needed
  • Review the effectiveness of the corrective action
  • Update risks and opportunities if necessary
  • Change the quality management system if necessary
What records does clause 10.2.2 require?
Retained documented information evidencing the nature of the nonconformities and the actions taken, and the results of any corrective action. Practically: the complaint record, classification, investigation and root cause, the corrective action, the effectiveness review and the closure decision — all retrievable on demand.
Why do email and spreadsheet complaint records fail audits?
Because they can't prove capture completeness, ownership, status history, closure authority or corrective-action effectiveness. Inboxes are personal, spreadsheet rows are editable without trace, and neither produces the retained, attributable evidence clauses 8.7.2 and 10.2.2 demand — so audit preparation becomes manual reconstruction.
Does ISO 9001 require complaint management software?
No — the standard requires a controlled process and retained evidence, not any specific tool. But software makes the evidence automatic: numbered tickets, retained status history, supervisor-verified closure, linked 8D records and captured feedback. See what complaint management software does for the full picture.

See the audit trail on your own complaints

A 30-minute demo — your complaint categories, your workflow, and the exact records an auditor would ask you for, on screen.