Why has it been decided to issue a new version of ISO 9001?

Business needs and expectations have changed significantly since the last major revision of ISO 9001 in the year 2000. Examples of these changes are ever more demanding customers, the emergence of new technologies, increasingly more complex supply chains and a much greater awareness of the need for sustainable development initiatives.

Does ISO 9001 still apply to all organizations ?

The concept of the standard has not changed; it's applicable to any type of organization, regardless of the size, type or its core business.

How has the structure of the standard changed?

The structure has been changed to align with the common 10-clause high level structure developed by ISO to ensure greater harmonization among its many different management system standards.  The new revision to ISO 14001 will also adopt this same structure, which is built around the PDCA (Plan-Do-Check-Act) sequence. All ISO management system standards are now required to adopt this structure. This will make it easier for organizations to address the requirements of more than one ISO Management System Standard within a single, integrated system.

What are the main differences in content between the old and new version?

  • The adoption of the high level structure as set outin Annex SL of ISO Directives Part 1
  •  An explicit requirement for risk-based thinking to support and improve the understanding and application of the process approach
  • Fewer prescriptive requirements
  • More flexibility regarding documentation
  • Improved applicability for services
  • A requirement to define the boundaries of the QMS
  • Increased emphasis on organizational context
  • Increased leadership requirements
  • Greater emphasis on achieving desired process results to improve customer satisfaction

How have the documentation requirements changed?

Specific documented procedures are no longer mentioned; it is the responsibility of the organization to maintain documented information to support the operation of its processes and to retain the documented information necessary to have confidence that the processes are being carried out as planned. The extent of the documentation that is needed will depend on the business context.

The standard does not mention a quality manual. Is it still required?

A quality manual is no longer specifically required. The new standard requires the organization to maintain documented information necessary for the effectiveness of the quality management system (QMS). There are many ways to do this and a quality manual is just one. If it is convenient and appropriate for an organization to continue to describe its quality management system in a quality manual then that is perfectly acceptable.

Why has management review been moved to performance evaluation? (9.3)

The sequence of the new version of ISO 9001 is based on the Plan, Do, Check, Act cycle and so, in order to evaluate quality management system performance, it makes sense for management review to follow the measurement of the system performance.

The title of management representative has been removed. How is the performance of the system reported to top management?

Although the prescriptive title of a management representative has been deleted, it is up to top management to ensure that the roles and responsibilities are assigned for reporting on the performance of the QMS. Some organizations might find it convenient to maintain their current structure, with a single person carrying out this role. Others might take advantage of the additional flexibility to consider other structures depending on their organizational context.

Why has product been changed to products and services?

ISO 9001:2008 already made it clear that the term product in the previous version of the standard also includes service, so there is no impact in practical terms. The term products and services is now used throughout the standard to reflect the far greater use of the standard outside of the manufacturing sector, and to emphasize its applicability in the service industries.

What is risk-based thinking and why has it been introduced into the standard?

The phrase risk-based thinking is used to describe the way in which ISO 9001:2015 addresses the question of risk. The concept of risk has always been implicit in ISO 9001, by requiring the organization to plan its processes and manage its business to avoid undesirable results. Organizations have typically done this by putting greater emphasis on planning and controlling processes that have the biggest impact on the quality of the products and services they provide. The way in which organizations manage risk varies depending on their business context (e.g. the criticality of the products and services being provided, complexity of the processes, and the potential consequences of failure). Use of the phrase risk-based thinking is intended to make it clear that while an awareness of risk is important, formal risk-management methodologies and risk assessment are not necessarily appropriate for all business situations and organizations. 

What has been changed in terms of planning?

ISO 9001:2015 requires the organization to address risks and opportunities, quality objectives and planning of changes throughout the organization. As new products, technologies, markets and business opportunities arise, it is to be expected that organizations will want to take full advantage of these opportunities. This has to done in a controlled manner, and be balanced against the potential risks involved, which could lead to undesirable side-effects.

Are organizations still allowed to exclude requirements of ISO 9001?

ISO 9001:2015 no longer refers to “exclusions” in relation to the applicability of its requirements to the organization’s quality management system. However, an organization can determine the applicability of requirements. All requirements in the new standard are intended to apply. The organization can only decide that a requirement is not applicable if its decision will not affect its ability or responsibility to ensure the conformity of products and services and the enhancement of customer satisfaction.

What is the process approach and is it still applicable to ISO 9001:2015? 

The process approach is a way of obtaining a desired result, by managing activities and related resources as a process. Although the clause structure of ISO 9001:2015 follows the Plan-Do-Check-Act sequence, the process approach is still the underlying concept for the QMS. 

What are the benefits of the new version of ISO 9001?

  • Less prescriptive, but with greater focus on achieving conforming products and services
  • More user friendly for service and knowledge-based organizations
  • Greater leadership engagement
  • More structured planning for setting objectives
  • Management review is aligned to organizational results
  • The opportunity for more flexible documented information
  • Addresses organizational risks and opportunities in a structured manner
  • Addresses supply chain management more effectively
  • Opportunity for an integrated management system that addresses other elements such as environment, health & safety, business continuity, etc.

specific clauses in the standard

What is meant by the context of the organization? (4)

This is the combination of those internal and external factors that affect an organization's approach to the way in which it provides products and services that are delivered to its customer.  External factors can include, for example, cultural, social, political, legal, regulatory, financial, technological, economic, and competitive environment, at the international, national, regional or local level.  Internal factors typically include the organization’s corporate culture, governance, organizational structure, technologies, information systems, and decision-making processes (both formal and informal).

 What are the needs and expectations associated with interested parties? (4.2)

The organization will need to determine the interested parties that are relevant to the quality management system and the requirements of those interested parties, as outlined in clause 4.2. This does not extend past the quality management system requirements and the scope of this International Standard.  As stated in the scope, this International Standard is applicable where an organization needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.

What is meant by organizational knowledge? (7.1.6 )

Organizational knowledge is knowledge specific to the organization; it is generally gained by experience. It is information that is used and shared to achieve the organization’s objectives. Requirements regarding organizational knowledge were introduced for the purpose of safeguarding the organization from loss of knowledge and encouraging the organization to acquire new knowledge as its business context changes.

Documents and records have been replaced by documented information.  What does this mean? (7.5)

Documentation, documents and records are now collectively referred to as documented information. Where that documented information might be subject to change (as in the case of procedures, work instructions, etc), organizations are required to MAINTAIN the information up-to-date; where the information is not normally subject to change (for example records) the organization is required to RETAIN that information. 

Why has Purchasing changed to ‘Control of externally provided processes, products and services’? (8.4)

This change reflects the fact that not all products, services or processes that an organization acquires are necessarily purchased in the traditional sense. Some may be acquired from other parts of a corporate entity, for example, as part of a shared pool of resources, products donated by benefactors or services provided by volunteers.

What has happened to validation of processes or what used to be called special processes? (8.5)

Although there is no longer a standalone sub-clause, this requirement continues, and has been incorporated into the sub-clause on control of production and service provision. (Ref. 8.5.1)

What is meant by post delivery activities and what is the extent of an organization’s responsibility? (8.5.5)

This means that based on customer agreements or other requirements, the organization may be responsible for providing support for their products or services after delivery. This could include, for example, technical support, routine maintenance, or in some cases recall.

What is the difference in the standard between improvement and continual improvement?  (10)

ISO 9001:2008 used the term continual improvement to emphasize the fact that this is an ongoing activity. However, it is important to recognize that there are a number of ways in which an organization may improve. Small step continual improvement is only one of these. Others may include breakthrough improvements, re-engineering initiatives or innovation. ISO 9001:2015 therefore uses the more general term improvement, of which continual improvement is one component, but not the only one. 

1. What are ISO 9000 Quality Management Standards?

The ISO 9000 standards are internationally recognized management concepts, principles and practices that have been formalized into a set of standardized requirements for a quality management system (QMS). These standardized requirements define controls that focus on improving an organization’s ability to deliver products or services that:

Consistently meet customer’s quality requirements Meet applicable regulatory requirements Enhance customer satisfaction Achieve continual improvement of its performance in pursuit of these objectives. The ISO 9001 standard focuses on improving an organization’s management sytem and processes. It does not specify any requirements for product or service quality. Customers typically set product and service quality requirements. However, the expectation is that an organization with an effective ISO 9001 based QMS will indeed improve it’s ability to meet customer and regulatory requirements.

ISO 9001requirements are complementary to contractual and applicable regulatory requirements. Those implementing a QMS conforming to ISO 9001 must ensure that the specific requirements of their customers and regulatory agencies are met.

2.0 What are the ISO 9000 family of standards?

The ISO 9000 QMS series comprise the following three documents:

ISO 9000:2005 Quality management systems - Fundamentals and vocabulary. This is a guidance document that defines the concepts, principles, terms, definitions and relationships that form the basis for quality management. ISO 9001:2008 Quality management systems - Requirements. This document is the standard that defines a generic set of requirements for organizations wishing to develop a quality management system.This is the only standard to which an organization may obtain certification. Because requirements are generic and not specific, organizations have flexibility in tailoring their quality management systems to fit their business, culture and risks. To get an in-depth understanding of this key standard, read this free eBookUnderstanding ISO 9001:2000. ISO 9004:2000 Quality management systems - Guidelines for performance improvements. As the title indicates, this is a guidance document for organizations wishing to move beyond the requirements of ISO 9001, in pursuit of continual improvement of overall business performance. Its use is not intended for certification or contractual purposes. 3.0 Who does ISO 9001 apply to? The ISO 9001 standard is generic and meant to be applied to all organizations, without regard to their business, size, profit or no-profit, or whether in the private, or public sector.

In the past few years, industry groups have developed sector specific applications of the ISO 9001 standard. These include the automotive, aerospace, environmental, telecommunications, health and safety, etc. All these sector-specific standards incorporate the full requirements of ISO 9001 as their foundation and then add new requirements or amplify ISO requirements.

4.0 What are the benefits of implementing aneffective QMS based on the ISO 9001 standard?

Benefits include: External Improves customer confidence and satisfaction in an organization’s QMS capability and consistency in meeting requirements. Improves conformity to quality requirements Increases competitive edge and market share Increasingly recognized as a requirement for contractual relationships in the global arena. Internal Improves business efficiency and productivity Reduces organizational waste, inefficiencies, and defects Facilitates continual improvement in business processes and customer satisfaction Improves process consistency and stability Facilitates employee competence and consistency of performance Improves employee motivation and empowerment through improved participation
communication and interaction Generates objective evidence to support the assessment of QMS conformity and effectiveness Improves supplier performance by developing relationships that foster cooperative interaction in understanding and fulfilling customer requirements.

5.0 Why is ISO 9001 Important?

It is a powerful business tool for organizations to significantly improve the effectiveness and efficiency of their operation leading to enhanced customer satisfaction and profitability. However, to reap the benefits listed above, an organizations top management must adapt it as a strategic initiative in achieving its business goals.

This means providing the leadership, commitment, resources, structure, policies, decision-making, culture and environment for QMS deployment and maintenance. Additionally, the standard was designed to be used as a tool for continual improvement in conjunction with technology and other business improvement tools.

6.0 What Are ISO 9001 Requirements?

The standard covers five broad categories or clauses, each of which include several sub-clauses. The five categories are:

Quality Management System - sets requirements to identify, plan, document, operate and control an organization’s QMS processes and to continually improve QMS effectiveness.

Management Responsibility - sets requirements for top management to demonstrate its leadership and commitment to develop, implement and continually improve the QMS.

Resource Management - sets requirements to determine, provide and control the various resources needed to operate and manage QMS processes; to continually improve QMS effectiveness; and to enhance customer satisfaction by meeting customer requirements

Product Realization - sets requirements to plan, operate and control the specific QMS processes that determine, design, produceand deliver an organization’s product and services.

Measurement, Analysis and Improvement - sets requirements to plan, measure, analyze and improve processes that demonstrate product and QMS conformity and continually improve QMS effectiveness.

7.0 How and why is the ISO 9001:2000 standard generic?

“Generic” means that the standard can be applied to any organization without regard to an organization’s business, size, profit or no-profit, or whether it’s in the private or public sector.

“Generic” also signifies that no matter what the organization’s nature and scope of activity, the standard provides the organization flexibility to develop a QMS that meets applicable requirements of the standard.

8.0 What is Quality management?

“Quality management” refers to a management system that focuses on the policies and controls established by an organization to ensure that its products or services satisfy the customer’s quality requirements and comply with any regulations applicable to those products or services.

9.0 How can ISO 9001 help you select and manage a supplier?

When you purchase products or services from a supplier, you have two risks to consider:

The risk in the quality of the product or service you are purchasing The risk in the supplier’s ability to consistently provide the quality desired. For the first risk - as the customer, you must specify criteria and quality objectives for the product. Through the use of your own QMS, you then verify that delivered product conforms to your specifications.

For the second risk - you may want the supplier to have management system controls. How much control? To answer this, you need to consider the following questions:

What specific products (goods or services) do you wish to purchase? What impact do these products have on the products you make? What are the risks to your business if you experience problems with these products? What do you know about the reputation and past performance of your supplier?

ISO 9001 provides requirements for the purchasing process that your organization can implement, to develop and improve relationships with suppliers. These requirements relate to:

Establishing criteria and quality objectives for the specific products or services you wish to purchase And QMS controls that you may want your supplier to develop. The standard allows flexibility in the nature and scope of product and system controls you wish to impose on each supplier.

The above considerations help you in establishing appropriate supplier selection and approval ranging from selective ISO 9001 controls being imposed to full third party certification. This is in addition to initially establishing criteria and quality objectives for the product or services you wish to buy.

There are various ways in which your supplier can claim that its quality management system meets the requirements of ISO 9001:2000. These include:

Supplier’s declaration of conformity: Your supplier makes a declaration affirming that its QMS meets ISO 9001 requirements, usually supported by legally-binding signatures. This declaration can be based on your supplier’s internal audit system, or on second party or third party audits;

Second party assessment: your supplier is audited directly by its customer (e.g., by you, or by another customer, whose reputation you respect) to check if its QMS meets ISO 9001 requirements and your own requirements - sometimes used in contractual “business-to-business” transactions;

Third party certification: your supplier uses an accredited Certification Body (Registrar) to audit and verify it’s conformity to ISO 9001:2000 requirements. This third party then issues a certificate to your supplier describing the scope of its QMS, and confirming that it conforms to ISO 9001:2000.

11.0 Does ISO 9001:2000 certification ensure you get quality product on a consistent basis from your suppliers?

When an organization is certified to ISO 9001:2000,this means that the Certification Body (CB) has verified the organizations QMS’s conformity to ISO 9001 requirements. The objective is to provide the organization’s management and its customers, confidence that it is in control of its operations. While this confidence logically extends to the products and services provided,ISO 9001:2000 does not define product-specific requirements. Therefore, QMS certification does not translate into a product guarantee.

The onus remains on an organization to verify product quality. Work with your suppliers to improve their QMS and consequently leading to improved product quality performance. In the meantime, you may have to perform some verification of purchased product based on past history of the suppliers performance.

12.0 How should you handle a complaint with your supplier?

There are several steps that an organization may take with increasing levels of escalation:

Notify your supplier through your QMS corrective action process of the specific issues underlying your complaint. Work with them in getting a speedy resolution to the complaint. Your supplier is obliged to investigate your complaint, and should take appropriate actions to avoid or reduce the chances of it reoccuring.

If, however, your supplier continues to provide non-conforming products, does not address your complaint, or does not take appropriate corrective actions, then this may be an indication of problems with their quality management system. Work with their quality management representative in resolving the complaint and QMS issues.

If you are still not satisfied with your suppliers response, and if they are certified, notify their Certification Body (CB) of your complaint. You can find the certification body’s name by looking at your supplier’s certificate. The CB will investigate the problems during their surveillance audits of your supplier’s QMS, or, in critical cases, may decide to carry out an additional specific investigation.

If you do not receive a satisfactory response from the CB, and if it is accredited, you should complain to the relevant accreditation body. Details of any such accreditation will appear on your supplier’s ISO 9001:2000 certificate. If you have difficulty in getting this information, you can consult the list of accreditation bodies who are members of the International Accreditation Forum on the IAF website ().

Note that as a purchaser, you can take legal action against your supplier concurrently with the above actions.

Remember that whenever possible, you should consider having alternative suppliers as part of your risk management or contingency planning. Then if all else fails with your specific complaint, the use of an alternative supplier is your safety net.

13.0 What is ISO 9001 Certification?

ISO 9001:2000, “certification” refers to the issuing of written assurance (the certificate) by an independent, external body (the Certification Body) that has audited an organization’s QMS and verified that it conforms to the requirements specified in the standard. “Registration” means that the auditing body then records the certification in its client register.

The organization’s QMS has therefore been both certified and registered. For practical purposes, the difference between the two terms is not significant and both are acceptable for general use. “Certification” is the term most widely used worldwide, although registration (from which “registrar” as an alternative to certification body) is more commonly used in North America, and the two are also used interchangeably.

14.0 What is Accreditation?

Accreditation refers to the formal recognition by a specialized body - an accreditation body (AB)- that a certification body (CB) is competent to perform ISO 9001:2000 certification in specified business sectors. In simple terms, accreditation is certification of the CB. Certificates issued by accredited CB’s, known as “accredited certificates”, may be perceived on the market as having increased credibility. Therefore, it is okay to state that your organization has been “certified” or “registered”, but inaccurate to state that it has been “accredited” (unless your organization is a certification/registration body).

15.0 What is the ISO 9001 certification process for an organization?

Most Certification Bodies (CB’s) use the following process with slight variations:

1. Pre-assessment Before the actual certification audit, a CB auditor makes a preliminary visit of your facilities, briefly reviews your QMS documentation and conduct an informal check of the QMS implementation. In essence, this preliminary audit intended to uncover areas in your QMS that might need special attention. During the initial visit the audit scope and audit program is agreed upon, as well.

A Pre-assessment is an optional activity. It adds value in that it provides an organization with a clear view of the gaps in its state of readiness, a few months prior to the formal certifiction audit. More and more organizations now prefer experienced consultant auditors to do the Pre-assessments as they not just identify the gaps, but also provide solutions to correcting them. CB auditors may only report on the gaps, but are not allowed to provide solutions.

2. Documentation review The CB audit team evaluates your QMS manual to determine the adequacy of its scope and conformity to the requirements of the standard. The documentation review report summarizes any findings from this process. The report indicates if your organization is ready to proceed with the certification audit.

3. Certification audit During the certification audit, the CB audit team conduct interviews, examinations and observations of the system in operation. It provides the team essential information required for the certification process and assesses the degree of conformity of the QMS with the requirements of the standard. When found conforming, the CB issue the certificate of conformity to ISO 9001.

4. Surveillance audits Each issued certificate has a three-year life period. Upon certification, the CB create a periodic audit schedule for surveillance audits over the three-year period. These audits confirm the on-going compliance of the QMS with specified requirements of the standard. At least one periodic audit per year is required.

5. Re-certification audit After the three years are up, your certification will be extended through a re-certification audit.

16.0 Is ISO 9001 Certification compulsory?

ISO 9001 is a voluntary standard. Your organization can implement it solely for the internal benefits it brings in increased effectiveness and efficiency of your operations, without incurring the investment required in a certification programme.

Getting certification is a business decision that may be based on:

A contractual requirement from a customer as a condition for doing business Your organization’s overall risk management strategy Recognition of an organization’s efforts in developing an effective QMS A marketing tool for gaining a competitive edge in the marketplace Also review the benefits of having an effective QMS earlier on in this FAQ.

17.0 Who is authorized to carry out certification of organizations to ISO 9001?

The ISO organization is responsible for developing, maintaining and publishing the ISO 9000 and other families of standards. The ISO organization does not audit or issue certificates for conformity to any ISO standard.

The auditing and certification of QMS’s is carried out (independently of the ISO organization) by hundreds of certification bodies (CB’s) around the world. These CB’s issue ISO 9001:2000 certificates under their own responsibility and ISO does not control the activities of CB’s.

CB’s may in turn be accredited by Accreditation Bodies (AB’s). AB’s may in some countries, be the national standards institutes that make up ISO’s membership. AB’s carry out accreditation assessments, either on behalf of their respective governments, or as a business operation. The ISO organization has no authority to control such accreditation activities.

Note: Not all CB’s are accredited. Read our article on “ How to select a Certification Body”.

However, ISO’s Committee on conformity assessment, ISO/CASCO, develops standards and guidelines covering various aspects of accreditation/certification/conformity assessment activities for AB’s and CB’s. The voluntary criteria contained in these standards and guides represent an international consensus on what constitutes good practice. Their use contributes to the consistency and coherence of conformity assessment worldwide and so facilitates trade across borders.

18.0 What is the process for implementing ISO 9001?

The following is an overview of the key steps:

1. Get a copy of the ISO 9001 and ISO 9004 standards Familiarize yourself with the requirements and determine if certification to this standard makes good business sense for your organization.

2. Educate yourself There is a variety of training courses available to gain deeper insight into the requirements for system development, implementation and auditing. Also read up on the subject matter. The more you read, the more informed you will be in making choices and developing your QMS.

  1. Review consultant options Experienced and expert consultants can fast track your QMS program development and implementation with realistic and effective strategies and solutions in a cost effective and timely manner. We have the expertise to assist you. Call us for a no-obligation discussion of your needs.

4. Do a ‘Gap Assessment” A gap assessment is an audit of your current management system practices, controls and documentation, to determine the extent to which it conforms to those required by the ISO 9001 standard. While a trained in-house quality practitioner can do this, it is best done by an consultant (ex CB auditor), with the experience of hundreds of such audits. The audit findings are presented in an audit report along with recommendations to address the gaps. The Gap Assessment is the starting point for planning your management system development.

5. Plan - strategy, resources and project The adoption of an QMS is a strategic decision for the organization. It is vital that your top management provides leadership, resources, involvement and support. In addition, you need to assemble a team to develop and implement your QMS. You also need to plan your implementation steps, time line, responsibilities and resources needed.

6. Determine training needs Training will be needed at various levels of the organization. The nature and scope of training will vary according to each level. There are a wide range of courses, workshops, and seminars available designed to meet these needs. We provide a number of these training courses. Call us for more information.

7. Develop a QMS manual Your QMS manual should describe the QMS policies and processes and their interaction. Through the manual, you will provide an accurate description of the organization and the best practice adopted to consistently satisfy customer expectations.

8. Develop procedures and needed documentation Procedures describe the processes and activities of your organization, and the best practice for effective planning, operation and control of these processes.

9. Implement your QMS Work to your implementation project plan. Communication and training are key to a successful implementation. Monitor progress and get management support to overcome hurdles along the way.

10. Consider a pre-assessment Consider having a preliminary evaluation of the QMS documentation and implementation by a Consultant or certification body. The purpose of this is to identify areas of non-conformity and allow you to correct these areas before you begin the formal certification process.

11. Select a certification body Your business relationship with the certification body will be in place for many years, as your certification has to be maintained. Read our article on “Tips on selecting a Certification Body” before you select your CB.