
ISO Guide – Clause 9: Performance Evaluation

When getting to grips with ISO (International Organization for Standardization) standards for the first time, you will notice that they are structured in clauses, a bit like a contract. This structure is common across all of the management system standards that ISO publishes, such as ISO9001, ISO14001 and ISO/IEC 27001, and is known as the “Annex SL” format or, more helpfully, the “High Level Structure”.

So, what we’re about to say applies to all of these standards whether we’re interested in quality management (ISO9001), environmental management (ISO14000) or business continuity (ISO22301). Note however that the Annex SL wording has evolved over time, so the exact format and wording of each standard depends not only on its subject, but also on when it was last revised.


Welcome to Clause 9 – Performance Evaluation

This clause plays a pivotal role in ISO management systems, as it centres on performance evaluation – the cornerstone of continual improvement. The clause includes the following subclauses:

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal Audit
  • 9.3 Management Review

Before we look at each of these in a little more detail, it’s worth familiarizing ourselves with key concepts such as monitoring, measurement, compliance, internal audit, and management review.

Key Concepts

It is important to note that the specific content and structure of clause 9 may vary slightly depending on the individual ISO management system standard. However, there are a number of key concepts that are commonly found within clause 9.

These concepts include:

  1. Monitoring, Measurement, Analysis, and Evaluation (MMAE): Clause 9 often emphasizes the need for organizations to establish processes for systematically monitoring, measuring, analysing, and evaluating their performance. This includes performance related to the management system and its objectives.
  2. Data and Information: Organizations are expected to collect relevant data and information to support their performance evaluation processes. This data may come from various sources, including internal and external factors.
  3. Performance Indicators and Metrics: ISO standards typically require organizations to define key performance indicators (KPIs) and metrics to assess the effectiveness and efficiency of their processes and the achievement of objectives.
  4. Internal Audit: Clause 9 includes requirements for conducting internal audits. These are essential for assessing compliance with the management system’s requirements and identifying opportunities for improvement.
  5. Management Review: the standards include a requirement for top management to periodically review the organization’s performance and the effectiveness of the management system. These reviews help in making informed decisions and driving continuous improvement.

Since the specific requirements and details of clause 9 can vary from one ISO management system standard to another, organizations implementing a specific ISO standard should refer to that standard’s specific requirements and guidelines for this clause.

So let’s now look at each of the subclauses.

Clause 9.1 Monitoring, measurement, analysis and evaluation

This subclause varies a little across the standards, for example in ISO9001 there is an extra subclause that deals with customer satisfaction, ISO14001 has a subclause that deals with evaluation of compliance, and in ISO27001 and ISO22301 there are no subclauses at all.

Monitoring and measurement are the bedrock of performance evaluation. They involve systematic data collection and analysis to gauge the performance of processes, products, or services.

Monitoring involves the systematic and ongoing collection of data about your processes, products, or services. It’s like having a real-time view of what’s happening. On the other hand, measurement involves quantifying this data to make it meaningful, for instance measuring customer satisfaction using a numerical scale. Monitoring and measurement together ensure that you have accurate information to make informed decisions and identify areas for improvement.

Clause 9.1 generally requires the organization to determine:

  • What needs to be monitored and measured
  • The methods for monitoring, measurement, analysis and evaluation needed to ensure valid results
  • When the monitoring and measuring is performed
  • Who does the monitoring and measuring
  • When the results are analysed and evaluated
  • Who does the analysing and evaluating

But some of the standards go into more detail in specific areas. ISO9001 requires you to also look at:

  • Conformity of products and services
  • Degree of customer satisfaction
  • Performance and effectiveness of the QMS
  • If planning has been implemented effectively
  • Effectiveness of actions taken to address risks and opportunities
  • Performance of external suppliers
  • The need for improvement to the QMS

ISO9001 adds in requirements to do with customer satisfaction, which is a critical factor in evaluating the effectiveness of an organization’s quality management system. This involves understanding the needs and expectations of customers, monitoring their perceptions, and taking necessary actions to enhance their satisfaction levels. This subclause (9.1.2 in ISO9001) emphasizes the importance of establishing processes for obtaining and using customer feedback to drive improvements, such as:

  • Understanding Customer Needs: Identify and comprehend the requirements, preferences, and expectations of customers regarding products or services.
  • Feedback Collection: Establish systematic methods for collecting feedback from customers. This can include surveys, complaints, comments, or any other relevant channels.
  • Feedback Analysis: Analyse the collected feedback to identify trends, recurring issues, and areas of improvement.
  • Customer Perception Monitoring: Regularly assess how customers perceive the organization’s performance in meeting their needs and expectations.
  • Response to Feedback: Implement processes for addressing customer feedback, including handling complaints, resolving issues, and implementing corrective actions where necessary.
  • Continuous Improvement: Use customer feedback as a basis for making improvements to products, services, and processes.
  • Link to Overall Performance: Recognize that customer satisfaction is a key indicator of the overall performance of the quality management system.
  • Documentation and Records: Maintain records of customer feedback, actions taken, and improvements made. This documentation is crucial for demonstrating compliance with ISO 9001.

Some of the ISO standards (ISO14001 and ISO45001 particularly) require you to evaluate your compliance. This process involves systematically checking your organization’s adherence to applicable legal requirements and other requirements relevant to your products and services. This might involve conducting regular reviews of your organization’s compliance documentation, identifying gaps, and ensuring corrective actions are taken when necessary.

Clause 9.2 Internal Audit

This clause is much more uniform across the various standards, and is divided into two subclauses:

  • 9.2.1 General
  • 9.2.2 Internal audit programme

Internal audits are a critical component of performance evaluation and are explicitly outlined in Clause 9.2. This clause requires organizations to conduct internal audits at planned intervals to provide information on whether the management system conforms to the organization’s own requirements, the requirements of the ISO standard, and whether it’s effectively implemented and maintained. For instance, an internal audit might involve assessing whether your quality management system complies with the ISO standard and your organization’s specific quality procedures. Nonconformities discovered during the audit should trigger corrective actions.

There is a mandatory requirement that you document an audit programme.

Let’s look at the subclauses themselves.

Clause 9.2.1 General

This subclause simply states that the organization must carry out internal audits at planned intervals to provide data on whether the management system:

  • Conforms to the organization’s requirements for its management system, which include its Policy and Objectives and the requirements of the standard
  • Is effectively implemented and maintained

So this sets the scene in terms of what you’re trying to achieve.

Clause 9.2.2 Internal Audit Programme

Under the requirements of this subclause, the organization must:

  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits
  • define the audit criteria and scope for each audit
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process
  • ensure that the results of the audits are reported to relevant management
  • take appropriate correction and corrective actions without undue delay
  • retain documented information as evidence of the implementation of the audit programme and the audit results

This means that we’re planning out our audits, and we have a process for carrying them out efficiently, whilst acting on their findings.

9.3 Management Review

Management review is a systematic process and a pivotal aspect of performance evaluation, and it’s specified in Clause 9.3. This clause mandates that top management reviews the organization’s management system at planned intervals to ensure its continuing suitability, adequacy, effectiveness, and alignment with strategic direction. During these reviews, you might assess the achievement of the management system’s objectives, customer feedback, and the performance of your processes. This information is invaluable for making data-driven decisions and ensuring that your management system remains aligned with your organizational goals.

The clause is common across all the standards; however, some of the inputs and outputs vary depending upon the actual management system, and in the case of ISO14001 and ISO45001 the sub-clauses are rolled into a single subclause.

For the other standards, particularly ISO9001 and ISO27001, the requirements are split across three sub-clauses:

  • 9.3.1 General
  • 9.3.2 Management review inputs
  • 9.3.3 Management review results or outputs

Clause 9.3.1 General

Top management must review the organization’s management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization (the latter part of that sentence is a variation specifically within ISO9001).

For an organization that is just certifying to an ISO standard, it is generally recommended to conduct a management review meeting at least twice a year for the first full cycle of your certification. This will give you the chance to ensure that objectives and internal audits are on track and to identify any trends that may impact upon the management system. After your recertification you can, if you want, move to an annual review, but ideally not the week before your surveillance or recertification audits!

Clause 9.3.2 Management Review Inputs

These inputs vary across the standards as there are specific items to review that are pertinent to them. However there are some common inputs across all the standards and these include:

  • Status of actions from previous management reviews
  • Changes in external and internal issues that are relevant to the management system
  • Extent to which objectives have been achieved
  • Information on the performance and effectiveness of the management system and any trends
  • Adequacy of resources
  • Risks and opportunities

Clause 9.3.3 Management Review Outputs

The outputs from the management review include:

  • Opportunities for improvement
  • Any needs for changes to the management system
  • Resources needed
  • Actions, if needed

There are of course some variations on outputs that are dependent upon the actual management system. For example, in ISO22301 (Business Continuity Management Systems) there are output requirements such as:

  • Variations to the scope of the BCMS
  • Update of the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans
  • Modification of procedures and controls to respond to internal or external issues that may impact the BCMS
  • How the effectiveness of controls will be measured

This information must be documented and retained as evidence of the reviews.

Let’s Summarise

So, in summary, clause 9 drives you to examine your management system, analyse its efficiency and effectiveness, and identify opportunities for improvement, thus giving you confidence that you are on the right track. Remember that applying the principles of performance evaluation within ISO management systems can lead to substantial improvements in your organization’s efficiency and effectiveness.


Written by Ken Holmes and Ted Spiller

Ken is CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

Ted is CertiKit’s Compliance Consultant, and an expert in many ISO management systems; he is a Lead Auditor for ISO27001, ISO9001 and ISO14001 and Auditor for ISO45001 and ISO22301.

