Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO9001 Gap Analysis – How To Guide

Ok, so you’ve decided that this is the year that you implement ISO9001 within your company. Maybe it’s because your customers are demanding it, maybe it’s because you believe it will make your company better, or perhaps it’s due to the fact that all of your competitors seem to have it. Whatever the reason, now’s the time. But where do you start? The chances are your company is already doing many of the things that ISO9001 requires, and you don’t want to waste time reinventing the wheel. But equally, there are bound to be areas that you just haven’t got round to yet, and these could be a problem if you went for certification to ISO9001 right away. How do you find out? Enter the ISO9001 Gap Analysis.

Clipboard on yellow background to represent ISO9001 gap analysis

The ISO9001 Gap Analysis

A gap analysis (also called a gap assessment) is a way of measuring the difference between a current state and a desired future state. In this case the desired future state is conformity with the requirements of the ISO9001 standard. This means you’re going to need a copy of the standard document itself (see the ISO website) or the Certikit ISO9001 Enhanced Gap Assessment Tool which includes all of the requirements in a handy spreadsheet format.

In essence, you then need to go through each of the clauses of the standard and each of the requirements within them and give an opinion as to whether you currently do what it’s asking for. You will then be able to tot up the number of positive answers at the end and get a general idea of how compliant your organization is to ISO9001 at the moment. Not only that, but the list of requirements that you were not able to say you already meet will form a starting action plan of things you need to do to get ready for certification. Sounds simple, but there are a number of issues that often crop up when doing an ISO9001 gap analysis yourself.

Common Issues

As you go through the standard, you may encounter some of the following concerns:

• Do the requirements apply to all of our organization, or just some parts of it?
• How can I be sure what the requirements mean when they are written in ISO-speak rather than plain English?
• How should I split the individual requirements out so that I can measure our conformity?
• What if we’re partially meeting a requirement?
• Are all of the requirements mandatory, or are some optional?

The answers to these questions could make a big difference to the end result and therefore the conclusions from your gap analysis. Let’s look at each of these points in turn.

Do the requirements apply to all of our organization, or just some parts of it?

This is referred to as “scope” of your quality management system (QMS) and it is up to you to define. Our previous blog on ISO9001 scope covers this, so I won’t go into more detail here, but suffice to say that you need to decide what your scope is before performing your gap analysis otherwise it will get very confusing, very quickly.

How can I be sure what the requirements mean when they are written in ISO-speak rather than plain English?

The language used in ISO standards has improved over time to the point where it is almost understandable. However, if you haven’t worked on a QMS previously and seen how the requirements relate to real life situations, then it can be frustratingly mystifying. Statements such as:

“The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by:”

become clearer as you work with the standard, but for someone who is new to ISO9001 the requirements can seem rather cryptic. For this reason, we would recommend that a gap analysis is carried out by someone with experience of ISO9001 who can act as an interpreter when needed.

How should I split the individual requirements out so that I can measure our conformity?

Beyond being grouped into clauses, the requirements of ISO9001 are not individually numbered, so it can be difficult to work out how to separate them out for a gap analysis. The key word to look for is “shall” as this indicates a mandatory requirement, but be aware that there are also many lists within the standard which stretch the requirements out into multi-faceted action points. This means that there are many more requirements than uses of the word “shall” because each item on a list is effectively a requirement too. There’s really no choice but to split them all out onto individual lines on a spreadsheet and assess each one in turn.

What if we’re partially meeting a requirement?

Of course, the requirements are not necessarily true or false and it’s possible that you’re partially meeting them to varying degrees. Because of this it’s tempting to include a “partial” answer in addition to “yes” and “no” when considering conformity to the standard. You could go further and include a numerical scale from 1 (not compliant) to 5 (fully compliant) if you chose to. However, if the intention is to assess whether you would be successful in certification to ISO9001 then this may not be that helpful as you either pass the auditor’s conformity test or you don’t (in which case a nonconformity would be raised). So unless you’re experienced with ISO9001 we’d recommend keeping it simple.

Are all of the requirements mandatory, or are some optional?

There are some requirements that may be flagged as “non-applicable” because they simply don’t make sense in your organization. These are fairly limited and you can’t simply choose which clauses you want to comply with without watertight justification. The common areas for non-applicability are around measurement traceability in Clause 7 and identification and traceability in Clause 8, but theoretically there could be others, depending on what your organization does.

Who Should Do It? – You Have Options

In considering how to achieve the gap analysis you usually have two main options. Either you perform it inhouse or you bring in a consultant to help you. Both options have advantages but remember that you will need a reasonable knowledge of the ISO9001 standard to make the exercise worthwhile and the results meaningful. If sufficient expertise and experience doesn’t exist inhouse then the external option may be the best for you. The alternative is to invest in some training but that may delay things and only take your knowledge so far.

Conducting the ISO9001 Gap Analysis

Once you’ve decided how you’re going to approach it, the gap analysis needs to be carried out at a stated point in time so that there is a reference point for later progress to be measured against. It may be appropriate to repeat the exercise at key stages within your QMS implementation, or to at least update it regularly as part of project reporting. If you’re calculating a rough percentage conformity as part of your gap analysis, then you may not need to wait until it’s 100% before going for certification. The auditor doesn’t have time to find every remaining gap so as long as the main aspects of the standard are in place you’re likely to achieve certification, even if it’s with the odd minor nonconformity raised.

Final Thoughts

An ISO9001 gap analysis can be a useful tool to kick off your QMS implementation and to keep track of progress on the way to certification. But achieving a balance between accuracy and complication is essential if the results are to remain credible within your team. Keeping the quality management principles laid out in the introduction of the ISO9001 standard (customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making and relationship management) in mind at all times will help to create a QMS that doesn’t just meet the requirements, but genuinely benefits your organization and its stakeholders.

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 


More ISO9001 Resources

CertiKit is a provider of the ISO9001 toolkit, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO9001:2015 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free ISO9001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

I like the fact that the documents are very comprehensive and more than sufficient for compliance.

Infoslips
South Africa

View all Testimonials