When listening to people talking about ISO9001 and the “quality management system” (QMS), you’ll often hear references to the Quality Policy (and other policies) and the need for procedures. Sometimes you could be forgiven for thinking that this is all ISO9001 is about (it isn’t) but it is true that this kind of documentation does play a central role in getting a QMS in place and making sure it runs effectively. So what are policies and procedures, why do we need them, and what do they look like?
There’s no two ways about it, ISO9001 says you must have a quality policy. In fact there’s a whole sub-clause about it (Clause 5.2) which helpfully tells you the areas it is required to cover. It has to:
The quality policy must be available as “documented information” (often a document such as a Word or PDF file, but it doesn’t have to be), and you must make sure that everybody who needs to (your interested parties) knows about it and has access to it, and that changes to it are controlled (for example using version numbering).
There are many other areas you can choose to cover in the quality policy, and we’ve previously written a blog on the ISO9001 Quality Policy, so I won’t repeat myself here. The point is that your quality policy should be your “shop window” for quality within your organization and clearly state the level of top management commitment to doing things to the right standard.
There are other topics you can create policies for within your QMS, and this is commonly done. This raises the question “what is a policy?”. In general terms it’s an opportunity for top management to state their intentions and direction in a particular area, but more specifically it may be thought of as the set of rules governing that area. So a policy covering responsible sourcing of raw materials might start with a statement of the organization’s commitment to fair trade and reducing environmental impact, and then go on to say that certain types of raw materials may only be bought from suppliers who are members of a fair trade alliance, or who meet certain conditions in areas such as worker rights.
In general, policies are mandatory, and not following the rules they describe can be cause for disciplinary action against an employee. Because of this, they must be written in clear language that distinguishes those parts that are indeed mandatory from those that allow for a degree of discretion or choice. Careful use of words such as “must”, “may” and “should” is required. Due to this need for clarity, policies are usually written down in a Word document (or similar) and communicated explicitly to the people who are expected to follow them.
So if a policy sets out the rules, what does a procedure do? In essence, the policy is the “what” (as in what must be done) and the procedure is the “how” (as in how should it be done). Achieving a set task will usually consist of a number of steps, each of which may need to be performed in a particular order, and often by a specified role. This makes writing down the procedures (that is documenting them formally) desirable for a number of reasons:
The sometimes-quoted impression that ISO9001 leads to lots of “red-tape” and unnecessary documentation is generally unfair, as making procedures more formal has big benefits once the initial pain of writing them down has passed.
One other useful component of your QMS, in addition to policies and procedures, is forms. Whereas policies and procedures are intended to define what and how something should be done, a form exists to capture the specific details of a run of a procedure and to create a record that something was done. Not all of your procedures will need a form and the information may be captured in many different ways, such as in computer applications instead, but there will be cases where having a separate document that can act as a form is useful. A form is effectively a template that can be used over and over again as particular transactions, guided by policies and procedures, occur. Going back to our earlier example of choosing a supplier according to our policy on responsible sourcing of raw materials, there may be a procedure that tells us how this is done, and a form that records the details of the supplier, who carried out the assessment, the findings of the assessment and the end result. This provides us with lasting evidence that an assessment was carried out and constitutes part of the audit trail.
Once you have decided which policies and procedures you need for your QMS (see our blog on ISO9001 Document Control for a list of required documented information), you will need to go about creating them. If you’re using the Certikit ISO9001 Toolkit as a starting point then much of the heavy lifting has already been done for you, but if not you will need to consider basic issues such as:
Once these have been decided you will need to get the most appropriate people involved in the document writing effort. For policies this is likely to be various levels of management, and for procedures the right people will be those currently performing the procedure. Writing skills vary, so you will need to decide how best to coordinate the creation of the documents, either by asking people to write them directly, or by using interviews to extract the information for an author to turn into documents for review and approval.
Policies and procedures are key parts of a QMS, and it is a worthwhile investment of time to get them right. Whilst it may seem like an uphill struggle to get people to write down activities they have been doing for many years, the value to the organization is significant, and they provide the framework on which quality improvements are built.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
CertiKit is a provider of the ISO9001 toolkit, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.
For more guidance on implementing the ISO9001:2015 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.