The ISO9001 Quality Management Standard is by far the most popular of the management system standards produced by ISO, with around a million organizations certified to it worldwide. It provides an assurance both to the organization itself and to its customers and regulators that quality is front and centre of the way things are done and that continual improvement is at work. In this blog we look at the requirements of ISO9001 and summarise what must be done to become certified to this well-regarded standard.
Since its last update in 2015, ISO9001 has followed what is known as the “Annex SL” structure of management system standards. After a foreword and introduction, the ISO9001 standard document is organized into clauses numbered 1 to 10. The requirements themselves are contained in clauses 4 to 10 (clauses 1 to 3 are basically supporting information) and can generally be recognised by the use of the word “shall”, for example “The organization shall establish, implement, maintain and continually improve a quality management system,” (from Clause 4.4).
Annex SL is a common definition of headings and wording that must be used across all standards that have a management system at their heart, such as ISO14001 (environmental management), ISO27001 (information security) and ISO45001 (occupational health and safety). This structure dictates that the requirements of the standard (the things that must be complied with if certification is to be achieved) are contained under the following major headings:
In order to understand the requirements of ISO9001 let’s take a look at each of these clauses of the standard in turn.
This clause is about understanding as much as possible about the organization itself and the environment in which it operates. The key point about the QMS is that it should be appropriate and relevant to the specifics of the business it relates to. To ensure this, the people implementing and running the QMS must be able to answer questions about what the organization does, where, how and who for (plus many others). Within this clause, ISO9001 requires that four items are defined.
First, the external and internal issues that affect the success of its objectives; for example, an external issue might be the economic outlook and an internal issue might be employee relations.
Second, the interested parties of the quality management system (QMS) and how they interact with it.
Third, the scope of the QMS – that is, what’s included and excluded, such as offices and departments. This needs careful consideration. If your organization is small, it usually makes sense to place everything it does within the scope, because it is often more difficult to manage a limitation to the scope than to simply cover everything.
Lastly, this clause asks you to define the processes involved in the QMS and what’s needed to make them run smoothly.
The leadership clause of the standard is about showing that top management are serious about the QMS and are right behind it. They may do this in various ways. The first is by demonstrating management commitment; partly this is by simply saying that they support the QMS in meetings, in articles in internal and external magazines, in presentations to employees and interested parties etc. and partly by making sure the right resources and processes are in place to support the QMS, for example people, budget, management reviews, plans etc.
The second way for top management to show they are serious about the QMS is to ensure that there are appropriate policies in place. These need to be signed off by top management and distributed to everyone to whom they might be relevant. Generally, most organizations take one of two approaches to policy creation: they either go for a single, all-encompassing quality policy or they go for a more modular approach with individual policies used to address specific issues. There isn’t a single right answer for how to structure policies in the context of the ISO9001 standard; the main point is that whatever you do choose to state in your policies, you can show that it is being communicated, understood and followed within the organization.
Lastly, top management need to make sure that everyone involved in the QMS knows what their role(s) and associated responsibilities and authorities are. Remember to ensure that quality is included in the day-to-day responsibilities of existing roles rather than trying to create a parallel organization structure just for quality management; it needs to be business as usual not an add-on.
Remember also that demonstrating leadership is an ongoing process, not a one-off activity solely during implementation.
Top management is required to show that they support the QMS and the standard provides a list of ways that they can do this, with customer focus being given special emphasis.
The general ethos of the ISO9001 standard is to be proactive in managing quality, and a central concept in this is the risk-centred approach. This involves considering what could go wrong and then taking steps to do something about it in advance rather than waiting for it to happen. The standard points out that not everything that happens is necessarily negative and that there may be positive “opportunities” along the way too.
A risk assessment needs to be conducted to analyse and evaluate the impact and likelihood of various events occurring. This will give you the opportunity to do something about those risks that are both likely and have a significant impact, i.e. to treat the risks. Once the risks have been identified, assessed and evaluated, an action plan to address the risks is created. The key point to remember in treating risk is that it is a trade-off. Few organizations have limitless funds, and so the money spent in treating risk needs to result in a larger benefit than the cost.
Within the planning clause of the standard we also need to set out what the QMS is intended to achieve and how it will be done. In terms of the QMS there are two main levels of objectives. The first is the high-level objectives set out when defining the context of the QMS. These tend to be quite broad and non-specific in order to describe why the QMS is necessary in the first place and these objectives probably won’t change much. The second level of objectives is more action-oriented and will refer to a fixed timeframe. The plan sets out specific objectives, including how success will be measured, the timeframe and who is responsible for getting it done.
It’s important to keep the QMS up to date, so changes to it need to be thought about and implemented carefully. Changes could be as a result of unexpected events such as a pandemic, or based on reasonable notice, for example with amended legislation or regulation.
Covering resources, competence, awareness, communication and documented information, this clause describes some of the background areas that need to be in place for the QMS to function properly. The standard simply requires that adequate resources are provided for the QMS to function effectively. This is really a test of the level of management commitment as described earlier.
You will need a method of defining the competences needed, possibly by conducting a survey of the people involved in the implementation and running of the QMS, collating the results and then reporting on those areas in which further training or knowledge needs to be gained. You will need to ensure that appropriate records of training are kept and are available to view by the auditor.
The required quality awareness programme may be delivered in various ways, including at specially arranged events or at regular team meetings, depending on the timescale required and the opportunities available. Note that the focus of this is awareness rather than detailed training and that anyone with a more involved role to play in the QMS may need more in-depth training.
Specific procedures may be required relating to business-as-usual communication with internal and external parties about quality-related issues.
Documented information required by the standard must be controlled, which basically means keeping it secure, managing changes to it and ensuring that those who need it have access to it.
Clause 8 is where the main part of the ISO9001 standard sits, and a long list of requirements covers how products and services are defined, designed and developed, produced, released and managed. This will take some effort to interpret in the context of your specific organization and its products and services, to understand exactly what is needed for conformance to the standard. But in essence you will need a fully thought-through end-to-end process in which customer requirements are effectively turned into finished product or service. And don’t forget the role of external parties in that process too. This clause is where you’re likely to (justifiably) spend the most time and likely get the most benefit.
The performance evaluation clause of the standard is about how you determine whether the QMS is doing what it is supposed to do. The ISO9001 standard does not tell you what you should measure. It simply requires that you be precise about what it is you have decided to measure and that you do something about it if your measurements show problems. It’s a good idea to create a documented procedure for the collection and reporting of each measurement because if it is done differently each time then the results will not be helpful.
Having chosen your measurements, you need to decide what “good” looks like: what numerical values would mean that performance is in line with expectations? Again, the definition of your objectives may need tweaking over time as you gain experience with taking the measurements and your QMS moves from implementation mode into ongoing operation mode.
The standard requires that there is an internal auditing programme in place which audits all aspects of the QMS within a reasonable period. If you embrace the idea of internal auditing as a useful early warning of any issues that might arise at external audit, then you won’t go far wrong. Internal audits should ensure that there are no surprises during the annual certification/surveillance audit, which should allow everyone a higher degree of confidence in the QMS.
Management review is another key part of the QMS which, if you get it right, will hold together everything else and make audits (internal and external) a relatively straightforward experience. The ISO9001 standard is specific about what these reviews should cover but it is less forthcoming about how often they should take place. This is one of those areas where you will need to try it and see what works for your organization; too often and it becomes an unacceptable administrative overhead; too infrequent and you risk losing control of your QMS. In all cases, every management review must be minuted and the resulting actions tracked through to completion.
Continual improvement used to get a lot more attention in previous versions of this and similar standards, but the requirements have now become considerably watered down, with only a general commitment needed to show conformity.
Despite the clause heading of “Improvement”, this section of the standard talks mostly about nonconformities and corrective actions. The ISO definition of a nonconformity is the rather general “non-fulfilment of a requirement” and since a requirement can be pretty much anything, it is best to bring any actions, requests, ideas etc. together in a single place and manage them from there.
If you’re feeling that this sounds like a lot of work then you’re not wrong – it is. But there must be a reason why that million organizations worldwide have gone to all of this effort, surely? Well, leaving aside the benefits of reassuring your customers about quality, there are many ways in which a QMS transforms your organization for the better and makes the effort seem worthwhile. Having a detailed look at what you do and how (and why) you do it will inevitably generate a lot of creative thought, out of which will come efficiencies, new ways of working, improved customer satisfaction and, ultimately, more sales. The trick in meeting the requirements is to think carefully about how they apply to your situation specifically, and how they will improve what you do. Chances are, if they don’t improve things, then you haven’t understood the requirements correctly.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, and has helped to implement, operate and audit ISO certifications over a varied 30-year career.
Published in June 2023 and updated in November 2023.
For more guidance on implementing the ISO9001:2015 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.