The ISO9001 quality management standard is by far the most popular of the management system standards produced by ISO, with around a million organizations certified to it worldwide. It provides an assurance both to the organization itself and to its customers and regulators that quality is at front and centre of the way things are done and that continual improvement is at work. In this blog we look at the requirements of ISO9001 and summarise what must be done to become certified to this well-regarded standard.
Since its last update in 2015, ISO9001 has followed what is known as the “Annex SL” structure of management system standards. This is a common definition of headings and wording that must be used across all standards that have a management system at their heart, such as ISO14001 (environmental management), ISO27001 (information security) and ISO45001 (occupational health and safety). This structure dictates that the requirements of the standard (the things that must be complied with if certification is to be achieved) are contained under the following major headings:
In order to understand the requirements of ISO9001 let’s take a look at each of these clauses of the standard in turn.
Within this clause, ISO9001 requires that four items are defined. First, the external and internal issues that affect the success of its objectives; for example, an external issue might be the economic outlook and an internal issue might be employee relations. Second, the interested parties of the quality management system (QMS) and how they interact with it. Third, the scope of the QMS – that is what’s included and excluded, such as offices and departments. Lastly, this clause asks you to define the processes involved in the QMS and what’s needed to make them run smoothly.
Top management is required to show that they support the QMS and the standard provides a list of ways that they can do this, with customer focus being given special emphasis. There is then a need for a quality policy and a clear definition of the roles involved in the QMS and what they do.
Risk assessment is a key part of the ISO9001 standard and this clause requires that risks to the QMS (and also opportunities for it) are identified and actions taken to address them. There is also a need to set objectives and plan how they will be achieved, as well as carrying out changes in a planned way.
This clause covers a wide variety of requirements, including the resources needed to operate the QMS (such as people, infrastructure and monitoring), making sure that people are competent to carry out their roles, general awareness of the QMS and communication about it, through to how documentation should be created and maintained.
Clause 8 is where the main part of the ISO9001 standard sits, and a long list of requirements covers how products and services are defined, designed and developed, produced, released and managed. This will take some effort to interpret in the context of your specific organization and its products and services, to understand exactly what is needed for conformance to the standard. But in essence you will need a fully thought-through end-to-end process in which customer requirements are effectively turned into finished product or service. And don’t forget the role of external parties in that process too. This clause is where you’re likely to (justifiably) spend the most time and likely get the most benefit
Once you’ve completed the hard work of defining your processes, this clause asks you to consider how you will be able to tell if they are working properly. It also requires you to pay attention to what your customers think.
You’ll need to put an internal audit programme in place and hold regular management reviews to look at how your QMS is performing.
Having defined everything, there is a strong requirement to ensure that your QMS gets better over time and that anything that goes wrong (a “nonconformity”) is addressed promptly.
If you’re feeling that this sounds like a lot of work then you’re not wrong – it is. But there must be a reason why that million organizations worldwide have gone to all of this effort, surely? Well, leaving aside the benefits of reassuring your customers about quality, there are many ways in which a QMS transforms your organization for the better and makes the effort seem worthwhile. Having a detailed look at what you do and how (and why) you do it will inevitably generate a lot of creative thought, out of which will come efficiencies, new ways of working, improved customer satisfaction and ultimately, more sales. The trick in meeting the requirements is to think carefully about how they apply to your situation specifically, and how they will improve what you do. Chances are, if they don’t improve things, then you haven’t understood the requirements correctly.
For more detail on the requirements of the standard, download our free 30-page implementation guide.