Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

Ten Steps to Defining Your ISO9001 Scope

You will hear the term “scope” often used in relation to ISO9001, particularly when implementing a QMS (Quality Management System), when discussing what should appear on a certificate, and when evaluating suppliers’ ISO9001 claims. Scope is a fundamental concept which needs to be fully understood, as early mistakes in this area can have serious consequences further down the line.

ISO9001 scope checklist with pencil and clipboard

What Do we Mean by “ISO9001 Scope”?

The first point to be clear about is that there are several different areas in which the word “scope” is used in relation to ISO9001, and they all refer to slightly different things. The main ones are:

  • Scope of the ISO9001 standard – this is the heading of Clause 1 of the standard itself, which describes what the standard may be used for, and the fact that it is intended to apply to all organizations, large and small, and of all different types (such as private companies, public bodies and charities).
  • Scope of the quality management system – defines what’s covered by the QMS in terms such as the functions of the organization, geographical locations and products and services. This is the main area we’ll be addressing in this article.
  • Scope of ISO9001 certification – refers to what it says on the ISO9001 certificate, and what the certification body audits against. Often this is the same as the scope of the QMS, but it doesn’t have to be.
  • Scope of ISO9001 audit – when an audit (internal or external) is carried out it’s important that the areas covered are defined, perhaps in terms of business processes or clauses of the standard. It’s technically acceptable to spread audits over three years, so the scope of an individual audit may be quite limited.

In the rest of this article, we’ll be talking mainly about the scope of the QMS, but we’ll also touch on the scope of ISO9001 certification too.

So in basic terms, scope refers to the definition of what’s included and, by implication, what’s excluded from the QMS. Surprisingly, “scope” is not a defined term in the ISO9000 QMS – Fundamentals and vocabulary guidance standard that accompanies ISO9001, but the closest reference available is in the definition of the term “management system”:

3.4.3 management system

Note 3 to entry: The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

Clause 4.3 of ISO9001 is where you’ll find the requirements you need to meet with regard to determining your scope, and the first three of our suggested steps below relate specifically to those requirements.

Hopefully we’re a bit clearer about what scope is, but if you’re just starting your ISO9001 journey how should you go about defining it for your organization? To be truly confident that you’ve got it right, we’d suggest that going through the following ten steps will help.

Step 1 – Consider External and Internal Issues

The standard is clear that you will need to consider relevant external and internal issues when determining your scope, so this is a good place to start. This means thinking about what’s going on both outside your organization and within it and considering whether these issues affect how you should define your scope. Some hypothetical examples could be:

  • One of your international offices is in a country that is experiencing significant ongoing economic and political unrest, so you decide to exclude it from your scope until the issues are resolved (an external issue).
  • A business unit within your organization is being wound down and all the staff are being redeployed or made redundant; it doesn’t make sense to include this part of the company in your scope (an internal issue).
  • A product division is in the process of being sold to another company, so implementing a QMS within it at the moment is undesirable as the new owners may have their own plans (an internal issue).
  • Energy price rises are putting enormous pressure on the finances of the company, so resources are limited for a wider implementation of a QMS; a smaller scope may be more advisable at the moment (an external issue).

There are many other issues that could affect your decision about the scope of your QMS depending on the countries you operate in, your industry and the size of your organization, plus many other factors. Give these some serious thought.

Step 2 – Think About Interested Parties and their Requirements

The second factor the ISO9001 standard requires you to consider when defining scope is that of interested parties and their needs. To do this it’s useful to put yourself in the position of each interested party and think about what they would want to see included in the scope. For example, customers may want to see the products and services they buy from you included, while suppliers might want to see the supplier management process covered. Similarly, a regulator might take the view that the whole organization should be included so that overall quality is improved. This step is important to ensure that all the effort you put in to become certified means something to others.

Step 3 – Make Sure You Understand the Products and Services of your Organization

The only explicit requirement in Clause 4.3 of the ISO9001 standard for what must be included in the scope statement is the “types of products and services”. This means you will need to have a clear understanding of what your organization does and, in conjunction with the conclusions from the previous two steps, which products and services should be included. If the products and services provided are many and complex, then it may take some time to decide how to define the “types” that are within the scope of the QMS. Consider also whether the type definitions used internally within your organization are ones that interested parties such as customers will recognise, or do they know them as something different?

Step 4 – Assess Geographical Considerations

Related to Step 1, think carefully about whether you want to include all or some of your organization’s sites within the scope of your QMS. These could be within the same country, or there could be international considerations, as well as varying types of sites such as offices, depots and factories. If your organization is international there could be language considerations as well as internal resourcing, political and cultural differences that might affect whether it is desirable to include these sites within your initial QMS scope.

Step 5 – Ponder Any Organizational and Process Considerations

Your organization will have a structure, possibly consisting of discrete teams for areas such as human resources, information technology, finance, operations or product management. You don’t have to include all of these within the scope of your QMS and there may be good reasons to start with a subset of areas and possibly expand the scope out at a later date. Perhaps the management appetite for such an innovation is greater in some areas more than others, maybe resources are more available in particular teams, or quality is felt to need improving more in one area than another. This is also true of business processes; these may cut across organizational boundaries so be careful when deciding to exclude specific processes that you don’t fully understand.

Choose a scope that is most likely to give you a greater chance of success both in introducing a QMS and in running it long term.

Step 6 – Write a Draft Scope Statement

Ok, so you’ve considered all of the above factors in designing the scope of your QMS – what next? Well, you’ll need to write it down, if only because the ISO9001 standard requires you to maintain your scope as “documented information”. But putting it down on paper (or more likely, electronically) has the effect of distilling all of your thoughts and inputs into a defined form that can then be discussed, debated and improved.

As a simple example, here is CertiKit’s ISO9001 scope statement:

“The provision of document toolkit and related management services: email support, update and consultancy.”

Now we’re a small company with a single location and a focussed product range; if we were larger, had products in multiple languages and had offices in other countries it could look like this:

“The provision of English language document toolkits and related management services: email support, update and consultancy from offices in the UK.”

This would make it clear that our Spanish and French language toolkits were not covered by the QMS, nor were our offices in Madrid and Paris (remember this is an example, so don’t try to buy our French toolkit or visit our office in Madrid!)

Step 7 – Identify Non-Applicable ISO9001 Requirements

Once you have a draft of your QMS scope, it may be possible to identify specific requirements of the ISO9001 standard that are not applicable to that scope. This means that they are simply not relevant to your QMS as you have defined it, often because you have no need to carry out the processes involved. A common example is the need for measurement traceability (Clause 7.1.5.2) in the case that your organization simply doesn’t conduct activities that need to be measured using physical equipment, so there’s no need to calibrate or verify its accuracy. Another requirement that is often not applicable is product traceability (for example using serial numbers) as in some industries this simply doesn’t make sense.

Step 8 – Run it Past Your Chosen Certification Body and Top Management

If there’s going to be a problem with your chosen scope, it’s probably going to be raised by your certification body once you get to stage one of the external audit process. By then you will have put in a significant amount of work in getting your QMS in place so it’s not an ideal time to make adjustments. Instead, we suggest you approach the certification body you have selected as early as possible to check that there are no obvious issues with the scope you have defined. An approval will likely come with valid caveats that they don’t know your organization very well yet, but it’s still worth the discussion in order to head off any significant errors sooner rather than later.

Top management will play a big part in your QMS, so it’s important that they understand and agree with the scope of it. It will be worth explaining the thought process behind your definition so that they have a chance to question it. Once agreed, get some form of written confirmation such as an email so there’s no dispute later.

Step 9 – Make Sure Everyone Knows What the Scope is

The scope of your QMS is an important piece of information that needs to be communicated to everyone involved, including interested parties, those fulfilling roles within it and employees in general. This will be part of the awareness activities carried out in accordance with Clause 7.3 of the standard. Remember that it may be just as important to talk to those areas that are not included in your scope so that they understand why, and what the future plans are.

Step 10 – Stick to the Scope!

Lastly, having put all this effort into getting your QMS scope right, it’s vital that you avoid “scope creep” where gradually those areas you deliberately excluded start to drift into the QMS. If you become aware that this is happening it may be wise to formalise discussions about whether they should be included, either now or at a defined future time.

In Conclusion

By following these ten steps you should be able to define a scope statement for your QMS that accurately reflects what you’re trying to achieve by complying with the ISO9001 standard. Remember that what you leave out is often as important as what you include, and always keep the quality management principles (see Clause 0.2 of the standard) at the forefront of your mind.

 

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 


More ISO9001 Resources

CertiKit are a provider of ISO toolkitsconsultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO9001:2015 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free ISO9001 Resources

We’ve helped more than 4000 businesses with their compliance

Testimonials

Love the product, love the style, and especially the presentation. Every time I show it to executive levels, they are impressed with the overall view, and how it translates easily.

Net Road Show
USA

View all Testimonials