ISO 9001 Requirements FAQ – Explains the 2015 revision
The ISO 9001 standard incorporates internationally recognized management concepts, principles and practices into a set of standardized requirements for a quality management system (QMS). These standardized requirements define controls that focus on improving an organization’s ability to deliver products or services to:
- Consistently meet customers’ quality requirements
- Meet applicable regulatory requirements
- Enhance customer satisfaction
- Improve its performance in pursuit of these objectives.
The ISO 9001 standard focuses on improving an organization’s management system and processes. It does not specify any requirements for product or service quality. Customers typically set product and service quality requirements. However, the expectation is that an organization with an effective ISO 9001 based QMS will indeed improve its ability to meet customer and regulatory requirements. ISO 9001 requirements are complementary to customers’ contractual and applicable regulatory requirements. Those implementing a QMS conforming to ISO 9001 must ensure that the specific requirements of their customers and regulatory agencies are met. In the past few years, industry groups have developed sector-specific applications of the ISO 9001 standard. These include the automotive, aerospace, environmental, telecommunications, health and safety, etc. All these sector-specific standards incorporate the full requirements of ISO 9001 as their foundation and then add new requirements or amplify ISO requirements. The following ISO 9001:2015 FAQ will explain broadly the changes, timeline for transition & other details.
Who is responsible for revising the ISO 9001 requirements standards?
The ISO Technical Committee no.176, Sub-committee no.2 (ISO/TC 176/SC2) is responsible for the revision process in collaboration with quality and industry experts nominated by ISO Member bodies, and representing all interested parties.
Why the need to issue a new version of ISO 9001 requirements?
ISO 9001 is subject to periodic review to determine whether it is still relevant in its application to the business environment and its needs. The review process determines what requirements need to be added, updated or discarded. The last review and update was in 2008. That change was considered minor and dealt with clarification of points already in the standard rather than the inclusion of new requirements. This latest edition of the ISO 9001 standard, ISO 9001:2015, Quality Management System – Requirements, is the 5th edition of the ISO 9001 standard since it was first published in 1987. This change is considered major and some of the reasons given include:
- The need to reflect and adapt to the increasingly dynamic and complex business environments in which organizations operate.
- Increasing cultural diversity of the workforce.
- The emergence of new technologies
- More complex supply chains.
- To ensure the new standard reflects the needs of all relevant interested parties
- Decrease the emphasis on documentation.
- Increase the emphasis on providing value for the organization and its customers.
- Recognize the risk management thinking underlying the preventive focus of previous versions of the standard to achieve objectives.
- Organizations that use multiple management system standards are increasingly demanding a common format and language that is aligned between those standards.
- Greater awareness of the need for sustainable development initiatives towards a consistent foundation for the future.
What are the potential benefits expected from the new version of ISO 9001?
- Less prescriptive, but with greater focus on achieving conforming products and services.
- More user friendly for service and knowledge-based organizations
- Greater leadership engagement
- More structured planning for setting objectives
- Management review is aligned to organizational results
- The opportunity for more flexible documented information
- Addresses organizational risks and opportunities in a structured manner
- Addresses supply chain management more effectively
- Opportunity for an integrated management system that addresses other elements such as environment, health & safety, business continuity, etc.
Does ISO 9001 still apply to all organizations – big, small, different sectors and different items – products, services?
The concept of the standard has not changed; it’s applicable to any type of organization – manufacturing, service and non-manufacturing; for profit or not for profit businesses, regardless of the size, type or its core business.
What are the key changes in the new ISO 9001 requirements standard?
- The adoption of a 10-clause structure and core text consistent with all other ISO management systems.
- Better compatibility with the service sector and non-manufacturing users;
- A need to clearly understand the organization and its context to avoid a “one size fits all” approach to QMS application and implementation;
- The recognition that while preventive action was implicit throughout the standard, there was need to make it more explicit through the application of risk-based thinking, i.e. the identification and associated mitigation, both at the strategic and operational levels.
- The need to consider additional factors in determining the boundaries and applicability of the QMS to establish its scope.
- Improving the understanding and application of the process approach through the application of risk-based thinking in conjunction with the context of the organization;
- Greater emphasis on achieving desired process results to improve customer satisfaction;
- A somewhat contentious change to the use of the term “documented information” from the terms “documents” and “records”; and secondly providing greater flexibility in the need for providing documented information;
- A change in terminology from the use of the terms “purchasing” and “outsourcing” to the term “externally provided products and services”;
- A wider scope has been put on seeking opportunities for improvement. While continual improvement still remains a requirement at the operational level to enhance customer satisfaction, the need for strategic improvements through break-through change, innovation, use of new technologies, reorganization and other means to significantly improve products, performance and customer satisfaction, has been added;
- The wording of Leadership requirements has been beefed up to put more specificity and emphasis on leadership requirements;
- More emphasis on change management throughout the standard;
- The need to establish and maintain the continuity of organizational knowledge;
- More specificity in requirements related to post-delivery activities;
- The scope of requirements to analyze and evaluate the data and information gathered from monitoring and measurement, while not widened, has been made more specific;
- The need to track trends in operational performance and customer satisfaction for management review;
- Further dampening down of manufacturing sector terminology for greater application and acceptability by the services and non-manufacturing sectors.
How has the structure of the standard changed?
The new structure is designed to align with the uniform 10-clause high level structure developed by ISO to facilitate greater harmonization among the many different ISO management system standards. The next revision to ISO 14001 will also adopt this same structure, which is based on the PDCA (Plan-Do-Check-Act) methodology. All ISO management system standards will now adopt this structure. This will make it easier for organizations to integrate the common requirements of more than one ISO management system standard within a single system. This should provide significant economies in terms of effort and cost in system development, implementation, maintenance and costs of certification. The following chart illustrates some of the key structural differences between ISO 9001:2015 and the current ISO 9001:2008:
|Structure Comparison Chart|
|ISO 9001:2015||ISO 9001:2008|
|2. Normative References||Normative References|
|3. Terms and definitions||Terms and definitions|
|4. Context of the organization||Quality Management System|
|5. Leadership||Management responsibility|
|6. Planning||Resource management|
|7. Support||Product realization|
|8. Operation||Measurement, analysis, and improvement|
|9. Performance evaluation|
Do we have to change our QMS structure and terminology to reflect the changes in the revised standard?
There is no requirement for the structure and terminology used in this Standard to be applied in developing and documenting an organization’s quality management system. Organizations can choose to use structure and terminology that suits their operations (e.g. using “records”, “documentation” or “procedures” rather than “documented information”; or “supplier”, “subcontractor” or “vendor” rather than “external provider”). The following table shows the major differences in terminology between this new edition of the Standard and the 2008 edition.
|Products and services||Products and services|
|Exclusions||Not used (See clause A.5 for clarification of applicability)|
|Management Representative||Not used (Similar responsibilities and authorities are assigned but no requirement for a single management representative)|
|Documentation, quality manual, documented procedures, records||Documented information|
|Work environment||Environment for the operation of processes|
|Monitoring and measuring equipment||Monitoring and measuring resources|
|Purchased product and services||Externally provided products and services|
The structure of clauses is intended to provide a logical presentation of requirements, rather than a model for documenting an organization’s policies, objectives and processes. It can be more relevant to the organization’s users if the structure and content of QMS documented information relates to the processes operated by the organization and information maintained for other purposes.
How has the ISO 9001 documentation requirements changed?
Specific documented procedures are no longer mentioned; it is the responsibility of the organization to maintain documented information to support the operation of its processes and retain the documented information necessary to have confidence that the processes are being carried out as planned. The extent of the documentation that is needed will depend on the business context.
The standard does not mention a quality manual. Is it still required?
The new standard does not specifically mention a quality manual; however, it requires the organization to maintain documented information necessary for the effectiveness of the quality management system (QMS). A quality manual is one of many ways to do this. An organization may find it quite convenient and appropriate to describe its quality management system in a quality manual.
Why has management review been moved to performance evaluation? (9.3)
The sequence of the new version of ISO 9001 is based on the Plan, Do, Check, Act methodology. Management review is a tool to evaluate the overall performance of the quality management system. So it makes sense for management review to come under performance evaluation after requirements for analysis and evaluation of quality management system performance.
The title of management representative has been removed. How is the performance of the system reported to top management?
Although the specific requirement for a management representative has been removed, top management must still ensure that roles and responsibilities are assigned for reporting on the performance of the QMS. Some organizations might find it convenient to maintain their current set-up and designations, with a single person carrying out this role. Others might take advantage of the additional flexibility to consider divvying up the responsibilities depending on their organizational setup.
Why has product been changed to product and service?
ISO 9001:2008 had already made it clear that the term product also includes service, so there is no impact in practical terms. The change is more to reflect the far wider use of the standard outside the manufacturing sector and to emphasize its applicability in the service industries.
What is risk-based thinking and why has it been introduced into the standard?
The phrase risk-based thinking is used by ISO 9001:2015 to introduce the requirement for addressing the question of risk and its control. The concept of risk has always been implicit in ISO 9001, by requiring the organization to plan and implement its processes and manage its business to avoid unwanted results. Organizations have typically done this by putting greater emphasis on planning and controlling those processes that have the biggest impact on the quality of the products and services they provide. The way in which organizations manage risk varies depending on their business context (e.g. the criticality of the products and services being provided, complexity of the processes, and the potential consequences of failure). Use of the phrase risk-based thinking is intended to make it clear that while addressing risk is important, formal risk-management methodologies and risk assessment are not needed for all business situations and organizations. For further information about risk-based thinking, see Annex A.
What has been changed in terms of planning?
ISO 9001:2015 has widened the scope of planning and now requires the organization to address risks and opportunities, quality objectives and planning of changes throughout the organization. As new products, technologies, markets and business opportunities arise, it is to be expected that organizations will want to take full advantage of these opportunities. This has to be done in a controlled manner, and be balanced against the potential risks involved that could lead to undesirable side-effects.
Are organizations still allowed to exclude requirements of ISO 9001?
ISO 9001:2015 no longer has a specific reference to “exclusions” in relation to the applicability of its requirements to the organization’s quality management system. However, an organization is still allowed to determine the applicability of requirements. All requirements in the new standard are intended to apply. Conformity to this standard can only be claimed if the requirement determined by the organization as not being applicable does not affect its ability or responsibility to ensure the conformity of products and services and the enhancement of customer satisfaction.
What is the process approach and is it still applicable to ISO 9001:2015?
The process approach is a methodology for obtaining a desired result, by managing activities and related resources as a process. Although the clause structure of ISO 9001:2015 follows the Plan-Do-Check-Act sequence, the process approach is still the underlying concept for the QMS. For further guidance, please refer to the Support Package module: Guidance on the Concept and Use of the Process Approach for management systems.
Alignment of the revised standard to the PDCA format (Plan, Do, Check, Act)
|PLAN||Clause 4 – Context of the organization; Clause 5 – Leadership; Clause 6 – Planning for the QMS; Clause 7 – Support|
|DO||Clause 8 – Operations|
|CHECK||Clause 9 – Performance evaluation|
|ACT||Clause 10 – Improvement|
What is meant by the context of the organization? (4.1)
This is the combination of relevant internal and external factors that affect an organization’s ability and approach to providing products and services to its customers. External factors can include, e.g., the cultural, social, political, legal, regulatory, financial, technological, economic, and competitive environment, at the international, national, regional or local level. Internal factors typically include the organization’s corporate culture, governance, organizational structure, technologies, information systems, and decision-making processes (both formal and informal). The standard requires that an organization determine which of these factors could impact its purpose, direction and quality management system and accordingly monitor and review these factors and use this information in determining the scope of the quality management system.
What are the needs and expectations associated with interested parties? (4.2)
The organization will need to determine the interested parties that are relevant to the quality management system and the requirements of those interested parties, as outlined in clause 4.2. However, there is no intent in this standard to broaden the scope of the quality management system to include meeting the needs and requirements of interested parties, other than customer and applicable regulatory requirements. Such a change would require a change to the scope of the standard which is not permitted by the mandate for this revision. The organization is required to identify these interested parties, monitor and review information about their needs and requirements that are relevant to the QMS and consider it in determining the scope of the QMS. The relevant interested parties other than customers, external providers or suppliers and regulatory bodies can include investors, top management, employees and their unions, the community and environment around the organization depending on it. The organization needs to interact with these parties on a periodic basis to understand their needs and expectations. As stated in the scope (clause 1), this standard is applicable to an organization when it needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.
|Interested Party||Needs and expectations|
|Customers||Quality, price, delivery, services|
|Regulatory bodies||Compliance with legal requirements|
|Employees||Good job environment; job security; recognition and reward|
|External Providers||Mutually lasting beneficial relationship|
|Community/Society||Environmental protection; ethical behavior|
What is meant by organizational knowledge? (7.1.6)
Organizational knowledge is knowledge specific to the organization; it is the accumulation of know-how and useful information relevant to the organization obtained through experience, improvement achieved, lessons learned and the application of technology and research. It is information that is used and shared to achieve and further the organization’s objectives. Requirements regarding organizational knowledge were introduced for the purpose of safeguarding the organization from loss of knowledge and encouraging the organization to acquire new knowledge as its business context changes.
Documents and records have been replaced by documented information. What does this mean? (7.5)
Documentation, documents and records are now collectively referred to as documented information. Where that documented information might be subject to change (as in the case of procedures, work instructions, etc.), organizations are required to maintain the information up to date; where the information is not normally subject to change (for example, records), the organization is required to retain that information. There is no requirement for the terms used by an organization to be replaced by the terms used in ISO 9001:2015 to specify quality management system requirements. Organizations can choose to use terms which suit their operations, e.g., records, documentation, protocols, etc. rather than documented information.
Why has Purchasing changed to ‘Control of externally provided processes, products and services’? (8.4)
This change reflects the fact that not all products, services or processes that an organization acquires are necessarily purchased in the traditional sense. Some may be acquired from other parts of a corporate entity, for example, as part of a shared pool of resources, products donated by benefactors or services provided by volunteers. Even with the changed and beefed up wording, the control requirements of this standard are essentially the same as in the 2008 version.
What has happened to validation of processes or what used to be called special processes? (8.5)
Although there is no longer a standalone sub-clause, this requirement continues, and has been incorporated into the sub-clause on control of production and service provision. (Ref. 8.5.1)
What is meant by post delivery activities and what is the extent of an organization’s responsibility? (8.5.5)
This means that based on customer agreements or other requirements, the organization may be responsible for providing support for their product or service after delivery. This could include, for example, technical support, training, on-site testing and start up and commissioning, field service, routine maintenance, or in some cases recall. All of these would typically be part of the contractual requirements agreed to with customers or in some cases may be required by regulatory bodies.
What is the difference in the standard between improvement and continual improvement? (10)
ISO 9001:2008 used the term continual improvement to emphasize the fact that this is an ongoing activity. However, it is important to recognize that there are a number of ways in which an organization may improve. Small step continual improvement is only one of these. Others may include breakthrough improvements, reorganization, re-engineering initiatives or innovation. ISO 9001:2015 therefore uses the more general term improvement, of which continual improvement is one but not the only component.
What is the transition time frame to comply with this revision?
There will be a three-year transition period from the publication date of ISO 9001:2015. Eighteen (18) months after publication of ISO 9001:2015, all accredited new certifications issued (initial certifications) shall be to ISO 9001:2015. Three years after publication of ISO 9001:2015, any existing accredited certifications issued to ISO 9001:2008 shall not be valid.
Guidance for transition
For the average ISO 9001:2008 certified company, the impact of the revised standard should be minimal and quite manageable. One of ISO’s goals is to seek greater inclusion for the ISO 9001 standard. They want to see it expand into new sectors and be more user friendly than it is now. Requiring a company to aggressively overhaul their current ISO 9001:2008 system is not consistent with this goal. For any organization the degree of change necessary will be dependent upon the maturity and effectiveness of the current management system, organizational structure and practices; therefore, an impact assessment is strongly recommended in order to identify realistic resource and time implications.
How will the revision affect my current certification?
Organizations using ISO 9001:2008
a) Current users
Organizations that are already certified to ISO 9001:2008 should contact their certification/registration bodies (CB/RB) to agree a program for analyzing the clarifications in ISO 9001:2015 in relation to their individual quality management systems and for upgrading their certificates. Certified organizations should bear in mind that ISO 9001:2008 certificates have the same status as new ISO 9001:2015 certificates during the co-existence period. Organizations in the process of certification to ISO 9001:2008 should change to using ISO 9001:2015 and apply for certification to it.
b) New users
New users should start by using ISO 9001:2015.
c) Industry Sector Schemes
All of the major sector-specific standards, including TS 16949, AS9100, and TL9000 have indicated their intentions to transition and continue their alignment with ISO 9001. The timelines for these other standard updates are not fully known at this time, but a 2016 publication date seems likely for all three. At present the only major standard that is not planning to continue its alignment to ISO 9001 is ISO 13485, which is in the midst of its own update with a targeted publication of early 2016. Users of specific sector schemes are recommended to refer to the organization that is responsible for that sector scheme, e.g. for:
- ISO/TS 16949 refer to the IATF (www.iatfglobaloversight.org)
- TL 9000 refer to the QuEST Forum (www.questforum.org)
- AS9100/EN9100 refer to IAQG (iaqg.org).
When do certification bodies (CBs or Registrars) need to update their accreditation to audit their clients to ISO 9001:2015?
The revised IAF Accreditation Rules 20 and 21 were published July 22, 2015. Each includes a timeline indicating when CBs need to complete required actions after publication of ISO 9001:2015:
|Critical Date||CB Required Action||Consequences of Failure|
|3 months after publication||Apply for transition||Suspension|
|6 months after publication||Achieve transition||Recommend suspension|
|9 months after publication||Achieve transition||Recommend withdrawal|
|Before or at the end of 3-year transition||All ISO 9001:2008 certificates expire.|
CBs are allowed to use the FDIS ISO 9001:2015 version of the standard to begin the transition process. However, no CB can grant or date an accredited certification to the new standard before the date on which the CB transitions its accreditation.
How should a certified organization prepare for the transition to the revised standard?
Until the revised standard’s projected publication date (target – September 23, 2015), organizations currently holding ISO 9001 certification should track the progress of the revision process as well as information regarding important changes to the standard. Once the revised standard has been published, certified organizations will need to carefully review changes in the standard and map out a process for implementing modifications to their existing quality management system to meet the new requirements. Organizations certified to ISO 9001:2008 are recommended to take the following actions:
- Top management should conduct a full QMS review to identify organizational gaps which need to be addressed to meet new requirements,
- Develop an implementation plan with assigned responsibilities,
- Provide appropriate training and awareness for all parties that have an impact on the effectiveness of the organization,
- Update existing quality management system (QMS) to meet the revised requirements and provide verification of effectiveness,
- A full system internal audit followed by a management review should be completed.
- Corrective Actions for all internal audit findings should be in process or complete.
- Where applicable, contact your certification body for transition arrangements.
How will the revised standard affect the employees of an organization?
This will depend on the extent of revisions that an organization may need to make to its quality management system, but generally it will be expected to provide some form of transition training to its staff. At a minimum, awareness training of the new standard should be provided, as well as an assessment of the new standard’s impact on the various processes and personnel. However, it is entirely possible that the majority of an organization’s workforce will feel little or no effect from the organization’s transition to ISO 9001:2015.
How will this revised standard affect auditors and their skills?
Moving from a prescriptive approach to a process based approach requires new thinking on how to audit. Even though the process based approach to QMS auditing was advocated as early as the ISO 9001:2000 edition, unfortunately, many certification body (registrar) auditors continue to use checklists aligned with the clauses from the standard. The writers of the ISO 9001:2015 standard are hoping that with the strengthening of the process based requirements, aligning the clauses to the PDCA methodology and addition of risk-based thinking, audits will take place through a series of in-depth discussions and analyses focused on the evaluation of risk identification of the QMS and its processes and related mitigation of risk to determine whether customers consistently receive their expected outputs or services. All QMS auditors, internal and external, must beef up their skills by receiving new training in the concepts, tools and methods for risk management and use this knowledge to investigate and evaluate conformity and effectiveness of processes and QMS outcomes in consistently meeting customer requirements. The training should also focus on the significant changes to the standard and highlight key areas such as the process approach, customer focus, interested parties, outcomes, and the integration of clauses when auditing a process.