ISO 9001 Low Res

Report
ISO 9001:2015
Understanding the International Standard
ISO 9001:2015 is set to be particularly
significant as a result of fundamental
changes to both its structure and its
contents.
Complying with the revised requirements

will present new challenges for quality and
audit professionals alike
© 2018 Chartered Quality Institute. All Rights Reserved
With support from Ideagen
Ideagen provides industry-leading electronic compliance

management solutions for use by quality and compliance
professionals around the world.
Ideagen is dedicated to promoting enterprise-wide quality

management through compliance of standards such as ISO 9001
and many more. Discover more at www.ideagenplc.com
ISO 9001:2015 I Understanding the International Standard v1.1

Contents
1. Introduction
2. Interpretation
3. Clause by clause evaluation
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
5. Annexes
6. Conclusion
www.quality.org
Introduction
For more than 20 years, the International Organization for
Standardization (ISO) has regularly conducted a survey that is designed
to provide an insight into the worldwide adoption of ISO’s management
system standards.
The latest edition (2014) reveals a healthy growth across the board for all management system standards
as at the end of 2013, with a total of 1.6 million certifications globally. Of these, 1.1 million were against ISO
9001, exceeding the total issued against all other ISO management system standards combined by a factor
of 3 to 1. Accordingly, any revision of ISO 9001 will have global implications based simply on numbers alone.
The 2015 release, however, is set to be particularly significant as a result of fundamental changes to both its
structure and its contents. Complying with the revised requirements will present new challenges for quality
and audit professionals alike.
Purpose of this report

This report examines the contents of the International Standard (ISO 9001:2015), translating each clause into
‘plain language’ before moving on to consider the implications of the clause from the perspective of those
entrusted with overseeing the operation of their quality management systems and those engaged in the audit
of quality management systems.
It is intended to assist both the Chartered Quality

Institute (CQI) and the International Register of
Certificated Auditors (IRCA) members in preparing “The changes arising as a result
for the new standard – preparation that can and of the adoption of Annex SL
should begin now. The changes arising as a result of the have been incorporated into ISO
adoption of Annex SL (previously known as ISO Guide 9001:2015”
83) have been incorporated into ISO 9001:2015, and
it is these changes that we believe will have the most
significant impact for both quality and audit professionals.
By raising awareness now, organizations and individuals can begin to develop their migration strategies.
What has happened?

The CQI was awarded Category A liaison status to ISO/TC 176, the Technical Committee responsible for
developing the new standard. This special recognition permitted the CQI to provide a collective response
on both the CD and the DIS directly to ISO/TC 176 on behalf of all of its members. In order to inform this
response, the CQI surveyed its members during July and August 2013 and July 2014 respectively.
The International Standard, ISO 9001:2015, was published in September 2015.
www.quality.org
Executive summary
The CQI has had direct access to ISO/TC 176, the Technical Committee responsible for updating the current
version of the standard, ISO 9001:2008. As such, we have had a specific insight into not only the content of
the new version but also the intention behind the content.
There has been some debate internationally about the implications of the proposed changes for both quality
and audit professionals. Some regard the changes as insignificant, taking the view that ISO 9001:2015 simply
introduces a number of requirements that were previously implied in ISO 9001:2008 but that were not
mandated.
The CQI and IRCA do not share this position. We remain convinced that those leading, managing and
auditing quality management systems will need to revise their current thinking and work in different ways in
order to maintain organizational compliance.
What has led us to this conclusion?

The changes incorporated into ISO 9001:2015 can essentially be divided into those that have arisen as a
result of the adoption of Annex SL as the basis for the standard and those that have arisen as a result of the
desire to improve current quality management specific requirements.
In the preface to the CQI and IRCA Annex SL Briefing Note (available free of charge to CQI and IRCA
members), we describe the introduction of Annex SL as “the most important management system event
since the introduction of ISO 9001”. Its adoption has implications for all those using management system
standards, be they standard writers, management system implementers, auditors or training providers.
Life has become easier for management system standard writers. They can now concentrate their efforts on
developing the discipline-specific requirements that will be focused on Clause 6 - Planning and Clause 8 –
Operation. Will this lead to shorter development times for ISO standards? Hopefully yes, but we will need to
wait to see if this proves to be the case in practice.
Implementers of management systems should find life easier too. Those seeking to introduce multiple
management systems (eg Energy, Environmental, Health and Safety) will have less work to do because the
structure and the core requirements of these are identical. This will simplify both the initial implementation
and the ongoing maintenance of such systems.
For management system auditors, the adoption of Annex SL means there is a generic set of requirements
that need to be assessed when conducting management system audits, irrespective of the discipline that is
being audited.
6 ISO 9001:2015 Understanding the International Standard

As a result of the above, we expect to see training organizations start to offer generic management system
auditing courses as alternatives to their currently offered discipline-specific ones. Those auditors wishing to
achieve sector-specific registration would then complete secondary modules to top up their earlier generic
training.
IRCA has already advised IRCA-Approved Training Organizations to adopt such an approach when designing
auditor transition training courses, and has reviewed and re-issued its core Foundation, Internal Auditor,
Auditor/Lead Auditor and Auditor Conversion courses in July 2015.
While the adoption of Annex SL will ultimately benefit all those who make active use of management system
standards, in the short term there will be challenges for those concerned with establishing, implementing,
managing or auditing against ISO 9001:2015.
The impact is likely to be greatest for practitioners and auditors rather than the organization itself, as many
of the new and enhanced requirements are things that organizations should be doing already – for example,
understanding the needs and expectations of stakeholders (referred to as “interested parties”).
The difference will be that these activities will have to be transparent and demonstrable, so organizations may
need to make some activities more evident than they currently are.
For those organizations already operating by the spirit

of ISO 9001:2008, the transition to ISO 9001:2015 “In the short term there will be
should prove relatively straightforward. Whereas, for challenges for those establishing,
those organizations that are simply complying with the
implementing, managing or
requirements of ISO 9001:2008 at the most basic level,
work will be required to address the current culture and auditing against ISO 9001:2015”
operation of the organization.
Culture can be described as “the way things are done around here”. However, this culture will have to
be reviewed and revised if necessary as a consequence of the adoption of Annex SL as the basis for ISO
9001:2015. This includes the behaviours of everyone connected with the quality management system, and, in
particular, of those operating at the most senior level within an organization.
Culture change can be notoriously difficult to effect and it is primarily for this reason that the CQI and IRCA
have taken the position that ISO 9001:2015 represents such a significant revision.
www.quality.org
Summary of principal changes – ISO 9001:2008 to
ISO 9001:2015
• ANNEX SL The new standard adopts the format and terminology of Annex SL. Annex SL was
developed to ensure all future ISO management system standards would share a common format,
irrespective of the specific discipline to which they relate. Annex SL prescribes a high-level structure,
identical core text, and common terms and core definitions. This means that even when requirements are
essentially unchanged between ISO 9001:2008 and ISO 9001:2015, these are frequently found under a
new clause/sub-clause heading.
• LEADERSHIP Clause 5, previously “Management Responsibility”, now becomes “Leadership”.

Top management are required to demonstrate that they engage in key quality management system
activities as opposed to simply ensuring that these activities occur. This means that there is a need for
top management to be actively involved in the operation of their quality management system. The
removal of all references to the role of “management representative” reinforces the requirement to see
quality management systems embedded into routine business operations, rather than operating as an
independent system in its own right with its own specialist management structure and processes.
• CONTEXT Two new clauses (4.1 and 4.2) are introduced relating to the context of the organization.
The organization is required to identify explicitly any external and internal issues that may impact their
quality management system’s ability to deliver its intended results. They must also understand the needs
and expectations of “interested parties” (or stakeholders) – those individuals and organizations that can
affect, be affected by, or perceive themselves to be affected by, the organization’s decisions or activities.
• SCOPE ISO 9001:2015 places a greater emphasis on the definition and content of the scope of the
quality management system than ISO 9001:2008 did. The scope sets the boundaries for, and identifies the
applicability of, an organization’s quality management system. Clause 4.3 requires scope to be determined
in consideration of the organization’s context.
• PROCESS APPROACH While ISO 9001:2008 promoted the adoption of a process approach
when developing, implementing and improving the effectiveness of a quality management system, clause
4.4 of ISO 9001:2015 sets out specific requirements considered essential to the adoption of a process
approach.
• RISK-BASED THINKING References to preventive action have disappeared. However, the core
concept of identifying and addressing potential mistakes before they happen very much remains. ISO
9001:2015 now talks in terms of risk and opportunities. The organization must evidence that they have
determined, considered and, where necessary, taken action to address any risks and opportunities
that may impact (either positively or negatively) their quality management system’s ability to deliver its
intended results or that could impact customer satisfaction.

• SERVICES The term “product” has been replaced by “products and services”. Previously, the inclusion
of services as products was implicit. By including explicit reference to services, the standard writers are
attempting to reinforce that ISO 9001:2015 is applicable to all organizations, not just those that provide
tangible products.
• IMPROVEMENT ISO 9001:2015 clause 10 recognises that incremental (continuous) improvement

is not the only improvement profile. Improvement can also arise as a result of periodic breakthroughs,
reactive change or as a result of reorganization. Thus, the title of this clause is now “Improvement” (ISO
9001:2008 8.5.1 was “Continual improvement”).
• EXTERNAL PROVISION The phrase “externally provided processes, products and services”
replaces “Purchasing” and “Outsourcing”. Clause 8.4 addresses all forms of external provision, whether
it is by purchasing from a supplier, through an arrangement with an associate company, through the
outsourcing of processes and functions of the organization, or by any other means. An organization is
required to take a risk-based approach to determine the type and extent of controls appropriate to each
external provider and all external provision of products and services.
• DOCUMENTATION References to requirements for a documented quality manual, documented

procedures and to quality records have been removed. Instead, throughout ISO 9001:2015 there are
specific references to “documented information”. This is information that the organization is required
to control, maintain and retain. How it wishes to record this information is up to the organization itself;
formats and storage methods are not prescribed in the standard.
• CLARITY There has been a conscious attempt to revisit the wording of the standard with a view
to making the requirements easier to understand and to aid its translation. Where requirements were
previously implied, the wording of the standard has been amended to make them explicit. Understanding
the organization and its context, the adoption of a process approach, and risk-based thinking are perhaps
the most significant examples but these are not the only instances, as a detailed examination of the
clauses confirms.
• TERMINOLOGY As in the 2000 and 2008 editions, the terms and definitions remain in the separate
standard - ISO 9000:2015. ISO has also made the terms and definitions available online: http://www.iso.
org/obp.
• ANNEXES ISO 9001:2015 has two informative annexes. Annex A provides clarification on the new
structure, terminology and concepts underpinning the standard. Annex B details the other International
Standards on quality management and quality
management systems developed by ISO/TC 176. “There has been a conscious
These are designed to provide assistance to an attempt to revisit the wording with
organization seeking to establish, implement, improve a view to making the requirements
or audit their quality management performance.
easier to understand”
www.quality.org
Key changes you do not need to make
Organizations do not need to:
• REMOVE their management representatives. While there is no requirement in ISO 9001:2015 for a
management representative, this does not prevent the organization from choosing to retain this role if
they so wish. Be aware, however, that some of the duties (responsibilities) traditionally assigned to the
management representative by top management will, in future, need to be undertaken directly by top
management themselves.
• RELEGATE their Quality Manuals and Documented Procedures to the dustbin. While ISO 9001:2015
has no requirement for the organization to have and use either a Quality Manual or Documented
Procedures, if this documentation is in place, needed and working well, there is no need for it to be
withdrawn.
• RENUMBER or rename existing QMS documentation to correspond to the new clause references.
Although an organization may choose to carry out a renumbering/renaming exercise, it is down to them
to determine whether the benefits gained from renumbering/renaming will exceed the effort involved in
actioning the change.
• RESTRUCTURE their management systems to follow the sequence of requirements as set out in the
standard. Providing all of the requirements contained in the standard are met, the organization’s system
will be compliant.
• REFRESH existing documentation to use the new terms and definitions contained within ISO
9000:2015. Once again, the organization is free to make the judgement as to whether this effort would
be worthwhile. If the organization is more comfortable using their own terminology, eg “records”
instead of “documented information”, or “supplier” rather than “external provider” then this is perfectly
acceptable.

Interpretation
The interpretations of requirements contained within this document are those of the CQI and IRCA – other
organizations may interpret the requirements of ISO 9001:2015 differently.
As such, this document should not be viewed as the definitive reference source for this International
Standard; indeed, only documentation sourced by ISO/TC 176 can fulfil this purpose.
Clause by clause evaluation

This next section of the report sets out to:
• simplify the requirements of each clause of ISO 9001:2015 into language that is easier to understand;
• identify whether each requirement is a new requirement or an amended version of an existing ISO
9001:2008 requirement;
• identify the implications of the requirement for quality professionals (quality managers, quality directors,
system implementers);
• identify the implications of the requirement for audit professionals.
Note: neither the CQI nor IRCA are permitted to reproduce the exact wording of the standard due
to copyright restrictions. Those individuals who need access to the exact wording should make their
own arrangements to source the standard from a legitimate supplier.
www.quality.org
Clause by clause evaluation
ISO 9001:2015
Foreword
While there have been only minor changes to the wording of the foreword, the most significant point to
note in this section are statements in the respective standards that set in context the magnitude of the
change we are about to experience in moving from ISO 9001:2008 and ISO 9001:2015.
• ISO 9001:2008 was issued “to clarify points” in the text of ISO 9001:2000 and to “enhance its
compatibility with ISO 14001:2004”.
• ISO 9001:2015, however, has been technically revised, through the adoption of a revised clause sequence
and the adaptation of the revised quality management principles and new concepts.
The detail of this report reinforces the fact that this is a major upgrade to the current version of ISO
9001; indeed, it is arguably the most significant revision since the standard was first published in 1987.
Introduction
0.1 General
The adoption of a quality management system is a strategic decision for the organization; it is not something
an organization is compelled to do.
Organizations face an increasingly dynamic and complex environment and consistently meeting requirements,
as well as trying to address future needs and expectations, poses a challenge. Adopting various forms of
improvement, such as breakthrough change, innovation and re-organization (in addition to the familiar
correction and continual improvement) should help organizations attain this objective.
Possible benefits of a QMS based on ISO 9001:2015 include the organization being able to:
• consistently provide products and services that meet customer and applicable statutory and regulatory
requirements;
• demonstrate conformity to specified QMS requirements;
• address opportunities to enhance customer satisfaction;
• address both risks and opportunities associated with its context, objectives and strategic direction.
We are reminded that the standard does not prescribe how the organization’s quality management system
should look. In particular it stresses that the organization does not need to use the language and structure of
the standard. Instead, the organization can address the requirements in the way that suits them best.

We are also reminded that the standard complements product and service standards and may be used by
both internal and external parties.
ISO 9001:2015 employs the process approach, which incorporates the Plan-Do-Check-Act (PDCA) cycle
and risk-based thinking.
0.2 Quality management principles

The standard states unequivocally that it is based on the seven Quality management principles. These reside
within ISO 9000:2015 where each is addressed in a standard template of: Statement, Rationale, Key benefits
and Possible actions.
0.3 Process approach

0.3.1 General
The emphasis placed on the process approach is significantly greater in the 2015 version of the standard than
in the 2008 version. ISO 9001:2015 still promotes the adoption of a process approach when developing,
implementing and improving the effectiveness of a quality management system, to enhance customer
satisfaction by meeting customer requirements.
Adopting a process approach enables an organization to plan and control its processes and their interactions
to enhance its overall performance. Holistic management of the system and its processes can be achieved
using the PDCA cycle (0.3.2) with an overall focus on risk-based thinking (0.3.3).
Using the process approach in a QMS facilitates:

• understanding and consistency in meeting
requirements;
“Risk-based thinking enables an
• viewing processes in terms of value-add; organization to address those things
that might cause the QMS to deviate
• achieving effective process performance;
from planned results”
• improving process performance based on analysis
and evaluation of the data and information.
0.3.2 Plan-Do-Check-Act cycle

The PDCA cycle enables an organization to ensure that its processes and management system as a whole
are adequately resourced and managed and that opportunities for improvement are determined and acted
on.
www.quality.org
The model of a process-based QMS in Figure 1 of ISO 9001:2008 has been superseded by Figure 2,
representing the structure of ISO 9001:2015 in the PDCA cycle. Figure 1 was first introduced in ISO
9001:2000 and remained unchanged in the 2008 edition. It has been extensively revised and now references
the clause numbers used in the standard. Box titles have also been changed to reflect the new terminology
(eg “5 Leadership” replaces “Management responsibility”, “6 Planning” replaces “Resource management”, etc).
In addition to customers and their requirements, inputs to the system now include the organization and its
context as well as the needs and expectations of relevant interested parties. The QMS outputs also include
services as well as products.
0.3.3 “Risk-based thinking”

Risk based thinking is an extension of preventive action. It requires organizations to determine risks to
processes, products and services as well as the QMS overall and to take proportionate action to address
these. It also considers opportunities in the same light to maximise benefits (see Annex A A.4).
ISO 9001:2015 acknowledges that risk-based thinking has always been implicit in ISO 9001. ISO 9001:2015
makes the requirement for risk-based thinking explicit at certain points throughout the standard; however, it
does not prescribe a risk methodology that the organization must adopt. Instead, the organization is free to
decide its own approach. The robustness of the risk approach must be proportionate to the consequences,
should the risk be realized.
0.4 Relationship with other management system standards

ISO 9001:2015 confirms the adoption of Annex SL, which has been introduced to ensure a level of
consistency across all ISO management system standards. It points to Annex A.1 of where some of the key
changes introduced in this version of the standard are detailed and Annex B which lists the portfolio of ISO
quality management standards.
Users of the standard are reminded they do not need to follow a clause structure that mirrors ISO
9001:2015 or adopt its terminology when establishing or updating their own quality management systems.
There is a reminder that ISO 9001:2015 does not include any requirements specific to other management
systems (eg environmental management, health and safety management or asset management), ISO
9001:2015 facilitates the alignment or integration of its QMS with other managements systems by using
a process approach, PDCA and risk-based thinking. Sector documents based on this standard (which can
contain guidance or additional requirements) are mentioned. However, editions using ISO 9001:2015 will
need to be developed.
Finally, there is a link to a freely available matrix showing the correlation between the clauses of this edition
and the previous edition on the ISO/TC 176/SC 2 open access web site at: bit.ly/2CxZ1hX.

1 Scope
The overall purpose of the standard is unchanged from ISO 9001:2008. It is still intended as a means by
which organizations can demonstrate their ability to consistently supply products and services that meet
customer and applicable statutory and regulatory requirements. It is also for use where an organization is
seeking to enhance its customers’ satisfaction as a result of it operating a quality management system.
All references to “exclusions” in ISO 9001:2008 sub-clause 1.2 “Application” have been removed. This is
because all of the requirements in ISO 9001:2015 are intended to be applicable to all organizations and any
products and services.
However, ISO 9001:2015 Annex A A.5 recognises that there may be circumstances where it is impossible for
an organization to conform to a specific requirement – for example, where it does not operate a “required”
process. In these instances, the organization can deem the requirement “not applicable” providing this does
not affect its ability to supply conforming products or services, or compromise its aim to enhance customer
satisfaction. Clause 4.3 requires the QMS scope to contain the justification for any requirement that the
organization determines is not applicable to the scope of its QMS. Furthermore, the organization cannot
claim conformity to ISO 9001:2015 if this impacts the organization’s ability or responsibility to ensure the
conformity of its products and services and the enhancement of customer satisfaction
Within Note 1, the ISO 9001:2008 reference to “output resulting from product realisation” has been
removed. This reflects the change to the definition of process and output.
2 Normative references
ISO 9001:2008 cited ISO 9000:2005 quality management systems – fundamentals and vocabulary as a
normative reference. This means that these two documents were intended to be used as a pair. This situation
continues – ISO 9001:2015 cites ISO 9000:2015 as a normative reference.
3 Terms and definitions

The terms and definitions for ISO 9001:2008 were contained within the supporting standard, ISO 9000.
Terms and definitions are available via the ISO Online Browsing Platform (OBP).
Note that some of the current definitions have changed, that there are some terms which were
not defined in ISO 9000:2005 but used in ISO 9001:2008 (eg top management, monitoring and
performance) that are now defined in ISO 9001:2015, and that there are definitions for some of the
new terms used in 9001:2015 (eg risk, innovation).
www.quality.org
4 Context of the organization
4.1 Understanding the organization and its context
»» INTERPRETATION:
ISO 9001:2015 requires the organization to identify, monitor and review external and internal issues that
are relevant to its purpose and strategic direction, and, most importantly, that have the ability to impact the
quality management system’s intended results. This is the first example of the use of “relevant”. It is vital for all
to understand that it is the organization who determines who or what is relevant. Also, the idea of currency is
important to understand. The organization must not just do this once; it must continue to do it, as and when
it is needed to keep current. These two items – relevance and currency – will recur throughout the standard.
»» Implications for quality professionals:

This is the first of two new clauses introduced into ISO 9001:2015 relating to “Context”. With clause 4.2, this
can be considered the “heart” of context.
Most organizations will already be successfully monitoring external and internal issues that have the potential
to affect not only their quality management system, but also the very existence of the organization itself. They
will now need to evidence this process to their auditors.
»» Implications for audit professionals:

Auditors will need to allow additional time to prepare for audits in order to establish their understanding
of the context that auditee organizations are operating in. They will need to understand the external and
internal issues typically experienced in organizations of that type, and must be prepared and able to challenge
an organization if they believe the organization’s interpretation of their context is deficient or incorrect. For
that they need to have objective evidence.
Evidence needs to be obtained to provide “The scope needs to state the products
assurance that organizations are reviewing and services covered by the quality
external and internal issues at periodic intervals. management system”

4.2 Understanding the needs and expectations of interested parties
The organization is required to determine “the relevant requirements” of “relevant interested parties”.
Once determined, the organization must then monitor and review the information it holds about these
parties and their requirements.
Again, it is up to the organization to decide relevance.

This is another new clause introduced for ISO 9001:2015.
“Relevant interested parties” are groups or individuals who have the ability to impact (or potentially impact)
the organization’s ability to consistently supply products and services that meet customer and applicable
statutory and regulatory requirements. Customers, shareholders, board members, staff and competitors
would all fit into this classification. Each organization will have its own set of relevant interested parties (with
their own requirements – some relevant, some not) and this set will probably change over time.
Few of the relevant interested parties’ total requirements will be relevant to the operation of a particular
organization’s quality management system. These very few are the ones that the organization needs to
capture.
Again, the organization must not just do this once; it must continue to do it, as and when it is needed to keep
current.

As for clause 4.1 above, auditors will need additional time to prepare for audits in order to establish their
view of the relevant requirements of relevant interested parties. If this differs from the organization’s
perception, then auditors must be prepared to challenge this. Again, objective evidence will be needed to
support this position.
Auditors will need to ensure that the organization has been through a process initially to identify these
groups and/or individuals and then to identify their requirements that are relevant to the organization’s quality
management system.
They will also need to ensure that this process is revisited periodically because the relevant requirements of
relevant interested parties may change over time.

4.3 Determining the scope of the quality management system
The scope of a quality management system sets its boundaries, identifying what the requirements of the
quality management system are applicable to, and to what they are not.
The scope of the quality management system is determined by the organization.
When determining the scope of its QMS, the organization needs to take into account its context (eg the
internal and external issues it faces and the relevant requirements of relevant interested parties).
The scope must be made available and be maintained as documented information.
The scope needs to state the products and services covered by the quality management system and must
also include any justifications or instances where specific elements of ISO 9001:2015 cannot be applied (for
example, where a required process is not undertaken). There is a new and extremely powerful statement
about applicability. If, by determining that a requirement is not applicable, that impacts the organization’s ability
or responsibility to ensure the conformity of its products and services and the enhancement of customer
satisfaction, then the organization being cannot claim conformity to ISO 9001:2015.

The organization has always been required to specify the scope of its quality management system. However,
this must now be done in explicit consideration of the organization’s context, as well as in terms of the
products and services it intends to supply.
ISO 9001:2015 makes it clear that if a requirement of the standard can be applied, given the organization’s
determined scope, then it must be included. Only in cases where meeting the requirement is impossible (and
where the absence of meeting the requirement does not adversely impact the organization’s ability to supply
conforming products and services) is it permissible not to apply it.
This replaces “exclusions”, which are referenced in ISO 9001:2008 clause 1.2 (Application) which
acknowledges that there may be instances where it is impossible to apply a specific requirement, but limited
these to requirements in clause 7 “Product realisation”.

Auditors will need to verify that the organization’s scope exists as documented information. They must gather
evidence that it has been produced in consideration of the organization’s context and products and services.
www.quality.org
Auditors should review any “exclusions” applied under ISO 9001:2008 for ongoing suitability. They will need
to ensure legacy issues, where an organization has previously sought to limit its scope and excluded activities
that can affect its ability or responsibility to ensure conformity of products or services, are not perpetuated.
If exclusions have been applied by the organization, auditors must ensure that they are recorded and that the
rationale for the exclusion is stated and justified.
4.4 Quality management system and its processes

4.4.1
ISO 9001:2015 requires the organization to establish a process-based quality management system. The
phrase “establish, implement, maintain and continually improve” is familiar from both the 2000 and 2008
editions of ISO 9001 (clause 4.1) so its use here should cause no difficulty. Once in place and operating, the
QMS needs to be maintained and continually improved. Clause 4.4 sets out high-level requirements for the
design of a process-based management system.

The principal change from ISO 9001:2008 is a greater focus on processes, which is something that appears
throughout the standard. Whereas ISO 9001:2008 “promoted” the adoption of a process approach, ISO
9001:2015 strengthens this.
The organization needs to determine required process inputs and expected outputs, assign responsibilities
and authorities for processes and identify risks and opportunities for processes, and plan to address these.
ISO 9001:2008 required the organization to determine the process methods and criteria for effective
operation and control. The methods now explicitly include monitoring, measurements and related
performance indicators.
The requirements relating to outsourcing in ISO 9001:2008 clause 4.1 have moved to clause 8.1 and 8.4 in
ISO 9001:2015.
For an organization already applying ISO 9001:2008, the key factor(s) in meeting these requirements will be
the extent to which the process approach has truly been embraced and adopted already. This includes the
effectiveness of quality management system planning carried out under ISO 9001:2008 sub-clause 5.4.2, the
effectiveness of planning of processes needed for product realization carried out under ISO 9001:2008 clause
7.1, and the effectiveness of process monitoring, measurement, analysis and improvement carried out under
ISO 9001:2008 sub-clause 8.2.3. For management system implementers, these will be key areas for review.

Audit professionals should note the additional requirements regarding process management. They should
look for process responsibilities and authorities. This may typically reside in a process owner, although be
careful as alternative ways to demonstrate conformance can exist. Also, each process requires inputs and
expected outputs to have been determined; although there is no requirement for them to be evidenced in
documented information. If risks and opportunities relating to processes have been determined in clause 6.1,
auditors should look for how these have been addressed.
Auditors should be cautious and note that the performance indicators required here relate solely to
monitoring and measurements and that they should not expand this requirement to other areas.
Auditors should be looking for the linkages of process inputs and expected outputs, adherence to process
criteria and achievement of performance indicators relating to monitoring and measurements with the
various requirements of clause 9 Performance evaluation.
4.4.2
The ISO 9001:2008 requirement simply stated that ”The organization shall … document … a quality
management system”. This has been clarified to address the documented information necessary to support
the process operations.
In addition, documented information (records) needed to show that the planned process operation is in line
with the actual operation is required.

The organization is required to have both types of documented information – to effectively plan, control,
operate, monitor and measure and improve the QMS processes. This could include plans, procedures,
checklists, standards, criteria, menus, websites and designs as well as evidences.
Existing operational procedures, work instructions and flow charts remain valid (provided they meet ISO
9001:2015 requirements) and can be used to evidence that the requirement for documented information to
support the operation of processes is being met. If these are working well for the organization then there is
no need to replace them.

Audit professionals should keep an open mind in seeking evidence of conformance to process management
requirements.
www.quality.org
5 Leadership
5.1 Leadership and commitment
5.1.1 General
ISO 9001:2015 replaces “Management responsibility” with “Leadership”.
Sub-clause 5.1.1 identifies specific aspects of the quality management system where top management are
expected to demonstrate both leadership and commitment.
This starts with their taking accountability for the effectiveness of their organization’s quality management
system. They must ensure that their organization’s quality policy and quality objectives are consistent with
the organization’s overall strategic direction and the context in which the organization is operating. They
must also work alongside their people in order to ensure that the quality objectives are achieved. In addition,
top management must ensure that the quality policy is communicated, understood and applied across the
organization.
Top management must also ensure that quality management system requirements are integral to the
organization’s business processes – that is, the quality management system must not be just a “bolt on”.
They must promote awareness and the adoption of the use of both the “process approach” and “risk-
based thinking”, and must make sure that the resources required for the effective operation of the quality
management system are made available.
Top management must stress the importance of effective quality management and of conforming to the
requirements of the quality management system. They must make sure that the quality management system
is achieving the results intended and must lead people to contribute to the effective operation of the system.
They must drive continual improvement and develop leadership in their managers.

The move from management commitment to “Leadership” and commitment is perhaps the most significant
and far-reaching change contained within ISO 9001:2015, although the actual impact will depend very much
on where each organization is starting from.
For those where the most senior members of the organization currently play an active role in driving its
quality management system forward, the changes will simply be a formalisation of what is happening now.
However, for those organizations where top management have effectively devolved responsibility for their
quality management system to their Management Representative, the ramifications of the ISO 9001:2015
changes will be significantly greater.
www.quality.org
ISO 9001:2015 requires top management to be much more “hands on” with respect to their quality
management systems than ISO 9001:2008 does. Where the word “ensuring” is used in sub- clause 5.1.1, top
management may still assign this task to others for completion ie delegation plus confirmation. Where the
words “promoting”, “taking”, “engaging” or “supporting” appear, these activities cannot be assigned and must
be undertaken by top management themselves. Implementers will need to make top management aware of
the new requirements, and the fact that they will now be audited as a matter of routine.
Note: when ISO 9001:2015 uses the term “top management”, it is referring to a person or a group
of people at the highest level within an organization, ie the people who coordinate, direct, and
control the organization.

Auditors must seek evidence that top management has a “hands-on” approach to the management of their
quality management system.
Auditors must understand which ISO 9001:2015 requirements top management can delegate and which
they cannot.
Auditors must ensure that they are equipped to challenge top management in respect of their commitment
to their quality management systems. Auditing at this level is likely to be a new experience for many. To
be effective and gain the respect of top management, auditors will need to have a good understanding
of management activities, be able to engage with top management on a range of subjects, and speak
the language of top management. For many auditors, this will involve developing new and enhanced
competencies.
5.1.2 Customer focus

Sub-clause 5.1.2 requires top management to take the lead in demonstrating the organization’s commitment
to its customers.
They must ensure that customer and applicable statutory and regulatory requirements are identified,
understood and consistently met. They must consider and address any risks that threaten the ability of the
organization to provide conforming products and/or services, or which may negatively impact customer
satisfaction.
In addition, top management must also ensure the organization remains focused on delivering conforming
products and services, on meeting its statutory and regulatory obligations, and on enhancing its customers’
satisfaction.

Sub-clause 5.1.2 expands on ISO 9001:2008 clause 5.2 by requiring top management now to ensure that
risks and opportunities that could affect the organiszation’s ability to supply conforming products and services,
and to enhance customer satisfaction, are identified and addressed.
Top management are now explicitly required to “maintain” a focus on consistently providing products
and services that conform to customer requirements and that meet applicable statutory and regulatory
requirements, as well as maintaining a focus on enhancing customer satisfaction. This is not a ‘one-off ’ activity.

Auditors will need to seek evidence that top management are ensuring that any risks and opportunities with
the potential to impact the organization’s ability to supply products and services that conform to customer
requirements and applicable statutory or regulatory requirements, or that may affect customer satisfaction,
are being identified and addressed. Opportunities must also be considered too.
Note: the requirement is to “maintain” a customer focus – this activity must therefore be evidenced
as ongoing.
5.2 Policy
5.2.1 Developing the quality policy
Sub-clause 5.2.1 sets out the requirements of top management in respect of the organization’s quality policy.
Top management must establish a quality policy that is appropriate to the purpose and context of the
organization and crucially, it must support its strategic direction. It must additionally provide a framework for
the setting and review of quality objectives, and include commitments to satisfy any applicable requirements
and to continually improve their quality management system.
It is the responsibility of top management to implement and maintain the quality policy.
www.quality.org
ISO 9001:2008 requires top management to “establish” the quality policy (5.1), and to “ensure” that it is
reviewed for continuing suitability. ISO 9001:2015 requires that the top management “establish, implement
and maintain” a quality policy.
ISO 9001:2015 requires that the quality policy is also appropriate to the context of the organization, not
just its purpose. This will require the review and possible update of the organization’s quality policy if there
is any change in the context of the organization or the relevant requirements of the relevant interested
parties. Another reinforcement of the concept that the QMS is not just an add-on to business is a crucial
requirement that the quality policy is in tune with the organization’s strategic direction. Any change in strategic
direction will now require a rethink of the quality policy.
The policy must include a commitment to continually improve the QMS. ISO 9001:2008 required a
commitment to continual improve the effectiveness of the QMS.
The policy must now provide a framework for the setting and reviewing of quality objectives.

Auditors should seek evidence that top management have created the quality policy, and are implementing
and maintaining it. Auditors should ensure that the policy is appropriate to the context of the organization as
well as its purpose and that there is a commitment to improve the organization’s quality management system.
They should also seek evidence that the organization’s quality objectives are consistent with the policy.
The requirement to determine that the quality policy is appropriate to the purpose and context of the
organization reinforces the need for auditors to establish their personal understanding of the context that the
auditee is operating in. However, from an audit
perspective it is important that top management “Top management must establish a
can demonstrate that the policy is compatible quality policy that is appropriate to the
with the strategic direction and context of the
purpose of the organization”
organization, as required by sub-clause 5.1.1 b).
5.2.2 Communicating the quality policy

Sub-clause 5.2.2 sets out specific requirements in respect of the organization’s quality policy communication.
As in the 2008 edition the policy must be available as documented information. It must be communicated
(see 7.4 Communication), understood and applied inside the organization and must be available to relevant
interested parties as appropriate.

As an item of documented information, the quality policy can now be held in any manner that meets the
requirements of ISO 9001:2015 clause 7.5.
Quality professionals should note that there is now an explicit requirement for the quality policy to be
applied throughout the organization. How this is done is up to the organization, but linkage to quality
objectives, process design, acceptance criteria, monitoring and measurement data and management review
should be considered.
The new requirement for the quality policy to be available to relevant interested parties, as appropriate,
means that organization will need to consider how this is done – on a website, social media, literature and
flyers.

Auditors should note that the ISO 9001:2008 requirement for “documented statements of quality policy and
quality objectives” has now been removed. Instead, ISO 9001:2015 requires the policy to be maintained as
documented information.
Auditors should ensure that the quality policy is being

applied throughout the organization and that the
organization is making the policy available to relevant “ISO9001:2015 requires that
interested parties where it is appropriate to do so. not only are responsibilities
and authorities assigned, but
It is vital to remember that documented information they are also communicated
can be in any medium; so a video clip on social media, and understood within the
a metal plaque or even a mosaic on the wall in the organization”
organization’s entrance hall are all acceptable
www.quality.org
5.3 Organizational roles, responsibilities and authorities
This is largely a clarification of requirements given in clause 5.5 of ISO 9001:2008 with some enhancements.
The top management of the organization need to ensure assignment of the necessary responsibilities and
authorities to the organizational roles within the organization to carry out quality-related activities (and
provide the individuals to fill these roles in 7.1.2 People).
• specifically, they need to assign responsibility and authority to relevant roles for ensuring that:
• the requirements set out in ISO 9001:2015 are met;
• quality management system processes are delivering their intended outputs;
• reporting on the operation of the quality management system and identifying any opportunities for
improvement is taking place;
• a customer focus is promoted throughout the organization;
• whenever changes to the quality management system are planned and implemented, the integrity of the
system is maintained.
Top management need to ensure that responsibilities and authorities relating to an organization’s quality
management system are communicated within the organization and that they are understood within the
organization.

ISO 9001:2015 requires that not only are responsibilities and authorities assigned, but that they are also
communicated and understood within the organization. The role of Management Representative has
disappeared in ISO 9001:2015. This is an attempt to ensure that ownership of and accountability for the
quality management system does not centre around a single individual. Duties assigned to the Management
Representative in ISO 9001:2008, including ensuring QMS processes are established and maintained, the
reporting of QMS performance and promotion of customer requirements across the organization can now
be assigned to any role or split across several roles.
Note: there is a new requirement for top management to ensure that someone is tasked with
preserving the integrity of the quality management system while planning and undergoing change.

The quality professionals within the organization may have to revisit the existing responsibilities and
authorities with regards to the QMS, especially the responsibilities of top management. The review may
identify gaps, including gaps of knowledge and skills, which will then need to be addressed before a compliant
system can be established.

Auditors must seek evidence that an organization’s people have not only been advised of their quality
management system responsibilities and authorities, but that they also understand these in the context of
what the quality management system is trying to achieve.
Auditors should note that there is no longer a requirement for an organization to have an identified
Management Representative, though the duties currently assigned to the Management Representative in ISO
9001:2008 must still be undertaken.
Auditors must seek evidence that top management have assigned responsibility and authority for preserving
the integrity of the organization’s QMS while planning and undergoing change.
ISO 9001:2015 gives both the organization and auditors opportunity to re-evaluate the effective assignment
and communication of authority, as well as responsibility; in practice authority is often vague and unclear.
www.quality.org
6 Planning
6.1 Actions to address risks and opportunities
6.1.1
Sub-clause 6.1.1 is a new and key requirement – the organization is required to consider their context when
planning for their quality management system. This means thinking about the internal and external issues they
face and the relevant requirements of their relevant interested parties, and how this may impact on their
quality management system
The organization must then move on to determine the risks and opportunities that need to be addressed
for its given context. This is in order to provide assurance that the quality management system can achieve its
planned result(s). In addition it needs to increase positive effects, to avoid or minimise negative effects, and to
achieve improvement.
Although determining and addressing risks (and opportunities) is now a requirement, undertaking formal risk
management is not. However, the organization may want to consider this (see ISO 31000:2011 for details).

This sub-clause introduces a new requirement for the organization to determine those risks and
opportunities that have the potential to impact the operation and performance of their quality management
system, both positively and negatively.
While no specific risk management approach or methodology is prescribed, the organization may want to
consider using ISO 31000:2011. It is important to note that while risk is a new and possibly difficult topic, the
organization should also focus on opportunity.
The organization needs to have some form of systematic approach or methodology in place to determine
risk and opportunities. This may be combined with the follow-on activities relating to planning actions to
address them (see 6.1.2).
Note: that ‘risk’ is specifically defined (see ISO 9000:2015 3.7.9).

Auditors should seek evidence that confirms that an organization has a systematic approach or methodology
in place that enables them to effectively identify and address both risks and opportunities in respect of the
planning of their quality management system.
The role of the auditor is not to carry out their own determination of risks and opportunities, but to ensure
that the organization is applying their systematic approach or methodology consistently and effectively.
However, where the auditor’s knowledge of the context of the organization reveals that the organization
has failed to identify an obvious or familiar known risk or opportunity, and can provide objective evidence to
support this, they may call into question the organization’s approach.
It is important to note that the organization is free to choose a particular approach or methodology to
address this requirement and it need not be integrated with the approach or methodology for planning the
actions to address the risks and opportunities in 6.1.2.
6.1.2
Once the organization has identified the risks and opportunities it faces, it must then determine how it needs
to address them.
There is a statement regarding proportionality to the effect that actions taken to address risks and
opportunities should be in line with the potential impact of the risk or opportunity on the conformity of
products and services. The first note sets out potential strategies for mitigating risks, and recognises that not
all risks and opportunities need actions. For example, the organization may take an informed decision to keep
the risk, in effect taking no action beyond identifying and evaluating the risk or opportunity. The second note
gives examples of possible opportunity outcomes.
Sub-clause 6.1.2 requires a planned approach with respect to these actions, with them being integrated
into the quality management system and a subsequent evaluation to determine whether the actions were
effective in reducing the risk or realising the opportunity.
www.quality.org
This new requirement requires quality professionals to ensure that their organization has some form of
systematic approach or methodology in place to plan actions to address risks and opportunities. This may be
combined with the previous activities relating to determining risks and opportunities (see 6.1.1).
Actions need to be taken to address the risk or to realise the opportunity. The standard requires the extent
of this action to be proportionate to the risk or opportunity itself, ie major risks or opportunities requiring
major action(s).
Subsequently, the organization needs to evaluate how effective the action that they took was.
The organization is free to choose the most appropriate systematic approach or methodology for their
purpose.
This clause is related to several other clauses within the standard with regards to its outcomes (ie what are
the risks and opportunities for the organization, and how are they to be addressed?). Consequently the
organization needs to understand it and apply it effectively.

Auditors should ensure that the organization is taking a planned approach to addressing risks and realising
opportunities, For those actions that have been completed, auditors should ensure that each action’s
effectiveness (or otherwise) has subsequently been assessed. They should also ensure that the action taken
was proportionate to the risk or opportunity.
It is important to note that the organization is free

to choose a particular approach or methodology “Sub-clause 6.2.1 is an enhancement
to address this requirement and it need not be and extension of ISO 9001:2008
integrated with the approach or methodology for requirements”
determining the risks and opportunities in 6.1.1.

6.2 Quality objectives and planning to achieve them
6.2.1
Sub-clause 6.2.1 is an enhancement and extension of ISO 9001:2008 requirements. It requires an
organization to set quality objectives for relevant functions, levels and processes within its quality management
system. It is for the organization itself to decide which functions, levels and processes are relevant.
The quality objectives must be consistent with the organization’s quality policy and be relevant to the
conformity of products and services, and the enhancement of customer satisfaction.
Quality objectives must be measurable, take into account applicable requirements, and be monitored in order
to determine whether they are being met. They must also be monitored (see 9.1 monitoring, measurement,
analysis and evaluation), communicated across the organization and be updated as and when the need arises.
An important change from 2008 is the deletion of the qualifier that quality objectives are “within the
organization”. This recognises that externally provided processes, products and services may also need quality
objectives assigned.
Information on the quality objectives needs to be maintained by the organization as documented information.

This is an extension of ISO 9001:2008 sub-clause 5.4.1“Quality objectives”. The requirement for quality
objectives to be measurable and consistent with the organization’s quality policy is carried across, as is the
requirement for objectives to be set for relevant functions and levels.
New for ISO 9001:2015 are requirements to set quality objectives for relevant processes and to monitor
progress against the achievement of objectives. Also new is the need for the quality objectives to be relevant
to product and service conformity as well as the enhancement of customer satisfaction.

For organizations that simply created the minimum amount of quality objectives necessary to conform to the
requirements of ISO 9001:2008, this clause will mean some additional work to demonstrate the value of the
quality objectives at relevant functions, levels and processes within the organization.
www.quality.org
Additional requirements have been included in the standard as set out above. A new focus is on the quality
objectives to be relevant to product and service conformity (and the enhancement of customer satisfaction).
This means that objectives which are not relevant to product and service conformity are not necessarily
invalid, they are just not quality objectives. Auditors should ensure that the organization is able to evidence
that they are complying with these new requirements.
6.2.2
Sub-clause 6.2.2 is an enhancement of ISO 9001:2008 sub-clause 5.4.2, which now clearly states requirements
that were previously inferred within ISO 9001:2008.
The organization must undertake planning in order to determine how its quality objectives will be achieved.
Sub-clause 6.2.2 requires an organization to determine the activities required in order to realise its quality
objectives, the necessary resources, who will be responsible for the activities and when the activities will be
completed.
Additionally, the organizations must determine how it will evaluate the work done.

Sub-clause 6.2.2 focuses not just on what needs
to be done, but also asks organizations to identify “The organization needs to be clear as
what resources will be required to do it, who will to what it is attempting to achieve by
do it, when it will be completed and how it will be
implementing the proposed change”
evaluated in order to determine if it has realised
the objective.
The target set on completion of quality objectives means more robust monitoring of the objectives will need
to take place.
It may be necessary for the organization to revisit its existing quality objectives in order to ensure that the
enhanced planning requirements of clause 6.2.2 have been applied.

Auditors should look for evidence that effective planning is taking place to support the achievement of the
organization’s quality objectives. They should ensure that this takes into consideration the new requirements
set out above.
6.3 Planning of changes

Clause 6.3 is an enhancement of ISO 9001:2008 clause 5.4.2b. When the organization determines there is
a need to change the quality management system, clause 6.3.3 of ISO 9001:2015 requires such changes to
be carried out in a planned and systematic manner. Changes need to be planned first and then methodically
enacted. The organization needs to be clear as to what it is attempting to achieve by implementing the
proposed change and what the consequences (both positive and negative) of proceeding may be. It needs to
assess whether the integrity of the quality management system could be compromised (or indeed improved)
as a result of making the change. The organization must also consider whether there are sufficient resources
available to effect the change and whether any changes in responsibilities or authority levels are necessary to
drive the changes through.
The role(s) for ensuring that the integrity of the quality management system is maintained will have already
been assigned in 5.3; previously this was for top management.
The organization is required to retain documented information relating to planned changes that impact its
quality management system.

This is an extension of ISO 9001:2008 sub-clause 5.4.2 b), which requires the integrity of the quality
management system to be preserved whenever changes to it are planned or implemented.
The new requirements in ISO 9001:2015 build on this, adding in specific considerations that an organization
must undertake when planning and implementing QMS changes.

Auditors should ensure that the organization is able to evidence that it has taken into account the
considerations detailed in ISO 9001:2015 clause 6.3 when planning and implementing changes to its quality
management system.
www.quality.org
7 Support
7.1 Resources
7.1.1 General
Sub-clause 7.1.1 updates ISO 9001:2008 clause 6.1 “Provision of resources”.
It requires an organization to determine and then provide all the resources necessary to establish, implement,
maintain and continually improve its quality management system. Resources include people (7.1.2),
infrastructure (7.1.3), the environment for the operation of processes (7.1.4), monitoring and measuring
resources (7.1.5) and organizational knowledge (7.1.6).
In doing so, the organization is required to consider both the capabilities and constraints on its existing
internal resources as well as what needs to be sourced from external providers.

The explicit reference in ISO 9001:2008 clause 6.1 b) to “identifying resources needed to enhance customer
satisfaction” has been deleted from sub-clause 7.1.1. (although this is implicit).
There is now an explicit requirement to consider both internal and external QMS resource requirements.

Auditors must now evidence that organizations have considered their need for external resources in addition
to their need for internal ones.
www.quality.org
7.1.2 People
Sub-clause 7.1.2 requires an organization to provide those people necessary for the effective operation of its
quality management system and its processes in order that it can consistently meet customer and applicable
statutory and regulatory requirements.

This is essentially an existing requirement separated out from ISO 9001:2008 clause 6.1 “Provision of
resources”.

No change in audit approach required.
7.1.3 Infrastructure
»» INTERPRETATION: “ISO 9001:2015 requires the
organization to “determine, provide
Sub-clause 7.1.3 updates ISO 9001:2008 clause and maintain” a suitable environment
6.3 “Infrastructure”. for the operation of processes”
As is the case for ISO 9001:2008, the
requirements for infrastructure in ISO 9001:2015 are centred around identifying, providing and maintaining
the means to enable processes to operate effectively.
The examples of infrastructure appearing in the standard are essentially the same as those in ISO 9001:2008,
with some minor revisions to wording. “Buildings, workspace and associated utilities” becomes “buildings
and associated utilities”; “process equipment (both hardware and software)” becomes “equipment including
hardware and software”; and “supporting services (such as transport, communication or information
systems)” becomes “transportation, and information and communication technology”.

No new action required.

No changes to audit approach required.

7.1.4 Environment for the operation of processes
Sub-clause 7.1.4 updates ISO 9001:2008 clause 6.4 “Work environment”.
ISO 9001:2015 requires the organization to “determine, provide and maintain” a suitable environment for
the operation of processes. This is a little more prescriptive than the ISO 9001:2008 wording, which simply
required the organization to “determine and manage” their work environment.
The note gives examples of environments for the operation of processes. The examples include physical,
social, psychological environmental and other factors, including temperature, cleanliness and others.

The key change here is that “work environment” now becomes “environment” necessary for the operation
of processes reflecting an increased focus throughout the standard on a process-based approach. It also
implicitly acknowledges that work can be undertaken by automation (eg robots) and not just human activity.
As is the case for sub-clause 7.1.3 “Infrastructure” in ISO 9001:2015, the purpose of maintaining the process
environment is to assure conformity of products and services.
The note to sub-clause 7.1.4 ISO 9001:2015 explains that an environment for the operation of processes
can include physical, social, psychological, environmental and other factors, such as temperature, humidity,
ergonomics and cleanliness.

Auditors will need to audit the organization’s process environment, not its work environment. As well as
physical factors, this now includes social and psychological factors too.
When auditing an organization currently operating to ISO 9001:2008, auditors will want to see evidence
that the auditee is applying this updated requirement to all processes determined necessary for the quality
management system.
It is important to realise that the items in the note are only examples and that the list is not exclusive and,
most importantly, not mandatory.
www.quality.org
7.1.5 Monitoring and measuring resources
7.1.5.1 General
Sub-clause 7.1.5.1 updates ISO 9001:2008 clause 7.6 “Control of monitoring and measuring equipment”.
Where an organization uses monitoring or measuring to demonstrate that its products and services conform
to requirements, it must make sure that it provides the necessary resources to ensure that its monitoring and
measuring results are both valid and reliable.
These resources need to be suitable to the type of monitoring or measurement being undertaken and must
be maintained in order to ensure they remain fit for purpose
The organization must retain appropriate documented information (records) as evidence that monitoring
and measuring resources are fit for purpose.

ISO 9001:2015 sub-clause 7.1.5 relates to monitoring and measuring “resources” whereas ISO
9001:2008 clause 7.6 is concerned solely with monitoring and measuring “equipment”. This change is an
acknowledgement that, in certain instances, humans also carry out monitoring or measurement activity
without reliance on equipment, eg a chef releasing food to be served in a restaurant.
The organization is now required to retain documented information (records) as evidence that the
measuring and monitoring resources are fit for purpose, not just the monitoring or measuring equipment.

No changes to audit approach required.

7.1.5.2 Measurement traceability
Sub-clause 7.1.5.2 updates ISO 9001:2008 clause 7.6 “Control of monitoring and measuring equipment” with
respect to calibration.
In instances where measurement traceability has been identified as a requirement or is considered by the
organization as essential in order to provide confidence in the measurement results, measuring equipment
must be verified or calibrated against international or national measurement standards at specific intervals or
prior to their use.
If no such standards exist, the organization must keep the basis it is using for calibrating or verifying the
measuring instrument in the form of documented information (records).
Measuring instruments must be identified in such a way that their calibration status can be determined.
They must also be protected to prevent them being adjusted, damaged or subjected to deterioration
indeed anything that would invalidate their correct calibration status and therefore jeopardise any future
measurement results.
If measuring equipment is found to be defective, previous results need to be revisited and any necessary
corrective action implemented.

If measurement traceability is required then measuring equipment is subject to additional controls. These are,
however, just a reworking of those currently contained in ISO 9001:2008 clause 7.6 “Control of monitoring
and measuring equipment”.

Auditors should note that where measurement traceability is required, measuring instruments are subject to
additional controls. These are commensurate with the current requirements of ISO 9001:2008 clause 7.6.
If measurement traceability is not required then auditors must satisfy themselves that the monitoring and
measuring resources are suitable and fit for purpose, as per 7.1.5.1 General.
Auditors should also ensure that documented information (records) is being retained by the organization to
demonstrate that monitoring and measuring resources are fit for purpose.
www.quality.org
7.1.6 Organizational knowledge
This is a new requirement aimed at ensuring that an organization takes steps to capture and preserve
knowledge, which is necessary for the effective operation of their processes and for ensuring the
conformity of their products and services.
This is a broad requirement directed primarily at ensuring the organization either has or obtains the
knowledge necessary to respond to changing business environments referred to in clause 4.1, changing
customer and relevant interested party needs and expectations referred to in clause 4.2 and, where
applicable, related improvement initiatives. As such, this requirement has strong links with management
review activities.
This knowledge needs to be maintained and made available to the extent necessary. The organization can
choose how best to do this; there is no explicit requirement for organizational knowledge to be held as
The organization must re-assess the extent of its organizational knowledge if it is considering making
changes to its quality management systems in response to changing needs or trends in its operational
environment. The organization needs to keep organizational knowledge current and if it is deemed
insufficient then the organization must take steps to enhance it. This is an attempt to ensure that
organizations make informed decisions in respect of updates to their quality management systems.
Note 1 identifies types of organizational knowledge while Note 2 identifies potential sources of
organizational knowledge.

This is a new requirement. Quality professionals should ensure that they introduce appropriate activities
and/or mechanisms to address the requirements above.
The notes to clause 7.1.6 give good examples of what “organizational knowledge” can include as well as to
how additional knowledge can be obtained.

“A new requirement aims at
This is a new requirement. Auditors should ensure that ensuring that an organization
the organization has taken steps to identify and acquire takes steps to capture and
the organizational knowledge necessary to establish the preserve knowledge”
continuing conformity of their products and services.

Auditors should ensure that organizational knowledge has been communicated as necessary within the
organization and that it is being maintained and protected.
They should also ensure that an assessment of organizational knowledge has taken place prior to any changes
made to the quality management system in response to changing needs or trends.
7.2 Competence
Clause 7.2 is essentially an amalgamation of ISO 9001:2008 sub-clause 6.2.1 “Human Resources – General”
and sub-clause 6.2.2 “Competence, training and awareness” (save for requirement 6.2.2 d), which now
transfers to ISO 9001:2015 clause 7.3 “Awareness”.
The organization must determine the competency requirements for those people performing work under
its control. Once these competency requirements have been determined, the organization must then ensure
that those people possess the necessary competencies, either on the basis of appropriate education, training
or experience. The organization is required to take action to acquire the necessary competence. Actions
taken need to be evaluated for effectiveness.
The Note in this clause gives examples of applicable actions, such as training, recruitment or use of external
people.
If there is a competency deficiency, action must be

taken to achieve competence or to gain the necessary “Competence is defined as the
competencies from other sources, for example, “ability to apply knowledge and
recruitment or use of external people. An assessment skills to achieve intended results”
needs to be subsequently undertaken to determine
whether this has been successful in raising competence
to the required level.
Organizations must retain appropriate documented information (records) to evidence competence.
Note: clause 7.2 refers to “People performing work under its control”. This embraces contract and
agency people, as well as people performing processes and functions that have been outsourced to
external providers. These are operating under the control of the organization, recognised in ISO
9001:2015 by a specific reference in clause 8.4.3 to the need to communicate to external providers,
competence and qualification requirements as applicable. In practice this requirement is likely to be
addressed through procurement.
www.quality.org
Competence is defined as the “ability to apply knowledge and skills to achieve intended results”. Competence
now needs to be considered in terms of its potential impact on “the performance and effectiveness of the
QMS”, as opposed to “its ability to affect conformity to product requirements”.
The organization is still required to take action to address any competency issues and subsequently to
check that this action has been effective. Additionally, organizations are still required to maintain evidence to
demonstrate that people doing work under its control are competent. This evidence needs to be retained as
documented information (records).
While clause 6.2.2 of 9001:2008 requires records of education, training, skills, and experience, clause 7.2.5 ISO
9001:2015 requires documented information (records).as evidence of competence.

No substantive change. Attention is drawn to the related requirements for control of externally provided
processes, products and services within ISO 9001:2015 clause 8.4.1.
Also, some organizations’ documented information (records) regarding clause 6.2.2 may have to be reviewed
to assess whether they can also constitute evidence of competence. If not, documented information of
evidence of competence needs to be identified and retained (eg a clean driving licence can be evidence of
competence for a driver)
7.3 Awareness
Awareness has now been elevated from a constituent element of sub-clause 6.2.2 “Competency, training and
awareness” in 9001:2008 to a separate sub-clause in its own right.
The requirements contained in the new clause 7.3 now apply to all “persons doing work under the
organization’s control”. This is more expansive than under ISO 9001:2008 where the organization needed to
ensure that “its personnel” were aware.
In respect of what individuals need to be aware of, this too has been extended. Under ISO 9001:2008, the
awareness requirement for personnel was quite limited; necessitating only an awareness of the relevance
and importance of the work they were conducting, and an appreciation as to how this contributed to the
organization’s quality objectives.
Now, however, there are explicit requirements for people doing work under the ’s organization’s control to

be aware of the organization’s quality policy, any quality objectives that are relevant to them, how they are
contributing to the effectiveness of the QMS and what the implications are of them not conforming to QMS
requirements.

Clause 7.3 contains expanded requirements. Quality professionals should note that the people who need
to be made aware now extends to all persons doing work on the organization’s behalf (previously this was
limited to the organiszation’s personnel). Quality professionals should also note that additional information as
set out above must be communicated to these individuals.
The important factor here is the addition of the requirement to make persons doing work under the
organization’s control aware of the implications of not conforming to the QMS.

ISO 9001:2015 has enhanced requirements for awareness both in terms of who needs to be made aware
and also in terms of what they need to be made aware of. The latter is now detailed explicitly within this
clause. Audit professionals must ensure that the organization is able to provide evidence that these enhanced
requirements are being met.
7.4 Communication
This expands on the current ISO 9001:2008 sub-clause 5.5.3 by extending its scope to include all
communications not just internal ones.
Clause 7.4 “Communication” encompasses all internal and external communication relating to an
organization’s QMS. Each organization must determine those QMS-related matters on which it wishes
to communicate. Once this has been done, consideration must then be given as to the timing of such
communications, their target audience and their method of delivery.
Note: reference to external communication in this clause does not encompass specific customer
communication requirements of ISO 9001:2008 sub-clause 7.2.3, which are largely retained in
ISO 9001:2015 sub-clause 8.2.1 and specific requirements for communication with external of ISO
9001:2008 sub-clause 7.4.2, which are largely retained in ISO 9001:2015 sub-clause 8.4.3.

The new clause is more prescriptive in respect of the mechanics of the communication; ISO 9001:2008 sub-
clause 5.5.3 refers to the need for “communication to take place” whereas ISO 9001:2015 clause 7.4 requires
www.quality.org
the organization to determine on what it will communicate, when it will communicate, with whom it will
communicate, how it will communicate and who communicates. Quality professionals should be prepared to
evidence these considerations.

Auditors should ensure that the organization is identifying both the external communications as well as
the internal communications that need to take place in respect of the operation of its quality management
system. They should also ensure that the organization has determined what it needs to communicate, when it
will communicate, with whom it will communicate, how it will communicate and who communicates.
7.5 Documented information

7.5.1 General
Sub-clause 7.5.1 confirms that an organization’s quality management system includes both documented
information identified as required in ISO 9001:2015 and documented information identified by the
organization as necessary for the effective operation of its quality management system.
There is no longer an explicit requirement for a quality manual. However, if the organization still finds it useful,
there is no reason to delete it. Similarly, the requirement for the six mandatory documented procedures from
the 2008 edition has also been deleted. Again, if the organization finds them useful it can keep them.
The note to the clause (carried over from ISO 9001:2008) advises that the extent of documented
information can differ between organizations due to their size, complexity, the products and services as well
as the competency of their people.

No change – these requirements are already contained in ISO 9001:2008 clause 4.2.

No change in audit approach is required.
7.5.2 Creation and updating

When documented information is created or updated, the organization must ensure that it is appropriately
identified and described (eg title, date, author, reference number). It must be in an appropriate format (eg

language, software version, graphics) and on appropriate media (eg paper, electronic).
Documented information must be reviewed and approved for suitability and adequacy.

No further action is required as these requirements are already contained within the sub-clauses that
comprise ISO 9001:2008 clause 4.2.
There is useful information provided in Appendix A.6 Documented information.
Simplistically the organization “maintains” documented information (documents) and “retains” documented
information (records).

No change in audit approach is required. It must be noted that the classification of a “record” as a special type
of document (in the 2008 edition) has been deleted; everything is now documented information. However,
the organization can still refer to items as “documents” or “records”.
7.5.3 Control of documented information

7.5.3.1
The organization is required to control documented information in order to ensure that it is available where
and when needed and that it is suitable for use. It must also be adequately protected against improper use,
loss of integrity and loss of confidentiality.

“Clause 7.4 Communication
Quality professionals should note that, while the encompasses all internal and
requirement for a documented procedure setting out external communication relating
how documents are to be controlled has been removed, to an organization’s QMS”
the need to control documented information remains.
The requirements in sub-clause 7.5.3.1 mirror current requirements in ISO 9001:2008.

Auditors should note that, while the requirement for a documented procedure specifying how documents
are to be controlled has been removed, the requirements above are unchanged from ISO 9001:2008.
www.quality.org
7.5.3.2
The organization must determine how it will distribute, access, retrieve and use documented information.
It must decide how it will store and preserve documented information, and how it will control any changes to
the documented information. It must also decide its retention and disposal arrangements.
The organization is also required to identify any documented information of external origin to the
organization that it considers necessary for the planning and operation of the organization’s quality
management system. Such documentation must be identified and controlled.

While ISO 9001:2008 contains requirements for controls in respect of the distribution and retrieval of
documents, ISO 9001:2015 extends these also to cover the “access” and “usage” of documented information
required by the organization’s quality management system and by ISO 9001:2015.
Where organizations chose to hold their documented information in electronic forms, there may be a need
to revisit access controls (passwords/logins) and authorisation levels in order to ensure current controls
are appropriate. The organization will need to consider how such systems are to be protected when
passwords are lost and how access to the documented information can be preserved in the event of system
unavailability. They will also be required to demonstrate how the integrity of their documented information is
maintained.
The Note in clause 7.5.3.2 states access can imply “permission to view only”, or “permission to view and
authority to change”.
With most organizations moving to electronic documents that are maintained and accessed remotely using
passwords, etc, this can mean more controls need to be demonstrated if claiming compliance.

Auditors will increasingly find themselves having to access and use electronic systems in order to evidence
how the organization is controlling their documented information. This could require a technical upskilling.
Auditors will need to establish, prior to commencing an audit, whether an electronic system is in place and
will need to make the necessary arrangements with the organization to ensure that they can access and use
such systems.

www.quality.org
8 Operation
8.1 Operational planning and control
Clause 8.1 requires the organization to plan, implement and control those processes that it has previously
identified (see clause 4.4) as necessary in order for it to meet the requirements for product and service
delivery. It must additionally plan how it will address any risks and opportunities that may impact these
processes (see clause 6) and, therefore, its ability to achieve these requirements.
The planning commences with the organization establishing its product/service requirements. Once this
has been completed, the organization must then consider its processes and for each it must establish the
criteria for the process, namely; how it will control the process, the product/service acceptance criteria
and the resources necessary for product/service conformity. This means that the inputs (triggers for the
process), outputs (products and/or services), resources and controls (to ensure that the required outputs are
achieved) should be determined. In addition, what makes the output acceptable also needs to be determined
– this can be targets, measures, values, KPIs, specifications and other criteria as relevant to the output. There is
an explicit requirement for the organization to then control the processes using the criteria above.
The organization is required to create and keep documented information to the extent it determines is
necessary to allow it to ensure that its processes are being carried out as planned, and that the products and
services that are being produced conform to the identified requirements and acceptance criteria.
The extent of planning for the provision of products and services must be proportionate to the size, nature
and complexity of the organization’s operations.
The output from operational planning and control must be suitable for the organization’s operation.
The organization must control planned changes to the provision of product and services (see 8.5.6
“Control of changes”), and must review the consequences of any unintended changes. Where necessary, the
organization should mitigate any adverse effects.
Any outsourced processes must be controlled in accordance with clause 8.4 “Control of externally provided
products and services”.

The requirement to plan and develop processes is not new. For ISO 9001:2015, however, this has been
extended also to include “implementation and control”.

The term “product realization” has been withdrawn and replaced by “operation”, and the requirement for
“Planning of product realization” has been replaced by “Operational planning and control”.
The ISO 9001:2008 clause 7.1 a) requirement to determine quality objectives for products or services has
been relocated to ISO 9001:2015 sub-clause 6.2.1, which calls for quality objectives to be established at
relevant functions, levels and processes.
ISO 9001:2008 clause 7.1 b) refers to providing “resources specific to the product”. ISO 9001:2015 refers to
“resources needed to achieve conformity to product and service requirements”.
The requirement for the output from operational planning and control to be in a form that is suitable for use
by the organization comes straight across from ISO 9001:2008.
The new control-focused requirements centre on ensuring that processes are implemented as planned,
including actions to address risks and opportunities. This needs to be evidenced to the extent necessary by
means of documented information.

This section should be read in conjunction with guidance given to audit professionals under clauses 4.4 and
6.1. The increased focus on the process approach makes properly understanding clauses 4.4, 6.1 and 8.1 a
fundamental requirement for auditors.
Audit professionals should note that this clause now includes implementation and control requirements, not
just planning and development requirements as per ISO 9001:2008. They should also note the change of
terminology – “Product realization” has been replaced by “Production and service provision”.
Clause 4.4, together with clause 8.1, makes it very clear that the organization is required to determine and
plan (design) its processes to meet requirements. As such, auditors need to evidence that this has been done,
ie evidence that the process (including process inputs, outputs, resources, controls, criteria, process monitoring
and measuring as well as performance indicators) has been planned. The fact that they exist is not in itself
evidence that they have been planned.
There is also a clear link and, hence, audit trail, from clause
6.1 “Actions to address risks and opportunities” through
to clause 8.1. For those risks and opportunities that the “The organization is required to
organization has determined need to be addressed, determine requirements for the
auditors should gather evidence that these actions have products and services it intends to
been integrated into the management system; as such, offer to customers”
these actions should be verifiable at process level – for
example, evidence of controls, acceptance criteria and
resources.
www.quality.org
Auditors also need to evidence that processes have been implemented and controlled as planned, and
in so far as they relate to process planning and control, evidence that the organization has evaluated the
effectiveness of actions taken to address risks and opportunities.
Auditors should also gather and evaluate evidence relating to planned changes and to any unintended
changes.
8.2 Requirements for products and services

8.2.1 Customer communication
Sub-clause 8.2.1 requires an organization to communicate effectively with its customers. This covers product
and service information, enquiry, contract or order handling (including amendments); customer feedback
relating to the organization’s products and services (including complaints), the management of customer
property and specific requirements for contingency actions when relevant.

Quality professionals should note that these requirements are essentially the same as for ISO 9001:2008
sub-clause 7.2.3 “Customer communication”, but with the addition of new requirements to communicate in
respect of the management of customer property and specific requirements for contingency actions when
relevant. Note also that the communication about enquiries, contracts or orders now extends to how they
are handled.
A change here that may have implications for quality practitioners is that the clause on customer
communication now appears before the determination and reviewing of requirements. This is to demonstrate
the importance of communicating with the customer before determining what the organiszation intends to
offer them.

Auditors should note the additional requirements set out above.

8.2.2 Determining the requirements related to the products and services
The organization is required to determine requirements for the products and services it intends to offer to
customers. In doing so, the organization has to ensure that the requirements are defined. This includes the
capture of any applicable statutory and regulatory requirements as well as any requirements the organization
considers necessary.
The organization must then ensure that it can meet claims it is making for the products and services it
intends to offer
The ISO 9001:2008 note relating to post-delivery activities has moved to sub-clause 8.5.5.

This replaces ISO 9001:2008 sub-clause 7.2.1. The new clause represents a subtle change in emphasis in the
nature of the interaction between supplier and customer in respect of determining customer requirements.
In ISO 9001:2008, the organization determines customer requirements before reviewing these and then
proceeding to design or develop a product or service. ISO 9001:2015 starts from the position that the
organization has already determined the products and services it intends to offer to customers, taking into
account customer requirements. This reflects the way that much of business takes place these days, with
organizations effectively setting out their product portfolios from which customers must choose or configure.
An organization will need to be able to substantiate any claims it makes about its products or services in
respect of them meeting defined requirements.

Auditors should evidence that the organization is able to substantiate any claims it is making for the products
and services it offers.
8.2.3 Review of requirements related to products and services

8.2.3.1
The organization must ensure that it can meet product and service requirements it offers to customers.
The organization is required to review product and service requirements for customer offerings before it
commits to supply.
www.quality.org
This review needs to consider requirements set by the customer, including any relating to delivery and
post-delivery activities. It must also include consideration of any requirements not expressly stated by the
customer but that the organization knows to be necessary for the product or service to be suitable for the
customer’s specified or intended use (when known).
In addition, the review must also consider requirements stated by the organization, any applicable statutory or
regulatory requirements relating to the product or service, and any contract or order requirements that differ
from those previously stated.
The organization must resolve contract or order requirements that differ from those previously defined.
If the customer does not provide a documented statement of their requirements then the organization must
confirm the customer’s requirements prior to acceptance. The note (unchanged from the 2008 edition)
clarifies that in some circumstances, the review can cover relevant product information such as catalogues or
advertising material; this is typical for internet-based transactions.

Quality professionals should note that this is sub-clause 7.2.2 of ISO 9001:2008.
There is no substantive change to content, though there is recognition that when reviewing requirements
relating to products or services, these requirements could now include those for delivery and post-delivery
activities.

Audit professionals should ensure that requirements for delivery and post-delivery activities are considered in
the organization’s product and service requirement review.
8.2.3.2
The organization must keep documented information (records) relating to requirement reviews including
the results of the reviews and any new requirements for the products and services. The need to have
documented information (records) on any actions arising from the review has been deleted.

Quality professionals should note that these requirements are essentially unchanged from ISO 9001:2008
sub-clause 7.2.2.

8.2.4 Changes to requirements for products and services

This is a new clause; however it is just an extract from ISO 9001:2008 clause 7.2.2 Review of requirements
related to the product. There is no change to the requirements.

Quality professionals should note that these requirements reflect the change from documents to

8.3 Design and development of products and services

8.3.1 General
The organization has to establish, implement and maintain a design and development process that is
appropriate to ensure the subsequent provision of products and services.

Sub-clause 8.3.1 is a new clause that mandates a design and development process.
Note however, that this may be a candidate for the “applicability” requirements of clause “4.3
Determining the scope of the quality management system”.

Audit professionals should ensure that a design and development process exists and is being operated.
Increased knowledge of the products and services, and methods of arriving at them, will be required by
auditors in order to be able to verify whether the organization’s QMS should or should not include design
and development.
www.quality.org
8.3.2 Design and development planning
The organization is required to plan the design and development of its products and services.
The design and development process will comprise a number of stages, each of which will be subject to
controls. When determining the stages and controls to be applied to its design and development process, the
organization must consider:
• the complexity, nature and duration of the design and development activities;
• the required stages (including applicable design and development reviews);
• the required design and development verification and validation activities;
• the responsibilities and authorities of those involved in the design and development process;
• the required resources (both internal and external);
• the need to control interfaces between individuals involved in the design and development process;
• whether it is necessary to involve the customer and users in the design and development process;
• requirements for subsequent provision of products and services;
• how much control customers and other relevant interested parties expect for the design and
development process;
• the documented information that will be necessary to confirm the design and development requirements
have been met.
ISO 9001:2015 sub-clause 8.3.2 builds on the existing ISO 9001:2008 sub-clause 7.3.1 “Design and
development planning”.
Sub-clause 8.3.2 is more thorough than its

predecessor in terms of what needs to be taken
into consideration when planning the design and
“There are two new requirements
development process. However, it is likely that an “committed standards and codes of
organization complying with ISO 9001:2008 will practice” and “potential consequences
already be undertaking these activities anyway. This of design or development failure”

could be, for example, by involving the customer and users in the design and development process where
appropriate, and in ensuring that the organization’s design and development process takes into account
requirements for specific stages, such as design or a development review, verification and validation.
Note however, the requirement is to consider the need for interface control and involvement; this
may be decided by the organization to be “none”.
The requirement to consider the documented information required to confirm that the design and
development requirements have been met is a new addition to this clause.

Audit professionals should ensure that organizations are able to evidence that they have taken into
consideration the explicitly referenced considerations relating to the design and development process set out
above.
They should also ensure that the organization has considered the documented information required to
confirm that the design and development requirements have been met.
8.3.3 Design and development inputs

ISO 9001:2015 sub-clause 8.3.3 requires the organization to determine the essential requirements for the
types of products and services that it will design and develop. It needs to consider the following inputs:
• both functional and performance-related requirements;
• information from previous design and development activities that are similar;
• statutory or regulatory requirements;
• any standards or codes of practice the organization has committed to implement;
• any possible impacts of failure due to the nature of the products and services;
• the potential consequences of failure due to the nature of the product or service.
The organization must ensure that design and development inputs are adequate, complete and unambiguous.
If there are any conflicts between design inputs, then these must be resolved.
www.quality.org
These are amended requirements building on the previous requirements of ISO 9001:2008 sub-clause 7.3.2
“Design and development inputs”.
There are two new requirements “committed standards and codes of practice” and “potential consequences
of design or development failure” based on the nature of the product or service.
The remaining ISO 9001:2008 design and development input requirements are essentially unchanged.

Auditors need to verify that the organization has addressed the specific new requirements set out in ISO
9001:2015 sub-clause 8.3.3 – specifically, those relating to committed standards and codes of practice as well
as the potential consequences of design or development failure.
8.3.4 Design and development controls

The organization must apply controls to its design and development process in order to ensure that:
• the results needed from undertaking the design and development are defined;
• reviews are conducted to evaluate the ability of design and development results to meet requirements;
• verification activities are conducted to ensure that the design and development outputs meet the input
requirements;
• validation activities are conducted to ensure that the resulting products and services are fit for their
specified application or intended use;
• any necessary actions are taken on problems determined during the reviews, or verification and validation
activities;
• documented information (records) of these activities (reviews, verification, validation and actions) is kept.
This sub-clause draws in a number of existing requirements from ISO 9001:2008 sub-clauses “7.3.4 Design
and development review”, “7.3.5 Design and development verification” and “7.3.6 Design and development
validation”. Also, the note from sub-clause “7.3.1 Design and development planning” of ISO 9001:2008 has
been included.

Some requirements have been deleted, such as “Participants in such reviews shall include representatives of
functions concerned with the design and development stage(s) being reviewed” and “Wherever practicable,
validation shall be completed prior to the delivery or implementation of the product”. Added is the
requirement for the definition of results to be achieved

8.3.5 Design and development outputs

The organization must ensure that the outputs from design and development meet the input requirements
for design and development, and are suitable for provision of products and services.
Design and development outputs must include or reference monitoring and measuring requirements and
acceptance criteria, as appropriate.
Finally, the organization must ensure that the design and development outputs specify the product and
service characteristics that are essential for their intended purpose and their safe and proper provision.
The organization is required to keep documented information (records) on design and development outputs.

Quality professionals should note that this sub-clause corresponds to ISO 9001:2008 sub-clause 7.3.3 “Design
and development outputs”. It is mostly unchanged; with some additions and deletions as noted above.

Auditors should note the additional and deleted requirements.
8.3.6 Design and development changes

If changes are made either during or after design and development that have an adverse impact on
conformity to requirements then the organization must identify, review and control those changes.
The requirements apply at all stages during the design and development of products or services and also
subsequently; for example, post-delivery.
www.quality.org
The organization is required to keep documentary information (records) relating to design and development
changes, the review results and change authorization.

This sub-clause is essentially unchanged from ISO 9001:2008 sub-clause 7.3.7 “Control of design and
development changes”.
The order of “review” and “identify” has been reversed in ISO 9001:2015, with review taking place first.
“Control” has been added.
“Control” has replaced the ISO 9001:2008 requirements to “review, verify, validate and, as appropriate,
approve design changes before implementation”.
The requirement “The review of design and development changes shall include evaluation of the effect of the
changes on constituent parts and product already delivered” has been deleted.
Note that the “authorization of the changes” need not necessarily be done by a person; it could be a
trigger such as the successful completion of an activity or a computer system process step.

Auditors should not necessarily look for a person who “authorized” the changes.
8.4 Control of externally provided processes, products and services

8.4.1 General
The organization must ensure that externally provided processes, products or services meet requirements.
The organization must employ controls to enable it to verify that externally provided processes, products or
services meet these requirements
These controls must be put into effect when the organization is seeking to obtain:
• products and services from external providers for incorporation into the organization’s own products
and services;
• products and services to be provided directly to the customer by the external provider on the
organization’s behalf;

• outsourced processes or parts of processes from an external provider based on the organization’s
decision.
The organization must determine and put in place criteria that allow it to evaluate and select external
providers that allow it to monitor their performance and to subsequently re-evaluate them based on their
ability to provide processes, products and services that conform to requirements.
Documented information (records) needs to be retained evidencing the results of external provider
evaluations, re-evaluations, the monitoring of their performance and any actions necessary from the
evaluations.

The implications of this sub-clause are broadly in line with the requirements of ISO 9001:2008 sub-clauses
7.4.1 and 7.4.3; however, ISO 9001:2015 sub-clause 8.4.1 now explicitly sets out those instances in which the
organization must apply controls to external providers (see the bullet points above).
The new requirement here is to establish criteria to monitor the performance of external providers and to
have the results of the evaluation, re-evaluation as well as any necessary actions as documented information
(records).
In ISO 9001:2008 sub-clause 7.4.1, it is required to keep records of the “criteria” for selection, evaluation and
re-evaluation of the suppliers. Whereas, in ISO 9001:2015, the organization is required to record not only the
criteria, but also the results of these activities, including performance monitoring. This has many implications
for quality practitioners. If previously the organization has not maintained records of the “results” of these
activities, now they need to do so.
Note: an “external provider” is a provider external to the scope of the quality management system.
As such, if a QMS scope covers a single plant in a wider group structure then anything sourced from
other members of the group would be “externally provided” and hence subject to the requirements
of clause 8.4.

Auditors should note the new requirement for the organization to establish criteria to allow it additionally to
monitor the performance of external providers. This must be kept as documented information (records).
They should also note the requirement for the organization to provide documented information (records) of
the results of their monitoring of the external provider’s performance as well as any necessary actions arising
from evaluation, selection, monitoring of performance, and re-evaluation.
www.quality.org
8.4.2 Type and extent of control
The organization must determine the type and extent of controls that it wishes to apply to external
providers.
In deciding the nature and extent of these controls, the organization needs to make sure that there is no
negative impact that the externally provided processes, products or services could have on its ability to
supply conforming products and services to its customers. The organization must ensure that any outsourced
processes stay within the control of organization’s QMS.
The organization must define the controls for both the external provider and resulting outputs. The
organization must consider both the possible impact any externally provided process, product and service has
on its ability to consistently meet customer, statutory and regulatory requirements and the effectiveness of
the controls it applies to the external provider.
Finally, the organization must determine verification (or other) activities necessary to ensure conformance to
requirements.

This clause brings in elements from ISO 9001:2008 sub-clauses 7.4.1 “Purchasing process” and 7.4.3
“Verification of purchased product”.
In ISO 9001:2008 sub-clause 7.4.1, when determining the nature and extent of controls to be applied to
suppliers, the organization needed to consider “the effect of the purchased product on subsequent product
realization or the final product”. However, in ISO 9001:2015 this has been amended to “the potential impact
of the externally provided processes, products or services on the organization’s ability consistently to meet
customer and applicable statutory and regulatory requirements”.
The requirement to verify externally provided processes, products or services remains in sub-clause 8.4.2.
However, in ISO 9001:2008 the verification was to ensure “the purchased product met specified purchase
requirements”. In ISO 9001:2015, the verification is to ensure “the externally provided processes, products
and services meet requirements”.

Auditors should note the revised requirements as set out above, including those relating to outsourced
processes.
www.quality.org
8.4.3 Information for external providers
Sub-clause 8.4.3 sets out the information that the organization is required to communicate to external
providers of processes, products and services.
The organization is required to ensure that the requirements it intends to communicate to the external
provider are reviewed for adequacy prior to their being communicated.
This communication must include the organization’s requirements for the following:
• the processes, products and services to be provided;
• the approval of the product and service;
• the approval of methods, processes and equipment;
• the approval of the release of products and services;
• the competence of personnel, including any necessary qualifications ;
• the interactions between the organization and the external provider;
• how the external provider’s performance will be monitored and controlled by the organization;
• verification or validation activities that the organization (or its customer) intends to perform at the
external provider’s premises.
ISO 9001:2015 sub-clause 8.4.3 draws in existing requirements from ISO 9001:2008 sub-clauses 7.4.2
“Purchasing information” and 7.4.3 “Verification of purchased product”.
Essentially, these requirements are unchanged. There is an acknowledgement that the organizations need to
communicate not just the requirements for products and services but also processes.
The requirement for the organization to

communicate, where appropriate, the necessary “Organizations need to communicate
qualification of personnel has been expanded not just the requirements for products
to cover the competency and any necessary and services but also processes”
qualification of personnel.

The requirement for the organization to communicate, where appropriate, any “quality management system
requirements”, has been expanded to “the external providers’ interactions with the organization”.

8.5 Production and service provision

8.5.1 Control of production and service provision
Sub-clause 8.5.1 requires the organization to control the way in which they produce their products and
provide their services.
These controlled conditions must include, as applicable, ensuring that:

• documented information that defines the characteristics of the product or service is available or
documented information that defines the activities that need to be performed to produce the product
or deliver the service is available
• documented information that defines the results that are to be achieved is available;
• suitable monitoring and measurement resources are available and used;
• monitoring and measurement takes place at appropriate points to ensure that either the processes or
outputs meet acceptance criteria;
• monitoring and measurement takes place at appropriate points to ensure that products and services
meet acceptance criteria;
• suitable process environment and infrastructure are used;
• suitable monitoring and measurement resources are made available;
• competent personnel are used and, where necessary, are appropriately qualified;
• for processes where the results cannot be verified by subsequent monitoring or measurement (also
known as “special processes”), the process itself is initially validated and then periodically re-evaluated;
• actions to prevent human error are implemented;
• product and service release, delivery and post-delivery activities are implemented.
www.quality.org
This sub-clause is an amalgamation and expansion of ISO 9001:2008 sub-clauses 7.5.1 “Control of production
and service provision” and 7.5.2 “Validation of processes from production and service provision”.
The reference to “work instructions” has been replaced by a reference to “documented information that
defines the activities to be performed or the results achieved” thus giving two options.
“The results achieved” is an important addition; these may not appear in existing documentation describing
the activities to be performed or in records generated from them.
There is now an explicit requirement to ensure monitoring and measurement activities are undertaken at
appropriate points. This is in order to verify processes are being controlled and that outputs, products and
services are meeting their acceptance criteria. This is an expansion on ISO 9001:2008 sub-clause 7.5.1e.
The “use of suitable equipment” has been replaced by the “use and control of suitable infrastructure and
process environment”.
Reference is made to monitoring and measuring “resources” as opposed to “monitoring and measuring
equipment”, reflecting the fact that monitoring may be being carried out by humans.
The ISO 9001:2008 sub-clause 7.5.2 b) reference to the “qualification of personnel” has been modified to
“competent persons, including any required qualification” emphasising competency over qualification”.

Auditors should note the changed requirements as set out above.
8.5.2 Identification and traceability

The organization is required to put arrangements in place to allow its outputs to be identified where this is
necessary, in order for it to be able to demonstrate that they conform to requirements.
The organization must be able to identify the status of outputs in respect of any monitoring and
measurement requirements it has set, at all stages of production or service provision.
In cases where traceability is a requirement, the organization must additionally ensure that its outputs are
uniquely identifiable. Documented information (records) that enables outputs to be traced back through the
quality management system must be retained only when traceability is a requirement.

The ISO 9001:2008 note to the sub-clause stating that some sectors used configuration management for
identification and traceability has been deleted.

Essentially, this sub-clause is unchanged from ISO 9001:2008 sub-clause 7.5.3 “Identification and traceability”.
ISO 9001:2015 sub-clause 8.5.2 states that identification and traceability is to be employed “when necessary
to ensure the conformity of products and services”. However, ISO 9001:2008 simply states that it is to be
employed “where appropriate”.
There are terminology changes. ISO 9001:2015 refers to “outputs”, the “provision of products and services”
and “documented information”, whereas ISO 9001:2008 refers to “products”, “product realization” and
“records”. However, the substance of the requirements is identical.

No change in audit approach is necessary. Note that traceability is not always a requirement.
8.5.3 Property belonging to customers or external providers

Sub-clause 8.5.3 requires the organization to take care of property owned by customers or by external
providers while it is being used by the organization or under its control.
The organization must ensure that any such property provided for the organization’s use or for to be
included in the organization’s products and services is identified, verified, protected and safeguarded.
If the property is lost, damaged or otherwise found to be unsuitable for use, the organization must make sure
that this is reported back to the customer or external
provider. What has occurred must be evidenced in
documented information (records). “There are terminology changes.
However, the substance of the
A note provides examples of the types of property that requirements is identical”
this clause can cover.
www.quality.org
This requirement is essentially unchanged from ISO 9001:2008 sub-clause 7.5.4. However, it has now been
extended to cover not just customer property, but also property belonging to the external providers that has
been provided to the organization for use or incorporation into the products and services. As such, existing
arrangements must be revised to reflect this.
For an organization that uses external providers’ property, this can impact on their QMS in relation to gaps
in controls needed, and, hence, there are implications for the quality practitioners of such an organization to
ensure compliance with this requirement.

Evidence is required to confirm that the controls appearing in ISO 9001:2008 relating to customer property
have been extended to cover property from external providers and documented information (records) need
to be sought detailing any occurrence.
8.5.4 Preservation
Sub-clause 8.5.4 requires the organization to take appropriate measures during production and service
provision to safeguard outputs, in order to maintain their conformity to requirements.
The note to sub-clause 8.5.4 provides examples of “preservation”. These include identification, handling,
contamination control, packaging, storage, transmission or transportation and protection.

Notwithstanding that this sub-clause refers to “outputs” as opposed to “product”, its requirements are
essentially the same as for ISO 9001:2008 sub-clause 7.5.5 “Preservation of product”.
Examples of what preservation could include (eg identification, handling, packaging, storage and protection)
now appear in a note to sub-clause 8.5.4 instead of in the body of the sub-clause itself.
“Contamination control”, “transportation” and “transmission” have been added to the original ISO 9001:2008
preservation examples. The implications for quality professionals of this latter addition means that if their
organization’s products are data and information, they will need to look at the risks of loss of data and
security issues during transmission (eg website subscriptions, web-based information, data attached to emails,
information in emails). This is something that previously might have not been considered a “quality issue”.

No substantive change to current audit practice.
8.5.5 Post-delivery activities
Sub-clause 8.5.5 requires the organization to determine the nature and extent of any post-delivery activities it
needs to undertake.
When doing this, the organization must consider statutory or legal requirements, any possible unwanted
consequences associated with the particular product or service, the nature of the product or service, how
the product or service will be used and what the product or service’s intended lifetime is.
In addition, consideration of any post-delivery activities also needs to take into account customer
requirements and customer feedback.

Quality professionals should be aware that these are much expanded requirements; coming from ISO
9001:2008 sub-clauses 7.5.1 Control of production and service provision f) and 7.2.1 Determination of
requirements related to the product a) and the Note.
They should ensure that their quality management system is amended to address this clause.
They should also note the necessary considerations relating to possible unwanted consequences, the nature
of the product or service, its intended lifetime, customer requirements and feedback and statutory or legal
requirements.
This can potentially require some work for the quality practitioners if the organization’s products or
services can have possible unwanted consequences or have a long or indefinite lifetime (eg medical devices,
aerospace, research results or test results).

Auditors should be aware that these are expanded “The organization is required
requirements. They should ensure that the organization to control any changes that are
has taken into account the necessary considerations
necessary”
when determining the nature and extent of post-delivery
activities.
www.quality.org
8.5.6 Control of changes
The organization is required to control any changes that are necessary in order to ensure that products or
services continue to meet their specified requirements.
In such instances, the organization must retain documented information (records) describing the results of
the review of the changes, the person(s) authorizing the changes and any necessary actions arising from the
review.

Quality professionals should be aware that this is a new clause. If the organization determines that it must
make changes to production or service provision in order to ensure its products or services continue to
conform to their specified requirements, then these changes must be made in a controlled manner and the
changes must also be reviewed. There are several implications for quality practitioners of an organization that
is regularly making changes as a result of market or customer needs, lack of external provider performance or
other causes.

Auditors should evidence that the organization has controlled and reviewed any changes to production or
service provision in accordance with the requirements set out above.
8.6 Release of products and services

Clause 8.6 requires the organization to carry out predetermined arrangements at appropriate stages of the
production/service delivery in order to verify that products and services meet all requirements (including
acceptance criteria).
Products or services must not normally be released to the customer until all of the planned activities, tests
and checks have been satisfactorily completed, unless a relevant authority approves their early release. Where
applicable, approval for early release must also be obtained from the customer
Documented information (records) must evidence acceptance criteria conformity. It must also provide
traceability to the individual(s) who authorized the release.

Clause 8.6 refers to “products and services” instead of “products”, and to the need to retain “documented
information” as opposed to “evidence” of conformity. This clause now explicitly mandates that all planned
arrangements must be completed prior to release, with the caveats from ISO 9001:2008. Apart from this, it is
otherwise equivalent to ISO 9001:2008 sub-clause 8.2.4.

No substantive change. Auditors should note the refreshed terminology – “products and services” replaces
“products”, and “documented information” replaces “record”.
8.7 Control of nonconforming outputs

8.7.1
The organization is required to identify any outputs that do not conform to their intended requirements and
controls need to be established and implemented to ensure that these “nonconforming outputs” are not
delivered to the customer or their unintended use is prevented.
Where nonconforming outputs are identified, the organization is required to take appropriate action based
on the nature of the nonconformity and its effect on the conformity of products and services. This again is the
application of risk-based thinking. This requirement also applies to nonconforming products or services that
are detected after delivery of products, during or after the provision of services.
The organization is required to deal with nonconforming outputs in one or more of the following ways:
• by correcting the fault;
• by segregation or containment of the output, product or service;
• by securing the return of the output, product or service;
• by suspension of the provision of products and “Products or services must not

services; normally be released to the
• by informing the customer; customer until all of the planned
activities, tests and checks have
• by obtaining authorization for acceptance under a been satisfactorily completed”
concession.
www.quality.org
If the organization decides to correct a nonconforming output, product or service then it must verify that the
corrective action it has taken has restored the output, product or service’s conformity to requirements.
The organization is required to retain documented information (records) of actions taken where
nonconforming outputs, products or services have been identified. This needs to include details of any
concessions obtained and details of the authority that made decisions in respect of dealing with the
nonconformity.

This clause contains minor changes in requirements from ISO 9001:2008 clause 8.3 “Control of
nonconforming product”.
ISO 9001:2015 focuses on all “outputs” (while referencing “services” as well as “products”).
There is no longer a requirement for a documented procedure that defines the controls and related
responsibilities and authorities for dealing with nonconforming products.

Auditors should note the removal of the requirement for a documented procedure covering control of
nonconforming products.
8.7.2
The documented information (records) requirement equates to the existing ISO 9001:2008 requirement to
retain records of nonconformities and resultant actions. It must now identify the authority deciding the action.

Note that the “authority” is not necessarily a person; it could be a trigger such as the successful completion of
an activity or a computer system process step.

Auditors should not necessarily look for a person as the “authority”.

www.quality.org
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
Sub-clause 9.1.1 requires the organization initially to determine what it needs to monitor and measure.
Once this has been done it must then decide how it is going to carry out these activities in order to ensure
that the results obtained are valid. The requirement for methods to ensure valid results also extends to
the organization’s analysis and evaluation activities. In addition, the organization must also determine when
monitoring and measurement should be carried out and at what stage the results of monitoring and
measurement should be analysed and evaluated.
They must ensure that where monitoring and measurement takes place, documented information (records)
is retained to evidence the results.
Finally, there is a requirement for the organization to evaluate the quality performance and effectiveness of
their quality management systems.

The decision on whether to monitor or to measure, and what to monitor and measure, can have a significant
impact on the effectiveness of the QMS, its implementation and its results. Inevitably the decision will be
based on:
• the degree of confidence that the organization has in the operational controls that it has established for
its processes, and their effectiveness (this can use historical data on performance to establish what should
be monitored and what should be measured)
• the degree of confidence that the organization needs to have in the operational controls that it has
established for its processes, and their effectiveness (this can use the output from the organization’s
approach to addressing risks and opportunities; as well as the needs and expectations of its customers
and interested parties)
Inevitably, in the absence of data for either of the above points, the organization may have to have a
comprehensive set of monitoring and measurement activities until such time that it can build enough
information and/or data to help inform its decision making for future monitoring and measurement activities.
An example is where certification bodies carry out more frequent surveillance visits of those organizations
newly certified, and once confidence is achieved through these visits and their results, they can reduce the
frequency of future surveillance visits. Ultimately, this is all about risk-based thinking.

Auditors should note the additional requirement for the organization to evidence evaluation of the results of
monitoring and measurement, not just their analysis.
They should confirm that the organization has considered what, how and when to measure and that the
outcomes from this decision result are ensuring appropriate process control.
They should also note a new requirement to monitor the quality performance and effectiveness of the
organization’s quality management system.
9.1.2 Customer satisfaction

Sub-clause 9.1.2 requires the organization to put in place arrangements to monitor the degree to which
customers believe their requirements for products and services have been met.
The organization needs to identify how this information is to be secured and the way in which it is to be
used.
Guidance is provided by means of the Note similar to that in 9001:2008 clause 8.2.1 as to the methods that
could be employed to obtain customer views.

This clause supersedes ISO 9001:2008 sub-clause 8.2.1.
The principal change here is the degree (ie how much) to which the customer perceives the organization has
met the customer’s needs and expectations.
The organization still needs to decide how it is going to obtain and use customer satisfaction information.

“The decision on whether to
Auditors should ensure that the organization has met monitor or to measure, and what
the additional requirements to seek customer perception to monitor and measure, can
about the degree to which the organization has met
have a significant impact on the
customer’s needs and expectations.
effectiveness of the QMS”
www.quality.org
9.1.3 Analysis and evaluation
Sub-clause 9.1.3 requires the organization to analyse and evaluate appropriate data and information that it
has obtained either internally or externally for a variety of pre-defined purposes.
These include: to demonstrate that the organization’s products and services conform to requirements; to
assess customer satisfaction; to ensure the conformity and effectiveness of the quality management system;
and to demonstrate that planning has been successfully implemented. Additionally, it is to be used to evaluate
the performance of external providers, and to determine the need for improvements within the quality
management system.

Sub-clause 9.1.3 now refers to analysis “and evaluation” of data, rather than just “analysis” as in ISO 9001:2008
clause 8.4.
Quality professionals should note the new requirement for data and information to demonstrate that
planning has been effective.
The ISO 9001:2008 clause 8.4 c) reference to the characteristic and trends of processes and preventive
action has been removed.
The ISO 9001:2008 clause 8.1 reference to “statistical techniques and the extent of their use” has been
removed.

Auditors should note that the organization now needs to evidence both analysis and evaluation of data and
information. It is not sufficient just to carry out an analysis without interpreting the results.
They should ensure that the organization is able to evidence through analysis and evaluation that planning has
been effective.
Note the removal of references to the characteristic and trends of processes, preventive action and
statistical techniques.

9.2 Internal audit
9.2.1
Sub-clause 9.2.1 confirms the requirement for the organization to carry out internal audits at planned
intervals in order to provide information as to whether the quality management system conforms to both
the organization’s own requirements and the requirements of ISO 9001:2015.
Internal audits must also identify whether the quality management system is being effectively implemented
and maintained.

Quality professionals should note that whilst the requirements are essentially unchanged from ISO 9001:2008
sub-clause 8.2.2 the purpose of internal audit has now changed. It is no longer to determine whether the
QMS meets both the organization’s own requirements and the requirements of ISO 9001 but to simply
provide information as to whether this is the case. The determination is carried out by top management as
part of a management review.

Auditors should note the change in internal audit purpose.
9.2.2
Sub-clause 9.2.2 sets out a series of requirements relating to how audit programmes must be structured,
what audits must cover, who should undertake audits and how audits are to be reported.
When designing an audit programme, the organization needs to consider their quality objectives, the
importance of the processes concerned, customer feedback, changes within the organization, risks and
opportunities, and the results of previous audits.
Each audit needs to have a defined scope and its own

audit criteria. Audits and auditors need to be impartial The organization still needs to
and objective. decide how it is going to obtain
and use customer satisfaction
Finally, the findings from audits need to be fed back to information
the relevant management with any required corrections
or corrective actions being taken in a timely manner.
www.quality.org
Documented information (records) needs to be retained to provide evidence that the audit programme has
been implemented as well as the results of audits.

There is no longer a requirement for the organization to establish a documented internal audit procedure.
However, the organization may still chose to operate one if they so wish.
Quality professionals should note the need to retain documented information (records) evidencing the
implementation of an audit programme and also the audit results.
They should also note that when designing the internal audit programme, organizational changes, and quality
objectives now need to be considered explicitly.
Note that the results of the audits should be reported to the relevant management versus 9001:2008
where the “nonconformities are reported to the management of the area audited”.

Auditors should not necessarily expect to find a documented internal audit procedure in place. However,
they must be able to access documented information confirming the implementation of an audit programme
by the organization. Documented information must also be available to evidence the results of audits.
When determining how the audit programme has been designed, auditors should ensure that customer
feedback, organizational changes, and risks and opportunities have been brought into consideration.
9.3 Management review

9.3.1 General
Sub-clause 9.3.1 requires reviews of the quality management system to be undertaken by top management
at planned intervals in order to ensure the quality management system’s continuing suitability, adequacy and
effectiveness. This is essentially unchanged from the existing ISO 9001:2008 sub-clause 5.6.1.

ISO 9001:2015 requires management reviews additionally to consider the degree of alignment between the
quality management system and the strategic direction of the organization.

Auditors should be looking for the integration of the QMS in the business and top management engagement
via the alignment of the organization’s strategic direction and the QMS.
9.3.2 Management review inputs

Sub-clause 9.3.2 details the items that top management must (as a minimum) consider during a management
review. This has seen significant change. Previously the requirement was simply for information on a list of
items; this list has been modified and expanded. In addition sub-clause 9.3.2 c) requires information on trends
in a list of items.
The initial requirement is to revisit the status of any actions identified at previous reviews. The second
requirement calls for consideration of any changes in the organization’s context.
The third requirement is for consideration of the QMS performance and effectiveness. Here, specific
reference is made to the need for trends relating to nonconformities and corrective action, monitoring and
measurement results, audit results, customer satisfaction as well as relevant interested parties’ feedback,
process performance and conformity of products and services; also external providers’ performance and how
well quality objectives are being achieved.
Finally, management reviews must consider information on opportunities for improvement, the adequacy of
resources and if the actions to address risks and opportunities have been effective.

This sub-clause supersedes ISO 9008:2008 sub-clause 5.6.2 “Review input”. While the overall purpose of
management reviews remains unchanged, there are now new “strategic” items relating to context, risk and
opportunities to be included on the agenda. In addition, there is a requirement that “trends” be used to
monitor specific elements of QMS performance and effectiveness. This contrasts with ISO 9001:2008, where
the requirement is simply to “include information” on
these items. “ISO 9001:2015 requires
management reviews consider
The implication for the organization is a more the degree of alignment between
comprehensive review process. It should be noted that
the quality management system
a lot of the information listed will already be available in
some organizations, but may not have been addressed and the strategic direction of the
under ‘quality management’ in the past. organization”
www.quality.org
Auditors should expect to evidence a more strategically focused management review. Context, risks
and opportunities need to be considered, as well as the alignment of the quality management system to
the organization’s overall strategic objectives. Auditors should also note the explicit requirement for the
organization to use “trends” to monitor the performance and effectiveness of the QMS.
9.3.3 Management review outputs

Sub-clause 9.3.3 sets out specific requirements in respect of the outputs from management reviews.
The organization must retain documented information (records) to provide evidence of the results of
management reviews.

Quality professionals should note that this sub-clause supersedes ISO 9001:2008 sub-clause 5.6.3 “Review
output”. The requirements of both sub-clauses are, essentially the same; however there is no longer an explicit
need to address improvement of product related to customer requirements.
The organization is now, however, required to retain documented information as evidence of the results of
the management reviews (rather than records of management review as stated in 9001:2008).

Auditors should expect to evidence the similar “The organization should be
outputs from management reviews as at present. addressing unwanted effects by fixing
However, they should note that the results of them, stopping them happening or
management reviews can now be held in any minimising them”
format that the organization chooses.

10 Improvement
10.1 General
Clause 10.1 is a new clause. It sets out the headline requirement for the organization actively to seek out and
realise improvement opportunities that will better enable the organization to meet customer requirements
and enhance their customers’ satisfaction.
When looking to improve, the organization should be addressing unwanted effects by fixing them, stopping
them happening or minimising them. They should also seek to improve their products and services, as well as
improving their QMS’ performance.
The associated note reminds us that improvement can come in different ways; not just on an ongoing basis.
Sometimes it occurs as a result of fixing a problem as well as corrective action; sometimes through innovation
and sometimes as a result of re-organization.
Preventive action no longer exists as a concept in ISO 9001:2015 – all references to it have been removed.
Instead, it has been replaced by risk-based thinking.
Also, the explicit requirement to improve the quality management system through the use of the quality
policy, quality objectives, audit results, analysis of data and corrective actions, and management review
that appears in ISO 9001:2008 sub-clause 8.5.1 “Continual improvement” has been removed from ISO
9001:2015.

Quality professionals should note the new requirements. The organization should review their products
and services, as well as the effectiveness and performance of their QMS as a whole, with the goal of making
improvements. A new requirement is to address unwanted effects, whatever they are and whatever the
cause. The organization can do this by correction, prevention or reduction.
Note: there are no longer any requirements to be fulfilled relating to preventive action (previously
ISO 9001:2008 sub-clause 8.5.3). As a result, it is no longer necessary to have a documented
procedure for preventive action.
Pay attention to improving products and services not only to meet today’s, but also tomorrow’s requirements.
www.quality.org
Auditors should continue to seek objective evidence that improvement is taking place. They should note,
however, that while improvement does not need to be continual, it does need to be evidenced as occurring.
It is important to remember that there is no need for the organization to improve all of these all the time.
Auditors should look for evidence that the organization is considering improvement in respect of its products
and services, and the performance of the QMS overall. In the case of products and services, this is to meet
not just current requirements, but also future requirements.
They should note that there is no longer a requirement to audit preventive action as a distinct activity.
Auditors should also note the removal of the explicit requirement for the organization to improve its quality
management system through the review of the quality policy, quality objectives, audit results, analysis of data
and corrective actions, and management review.
10.2 Nonconformity and corrective action
10.2.1
Sub-clause 10.2.1 sets out how the organization is required to act when a nonconformity occurs. This
includes those resulting from complaints.
In such instances, the organization is required to take whatever action is necessary to control and correct the
nonconformity, and to deal with any resultant consequences.
Once this is done, the organization can then move on to consider whether any further action is required
to prevent a similar nonconformity occurring at some point in the future or elsewhere. This requires the
organization to review and analyse the nonconformity, to determine what caused it and then to consider if
the problem exists elsewhere or the potential for a similar problem to occur in the future exists.
The organization is then required to implement any actions identified as needed, to subsequently review the
result for effectiveness and to make changes to the QMS if necessary.
Finally this has to be reflected in updating the risk and opportunities from planning (see clause 6.1) if
necessary.
This clause also recognises that the actions the organization takes on nonconformities should be appropriate
to the effect of those nonconformities.
The title of this sub-clause has changed – it was previously ISO 9001:2008 sub-clause 8.5.2 “Corrective
action”.

The ISO 9001:2008 sub-clause 8.5.2 requirement for a documented corrective action procedure has been
removed. On the occurrence of a nonconformity, there is now an explicit requirement for the organization to
determine whether other similar nonconformities actually do or potentially could exist.
There is also a requirement for the organization to determine whether changes are required to the wider
QMS in order to prevent a reoccurrence.
The note recognises that for certain circumstances it may be impossible to eliminate the cause of a
nonconformity.
www.quality.org
Auditors should evidence that, where nonconformities have been identified by an organization, an
investigation has been conducted to determine whether other similar nonconformities actually do or
potentially could exist.
They should also evidence that where a nonconformity has occurred, the organization has considered
whether it needs to make changes to the wider system to prevent a reoccurrence.
10.2.2
The organization needs to keep documented information (records) detailing the nature of any nonconformity
identified and the action that the organization decided to take to address it. This documented information
must include the results of any corrective action taken.

The documented information (records) required not only need to evidence what the problem was and how
it was fixed but also the results – was the action successful?
An organization may want to keep their existing documented corrective action procedure. If so, it now needs
to meet the requirements of sub-clause 10.2.2.
Note that in addition to the results of any action taken, the documented information (records) now requires
the nature of the nonconformities to be recorded and any actions taken – this is an additional requirement
to ISO 9001:2008 sub clause 8.5.2.

Auditors should no longer expect to find a documented corrective action procedure. The organization may
elect to provide evidence that it is fulfilling the requirements of this sub-clause by other means, for example
by the use of computer-based records.
Note the new requirement regarding the “Sub-clause 10.2.1 sets out how the
recording of the nature of nonconformities, any organization is required to act when a
action taken and in particular, the results – was the nonconformity occurs”
action effective?

10.3 Continual improvement
Clause 10.3 requires the organization to work continually to improve its quality management system in terms
of its suitability, adequacy and effectiveness. Suitability and adequacy are new. Effectiveness is ‘doing the job it’s
meant to do’. Suitability means – is it right for the job? Adequacy means – is there too much, too little or is it
just right? If there is too much, then it needs to be cut back; too little and it needs enhanced.
As part of continual improvement, the organization is specifically required to use the outputs from analysis
and evaluation (see sub-clause 9.1.3) and from management review (see clause 9.3.3) to determine areas of
underperformance and to identify any opportunities for improvement.
Tools and methodologies should be employed as appropriate by the organization to investigate the cause of
underperformance and to support continual improvement.

The ISO 9001:2008 sub-clause 8.5.1 requirement was prescriptive, but not helpful: improving through the
use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions, and
management review. This has been dropped.
The organization will now need to demonstrate that they are using the outputs from their analysis and
evaluation processes to identify areas of underperformance and opportunities for improvement.

Auditors should evidence that the organization is
“Auditors should no longer expect
using the outputs from their analysis, evaluation and
management review activities to identify improvement
to find a documented corrective
opportunities and quality management system action procedure”
underperformance.
www.quality.org
Annexes
Annex A (Informative) – Clarification of new

structure, terminology and concepts
ISO 9001:2008 contained a single informative annex (Annex A). Within this was a table that mapped
each ISO 9001:2008 clause to its ISO 14001:2004 (The Environmental Management System Standard)
counterpart and another that detailed the changes between ISO 9001:2000 and ISO 9001:2008. There are
no such tables in ISO 9001:2015. However, there is a document published by ISO/TC 176/SC 2, which gives
a clause by clause correspondence between firstly ISO 9001:2015 and ISO 9001:2008 and secondly ISO
9001:2008 and ISO 9001:2015.
Annex A instead introduces the new Annex SL-based structure that underpins the standard as well as
the core concepts on which it is built. These include “Context of the organization” as well as a “risk-based
approach”.
The method by which exclusions are handled also appears here. ISO 9001:2015 contains no reference to
exclusions (clause 1.2 “Application” in ISO 9001:2008) and the default position is that an organization is
expected to meet all of the requirements of the standard unless it is impossible for them to do so. There is
no option to “opt out” of specific requirements that an organization may simply be uncomfortable with.
An explanation is provided in respect of “documented information”. This term replaces “documented

procedure” and “records”, and has been incorporated throughout ISO 9001:2015 to align with other
international standards. There is now much more freedom for the organizations themselves to determine the
nature and extent of their document holdings.
Organizational knowledge is a new requirement (sub-clause 7.1.5). The organization is now required to
determine and maintain the knowledge they possess, which is critical in respect of ensuring their products
and services conform to requirements. This includes not just knowledge held in documents or on IT systems,
but also in people’s heads.
The final concept addressed is control of externally provided processes, products and services. This combines
and supersedes ISO 9001:2008 outsourcing in clause 4.1 “General requirements” and clause 7.4 “Purchasing”.
It covers any “external” provision where external is outside the scope of the quality management system. This
could be a traditional third-party supplier or another organization in the same group or company. It addresses
purchasing from a supplier, an arrangement with an associate company or outsourcing processes.

Annex B Information – Other International
Standards on quality management and quality
management systems developed by ISO/TC 176
Annex B provides details of the ISO 10000 series of quality management standards as well as ISO 19011,
which relates to management system audits.
The ISO reference and title of each standard is given, as well as a short summary of what each standard is
about.
Table B.1 cross-references each 10000 series standard to one or more specific clause(s) of ISO 9001:2015.
ISO 9000, ISO 9004 and ISO 19011 are similarly cross-referenced to ISO 9001:2015.
www.quality.org
Conclusion
When ISO 9001:2015 was published in September 2015, it signalled the start of a three-year transition
period during which those organizations wishing to move to the new version of the standard will need to
make changes to their existing quality management systems.
The extent of the work involved will very much depend on each organization’s starting point. Those who
have embraced both the substance and the spirit of the 2000 edition will have respectively less work
compared to those who are simply meeting the base requirements at present.
Irrespective of the starting position, the migration process should begin now. ISO’s survey data shows a
significant dip in ISO 9001 registrations immediately following the last major revision in the year 2000. While
it is unclear exactly why this was the case, at least some of the reduction has been attributed to organizations
leaving it too late to align their systems to the 2000 edition’s requirements, and, as a consequence, their
certificates were withdrawn. For organizations that rely on ISO 9001 certification to demonstrate their
competency as a supplier, the loss of such certification will invariably have a direct impact on profitability. By
starting now you can ensure you effect your transition in a controlled and timely manner well ahead of the
September 2018 deadline.
Quality practitioners should start by familiarising themselves with the revised requirements as set out in this
report and should then prepare plans to modify their existing quality management systems as necessary.
Top management need to understand their new obligations and must be prepared to evidence leadership
(in addition to management) of their QMS. Finally, both internal and external auditors will need to upskill,
to equip themselves to assess a standard where old friends such as the management representative, the
quality manual and documented procedures have disappeared and where new evidence sources have been
introduced in their place.
The CQI and IRCA recognise that the proposed changes may seem a little daunting. That is why we have
committed to running a series of roadshows, webinars, technical articles and briefings aimed at supporting
our members.
Whatever your role in the quality profession and whatever sector your organization may operate in, the CQI
and IRCA will be on hand to provide informed and impartial advice to facilitate your transition.
Please note: the content written in this report has not been changed from the previous 9001:2015
report, the design layout however, has been.

The CQI would like to thank the authors and reviewers for their work on this report.
Richard Green: CQI Head of Professional Networks
Colin MacNee: Duncan MacNee, Secretary and UK delegate to ISO/TC 176/SC 2/WG 24
Andrew Holt: CQI Technical Content Executive
The Chartered Quality Institute (CQI)
The CQI is the chartered body for quality management professionals.
It exists to benefit the public by advancing education in, knowledge of and the practice of quality in
industry, commerce, the public sector and the voluntary sectors. www.quality.org
The International Register of certificated Auditors (IRCA)
IRCA is a division of the CQI and is the leading professional body of management system auditors
www.quality.org
Report published (September 2015) by:
The Chartered Quality Institute (CQI)
2nd Floor North, Chancery Exchange
10 Furnival Street
London EC4A 1AB
United Kingdom
T: +44 (0) 20 7245 6722 I F: +44 (0) 20 7245 6788
www.quality.org
Incorporated by Royal Charter and registered as a charity
number 259678
© 2018 Chartered Quality Institute. All Rights Reserved

ISO 9001 Low Res

Uploaded by

Copyright:

Available Formats

ISO 9001 Low Res

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISO 9001 Low Res

Uploaded by

Copyright:

Available Formats

Report

Complying with the revised requirements

With support from Ideagen

Ideagen provides industry-leading electronic compliance

Ideagen is dedicated to promoting enterprise-wide quality

ISO 9001:2015  I Understanding the International Standard v1.1

3. Clause by clause evaluation

3 Terms and definitions

4 Context of the organization

Purpose of this report

It is intended to assist both the Chartered Quality

What has happened?

The International Standard, ISO 9001:2015, was published in September 2015.

What has led us to this conclusion?

6 ISO 9001:2015 Understanding the International Standard

For those organizations already operating by the spirit

• LEADERSHIP Clause 5, previously “Management Responsibility”, now becomes “Leadership”.

8 ISO 9001:2015 Understanding the International Standard

• IMPROVEMENT ISO 9001:2015 clause 10 recognises that incremental (continuous) improvement

• DOCUMENTATION References to requirements for a documented quality manual, documented

10 ISO 9001:2015 Understanding the International Standard

Clause by clause evaluation

• identify the implications of the requirement for audit professionals.

• demonstrate conformity to specified QMS requirements;

• address opportunities to enhance customer satisfaction;

12 ISO 9001:2015 Understanding the International Standard

0.2 Quality management principles

0.3 Process approach

Using the process approach in a QMS facilitates:

0.3.2 Plan-Do-Check-Act cycle

0.3.3 “Risk-based thinking”

0.4 Relationship with other management system standards

14 ISO 9001:2015 Understanding the International Standard

3 Terms and definitions

»» Implications for quality professionals:

»» Implications for audit professionals:

16 ISO 9001:2015 Understanding the International Standard

Again, it is up to the organization to decide relevance.

»» Implications for quality professionals:

»» Implications for audit professionals:

18 ISO 9001:2015 Understanding the International Standard

The scope of the quality management system is determined by the organization.

The scope must be made available and be maintained as documented information.

»» Implications for quality professionals:

»» Implications for audit professionals:

4.4 Quality management system and its processes

»» Implications for quality professionals:

20 ISO 9001:2015 Understanding the International Standard

»» Implications for quality professionals:

»» Implications for audit professionals:

»» Implications for quality professionals:

»» Implications for audit professionals:

5.1.2 Customer focus

24 ISO 9001:2015 Understanding the International Standard

»» Implications for audit professionals:

»» Implications for audit professionals:

5.2.2 Communicating the quality policy

26 ISO 9001:2015 Understanding the International Standard

»» Implications for audit professionals:

Auditors should ensure that the quality policy is being

ISO 9001:2015 I Understanding the International Standard v1.1