The most valuable Helpful PDF file that extremely can boost your ability to understand well the New version of QMS in accordance to ISO 9001:2015 as well as ease the documentation transition process toward ISO 9001:2015
Eng. Akram Malkawi
ISO 9001 is the international standard that specifies requirements for a quality
management system (QMS). Organizations use the standard to demonstrate the
ability to consistently provide products and services that meet customer and
regulatory requirements. This Document helps you to understand the new
standard and ease transition.
A. Understanding ISO 9001:2015
ISO 9001 is the international standard that specifies requirements for a quality management system
(QMS). Organizations use the standard to demonstrate the ability to consistently provide products
and services that meet customer and regulatory requirements. It is the most popular standard in the
ISO 9000 series and the only standard in the series to which organizations can certify. Successful
businesses understand the value of an effective Quality Management System that ensures the
organization is focused on meeting customer requirements and they are satisfied with the
products and services that they receive. ISO 9001 is the world’s most recognized management
system standard and is used by over a million organizations across the world. The new version has
been written to maintain its relevance in today’s marketplace and to continue to offer organizations
improved performance and business benefits.
ISO 9001 was first published in 1987 by the International Organization for Standardization (ISO), an
international agency composed of the national standards bodies of more than 160 countries. The
current version of ISO 9001 was released in September 2015. ISO 9001:2015 applies to any
organization, regardless of size or industry. More than one million organizations from more than 160
countries have applied the ISO 9001 standard requirements to their quality management
systems. Organizations of all types and sizes find that using the ISO 9001 standard helps them
organize processes, improve the efficiency of processes and continually improve. With the 2015
version of ISO 9001 you can have an integrated approach with other management system
standards. Bring quality and continual improvement into the heart of the organization. Increase
involvement of the leadership team. Introduce risk and opportunity management. It’s much less
prescriptive than the 2008 version and can be used as a more agile business improvement tool. This
means that you can make it relevant to the requirements of your own organization to
gain sustainable business improvements. One of the major changes to ISO 9001 is that it brings
quality management and continual improvement into the heart of an organization. This means that
the new standard is an opportunity for organizations to align their strategic direction with their
quality management system. The starting point of the new version of ISO 9001 is to identify internal
and external parties who support the QMS. This means that it can be used to help enhance and
monitor the performance of an organization. The new standard will help you become a more
consistent competitor in the marketplace. It will provide better quality management that helps you
to meet present and identify future customer needs. It increases efficiency that will save you time,
money and resources. It improves operational performance that will cut errors and improves profits.
It will motivate, engage and involve staff with more efficient internal processes. It will help you win
more high value customers, and achieve improved customer retention with better customer service.
It will broaden business opportunities by demonstrating compliance
2All ISO management system standards are subject to a regular review under the rules by which they
are written. Following a substantial user survey the committee decided that a review was
appropriate and created the following objectives to maintain its relevance in today’s marketplace:
Integrate with other management systems
Provide an integrated approach to organizational management
Provide a consistent foundation for the next 10 years
Reflect the increasingly complex environments in which organizations’ operate
Ensure the new standard reflects the needs of all potential user groups
Enhance an organization’s ability to satisfy its customers
1. Structure and terminology
The most significant change we will see in ISO 9001:2015 is the new structure. ISO 9001:2015 is
based on Annex SL – the new high level structure. This is a common framework for all
ISO management systems. This helps to keep consistency, align different management system
standards, offer matching sub-clauses against the top level structure and apply common language
across all standards. It will be
easier for organizations to incorporate their QMS into core business processes and get more
involvement from senior management. The Plan-Do-Check-Act (PDCA) cycle can be applied to all
processes and to the quality management system as a whole. The reason for the change is to adopt
the common approach outlined in Annex SL, the new document that all ISO management system
standards, including ISO 9001, ISO 14001 and the recently released ISO 27001, must follow.
Currently, ISO 9001 contains 8 sections, of which four attempt to approximate “Plan, Do, Check, And
Act.” The new structure, based on Annex SL, has 10 sections four of which also approximate to “plan,
do, check, and act.” All new management system standards will have this common structure.
This section describes the scope of the management system standard and will be unique to the
individual standard. Clause 1 details the scope of the standard and there has been very little
change to this clause from ISO 9001:2008.
2. Normative References
This section references other relevant standards, which are indispensable for the application of
the document and will also be unique. ISO 9000, Quality Management System – Fundamental
and vocabulary is referenced and provides valuable guidance.
3. Terms and Definitions
Section three contains definitions, and while some of these are common terms related to Annex
SL, other definitions will be unique to the management system standard. All the terms and
definitions are contained in ISO 9000:2015 – Quality Management – Fundamentals and
4. Context of the Organization
This part is about understanding the organization’s purpose, the management system and who
the stakeholders are. It describes how to set up the management system and is similar in some
respects to the old section 4 except that it explicitly requires a broader understanding of the
situation and needs of the business. This is a new clause that establishes the context of the QMS
and how the business strategy supports this. The ‘context of the organization’ is the clause that
underpins the rest of the new standard. It gives an organization the opportunity to identify and
4 understand the factors and parties in their environment that support the quality management
system. Firstly, the organization will need to determine external and internal issues that are
relevant to its purpose, i.e. what are the relevant issues, both inside and out, that have an impact
on what the organization does, or that would affect its ability to achieve the intended outcome(s)
of its management system. It should be noted that the term “issue” covers not only
problems which would have been the subject of preventive action in previous standards, but also
important topics for the management system to address, such as any market assurance and
governance goals that the organization might set. Secondly an organization will also need to
identify the “interested parties” that are relevant to their QMS. These groups could
include shareholders, employees, customers, suppliers, and even pressure groups and regulatory
bodies. Each organization will identify their own unique set of “interested parties” and over time
these may change in line with the strategic direction of the organization. Next the scope of the
QMS must be determined. This could include the whole of the organization or specific identified
functions. Any outsourced functions or processes will also need to be considered in the
organization’s scope if they are relevant to the QMS. The final requirement of Clause 4 is to
establish, implement, maintain and continually improve the QMS in accordance with
the requirements of the standard. This requires the adoption of a process approach and although
every organization will be different, documented information such as process diagrams or
written procedures could be used to support this
4.1 Understanding the organization and its context.
A new requirement; one of several that might suggest a greater union between the QMS and
wider business planning activities. Requires organizations to ascertain, monitor and review both
internal and external issues that are relevant to its purpose and strategic direction, and have the
ability to impact the QMS and its intended results.
4.2 Understanding the needs and expectations of interested parties.
A broadening of scope beyond just customers. Requires the organization to determine “the
relevant requirements” of “relevant interested parties” e.g. a person or organization that can
affect, be affected by, or perceive themselves to be affected by a decision or activity.
4.3 Determining the scope of the QMS.
The scope statement must state the products and services covered.
4.4 The QMS and its processes.
A major change that specifies a number of factors to be considered when planning the processes
that make up the QMS. Although a process-planning approach has been previously expressed in
earlier standards, this greatly reinforces the requirement.
This section provides requirements for commitment, policy and responsibilities. This section is
similar to the old section 5 on Management but the emphasis is perhaps more on leadership than
just management. This clause places requirements on “top management” which is the person or
group of people who directs and controls the organization at the highest level. It is no longer the
responsibility of an individual or to have a “Management Representative” who is responsible for
the QMS. There is an increased emphasis on people “owning” the QMS rather than one individual.
The purpose of these requirements is to demonstrate leadership and commitment by leading
from the top. Top management now have greater involvement in the management system and
must ensure that the requirements of it are integrated into the organization’s processes and that
the policy and objectives are compatible with the strategic direction of the organization.
The quality policy should be a living document, at the heart of the organization. To ensure this,
top management are accountable and have a responsibility to ensure the QMS is made available,
communicated, maintained and understood by all parties. There is also a greater focus on top
management to enhance customer satisfaction by identifying and addressing risks
and opportunities that could affect this. Top management need to demonstrate consistent
customer focus by showing how they meet customer requirements, regulatory and statutory
requirements, and also how the organization maintains enhanced customer satisfaction. In the
same context, they need to have a grasp of the organization’s internal strengths and weaknesses
and how these could have an impact to deliver products or services. This will strengthen
the concept of business process management. In addition, top management need to demonstrate
an understanding of the key risks associated with each process and the approach taken to
manage, reduce or transfer the risk. Finally, the clause places requirements on top management
to assign QMS relevant responsibilities and authorities, but must
remain accountable for the effectiveness of the QMS.
5.1 Leadership and commitment.
Greater emphasis is placed on the role of top management. Requires top management to
“demonstrate leadership and commitment”, and suggests that a more hands-on approach is
Policy requirements are enhanced. A requirement is introduced that the quality policy is
appropriate to the context of the organization, and that it is applied throughout the organization.
5.3 Organizational roles, responsibilities and authorities.
The requirement for a Management representative is no longer specified. The duties previously
assigned to that role may now be assigned to any role or split across several roles.
Planning is now a section on its own. Planning was always covered by the current standard in
sections 4.1, 6.1, 7.1 and 8.1 but the new structure includes risk (which is now a clear
requirement) and opportunities, the setting of goals and objectives to achieve plans, and
resources. Interestingly, risk was introduced in AS9100 (the aerospace version of ISO 9001) in a
similarly limited manner. In the latest version of AS9100, however, risk was expanded and defines
a number of specific requirements/activities for a risk process. It will be interesting to see whether
ISO will leave the requirement for risk as a general requirement as defined in Annex SL or whether
it will take AS’s lead and expand it. This planning section also requires a greater application of
goals and objectives to integrate with the management system’s planning and operation to
generally facilitate success of the organization.
Planning has always been a familiar element of ISO 9001, but now there is an increased focus on
ensuring that it is considered with Clause 4.1 ‘context of the organization’ and Clause 4.2
‘interested parties’. The first part of this clause concerns risk assessment whilst the second part is
concerned with risk treatment. When determining actions to identify risks and opportunities
these need to be proportionate to the potential impact they may have on the conformity of
products and services. Opportunities could for example include new product launches,
geographical expansion, new partnerships, or new technologies. The organization will need to
plan actions to address both risks and opportunities, how to integrate and implement the actions
into its management system processes and evaluate the effectiveness of these actions. Actions
must be monitored, managed and communicated across the organization. Another key element of
this clause is the need to establish measurable quality objectives. This clause retains some of
the requirements contained in Clause 5.4 of the 2008 version but is more specific. Quality
objectives now need to be consistent with the quality policy, relevant to the conformity of
products and services as well as enhancing customer satisfaction. The last part of the clause
considers planning of changes which must be done in a planned and systemic manner. There is a
need to identify the potential consequences of changes, determine who is involved, when
changes are to take place, what resource needs to be allocated.
7 6.1 Actions to address risks and opportunities.
A major change introduced to require a risk-based approach. In addition to this clause, reference
to the terms ‘risk’ and ‘opportunity’ are made throughout the standard.
6.2 Quality objectives and planning to achieve them.
Requirements for objective planning are tightened up. An objective should include a description
of who is responsible, what is the target, when is it planned to be achieved. Progress must be
monitored. Also, requires objectives to be set for relevant processes.
6.3 Planning of changes.
The clause lists items to be considered in change management.
The support section includes most of the expected support processes that exist in an organization
and which are covered in the current ISO standard. Clause 7 ensures there are the right resources,
people and infrastructure to meet the organizational goals. It requires an organization to
determine and provide the necessary resources to establish, implement, maintain and continually
improve the QMS. Simply expressed, this is a very powerful requirement covering all QMS
resource needs and now covers both internal and external resources. Clause 7.1 builds on Clauses
6.1, 6.2, 6.3 and 7.6 from 2008 and splits into 5 sub-clauses. There are additional requirements to
meet applicable statutory and regulatory requirements. The sub-clauses continues to cover
requirements for infrastructure and environment for the operation of processes. Monitoring and
measuring has been changed to include resources, such as personnel or training. Organizational
knowledge is a new requirement which deals with requirements for competence, awareness, and
communication of the QMS. Personnel must not only be aware of the quality policy, but they
must also understand how they contribute to it and what the implications of not conforming
are. There is a key requirement to maintain the knowledge held by an organization to ensure
conformity of products and services. This could include the knowledge held by an individual as
well as for example, the intellectual property of an organization. Organizations are required to
examine whether the current knowledge they have is sufficient when planning changes and
whether any additional knowledge is required. Finally there are the requirements for
“documented information”. This is a new term, which replaces the references in the 2008
standard to “documents” and “records”. Organizations need to determine the level of
documented information necessary to control the QMS. This will differ between organizations due
to size and complexity. In line with the increased importance of information security
in organizations, there is also greater emphasis on controlling access to documented information
such as use of passwords. Organizations should also have systems in place to provide a back-up
should IT systems crash. Human resources is renamed as “competence”, and communication,
which will require a new approach in most organizations, is given its own section rather than a
8 mention as a management responsibility. Finally, document control has been renamed
“documented information.” It now covers both procedure/document control and records control.
There is an expansion of application from “personnel” to “persons doing work under the
Now includes external communication about the QMS.
7.5 Documented information.
New requirement to determine, make available, and maintain knowledge. No requirement for
quality manual or procedures. “Documents”, “Documentation” and “Records” are combined to
become “Documented information”.
Requirements are expanded to mention issues such as confidentiality, access, and (data) integrity.
This suggests an adoption of information security considerations in recognition of the increasing
use of electronic documents/data.
This is a relatively short section, which essentially says “Do a good job” at whatever your
management system is trying for. This clause deals with the execution of the plans and processes
that enable the organization to meet customer requirements and design products and services. It
includes much of what was previously referred to in Clause 7 of the 2008 version, but there is
greater emphasis on the control of processes especially planned changes and review of
the consequences of unintended changes, and mitigating any adverse effects as necessary. The
revised version of the standard acknowledges the trend towards greater use of subcontractors and
outsourcing. This is demonstrated by the requirement to establish criteria for monitoring the
performance of these parties in addition to keeping records used to establish selection criteria. The
Clauses continue to cover ‘Requirements for products and services’ which remains largely
unchanged from the 2008 version. However, it now requires communication with regards to
contingency actions where required and also the treatment of customer property. A
new requirement for communicating with ‘potential’ customers is also included, useful for bringing
new offerings or solutions to the market. There are more explicit requirements in terms of the
standards or codes of practice that the organization has committed to implement; internal and
external resource needs for the design and development of products and services and finally the
potential consequences of failure due to the nature of products and services. There is also a new
clause which covers post-delivery activities. This could include activities such as maintenance
9 programmes or work carried out under warranty, and activities covering final disposal or recycling
of the product.
When determining the extent of these activities organizations must consider the risks associated
with a product or service, customer requirements, customer feedback, and any
statutory requirements. In a welcome change of terminology, the rather clumsy ‘Product
realization’ becomes ‘Operations’
8.1 Operational planning and control.
8.2 Requirements for products and services.
8.3 Design and development of products and services.
This may be interpreted that more organizations do some form of design and development.
8.4 Control of externally provided processes, products and services.
An expansion of scope – from just suppliers to also include other external providers of products
and services. Purchasing” and “Purchased product” become “Externally provided products and
8.5 Production and service provision.
An expansion on previous requirements e.g. documented information to specify intended results,
and to determine the nature and extent of any post-delivery (after-sales) activities.
8.6 Release of products and services.
8.7 Control of nonconforming outputs.
9. Performance Evaluation
The section on evaluation includes monitoring, measurement and analysis, internal audits and
management review. All familiar topics with some subtle changes. Performance evaluation covers
many of the areas previously featured in Clause 8 of the 2008 version. Requirements for monitoring,
measurement, analysis and evaluation are covered and you will need to consider what needs to be
measured, methods employed, when data should be analysed and reported on and at
what intervals. Documented information that provides evidence of this must be retained. There is
now an emphasis on directly seeking out information that relates to how customers view the
organization. Organizations must actively seek out information on customer perception. This can
be achieved in a number of ways including satisfaction surveys, analysis of market share, and
through complaints logged. There is now an explicit requirement that organizations must show how
the analysis and evaluation of this data is used, especially with regards to the need for
improvements to the QMS. Internal audits must also be conducted and this is largely unchanged
from those in the 2008 version.
10 There are additional requirements relating to defining the ‘audit criteria’ and ensuring the results
of the audits are reported to ‘relevant’ management’. Management reviews are still required but
there are additional requirements including the consideration of changes in external and internal
issues that are relevant to the QMS.
Documented information must be retained as evidence of management reviews.
9.1 Monitoring, measurement, analysis and evaluation.
There is a new requirement to obtain information relating to customer views and opinions of the
9.2 Internal audit.
Audit schedule must take customer feedback into account.
9.3 Management review.
Expanded requirements for management review inputs or agenda.
Improvement covers nonconformity and corrective action, as well as continual improvement, all
of which are outlined in section 8 of the current standard. There is no preventive action section
any more as effectively it is replaced by “risk” under planning – improvement is now defined as a
proactive planning activity. This clause starts with a new section that organizations
should determine and identify opportunities for improvement such as improved processes to
enhance customer satisfaction. There is also a need to actively look for opportunities to improve
processes, products and services, and the QMS, especially with future customer requirements in
mind. Due to the new way of handling preventive actions, there are no preventive action
requirements in this clause. However, there are some new corrective action requirements. The
first is to react to the nonconformities and take action, as applicable, to control and
correct the nonconformities and deal with the consequences. The
second is to determine whether similar nonconformities exists or
could potentially occur. The requirement for continual improvement has been extended to cover
the suitability and adequacy of the QMS as well as its effectiveness, but it no longer specifies how
an organization achieves this.
10.2 Nonconformity and corrective action.
Specific reference to preventive action is removed.
Now includes an additional requirement to record the nature of nonconformities.
On discovering a nonconformity, an explicit requirement is introduced for organizations to
determine whether other similar nonconformities actually exist, or could potentially exist.
10.3 Continual improvement.
11B. Comparison between ISO 9001:2015 and ISO 9001:2008 & Interpretations
ISO 9001:2015 ISO 9001:2008
4 Context of the organization 1.0 Scope
4.1 Understanding the
organization and its context
4.2 Understanding the needs and
expectations of interested parties
4.3 Determining the scope of the
quality management system
4.2.2 Quality manual
4.4 Quality management system
and its processes
4 Quality management system
4.1 General requirements
5 Leadership 5 Management responsibility
5.1 Leadership and commitment 5.1 Management commitment
5.1.1 General 5.1 Management commitment
5.1.2 Customer focus 5.2 Customer focus
5.2.1 Developing the quality
5.2.2 Communicating the quality
5.3 Quality policy
5.3 Organizational roles,
responsibilities and authorities
5.5.1 Responsibility and authority
6 Planning 5.4.2 Quality management
6.1 Actions to address risks and
5.4.2 Quality management
8.5.3 Preventive action
6.2 Quality objectives and
planning to achieve them
5.4.1 Quality objectives
6.3 Planning of changes 5.4.2 Quality management
7 Support 6 Resource management
7.1 Resources 6 Resource management
7.1.1 General 6.1 Provision of resources
7.1.2 People 6.1 Provision of resources
7.1.3 Infrastructure 6.3 Infrastructure
7.1.4 Environment for the
operation of processes
6.4 Work environment
7.1.5 Monitoring and measuring
7.6 Control of monitoring and
7.1.6 Organizational knowledge New
12 7.2 Competence 6.2.1 General
6.2.2 Competence, training and
7.3 Awareness 6.2.2 Competence, training and
7.4 Communication 5.5.3 Internal communication
7.5 Documented information 4.2 Documentation requirements
7.5.1 General 4.2.1 General
7.5.2 Creating and updating 4.2.3 Control of documents
4.2.4 Control of records
7.5.3 Control of documented
4.2.3 Control of documents
4.2.4 Control of records
8 Operation 7 Product realization
8.1 Operational planning and
7.1 Planning of product
8.2 Requirements for products
7.2 Customer-related processes
8.2.1 Customer communication 7.2.3 Customer communication
8.2.2 Determination of
requirements related to products
7.2.1 Determination of
requirements related to the
8.2.3 Review of requirements
related to the products and
7.2.2 Review of requirements
related to the product
8.2.4 Changes to requirements
for product and services
8.3 Design and development of
products and services
7.3 Design and development
8.3.1 General New
8.3.2 Design and development
7.3.1 Design and development
8.3.3 Design and development
7.3.2 Design and development
8.3.4 Design and development
7.3.4 Design and development
7.3.5 Design and development
7.3.6 Design and development
8.3.5 Design and development
7.3.3 Design and development
8.3.6 Design and development
7.3.7 Control of design and
8.4 Control of externally provided
7.4.1 Purchasing process and
13 8.4.1 General 7.4.1 Purchasing process
8.4.2 Type and extent of control 7.4.1 Purchasing process
7.4.3 Verification of purchased
8.4.3 Information for external
7.4.2 Purchasing information
8.5 Production and service
7.5 Production and service
8.5.1 Control of production and
7.5.1 Control of production and
8.5.2 Identification and
7.5.3 Identification and
8.5.3 Property belonging to
customers or external providers
7.5.4 Customer property
8.5.4 Preservation 7.5.5 Preservation of product
8.5.5 Post-delivery activities 7.5.1 Control of production and
8.5.6 Control of changes 7.3.7 Control of design and
8.6 Release of products and
8.2.4 Monitoring and
measurement of processes
7.4.3 Verification of purchased
8.7 Control of nonconforming
8.3 Control of nonconforming
9 Performance evaluation New
9.1 Monitoring, measurement,
analysis and evaluation
8 Measurement, analysis and
9.1.1 General 8.1 General
9.1.2 Customer satisfaction 8.2.1 Customer satisfaction
9.1.3 Analysis and evaluation 8.4 Analysis of data
9.2 Internal audit 8.2.2 Internal audit
9.3 Management review 5.6 Management review
9.3.1 General 5.6.1 General
9.3.2 Management review inputs 5.6.2 Review inputs
9.3.3 Management review
5.6.3 Review outputs
10 Improvement 8.5 Improvement
10.1 General 8.5.1 Continual improvement
10.2 Nonconformity and
8.3 Control of nonconforming
8.5.2 Corrective action
10.3 Continual Improvement 8.5.1 Continual improvement
14The structure is based on the mandate that Annex SL from the ISO Directives be applied to
management system standards. The clause structure and some of the terminology in ISO 9001:2015 is
different than ISO 9001:2008 to improve alignment with other management system standards. The
structure is to provide a presentation of requirements. It is not a model for document for documenting
the organization’s policies, objectives and processes. There is no requirement for the structure of an
organization’s quality management system documentation to mirror that of this International
Major differences in terminology between ISO 9001:2008 and ISO 9001:2015
ISO 9001:2008 ISO 9001:2015
Products Products and services
Work Environment Environment for the operation of
Purchased Product Externally provided products and services
Supplier External provider
2. Products and services
ISO 9001:2008 used product to include all output categories such as products, services, processed
materials, and hardware. In ISO 9001:2015 the term product have been replaced by term product and
services and includes all output categories such as hardware, services, software and processed
materials. The term services is to highlight the difference between products and services in the
application of some requirements. In most cases, the terms are used together. In some cases, the word
product is only used to specify a certain requirement.
3. Context of the organization
An organization’s context involves its “operating environment.” The context must be determined both
within the organization and external to the organization. To establish the context means to define the
external and internal factors that the organizations must consider when they manage risks. An
organization’s external context includes its outside stakeholders, its local operating environment, as
well as any external factors that influence the selection of its objectives (goals and targets) or its ability
to meet its goals. An organization’s internal context includes its internal stakeholders, its approach to
governance, its contractual relationships with its customers, and its capabilities and culture.
The internal context may include, but is not limited to:
15 Product and service offerings
Governance, organizational structure, roles, and accountability.
Policies and goals, and the strategies that are in place to achieve them.
Assets like facilities, property, equipment and technology
Capabilities, understood in terms of resources and knowledge like capital, time, people, processes,
systems, and technologies.
Information systems, information flows, and decision-making processes (both formal and informal).
Relationships of the staff/volunteers/members and the perceptions and values of their internal
stakeholders including suppliers and partners.
Standards, guidelines, and models adopted by the organization and
Form and extent of the organization’s contractual relationships.
The external context’s micro-environment consists of the organization’s immediate operations and
how they affect its performance and decision-making. Some of the micro-environmental context
Customers – Organizations must attract and retain customers by offering products services that
meet their needs along with providing excellent customer service
Employees/Members/Volunteers – There must be availability of people with the motivation to
remain as contributing members of the organization and develop the skills necessary to provide a
Suppliers – Suppliers provide organizations with the resources they need to carry out their
activities. If a supplier provides bad service, this affects the way the organization operates. Close
supplier relationships are an effective way to remain competitive and secure the resources needed
Investors – All organizations require investment to grow. They may borrow the money from a bank
or have people invest in their work. Relationships with investors need to be managed carefully as
problems can detrimentally affect the long term success of the organization
Media – Positive media attention can bring success to the organization by maintaining its
reputational strength. Managing the media (including the presence in social media) is a challenge.
Competitors – Members of the organization need to have a sense of belonging. Can the
organization offer benefits that are better than those offered by the competitors? Is there a strong
value proposition? Competitor analysis and monitoring is crucial if an organization is to maintain or
improve its position in the competitive landscape of the community. The organization must always
be aware of its competitor’s activities. The landscape can change quickly.
There are two new clauses relating to the context of the organization, 4.1 Understanding the
organization and its context and 4.2 Understanding the needs and expectations of interested parties.
16Together these clauses require the organization to determine the issues and requirements that can
impact on the planning of the quality management system. Interested parties cannot go beyond the
scope of ISO 9001.There is no requirement to go beyond interested parties that are relevant to the
quality management system. Consider impact on the organization’s ability to consistently provide
products and services that meet customer and applicable statutory and regulatory requirements or
the organization’s aim to enhance customer satisfaction. Organizations can go beyond the minimum
requirements to determine additional needs and expectations for interested parties that would not be
“relevant” at the discretion of organization and should be clear in quality management system.
Clause 4.1 Understanding the Organization and its context
The organization should determine external and internal issues for the organization relevant to its
purpose, strategic planning and which affect the organization’s ability to achieve its objectives. The
Organization should monitor and review the information about external and internal issues.
Management Review required the monitoring of external and internal issues. The organization must
consider issues related to values, culture knowledge and performance of the organization for
understanding of internal issues. The organization must consider issues related to arising from legal,
technological, competitive, market, cultural, social, and economic environments, whether
international, national, regional or local for understanding of external context.
Clause 4.2 Understanding the needs and expectations of interested parties
The organization shall determine relevant interested parties and requirements of relevant interested
parties. Interested parties include Customers, Partners, Persons in the organization, External providers.
Relevant interested parties to be considered are those that potentially could impact the organization’s
ability to provide products and services that meet requirements. Monitor and review information
related to interested parties and relevant requirements. Management Review requires the monitoring
of relevant interested parties.
Clause 4.3 determining the scope of the quality management system
The organization must establish scope of the quality management system by determining the
boundaries and applicability of the quality management system. While determining the scope the
organization must consider the internal and external issues determined in 4.1, the requirements of
relevant interested parties in 4.2. And the products and services of the organization.
Requirements that can be applied by the organization shall be applied. Requirements that cannot be
applied cannot affect the organization’s ability to provide product and services that meet
requirements. The organization must maintain scope as documented information. Stating the Products
and services covered by the QMS and any Justification where a requirement cannot be applied.
17Any interested party which is not relevant to the quality management system need not be considered
and similarly any requirement of the interested party need not be considered. Determining what is
relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability
to consistently provide products and services that meet customer and applicable statutory and
regulatory requirements or the organization’s aim to enhance customer satisfaction. The organization
can decide to determine additional needs and expectations that will meet its quality objectives.
However, it is at the organization’s discretion whether or not to accept additional requirements to
satisfy interested parties beyond what is required by this Standard.
4. Risk-based approach
The main objectives of ISO 9001 is to provide confidence in the organization’s ability to consistently
provide customers with conforming goods and services and to enhance customer satisfaction. The
concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives.
This International Standard makes risk-based thinking more explicit and incorporates it in
requirements for the establishment, implementation, maintenance and continual improvement of the
quality management system. Organizations can implement a formal risk management program such
as 31000, but there is no requirement to do so. The concept of risk has always been implicit in ISO
9001, this revision makes it more explicit and builds it into the whole management system. Risk-based
thinking is already part of the process approach. Risk-based thinking makes preventive action part of
the routine. Risk-based thinking can also help to identify opportunities. Organizations are required to
understand the context of the organization and any external and internal issues (clause 4.1).Risks and
opportunities are determined in clause 6.1.One of the key purposes of a quality management system
is to act as a preventive tool.
ISO 9001:2015 does not have a separate clause titled preventive action. The concept of preventive
action is controlled through risk-based thinking and managing risks and opportunities identified in
Clause 6.1 Actions to address risks and opportunities
Consider the issues determined in clause 4.1 and consider the requirements for relevant interested.
The organization should determine risks and opportunities to assure that that the quality
management system can achieve its objective, prevent or reduce undesired effects, and for continual
improvement. Intended results cannot be achieved. Organization shall plan actions to address risks
and opportunities which should be appropriate to the potential impact. The action of risk and
opportunities must be integrated and implemented into the QMS processes. The effectiveness of
these action must be evaluated.
NOTE: No formal risk management program is required.
The revised standard will focus on application and not exclusions. There are no limits to which
clauses where application can be determined. Justification will be required as documented
information to ensure that limited application does not affect the organization’s ability to provide for
the provision of product and services. The application of requirements may vary. Where a
requirement can be applied within the scope of its quality management system, the organization
cannot decide that it is not applicable. Where a requirement cannot be applied (for example where
the relevant process is not carried out) the organization can determine that the requirement is not
applicable. However, this non-applicability cannot be allowed to result in failure to achieve
conformity of products and services or to meet the organization’s aim to enhance customer
satisfaction. A manufacturing organization that does not have any monitoring and measuring
resources could determine requirements in 7.1.5 do not apply. Organizations that build from a
customer provided design could determine requirements for design in 8.3 do not apply.
Organizations could not determine that requirements such as competence are not applicable since
this directly affects the ability to provide product that meets requirements.
6 Documented information
The term “documented procedure” and “record” have both been replaced by “documented
information”. Where ISO 9001:2008 would have referred to documented procedures (e.g. to define,
control or support a process) this is now expressed as a requirement to maintain documented
information. Where ISO 9001:2008 would have referred to records this is now expressed as a
requirement to retain documented information. The current draft of ISO 9001 does not require a
quality manual or documented procedure as Annex SL does not require documented procedures or a
quality manual. The requirements in 7.5 are similar to ISO 9001:2008 – 4.2.3 Control of documents and
4.2.4 Control of Records.
As discussed earlier, documents and records now come under documented information.
The requirements for documented information are spread throughout the standard. In summary
4.3 Scope of the QMS
4.2 Support operation of its processes and needed for confidence.
5.2.2 a) Quality policy
6.2.1 Quality objectives
184.108.40.206 Monitoring and measuring resource – ﬁtness for purpose
220.127.116.11 Basis used for calibration or veriﬁcation
7.2 d) Evidence of competence
19 7.5.1 b) Documented information determined by the organization as being necessary for the
effectiveness of the QMS
8.1 e) Extend necessary (for confidence in processes and product/service conformity)
18.104.22.168 Review of requirements related to products and services
8.2.4 Amended documented information
8.3.2 Design and development requirements met
8.3.3 Design and development inputs
8.3.4 Design and development control activities
8.3.5 Design and development outputs
8.3.6 Design and development changes/results of reviews etc.
8.4.1 Results of evaluations, monitoring, re-evaluations of external providers
8.5.1 a) Characteristics of the products/services, activities to be performed , and result achieved.
8.5.2 Maintain traceability
8.5.3 Reports on what has occurred
8.5.6 Control of changes – results of reviews, personnel authorizing, necessary actions
8.6 Release of products and services – traceability of person(s) authorizing release, evidence of
8.7.2 Describes nonconformity, actions taken, concessions, authority
9.1.1 Evidence of the monitoring and measurement results
9.2 f) Evidence of the audit programme (s) and the audit results
9.3.3 Evidence of the results of management reviews
10.2.2 Evidence of the results of any corrective action and the, nature of the nonconformity.
7. Organizational knowledge
The organization shall determine the knowledge necessary for the operation of the QMS, ensure
conformity of products and services, and enhance customer satisfaction. The organization is
responsible for maintaining, protecting and making sure the knowledge is available (as
necessary). Knowledge is to be considered when making changes to the organization. Depending on
the size and complexity of the organization, the risks and opportunities it needs to address, the need
for accessibility of knowledge, the process for considering and controlling past, existing and additional
knowledge needs is to be considered. As long as the conformity of products and services can be
achieved, balance between knowledge held by competent people and knowledge made available by
other means is at the discretion of the organization. Consideration can be given to whether competent
employees have this knowledge
8. Control of externally provided products and services
20The term “Supplier” and “Outsourcing” have been replaced by the term “external provider” and
includes Purchasing from suppliers, Arrangement with an associate/sister company, Outsourcing of
processes and functions. The term “Purchased products” has been replaced with the term “externally
provided products and services”. Clause 8.4 Control of externally provided products and services
addresses all forms of external provision, whether it is by purchasing from a supplier, through an
arrangement with an associate company, through the outsourcing of processes and functions of the
organization or by any other means. The organization is required to take a risk-based approach to
determine the type and extent of controls appropriate to particular external providers and externally
provided products and services.
C. Seven principles of Quality management
This fifth edition (ISO 9001:2015) cancels and replaces the fourth edition ( ISO 9001:2008). This
document was being prepared by Technical committee of ISO “ISO/TC 176/SC 2-Quality Management
and Quality Assurance/ Quality Systems” also known as ISO/TC 176 in short. The process of preparing
the ISO 9001:2015 went through a six stage process. Organizations have been granted a three-year
transition period after the revision has been published to migrate their quality management system to
the new edition of the standard.
The key changes in the standards are
1. There is no quality manual.
2. It emphasis on organization context and risk based thinking,
3. There is no requirement of management representative
4. The standard does not include a specific clause for “Preventive Actions”.
5. The terms “document” and “records” have been replaced with the term “documented
information”. Documented procedure in iso 9001:2008 have been replaced by maintained
documented information and Documented record in iso 9001:2008 have been replaced by
retained documented information.
6. In 2008 version of the standard the term “product” was used. This term also included services.
This term has been changed to Product and Services
7. In addition to the term “continual improvement” another term “improvement” have been
8. Outsourcing is now an external provision.The term “purchased product” has been replaced with
“externally provided products and services”.The term “supplier” has been replaced with “External
provider”.Control of external provision of goods and services address all forms of external
219. The new standard does not make any reference to the exclusions which was for only for clause 7
in ISO 9001:2008, but in ISO 9001:2015 after proper justification any of the requirement of this
international standards may not be included in the scope, provided it does not affect the
organization’s ability or responsibility to ensure the conformity of its product and services and the
enhancement of customer satisfaction
10. The term “work environment” used in ISO 9001:2008 has been replaced with “Environment for
the operation of processes”.
The ISO 9000:2015 and ISO 9001:2015 standard is based on the following seven principles of QMS.
1 – Customer Focus
The primary focus of quality management is to meet customer requirements and to strive to exceed
Sustained success is achieved when an organization attracts and retains the confidence of customers
and other interested parties on whom it depends. Every aspect of customer interaction provides an
opportunity to create more value for the customer. Understanding current and future needs of
customers and other interested parties contributes to sustained success of an organization
This is the first of the seven principles of Quality management and there is no change in the heading
of this principle. The Eight principle definition stated “Organizations depend on their customers and
therefore should understand current and future customer needs, should meet customer requirements
and strive to exceed customer expectations.” The Seven principle definition states “The primary focus
of quality management is to meet customer requirements and to strive to exceed customer
expectations. “. Customer focused means putting your energy into satisfying customers and
understanding that profitability comes from satisfying customers.
There should be researching, establishing and understanding current and future customer needs and
expectations. The organization should ensure that the objectives of the organization are linked to
customer needs and expectations. The top Management should communicate customer needs and
expectations throughout the organization. There should be measuring customer satisfaction and acting
on the results.
The organization should ensure a balanced approach between satisfying customers and other
2 – Leadership
Leaders at all levels establish unity of purpose and direction and create conditions in which people
are engaged in achieving the quality objectives of the organization.
Creation of unity of purpose, direction and engagement enable an organization to align its strategies,
policies, processes and resources to achieve its objectives.
This is the second of the Seven principles of Quality management and there is no change in the heading
of this principle. The Eight principle definition stated “Leaders establish unity of purpose and direction
of the organization. They should create and maintain the internal environment in which people can
become fully involved in achieving the organization’s objectives.” The Seven principle definition states
“Leaders at all levels establish unity of purpose and direction and create conditions in which people are
engaged in achieving the quality objectives of the organization. “Leadership is providing role model
behaviors consistent with the values of the organization. Behavior that will deliver the organizations
objectives. Internal environment includes the culture and climate, management style, shared, trust,
motivation and support. The leadership should consider the needs of all interested parties including
customers, owners, employees, suppliers, financier, local communities and society as whole. The
leadership should establish a clear vision of the organization’s future. The leadership should set a
challenging goals and targets. The leadership should create and sustain a shared values, fairness and
ethical role models at all levels of the organization. The leadership should Establish trust and eliminate
23fear. The leadership should provide people with the required resources training and freedom to act
with responsibility and accountability. The leadership should Inspire, encourage and recognize people
3 – Engagement of People
It is essential for the organization that all people are competent, empowered and engaged in
delivering value. Competent, empowered and engaged people throughout the organization
enhance its capability to create value.
To manage an organization effectively and efficiently, it is important to involve all people at all levels
and to respect them as individuals. Recognition, empowerment and enhancement of skills and
knowledge facilitate the engagement of people in achieving the objectives of the organization.
This is the third of the seven principles of Quality management and the term “Involvement of
People” has been change to “Engagement of People“. The Eight principle definition stated “People at
all levels are the essence of an organization and their full involvement enables their abilities to be
used for the organization’s benefit.” The Seven principle definition states “It is essential for the
organization that all people are competent, empowered and engaged in delivering value. Competent,
empowered and engaged people throughout the organization enhance its capability to create
value.” Engaging people means employees are committed to their organization’s goals and values,
motivated to contribute to organizational success, and are able at the same time to enhance their own
sense of well-being. An engaged employee experiences a blend of job satisfaction, organizational
commitment, job involvement and feelings of empowerment. When we talk of engagement of people
it means that all the employees are competent, empowered and they are delivering value. An engaged
employee will have a better perception of job importance. An engaged employee will have better
clarity of job expectation. There will be more improvement opportunities. There will be regular
feedback and dialog with supervisors. The Quality of working relationships of an engaged employee
with peers, superiors, and subordinates is much improved. There is effective employee
4 – Process Approach
Consistent and predictable results are achieved more effectively and efficiently when activities are
understood and managed as interrelated processes that function as a coherent system.
The quality management system is composed of interrelated processes. Understanding how results
are produced by this system, including all its processes, resources, controls and interactions, allows
the organization to optimize its performance.
This is the fourth of the seven principles of Quality management and there is no change in the heading
of this principle. The Eight principle definition stated “A desired result is achieved more efficiently when
activities and related resources are managed as a process.” The Seven principle definition states
“Consistent and predictable results are achieved more effectively and efficiently when activities are
understood and managed as interrelated processes that function as a coherent system.” Processes are
dynamic-they cause things to happen. Processes within an organization should be structured in order
to achieve a certain objective in the most efficient and effective manner.
It helps us in systematically defining the activities necessary to achieve/obtain desired results.
It helps us in establishing clear responsibility and accountability for managing key activities.
It helps us in analyzing and measuring of the capabilities of key activities.
It helps us in identifying the interfaces of key activities within and between the functions of the
It helps us in evaluating risks, consequences and impacts of activities on customers, suppliers
and other interested parties.
Quality Management System are constructed by connecting interrelated processes together to deliver
the system objectives which is the satisfaction of the interested parties.
This helps us in structuring a system to achieve the organizations objectives in the most
effective and efficient way and understanding the interdependencies between the processes
of the system.
It also helps us in providing a better understanding of the roles and responsibilities necessary
for achieving common objectives and thereby reducing cross functional barriers and targeting
and defining how specific activities within a system should operate.
5 – Improvement
Successful organizations have an ongoing focus on improvement.
Improvement is essential for an organization to maintain current levels of performance, to react to
changes in its internal and external conditions and to create new opportunities.
This is the fifth of the seven principles of Quality management and can be mapped to the sixth of the
Eight Quality principle which is “Continual Improvement”. The term “Continual Improvement” has
been change to “Improvement“. The fifth principle of the Eight Quality principle “System approach to
management” no longer exist in the seven principle of quality management. The Eight principle
definition stated “Continual improvement of the organization’s overall performance should be a
permanent objective of the organization.” The Seven principle definition states “Successful
organizations have an ongoing focus on improvement.” Improvement is the improvement in
organizational efficiency and effectiveness. The organization should employ a consistent organization-
wide approach to improvement of the organizations’ tools of improvement. The organization should
provide people with the training in the methods and tools of improvement. The organization should
make improvement of products, processes, and the system an objective for every individual in the
“The organization should establish the goals to guide and lead”
6 – Evidence-based Decision Making
Decisions based on the analysis and evaluation of data and information are more likely to produce
Decision-making can be a complex process, and it always involves some uncertainty. It often involves
multiple types and sources of inputs, as well as their interpretation, which can be subjective. It is
important to understand cause and effect relationships and potential unintended consequences. Facts,
evidence and data analysis lead to greater objectivity and confidence in decisions made.
This is the sixth of the seven principles of Quality management and can be mapped to the seventh of
the Eight Quality principle which is “Factual approach to decision making “. The term “Factual
approach to decision making “has been change to “Evidence-based Decision Making“. The fifth
principle of the Eight Quality principle “System approach to management” no longer exist in the
seven principle of quality management. The Eight principle definition stated “Effective decisions are
based on the analysis of data
and information” The Seven principle definition states “Decisions based on the analysis and
evaluation of data and information are more likely to produce desired results.” Evidence is
information that shows or proves that something exists or is true.
Evidence can be collected by performing observations, measurements, tests, or by using any other
suitable method. Any decision making should away be based on evidences. The organization should
26ensuring that data/information is sufficiently accurate and reliable. The organization should make data
accessible to those who need them. The organization should analyze data using appropriate tools. The
organization should make decision and take actions based on analysis of data, balanced with
experience and intuition.
7 – Relationship Management
For sustained success, organizations manage their relationships with interested parties, such as
Interested parties influence the performance of an organization. Sustained success is more likely to be
achieved when an organization manages relationships with its interested parties to optimize their
impact on its performance. Relationship management with its supplier and partner network is often
of particular importance.
This is the seventh of the seven principles of Quality management and can be mapped to the eighth of
the Eight Quality principle which is “Mutually beneficial supplier relationships “. The term “Mutually
beneficial supplier relationships “has been change to “Relationship Management“. The fifth principle
of the eight Quality principle “System approach to management” no longer exist in the seven principle
of quality management.
The Eight principle definition stated “An organization and its suppliers are interdependent and a
mutually beneficial relationship enhances the ability of both to create value“ The Seven principle
definition states “For sustained success, organizations manage their relationships with interested
parties, such as suppliers. “An interested party is a person or group that has a stake in the success or
performance of an organization. Interested parties may be directly affected by the organization or
actively concerned about its performance. Interested parties can come from inside or outside of the
organization. Examples of interested parties include customers, suppliers, owners, partners,
employees, unions, bankers, or members of the general public. Interested parties are also referred to
as stakeholders. Relation management with interested parties meaning sharing knowledge, vision,
values, understanding and suppliers are not treated as adversaries. The organization establishes a
relationships that balance short-term gains with long term considerations. There is pooling of expertise
and resources with partners. The Organization identifying and selecting key suppliers. There is clear
and open communication with the stake holders. There is sharing of information and future plans. The
organization establishes a joint development and improvement activities. The organization inspiring,
encourages and recognize improvements and achievement by suppliers.
All organizations use processes to achieve their objectives. As per ISO definition
set of interrelated or interacting activities that use inputs to deliver an intended result
NOTE: Inputs and outputs may be tangible (e.g. materials, components or equipment) or intangible
(e.g. data, information or knowledge).”
The process approach is the foundation upon which your QMS must be developed. The ISO 9001
Standard promotes the adoption of a process approach when developing, implementing and
improving the effectiveness of a quality management system, to enhance customer satisfaction by
meeting customer requirements. ISO 9001:2008 promoted the adoption of a process approach when
developing, implementing and improving the effectiveness of a quality management system. ISO
900:2015 makes this more explicit (in 4.4) by expanding the requirements around QMS Processes –
specifying requirements considered essential to the adoption of a process approach. For example,
determining the inputs required and outputs expected from these processes , then after determining
the-risks and opportunities and plans to address these in 6.1 – integrate these into its QMS
processes(4.1.f – plan and implement actions), related performance indicators (4.4.1c.), assignment
of responsibilities and authorities for these processes (4.4.1 e).
For an organization to function effectively, it has to identify and manage numerous linked activities.
Any activity, using resources and managed in order to enable the transformation of inputs into
outputs, can be considered a process. Often the output from one process directly forms the input to
the next. The application of a system of processes within an organization, together with the
identification and interactions of these processes, and their management, can be referred to as the
An advantage of the process approach is the ongoing control that it provides over the linkage
between the individual processes within the system of processes, as well as over their combination
When used within a quality management system, such an approach emphasizes the importance of:
An understanding of the intended results and requirements
Consideration of processes in terms of adding Value and effective performance
Improvement of processes based on evaluation of data and information
Consistent and predictable results
Meeting requirements and customer satisfaction
Activity understanding and management of interrelated processes
The model of a process-based quality management system shown in figure illustrates the process
linkages presented in clauses 4 to 10. This illustration shows that customers’ requirements, the needs
and expectations of relevant interested parties along with the organization and its context plays a
significant role in defining requirements as inputs. The output of the process is the result of the QMS
that includes product and service the organization provides, which should result in Customer
satisfaction. The model shown in figure covers all the requirements of this Standard, but does not show
processes at a detailed level.
Understanding Process :
Let’s understand some basics about processes.
All work generally involves a process – things go in (inputs); get worked upon (conversion); and
come out differently (output). The value-adding conversion activity within a process transforms
inputs into outputs, e.g. takes raw materials (the input) and manufactures (the value-adding
conversion activity using various resources) a product (the output).
Process inputs and outputs can be tangible such as raw materials or finished product or
intangible like INFORMATION – e.g. computerized drawing or specification.
All processes have a supplier and a customer. These suppliers and customers may be internal
processes or external to your organization. Each process must have an accountable owner, i.e.,
having defined responsibility and authority to operate, control and improve their process.
All processes require the use of resources, e.g. – people, equipment, materials, technology etc.
These resources can be used as inputs (raw materials or information such as a customer
specification) as well as for the value-adding conversion activity (e.g. use of machinery, equipment,
29 computers, technology, people, etc.) to transform raw material (input) into finished product
All processes must meet customer, organizational and applicable regulatory requirements. The
performance of all processes can be monitored and measured. Gather performance data that can
be analyzed to determine process effectiveness and whether any corrective action or improvement
As an example, the below process contains a set of activities that are interrelated (showing links
from/to), interacting (showing inputs/ outputs), and the transformation of process inputs into
Schematic Representation of the elements of single process
Procedures are typically used to control deviation where risk/hazards are present. It is defined as a
specified way to carry out an activity or a process’, which may be a documented set of instructions,
or simply an established way of doing a specific task that itself forms part of a larger process. In ISO
9001:2015 this might be considered captured, in the main, by’the availability of documented
information that defines: the characteristics of the products to be produced, the services to be
provided, or the activities to be performed.
An organization’s QMS processes may be grouped or categorized in many ways. One logical way
would include the following:
31Customer Oriented Processes (COP’s):
These are product realization processes that determine customer requirements (inputs), design, make,
deliver and service product (outputs) to customers and determine customer satisfaction. These
processes generally have the greatest degree of interaction with external customers. COP’s includes
marketing and sales, design and development, production, shipping, packaging, servicing/ warranty,
customer satisfaction etc., whether performed onsite or off-site.
Support Oriented Processes (SOP’s):
These processes provide the necessary resources to COP’s to facilitate product realization. These
processes generally have the greatest degree of interaction at an operational level with COP’s and to
a lesser degree with other internal QMS processes. SOP’s includes human resources, information
technology, purchasing and receiving, laboratory, maintenance, tooling, facility management etc.,
whether performed onsite or off-site.
Management Oriented Processes (MOP’s)
These processes provide the commitment, leadership, resources, review and decision-making by top
management. These processes generally interact with all QMS processes at the QMS planning and
review level. MOP’s includes business planning, management review, quality planning, resource
planning, communication, etc., whether performed offsite or on-site.
Quality Management Processes (QMP’s):
It includes all process which are used to document, measure, analyze and improve all processes. These
processes provide quality management support to and interact with all QMS processes. QMP’s includes
document control, records control, monitoring and measurement of processes and product, internal
audits, control of nonconforming product, corrective and preventive action, continual improvement,
etc. whether performed onsite or off-site.
Outsourced Processes (OP’s):
An “outsourced process” is a process that the organization has identified as being needed for its quality
management system (QMS), but one which it has chosen to be carried out by an external party outside
the managerial control of your facility and not subject to the your QMS. These could include MOP’s,
COP’s or SOP’s. They may be performed onsite or off-site. These processes may include – strategic
planning done at head office; purchasing or design done at head office or another location; heat
treating; painting; welding, calibration; testing; sort; HR; etc., done by an outside organization.
32Implementing QMS using Process Approach
QMS is made up of a network of these value-adding processes that link, combine and interact with one
another to collectively provide product or service. These processes are inter-dependent and can be
defined by complex interactions. For example, any of the COP processes, could interact with some or
all of the MOP’s, SOP’s, QMP’s. Also note that resources (SOP’s) and QMP’s may also be applied to all
Interactions between QMS processes may occur at any of the three process stages (input, output or
conversion activity). The interaction may occur in many different ways – physical, documentary, verbal,
electronic, etc. For each process, we must identify these interactions, assess the risks of problems that
may occur and implement appropriate controls to prevent them, e.g., if orders are communicated
verbally by sales personnel to production, what is the risk that production errors will occur?
Therefore, in general, in order to plan and implement your QMS using the ‘Process Approach’, you
Identify the processes needed for the QMS.
Determine their sequence and interaction(show the sequence and interaction of your COP’s). There
are many ways to document this, e.g., a high level flowchart or a process map.
Determine the application of QMS processes throughout the organization (show how MOP’s; SOP’s
and QMP’s are applied to each COP and to each other). There are many ways of documenting this.
A popular way is through graphical representation, e.g. process maps.
Determine (plan) the criteria, methods, information, controls and resources needed for each QMS
Identify the internal/external customer-required output.
Describe the process activity that produces the output.
Identify the resources needed for the process activity.
Identify the inputs for the process – information, materials, supplies, etc.
Define the process methods, procedures, forms etc., that may be needed to produce the output.
Define the controls to prevent or eliminate risk of errors, omissions, or nonconformities in process
activity. controls may come from the IS standards; customer; regulatory and your own
Interaction with sources that provide the inputs (internal process or external supplier), uses the
output (internal process or external customer), or provide the resources (internal support process)
to perform the process activity.
Implement your QMS according to your plan.
Monitor, measure and improve each QMS process and its interaction with other processes.
Performance indicators to monitor and measure process performance may come from the IS
33 standard, customer, regulatory and your own organizational requirements.Performance indicators
may relate to the process output as well as the process activity.
Performance indicators for process output must focus on meeting customer and regulatory
requirements. Performance indicators for process activity should focus on measuring process
effectiveness and efficiency.
It is useful to point out that while we do need to identify all QMS processes and describe their
interaction, not all identified QMS processes need to be documented or documented in the detail
In addition, the methodology known as “Plan-Do-Check-Act” (PDCA) can be applied to all processes.
PDCA can be briefly described as follows.
Plan: Establish the objectives and processes necessary to deliver results in accordance with customer
requirements and the organization’s policies.
Do: Implement the processes
Check: Monitor and check processes and product against policies, objectives and requirements for
the product and report the results
Act: Take actions to continually improve process performance
PLAN-DO-CHECK-ACT (PDCA) is a very effective tool for business management and the ISO 9001
standard strongly recommends its use.
PDCA is a dynamic cycle that can be applied to each of the organization’s processes, and also to the
system of processes as a whole. It may be used to plan, implement, control and continually improve
both product realization and other QMS processes.
Maintenance and continual improvement of QMS processes can be achieved by applying PDCA to
processes at all levels within the organization right from the executive high-level strategic processes,
34as business planning or management review to operational processes such as product realization or
For each QMS process you must establish:
Process owner and his/her accountability.
Process inputs, outputs, value adding or conversion activities and sequence/interaction of these
activities (sub-processes) within the process. Many of the COP’s and SOP’s may have sub-
Process policies, responsibilities and accountability.
Process objectives and performance indicators and methods to monitor and measure process
performance to these objectives and indicators.
Resources such as facility, equipment, labor, materials, time, etc needed.
Preventive and detective controls needed for process activity, input, output and resources used.
Process documentation such as procedures, forms, work instructions, specification, etc.
The nature, method, frequency and timing of interaction with other processes and where this
interaction will occur – input, output, use of resources, conversion activity, etc.
You must pay a lot of attention to this stage of your QMS development. Planning must also
consider how you will meet customer, applicable regulatory, and your own organizational
requirements, in addition to ISO 9001 requirements.
Deploy and implement your QMS processes and manage and control them according to your plan as
Monitor and measure the effectiveness of your QMS processes against policies and objectives that
you established under PLAN. Monitoring and measuring activity may focus on any or all of a process’s
inputs; outputs; use of resources for conversion; and interaction with other processes.
Collect and analyze your monitoring and measurement information and use it to determine the
effectiveness of each process as well as your overall QMS in meeting requirements. Use the
information to correct problems and continually improve individual processes.
CONTINUOUS IMPROVEMENT PROCESS MODEL
The above figure shows the macro level application of the PDCA model to an entire organization. The
organization’s QMS as depicted by the processes within the circle is used to PLAN the controls over all
inputs, resources, value-adding activities and outputs. We DO implement our plan by using various
resources to convert customer inputs (requirements) into outputs (product) that meet customer
requirements. We CHECK – by monitoring and measuring QMS performance and through customer
feedback. We ACT by using this information to continually improve QMS effectiveness. At the micro
level, this same model can be applied to each QMS process.
The process approach in ISO 9001:2015
**(Taken from white paper at ISO.org website)
36The process approach includes establishing the organization’s processes to operate as an integrated
and complete system.
The management system integrates processes and measures to meet objectives
Processes define interrelated activities and checks, to deliver intended outputs
Detailed planning and controls can be defined and documented as needed, depending on the
These three concepts together form an integral part of the ISO 9001:2015 standard. Risks that
may impact on objectives and results must be addressed by the management system. Risk‐based
thinking is used throughout the process approach to:
Decide how risk (positive or negative) is addressed in establishing the processes to improve process
outputs and prevent undesirable results
Define the extent of process planning and controls needed (based on risk)
improve the effectiveness of the quality management system
maintain and manage a system that inherently addresses risk and meets objectives
PDCA can be used to manage processes and systems.
Plan: set the objectives of the system and processes to deliver results (“What to do” and “how to
Do: implement and control what was planned
Check: monitor and measure processes and results against policies, objectives and requirements
and report results
Act: take actions to improve the performance of processes
PDCA operates as a cycle of continual improvement, with risk‐based thinking at each stage.
STEPS IN THE PROCESS APPROACH WHAT TO DO? GUIDANCE
37 Define the context of the
The organization should
identify its responsibilities,
the relevant interested
parties and their relevant
requirements, needs &
expectations to define the
Gather, analyze and determine
external and internal
responsibilities of the
organization to satisfy the
relevant requirements, needs
and expectations of the relevant
interested parties. Monitor or
communicate frequently with
these interested parties to
ensure continual understanding
of their requirements, needs and
Define the scope, objectives and
policies of the
Based on the analysis of
the requirements, needs
and expectations establish
the scope, objectives and
policies that are relevant
for the organization’s
The organization shall determine
the scope, boundaries and
applicability of its management
system taking into consideration
the internal and external context
and interested party
requirements. Decide which
markets the organization should
address. Top management
should then establish objectives
and policies for the desired
Determine the processes in the
Determine the processes
needed to meet the
objectives and policies and
to produce the intended
Management shall determine
the processes needed for
achieving the intended outputs.
These processes include
analysis and improvement.
Determine the sequence of the
Determine how the
processes flow in
sequence and interaction.
Define and describe the network
of processes and their
interaction. Consider the
The inputs and outputs of
each process (which may be
internal or external).
Process interaction and
interfaces on which
processes depend or enable.
Optimum effectiveness and
efficiency of the sequence.
Risks to the effectiveness of
38 Note: As an example, realization
processes (such as those needed
to provide the products or
services delivered to a customer)
will interact with other processes
(such as the management,
measurement, procurement in
the provision of resources).
Process sequences and their
interactions may be developed
using tools such as modeling,
Define people who take process
ownership and accountability
Assign responsibility and
authority for each process.
Top Management should
organize and define ownership,
accountability, individual roles,
responsibilities, working groups,
remits, authority and ensure the
competence needed for the
and improvement of each
process and its interactions. Such
individuals or remits are usually
referred to as the Process
Owners. To manage process
interactions it may be useful to
also establish a management
system team that has a system
overview across all the processes
and may include representatives
from the interacting processes
Define the need for documented
processes that need to be
formally defined and how
they are to be
Processes exist within the
organization. They may be formal
or informal. There is no catalogue
or list of processes that have to
be formally defined. The
organization should determine
which processes need to be
documented on the basis of risk‐
based thinking, including, for
39 The size of the organization
and its type of activities.
The complexity of its
processes and their
The criticality of the
The need for formally
Processes can be formally
documented using a number of
methods such as graphical
stories, written instructions,
checklists, flow charts, visual
media or electronic methods
including graphics and
systemization. However, the
method or the technology
chosen are not the goals. They
can be used to describe
processes, which are the means
to achieve the goals. Effective
and organized processes can
then deliver consistent and
accountable operations and the
desired objectives and results
which can then be improved.
activities needed to
achieve the intended
outputs of the
process and risks of
Define the required outputs and
inputs of the process.
Determine the risks to
conformity of products, services
and customer satisfaction if
unintended outputs are
Determine the activities,
measures and inherent
controls required to transform
the inputs into the desired
outputs. Determine and define
the sequence and interaction of
the activities within the
process. Determine how each
40 activity will be performed.
Ensure that the management
system as a whole takes account
of all material risks to the
organization and users.
Note: In some cases the
customer may specify
requirements not only for the
outputs but also for the
realization of a process.
Determine where and
how monitoring and
measuring should be
applied. This should
be both for control
and improvement of
the processes and the
outputs. Determine the
need for recording results.
Identify the validation necessary
to assure effectiveness and
efficiency of the processes and
system. Take into account such
Monitoring and measuring
Reviews of performance
Interested parties satisfaction.
On time delivery and lead
Failure rates and waste.
Other measures of conformity
Implement Implement actions
necessary to achieve
planned activities and
The organization should perform
activities, monitoring, measures
and controls of defined processes
(which may be automated),
outsourcing and other
methods necessary to achieve
resources needed for
operation of each
Examples of resources include:
Natural resources (including
41 Verify the
Confirm that the
process is effective
and that the
characteristics of the
consistent with the
purpose of the
The organization should
compare outputs against
objectives to verify that all the
satisfied. Processes are needed
to gather data. Examples include
reviews, audits and
D. Annex SL
Annex SL is not a standard, but rather a guide to help standards developers write management systems
standards. It forms part of the ‘ISO Directives, Part 1 — Consolidated ISO Supplement — Procedures
specific to ISO document, which is currently in its 6th edition. ISO has over the years published many
management system standards for topics ranging from quality and environment to information
security, business continuity management and records management. Despite sharing common
elements, ISO management system standards come in many different shapes and structures. The guide
was developed in response to standard users criticism that while current standards have many
common components, they are not sufficiently aligned, making it difficult for organizations
to rationalize their systems and to interface and integrate them. This, in turn, results in some confusion
and difficulties at the implementation stage .Many organizations have implemented multiple
management system standards such as ISO 9001 along with ISO 14001 and ISO 18001, or ISO 9001
along with ISO 27001 and ISO 20000 or ISO 9001 along with TS 16949. This has led to the need to easily
combine or integrate them in an effective and efficient manner. To date subtle and not so subtle
differences in requirements and terminology across Management Standard System have made such
integration difficult. ISO has produced Annex SL with the objective of delivering consistent and
compatible management system standards in an attempt to make this process easier. Annex SL
describes the framework for a generic management system. However, it will require the addition of
discipline-specific requirements to make a fully functional quality, environmental, service
management, food safety, business continuity, information security and energy management system
standard. Annex SL is freely available; it is contained within the ISO Supplement, Procedures specific
In future all new management system standards will have the same overall ‘look and feel’.
Current management system standards will migrate during their next revision. This should be
completed within the next few years. For management system implementers this will provide an
overall management system framework within which they can pick and choose what discipline-specific
42standards they wish to include. Gone will be the conflicts and duplication, confusion and
misunderstanding arising from different management system standards. In future all ISO management
system standards should be consistent and compatible. For management system auditors, it will mean
that for all audits there will be a core set of generic requirements that need to be addressed no matter
which discipline is being examined.
The HLS (High Level Structure) is the outcome of the work of the ISO/TMB/JTCG ‘Joint
technical Coordination Group on MSS’.
The structure has been mandated by the ISO TECHNICAL MANAGEMENT BOARD (TMB) (based on
ISO/TMB Resolution 18/2012) and the belief is that this will enhance consistency, make it
more generic and more easily applicable to service industries. Accordingly, ISO 9001:2015 has adopted
this. The HLS is based on published information related to Annex SL and not directly the result of
any particular published study or survey. ‘The aim of the HLS is to enhance the consistency and
alignment of ISO MSS by providing a unifying and agreed upon high level structure, identical core text
and common terms and definitions. The aim being that all ISO Type A MSS (Requirements) and Type B
where appropriate (Guidance) are aligned and the compatibility of these standards is enhanced. It is
envisaged that individual MSS will add additional ‘discipline-specific’ requirements as required. The
intended audience of this HLS is the ISO Technical Committees (TC), Subcommittees (SC) and Project
Committees (PC) and others involved in the development of MSS.'(SL 9.1). This approach is intended
to increase value of such standards to users: particularly those operating multiple MSS simultaneously
contained within one MSS (Integrated) The HLS forms the nucleus of future and revised ISO Type ‘A’
MSS and Type ‘B’ MSS (where possible). The primary intention is for organizations to have one
management system (ISO supports this approach). Annex SL, Appendix 2 will make it easier to work
with more than one management.
System standard simultaneously; as it has standardized terminology and requirements
for fundamental Management Systems and provides a l0-clause high-level structure,
common definitions and text for all management system standards. Annex SL addresses the
requirements for proposals for management system standards. It consists of 9 clauses and 3
appendices. The audience for this annex is primarily ISO technical committees who develop
management system standards; however the impact of Appendix 2 of Annex SL will be felt by all users
of management system standards in the future. Appendix 2 is in three parts:
• High level structure,
• Identical core text,
• Common terms and core definitions.
43In future all management system standards will need to have these elements. In addition, there will
be less confusion and inconsistency because common terms will all have the same definition and there
will be common requirements across all the management system standards, for example the
requirement to establish, implement, maintain and continually improve the management system. So
what changes can and cannot be made? The high level structure (i.e. major clause numbers and titles)
cannot be changed, however sub-clauses can be added. Discipline-specific text can also be added;
• New bullets
• Discipline-specific explanatory text (e.g. Notes or Examples)
• Discipline-specific new paragraphs to sub-clauses
• Adding text that enhances (but does not modify) the existing requirements
The common terms and core definitions cannot be changed. However, terms and definitions may
be added as needed and Notes may be added or modified to serve the purpose of each standard. To
facilitate the adoption of the core text the device ‘XXX’ is used. Throughout Annex SL for ‘XXX’ the
appropriate reference needs to be inserted; for example in ISO 22000 ‘XXX’ needs to be replaced by
“food safety” and in ISO 14001 the ‘XXX’ needs to be replaced by “environmental”. In addition the term
discipline is used to describe the nature of the management system i.e. quality, environmental, service
management, food safety, business continuity, information security or energy.
This Annex applies to all Management System Standards – full ISO standards, Technical Specifications
(TS) and Publicly Available Specifications (PAS) – but not to International Workshop Agreements (IWA).
Examples of standards that it applies to are:
ISO 14001:2004 Environmental management systems – Requirements with guidance for use.
ISO/TS 16949:2009 Quality management systems – Particular requirements for the application of
ISO 9001:2008 for automotive production and relevant service part organizations
Examples of standards that it does not apply to are:
ISO 19011:2011 Guidelines for auditing management systems
IWA 2:2007 Quality management systems – Guidelines for the application of ISO 9001:2000 in
High level structure
The major clause numbers and titles of all management system standards will be identical They are:
2. Normative references
3. Terms and definitions
4. Context of the organization
9. Performance evaluation
Example of identical definitions:
Example of identical requirements:
“Establish, implement, maintain and continually improve the management system.”
“Top management shall ensure that the responsibilities and authorities for relevant roles are
assigned and communicated within the organization.”
The Introduction, Scope and Normative references will have content that are specific to each discipline
and each standard can have its own bibliography. Overall there is a reorganizing of management
system requirements into this structure that may be unfamiliar to those using and assessing current
MSS. However, some management system standards (such as ISO 22301:2012 Societal security –
Business continuity management systems – Requirements) have already successfully migrated to this
For management system auditors, it will mean that for all audits there will be a core set of generic
requirements that need to be addressed, no matter which discipline. There are subtle language
changes such as the change from document and records to documented information. The new text
recognizes the use of the broad concept of risk and the need to understand risk in the context of the
management system. It also encourages everyone to view preventive action as a broader concept than
simply preventing an incident from occurring. The term preventive action has been replaced
45with “actions to address, risks and opportunities” and features earlier in the standard. The concept of
preventive actions is very much embedded in the risk assessment. The new HLS does not require an
organization to renumber existing documents’
Identical core text
There are 45 “shall” statements (generating 84 requirements) in Annex SL Appendix 2,
therefore there must be at least 45 “shall” statements with 84 requirements in all future
management system standards. Obviously each discipline will have their own requirements, so the
total for any new standard will have more – this is the minimum.
The detailed content is:
The Scope should define what the ‘intended outcome(s)’ are of the discipline. The term ‘expected
outcome’ will not be used. Auditors should expect alignment between what the organization has
determined in clause 4 with what is stated here.The scope sets out the intended outcomes of the
management system. The outcomes are industry specific and should be aligned with the context of
Clause 2: Normative references
Provides details of the reference standards or publications relevant to the particular standard.
Clause 3: Terms & definitions
Details terms and definition applicable to the specific standard in addition to any formal related
terms and definitions standard.
4. Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the XXX management system
4.4 XXX management system
As the flagstone of a management system, clause 4 determines why the organization is here. As part
of the answer to this question, the organization needs to identify internal and external issues that can
impact on its intended outcomes, as well as all interested parties and their requirements. It also needs
to document its scope and set the boundaries of the management system – all in line with the business
objectives. At first glance, clause 4 is radical and daunting, but on further consideration it makes sense