Welcome to my blog for all things related to business quality (processes, systems and ways of working), products and product quality, manufacturing and operations management.

This blog is a mixture of real-world experience, ideas, comments and observations that I hope you'll find interesting.



ISO 9001:2015 – what has changed?

The latest version of the international standard for Quality Management Systems, ISO 9001:2015 was published in September 2015. There will be a transition period until September 2018 for organisations that are certified to ISO 9001:2008 to upgrade to the new version.


What is different about the new standard and what will have to change? In overall terms the new standard has a greater emphasis on:

  • Leadership from top management, and broader business awareness including the requirements of stakeholders and changes in the business environment
  • Planning, setting objectives, measuring results and responding to changes (plan-do-check-act, more explicit than before)
  • Risk and opportunity management
  • Communication and involvement of people throughout the organisation, including collecting and sharing ‘organisational knowledge’ across the business
  • Reducing the number of mandatory requirements and procedures
  • Including services and third parties within the quality management system.

Expanding on the differences in a little more detail:

  1. Structure and Overview

ISO 9001:2015 looks rather different – some of the content from the 2008 version has moved around and there are significant new sections. There is also a change in terminology.

The main reason for the rearrangement is to align its structure with other international standards so they read similarly and are more easily compared or cross-referenced; it doesn’t imply that an organisation’s quality management system, or the terminology that an organisation uses, needs to change in a similar way.

There is also a reduction in the number and degree of prescriptive approaches that should be taken for different aspects of quality management, i.e. more freedom is now given in how to meet certain requirements such as document and record control.

ISO 9001 has taken a process approach for some time. This is now more explicitly enshrined in the new version but is unlikely to make a great deal of difference to most businesses although some tightening up of processes and performance measures may be appropriate.

  1. Management and Leadership

There has been work done on the standard to both push quality management up the corporate agenda and make it integrated into ‘business as usual’ rather than standing apart from it.

Hence there isn’t a Management Representative any more; the quality management system – and ensuring customer satisfaction and meeting other corporate requirements – becomes the responsibility of all top management not a single person. The need for leadership is stressed.

  1. Context and Scope

A new clause has been introduced to address the ‘context’ of the organisation.

Organisations will need to identify, understand, monitor and review relevant internal and external ‘issues’ that may have an impact on what the organization does and how it delivers its intended results. These issues can include risks and opportunities, legal, regulatory, financial, political or social issues and changes, market trends and changes, competitor activity, technology changes, etc., i.e. the broader business environment that is sometimes asked about during ISO 9001 audits (“what has changed recently in your business environment”).

Organisations will also need to define, then understand and monitor the needs and expectations of, ‘interested parties’, i.e. stakeholders (organisations or individuals including investors, staff, customers and suppliers) that can be affected by, or can affect, the organisation’s activities.

These contextual issues will require a strategic understanding by top management and should be considered as part of on-going risk and opportunity management processes as well as during the design and maintenance of the quality management system.

The scope of the quality management system (i.e. what parts of the business are included or excluded from the system and why) has often seemed to be of more interest to the auditing body than to the organisation itself. In the 2015 version the scope has been made more important still, and now needs to take context into account and justify any exclusions.

  1. Quality Objectives

The quality policy should be aligned with the organisation’s strategic direction. The quality objectives now need to be more detailed, specific and measurable, and need to relate directly to the quality policy. They may need to be distributed to different parts of the organisation; there certainly needs to be good awareness of them throughout the business.

Plans on how the organisation will achieve the objectives will need to be produced and resources allocated (i.e. objectives are no longer merely laudable aims) and they must be kept updated.

The QMS itself also needs to have planned (as opposed to solely ad-hoc) changes.

  1. Risk Management versus Corrective & Preventive Actions

Corrective Actions stay, but Preventive Actions are effectively replaced by ‘risk-based thinking’. Taking a risk-based approach to quality management is a fundamental change to the old standard in that it elevates its importance and distributes risk-based thinking throughout the business’s operations.

Specifically, organisations must now take opportunities to identify and take appropriate actions on both risks and opportunities that affect the organisation’s ability to meet its aims and satisfy its customers. Risk management is a key theme that is referenced in several parts of the new standard and is explicitly covered, for instance, in the Management Review.

However, in keeping with the intent to have fewer prescribed processes, there is no prescribed risk management process, it is simply stated as a requirement that risks and opportunities are identified and acted upon i.e. that risk-based thinking is adopted by the organisation; it is left to the organisation to determine how. Is this a weakness in the standard?

Risk management is very important to the new standard and the auditors will need to see an effective process in place, not token gestures. However, in the absence of a prescribed approach in ISO 9001, organisations are left to either devise their own methods (with what guarantee of effectiveness?) or to follow a prescribed approach such as one of those described in the guidelines on formal risk management Standard, ISO 31000, which may appear difficult, complex and confusing to many organisations.

  1. Design and Development Processes

These are quite similar to the 2008 version, although the wording is more comprehensive and rather clearer than before and now more clearly includes work done by third parties.

  1. Products and Services

ISO 9001 used to be written around products; its applicability to services had to be implied. ‘Products and services’ are now extensively referenced and the applicability of the standard to both goods and services is made clear.

New clauses cover post-delivery activities (warranty, service and recycling) and control of changes in production (to complement the control of changes in design and development).

  1. Awareness and Communications

In the early days of ISO 9001 it was not unheard of for auditors to quiz random auditees about the company’s quality policy and objectives, the relevance of their work to the quality management system (and vice versa) and the implications of not following processes.

Those days may be returning as the need for staff to be aware of these things is now explicit and may, therefore, be tested (this may help to help bring stray sheep back into the fold…).

The need, timing, scope and process for making internal and external communications is now an explicit clause in the standard; there will need to be a communications plan.

There is also a new clause to cover the ‘Environment for the operation of processes’ which includes not just the physical environment (as with :2008) but also ‘soft HR’ social and psychological issues such as stress reduction, emotional protection, the provision of a non-confrontational environment, etc.

  1. Purchasing

‘Purchasing’ has gone; it is now replaced by the wordier – but more helpful – ‘Control of externally provided products and services’. This is helpful for those organisations that outsource parts of their processes, or even manufacturing as a whole, e.g. to a Chinese contract manufacturer, as the applicability of ‘Purchasing’ (as was) to third-party manufacturing management was always tenuous.

Now a more thorough and, as with the rest of the standard, risk-based approach is to be taken, including being used to determine the controls that are appropriate for the organisation’s various external providers. Similarly, management of non-conforming product has now been extended to cover non-conforming process outputs and services not just materials or products.

  1. Documentation and Information

The requirements for formal documentation have been made simpler and more flexible… but, arguably, more vague. The Quality Manual has gone, as have the six mandatory procedures.

The rather artificial separation of documents from records has been removed and replaced by stated requirements to maintain and retain documented information.

There is more freedom given to the organisation to determine how information is captured and managed. Documented information must be maintained as necessary to have confidence the processes are working as planned – the organisation will need to decide what this means and must be able to justify it. Some prescribed types of documented information must be retained (similar to the previous reference to Records).

Also, there is a new and explicit requirement for the organization to obtain, maintain, and make available the ‘Organisational Knowledge’ necessary for the operation of its processes and to ensure that its products and services meet all requirements, i.e. ensuring not just good documentation, but also the sharing of information, mutual exchange of informal but important knowledge, etc.

  1. Appendices

An annoying characteristic of many international standards is the extensive cross-referencing that implies the need to buy many different documents to be able to properly read just one of them.

ISO 9001:2015 has moved a little way towards helping with this by adding two appendices that:

  • Provide an explanation, in summary, of the changes made since the 2008 version and clarifying the new structure, terminology and concepts
  • List the other documents in the ISO 10000 portfolio of quality management standards that provide further information if required, and providing a short description of their content (to give the reader a little help in deciding if they are really needed for cross-referencing).


Clearly this depends on your business and its existing Quality Management System; I will talk about the implications for typical SMEs in a future blog. In the meantime, if you need help in understanding, interpreting and applying the new standard in a beneficial, pragmatic, low-bureaucracy way please get in touch with us at Primilis (http://www.primilis.com).

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>