ISO 9001 Revision

The Need for Change

There has been little change in ISO 9001 since the 2000 version which, in many instances, has led to:

  • Complacency and inertia by the clients and the Certification Bodies – it has been virtually the same audits carried out by the same people for the last 15 years
  • Compliance [Doing what you said/wrote you were going to do] being the ultimate goal for the CB and the Organization's Quality Manager. Despite the clause for Continual Improvement in the 2008 version, the audits were mostly about compliance and the value to the organization was and still is questionable
  • Only sporadic use of "Value Added Auditing" or "VAA". ISO 17021-2015 [the rules by which a Certification Body must comply] forbids an auditor from doing consultancy but suggestions, ideas, recommendations, improvements can help clients improve – very little evidence of this being actively promoted by the Accreditation Bodies

Side note: The Directors of GH Certification Sdn. Bhd. have always practiced VAA and expected auditors to give that extra guidance or help. There were 2 concepts that fuelled this:

  • The clients were happy and could see the benefits these suggestions made in their businesses
  • The value of the audit was greatly increased; no longer seen as "acting like policemen" and finding faults. The results were that they happily remained as clients - "same team thinking"

What are the changes in 9001:2015?

The first major change in the 2015 version is that the structure (High Level Structure or HLS) has been change so that ALL Management Systems will follow in the same way. For those with more than 1 standard it saves duplication and therefore saves time and effort. Comparing ISO 9001:2015 with ISO 14001:2015 the structure and wording for the first 7 clauses is almost identical but the emphasis on the relevant standard.


The Changes

0.3 Process Approach


There is much greater emphasis on the Process Approach which enhances customer satisfaction by meeting customer requirements. This means that the organization has to understand the interaction of its processes so that it can be effective and efficient in achieving its results.


0.3.2 Re-emphasis on Plan, Do, Check, Act [PDCA] Cycle



0.3.3 Risk Based Thinking


Risk Based Thinking [RBT] is the formalization of the implied requirements in 2008 and 2000 of Preventive Actions, analysis of Non-Conformances. There is no requirement to any method or techniques though we advise client that ISO 31000:2009 is a great foundation to a good understanding of Risk Management – See Clause 6 Planning


Clause 4.0 Context of the Organization


This clause is all about the organization understanding about its self. What are the interaction process? what are its strengths and weaknesses? who can affect the Quality Objectives? what are their needs and expectations? how do we define the scope of the organization?

Who is involved in this process? See Clause 5.0 Top Management Commitment but also the involvement of all the employees of the company. The collective knowledge of all the employees can far outweigh that of the Top Management if channelled and used in the right way. ISO 9001:2015 involves all.


Clause 5.0 Leadership and Commitment


One of the most talked about and most argued about clauses in 2015. Under ISO 9001:2008, the responsibility and ownership was firmly with Middle Management [QMR} as delegated by the Top Management. The Quality Manager was ultimately responsible for the success or failure of the external audit but had little or no authority to make any changes. Too often the Top Management were only present at the Opening and Closing meeting but otherwise had little or no input into the QMS.

That has all changed in 2015!

The authority and responsibility has been returned to the Top Management which in turn means their full commitment to ISO 9001 must be demonstrated through:

  • Focussing on Customer requirements
  • The establishment and communication of the Quality Policy
  • Assigning, communicating and understanding of the roles and responsibilities in the organization


Clause 6 Planning


When understanding the Context of the Organization and the Requirements of Interested Parties, the organization needs to understand what risks and opportunities may affect the:

  • Quality Management System
  • Increase the positive contributions
  • Decrease the negative effects
  • Create improvements

To do the above, the organization must "Risk Assess" these opportunities and threats to understand how the actions can be:

  • Integrated and implemented within the processes
  • Understand and evaluate what effect these actions will have on the business

It is recommended that each organization understands the methodology of carrying out a Risk Assessment as described in ISO 31000:2009

In the previous versions of ISO 9001, it seemed as if the standard ran in parallel to the business requirements. Occasionally the two met but ISO, was seen as having to be implemented as a client requirement, regulatory or statutory requirement and mostly separate from the needs of the "core business".

ISO 9001:2015 is now totally integrated into the needs of the organization. Objectives and Targets are no longer “soft” but 100% related to needs of the strategic direction of the organization such as:

  • Decrease wastage by 5%
  • Increase sales by 15% in a particular sections
  • Withdraw from loss making markets and increase profits by 20%

The question is: How to set targets?

The answer is relatively easy to say but more difficult to do!

  • Define the internal and external strengths and weaknesses of an organization
  • Identify what Opportunities and Threats could affect the Organization
  • Risk Assess these Threats and Opportunities – remember a Threat could become an Opportunity
  • From these Threats and Opportunities, decide what Targets and Opportunities

These targets then become part of the Strategic Plan for the organization which will need to be measurable, relevant to customer satisfaction, monitored, communicated and updated. Then the targets must be planned.

There are many clauses in 2015 that have been re-worded but remain essentially the same.


Clause 7 Support – Additions and changes


Organizational Knowledge is the external and internal knowledge required for the running of the processes. There is a new requirement for the organization to determine what it needs to retain and how to obtain updates.

Documented Information is the new name for Documents and Records and despite the early claims that there is no ned to keep documents – that contrary is true.


Clause 8 Operation – Additions and changes


Externally provided process, products and service remain inside the quality management system and requires the organization to have much tighter control.

Non-Conforming outputs identified and controlled to stop unintended use.


Clause 9 Performance Evaluation


Monitoring Measurement and Analysis requirement to decide what, methods, when performed and when analysed and evaluated

Internal Audit essentially the same and process approach to be used

Management Review 13 points covered in the standard which is a good starting agenda – the outputs are defined too


Clause 10 Improvement removal of Preventive Action as now covered in RBT Clause 6.1


In conclusion, the changes in ISO 9001:2015 are far ranging especially for Top Management. The introduction of Understanding the Organization, increased emphasis on the leadership requirements and the direction towards Strategic Planning has propelled ISO 9001:2015 into the 21st Century. It has directed SME's to use tools that big organizations used on their path to become big businesses.


Steps a business can take to get ISO 9001:2015


There are some simple steps and organization can take:

  • Involve the Top Management as soon as you can. After all ISO 9001 has been mostly the responsibility of Middle Management for the last 15 years. Water trickles downhill much easier than trying to push it back up the hill
  • The internet is a great source of materials now the standard has been out for a while – a consensus seems to be happening on what is required – READ UP AS MUCH AS YOU CAN
  • Unless you have the free resource of a knowledgeable employee, find a good consultant or talk to your exiting Certification Body
  • Involve EVERYONE you can in your organization. This is a standard that will affect every employee in every department – get them on your side
  • DON'T think the changes are small – if your Consultant says this or your CB says this it is time to find somebody new. It's like adding a turbo-charger to your vehicle. Will things be the same? You know they will be different!
  • Don't wait until the last minute to transition from the 2008 version. Experience has taught us that the sooner you adopt the new standard, the sooner you will gain the benefits. The queue for consultants will get extremely long as we head towards the cut-off date of September 2018. If you don't transition by then – you will lose you certificate!