ISO 9001 REQUIREMENTS
ISO 9001:2015 Quality Management System is a framework for setting up a QMS that works best for your company.
With the release of the ISO 9001:2015 standard came an update to the structure of all ISO standards. ISO 9001, along with all other ISO standards, now follows the new Annex SL – Structure. This means that ISO 9001 has the following structure:
- Normative References
- Terms and Definitions
- Context of the Organization
- Performance Evaluation
The first 3 sections in the standard are really setting the intent for what the standard is trying to accomplish. The true requirements of ISO 9001:2015 start with Section 4.
Here is a quick breakdown of each section 4-10 and what the standard is trying to accomplish with these sections.
We often get asked what the Context of the Organization is because the wording is not intuitive. This section really is the foundation of your Quality Management System and the foundation of the business.
This section asks a few core questions:
- Who are my interested parties? In other words, who is impacted by what we do? This can include customers, employees, stakeholders, regulatory agencies, etc. Ultimately, you want to identify what you need to do to make all these groups happy.
- What are my internal and external concerns? These concerns are your true business risks. What you are trying to identify here is what are the concerns for each of the interested parties you identified. You want to identify risks where you could fall short on these concerns and close those gaps. That will be further discussed in Section 6.
- What is included in my ISO 9001 Quality Management System?
- What is the scope of my QMS: What processes, equipment, products, services, etc. are part of my QMS.
- Is there any part of the standard that doesn’t apply? If there is a section of the standard that doesn’t apply to you, you are able to exclude it. For example, if your company doesn’t do design, you can exclude it from your QMS scope for certification.
- What are the boundaries of my QMS: What buildings, locations, etc. are included in my QMS. You are able to decide if you only want one location included or possibly even one piece of equipment. It’s up to you to decide.
With the ISO 9001:2015 standard, there is much greater emphasis on ensuring leadership is involved in the management system and responsible for the areas under their control.
Previous versions of the standard often required a QMS Management Representative to be in charge of the Quality Management System. The problem with this is that in many cases, that person ended up being responsible for the entire Quality Management System. They would often manage the QMS with little to no involvement from other managers or leaders within the organization. The QMS became an isolated system that ultimately ran separate from the business operations.
ISO 9001:2015 aimed to fix this issue by requiring leadership to be more involved. The ISO 9001 standard sets certain commitments that leadership must meet and there is no longer a requirement to have a management representative.
Leadership is expected to be fully involved in the QMS and responsible for their department’s role in the QMS. This is further identified through the Quality Policy and Roles & Responsibilities identified in Section 5.
Once you have identified what should be included in your quality management system, who the interested parties are and what their concerns are, it’s time to evaluate the risks or opportunities they present.
The ISO 9001 standard does not require a formal risk assessment process, such as a Failure Mode & Effects Analysis (FMEA), but it does require you to evaluate the organization’s internal and external concerns to identify relevant risks and opportunities.
The main thing here is to determine what controls you have in place to address these risks and what controls may need to be implemented. The more significant risks are the ones that should feed into your Quality Objectives. The idea here is to continually improve over time by continuing to reduce the potential impact of the highest risks. Once those risks are controlled, you move on to the next highest risks.
As changes occur within the organization, from changes to processes, adding equipment or changes to production volume, it’s important to evaluate the impacts that these changes can have on the business. This is where the management of change process comes into place.
This section of the standard is all about making sure you have the resources necessary to cover the management system. It starts with the proper facility resources, including internal environment, space, etc. From there, the standard ensures the employees are aware of the necessary quality requirements and trained on their applicable responsibilities.
ISO 9001 requires proper communication with all relevant parties. What needs to be considered is how quality requirements are effectively communicated to anybody who either has the potential to impact the quality management system or can be impacted by it.
The last part of this section requires the quality management system documentation to be controlled. The organization needs to ensure that the documentation in use by employees is the most current and is controlled at the point of use. Records from the quality management system need to be maintained for a specific period of time.
The controls identified in Section 6: Planning are implemented here in Section 8. Section 8 focuses on operational planning and controls. It addresses all operational requirements, including sales, design, production, quality assurance and quality checks, delivery, customer satisfaction, etc.
This section also addresses how externally provided product / services are handled (outsourcing) and how the company addresses nonconforming product.
This section is considered the “Do” portion of the PDCA cycle for continual improvement.
Once you have set up your quality management system and implemented it, it’s time to see how effective your QMS is. This section puts in place the requirements to evaluate the effectiveness of the many requirements of the management system.
One of the main things the ISO 9001:2015 standard is concerned with is customer satisfaction. So it makes sense that this is the first thing the standard wants you to evaluate. From there, we want to evaluate how effective each process is. To do this, you need to identify the key metrics for each process that will be measured.
To evaluate the effectiveness of the quality management system as a whole, an internal audit needs to be conducted. This requirement is often misunderstood, and many people think a full system audit needs to be conducted every year. It’s true that an internal audit needs to be conducted at least annually, but it doesn’t necessarily have to be a full system audit.
The idea behind the internal audit schedule is to audit the areas that have the biggest concerns, previous issues or recent changes. Many companies will audit the entire system each year, but it’s not necessarily required. Companies can choose to conduct one full audit or break up the audit into specific processes. Ultimately, all processes need to be audited over a 3 year cycle. This aligns with the 3 year certification cycle.
Another way to evaluate the overall effectiveness of the management system is through the Management Review process. The management review is meant to look at where the quality management system has been effective, where gaps have been identified and where improvements can be made. Management reviews are typically required at least annually, but it’s beneficial for them to be conducted a little more frequently so companies can more effectively evaluate the quality management system on an ongoing basis.
All ISO standards are built off the premise of continual improvement. A company’s quality management system is never expected to be perfect. There is always room to improve as companies continue to grow. The process takes into account all improvement activities identified throughout the management system. Outputs of the improvement process drive changes back through the planning process as part of the PDCA cycle.
Frequently Asked Questions
ISO certification follows the same process, regardless of the ISO standard you are seeking:
- Establish, implement and verify your ISO management system
- Stage 1 audit – Documentation Review
- Stage 2 audit – Full system audit
- Closure of any findings
The standards that best suit your company vary by the industry you are in. In order to identify the standards that will provide your company with the greatest benefits, we recommend the following:
- Talk to your customers – many of them may require certain ISO standards.
- Evaluate your company’s risks – see where your company’s greatest liabilities are and what needs to be controlled (e.g. quality, environmental aspects, health & safety hazards, IT security, etc.).
- Be proactive and identify new business opportunities – evaluate new areas / industries where you want to grow your business. Oftentimes, these new industries may require some sort of certification in order to enter. Certification takes time, so being proactive and having the certifications before bidding on projects can put you ahead of your competition.
The time to become ISO certified really depends on a few different factors:
- The resources you have available to support the ISO process
- Your own internal timeframe that you need / want to be certified by
- The standard’s requirement for how much evidence you need to support certification
Certification requires you to show through objective evidence that you have an effective ISO management system in place. In order to do this, you need to show that you have sufficient evidence available to support this claim. At a minimum, most standards will require 3 months of evidence of implementing your management system in order to be certified.
Some standards, such as IATF 16949, may require a minimum of one year of evidence to support certification.
The cost for certification can vary greatly from one company to another. There are typically several factors that go into the costs for certification:
- Certification body fees
- Certification body audit day rates
- Auditor travel costs
- Standard license fees (e.g. R2, RIOS, eStewards license fees)
- Consulting Fees
Audit time and consulting time are typically based on the following factors:
- Number of employees
- Number of processes and the risks associated with those processes
- Number of locations
We have the experience to help you navigate the certification body costs and possible discounts they can offer.
ISO certification shows your customers that you follow industry best practices and that your business is well structured and ready for growth.
Each ISO standard has its own benefits, for example:
- ISO 9001 – Ensures you provide your customers with a quality product or service
- ISO 27001 – Protects your information, data and reputation
- ISO 14001 – Reduces your environmental impact
- ISO 45001 – Protects your workers
- Responsible Recycling (R2) – ensures responsible management of used electronics
Common benefits across all ISO standards include:
- Increased efficiency
- Reduced costs
- Improved customer satisfaction
- More engaged employees
- Reduced risks
- Reduced insurance premiums
- Helps with project bidding
By achieving and maintaining an ISO certification, you are showing your company’s commitment to achieving your objectives, improving your business and increasing the credibility and customer confidence in your product or service.
Yes. We have been providing remote auditing and consulting services for years. We have found remote auditing and consulting to be just as effective as on-site. We use a variety of tools to ensure we are thorough in our remote services, while saving you time and money.
The great thing about working with Glacier consulting is that you don’t need anything in place to get started. We will work with you every step of the way to ensure you have everything you need to get certified.
Most companies have far more in place than they realize. Just because it may not be documented, doesn’t mean you don’t have processes in place. We will work with your team to improve, streamline and formalize these processes.
One of the most common questions we get is how much time and effort does it take to get and maintain certification. The bulk of the effort should be at the beginning to get your management system established and implemented. To do this, we take what you already do and formalize it to meet the standard requirements. There may be some minor tweaking done, but this typically only improves and streamlines your process.
Once your ISO management system is in place, maintaining it should be as easy as breathing because it should become part of your culture and everyday operations. At the end of the day, you shouldn’t think of it as your ISO system, you should think of it as simply your way of operating your company.
We work with countless ISO standards. We’ve only listed the most common ISO standards typically sought after. We have a diverse team with tremendous knowledge in many of the ISO standards. Contact us and let us know what standard you are interested in. If we don’t offer that service, we can find you someone who can.
We can tailor a service specific to your needs to help you along your ISO journey. We can provide basic guidance to full “White Glove” support. If it’s business or ISO related, we’ve got you covered. A few of our services include:
- General ISO Consulting
- Documentation Prep
Contact us with any questions you have or for services not listed here.