ISO 9001:2015

Quality Management Systems

What is ISO 9001:2015?

ISO 9001:2015 is the most recognized international standard for quality management systems (referred to as QMS). It’s benchmarked internationally with more than a million certificates issued worldwide.

In simple words, this standard is a set of international best practices for quality management systems that helps businesses and organizations to be systematic and to bring efficiency and effectiveness into their processes, which in turn continually enhances customer satisfaction.

Which sectors is ISO 9001:2015 suitable for?

ISO 9001:2015 is a generic standard and applicable to any organization regardless of its size, products and/or services, and location. One of its major strengths is its wide appeal for all types of organizations, as it focuses on processes and customer satisfaction rather than procedures; achieving a certification, for example, is therefore equally applicable and beneficial to service providers and manufacturers.

To which this standard contributes
When things don’t work as they should, it often means that standards are absent.
ISO 9001:2015


This means an audit (or audits), by a renowned accredited certification body, of the quality management systems that have been developed and implemented against ISO 9001:2015, which is a set of best practices (requirements) for quality management systems (QMS). Upon successful completion of the audit, a certificate of conformance is issued for a period of 03 years, meaning the company is operating under systems that have been audited and certified by a third party.

There are a total of 10 clauses in ISO 9001:2015; however, the audit is carried out against clauses 4 to 10. These are described as follows:

4) Context of the organization

The main requirements include

  • Context (background)
  • Needs and expectations of the interested parties
  • Scope of the QMS
  • Processes, both for production and service provision as well as the processes for QMS itself e.g. management review, internal audit, corrective action etc.

5) Leadership

The main requirements include

  • General requirements pertaining to leadership and commitment
  • Customer focus
  • Policy
  • Organizational roles, responsibilities and authorities

6) Planning

The main requirements include

  • Risks and opportunities and actions to address them
  • Objectives, targets, and planning to achieve them
  • Management of change

7) Support

The main requirements include

  • Resources: human, infrastructure, and environment for the operation of processes, monitoring and measuring resources, organizational knowledge
  • Competence
  • Awareness
  • Communication
  • Documented information

8) Operation

The main requirements include

  • Planning and control of operations including requirements for products and services
  • Design and development of products and services
  • Third-party services including processes
  • Production and service provision
  • Identification and traceability
  • Controls for the property belonging to customers or external providers
  • Preservation
  • Post-delivery activities
  • Product release
  • Control of nonconforming product

9) Performance evaluation

The main requirements include

  • monitoring and measuring
  • analysis
  • evaluation
  • customer satisfaction
  • internal audit
  • management review

10) Improvement

Improvement in management systems comes through the following (but not limited to)

  • effective (thorough and in-depth) internal audit
  • root cause analysis and corrective action
  • data analysis and evaluation
  • effective management review
  • awareness and training etc.










Please make sure to tailor it to the context of your organization toward an effective audit.

Internal audit checklist

The benefits are huge and the return on investment is quite high provided the systems are developed in the context of an organization and then owned & implemented by all the process owners with the aim of bringing about efficiency and effectiveness in their processes. Some of these benefits are

  • enhanced corporate image and reputation.
  • the context of the organization is determined to define who might be affected by your work and what they expect from you; this enables you to clearly state objectives and identify new business opportunities.
  • put your customers first, making sure you consistently meet their needs and enhance their satisfaction; this in turn will lead to repeat customers.
  • work in a more efficient and effective way as all your processes will be aligned and understood by everyone in the organization; this increases productivity and brings internal costs down.
  • meet the necessary statutory and regulatory requirements.
  • expand into new markets, as some sectors and clients require ISO 9001 for registration and/or participation in the tendering process.
  • identify and address the risks and opportunities pertaining to your business.
  • better communication and awareness among staff through process mapping, defined hierarchy, and job descriptions; this improves the working atmosphere, reduces the pressure of work, and hence leads to more involvement of staff.
  • through monitoring, measurement, analysis, and evaluation, you’ll have data on your hands that will help you in facts-based decision-making.
  • continual improvement is inherent in this standard.

The cost of certification against ISO 9001 depends mainly on the audit duration, which in turn is calculated according to IAF MD 5:2019. In this document, the relationship between the audit time (auditor days) and the effective number of personnel has been tabulated. However, this can be adjusted based on other factors as follows:

Increase in audit time of all management systems:

  • complicated logistics involving more than one building or location where work is carried out
  • staff speaking in more than one language, hence requiring an interpreter
  • very large site for the number of personnel e.g. a forest
  • high degree of regulation
  • highly complex processes

Decrease in audit time of management systems:

  • there is no design function or the client is not design responsible
  • a relatively small site for the number of personnel e.g. office complex only
  • maturity of the management systems
  • prior knowledge of the client management systems e.g. already certified to another standard by the same certification body
  • client preparedness for certification e.g. already certified

Note: if the audit is conducted in accordance with IAF MD 11 this justification is invalid as reduction will be calculated from the level of integration.

  • high level of automation (not applicable for OH&SMS)
  • staff includes a number of people who work “off location” e.g. salespersons, drivers, service personnel, etc. and it is possible to substantially audit compliance of their activities with the system through review of records (not applicable for OH&SMS).

The reduction of audit time of management systems shall not exceed 30% of the times established initially as per IAF MD 5.

Selection of an ISO consultant is very critical, as the quality of the developed systems and the approach to implementing and maintaining those systems truly depend on the quality of the consultancy provider. So price alone should never be the criterion; rather, balance it with the following factors

  • competency of the consultant(s): academic & professional qualifications, memberships & certifications, number of years in consultancy work, experience in a particular standard, sector experience.
  • time and human resource allocation: development and implementation of management systems in the context of an organization are time-consuming, so make sure they commit sufficient time (days).
  • methodology e.g. a system that is a copy/paste, or developed in isolation or in consultation with a single person, can never be effective, as most probably it will not be owned in letter & spirit by the process owner; it is, therefore, important to do one-on-one consultation while developing the systems.
  • independence: choose the certification body yourself and not upon recommendation of certification as this will act as a check on the ‘quality’ of work done by the consultant
  • check the market reputation e.g. Google reviews, testimonials of their previous clients


Once the system is in place, the certificate is issued usually within one month of the last day of the audit (audit duration is calculated in line with the IAF MD 5:2019).

The certification cycle is usually 3 years with surveillance audits at the end of the 1st and 2nd years. Upon completion of the cycle, the company has to go for re-certification.

This can be verified through the “certificate number” on the official website of the certification body.

The process to become certified against ISO 9001:2015 is as follows:

  1. Gap analysis: evaluation of the current systems against the standard and identifying gaps.
  2. Awareness training: brief all the process owners and those who will be involved in the development and/or implementation of the systems, on the requirements of the standards.
  3. Documentation: based on the gap analysis report, develop the documentation; make sure that it is developed in the context of the organization, as every organization is unique and therefore a copy/paste approach is not going to help at all and the systems are bound to fail! The best approach is to keep the documentation brief and to the point; however, it can be as detailed as needed for a large organization e.g. multiple sites, large multinational workforce, and complex and/or high-risk processes. This should be done in consultation with the process owners at all levels so that all of them own it later on while implementing those management systems.
  4. Implementation: once documented, the process of implementation will start. The best way to implement the aforesaid documented systems is for the third-party consultant to provide one-on-one consultation to all the process owners so that they truly understand the right way to achieve effectiveness and efficiency, which is one of the objectives.
  5. Internal audit: after implementation, conduct the internal audit to check compliance i.e. are there any gaps with regard to documentation and implementation status.
  6. Corrective action: do the root cause analysis for all the non-conformities identified and take corrective action.
  7. Certification audit: now it’s time to select and invite the accredited third-party certification body (also called CAB) that will audit your systems, issue an audit report and, if all is well, issue a certificate valid for three years.
  8. Maintenance of the systems: these systems now have to be maintained internally through the process owners and relevant staff so that you are able to pass the surveillance audits at the end of 1st and 2nd years.

Note: A system is a set of (2 or more) processes and a process is a set of activities; whereas ISO 9001:2015 is a set of requirements for systems (not system).

The gap analysis is conducted at the development stage while the internal audit is performed after implementation; however, the criteria are essentially the same, only the approach is different.

Guidance notes

These should be

  • developed at all levels and functions within the organization
  • SMART: specific, measurable, achievable, relevant, and time-bound
  • developed in consultation with all those who are concerned
  • review frequency defined
  • those who participate in the establishment and/or review and the minutes of review to be recorded
  • communicated

The following should form the basis for establishing the objectives

  • quality policy
  • views of interested parties e.g. feedback including complaints
  • process performance data
  • service delivery performance data
  • legal and contractual requirements
  • the outcome of the ‘risks and opportunities’ analysis

These should not be confused with the objectives pertaining to departmental performance e.g.

  • tally employees’ records with Immigration
  • achieve budget revenue and profit for the current fiscal year

These should not be confused with routine things i.e. tasks that are required to be done in routine e.g.

  • review policies and procedures in line with the legal requirements
  • HR structure and management system review.
  • initiate and complete all projects within the allocated budget, time, and quality, as desired.
  • follow up with the procurement department on the changes in the standard contracts.
  • deliver trainings according to the training plan.
  • introduce new products
  • increase in resources for the QMS
  • timely execution of internal audits and management review meetings for the maintenance of QMS
  • increase in “compliance by the suppliers”

The objectives should be set in a way that aims to enhance the quality of the processes and products. Typical examples include

  • an increase in the satisfaction index
  • reduction in complaints
  • in a transport company, the percentage of buses running to the schedule within the set time limits
  • in a production setup, the maximum rejection rate that is acceptable on an hourly basis.

Title: QMS objectives and targets

Objective | Description | Target | Timeframe
Customer satisfaction | Increase in customer satisfaction index | by 10 % of the last quarter | 31st Dec 2023

reference: clause 6.1

The intent of this clause is to determine the risks and opportunities while

  • defining the processes e.g. developing process maps (use all the steps in the process as a checklist)
  • internal and external issues
  • needs and expectations of the interested parties

ISO 9001 doesn’t specify any formal risk management method for determining and addressing risks and opportunities, so you can choose any method that best suits your needs. Refer to IEC 31010, which provides a list of risk assessment tools and techniques.

The actions that an organization can take to address risks will depend on the nature of the risk, for example:
a) avoiding the risk, by no longer performing the process where the risk can be encountered;
b) eliminating the risk, for example, by using documented procedures to assist persons in the organization with less experience;
c) taking the risk to pursue an opportunity, such as investing in new capital equipment to launch a product line where the return on investment is unknown;
d) sharing the risk, for example, by working with the customer to facilitate the advance purchase of raw materials when production levels are unknown;
e) taking no action, where the organization accepts the risk itself, based on its potential effect or the cost of the needed action.

Examples of actions to address opportunities include adopting new technologies and seeking new customers or markets.

Example ‘Risks and Opportunities’

8.3.1 General

The intent of this sub-clause is to ensure that the organization has the design and development process in place, to ensure that it has the ability to meet the requirements for the products and services it offers.

In some cases, the requirements are applicable in full while in other cases these apply only partly e.g. changes in the products or communicating with the customer.

An organization engaged in the manufacturing of a variety of bicycles should treat it as a new product and apply all the requirements. On the other hand, one that manufactures a product as specified by a customer should apply these requirements only when the customer wants a modification to the existing design and/or when there is a need to communicate in regard to changes in the product.

Similarly, a coffee shop that operates as a franchise needs fewer design and development requirements than one that decides to operate on its own and hence makes its own decisions about the range of its products, branding, etc.

Examples where design and development is needed include

  • a tailoring shop that receives a request to modify the suit;
  • a mechanical workshop that is engaged in the manufacturing of a standard part; however, one of its customers requires customization;
  • an educational institute that designs and develops its curricula.

8.3.2 Design and development planning

The intent of this sub-clause is to do planning in regard to design and development.

The following should be considered while doing this planning

  • how complex the products and services are i.e. new or repeat design, the purpose of product and service, physical characteristics including specifications and requirements pertaining to delivery
  • design stages and review of the design
  • verification e.g. to make sure all dimensions are adequately specified on a technical drawing
  • validation e.g. trial production or service tests
  • responsibilities and authorities for those who will be involved in the design and development process;
  • resource needs e.g. organizational knowledge, equipment, technology, competence, support from customers or third-party services providers, temporary workers, codes or standards
  • communications among the personnel involved and the best ways for sharing information
  • the possibility of involving customer(s) and user(s) at various stages e.g. on-site visit by a customer, test(s) to be witnessed, consumer experience
  • other things that are required for the delivery of products and services such as technical drawings, raw materials, acceptance criteria
  • requirements about documented information e.g. project plans, minutes of the meeting, performance reports, test reports, drawings, work instructions, or process flow diagrams.

8.3.3 Design and development inputs

The purpose of this sub-clause is to make sure that determining the inputs is one of the activities carried out while planning design and development projects. Furthermore, these inputs should be clear, complete, and consistent with the product or service requirements.

The following should be considered

  • the requirements as defined by the customer, due to market needs or decided internally based on experience that pertain to functionality and performance e.g. a lamp to provide lighting at a specified level for 5 years.
  • previous information including project files (drawings, specifications), and lessons learned, will help the organization build on good practices and avoid mistakes.
  • legal requirements that link directly to the product or service e.g. hygiene requirements for a restaurant.
  • the consequences of failure of products and services, e.g. poor planning of road traffic safety at an event that might result in accidents, or unsatisfied customers due to color fading in a fabric.

8.3.4 Design and development controls

The purpose of this sub-clause is to ensure that once the inputs are defined, all the activities occur as planned.

The design and development process is controlled through review, verification, and validation activities, which can be implemented as a single process or separately.

For ISO 9001:2015, 8.3.4, bullets a) to f), the organization should ensure:

  • persons involved in design and development understand in full the requirements of the customer or end-user; any deviations from these requirements aimed to enhance product performance should be based on the cost and benefits e.g. ease of use analysis.
  • the reviews have taken place, problems are highlighted and appropriate solutions are suggested; persons who are not involved in the specific stage can be involved in its review, as well as those who are involved in the manufacturing of the product or service and, where relevant, customers, end-users and external providers, depending upon the complexity. A formal meeting might be conducted for the review of a complex design and minutes recorded;
  • verification is conducted to ensure that requirements identified at the start of the design and development process are fulfilled; for larger projects, the process can be in many stages and the verification is carried out at the end of each stage. Verification activities can include alternative calculations, comparing the new design with a similar proven design, undertaking tests and demonstrations, and checking documented information at a particular design stage before its release for the next stage;
  • validation is carried out to ensure that the final product or service will meet customer or end-user needs for the intended use; examples of validation activities can include marketing trials, operational testing, simulations and testing under intended user conditions e.g. to simulate the ability of a building to withstand earthquakes, customer or end-user tests which provide feedback;
  • upon review, verification, and validation activities, if problems are found, actions to resolve should be determined and implemented, the effectiveness of these actions should be evaluated and discussed during the next review; and
  • documented information on the review, verification and validation activities should be retained as evidence that the design and development activities were carried out as planned, e.g. meeting minutes, inspection and test reports, and customer approval etc.

8.3.5 Design and development outputs

The intent of this sub-clause is to ensure that the outputs give the information required for all the processes (including purchase and production) needed for the intended products and services; these should be clear so that those involved understand what to do and in what sequence.

Outputs will vary depending on the nature of the process for design and development and the products and services requirements.

Moreover, these outputs will be key inputs for the production and service provision processes.

For ISO 9001:2015, 8.3.5, bullets a) to d), the following should be considered.

  • ensure that the outputs are in sufficient detail to make sure that all subsequent processes can be carried out, considering who will use the output and in what circumstances;
  • clear information is provided in regard to monitoring and measuring, including any criteria for the acceptance of processes, products, and services that are provided externally, and the release of the products and services;
  • product and service characteristics should be complete, to ensure the products can be produced or service provided safely and suitably, as well as details on the use of a product or service e.g. use of medicine, food storage, or product cleaning.

In some cases, the design output can be the actual product of the organization, for example in the case of an architect, design engineer, or graphic designer.

Design outputs should be retained as documented information e.g.

  • drawings, product specifications, material specifications, test requirements, and quality control plans;
  • process parameters;
  • details of necessary production equipment;
  • technical calculations e.g. strength, earthquake resistance;
  • menus, recipes, cooking methods, and service manuals; and
  • a marketing campaign designed by an advertising agency.

8.3.6 Design and development changes

The intent of this clause is to review and control changes during and subsequent to the design and development process.

Changes can occur at any stage, including, but not limited to:

  • while implementing the process of design and development;
  • after the outputs have been released;
  • consequent upon the feedback of customer satisfaction and the performance of external providers.

ISO 9001:2015 standard

All ISO 9001:2015 standard requirements are outlined in the attached gap analysis checklist.

ISO 9001:2015 gap analysis checklist

ISO 9002:2016 provides guidance on the intent of the requirements in ISO 9001:2015, with examples of possible steps an organization can take to meet the requirements.

However, this is only guidance and it is not binding on any organization to adopt the suggested approaches in order to implement the quality management systems.

A survey result shows that small companies employing between 3 and 48 people think that the ISO standards helped their business in various ways.

Through the implementation of ISO standards, the benefits achieved were

  • the quality of the products and services improved
  • the standards helped cut costs and increase profits
  • the standards have given a competitive edge
  • helped open up new export markets
  • helped acquire new customers and strengthen existing business
  • helped compete with bigger organizations
  • helped standardize the business processes and hence increase efficiency
  • helped comply with applicable regulations


Although ISO 9001:2015 is quite flexible and lenient in regard to documentation and its extent as compared to its previous versions, it specifies documentation requirements at various places within it, as follows:

clause 4.4.2 a): documented information e.g. process maps for the execution of processes (both management systems as well as technical and managerial);

clause 4.4.2 b): documented information e.g. monitoring and QC results for the aforesaid processes;

clause 4.3: scope of the quality management system;

clause 5.2.2 a): quality policy;

clause 6.2.1: quality objectives and action plans;

clause evidence of fitness for the purpose of monitoring and measuring resources;

clause documented information of ‘basis used for calibration or verification’;

clause 7.2 d): documented information as evidence of competence that includes qualification, experience, training, and skills;

clause a) and b): documented information on the results of the review of the requirement for products and services and on any new requirements for the products and services, respectively;

8.3.2 j): documented information needed to demonstrate that design and development requirements have been met;

8.3.3: documented information on design and development inputs;

8.3.4: design and development controls;

8.3.5: design and development outputs;

8.3.6: documented information for a) design and development changes b) the results of reviews c) the authorization of the changes and d) the actions taken to prevent adverse impacts;

8.4.1: documented information for ‘criteria for the evaluation, selection, performance monitoring, and re-evaluation of external providers, in regard to the provision of processes, products, and services in accordance with requirements’;

8.5.1 a): documented information that defines characteristics of the products and services to be provided, and results to be achieved;

8.5.2: documented information to enable traceability, when unique identification of the output is a requirement for traceability;

8.5.3: records of a property belonging to a customer or third-party provider e.g. should it be lost, damaged, or otherwise found to be unsuitable for use;

8.5.6: documented information describing the results of the review of changes in regard to production and provision of service e.g. the person(s) authorizing the changes, and any necessary actions arising out of the review of these changes;

8.6: documented information on the release of products and services e.g. evidence of conformity to criteria for acceptance, and traceability to the person(s) authorizing the release;

8.7.2: documented information that a) describes the nonconformity b) describes the actions taken c) describes any concessions obtained d) identifies the authority deciding the action in respect of a nonconformity;

9.1.1: documented information in regard to monitoring, measurement, analysis, and evaluation e.g. what needs to be monitored and measured, methods used; frequency of monitoring and measuring, and frequency of the analysis and evaluation;

9.2.2: documented information as evidence of the implementation of the audit program and the audit results;

9.3.3: management review meeting minutes; and

10.2.1: documented information as evidence of a) the nature of the nonconformities and any subsequent actions taken; b) the results of any corrective action.

However, all ‘real world’ systems require more than the mandatory requirements in order to be robust and reliable. Again, this depends on the context of an organization. Additional procedures pertaining to the topics below are suggested:

4.1; 4.2: determine the context of the organization;

7.2; 7.3; 7.4: competence, awareness, communication, and training;

7.5: control of documents and records;

7.1.5: monitoring and measurement;

9.2: internal audit; and

10.2: nonconformity and corrective action.

To determine what additional documentation you require, it is often enough to ask yourself the question: do we need a documented procedure to ensure consistency among employees?

However, a rule of thumb is that documentation that is simple, brief, and to the point is more effective than documentation that is complicated; the aim is to standardize the processes to ensure that all employees can deliver repeatable outcomes.

Moreover, don’t forget that procedure can be written, in the form of a flowchart, along with the use of pictures, etc. – choose the most effective!

The intent of this subclause is to determine the extent of documented information in the context of the organization.

The extent of documented information will depend on the context of the organization i.e. factors such as size, activities e.g. number of projects, locations/geographical spread, types of products and services e.g. applicable regulations, the complexity of processes, human resources e.g. their competence and the languages they speak, and the potential impact on business in case of non-conformities. The rule of thumb is that the process owners should evaluate their own needs by applying risk-based thinking and reviewing the information e.g. procedures, work instructions, information and communication systems, drawings, specifications, visual aids, progress reports, key performance indicators [KPIs], minutes of meetings, representative samples, and verbal conversations.

In addition to the documented information required by the standard, other types may be needed by the organization for effective control of the operation of its processes e.g. website, computer software, apps, work instructions, manuals, forms, guides, regulations, and standards.

For example, documented information needed for a small bakery will be simpler and less extensive than that needed by an automotive parts manufacturer that has a very specific customer.

The term “maintain documented information” means that the information is reviewed periodically and revised to keep it up to date.

The term “retain documented information”, means that it is protected against any deterioration or unauthorized change unless an agreed correction is made.

7.5.2 Creating and updating

The intent of this subclause is to ensure appropriate identification, format, media, review, and approval.

Documented information should include an identification and description. There can be many ways for this e.g. title, date, author, or document ref number (a combination of two or more of these can be used).

The information can be in any media, hard copy, electronic, or both to provide documented information.

Consideration should be given when using software, as all the users might not have access to the same version. Sometimes documentation might be needed in more than one language due to cultural diversity.

The persons should be authorized and methods defined in regard to the review and approval of documented information e.g. login and password.

Availability and protection of the documented information

Once the documented information has been decided on, it should be made available at relevant points.

Control of documented information includes media, distribution, availability, and protection e.g. loss of data; confidentiality; improper use, and unintended changes.

This can be done in many ways e.g. electronic systems with read-only access and specified permissions, password protection, or identification (ID) entry.

The level of control varies e.g. increased access restrictions for external parties. Information security issues and data backup should also be taken into consideration.

Distribution, access, retrieval and use, storage and preservation, control of changes, retention, and disposition

Distribution can be controlled by different methods. Once the system for distribution and access is established, the organization should then consider how the documented information could be stored, maintained, and disposed of.

With time, as the quality management system improves and matures, the documented information should be simplified and hence reduced in volume.

There is also a need to consider how historical documented information is maintained, stored, and retrieved as necessary for subsequent use.

Version control should also be considered to make sure that only the current documented information is used.

The storage of obsolete information can be important e.g. historical data required for the investigation of complaints after a long period or for organizational knowledge management purposes. The documented information should be maintained in an appropriate medium to ensure its preservation and legibility.

The retention time for documented information can be as required by law, by contract, or by the organization itself, depending on the lifetime of its products and services.

For the disposal of obsolete and unnecessary documented information, the organization should consider the control of sensitive data (e.g. personal or confidential information) during the disposal process.

Documented information of external origin e.g. from a customer or external provider such as drawings, sampling plans, standards, test methods, or calibration reports should be identified and controlled in line with other documented information.

Competence requirements 

Clause 7.2 requires that competence is determined for the jobs that can affect conformity of products and services or customer satisfaction, and that the persons responsible for carrying out those jobs are competent to perform them.

The competence of persons shall be based on their education, training, and experience. Those who are able to demonstrate their competence will be referred to as qualified. The information resulting from process mapping can be considered as input to determine the competence requirements.

Where employees have a formal certified education, e.g. a university degree, such certification can be used to demonstrate that they have acquired part, or all, of the knowledge required to carry out their work, but not necessarily that they are able to apply that knowledge. Other forms of vocational training can also include the ability to apply knowledge and skills.

Competence evaluation methods

The competency assessment shall be through one or more of the following

  • Reviewing resumes, records of academic qualifications e.g. degrees, and professional qualifications e.g. memberships and certifications;
  • Evaluating previous experiences and training;
  • On-the-job observation of skills and techniques; and
  • Interviewing i.e. asking questions in regard to the understanding of the process.

When a person does not meet or no longer meets the competence requirements, actions shall be taken which include but are not limited to, mentoring the employee, provision of training, simplification of the process, or re-assigning the employee to another position.

Records of competence

Appropriate documented information that provides evidence of an employee’s competence shall be maintained e.g. resumes, degrees, diplomas, licenses, completion of trainings, and performance reviews.

Clause 7.3 requires that relevant persons are aware of the quality policy, relevant quality objectives, their contribution to the effectiveness of the quality management system and the implications of not conforming to quality management system requirements.

The actions for creating awareness will depend on the nature of the work that the persons perform; so, it can be created in many ways, such as

  • clarifying what is expected e.g. visual tools such as pictures of acceptable and unacceptable products and services;
  • clearly communicating the requirements for products and services;
  • designing processes in a way that nonconforming outputs are clearly segregated;
  • communicating the complaint process in a clear manner and the step for escalating internally in case of nonconforming outputs.

Communication of all kinds is important to ensure awareness and can include regular review meetings, meeting with customers and third-party service providers, collecting feedback, and making sure this becomes known to relevant persons.

Awareness is attained when persons understand their responsibilities and authorities and how their actions contribute to the achievement of quality objectives.

Awareness is created through communication as well. Persons can demonstrate their awareness in day-to-day activities by distinguishing between what is acceptable and what is not, and by taking appropriate action when processes, products, and services do not meet agreed specifications. These persons should understand what the implications are if there are nonconformities in the quality management system e.g. rework, scrap, customer dissatisfaction, and legal implications.

Clause 7.4 requires that the internal and external communications that are needed and which are relevant to the quality management system are established.

The communication process should help to

  • transmit and receive information quickly and to act on it;
  • build trust amongst each other;
  • transmit the importance of customer satisfaction, process performance etc; and
  • identify opportunities for improvement.

With whom to communicate

The internal and external parties should be identified with whom there is a need to communicate, to ensure the effective operation of the quality management system. This can include relevant persons within the organization at all levels and relevant interested parties such as customers, external providers used to source products and services, or regulatory bodies.

Communication methods

Different communication methods are often required for different situations. More formal communication, such as reports, specifications, invoices, or service level agreements, might be required for external relevant interested parties.

For internal communication, methods such as daily contact, regular department meetings, briefing sessions, email or an intranet may be used. More formal methods such as written reports or job specifications could also be required for internal communication, depending on the nature of the information and how critical the issues are that need to be communicated.

Who will communicate

The organization should also determine who will communicate. This will depend on the nature of the communication and with whom the organization is communicating. For example, top management might communicate with persons in the organization while the owner of the purchasing process might communicate with external providers.

What to communicate

The organization should determine what it needs to communicate. This will be different for internal and external parties. For example, the results of an internal audit will be communicated internally, but revised terms and conditions on purchase orders are to be communicated with a third party.

Training needs analysis (TNA)

The following shall be considered as input to the process of training needs analysis

  • Evaluation of legal compliance
  • Risk mitigation plan and opportunity pursuit plan
  • Employees with a new role
  • Changes in process, procedure, technology, software etc.
  • Results of audits and inspections
  • Feedback from stakeholders e.g. customer complaints
  • Results of review of objectives and targets
  • KPIs related to process performance
  • Data pertaining to product and service non-conformity
  • Enforcement actions, if any
  • Requirements pertaining to suppliers, contractors, and third party service providers e.g. induction
  • Annual appraisal of employees

All the identified trainings are documented in the training matrix.

Training calendar

The HR manager, in liaison with the other process owners, should formulate an annual training calendar that includes the trainings along with the tentative schedule, and communicate it to all.

Training plan

The trainings should then be planned to include the following information

  • course title and contents
  • competency requirements (learning outcomes)
  • type (internal or external)
  • target audience
  • frequency of training, if any e.g. refresher training requirements
  • venue, date, and time
  • delivery method e.g. classroom-based, orientation, demonstration, toolbox talk, on-the-job, workshop etc.
  • competency of trainer
  • method for the training assessment

Training design, delivery, and assessment

Course materials, delivery, and assessment should be reviewed by the competent person(s) for quality assurance.

Feedback from the participants

Upon completion, regardless of the mode of delivery, the participants should be asked to give feedback on the quality of the training.

Process map for training


Clause 4.1 requires that the external and internal issues are determined.

Clause 4.2 requires that the relevant interested parties and their needs and expectations are determined.

The external and internal issues are used as input for determining relevant interested parties and their needs and expectations.

The information resulting from these activities should be considered in planning the quality management system (ref: clause 6.1).

Review of external and internal issues

External and internal issues can change over time, therefore, this information should be monitored regularly and reviewed e.g. in a management review meeting. Moreover, the interested parties and their relevant requirements can vary among different products and services.

Therefore, the organization should have robust systems in place to monitor and review the relevant requirements of its interested parties. Monitoring and reviewing can be done by using the organization’s processes related to customer requirements, design and development of products and services, and (at a more strategic level) during management review.

Sources of information

Information about external and internal issues can be found from many sources, such as through internally documented information including minutes of meetings, in the local and international media, websites, professional and technical publications, conferences, through interaction with customers and regulators, and other stakeholders.

Tools used for determining external and internal issues

The tools that can be used include:

  • brainstorming;
  • strengths, weaknesses, opportunities, and threats analysis (SWOT);
  • political, economic, social, technological, legal, environmental analysis (PESTLE), and
  • asking “what if” questions.

Examples of external and internal issues

These include (but are not limited to):

Examples of external issues

Factor: Issues
Economy: exchange rates, economic situation, inflation rate forecast, credit availability
Social: unemployment rates at the local level, how safety is perceived, education levels, public holidays, and working days
Political: political stability, public investments, infrastructure and its quality, trade agreements at the international level
Technological: updates in technology; materials and equipment
Market: competition, market leader trends, customer growth trends, market stability, supply chain relationships
Statutory and regulatory requirements: regulations pertaining to the workforce, work environment, and licenses/approvals

Examples of internal issues

overall performance of the organization
Resource needs: infrastructure, environment for the operation of the processes, organizational knowledge
Human resources: competence of persons, organizational behavior and culture, relationships with unions
Operational needs: capabilities in regard to production and service provision, quality management system performance, customer satisfaction
Governance of the organization: organizational hierarchy and rules and procedures for decision making

Examples of relevant interested parties

Relevant interested parties can be e.g. customers, end users or beneficiaries, partners, franchises, intellectual property owners, parent and subsidiary organizations, owners, shareholders, banks, unions, third-party service providers, employees, legal authorities, trade and professional associations, local community groups, non-governmental organizations, and competitors.

Methods to understand the needs and expectations of relevant interested parties

The examples include reviewing orders received, reviewing statutory and regulatory requirements with legal compliance departments, lobbying and networking, participating in events arranged by the relevant associations, benchmarking, market surveillance, reviewing supply chain relationships, conducting customer and/or user surveys, and monitoring customer needs and expectations.

Examples of relevant interested party requirements

These can be:

  • customer requirements regarding conformity, price, availability, and delivery;
  • contracts (which have been entered into with customer or external providers);
  • industry codes and standards;
  • agreements with community groups or non-governmental organizations;
  • legal requirements for the product or service provided;
  • memoranda of understanding;
  • permits, licenses, or other forms of authorization;
  • orders issued by regulatory agencies, treaties, conventions, and protocols;
  • agreements with public authorities;
  • voluntary principles or codes of practice;
  • voluntary labeling or environmental commitments, and
  • policies concerning employees.

SWOT Analysis

Process approach

ref clause: 4.4.1

The intent is to determine and map out the processes needed for the production and provision of services as well as those processes that are needed for the effective implementation of QMS.

For example, if the process for monitoring and measuring resources is needed, this will have to meet the requirements as outlined in clause 7.1.5.

Examples of processes related to QMS can be an internal audit, management reviews, corrective action, analysis & evaluation of data, and processes that are performed by third parties.

The extent to which processes should be detailed will depend on

  • the context of the organization, and
  • the application of risk-based thinking

i.e. considering the ability of an organization to achieve its intended results, the likelihood of occurrence of problems with the process, and the consequences should these problems occur.

4.4.1 a) The process owner in consultation with relevant staff should determine steps, inputs, and outputs at each step, and the sequence and interaction of the steps.

What is required to implement the processes should be considered for determining inputs, and what is expected by customers or subsequent processes should be considered for determining outputs.

Inputs and outputs can be tangible e.g. materials, equipment, components, or intangible e.g. data, knowledge, or information.

The typical inputs include reference to a standard operating procedure, work instruction, technical standard, guidelines, equipment, and machinery. The typical output is documentation including technical information. Sometimes, the output is the actual product and/or service to be delivered to the customer e.g. engineering consultancy.

4.4.1 b) The process owner in consultation with relevant staff can best describe the steps along with their sequence and interaction. The outputs of the previous and inputs of subsequent processes should be considered while determining the sequence and interaction. Any method can be used for providing the above information, e.g. in the simplest case, verbal instruction. A flow diagram or a process map can be used, and a value stream map can be used for a sophisticated case.

4.4.1 c) To make sure that the processes deliver results as planned, the criteria and methods for process control should be determined and applied; criteria can be parameters of the process, or product and service specifications; process performance indicators should relate to monitoring and measurement.

4.4.1 d) The needs for resources should be determined in regard to persons, infrastructure, environment for the operation of the processes, organizational knowledge, and resources for monitoring and measuring; the capabilities as well as the constraints of both internal and external resources should be considered.

4.4.1 e) Responsibilities and authorities can be assigned in any suitable way e.g. verbal instructions (in the simplest form), organizational charts, RACI matrices, procedures, operational policies, and job descriptions.

4.4.1 f) Through consultation, the process (at each step) should be analyzed for risks and opportunities and the resulting actions should be implemented.

4.4.1 g) The data pertaining to process performance should be analyzed and evaluated, and any change(s) needed should be implemented.

4.4.1 h) The results of analysis and evaluation can be used for continual improvement; the improvement can be at the process level e.g. reducing the variation around the target, or at the management system level e.g. reducing paperwork so that the concerned persons can focus on the management of the process.

ref clauses: ISO 9001:2015, 6.1.1 and 6.1.2

The intent of these clauses is that while planning QMS processes, risks and opportunities are determined and actions are planned to address them appropriately. The purpose is to prevent non-conforming outputs and determine and exploit opportunities that can enhance customer satisfaction. The use of risk-based thinking can help an organization develop a culture focused on doing things better and improving how work is done in general.

Inputs to identifying risks and opportunities

The following shall be utilized as input to identify the risks and opportunities

  • internal and external issues
  • interested parties and their requirements

Examples of the risks that QMS is unlikely to achieve its objectives include

  • failure of processes, products, and services in meeting their requirements;
  • customer satisfaction not being achieved.

Examples of opportunities include

  • potential to identify new customers;
  • new offerings;
  • determine the need for the development of new products/services and introduce them into market;
  • determine the need for revising/replacing a process with the introduction of new technology for making it more efficient.


There is no provision in ISO 9001 to conduct a formal risk assessment in regard to determining and addressing risks and opportunities. Any method that best suits the needs of an organization can be chosen. However, ISO/IEC 31010 provides a list of risk assessment tools and techniques that can be considered and selected, depending again on the organizational context.
SWOT or PESTLE are quite useful tools in this regard. Alternative techniques are

  • failure mode and effects analysis (FMEA);
  • failure mode, effects, and criticality analysis (FMECA);
  • hazard analysis and critical control points (HACCP).

Other relatively simple approaches are techniques such as brainstorming, structured what-if technique (SWIFT), and probability/consequences matrices.


Risks and opportunities should be considered in various situations e.g. strategic meetings, management review meetings, internal audits, meetings for setting and reviewing quality objectives, design and development at planning stages, and production at planning stages.

Actions to address risks

This will depend on the nature of the risk, for example

  • avoid the risk i.e. abandon the process altogether e.g. outsourcing;
  • eliminate the risk e.g. use of a documented procedure to assist a less experienced person; and
  • pursue an opportunity i.e. take the risk e.g. investing in new equipment to launch a product for which the return on investment is unknown.

Risks examples

Finance: profit risk, capital availability, asset risk, interest rate risk, currency risk, accounting risk, investment risk, tax risk, systemic risk, credit risk.
Procurement: cost increase/financial imbalance, unreliable vendors, conflict of interest, cost increase, extra costs.

What is an audit

An ‘audit’ is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which requirements are fulfilled and to identify opportunities for improvement.

Audit independence

To ensure an independent audit, those carrying out internal audits must be free from responsibility for the activity being audited. In other words, auditors cannot audit their own work.

Audit objectives

These can be

  • determine the extent to which the quality management system conforms to the audit criteria
  • ascertain the efficiency and effectiveness of the system
  • identification of areas for improvement e.g. best practices

Audit criteria

Audit criteria are usually the requirements related to the quality management system, customer, contract, and regulations.

Audit methodology

The audit can use one or more of the following methods for finding objective ‘evidence’ of conformity, which must be factual

  • review of documents and information;
  • interviewing selected staff;
  • discussion with the process owner;
  • witnessing a test; and
  • onsite observation of work practices, facilities, and equipment.

Audit finding

An audit finding is a summary of audit evidence and can be

  • conformity or non-conformity with reference to the audit criteria, or
  • opportunities for improvement which can be sought against best practices


A non-conformity is an instance where evidence does not fully comply with the requirements.

Major non-conformity

A major non-conformity is

  • when there is a total breakdown of a system to meet the requirements e.g. system does not exist or is not implemented;
  • a large number of related minor non-conformities may collectively be classed as a single major non-conformity;
  • a non-conformance that has a high business impact;
  • it relates to legal compliance; and
  • when a minor non-conformity is not resolved within the agreed timeframe it may become a major non-conformity.

Minor non-conformity

It is a single instance or set of single instances, that shows a requirement has not been met.

Audit frequency

ISO 9001:2015 requires that an internal audit shall be conducted at least annually unless otherwise necessitated e.g. data showing a decreasing trend, or an increase in complaints. However, it’s strongly recommended to conduct it more frequently i.e. quarterly or monthly, if possible.
