ISO 9001. Quality management

ISO 9001 is the most popular management system standard in the world and over 1.000.000 organizations worldwide are certified to ISO 9001. It defines the requirements for a QMS (Quality Management System) and can be implemented by any organization, regardless of size or activity.

 

RIGCERT provides accredited ISO 9001:2015 certification that ensures global recognition and demonstrates your commitment to fulfil requirements accepted at international level.

 

ISO 9001. The standard

First edition was published in 1987 and it was based on the requirements of a British standard (BS 5750).

From its first publication this standard has been revised four times – in 1994, 2000, 2008 and, most recently, in 2015. Standards revision is a normal process, meant to keep them relevant for the changes in technology, business environment and international trade.

ISO 9001 is in fact part of a family of standards that also includes ISO 9000 (standard that defines vocabulary, principles and fundamentals of quality management), ISO 9004 (applicable to organizations that want to use quality management in the pursuit of sustainable success), ISO 19011 (a guide for auditing management systems) or ISO/TS 9002 (published in 2016 as guidelines for the implementation of a quality management system).
Starting from the requirements of ISO 9001 other standards have been developed to define quality management requirements for specific industries. Some examples are ISO/TS 16949 (today IATF 16949 for the automotive industry); ISO 13485 (for the manufacture, storage, distribution, installation and service of medical devices); AS 9100 (specific to the aerospace industry) or ISO/TS 29001 (for the oil and gas sector).

The requirements of ISO 9001:2015

ISO 9001 defines a series of requirements that an organization has to fulfil in order to have a functional quality management system (QMS) and obtain certification.
Below we explain the requirements of ISO 9001:2015 but it’s important to highlight that, although the requirements are generic, they have to be applied to the specifics of the organization, its products and services.
The requirements are grouped into 7 major chapters: context of the organization, leadership, planning, support, operation, performance evaluation and improvement.


Context of the organization
– The organization is required to identify internal and external issues relevant for its purpose and strategic direction. Examples of internal issues can be: the structure and governance of the organization, resources and capabilities, organizational culture, existing contractual relations, etc while external issues can be related to political and economic situation, financial markets, availability of key resources and workforce, etc;
– Interested parties and their relevant needs and expectations are to be determined by the organization. Some examples of interested parties are: customers, suppliers, employees, community, partners, final users of products and services, etc.
– ISO 9001 requires to define the scope of the QMS – activities and locations included in the management system and, if any, the requirements of the standard that, given the specifics of the organization’s activities, are not considered applicable (e.g. requirement 8.3. Design and development – in case no design and development activities are performed by the organization);
– The processes in the organization as well as their succession and interaction have to be identified (a process transforms input elements into outputs and outputs from one process can become input elements into the next – e.g. outputs from the purchasing process (i.e. products and services purchased) are inputs into the manufacturing or service provision process).
Defining the context of the organization is meant to ensure that the organization is aware of the external and internal realities of its environment, the interested parties and their requirements and takes into consideration those elements in its operations.


Leadership
– Top management needs to support the QMS, to demonstrate commitment for the continual improvement of the system as well as to ensure the organization maintains the focus on its customers.
– Top management should define and communicate inside the organization a quality policy and
– to define roles, responsibilities and authorities for personnel, including roles and responsibilities for the administration and improvement of the quality management system.
In order to have a functional QMS and get benefits from its implementation the involvement and support from top management are key.


Planning
– Starting from the internal and external issues as well as needs and expectations of interested parties (identified as part of the context) the organization has to identify and treat relevant risks and opportunities to give assurance that the QMS achieves intended results, to enhance desirable effects, prevent or reduce undesired effects and achieve improvement.
ISO 9001:2015 does not require specifically for a certain approach to identification of risks and opportunities nor does it require a formal risk assessment. Still the organization has to demonstrate that it uses risk based thinking and there are actions meant to address the risks and opportunities identified. Obviously those actions have to be proportionate to the potential impact on the conformity of products and services.
– The organization is required to establish quality objectives, to plan their achievement and to monitor the achievement of quality objectives.
– When it plans to make changes to its QMS the organization is required to implement the changes in a planned manner.


Support
– The resources needed for the implementation of the QMS as well as for the operation and control of processes shall be available.
– The organization must provide and maintain the needed infrastructure (buildings, utilities, equipment, software, IT&C,etc) depending of course on its activities, products and services.
– The environment for the operation of processes (including here physical factors like temperature, humidity, hygene, light, etc; psychological factors – ex. stress-reduction, burnout prevention and social factors like non-discriminatory and non-confrontational attitude) shall be available. Obviously the environment for operation of processes varies depending on the specifics of the organization and its activities.
– The organization has to identify, provide and maintain the appropriate measuring and monitoring resources needed to verify the conformity of its products and services. If for this purpose the organization uses measuring and monitoring equipment that require calibration/ verification then this equipment shall be available as required.
– The organization shall have access to the relevant knowledge needed to operate its processes and to achieve conformity of its products and services. Sources to obtain this knowledge differ according to the specifics of every organization (e.g. experience, intellectual property, industry standards, academia are just a few examples).
– ISO 9001 requires that the organization identifies the needed competence for persons doing work under its control and ensures that those persons are competent. Whenever appropriate, the organization should act to ensure people acquire the needed competence using different methods (training being the most popular but mentoring or re-assigning responsibilities represent other options).
– Personnel shall be aware of the quality policy and objectives, their contribution to the effectiveness of the QMS as well as the implications of not conforming to requirements.
– Effective communication (internal and external) processes shall be in place.
– The quality management system shall be supported by documented information. The extent of the documentation differs depending on the structure and size of the organization, on its activities, products and services. The organization shall establish controls for creating and updating the QMS documented information (defining a format for the documents, the media – paper and/ or electronic, controls for the review and approval of documents). Also the standard requires controls of documented information with regards to access, distribution, retrieval, use, storage, preservation, control of changes, retention and disposition. Those controls refer to both documents elaborated inside the organization and documents of external origin (e.g. documents from clients, external suppliers, etc).


Operation
– ISO 9001:2015 requires the organization to plan, implement and control the processes needed for the provision of products and services to its customers.
– Outsourced processes (subcontracting) that have an impact on the conformity of products and services shall also be controlled.
– Proper communication with customers shall be in place with regards to: providing information relating to products and services; handling enquiries, contracts and orders including changes; obtaining customer feedback including customer complaints; handling or controlling customer property and establishing requirements for contingency actions when requred depending on the specifics of products and services.
– The organization shall ensure that the requirements for products and services it intends to place on the market are established and it can meet the claims for the products and services offered.
– It is required that, before committing to supply products and services to a customer, the organization performs a review that confirms it has the capability to provide the respective products and services as required.
– In case the organization performs design and development activities this process needs to be appropriately controlled to ensure its results are adequate. The following aspects are required by ISO 9001:2015: planning of design and development; identification of input elements to design and development (essential requirements for products and services designed) as well as output elements from design and development; implementing controls to the design and development process (including reviews, verification and validation of design and development); identification and review of changes to design and development.
– The organization is required to ensure that processes, products and services purchased from external providers conform to requirements. ISO 9001:2015 requires to define and apply criteria for the evaluation/ re-evaluation, monitoring and selection of suppliers and to implement controls for products and services obtained from external providers taking into consideration the potential impact on the organization’s own products and services.
– The organization must use suitable means to identify products and services in order to ensure traceability.
– Property of customers or external providers (including here both tangible and intangible property) that is under the control of the organization shall be adequately protected.
– The standard requires that, depending of course on the specific of its products and services, the organization provides adequate preservation conditions (including here aspects like identification, handling, packaging, contamination control and transport).
– Post-delivery activities shall be planned and performed as required (depending on the products and services post-delivery activities may refer to warranties, legal and contractual obligations, maintenance services, recycling or final disposal, etc).
– ISO 9001 requires that prior to the release of its products and services the organization performs all needed verifications to ensure requirements have been fulfilled.
– When nonconforming outputs (products and services) are identified the organization shall take appropriate actions based on the nature and effect of the nonconformities. Such actions include: correction, segregation, containment, return or suspension of provision, informing the customer, etc.


Performance evaluation
– ISO 9001:2015 requires the organization to evaluate the performance and effectiveness of its QMS.
– Information on customer satisfaction (the customers’ perception of the degree to which their needs and expectations have been fulfilled) shall be obtained and reviewed. The methods to obtain customer satisfaction information are at the choice of the organization (e.g. customer surveys, meetings with customers, warranty claims, market-share analysis, etc).
– At planned intervals the organization shall perform internal audits of the quality management system to ensure it conforms to the requirements of ISO 9001:2015, it is implemented and maintained.
– Top management is required to review periodically the QMS to ensure it continues to be adequate, effective and in line with the strategic direction of the organization.


Improvement
– The organization has to identify opportunities for improvement and act to improve the products and services in order to enhance customer satisfaction.
– Whenever nonconformities are identified (including those arising from complaints) the organization needs to apply corrections (aimed to control the nonconformity and its consequences) and corrective actions (meant to eliminate the cause of the nonconformities).
Those are in short the requirements of ISO 9001:2015. As mentioned at the beginning the requirements have to be understood and adapted in relation to the specifics of the organization, of its products and services.

ISO 9001 certification

Being applicable to any kind of organization, ISO 9001 has been adopted by more than 1.000.000 entities around the world as shown by the ISO Survey.


The standard can be implemented and certified in state institutions, private companies or not for profit organizations.

ISO 9001 can be implemented and certified individually or integrated with other management system standards (most common choices being ISO 14001, OHSAS 18001 or ISO/IEC 27001).

 

If you are interested in certification please contact us at office@rigcert.org.

If you want to understand the requirements of this standard and how they can be implemented and audited you can check out our online course on this page.

To review your knowledge of ISO 9001:2015 you can take the simple quiz below.

Interested?

Get in touchs with us!

Test your knowledge with the ISO 9001:2015 quiz!

Take the quiz

Which are the components of the P-D-C-A cycle?
What represents a requirement determined as not applicable to the QMS as per ISO 9001:2015?
Which of the following can be considered post-delivery activities according to ISO 9001:2015?
What is the frequency for internal audits required by ISO 9001:2015?
Which of the following statements is true?

1. What is the relation between environmental aspects and impacts?
2. Which statement is true according to ISO 14001:2015?
3. The corrective action is?
4. As per ISO 14001:2015 compliance obligations refer to:
5. For determining environmental aspects purposes, the life cycle of a product may include stages like:

1. The occupational health and safety policy
2. What represents a “near-miss”?
2. OHSAS 18001 requires:
4. Which of the following statements is false?
5. As per OHSAS 18001 the health and safety of visitors to the workplace represents the responsibility of the organization?

1. What represents the Statement of Applicability?
2. In case the same person is responsible for both initiating and approving specific transactions, what information security control is not respected?
3. In case the organization decides to outsource software development does it have any responsibility to monitor the activity of its subcontractor(s) in terms of information security?
4. The decision to accept a security risk represents an option for treatment?
5. What is the principle of independence related to internal audits referring to?