Understanding ISO 9001:2015 Quality Management System.
ISO 9001 is the international standard that specifies requirements for a quality management system (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements. It is the most popular standard in the ISO 9000 series and the only standard in the series to which organizations can certify. Successful businesses understand the value of an effective Quality Management System that ensures the organization is focussed on meeting customer requirements and they are satisfied with the products and services that they receive. ISO 9001 is the world’s most recognized management system standard and is used by over a million organizations across the world. The new version has been written to maintain its relevance in today’s marketplace and to continue to offer organizations improved performance and business benefits.ISO 9001 was first published in 1987 by the International Organization for Standardization (ISO), an international agency composed of the national standards bodies of more than 160 countries. The current version of ISO 9001 was released in September 2015. ISO 9001:2015 applies to any organization, regardless of size or industry. More than one million organizations from more than 160 countries have applied the ISO 9001 standard requirements to their quality management systems. Organizations of all types and sizes find that using the ISO 9001 standard helps them organize processes, improve the efficiency of processes and continually improve. With the 2015 version of ISO 9001, you can have an integrated approach with other management system standards. Bring quality and continual improvement into the heart of the organization. Increase the involvement of the leadership team. Introduce risk and opportunity management. It’s much less prescriptive than the 2008 version and can be used as a more agile business improvement tool. This means that you can make it relevant to the requirements of your own organization to gain sustainable business improvements. One of the major changes to ISO 9001 is that it brings quality management and continual improvement into the heart of an organization. This means that the new standard is an opportunity for organizations to align their strategic direction with their quality management system. The starting point of the new version of ISO 9001 is to identify internal and external parties who support the QMS. This means that it can be used to help enhance and monitor the performance of an organization. The new standard will help you become a more consistent competitor in the marketplace. It will provide better quality management that helps you to meet present and identify future customer needs. it increases efficiency that will save you time, money and resources. It Improves operational performance that will cut errors and improves profits. It will motivate, engage and involve staff with more efficient internal processes. It will help you win more high-value customers, and achieve improved customer retention with better customer service. It will broaden business opportunities by demonstrating compliance
All ISO management system standards are subject to a regular review under the rules by which they are written. Following a substantial user survey the committee decided that a review was appropriate and created the following objectives to maintain its relevance in today’s marketplace:
- Integrate with other management systems
- Provide an integrated approach to organizational management
- Provide a consistent foundation for the next 10 years
- Reflect the increasingly complex environments in which organizations’ operate
- Ensure the new standard reflects the needs of all potential user groups
- Enhance an organization’s ability to satisfy its customers
The structure is based on the mandate that Annex SL from the ISO Directives is applied to management system standards. The clause structure and some of the terminology in ISO 9001:2015 is different than ISO 9001:2008 to improve alignment with other management system standards. The structure is to provide a presentation of requirements. It is not a model for the document for documenting the organization’s policies, objectives and processes. There is no requirement for the structure of an organization’s quality management system documentation to mirror that of this International Standard.
Structure of ISO 9001:2015
The most significant change we will see in ISO 9001:2015 is the new structure. ISO 9001:2015 is based on Annex SL – the new high-level structure. This is a common framework for all ISO management systems. This helps to keep consistency, align different management system standards, offer matching sub-clauses against the top level structure and apply common language across all standards. It will be easier for organizations to incorporate their QMS into core business processes and get more involvement from senior management. The Plan-Do-Check-Act (PDCA) cycle can be applied to all processes and to the quality management system as a whole. The reason for the change is to adopt the common approach outlined in Annex SL, the new document that all ISO management system standards, including ISO 9001, ISO 14001 and the recently released ISO 27001, must follow. Currently, ISO 9001 contains 8 sections, of which four attempts to approximate “plan, do, check, act.” The new structure, based on Annex SL, has 10 sections four of which also approximate to “plan, do, check, act.” All new management system standards will have this common structure. Here is the new structure:
This section describes the scope of the management system standard and will be unique to the individual standard. Clause 1 details the scope of the standard and there has been very little change to this clause from ISO 9001:2008.
This section references other relevant standards, which are indispensable for the application of the document and will also be unique.ISO 9000, Quality Management System – Fundamental and vocabulary is referenced and provides valuable guidance.
Terms and Definitions
Section three contains definitions, and while some of these are common terms related to Annex SL, other definitions will be unique to the management system standard. All the terms and definitions are contained in ISO 9000:2015 – Quality Management – Fundamentals and vocabulary.
Major differences in terminology between ISO 9001:2008 and ISO 9001:2015
Products Products and services Exclusions Applications Documentation, records Documented information Work Environment Environment for the operation of processes Purchased Product Externally provided products and services Supplier External provider
Products and services
ISO 9001:2008 used product to include all output categories such as products, services, processed materials, and hardware. In ISO 9001:2015 the term product has been replaced by term product and services and includes all output categories such as hardware, services, software, and processed materials. The term services are to highlight the difference between products and services in the application of some requirements. In most cases, the terms are used together. In some cases, the word product is only used to specify a certain requirement.
An organization’s context involves its “operating environment.” The context must be determined both within the organization and external to the organization. This part is about understanding the organization’s purpose, the management system and who the stakeholders are. It describes how to set up the management system and is similar in some respects to the old section 4 except that it explicitly requires a broader understanding of the situation and needs of the business. This is a new clause that establishes the context of the QMS and how the business strategy supports this. The ‘context of the organization’ is the clause that underpins the rest of the new standard. It gives an organization the opportunity to identify and understand the factors and parties in their environment that support the quality management system. To establish the context means to define the external and internal factors that the organizations must consider when they manage risks. An organization’s external context includes its outside stakeholders, its local operating environment, as well as any external factors that influence the selection of its objectives (goals and targets) or its ability to meet its goals. An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships with its customers, and its capabilities and culture. Firstly, the organization will need to determine external and internal issues that are relevant to its purpose, i.e. what are the relevant issues, both inside and out, that have an impact on what the organization does, or that would affect its ability to achieve the intended outcome(s) of its management system. It should be noted that the term “issue” covers not only problems which would have been the subject of preventive action in previous standards, but also important topics for the management system to address, such as any market assurance and governance goals that the organization might set. Secondly, an organization will also need to identify the “interested parties” that are relevant to their QMS. These groups could include shareholders, employees, customers, suppliers, and even pressure groups and regulatory bodies. Each organization will identify their own unique set of “interested parties” and over time these may change in line with the strategic direction of the organization. Next, the scope of the QMS must be determined. This could include the whole of the organization or specifically identified functions. Any outsourced functions or processes will also need to be considered in the organization’s scope if they are relevant to the QMS. The final requirement of Clause 4 is to establish, implement, maintain and continually improve the QMS in accordance with the requirements of the standard. This requires the adoption of a process approach and although every organization will be different, documented information such as process diagrams or written procedures could be used to support this
There are two new clauses relating to the context of the organization, 4.1 Understanding the organization and its context and 4.2 Understanding the needs and expectations of interested parties. Together these clauses require the organization to determine the issues and requirements that can impact on the planning of the quality management system. Interested parties cannot go beyond the scope of ISO 9001. There is no requirement to go beyond interested parties that are relevant to the quality management system. Consider the impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction. Organizations can go beyond the minimum requirements to determine additional needs and expectations for interested parties that would not be “relevant” at the discretion of the organization and should be clear in the quality management system.
4.1 Understanding the organization and its context.
It is a new requirement. One of several that might suggest a greater union between the QMS and wider business planning activities. Requires organizations to ascertain, monitor and review both internal and external issues that are relevant to its purpose and strategic direction, and have the ability to impact the QMS and its intended results. The organization should determine external and internal issues for the organization relevant to its purpose, strategic planning and which affect the organization’s ability to achieve its objectives. The Organization should monitor and review the information about external and internal issues. Management Review required the monitoring of external and internal issues. The organization must consider issues related to values, culture knowledge and performance of the organization for the understanding of internal issues. The organization must consider issues related to arising from the legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local for the understanding of external context.
The internal context may include, but is not limited to:
- Product and service offerings
- Governance, organizational structure, roles, and accountability.
- Regulatory requirements
- Policies and goals, and the strategies that are in place to achieve them.
- Assets like facilities, property, equipment, and technology
- Capabilities understood in terms of resources and knowledge like capital, time, people, processes, systems, and technologies.
- Information systems, information flows, and decision-making processes (both formal and informal).
- Relationships of the staff/volunteers/members and the perceptions and values of their internal stakeholders including suppliers and partners.
- Organization’s culture.
- Standards, guidelines, and models adopted by the organization and
- Form and extent of the organization’s contractual relationships.
The external context’s micro-environment consists of the organization’s immediate operations and how they affect its performance and decision-making. Some of the micro-environmental context factors
Customers – Organizations must attract and retain customers by offering products services that meet their needs along with providing excellent customer service
Employees/Members/Volunteers – There must be the availability of people with the motivation to remain as contributing members of the organization and develop the skills necessary to provide a competitive edge
Suppliers – Suppliers provide organizations with the resources they need to carry out their activities. If a supplier provides bad service, this affects the way the organization operates. Close supplier relationships are an effective way to remain competitive and secure the resources needed
Investors – All organizations require investment to grow. They may borrow the money from a bank or have people invest in their work. Relationships with investors need to be managed carefully as problems can detrimentally affect the long term success of the organization
Media – Positive media attention can bring success to the organization by maintaining its reputational strength. Managing the media (including the presence in social media) is a challenge.
Competitors – Members of the organization need to have a sense of belonging. Can the organization offer benefits that are better than those offered by the competitors? Is there a strong value proposition? Competitor analysis and monitoring are crucial if an organization is to maintain or improve its position in the competitive landscape of the community. The organization must always be aware of its competitor’s activities. The landscape can change quickly.
4.2 Understanding the needs and expectations of interested parties.
A broadening of scope beyond just customers. Requires the organization to determine “the relevant requirements” of “relevant interested parties” e.g. a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
The organization shall determine relevant interested parties and requirements of relevant interested parties. Interested parties include Customers, Partners, Persons in the organization, External providers. Relevant interested parties to be considered are those that potentially could impact the organization’s ability to provide products and services that meet requirements. Monitor and review information related to interested parties and relevant requirements. Management Review requires the monitoring of relevant interested parties.
4.3 Determining the scope of the QMS.
The scope statement must state the products and services covered. The organization must establish the scope of the quality management system by determining the boundaries and applicability of the quality management system. While determining the scope the organization must consider the internal and external issues determined in 4.1.,the requirements of relevant interested parties in 4.2. and the products and services of the organization.
Requirements that can be applied by the organization shall be applied. Requirements that cannot be applied cannot affect the organization’s ability to provide product and services that meet requirements. The organization must maintain scope as documented information. stating the Products and services covered by the QMS and any Justification where a requirement cannot be applied. Any interested party which is not relevant to the quality management system need not be considered and similarly, any requirement of the interested party need not be considered. Determining what is relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction. The organization can decide to determine additional needs and expectations that will meet its quality objectives. However, it is at the organization’s discretion whether or not to accept additional requirements to satisfy interested parties beyond what is required by this Standard.
The revised standard will focus on application and not just the exclusions. There are no limits to which clauses where the application can be determined. Justification will be required as documented information to ensure that limited application does not affect the organization’s ability to provide for the provision of product and services. The application of requirements may vary. Where a requirement can be applied within the scope of its quality management system, the organization cannot decide that it is not applicable. Where a requirement cannot be applied (for example where the relevant process is not carried out) the organization can determine that the requirement is not applicable. However, this non-applicability cannot be allowed to result in failure to achieve conformity of products and services or to meet the organization’s aim to enhance customer satisfaction. A manufacturing organization that does not have any monitoring and measuring resources could determine requirements in 7.1.5 do not apply. Organizations that build from a customer provided design could determine requirements for design in 8.3 do not apply. Organizations could not determine that requirements such as competence are not applicable since this directly affects the ability to provide a product that meets requirements.
4.4 The QMS and its processes.
A major change that specifies the number of factors to be considered when planning the processes that make up the QMS. Although a process-planning approach has been previously expressed in earlier standards, this greatly reinforces the requirement. The standard requires the organization to establish a process-based management system. This is required to be maintained and continually improved. The clause sets out high-level requirements for the design of such a process-based management system. These processes are integral and also there are support processes that underpin the operation of the entire QMS. It does not mean that you have to fill your quality manual with flowcharts. If flowcharts work for you then use them.
The process is a set of interrelated activities that transform activity inputs into outputs. For example, Installation: The process of converting a box of components into a working security system.
The process approach is a management strategy that requires organizations to manage their processes and the interactions between them. Thus you need to consider each major process of the company and their supporting processes.
All processes have:
- operational control;
- appropriate measurement & monitoring
Each process will have support processes that underpin and enable the process to become realized. So, for example, a typical alarm company will take inquiries/sales and convert them into working alarm systems. Below is a block diagram of a typical alarm company processes with support processes and other considerations.Example support processes and considerations: Example of other processes and considerations: Questions to ask:
- What are the inputs to the process?
- Where do the inputs come from?
- What are the outputs to the process?
- Where do the outputs go to?
- Is there an effective inter-relationship between processes?
- Who plans the process?
- Who conducts the process?
- Are responsibilities and authorities defined?
- Who monitors and measures the process?
- What resources are required for the process? – Materials, people, information, environment, infrastructure, etc.
- What documented information is required for the operation and control over the process?
- What competences & training are required?
- What awareness and knowledge is required?
- What methods are used to control and run the process?
- What are the risks and opportunities for the process?
- What happens when the process goes wrong or does not yield the correct output or result?
- How can the process be improved?
- Is the process part of the management review process?
Is the process subject to internal audit? The answers to the questions above form the basis of the process, its control, measurement, and improvement.
This section provides requirements for commitment, policy, and responsibilities. This section is similar to the old section 5 on Management but the emphasis is perhaps more on leadership than just management. This clause places requirements on “top management” which is the person or group of people who directs and controls the organization at the highest level. It is no longer the responsibility of an individual or to have a “Management Representative” who is responsible for the QMS. There is an increased emphasis on people “owning” the QMS rather than one individual. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. Top management now has greater involvement in the management system and must ensure that the requirements of it are integrated into the organization’s processes and that the policy and objectives are compatible with the strategic direction of the organization. The quality policy should be a living document, at the heart of the organization. To ensure this, top management is accountable and have a responsibility to ensure the QMS is made available, communicated, maintained and understood by all parties. There is also a greater focus on top management to enhance customer satisfaction by identifying and addressing risks and opportunities that could affect this. Top management needs to demonstrate consistent customer focus by showing how they meet customer requirements, regulatory and statutory requirements, and also how the organization maintains enhanced customer satisfaction. In the same context, they need to have a grasp of the organization’s internal strengths and weaknesses and how these could have an impact to deliver products or services. This will strengthen the concept of business process management. In addition, top management needs to demonstrate an understanding of the key risks associated with each process and the approach taken to manage, reduce or transfer the risk. Finally, the clause places requirements on top management to assign QMS relevant responsibilities and authorities but must remain accountable for the effectiveness of the QMS.
5.1 Leadership and commitment.
Greater emphasis is placed on the role of top management. Requires top management to “demonstrate leadership and commitment”, and suggests that a more hands-on approach is expected. ISO 9001:2015 requires top management to be much more “hands-on” with respect to their QMS. Where the word “ensuring” is used in sub-clause 5.1.1, top management may still assign this task to others for completion. Where the words “promoting”, “taking”, “engaging” or “supporting” appear, these activities cannot be delegated and must be undertaken by top management themselves. Top management must:
- have accountability for the effectiveness of their organization’s quality management system;
- ensure that their organization’s quality policy and quality objectives are consistent with the organization’s overall strategic direction and the context in which the organization is operating;
- work alongside their people in the organization in order to ensure that the quality objectives are achieved;
- ensure that the quality policy is communicated, understood and applied across the organization;
- make sure that the quality management system is achieving the results that are intended;
- lead people to contribute to the effective operation of the system;
- drive continual improvement and innovation and develop leadership in their managers.
The top management is required to ensure that:
- the requirements set out in ISO 9001:2015 are met;
- QMS processes are delivering their intended outcomes;
- reporting on the operation of the QMS and identifying any opportunities for improvement is taking place;
- a customer focus is promoted throughout the organization;
- whenever changes to the QMS are planned and implemented, the integrity of the system is maintained.
The top management should ensure that the organization should have the Knowledge of the law and is aware of the customer’s expectations and is delivering. Knowing what can go wrong with what you are selling and providing and what opportunities you also have when you deliver this; opens doors, for example, to other work streams; They should be making sure that the customer is happy.
Understanding the customer specification/needs. Ensure you know exactly what the customer wants and documenting this from initial inquiry to commissioning paperwork.
Policy requirements are enhanced. A requirement is introduced that the quality policy is appropriate to the context of the organization and that it is applied throughout the organization. Write the policy to include:
- making sure it reflects your business size, ethos and what you are trying to achieve;
- how you will decide what you are going to achieve and how you will check this;
- committing to doing it the right way (e.g. in line with standards and best practice);
- committing to try to continually improve.
Tell everyone about it.
- Making sure it is written.
- Making sure people know it and understand it.
- Giving it to people who have an interest in your business (e.g. clients/suppliers/manufacturers/staff).
- Publishing it on your website.
The example includes written Quality policy, company induction, basic training, toolbox talks.
The requirement for a Management representative is no longer specified. The duties previously assigned to that role may now be assigned to any role or split across several roles. The top Management must ensure that responsibilities are allocated across the organization to maintain the management system to make sure what is supposed to happen is happening. While allocating Roles, Responsibilities, and authorities, the organization must remember the customer at all times and the outcome of the business processes and how it can be improved. Remembering to update the system as and when you change how you work or the intended process is amended. The organization must be defining job roles prior to recruitment, allocating job descriptions to personnel and linking this to the processes within the business. For eg A sales administrator might be expected to have 12 months’ experience of writing quotations. When they join there would be a period of training and reinforcing this through a written job description. The output would be a more senior colleague reviewing quotes, confirming they are correct and ensuring that the customer is being quoted for what they asked for. If a form or process is amended along the way advising the sales administrator and ensuring the new versions are applied.
Planning is now a section on its own. Planning was always covered by the current standard in sections 4.1, 6.1, 7.1 and 8.1 but the new structure includes risk (which is now a clear requirement) and opportunities, the setting of goals and objectives to achieve plans, and resources. Interestingly, the risk was introduced in AS9100 (the aerospace version of ISO 9001) in a similarly limited manner. In the latest version of AS9100, however, the risk was expanded and defines a number of specific requirements/activities for a risk process. It will be interesting to see whether ISO will leave the requirement for risk as a general requirement as defined in Annex SL or whether it will take AS’s lead and expand it. This planning section also requires a greater application of goals and objectives to integrate with the management system’s planning and operation to generally facilitate the success of the organization. Planning has always been a familiar element of ISO 9001, but now there is an increased focus on ensuring that it is considered with Clause 4.1 ‘context of the organization’ and Clause 4.2 ‘interested parties’. The first part of this clause concerns risk assessment whilst the second part is concerned with risk treatment. When determining actions to identify risks and opportunities these need to be proportionate to the potential impact they may have on the conformity of products and services. Opportunities could, for example, include new product launches, geographical expansion, new partnerships, or new technologies. The organization will need to plan actions to address both risks and opportunities, how to integrate and implement the actions into its management system processes and evaluate the effectiveness of these actions. Actions must be monitored, managed and communicated across the organization. Another key element of this clause is the need to establish measurable quality objectives. This clause retains some of the requirements contained in Clause 5.4 of the 2008 version but is more specific. Quality objectives now need to be consistent with the quality policy, relevant to the conformity of products and services as well as enhancing customer satisfaction. The last part of the clause considers the planning of changes which must be done in a planned and systemic manner. There is a need to identify the potential consequences of changes, determine who is involved when changes are to take place, what resource needs to be allocated.
The main objectives of ISO 9001 are to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives. This International Standard makes risk-based thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. Organizations can implement a formal risk management program such as 31000, but there is no requirement to do so. The concept of risk has always been implicit in ISO 9001, this revision makes it more explicit and builds it into the whole management system. Risk-based thinking is already part of the process approach. Risk-based thinking makes preventive action part of the routine. Risk-based thinking can also help to identify opportunities. Organizations are required to understand the context of the organization and any external and internal issues (clause 4.1). Risks and opportunities are determined in clause 6.1. One of the key purposes of a quality management system is to act as a preventive tool.ISO 9001:2015 does not have a separate clause titled preventive action. The concept of preventive action is controlled through risk-based thinking and managing risks and opportunities identified in clause 6.1
6.1 Actions to address risks and opportunities.
A major change introduced to require a risk-based approach. In addition to this clause, the reference to the terms ‘risk’ and ‘opportunity’ are made throughout the standard. Consider the issues determined in clause 4.1 and consider the requirements for relevant interested. The organization should determine risks and opportunities to assure that that the quality management system can achieve its objective, prevent or reduce undesired effects, and for continual improvement. Intended results cannot be achieved. The organization shall plan actions to address risks and opportunities which should be appropriate to the potential impact. The action of risk and opportunities must be integrated and implemented into the QMS processes. The effectiveness of these actions must be evaluated.
NOTE: No formal risk management program is required.
Actions to address the risks – simply understanding what the risks are best capturing this in a business plan. Plan how all the elements come together, the business plan and how it will be run, and a means of checking these things work and the business plan is on track. Use risk methodologies here to ensure you apply things appropriately. The greater the risk and the impact on the business, the greater the control measures, planning, management, etc. ‘If necessary, have a Plan B’. Consider how an understood risk can be used in a positive way to look at other ways of doing things or other products.
6.2 Quality objectives and planning to achieve them.
Requirements for objective planning are tightened up. An objective should include a description of who is responsible, what is the target, when is it planned to be achieved. Progress must be monitored. Also, requires objectives to be set for relevant processes. Ensure that whatever objectives you implement they are SMART
Other key rules:
- Make sure they comply with the law and industry standards (e.g. don’t cold call out of hours, respond with 4 hours to callouts).
- Make sure they conform with the products and services to make them better.
- Monitored – check what you are doing.
- Tell the staff what they are and what you expect of them.
- Updated when the management changes something.
Keep records of this. This should be included in the customer SLA and planning should be in place to ensure you can resource this response rate. An example could be Understanding the total number of planned maintenance, the number of reactive maintenance to ensure you calculate the appropriate levels of resource. Organizations need to clearly understand how these will be realized. For example, if your aim is to provide national coverage, how will this be achieved? What resources will you allocate, recruiting staff countrywide? Who will manage it? Have you understood when it needs to be achieved and what will you do to check it is effective?
6.3 Planning of changes.
The clause lists items to be considered in change management. When a business changes something, the impact of the change needs to be considered before a change is made. You will need to demonstrate that you have:
a) considered why are you changing it and what could happen when you make the change;
b) ensured that the QMS doesn’t get affected negatively, e.g. something can’t be done any longer once you have changed a process, e.g. you stop recording the number of quotes you are doing and therefore you don’t have an ability to review conversion rates;
c) thought about what you need to achieve it (e.g. people/technology, etc.);
d) considered what changes need to be made in the organization to make it happen.
The support section includes most of the expected support processes that exist in an organization and which are covered in the current ISO standard. Clause 7 ensures there are the right resources, people and infrastructure to meet the organizational goals. It requires an organization to determine and provide the necessary resources to establish, implement, maintain and continually improve the QMS. Simply expressed, this is a very powerful requirement covering all QMS resource needs and now covers both internal and external resources. Clause 7.1 builds on Clauses 6.1, 6.2, 6.3 and 7.6 from 2008 and splits into 5 sub-clauses. There are additional requirements to meet applicable statutory and regulatory requirements. The sub-clauses continues to cover requirements for infrastructure and environment for the operation of processes. Monitoring and measuring have been changed to include resources, such as personnel or training. Organizational knowledge is a new requirement which deals with requirements for competence, awareness, and communication of the QMS. Personnel must not only be aware of the quality policy, but they must also understand how they contribute to it and what the implications of not conforming are. There is a key requirement for maintaining the knowledge held by an organization to ensure the conformity of products and services. This could include the knowledge held by an individual as well as for example, the intellectual property of an organization. Organizations are required to examine whether the current knowledge they have is sufficient when planning changes and whether any additional knowledge is required. Finally, there are requirements for “documented information”. This is a new term, which replaces the references in the 2008 standard to “documents” and “records”. Organizations need to determine the level of documented information necessary to control the QMS. This will differ between organizations due to size and complexity. In line with the increased importance of information security in organizations, there is also a greater emphasis on controlling access to documented information such as the use of passwords. Organizations should also have systems in place to provide a back-up should IT systems crash. Human resources are renamed as “competence”, and communication, which will require a new approach in most organizations, is given its own section rather than a mention as a management responsibility. Finally, document control has been renamed “documented information.” It now covers both procedure/document control and records control.
There is now has a greater expectation for an organization to consider the resources needed to deliver services and products. There is an expectation to provide a clear understanding of:
- what an organization has in house and whether this is sufficient/fit for purpose to achieve the business plan;
- what additional support might be needed externally (e.g. subcontractors that provide specialism outside of their field (e.g. fire, or out of area)).
For example Specialist skills that are better outsourced due to the size of the organization (e.g. security screening, health, and safety advice). Regular meetings to discuss the contract and planned work. Include a review of type work to ensure that, if the right skills sets aren’t in-house, you get the right subcontract support.
This standard expects an organization to determine and provide the appropriate number of personnel to effectively implement the QMS and for the operation and control of its processes. Allocation of staff in order to achieve the required outcome. This means determining that you have someone to carry out a specific process (e.g. recruitment, screening and training of staff). Dependent on the size of the organization this may be one or two people or a team. The senior management will need to determine the resource needed and maintain this. This will be about ensuring you have the right number of engineers or security officers to provide the service that you have quoted. This will depend on the specifics set out in the contract and terms. (e.g. ensuring you have sufficient engineers to respond within 4/24 hours. Ensuring you have sufficient trained security officers to replace those who may be sick or on holiday).
Essentially a company needs to consider all the things they will need in order to deliver a service/product to the customer/client. This needs to include:
- buildings / water / gas / electric, etc.
- equipment – for example computers / operating systems (e.g. alarm master);
- vehicles – for engineers /management/sales and survey staff;
- information – standards that have to be applied, mobile phones/tablets, etc.
The standard now specifically makes reference to the environment that you work in
- Equality Opportunities / whistleblowing / anti-bullying policy
- Violence at work /counseling support / lone working
- Office based risk assessment, space, noise levels
The organization needs to decide what tools it uses to measure business performance. It also needs to consider whether these tools will give them everything they need as a result. You may use commissioning paper trail and or electronic processes. For eg to monitor Customer Service, you may take feedback after installing via phone call. Other organizations may have a CRM in place. Some of the Suitable measuring tools may be equipment that is used to test and commission systems such as multimeters, insulation testers, sound pressure level meters, etc. You may be required to do calibration of all the test equipment that you use.
You need to establish whether this is relevant to you and meeting all applicable requirements for the product and services. How do you determine this?
- Is it required to be calibrated?
- Allocated unique reference numbers and listed on a register of some sort.
- Allocated to personnel as and when needed and a clear process in place to ensure all staff knows how to use it properly.
Organizations expected to check results from calibration to ensure they are comfortable they have not been tampered with. You may have Maintenance Register. A sampling of commissioning paperwork to ensure the readings are consistent with expectations and or parameters set.
The organization shall determine the knowledge necessary for the operation of the QMS, ensure conformity of products and services, enhance customer satisfaction. The organization is responsible for maintaining, protecting and making sure the knowledge is available (as necessary). Knowledge is to be considered when making changes to the organization. Depending on the size and complexity of the organization, the risks and opportunities it needs to address, the need for accessibility of knowledge, the process for considering and controlling past, existing and additional knowledge needs is to be considered. As long as the conformity of products and services can be achieved, the balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization. Consideration can be given to whether competent employees have this knowledge
The organization needs to determine the necessary competence of its employees, and ensure those employees are competent on the basis of appropriate education, training, and experience. This means that the organization will need to have a process for determining the necessary competence and achieving it through training and other means. Determining competence is a necessity in any organization. Working out the skills your team has and the skills they don’t yet have. Skills they will need to achieve the company’s objectives. for example Increase in sales = need for additionally trained surveyors.
There is an expansion of application from “personnel” to “persons doing work under the organization’s control”. Awareness is closely related to competence in the standard. Employees must be made aware of the Quality Policy and its contents, any current and future impacts that may affect their tasks, what their personal performance means to the QMS and its objectives, including the positives or improved performance, and what the implications of poor performance may be to the QMS. There is a greater focus on not just communicating the policy but ensuring that it is understood, how it affects work, especially if they deviate from it. Staff should understand what they contribute and how this can make the business better. From a QMS point of view, businesses should look to explain policies more clearly so that the staff understands their meaning. It may useful to capture this on a training record:
- Read and understood = insufficient
- Understand companies aim = Yes
- Understand the company’s processes in which they are involved = Yes
- Understand their impact = Yes
- Understand they can have a positive effect = Yes
- Understand they can have a negative effect = Yes
It now includes external communication about the QMS. Processes for internal and external communication need to be established within the QMS. The key elements that need to be decided and actioned are what needs to be communicated, when it needs to be communicated, how it should be done, who needs to receive the communication, and who will communicate. It should be noted here that any communication outputs should be consistent with related information and content generated by the QMS for the sake of consistency. This is a straightforward clause and is simply about effectively communicating to all those within the business and those affected by it. Internal communications can include briefings to staff on:
- new policies;
- new or amended objectives;
- new of amended strategies;
- new clients;
- new or amended technology;
- new products;
- issues with suppliers;
- anything that will have an impact on them.
Designate a person responsible for updates: either department heads, leaders in the business. For External communication designated person can be an Allocation of key account managers. Implement review meetings, etc.
New requirement to determine, make available and maintain knowledge. No requirement for quality manual or procedures. Requirements are expanded to mention issues such as confidentiality, access, and (data) integrity. This suggests the adoption of information security considerations in recognition of the increasing use of electronic documents/data. The term “documented procedure” and “record” have both been replaced by “documented information”.“Documents”, “Documentation” and “Records” are combined to become “Documented information”. Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control or support a process) this is now expressed as a requirement to maintain documented information. Where ISO 9001:2008 would have referred to records this is now expressed as a requirement to retain documented information. The current draft of ISO 9001 does not require a quality manual or documented procedure as Annex SL does not require documented procedures or a quality manual. The requirements in 7.5 are similar to ISO 9001:2008 – 4.2.3 Control of documents and 4.2.4 Control of Records.
As discussed earlier, documents and records now come under the documented information. The requirements for documented information are spread throughout the standard. In summary, they are:
- 4.3 Scope of the QMS
- 4.2 Support operation of its processes and need for confidence.
- 5.2.2 a) Quality policy
- 6.2.1 Quality objectives
- 188.8.131.52 Monitoring and measuring resource – ﬁtness for purpose
- 184.108.40.206 Basis used for calibration or veriﬁcation
- 7.2 d) Evidence of competence
- 7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the QMS
- 8.1 e) Extend necessary (for confidence in processes and product/service conformity)
- 220.127.116.11 Review of requirements related to products and services
- 8.2.4 Amended documented information
- 8.3.2 Design and development requirements met
- 8.3.3 Design and development inputs
- 8.3.4 Design and development control activities
- 8.3.5 Design and development outputs
- 8.3.6 Design and development changes/results of reviews etc.
- 8.4.1 Results of evaluations, monitoring, re-evaluations of external providers
- 8.5.1 a) Characteristics of the products/services, activities to be performed, and result achieved.
- 8.5.2 Maintain traceability
- 8.5.3 Reports on what has occurred
- 8.5.6 Control of changes – results of reviews, personnel authorizing, necessary actions
- 8.6 Release of products and services – traceability of person(s) authorizing release, evidence of conformity
- 8.7.2 Describes nonconformity, actions taken, concessions, authority
- 9.1.1 Evidence of the monitoring and measurement results
- 9.2 f) Evidence of the audit programme (s) and the audit results
- 9.3.3 Evidence of the results of management reviews
- 10.2.2 Evidence of the results of any corrective action and the nature of the nonconformity
This is a relatively short section, which essentially says “Do a good job” at whatever your management system is trying for. This clause deals with the execution of the plans and processes that enable the organization to meet customer requirements and design products and services. It includes much of what was previously referred to in Clause 7 of the 2008 version, but there is greater emphasis on the control of processes especially planned changes and review of the consequences of unintended changes, and mitigating any adverse effects as necessary. The revised version of the standard acknowledges the trend towards greater use of subcontractors and outsourcing. This is demonstrated by the requirement to establish criteria for monitoring the performance of these parties in addition to keeping records used to establish selection criteria. The Clauses continue to cover ‘Requirements for products and services’ which remains largely unchanged from the 2008 version. However, it now requires communication with regards to contingency actions where required and also the treatment of customer property. A new requirement for communicating with ‘potential’ customers is also included, useful for bringing new offerings or solutions to the market. There are more explicit requirements in terms of the standards or codes of practice that the organization has committed to implement; internal and external resource needs for the design and development of products and services and finally the potential consequences of failure due to the nature of products and services. There is also a new clause which covers post-delivery activities. This could include activities such as maintenance programmes or work carried out under warranty, and activities covering final disposal or recycling of the product. When determining the extent of these activities organizations must consider the risks associated with a product or service, customer requirements, customer feedback, and any statutory requirements. In a welcome change of terminology, the rather clumsy ‘Product realization’ becomes ‘Operations’
8.1 Operational planning and control.
In order to meet the requirements for the delivery of products and services, the organization needs to plan, implement, and control its processes. The first step is to determine the requirements for products and services, meaning what features the product or service will have. Then, the organization needs to define how processes will be performed and what criteria the product or service needs to meet to be accepted for release. Finally, the organization needs to determine the resources needed for the processes and the records needed to demonstrate that the processes were carried out as planned. Businesses are expected that, once they have done their planning for what they are going to sell, they then plan the detail of how this can be done operationally.
- Set up supplier accounts/trade accounts.
- Purchase stock.
- Ensure staff have the correct skills and understand the process.
- Purchase tools and vehicles.
- Make sure you have enough staff.
- Issue clear instructions, drawings, procedures risk assessments to enable them to do the job.
The organization needs to show clear control of the process. They will be expected to check that delivery is as expected and when there are deviations that this is managed and negative impacts controlled. The same control should be applied to subcontractors.
8.2 Requirements for products and services.
Requirements for products and services are closely related to communication with customers. This communication must include information related to the products or services, handling inquiries, contracts or orders, customer feedback, handling and controlling customer property and, if needed, establishing specific requirements for contingency actions. Before offering the product or service to the customer, the organization needs to ensure that the requirements for the products and services are defined and that the organization is able to deliver such products or services. Requirements for products and services include any applicable legislation and the requirements that the organization considers being necessary. After receiving the order, the organization must, prior to delivery, review the requirements related to the product and keep records about the review. If the customer changes its requirements, these also must be reviewed and recorded. In case of changes, the organization must ensure that all documented information is amended and all relevant persons are aware of the changes.
This is essentially about how you relate to the customer, to include:
a) what you are selling;
b) how they can expect to be dealt with (e.g. formal quote/email/letter/terms you will work under/within);
c) getting feedback from the customer;
d) looking after their property (e.g. premises whilst you are in there);
e) what plans you put in place for if something goes wrong.
Ensuring the customer has a clear written quotation and specification relating to the services they want. Allocating a specific person/manager to the customer so that they have one key contact for all communication; that way, positive and negative feedback is captured and dealt with. For eg Both engineers and security officers are used to working in and around customers’ sites and therefore their property. Ensure you have a process in place to protect your staff from allegations of damage or theft and that your employees know what not to touch and what to report. Set these processes up before you work on a client’s site through a site survey/risk assessment and reports that support and evidence this.
Organizations need to be clear about what is required in order to sell their products and services:
- for legal and industry norm;
- elements the organization determines as necessary for their own needs.
The organization must be able to deliver what it is selling. Liaise with suppliers, attend open days, read the product literature.
Organizations are expected to review whether they can provide what they intend to sell. This review must include taking into account:
a) what the customer orders, the install and any after work, e.g. maintenance / follow up / servicing;
b) elements that need to be completed to ensure the job is fitted correctly – meter reading tests / commissioning forms / standard operational check;
c) anything else the company need to implement;
d) legal and industry standards
e) any variations. If the customer has changed their order, this needs to be defined and the customer must accept this change if they haven’t already confirmed it in writing.
Reviews must be documented. If they want to use new products and services, this should be captured. Customers should be made aware of the impact of changing products and services, etc. For systems organizations, a contract review should be in place either using paper or electronic documents, confirmation emails, quote proposals, etc. In addition, capturing any change to technology you might use on the site (e.g. change of DVR and making them aware of this). For Guarding organizations, a review would be captured via the production of a site survey and compilation of assignment instructions. The initial requirement might be for one security officer, but the site survey highlights that this may not be sufficient given the duties the clients want to be undertaken.
If any orders change, this needs to be tracked and documented. Someone in the organization who is responsible for stock and install needs to ensure these two elements are aligned.
This clause refers to design and development management, from the initial idea to final acceptance of the product. ISO 9000 explains that the terms “design” and “development” are often used as synonyms, and sometimes define different phases of overall design and development. This means that design can’t be used apart from development and that they represent one single process. During design and development planning, all its phases must be defined with appropriate activities of review, verification, and validation for each phase. Considering that ISO 9001 refers to the design and development of the product (not design and development of processes), design and development inputs relate to product requirements that include:
- Functional requirements and product performance requirements
- Legal and regulatory requirements for product
- Information from previous similar projects
- Other requirements relevant to design and development, usually customer requirements, market information, package, etc.
Design and development outputs must be in a form suitable for verification related to input elements and must be approved before acceptance. They can be in the form of a drawing, engineering documentation, plans, etc. The organization also needs to define design and development review activities. The purpose of these activities is to determine whether the design and development process goes in the intended direction. The review can be done in appropriate phases or at the end of the project. The review identifies problems during design and development and suggests actions to resolve them; it can include other interested parties. The design and development review must be documented. Also, the company needs to identify, review, and control changes during the design and development of products and services. Documented information should be kept regarding the changes, results of reviews, authorization of the change, and actions taken to prevent adverse effects.
8.4 Control of externally provided processes, products, and services.
An expansion of scope – from just suppliers to also include other external providers of products and services. Purchasing” and “Purchased product” become “Externally provided products and services”. The term “Supplier” and “Outsourcing” have been replaced by the term “external provider” and includes Purchasing from suppliers, Arrangement with an associate/sister company, Outsourcing of processes and functions. The term “Purchased products” has been replaced with the term “externally provided products and services”. This robust title of the clause refers to purchasing. The purchasing includes products and services you acquire from suppliers and outsourced processes. The organization needs to establish and document criteria for suppliers selection, which includes how crucial the purchased product or service is to the quality of your product. Results of the supplier evaluation must be kept. Clause 8.4 Control of externally provided products and services addresses all forms of external provision, whether it is by purchasing from a supplier, through an arrangement with an associate company, through the outsourcing of processes and functions of the organization or by any other means. The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services. In order to ensure that externally provided processes, products, and services do not have an adverse effect on the conformance of the organization’s products and services, the organization needs to establish controls including verification and other activities. As part of the controls, the organization needs to communicate to external providers its requirements for:
- the processes, products, and services to be provided
- the approval of methods, processes, and equipment
- verification or validation activities that the organization intends to perform
8.5 Production and service provision.
An expansion on previous requirements e.g. documented information to specify intended results and to determine the nature and extent of any post-delivery (after-sales) activities. The production and services provision process need to be performed under controlled conditions that will ensure that the product or service delivered is compliant with initial requirements. This includes a sufficient level of documentation, like procedures, work instructions, and records, monitoring and measurement equipment, appropriate infrastructure, etc. The organization must use suitable means to identify outputs when it is necessary to ensure products and services conformance. When the traceability is a requirement, the organization needs to control the unique identification of outputs and retain documented information necessary to enable traceability. In cases when the organization uses property belonging to a customer or external provider, it is required to identify, verify, protect, and safeguard this property. When the property of the customer or external provider is lost or damaged, the organization will have to report to the owner and retain documented information on what has occurred. The decision on the extent of post-delivery activities will be affected by the following:
- statutory and regulatory requirements
- potential undesired consequences related to products and services
- lifetime, use, and the nature of the products and services
- customer requirements and feedback.
In case of changes in the production and service provision process, the organization must review and control the changes in order to ensure continuing conformity with the requirements.
Release of the products and services shouldn’t be performed until the organization ensures that the products and services are conforming to the requirements. Demonstrating the conformance can be done by documenting evidence of the conformance, which includes criteria for the acceptance and information about the person who authorized the release of the product or service. Just ensure you implement checks that the product and service are delivered as expected (e.g. commissioning paperwork, customer satisfaction/feedback and signatures).
Nonconforming outputs must be prevented from unintended use or delivery, so the organization must identify and control nonconforming outputs that emerge from any phase of production or service delivery. Depending on the nature of the nonconformity, the organization can take one or more of the following actions:
- segregation, containment, return, or suspension of the provision of products and services
- informing the customer
- obtaining authorization for acceptance under concession
Conformity to the requirements must be verified when the nonconforming output is corrected. The organization also needs to keep documented information that describes the nonconformity, the action taken, concessions obtained, and the authority deciding the action with respect to the nonconformity. You do not need a documented procedure any longer to detail how you will deal with things that go wrong but you do need to do the following:
- Fix it.
- Remove it if necessary.
- Tell the customer.
- Ask them to accept it.
You should record what you do when things go wrong:
- About what is wrong;
- what you did as a result;
- What concessions you gave (e.g. did the customer accept it but you altered the cost?)
- Who had the authority to make the change?
The section on evaluation includes monitoring, measurement, and analysis, internal audits and management review. All familiar topics with some subtle changes. Performance evaluation covers many of the areas previously featured in Clause 8 of the 2008 version. Requirements for monitoring, measurement, analysis, and evaluation are covered and you will need to consider what needs to be measured, methods employed, when data should be analyzed and reported on and at what intervals. Documented information that provides evidence of this must be retained. There is now an emphasis on directly seeking out information that relates to how customers view the organization. Organizations must actively seek out information on customer perception. This can be achieved in a number of ways including satisfaction surveys, analysis of market share, and through complaints logged. There is now an explicit requirement that organizations must show how the analysis and evaluation of this data are used, especially with regards to the need for improvements to the QMS. Internal audits must also be conducted and this is largely unchanged from those in the 2008 version. There are additional requirements relating to defining the ‘audit criteria’ and ensuring the results of the audits are reported to ‘relevant’ management’. Management reviews are still required but there are additional requirements including the consideration of changes in external and internal issues that are relevant to the QMS. Documented information must be retained as evidence of management reviews.
9.1 Monitoring, measurement, analysis and evaluation.
There is a new requirement to obtain information relating to customer views and opinions of the organization. This requirement should not be equated with the requirement for managing equipment for monitoring and measuring from clause 7.1.5 of the standard. This is about a wider aspect of monitoring and measuring. Information derived from monitoring, measurement, and analysis represents inputs in the process of improvement and management review. The organization needs to determine what needs to be monitored and measured, how, and when, as well as when the results will be analyzed. It is required to measure your own performance as a supplier in order to get information about users observations, and the extent to which you fulfilled their requirements. Monitoring customer satisfaction levels must be constant activity in order to determine trends, and because opinions about your performance can change. Information about customer satisfaction can be collected via phone, interview or questionnaire, direct contact with the user on the field, etc. Once the monitoring and measuring is performed and the results are gathered, the organization needs to analyze the results in order to evaluate conformity of products and services, degree of customer satisfaction, performance of the QMS, effectiveness of actions taken to address risks and opportunities, performance of external providers, and need for improvements to the QMS.
9.2 Internal Audit.
There continues to be a need to carry out internal audits and to do it effectively. The goal of an internal audit is not to determine nonconformity; its goal is to check whether your QMS:
a) complies with the requirements of ISO 9001 and the requirements of your organization
b) is effectively implemented and maintained
There is no need for an internal audit procedure but it may be useful to keep it. You do need to define audit criteria. There is no more detail on the arrangements expected for carrying out internal audits. Not significantly different but more emphasis on how they are done, how they are feedback and now a clear reference to audits being corrected in a reasonable time to fix non-conformances identified. Ensuring that all the right people are included in the audit outcome. At the end of the audit, you will get audit results by evaluating the data you collected during the audit. Audit results can be manifested as praise, recommendations for improvements, and nonconformities (major and minor). Verification of actions taken may be needed, and in that case, the next step is a follow-up audit. Audit schedule must take customer feedback into account.
9.3 Management review.
Consider the QMS and ‘alignment’ with the strategic direction of the business. This essentially means ensuring that what the organization has determined that they want to achieve the QMS will help this happen. Most organizations work to a business plan whether this is written or not and the direction of the business should be developed into the QMS. If a business decides it wants to grow, e.g. in guarding, keyholding, install of fire systems, then the QMS needs to be equipped to deal with this. It might be you decide that quotations for this work will be completed more quickly than others, or that you will seek out tenders of this type to support the business strategy and this should come through the QMS. At least once a year, the top-level management must review the QMS in order to determine its:
- Appropriateness – does it serve its purpose and satisfy the needs of the organization?
- Adequacy – does the QMS conform to standard requirements?
- Applicability – are activities performed according to procedures?
- Effectiveness – does it accomplish the planned results?
This review must evaluate possibilities for improvement and needs for changing the QMS, Quality Policy, and objectives. Considering the inputs for the management review, such as the results of the previous management reviews, changes in the context, customer satisfaction survey results, performance of the QMS and suppliers, etc., the top management must make decisions regarding opportunities for improvement, need for changes in the QMS, and resources needed for the upcoming
Improvement covers nonconformity and corrective action, as well as continual improvement, all of which are outlined in section 8 of the current standard. There is no preventive action section anymore as effectively it is replaced by “risk” under planning – improvement is now defined as a proactive planning activity. This clause starts with a new section that organizations should determine and identify opportunities for improvement such as improved processes to enhance customer satisfaction. There is also a need to actively look for opportunities to improve processes, products and services, and the QMS, especially with future customer requirements in mind. Due to the new way of handling preventive actions, there are no preventive action requirements in this clause. However, there are some new corrective action requirements. The first is to react to the nonconformities and take action, as applicable, to control and correct the nonconformities and deal with the consequences. The second is to determine whether similar nonconformities exists or could potentially occur. The requirement for continual improvement has been extended to cover the suitability and adequacy of the QMS as well as its effectiveness, but it no longer specifies how an organization achieves this.
Based on the results of the management review, the organization must make decisions and take actions that will drive it towards continual improvement. Those actions can be in the form of corrective actions, training, reorganization, innovation, and so on. There is now a requirement for organizations to focus clearly on customer satisfaction and customer needs, not only that but to look for ways to improve:
a) products and services, now and for the future;
b) fixing and controlling business issues to reduce things going wrong;
c) improving the QMS.
No requirement for a procedure on preventive action. This term is removed.
10.2 Nonconformity and corrective action.
Any nonconformity needs to be reacted upon by taking actions to control it and deal with the consequences. Once identified, a nonconformity should trigger a corrective action in order to remove the cause of the nonconformity and prevent its recurrence. The effectiveness of actions taken must be evaluated and documented, along with the originally reported information about the nonconformity / corrective action and the results achieved. Now includes an additional requirement to record the nature of nonconformities. On discovering a nonconformity, an explicit requirement is introduced for organizations to determine whether other similar nonconformities actually exist, or could potentially exist.
When something goes wrong you must:
- react to it by
- do something / take action / fix it;
- deal with the impact it had (e.g. upset customer).
- evaluate what went wrong to prevent it happening again and check there are no other similar issues that could happen.
Key now is to update risks and opportunities. Keep records of all non-conformities, what you did to resolve them, implement additional measures, the etc.No requirement for a corrective action procedure now.
Continual improvement is a key aspect of the QMS, to achieve and maintain the Quality Management System’s suitability, adequacy, and effectiveness regarding the organizations’ objectives. There is now a clearer expectation for organizations to use data from monitoring and measuring to review the business performance and that of the QMS. Organizations should be clear to use this information, by analyzing it and ensuring that the QMS is adequate for the organization. It might be that, during a review, the control measures within a process are insufficient and do not give the level of assurance perhaps that the Directors want to know that processes are being followed correctly, e.g. sales process does not include a deadline or record of when a quote is sent out so you do not have a clear idea of how productive your team are being. Essentially the data you use must be for improving the business and identifying underperformance.
Comparison between ISO 9001:2015 and ISO 9001:2008
|ISO 9001 2008 to ISO 9001 2015 Gap Checklist|
If you need assistance or have any doubt and need to ask any question contact me at firstname.lastname@example.org or call Pretesh Biswas at +96565019055. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion are also welcome.