From ISO9001:2008 to ISO

9001:2015 - The likely

impact

Title
Version
Author
Issue Date

Page 1

VI-404684-TM
6
Michael Shuff
13 Mar 2015

From ISO9001:2008 to ISO 9001:2015 - The likely impact

Summary

ISO 9001:2015 is set to be a far-reaching (and some would say controversial) revision to the well established and respected standard: BS EN ISO 9001 Quality Management Systems - Requirements.
A new common format has been adopted, really a standardized core text and structure for all ISO
management system standards, widely known as Annex SL or the High Level Structure. In addition,
while the fundamental objectives of the standard remain the same, i.e. "...to provide confidence in
the organizations ability to consistently provide customers with conforming goods and services, and
to enhance customer satisfaction" [BSI White Paper], this revision represents a big change to ISO
9001.
The wording provides a foundation for the integration of a QMS with other management systems.
For example, ISO 14001 - Environmental Management Systems (an updated version of which is
expected by the end of 2015) and ISO 27001 - Information Security Management (a revised version
based on Annex SL was published in 2013). It is a development that is often viewed with a degree of
distrust by quality managers and consultants, who are concerned to maintain the integrity of the
QMS.
However, Annex SL is by no means the only change that the 2015 version will bring to the 9001
standard. ISO 9001:2015 also sets out to align the QMS policy and objectives with the organization's
strategy. It places strong emphasis on the role of "top management" in ensuring that the company
meets its quality objectives. The days of the "management representative" are passing, as the
transfer of responsibility is moving upwards.
Thanks in part to the introduction of Annex SL, there will be greater flexibility with Documentation.
Even to the point where the Quality Manual is no longer mandated, providing an opportunity (if you
choose to see it as such) to ask yourself the question "How should we document quality processes?
Even this change, however, has caused fewer heated debates than that of "risk based thinking".
Although the wording requires that risks and opportunities be "determined and addressed", there
remains no requirement for formal risk management processes, such as those found in ISO 31000.
Notwithstanding this fact, risk is considered qualitatively (and, depending on the organizations
context), quantitatively from the beginning and throughout the standard; making, to quote the ISO,
"preventive action part of strategic planning as well as operation and review". Risk-based thinking,
therefore, means you must consider risk when defining the rigour and degree of formality needed to
plan and control the quality management system, as well as its component processes and activities.
The problem that I envisage is simply that organizations may well have difficulty in demonstrating
risk-based thinking to ISO 9001 assessors unless they have documented risk management processes.

Page 2

Table of Contents
1

Introduction ..................................................................................................................................... 4

How will the new version affect ISO 9001:2008 registrations? ...................................................... 4

What are the most notable changes in the 2015 version? ............................................................. 5

3.1

High Level Structure ................................................................................................................ 5

3.2

Risk-based thinking .................................................................................................................. 6

3.3

Documented Information ........................................................................................................ 6

3.4

Knowledge management......................................................................................................... 7

3.5

Training records ....................................................................................................................... 7

3.6

Responsibility of Top Management ......................................................................................... 7

The likely impacts of 'risk-based thinking' ....................................................................................... 7

4.1

How does ISO 9001 help you to achieve your business goals? ............................................... 8

4.2

Why should your organization adopt Risk-based Thinking? ................................................ 9

4.3

What should you do in order to adopt "Risk-based thinking"?............................................. 12

What 'documented information' is required by ISO 9001:2015? ................................................. 12

5.1

What does the 2014 committee draft of ISO 9001 actually say? .......................................... 13

5.2

Out with the old... in with the new ISO 9001 terms and definitions..................................... 14

5.3

How should you manage your required documented information? .................................... 14

Appendix: Sources referenced plus recommended reading................................................................ 17

Page 3

1 Introduction
From its beginnings in the 1980s, each version of the ISO 9001 standard has tried to bring about
changes. ISO 9001:2000 was a big paradigm shift, with important changes in emphasis on process,
involvement of senior management, continuous improvement and customer satisfaction. The ISO
9001:2008 standard that followed was more of an evolution, with an emphasis on clarifying the
requirements in its predecessor.
What about the forthcoming ISO 9001:2015? What can we expect? Based on the Draft International
Standard (DIS) published in May 2014, and information published in the form of white papers by
leading standards organizations including BSI, this paper looks at the likely impact.

How will the new version affect ISO 9001:2008 registrations?

According to BSI, publication of the new standard is likely to occur in September 2015. From the
date of publication, organizations holding a valid ISO 9001:2008 certificate will have three years to
make the transition to the new version of the standard. The old version will continue to be
recognised and companies can be audited against it until the end of the three-year transition for ISO
9001:2015 (expected to last until September 2018).
Some people have asked what to do in the interim,
i.e. does it make sense in 2015 to certify to the
9001:2008 version? Most experts advise that it does.
First, there is the 3-year transition period, which
gives companies until 2018 to update their system to
the new version. Second, it is possible to append the
additional requirements from 9001:2015 to the
current requirements. Third, the restructuring
changes should remind all users that it is not a good
idea to base a company's QMS just on the ISO
structure, but rather it should map to the latter as
appropriate. If you must use the ISO structure, then
yes, it is better now to use that of 9001:2015.
Another frequently asked question is should holders
of 9001:2008 certificates re-certify to the 2015
version? There is no reason to do so in the short term, apart from the fact that they may want to
look contemporary.
Accredited Certification Bodies (e.g. BSI) will stop issuing new certificates to ISO 9001:2008 twelve
months after ISO publish the 2015 version. This means that if you are developing a quality
management system based on the requirements of the current, 2008, version of the standard, you
have until late 2016 to gain a certificate issued to ISO 9001:2008. If your organization's QMS is
already certified ISO 9001:2008 compliant, you may wish to look at your processes to see if they are
in line with the new high-level structure. However, your system must remain compliant with ISO
9001:2008 until the release of ISO 9001:2015.

Page 4

3 What are the most notable changes in the 2015 version?

3.1 High Level Structure

A key fact to know about the ISO 9001:2015 DIS draft document is that the text has been prepared
using the new high-level structure (i.e. clause sequence, common text and terminology) provided
in Annex SL, Appendix 2 of the ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013. ISO
intends for this to enhance alignment among ISOs management system standards, and to facilitate
their implementation for organizations that need to meet the requirements of two or more
standards simultaneously.
Annex SL defines the framework for what is a generic management system. All new ISO
management system standards (MSS) will adhere to this framework and all current MSS will migrate
at their next revision.
The major clause numbers and titles of all MSS will be identical. They are:
Introduction
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Scope
Normative references
Terms and definitions
Context of the organization
Leadership
Planning
Support
Operation
Performance evaluation
Improvement.

Referencing the DIS, the following structure comparison chart illustrates some of the differences
between ISO 9001:2015 and the ISO 9001:2008 standard:
ISO/DIS 9001:2015
1. Scope
2. Nominative References
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

ISO 9001:2008
Scope
Nominative References
Terms and definitions
Quality Management System
Management responsibility
Resource management
Product realization
Measurement, analysis, and improvement

Table 1: Structure Comparison Chart

Page 5

The new harmonised approach that ISO 9001:2015 will fit into allows for the addition of disciplinespecific (in this case quality-specific) text, applied in the wording of the DIS through the following:
a) Specific quality management system requirements considered essential to meet the scope
of the ISO 9001 standard;
b) Text to reflect the use of the Quality Management Principles that form the basis for ISOs
quality management system standards;
c) Requirements and notes to clarify and ensure consistent interpretation and implementation
of the common text in the context of a quality management system.
You should keep the Annex SL changes to the 2008 structure in mind when building your quality
management system processes in the future. The familiar Plan-Do-Check-Act (PDCA) methodology
will continue in the new version of the standard; however, there will be an overall focus on Riskbased thinking" aimed at preventing undesirable outcomes - see below.

3.2 Risk-based thinking

There will be a much greater emphasis in ISO 9001:2015 on risk-based thinking incorporated in
requirements for the establishment, implementation, maintenance and continual improvement of
the quality management system. ISO 9001:2015, like its cousin ISO 27001:2013, does not mandate a
particular risk assessment method - not even ISO 31000!

3.3 Documented Information

Following Annex SL, gone are the terms documents, documentation and records. In comes
'Documented Information'. However, the requirements for the management of documented
information are not new or excessive.
Section 4.2.3 Control of documents in the 2008 version has effectively moved to Section 7.5
Documented Information, under Section 7.5.2 Creating and updating and 7.5.3 Control of
documented Information.
The list of six mandatory procedures has gone but it will still be necessary to document the required
processes. Management of the processes and the system as a whole can be achieved using a PlanDo-Check-Act (PDCA) methodology (see 0.4) with an overall focus on Risk-based thinking" aimed at
preventing undesirable outcomes (see 0.5). However, we should always remember that processes
have to be controlled, which will mean creating and maintaining documented information. The term
"documented information" in this regard is repeated throughout the draft version.
Section 4.4 makes the need for a QMS less explicit. That has begged the question in discussion
forums: "What is a QMS anyway?. For some, the Quality Manual describes the quality management
system in the form of a printed document in a ring binder. For others, it is one of many documents in
an electronic document management system (DMS). How best to 'do the QMS' is a more central
issue now. The graphical QMS developed by CogniDox is one answer to this need.

Page 6

3.4 Knowledge management

Section 7.1.6 talks about Organizational Knowledge. This requires an organization to ensure that it
has or obtains the knowledge resources necessary to respond to changing business environments,
changing customer and interested party needs and expectations and, where applicable, related
improvement initiatives. It points to important issues affecting quality, as for example how the
organization accesses internal knowledge, and how the organization's IP is stored and protected.

3.5 Training records

One of the popular "crystallizations" of the 2008 version was the training records register. It's not
clear to me whether Section 7.2 Competence requires the same. The catch-all mandate in 7.2 d) to
"retain appropriate documented information as evidence of competence" would suggest that it
does; although we will have to wait and see just how this is interpreted.

3.6 Responsibility of Top Management

ISO 9001:2015 signals more of a hands-on role for top management. Section 5 Leadership makes it
clear that there is now a responsibility for top management to take accountability for the
effectiveness of the QMS.
New requirements for leadership and accountability include ensuring that:
a) quality policy and objectives are compatible with strategic direction;
b) quality policy is applied, not just communicated and understood;
c) quality system requirements are integrated into business processes.
Top management will be actively involved in the operation of the QMS. The removal of all references
to the role of management representative reinforces a need to see the QMS embedded into your
routine business operations. The days of the QMS operating as an independent system in its own
right with its own dedicated management structure are numbered.

4 The likely impacts of 'risk-based thinking'

Risk-based thinking and the resulting actions to address risk are what business is arguably all about.
Now it is officially a requirement of ISO 9001 in the much-anticipated revised version due to be
published in 2015.
Just to recap: among the key changes almost certain to be coming in the ISO 9001:2015 quality
management system standard, and available to read in the Draft International Standard (DIS)
published in May 2014, are:

Page 7

The emphasis on leadership

The focus on risk management

There are many good reasons for your organization to invest in a quality system. I suggest that the
'top ten' reasons are:
1.
2.
3.
4.
5.
6.
7.
8.
9.

Cutting costs
Saving time
Increasing customer satisfaction
Developing better business
processes
Improving product quality
Reducing response times
Creating competitive advantage
through investment in quality
Utilizing best practice through
collaboration and focus
Helping you grow your business
(as opposed to fighting fires)

And, yes...
10. Reducing risk

4.1 How does ISO 9001 help you to achieve your business goals?
The central purpose of a quality management system (QMS) is to provide confidence in the
organizations consistent ability to provide customers with conforming goods and services. The
concept of risk in the context of ISO 9001:2015 relates to the uncertainty in achieving these
objectives. By giving much greater emphasis to risk and opportunity management, the approach is in
line with the current thinking of many senior managers.
Risk, as Clause 0.5 of the Introduction to the DIS states, "...is the effect of uncertainty on an expected
result and the concept of risk-based thinking has always been implicit in ISO 9001." ISO 9001:2015
permits organizations to choose whether they develop a more extensive risk-based approach than is
required. The ISO 31000 Risk Management standard is referenced as being able to provide
"guidelines on formal risk management which can be appropriate in certain organizational contexts",
however, it is not mandated. You choose the method/s by which you assess risks and opportunities.
The new version of the standard recognises that not all the processes of the quality management
system represent the same level of risk in terms of the organizations ability to meet its objectives.
The consequences of process, product, service or system nonconformities are not the same for all
organizations. In particular contexts, the consequences of delivering nonconforming products and
services can result in minor inconvenience to the customer; in others, the consequences can be farreaching, and even fatal.
Risk-based thinking" means "...considering risk qualitatively (and, depending on the organizations
context, quantitatively) when defining the rigour and degree of formality needed to plan and control
the quality management system, as well as its component processes and activities." [Clause 0.5].
I suspect this could potentially cause problems during the audit when objective evidence of riskbased thinking in the form of documented information cannot be produced. After all, although the
Page 8

risks and opportunities will have to be determined and addressed, there is no requirement for any
formal risk management process. All that is needed is an "...overall focus on "Risk-based thinking"
aimed at preventing undesirable outcomes (see 0.5)" [Source: 0.3 Process Approach, line 258 of the
DIS]. So how will thinking be assessed?
The FDIS (final draft international standard) may contain a clearer definition of risk-based thinking
and there is of course the question of whether the range of ISO 9000 Guidance documents to be
published (presumably in 2015?) will address the auditing of this requirement?
I watch with interest. No doubt, so will you - and your ISO assessors!

4.2 Why should your organization adopt Risk-based Thinking?

Well, if "thinking" in this context means adequately assessing risk for the purposes of planning and
control (and I think it does!), then the result should be to:

improve customer confidence and satisfaction

assure consistency of quality of goods and services
establish a proactive culture of prevention and improvement.

The key point being: successful companies take a risk-based approach. Not everyone agrees that
there is sufficient evidence to support this statement, but the popularity of risk management as a
discipline in both the public and private sectors is a phenomenon that is hard for industry to ignore.
Personally, I would like to know exactly what evidence should be collected and maintained in
documented information about whatever type of risk is being assessed. The rigour of documenting
your risk assessment process and recording, as they are made, the management decisions to address
those risks will be of more practical value than simply thinking about the risks.
Documented information of this kind properly controlled and updated in a document management
system has its uses in decision-making processes.
In Clause 4, Context of the organization, the requirement is to determine the issues that can affect
the organization's ability to meet its quality objectives:
"The organization shall determine external and internal issues that are relevant to its
purpose and its strategic direction and that affect its ability to achieve the intended result(s)
of its quality management system."
It could be argued here that "issues" are not necessarily "risks"; however, the Notes in this Clause
would suggest that our "understanding" of the organization's external and internal context is
necessary in assessing risk:
NOTE 1 Understanding the external context can be facilitated by considering issues arising
from legal, technological, competitive, market, cultural, social, and economic environments,
whether international, national, regional or local.

Page 9

NOTE 2 Understanding the internal context can be facilitated by considering issues related
to values, culture knowledge and performance of the organization.
Clause 5, Leadership requires that top management commit to ensuring Clause 4 is followed - so
they will need status and progress reports based on documented information from the management
system to achieve this.
A graphical presentation of key management information, updated in real time from a document
management system saves a lot of report writing!
Clause 8, Operation requires the organization to "plan, implement and control" processes 6.1
Actions to address risks and opportunities - see further down.
"The organization shall plan, implement and control the processes, as outlined in 4.4, needed to
meet requirements for the provision of products and services and to implement the actions
determined in 6.1" [Source: 8.1 Operational planning and control]. Unsurprisingly, references to
"processes" continues to be a dominant feature of ISO 9001:2015, both in lines retained from the
2008 standard and the blue text additions. But note the use of the term in the list below:

Processes for planning and consideration of risks and opportunities (Clause 6)

Processes for support, including resources, people and information (Clause 7)
Operational processes related to customers and products and services (Clause 8)
Processes for performance evaluation (Clause 9)
Processes for improvement (Clause 10).

Risk-based thinking is considered integral to an ISO 9001:2015 QMS.

"This International Standard makes risk-based thinking more explicit and incorporates it in
requirements for the establishment, implementation, maintenance and continual
improvement of the quality management system." [Clause 0.5]
ISO 9001:2015 is about managing change processes in your business, based on an understanding the
risks and challenges which may impact on your organization's ability to meet customer requirements
and taking a preventative approach supported by relevant documented information.
Effective planning and consideration of risks and opportunities will be a key (critical?) factor for
successful certification to ISO 9001:2015. Senior management should be able to demonstrate that
they understand the business risks and opportunities, and how they could impact. They will need to
ensure that the management system can achieve its intended results (6.1.1 a), prevent or reduce
undesired effects (6.1.1. b), achieve continual improvement (6.1.1. c); and, that actions to address
risks and opportunities are integrated into processes (see 4.4); and their effectiveness evaluated.
Wikipedia says that Risk management "...is the identification, assessment, and prioritization of risks
(defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and
economical application of resources to minimize, monitor, and control the probability and/or impact
of unfortunate events[1] or to maximize the realization of opportunities".
Clause 9, Performance Evaluation, includes a requirement that top management shall "review the
organization's quality management system". The management review has to take into consideration:
Page 10

"... the effectiveness of actions taken to address risks and opportunities (see clause 6.1);"
Surely, in order to evaluate (a) whether the actions (i.e. the selected controls) are still applicable and
effective, and (b) whether the possible risk-level in the business environment has changed since the
last review, senior management will need to see the results from a 'risk analysis'?
How otherwise could they assess the effectiveness of actions taken to address risks (threats) and
opportunities? Unless they are simply content to do so based on opinions and/or anecdotal
evidence?
Maybe this will be acceptable to managers in some 'low risk' environments, but not in high risk ones
like product design, development and manufacturing such as silicon, military software, the
aerospace industry ... the list will be a very long one!
Clause 10, Improvement does not specifically mention risk; however, BSI says in one of their white
papers that...
"In Clause 10 the organization is required to improve by responding to changes in risk." [Source: ISO
9001 White Paper: The importance of risk in quality management- Approaching change, BSI Group,
July 2014]
When a nonconformity occurs, the organization is required to evaluate the need for action to
eliminate the cause(s), by reviewing the nonconformity; determining its causes, and "determining if
similar nonconformities exist, or could potentially occur" - Risk-based thinking again?
Clause 6.1 Actions to address risks and opportunities reads like 'risk management' to many people
on that basis - me included!
Clause 6.1 Actions to address risks and opportunities is where the what, who, how and when'
concept of this risk management is defined. The organization should plan the actions that are
necessary to address these risks and opportunities as well as working out how to integrate and
implement actions into management system processes. In achieving this, they need to ensure
actions are "proportionate to the potential impact on the conformity of products and services", and
evaluate their effectiveness.
Risk-based thinking in ISO 9001:2015 will extend to your organization's supply chain: a risk-based
approach is required to determine the type and extent of the "controls appropriate to particular
external providers and externally provided products and services". You will need to identify risk
wherever it arises and have the necessary controls in place to manage it.
This means that senior managers will need to be able to demonstrate an understanding of the wider
business environment, social, cultural and regulatory and how that impacts or could impact on the
organizations ability to meet customer requirements. They will also need to have a grasp of the
organizations internal strengths and weaknesses and how these could impact on its ability to deliver
quality products or services.
ISO 9001:2015 will serve to strengthen business process management by underlining the need to (1)
allocate specific responsibilities for processes, (2) demonstrate an understanding of the key risks
associated with each process and the approach taken to 'manage, reduce or transfer the risk'.
Page 11

Is this risk-based thinking new to ISO 9001:2015? I would argue not. It is true that ISO 9001:2008
does NOT include requirements specific to other management systems such as "risk management.
However, 0.1 General clearly states that the design and implementation of an organization's quality
management system is influenced by:
"a) its organizational environment, changes in that environment, and the risks associated
with that environment,"
Hence, in designing and implementing your organization's quality management system, you are
thinking about the risks.
The risk-based approach to drafting this International Standard has also had a beneficial effect in
that it facilitated some reduction in prescriptive requirements and their replacement by
performance-based requirements.
Many people, including myself, think there has always been an element of risk-based thinking in ISO
9001, and that it is now just more explicit. Not every critic of ISO agrees with that, however.

4.3 What should you do in order to adopt "Risk-based thinking"?

I would suggest the following...
Analyse and prioritize the risks and opportunities in your organization:

What is acceptable?
What is unacceptable?

Then plan actions to address the risks. Ask yourself:

How can I avoid or eliminate the risk?

How can I mitigate the risk?

Then...

Implement the plan take action

Check the effectiveness of the actions does it work?
Learn from experience continual improvement

To gain a better appreciation of the extent of these important changes and the effect on your
existing quality management system, you should read the FDIS.

What 'documented information' is required by ISO 9001:2015?

An Executive Summary could read as follows...

Page 12

ISO 9001:2015 will probably merge

documents and records under the term
'documented information' and there will be
no mandatory quality manual, procedures or
quality records. These significant changes
may lead to much greater flexibility in how
information is managed within the quality
management system, but some envisage a
potential downside; i.e. ...
Newcomers to ISO 9001:2015 may be
confused about where to start documenting
their system; also, exactly what they need to record and document in relation to the requirements
of the standard; and hence, when their organization's documented information is ready for audit?

5.1 What does the 2014 committee draft of ISO 9001 actually say?
The Draft BS EN ISO 9001 Quality Management Systems - Requirements published in May 2014 (the
'DIS') defines documented information as that which is "required to be controlled and maintained by
the organization".
The Notes make it clear that this documented information can be in any format and media and from
any source. It can refer to the quality management system (3.33), including related processes (3.12),
or it can be information (3.50) created for the organization (3.01) to operate (i.e. documentation). It
can also be evidence of results achieved (records).
The source for the above references is ISO DIS 9000:2014, 3.8.1.1.1.
ISO 9001:2008 was designed to allow an organization greater flexibility in the way it chooses to
document its quality management system (QMS).
Clause 4.2.1. General provided an explanation of what quality management system documentation
and records were required; specifically:
a)
b)
c)
d)

documented statements of a quality policy and quality objectives;

a quality manual
documented procedures required by this International Standard
documents needed by the organization to ensure the effective planning, operation
and control of its processes, and
e) records required by this International Standard;
In 2012, the ISO Document ISO/TC 176/SC 2/N 525R2, titled: ISO 9000 Introduction and Support
Package: Guidance on the Documentation Requirements of ISO 9001:2008, asked the question
'What is a "document"?' and defined at least some of the main objectives of an organization's
documentation. These were:
f) Communication of Information
g) Evidence of conformity
h) Knowledge sharing
Page 13

In terms of category a), both the type and extent of documentation depended on "the nature of the
organizations products and processes, the degree of formality of communication systems and the
level of communication skills within the organization, and the organizational culture". [Ibid, page 1].

5.2 Out with the old... in with the new ISO 9001 terms and definitions
Which terms and definitions are likely to be defined and used when ISO 9001:2015 is published?
Moreover, does it matter?
For a start, due to the introduction of Annex SL, the requirements for documents and records
(documented information) are now contained within each of the clauses numbered 4 through 10 in
the new structure. See further down.
At the same time, familiar document references will be erased from the standard. As mentioned,
one of the most notable deletions is "Quality Manual". This might be a 'shocker' for those whose QM
careers date all the way back to the introduction of ISO 9001 in 1987. Yet this is only one among a
number of changes that set ISO 9001:2015 apart as a "major revision" of the QMS Standard.
Documented information now means both documents and records.
A.6 Documented information explains, [due to the introduction of Annex SL common management
system framework] a "common clause on 'Documented Information' has been adopted without
significant change or addition". This means that the terms documented procedure and record have
been replaced in ISO 9001 with "documented information".
I counted the text "documented information" appearing 34 times in the committee draft of ISO 9001
between Clauses 4 to 10.
From that figure alone, you can appreciate that ISO 9001:2015 will require the creation /
maintenance of a sizeable number of documents!

5.3 How should you manage your required documented information?

The wording in the DIS sets out requirements for creating and updating:

identification and description (e.g. a title, date, author, or reference number);

format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
review and approval for suitability and adequacy.

Documented information should also be controlled to ensure:

a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of
integrity).
To address these requirements, the following activities are necessary:

Page 14

a)
b)
c)
d)

distribution, access, retrieval and use;

storage and preservation, including preservation of legibility;
control of changes (e.g. version control);
retention and disposition.

You should also identify and control documented information of "external origin" which is necessary
for the planning and operation of your QMS.
It is - and will continue to be - necessary to regularly review documents to make sure they are up-todate, suitable and reflect your practices. Review processes should also check for changes in relevant
standards, regulations, specifications and other external documented information.
Documented information will be used to support the operation of processes and be retained "to the
extent necessary to have confidence that the processes are being carried out as planned" [4.4
Quality management system and its processes]. Audit criteria will include a set of policies (3.07),
documented information (3.11) or requirements used as a reference against which audit evidence
(3.61) is compared.
What are the questions that you need to ask to ensure that your documented information meets the
requirements? - Here are just a few suggestions:

Who in your organization approves documented information for release?

How do you know that the documented information has been approved?
What are the steps in your process for reviewing, updating and re-approving documented
information? Does it include a regular review of changes and who is responsible for the
different parts of this process?
How do you identify changes?
How do you manage your documented information so that you know which version you are
looking at, and whether it is the current version?
Who has access to the documented information and is the current version available where it
is needed, for example by teams operating in the field?
What means are used to provide access (e.g. document management system on the
organization's server, cloud application, paper documents)?
Who is responsible for distributing documented information to where it is needed - both
electronically (e.g. via intranet access, document attachments, download links, etc.) and in
paper form?
Is documented information from external sources, such as relevant standards, current
legislation, product specifications from your suppliers, being reviewed, updated and made
available via controlled processes?
Are you deleting, destroying, or obsoleting old documented information so that only the
current version is in use? Moreover, who is responsible for checking that end users only
have access to the current version?
How will you archive and segregate obsolete documented information that you want retain?
Which items of documented information contain confidential data?
What information security measures are you taking to protect data?

Once again, this is not an exhaustive list, but it does highlight the complexity of the task of managing
the documented information.
Page 15

You can find a further discussion of this topic on an earlier CogniDox blog; see:
Document Control, ISO 9001 and CogniDox DMS
Mark Hammar's post on the excellent 'ISO 9001 Blog' (dated May 20, 2014) has some helpful advice
on ISO 9001 document control:
Some Tips to make Document Control more useful for your QMS
Given the sheer number of new documents that are likely to be required, a document management
system (DMS) hosted on your server or in the cloud is worth considering before you transition.
In our earlier post (see above) on the subject of using a DMS versus other approaches, we showed
how CogniDox maps to the list in Mark Hammar's post to give you much greater control over your
documented information.
Mark's useful tips will help to make your controls better suited to your organization's needs. He lists
them under the following seven categories:
1.
2.
3.
4.
5.
6.
7.

Approve for Adequacy (who is responsible for approving this)

Review/Update and Re-Approve
Changes and Revision Status identified
Relevant Versions at point of use
Legible and identifiable.
Control of External Documents
Prevent use of Obsolete Documents

As we said on May 28, 2014: "To rattle through a quick mapping of tips to CogniDox features, we
would find that the ability to create workflows with mandatory approvers delivers #1. The review
and notification process takes care of #2. Version history and the event log provide #3. A clear link to
latest and approved-latest versions solves #4 (as does the ability to hide any version other than the
approved-latest one). Tip #5 is supported by embedded metadata in the documents, so readers can
see what they are using. Wed look to limited partner access and/or the extranet portal functionality
for #6. Finally, tip #7 can be achieved by marking the document as obsolete."
Increased flexibility in terms of the documented information required by ISO 9001:2015 will not
lessen the daunting challenge of controlling the large amount of data contained within your quality
management system. A DMS can greatly improve the efficiency and effectiveness of your QMS.
However, regardless of how you manage documented information, it looks like it will soon be time
to say a heartfelt 'Hasta la vista!' to your trusty Quality Manual.

Page 16

Appendix: Sources referenced plus recommended reading

The following sources are useful in understanding the development process that has led to the
publication of the ISO 9001 Committee Draft (the 'DIS'), including the much debated topic of 'riskbased thinking'.
Firstly, the Draft International Standard (DIS) issued for public comment:
Draft BS EN ISO 9001 Quality Management Systems - Requirements, Date: 14 May 2014, which is
available from the ISO Store, BSI Shop, IT Governance Ltd, and other distributors worldwide.
Even though the FDIS (final draft international standard) is expected soon, the ISO/DIS 9001 draft
issued in May 2014 makes for interesting and necessary reading, - especially the Clause 0.5 'Riskbased thinking' and the schematic (Figure 2 on page 9) with the box labelled 'Plan the Process (Extent of planning depends on RISK)'!
For those looking for straightforward answers to the simple questions regarding the 2015 version
and transition process, I recommend BSI's FAQ on ISO 9001:2015 in the ISO Revisions series - see
reference below:
ISO 9001:2015 Revision, Frequently Asked Questions - Approaching change, BSI Group, July
2014 [PDF]
For a more detailed discussion about the importance of risk in quality management and why this
idea is not new, BSI's white paper is useful:
ISO 9001 Whitepaper, The importance of risk in quality management - Approaching change,
BSI Group, December 2014 [PDF]
The BSI White Paper 'ISO 9001: Understanding the changes' from ISO Revisions is also of value in
explaining the likely impact of ISO 9001:2015:
ISO 9001 Whitepaper, Understanding the changes, Approaching change, BSI Group, July
2014 [PDF]
I also recommend an earlier white paper by Evgeny Avanesov, D.B.A., Prof. at TEST-St.-Petersburg,
and (as stated on the document in 2009) a Member of Russian delegation in ISO/TC 176, ISO/TC 207,
- see the link:
Risk Management in ISO 9000 Series Standards [PDF]
Although this document was published in 2009, it is interesting to revisit because it came out when
the common concepts and ideas for "future activities ISO/TC 176 on the revision of ISO 9001" were
being formulated.
The author provides "Examples of the requirements of ISO 9001:2008, indirectly associated with the
risk management". The Table on page 6 of 11 is worth reading whether you believe that 'risk-based

Page 17

thinking' is a new idea, or something that you do already (see the Conclusion of BSI's 2014 white
paper - and the ISO's white paper titled 'ISO 9001 and Risk').
For the ISO's own (easily digested) explanation of Risk-based thinking, view their slideshare
presentation at:
http://www.slideshare.net/timdwill/iso9001-risk-basedthinking
Note slide 4 of 12: What is "risk-based thinking"? which features a version of the statement found in
the DIS, Clause 0.5, "Risk-based thinking"; i.e. "the concept of risk has always been implicit in ISO
9001 - this revision makes it more explicit and builds it into the whole management system".
The ISO white paper on the same subject of ISO 9001 and Risk can be downloaded from 'Public'
information on the ISO TC/176/SC2 Home Page:
http://isotc.iso.org/livelink/livelink/open/tc176SC2public
Note the frequently quoted line: "Risk-based thinking has always been in ISO 9001 -- this revision
builds it into the whole management system." [Source: ISO Document N1222, July 2014, page 2], which appears, in a longer and more detailed form, in the committee draft of the standard.
Watch the video of the Google hangout where Nigel Croft, Chair of the ISO subcommittee
responsible for ISO 9001 talks to us about how the revision is progressing:
www.youtube.com/watch?v=BrP94_ogRSY
This addresses the thorny subject of risk-based thinking, which as he points out, does not necessarily
mean using formal risk management.
In small, low-risk organizations, the 'risk-based thinking' may simply be "intuitive"; in others, a full
risk management process may be appropriate.
Nigel covers other relevant topics in an equally transparent, friendly way.

Page 18

Company Information
Registered Office:

Cognidox Limited
St Johns Innovation Centre
Cowley Road
Cambridge CB4 0WS
UK

Registered in England and Wales No. 06506232

Email

salesinfo@cognidox.com

Telephone

+44 (0) 1223 911080

Smart Document Management

CogniDox helps teams in Engineering, Marketing, Sales, Operations and other departments to
capture, share and publish product and design documentation.

This easy-to-use tool helps break down the barriers to find information,
share solutions and enjoy a faster, more productive development workflow
inside your company. In addition, CogniDox helps you manage and publish
documents and other content to licensed customers. It reduces technical
support load and accelerates your customers' time to market.

https://www.cognidox.com/

Page 19