ISO 9001:2015 Requirements

FAQ Explains the new revision

Source: ISO.org
The requirements of the 2015 version of the ISO 9001 quality
management system standard (QMS) incorporates internationally
recognized management concepts, principles and practices into a set of
standardized requirements for a quality management system (QMS).
These standardized requirements define controls that focus
on improving an organization’s ability to deliver products or services to:
 Consistently meet customer’s quality requirements
 Meet applicable regulatory requirements
 Enhance customer satisfaction
 Improve its performance in pursuit of these objectives.
The ISO 9001 standard requirements revision 2015 focuses on
improving an organization’s management system and processes. It does
not specify any requirements for product or service quality. Customers
typically set product and service quality requirements. However, the
expectation is that an organization with an effective ISO 9001 based
QMS will indeed improve its ability to meet customer and regulatory
requirements. ISO 9001requirements are complementary to customer’s
contractual and applicable regulatory requirements. Those
implementing a QMS conforming to ISO 9001 must ensure that the
specific requirements of their customers and regulatory agencies are
met. In the past few years, industry groups have developed sector
specific applications of the ISO 9001 standard. These include the
automotive, aerospace, environmental, telecommunications, health and
safety, etc. All these sector-specific standards incorporate the full
requirements of ISO 9001 as their foundation and then add new
requirements or amplify ISO requirements. The following ISO
9001:2015 FAQ will explain broadly the changes, timeline for transition
& other details.
ISO 9001:2015 Requirements: Who is responsible for their
revision?
The ISO Technical Committee no.176, Sub-committee no.2 (ISO/TC
176/SC2) is responsible for the revision process in collaboration with
quality and industry experts nominated by ISO Member bodies, and
representing all interested parties.
ISO 9001 version 2015 Requirements:Why the need to issue the
new version?
ISO 9001 is subject to periodic review to determine whether it is still
relevant in its application to the business environment and its needs.
The review process determines what requirements need to be added,
updated or discarded. The last review and update was in 2008. That
change was considered minor and dealt with clarification of points
already in the standard rather than the inclusion of new
requirements. This latest edition of the ISO 9001 standard ISO
9001:2015, Quality Management System – Requirements is the
5th edition of the ISO 9001 standard since it was first published in 1987.
This change is considered major and some of the reasons given include:
 The need to reflect and adapt to the increasingly dynamic and
complex business environments in which organizations operate.
 Increasing cultural diversity of the workforce.
 The emergence of new technologies
 More complex supply chains.
 To ensure the new standard reflects the needs of all relevant
interested parties
 Decrease the emphasis on documentation.
 Increase the emphasis on providing value for the organization and
its customers.
 Recognize the risk management thinking underlying the preventive
focus of previous versions of the standard to achieve objectives.
 Organizations that use multiple management system standards are
increasingly demanding a common format and language that is
aligned between those standards.
 Greater awareness of the need for sustainable development
initiatives towards a consistent foundation for the future.
ISO 9001 revision 2015 Requirements: What are the potential
benefits?
 Less prescriptive, but with greater focus on achieving conforming
products and services.
 More user friendly for service and knowledge-based organizations
 Greater leadership engagement
 More structured planning for setting objectives
  Management review is aligned to organizational results
 The opportunity for more flexible documented information
 Addresses organizational risks and opportunities in a structured
manner
 Addresses supply chain management more effectively
 Opportunity for an integrated management system that addresses
other elements such as environment, health & safety, business
continuity, etc.
Do ISO 9001 requirements and clauses still apply to all
organizations – big, small, different sectors and different items
– products, services?
The concept of the standard has not changed; it’s applicable to any type
of organization – manufacturing, service and non-manufacturing; for
profit or not for profit businesses, regardless of the size, type or its core
business.
What are the key changes in the ISO 9001 version 2015 pdf?
 The adoption of a 10-clause structure and core text consistent with
all other ISO management systems.
 Better compatibility with the service sector and non-manufacturing
users;
 A need to clearly understand the organization and its context to
avoid a “one size fits all” approach to QMS application and
implementation;
 The recognition that while preventive action was implicit throughout
the standard, there was need to make it more explicit through the
application of risk-based thinking, i.e. the identification and
associated mitigation, both at the strategic and operational levels.
 The need to consider additional factors in determining the
boundaries and applicability of the QMS to establish its scope.
 Improving the understanding and application of the process
approach through the application of risk-based thinking in
conjunction with the context of the organization;
 Greater emphasis on achieving desired process results to improve
customer satisfaction;
 A somewhat contentious change to the use of the term “documented
information” from the terms “documents” and “records”; and
 secondly providing greater flexibility in the need for providing
documented information;
 A change in terminology from the use of the terms “purchasing” and
“outsourcing” to the term “externally provided products and
services”;
 A wider scope has been put on seeking opportunities for
improvement. While continual improvement still remains a
requirement at the operational level to enhance customer
satisfaction, the need for strategic improvements through break-
through change, innovation, use of new technologies,
reorganization and other means to significantly improve products,
performance and customer satisfaction, has been added;
 The wording of Leadership requirements have been beefed up to put
more specificity and emphasis on leadership requirements;
 More emphasis on change management throughout the standard;
 The need to establish and maintain the continuity of organizational
knowledge;
 More specificity in requirements related to post-delivery activities;
 The scope of requirements to analyze and evaluate the data and
information gathered from monitoring and measurement, while not
widened, has been made more specific;
 The need to track trends in operational performance and customer
satisfaction for management review;
 Further dampening down of manufacturing sector terminology for
greater application and acceptability by the services and non-
manufacturing sectors.
How has the structure of the ISO 9001 revision 2015 standard
changed?
The new structure is designed to align with the uniform 10-clause high
level structure developed by ISO to facilitate greater harmonization
among the many different ISO management system standards. The next
revision to ISO 14001 will also adopt this same structure, which is based
on the PDCA (Plan-Do-Check-Act) methodology. All ISO management
system standards will now adopt this structure. This will make it easier
for organizations to integrate the common requirements of more than
one ISO management system standard within a single system. This
should provide significant economies in terms of effort and cost in
system development, implementation, maintenance and costs of
certification. The following chart illustrates so me of the key structural
differences between ISO 9001:2015 and the current ISO 9001:2008:

ISO 9001 revision 2015 versus 2008 – Structure Comparison

Chart

ISO 9001:2015 ISO 9001:2008

1. Scope Scope

2. Nominative References Nominative References

3. Terms and definitions Terms and definitions

4. Context of the organization Quality Management System

5. Leadership Management responsibility

6. Planning Resource management

7. Support Product realization

Measurement, analysis, and

8. Operation improvement

9. Performance evaluation

10. Improvement
Do we have to change our QMS structure and terminology to
reflect the changes in the ISO 9001 revision 2015 pdf standard?
There is no requirement for the structure and terminology used in this
Standard, to be applied in developing and documenting an
organization’s quality management system. Organizations can choose
to use structure and terminology that suits their operations (e.g. using
“records”, “documentation” or “procedures” rather than “documented
information”; or “supplier”, “subcontractor” or “vendor” rather than
“external provider”). The following table shows the major differences in
terminology between this new edition of the Standard and the 2008
edition.

Products and services Products and services

Not used (See clause A.5 for

Exclusions clarification of applicability)

Not used (Similar responsibilities

and authorities are assigned but

no requirement for a single

Management Representative management representative)

Documentation, quality manual,

documented procedures, records Documented information

Environment for the operation of

Work environment processes

 Monitoring and measuring Monitoring and measuring

equipment resources

Externally provided product and

Purchased product and services services and services

Supplier External provider

The structure of clauses is intended to provide a logical presentation of

requirements, rather than a model for documenting an organization’s
policies, objectives and processes. It can be more relevant to the
organization’s users if the structure and content of QMS documented
information relates to the processes operated by the organization and
information maintained for other purposes.
How has the ISO 9001:2015 quality management system
documentation requirements changed?
Specific documented procedures are no longer mentioned; it is the
responsibility of the organization to maintain documented information
to support the operation of its processes
and retain the documented information necessary to have confidence
that the processes are being carried out as planned. The extent of the
documentation that is needed will depend on the business context.
The ISO 9001 requirements do not mention a quality manual. Is
it still required?
The new standard does not specifically mention a quality manual,
however it requires the organization to maintain documented
information necessary for the effectiveness of the quality management
system (QMS). A quality manual is one of many ways to do this.
An organizations may find it quite convenient and appropriate to
describe its quality management system in a quality manual.
Why has management review been moved to performance
evaluation? (clause 9.3)
The sequence of the new version of ISO 9001 is based on the Plan, Do,
Check, Act methodology. Management review is a tool to evaluate the
overall performance of the quality management system. So it makes
sense for management review to come under performance evaluation
after requirements for analysis and evaluation of quality management
system performance.
The title of management representative has been removed. How
is the performance of the system reported to top management?
Although the specific requirement for a management representative has
been removed, top management must still ensure that roles and
responsibilities are assigned for reporting on the performance of the
QMS. Some organizations might find it convenient to maintain their
current set-up and designations, with a single person carrying out this
role. Others might take advantage of the additional flexibility to consider
divvying up the responsibilities depending on their organizational setup.
Why has product been changed to product and service?
ISO 9001:2008 had already made it clear that the term product also
includes service, so there is no impact in practical terms. The change is
more to reflect the far wider use of the standard outside the
manufacturing sector and to emphasize its applicability in the service
industries.
What is risk-based thinking and why has it been introduced into
the standard?
The phrase risk-based thinking is used by ISO 9001:2015 to introduce
the requirement for addressing the question of risk and its control. The
concept of risk has always been implicit in ISO 9001, by requiring the
organization to plan and implement its processes and manage its
business to avoid unwanted results. Organizations have typically done
this by putting greater emphasis on planning and controlling those
processes that have the biggest impact on the quality of the products
and services they provide. The way in which organizations manage risk
varies depending on their business context (e.g. the criticality of the
products and services being provided, complexity of the processes, and
the potential consequences of failure). Use of the phrase risk-based
thinking is intended to make it clear that while addressing risk is
important, formal risk-management methodologies and risk assessment
are not needed for all business situations and organizations. For further
information about risk-based thinking (see Annex A).
What has been changed in terms of planning? ISO 9001:2015 has
widened the scope of planning and now requires the organization to
address risks and opportunities, quality objectives and planning of
changes throughout the organization. As new products, technologies,
markets and business opportunities arise, it is to be expected that
organizations will want to take full advantage of these opportunities.
This has to done in a controlled manner, and be balanced against the
potential risks involved that could potentially lead to undesirable side-
effects.
Are organizations still allowed to exclude some requirements of
ISO 9001?
ISO 9001:2015 no longer has a specific reference to “exclusions” in
relation to the applicability of its requirements to the organization’s
quality management system. However, an organization is still allowed
to determine the applicability of requirements. All requirements in the
new standard are intended to apply. Conformity to this standard can
only be claimed if the requirement determined by the organization as
not being applicable does not affect its ability or responsibility to ensure
the conformity of products and services and the enhancement of
customer satisfaction.
What is the process approach and is it still applicable to ISO
9001:2015?
The process approach is a methodology for obtaining a desired result,
by managing activities and related resources as a process. Although the
clause structure of ISO 9001:2015 follows the Plan-Do-Check-Act
sequence, the process approach is still the underlying concept for the
QMS. For further guidance, please refer to the Support Package
module: Guidance on the Concept and Use of the Process Approach for
management systems.
Alignment of the revised standard to the PDCA format (Plan, Do,
Check, Act)

Clause 4 – Context of the organization Clause 5 –

Leadership Clause 6 – Planning for the QMS Clause 7 –

PLAN Support

DO Clause 8 – Operations

CHECK Clause 9 – Performance evaluation

 ACT Clause 10 – Improvement

What is meant by the context of the organization?(clause 4.1)

This is the combination of relevant internal and external factors that
affect an organization’s ability and approach to providing products and
services to its customer. External factors can include, e,g. cultural,
social, political, legal, regulatory, financial, technological, economic, and
competitive environment, at the international, national, regional or local
level. Internal factors typically include the organization’s corporate
culture, governance, organizational structure, technologies, information
systems, and decision-making processes (both formal and
informal). The standard requires that an organization determine which
of these factors could impact its purpose, direction and quality
management system and accordingly monitor and review these factors
and use this information in determining the scope of the quality
management system.
What are the needs and expectations associated with interested
parties? (4.2)
The organization will need to determine the interested parties that are
relevant to the quality management system and the requirements of
those interested parties, as outlined in clause 4.2. However, there is no
intent in this standard to broaden the scope of the quality management
system to include meeting the needs and requirements of interested
parties, other than customer and applicable regulatory
requirements. Such a change would require a change to the scope of
the standard which is not permitted by the mandate for this
revision. The organization is required to identify these interested
parties, monitor and review information about their needs and
requirements that are relevant to the QMS and consider it in determining
the scope of the QMS. The relevant interested parties other than
customers, external providers or suppliers and regulatory bodies can
include investors, top management, employees and their unions, the
community and environment around the organization depending on it.
The organization needs to interact with these parties on a periodic basis
to understand their needs and expectations As stated in the scope
(clause 1), this standard is applicable to an organization when it needs
to demonstrate its ability to consistently provide products and services
that meet customer and applicable statutory and regulatory
requirements, and aims to enhance customer satisfaction.
 Interested Party Needs and expectations

Customers Quality, price, delivery, services

Regulatory bodies compliance with legal requirements

Owners/Share-holders Sustained profitability/transparency

Good job environment; job security;

Employees recognition and reward

External Providers Mutually lasting beneficial relationship

Environmental protection; ethical

Community/Society behavior

What is meant by organizational knowledge? (clause 7.1.6 )

Organizational knowledge is knowledge specific to the organization; it is
the accumulation of know-how and useful information relevant to the
organization obtained through experience, improvement achieved,
lessons learned and the application of technology and research. It is
information that is used and shared to achieve and further the
organization’s objectives. Requirements regarding organizational
knowledge were introduced for the purpose of safeguarding the
organization from loss of knowledge and encouraging the organization
to acquire new knowledge as its business context changes.
Documents and records have been replaced by documented
information. What does this mean? (clause 7.5)
Documentation, documents and records are now collectively referred to
as documented information. Where that documented information might
be subject to change (as in the case of procedures, work instructions,
etc), organizations are required to maintain the information up-to-date;
where the information is not normally subject to change (for example
records) the organization is required to retain that information. There is
no requirement for the terms used by an organization to be replaced by
the terms used in ISO 9001:2015 to specify quality management system
requirements. Organizations can choose to use terms which suit their
operations, e.g., records, documentation, protocols, etc. rather
than documented information.
Why has Purchasing changed to ‘Control of externally provided
processes, products and services’? (Clause 8.4)
This change reflects the fact that not all products, services or processes
that an organization acquires are necessarily purchased in the
traditional sense. Some may be acquired from other parts of a corporate
entity, for example, as part of a shared pool of resources, products
donated by benefactors or services provided by volunteers. Even with
the changed and beefed up wording, the control requirements of this
standard are essentially the same as in the 2008 version.
What has happened to validation of processes or what used to
be called special processes? (clause 8.5)
Although there is no longer a standalone sub-clause, this requirement
continues, and has been incorporated into the sub-clause on control of
production and service provision. (Ref. 8.5.1)
What is meant by post delivery activities and what is the extent
of an organization’s responsibility? (Clause 8.5.5)
This means that based on customer agreements or other requirements,
the organization may be responsible for providing support for their
product or service after delivery. This could include, for example,
technical support, training, on-site testing and start up and
commissioning, field service, routine maintenance, or in some cases
recall. All of these would typically be part of the contractual
requirements agreed to with customers or in some cases may be
required by regulatory bodies.
What is the difference in the standard between improvement and
continual improvement? (clause 10)
ISO 9001:2008 used the term continual improvement to emphasize the
fact that this is an ongoing activity. However, it is important to recognize
that there are a number of ways in which an organization may improve.
Small step continual improvement is only one of these. Others may
include breakthrough improvements, reorganization, re-engineering
initiatives or innovation. ISO 9001:2015 therefore uses the more
general term improvement, of which continual improvement is one but
not the only component.
What is the transition time frame to comply with this revision?
There will be a three year transition period from the publication date of
ISO 9001:2015. Eighteen (18) months after publication of ISO
9001:2015 all accredited new certifications issued (initial certifications)
shall be to ISO 9001:2015. Three years after publication of ISO
9001:2015, any existing accredited certifications issued to ISO
9001:2008 shall not be valid.
Guidance for transition
For the average ISO 9001:2008 certified company, the impact of the
revised standard should be minimal and quite manageable. One of ISO’s
goals is to seek greater inclusion for the ISO 9001 standard. They want
to see it expand into new sectors and be more user friendly than it is
now. Requiring a company to aggressively overhaul their current ISO
9001:2008 system is not consistent with this goal. For any organization
the degree of change necessary will be dependent upon the maturity
and effectiveness of the current management system, organizational
structure and practices, therefore an impact assessment is strongly
recommended in order to identify realistic resource and time
implications.
How will the revision affect my current
certification? Organizations using ISO 9001:2008 a) Current
users
Organizations that are already certified to ISO 9001:2008 should
contact their certification/registration bodies (CB/RB) to agree a
program for analyzing the clarifications in ISO 9001:2015 in relation to
their individual quality management systems and for upgrading their
certificates. Certified organizations should bear in mind that ISO
9001:2008 certificates have the same status as new ISO 9001:2015
certificates during the co-existence period. Organizations in the process
of certification to ISO 9001:2008 should change to using ISO 9001:2015
and apply for certification to it.
b) New users
New users should start by using ISO 9001:2015.
c) Industry Sector Schemes
All of the major sector specific standards, including TS 16949, AS9100,
and TL9000 have indicated their intentions to transition and continue
their alignment with ISO 9001. The timelines for these other standard
updates are not fully known at this time, bu t a 2016 publication date
seems likely for all three. At present the only major standard that is not
planning to continue its alignment to ISO 9001 is ISO 13485, which is
in the midst of its own update with a targeted publication of early
2016. Users of specific sector schemes are recommended to refer to the
organization that is responsible that sector scheme’, e.g. for:
 ISO/TS 16 949 refer to the IATF (www.iatfglobaloversight.org)
 TL 9000 refer to the QuEST Forum (www.questforum.org)
 AS9100/EN9100 refer to IAQG (iaqg.org ).
When do certification bodies (CB’s or Registrars) need to update
their accreditation to audit their clients to the ISO 9001:2015?
The revised IAF Accreditation Rules 20 and 21 were published July 22,
2015. Each includes a timeline indicating when CBs need to complete
required actions after publication of ISO 9001:2015:

Consequences of

Critical Date CB Required Action Failure

3 months after

publication Apply for transition Suspension

6 months after Recommend

publication Achieve transition suspension

9 months after Recommend

publication Achieve transition withdrawal

Before or at the end All ISO 9001:2008

of 3-year transition certificates expire.

CB’s are allowed to use the FDIS ISO 9001:2015 version of the standard
to begin the transition process. However, no CB can grant or date an
accredited certification to the new standard before the date on which
the CB transitions its accreditation.
How should a certified organization prepare for the transition to
the revised standard?
Until the revised standard’s projected publication date (target –
September 23, 2015), organizations currently holding ISO 9001
certification should track the progress of the revision process as well as
information regarding important changes to the standard. Once the
revised standard has been published, certified organizations will need to
carefully review changes in the standard and map out a process for
implementing modifications to their existing quality management
system to meet the new requirements. Organizations certified to ISO
9001:2008 are recommended to take the following actions:
1. Top management should conduct a full QMS review to identify
organizational gaps which need to be addressed to meet new
requirements,
2. Develop an implementation plan with assigned responsibilities,
3. Provide appropriate training and awareness for all parties that have
an impact on the effectiveness of the organization,
4. Update existing quality management system (QMS) to meet the
revised requirements and provide verification of effectiveness,
5. A full system internal audit followed by a management review
should be completed.
6. Corrective Actions for all internal audit findings should be in process
or complete.
7. Where applicable, contact your certification body for transition
arrangements.
ISO 9001:2015 Requirements: How will the revision affect the
employees of an organization?
This will depend on the extent of revisions that an organization may
need to make to its quality management system, but generally it will be
expected to provide some form of transition training to its staff. At a
minimum, awareness training of the new standard should be provided,
as well as an assessment of the new standard’s impact on the various
processes and personnel. However, it is entirely possible that the
majority of organization’s workforce will feel little or no effect from the
organizations transition to ISO 9001:2015.
ISO 9001:2015 Requirements: How will this revised standard
affect auditors and their skills?
Moving from a prescriptive approach to a process based approach
requires new thinking on how to audit. Even though the process based
approach to QMS auditing was advocated as early as the ISO 9001:2000
edition, unfortunately, many certification body (registrar) auditors
continue to use checklists aligned with the clauses from the
standard. The writers of the ISO 9001:2015 standard are hoping that
with the strengthening of the process based requirements, aligning the
clauses to the PDCA methodology and addition of risk-based thinking,
audits will take place through a series of in-depth discussions and
analyses focused on the evaluation of risk identification of the QMS and
its processes and related mitigation of risk to determine whether
customers consistently receive their expected outputs or services. All
QMS auditors, internal and external, must beef up their skills by
receiving new training in the concepts, tools and methods for risk
management and use this knowledge to investigate and evaluate
conformity and effectiveness of processes and QMS outcomes in
consistently meeting customer requirements. The training should also
focus on the significant changes to the standard and highlight key areas
such as the process approach, customer focus, interested parties,
outcomes, and the integration of clauses when auditing a process.