The ISO 9001 Quality Management Standard
Copyright 2022, Faulkner Information Services. All
Publication Date: 2205
Report Type: STANDARD
ISO 9001 is among the most widely recognized quality management standards
in the world. A new revision was published in 2015 and requires
organizations to follow current best practices in disciplines such as risk
management and knowledge management along with a host of other changes.
The 2015 revision is the most significant change to the standard in 15
years, challenging organizations to adopt some new ways of thinking and of
measuring their results.
- Executive Summary
- Competing Standards
- Current Version
- Web Links
- Related Reports
Organizations seek ISO 9001 certification as a mark of distinction and as
a framework for improving quality management.
The certification demonstrates that, across a broad range of departments
and functions, an organization is focused on customers and uses
well-defined, well-tested processes. Rather than prescribing rigid rules,
ISO 9001 defines broad guidelines that can be adapted to a variety of
industries and environments.
In September 2015, the first new revision of the standard since 2008 was
released, and its changes were the most significant since 2000. The new
revision puts greater emphasis on the need for organizational leaders to
be involved in quality management and for every employee to be fully aware
of quality goals. The revision also adds new requirements related to
risk-based thinking, the management of organizational knowledge, and
relationships with external parties.
A good first step toward meeting these goals is conducting a gap
analysis, which identifies discrepancies between the standard and an
organization’s current practices. While working to earn the certification,
it is helpful to focus on using the standard to achieve business goals.
Ultimately, ISO 9001 aims not to be a set of practices carried out apart
from everyday activities but instead to be a framework that provides
ISO 9001 is one of the most sought-after standards to demonstrate an
organization’s dedication to quality management. Certification is also
beneficial because it helps to formalize a quality control program and to
reduce production costs through the standardization of operations.
The need for quality standards arose because vendors were being asked to
justify their internal quality control procedures to their customers, and
each customer had a different view of “quality.” The International
Organization for Standardization (called “ISO” based on the French
abbreviation because the organization is based in Geneva) responded
by promoting a single, consistent international quality standard. This
effort led to the creation of ISO 9001, an internationally recognized
framework for quality management.
Because it is a framework, ISO 9001 is less about rigid
requirements and more about applying a flexible set of concepts to
each organization’s particular goals and environment. The structure of the
framework (apart from introductory material) is the following:
- Context of the Organization – Organizational goals and influential
- Leadership – The quality-related responsibilities of top management.
- Planning for the QMS – Actions taken for planning quality-related
- Support – The resources that an organization provides and actions it
takes to enable effective quality management.
- Operation – The execution and oversight of quality management
- Performance Evaluation – The monitoring and measurement of
quality management processes.
- Improvement – Ongoing changes to better meet quality goals.
Significantly, with the new revision, this high-level structure is now
common among some other ISO standards such as 14001 for environmental
management and 27001 for information security.
An organization’s ISO 9001 compliance is audited by a third party that
has been recognized as a qualified registrar. If the organization
passes, the registrar issues a certificate. Compliance then needs to be
re-audited each year. An ISO audit is quite different from a formal
financial audit. Whereas a few irregularities in a company’s accounting
practices could be devastating in a financial audit, even leading to
criminal charges, an ISO audit does not expect perfection in an
organization’s operations. Issues like cost overruns on a project, a
complaint from a customer, or a flaw in a manufactured product could all
be considered acceptable – provided that the organization responds to the
Competing Standards &
ISO 9001 is used by organizations in every region of the world and in
countries ranging from major industrial powers to developing nations. While
there are no directly competing standards, there are several methodologies
that are being used in lieu of or in conjunction with ISO 9001.
The following are the two most recognized:
- Total Quality Management (TQM) – Comprises a
philosophy of management accountability for the quality of goods and
services delivered by an enterprise. TQM proponents assert that any
product, process, service, or methodology can be improved by continuing
to focus on customer needs, developing and using the potential of
employees, managing business processes, and using reliable data to
improve procedures. TQM can be seen as an overarching program that could
include ISO 9001 compliance, but it is not a necessity.
- Six Sigma Methodology – Can be seen as a program,
methodology, and ideal to implement and work with on an ongoing basis.
It promises improved product quality at a lower cost than ISO 9001.
Primarily used for quality control in manufacturing processes, Six Sigma
seeks to Define, Measure, Analyze, Improve, and Control (DMAIC)
business processes in much the same way as ISO 9001 does.
The requirements for the 2015 9001 standard are provided in the official
documentation published by ISO.1 Below is a discussion of the
key requirements that are new or that receive greater emphasis in the 2015
revision. As of September 2018, the 2008 version of the standard is
no longer valid, and organizations that were previously audited based on
the older version are no longer certified.
By making competence a standalone clause instead of combining it with
awareness and training, the 2015 standard puts new emphasis on ensuring that
employees are capable of doing their jobs. In the new standard, training is
not a separate clause but just one of the techniques for ensuring competence
and awareness. Other relevant processes include, for example, hiring and
Broadly speaking, ensuring competence involves the following:
- Identifying the skills and knowledge each employee must have
- Taking actions to make employees competent
- Taking actions to measure and verify competence
Like competence, awareness is now a standalone clause. Awareness means,
in short, that all employees should be engaged in quality management and
held accountable for their part in it. The demands of the awareness
requirement are far reaching, potentially covering any aspect of the ISO
standard. But a short list of the key things of which employees must be
aware is the following:
- The quality policy defined by the organization
- The quality objectives defined by the organization
- How the employee’s job relates to quality goals
- How not conforming with quality requirements can impact operations and
The new standard requires compiling and maintaining “organization
knowledge.” To meet this requirement, organizations must identify what
knowledge is needed and maintain a system for storing and distributing that
knowledge. How these requirements are met will depend on factors that are
specific to the organization, so it is crucial that they carefully analyze
their own needs and document this analysis in places such as management
review meeting notes.
Knowledge management systems do not need to be stored in a specialized
software application, but doing so can be helpful for ensuring that
- Out-of-date information is removed
- Data is presented and organized clearly
- Data is effectively searchable
- Revision control policies and mechanisms are in place
The requirement to demonstrate risk-based thinking is perhaps the most
substantial, far-reaching change in the 2015 version. Maintaining a risk
management team or having a risk management process is not enough to meet
the new requirement. Instead, an organization must demonstrate that it
considers risk at all levels, from executive decision making to front-line
operations, and in all functions. Further, ISO understands risk-based
thinking in a way that is now common in many fields, in which risk is not
simply about avoiding threats but also about considering the costs of lost
opportunities. Therefore, for example, deciding to not implement a new piece
of software over security concerns is not necessarily a good exercise in
risk management. Instead, such an analysis must also consider the business
impact of not using that software.
The Process Approach
The requirement to use a process approach may seem easy to meet, because any
organization uses processes. But what the new ISO standard is looking for is
that processes are well-defined, comprehensive, and, importantly, connected
to each other. Processes must also be both consistent and repeatable.
Often, processes conform to what is known as the Plan-Do-Check-Act (PDCA)
cycle, in which activities are structured based on the following four
- Plan – Determining the expected results and the metrics to indicate
whether the process is successful or if it is failing.
- Do – Putting the process and the measurement implementation into
- Check – Measuring the results of the process.
- Act – Responding to the measurements of the results, such as to make
corrective actions or to implement continual improvements.
After the “Act” stage, this process is then repeated, forming a routine
The new emphasis on demonstrating leadership is perhaps the hardest
requirement to demonstrate. Leadership provided by executives and managers
is, in many senses, an abstract quality. Also, many of the actions that
leaders take, such as giving someone a verbal instruction in a private
meeting, are not recorded and are therefore difficult to present in an
audit. But auditors do not take an “innocent until proven guilty” approach
to meeting this requirement – organizations must demonstrate that they
have met this requirement. To do so, it is helpful to document actions
that executives and managers take, such as when they have allocated funds
to a project, defined policies, or established key performance indicators
(KPIs). The use of KPIs is especially important in the new version of ISO,
and they will have more weight if they are defined at higher levels of an
Organizations are required to support the quality management system in
several ways. This requirement may cover almost any part of the ISO
standard, but the core elements of organizational support involve the
- Assigning and training people
- Providing facilities and technology
- Defining goals and processes
- Defining how success will be monitored and measured
- Maintaining and distributing organizational knowledge
Control of External Providers
The 2015 standard puts new emphasis on how an organization manages its
third-party partners. Organizations are now expected to more thoroughly
extend their quality management practices and policies to, for instance,
suppliers. The audit will consider, in particular, how an organization
does the following:
- Evaluates third parties when deciding whether to use them
- Handles corrective actions that involve partners
- Connects its processes with the processes of partners
The market for ISO 9001 certifications remains large, but it appears to
be flat. Between 2018 and 2019 (the most recent year for which numbers are
available), 9001 certificates grew by just 0.55%, to 883,521.2
The current version of the 9001 standard, 9001:2015, was expected to remain
unchanged for about seven or eight years. But this was just an estimate. ISO
doesn’t follow a rigid update schedule but instead monitors standards based
on whether they are keeping pace with current industry practices. ISO has
not publicly shared plans for releasing a new version, but it did conduct an
online survey, which closed December 31, 2020, asking whether any changes
were needed to the standard.3 The results4 of the survey indicated
that a “slight majority” of 2,221 respondents out of a total of 5,332 preferred
to leave ISO 9001 unchanged, while 36 percent of the survey takers opted to
revise the standard.
ISO requirements take time to meet, and auditors want to see that
processes have been used for a while. Therefore, putting ISO-compliant
practices into place right before an audit is not a good plan. Instead, an
organization should implement and widely use ISO practices for a
significant amount of time, fine-tuning them based on evidence about how
they are performing. Starting now is especially important in respect to
new elements such as risk-based thinking and leadership, for which the
goal is not simply to check off a box in a list of requirements but
instead to demonstrate that these practices are deeply ingrained in the
Work with the Registrar and Auditor
Organizations would be wise to consult with the registrar performing the
audit to clarify ambiguities and to get answers to questions. Organizations
should not assume that their own interpretations will be correct or that
they will be able to stand on the strict letter of the ISO standard’s text.
Instead, an organization should seek to understand how an auditor will
measure compliance with the standard’s new elements.
Conduct a Gap Analysis
A gap analysis is a comprehensive formal process that identifies the
differences between an organization’s current practices and what it needs
to be doing in order to be ISO compliant. Performing such an analysis is a
good step for both organizations that are seeking first-time
certification and for those transitioning from the previous to the new
Update, Don’t Replace, the Quality Management System
Whether an organization is new to ISO or transitioning to the new
version, it is best to think of the challenge as one of adapting existing
quality management processes to new requirements, not as scrapping existing
processes and making wholesale changes. The intent of ISO is to provide a
framework that is suitable to a broad range of organizations, each with
its own needs and approaches. In fact, some auditors prefer that an
organization’s quality management system not follow the structure and
terminology of the ISO standard too closely, since such close adherence
arguably demonstrates that the organization has not adapted ISO concepts to
its own needs and environment.
Look for Root Causes
An organization can help itself in meeting many ISO requirements by
looking for root causes, which are the ultimate reasons that a certain
problem occurred. For example, if a project team misses a deadline, the
root cause could be investigated by discovering that the deadline was not
communicated clearly, then finding out that the policy for
communicating deadlines is incomplete, and then discovering that the
policy was never fully reviewed by management. Here, the root cause would
be how the organization reviews quality management policies.
Finding root causes is helpful because it identifies issues that have
wide-ranging effects. For example, not fully reviewing policies could
affect many functions. Identifying root causes can help, in particular, in
demonstrating risk-based thinking and the process approach. Also,
although the metaphor of looking for a root implies looking downward, the
process is typically directed upward – toward management and executives
and toward core policies and practices.
A misconception about the 2015 standard is that it doesn’t require
records. While the new version is not as specific about the kinds of
records that need to be kept, organizations still need to demonstrate
compliance to auditors and maintain their systems based on evidence, both
of which require good recordkeeping. The new standard offers
flexibility regarding keeping records so that organizations can develop
their own policies and practices, not so that they can ignore the need to
Seek Business Gains
Finally, it is helpful to seek business advantages when meeting ISO
requirements. Organizations that become certified simply to gain an
impressive credential miss an opportunity to improve key processes and to
better meet the needs of their customers. Also, such organizations may
even hurt their chances of earning a certification because auditors do not
want to see that meeting ISO requirements is handled separately from
everyday activities or being conducted parallel to processes that drive
actual operations. Instead, auditors want to see that organizations
are using concepts like KPIs, management review meetings, and internal
audits to structure and motivate all business functions.
Benefits commonly sought by becoming ISO 9001 certified are:5
- Improving processes
- Improving quality (e.g., improving safety for patients in healthcare)
- Containing costs
- Meeting customer requirements
- Improving customer satisfaction
- Increasing sales and profits
1 “ISO 9001: Quality Management Systems – Requirements: Fifth Edition.” International Organization for Standardization. September 15, 2015.
2 Liza Horielikova. “Which ISO Standards Are the Most Popular – Analysis of ISO 2019 Survey.” Advisera: The Compliance Blog. November 3, 2020.
3 “Committee Responsible for ISO 9001:2015
Announces ISO 9001 User Survey 2020.” Quality Digest. August 13,
4 “Public Report on the Results of the ISO 9001 User Survey 2020.” International Organization for Standardization. May 2021.
5 This list is based in part on the following sources:
- Rahmat Nurcahyo, Zulfadlillah, and Muhammad Habiburrahman. “Relationship
Between ISO 9001:2015 and Operational and Business Performance of
Manufacturing Industries in a Developing Country (Indonesia).” Heliyon, Volume 7,
- Patricia F.S. Siltori, Izabela Simon Rampasso, Vitor WB Martins, Rosley
Anholon, Dirceu Silva, Jefferson Souza Pinto, and Walter Leal Filho.
“Analysis of the Motivations for ISO 9001: 2015 Adoption in the Brazilian
Business Context.” Quality Management Journal, Volume 28, 2021,
- Scott Rupp. “Learning About ISO 9001 for the Healthcare Industry.” Electronic
Health Reporter. July 29, 2020.
International Organization for Standardization: http://www.iso.org/
About the Author
Geoff Keston is the author of more than 250 articles
that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.