Sept

Sept 2015

2015

ISO 9001:2015 & you!

SOME ANSWERS TO YOUR QUESTIONS ABOUT THE
REVISED QUALITY MANAGEMENT SYSTEM STANDARD

DR JOHN FITZGERALD
deGRANDSON Global
 deGRANDSON Global

ISO 9001:2015 and you!

ISO 9001:2015 was approved by the appropriate ISO Technical Committee and from September
2015 the three -year transition period begins. Copies can be purchased from the usual sources.

Whether your organisation is certified to ISO 9001:2008 or you’re interested in gaining

certification to the revised Standard, or if you’re an internal auditor or a lead auditor wondering
how and when the 2015 Standard will affect you, we’ve got some answers for you.

We will consider…

The need for change ______________________________________________________________________ 3

The main changes ________________________________________________________________________ 3
The transition to the new Standard __________________________________________________________ 7
How soon can I start the transition process? ________________________________________________________ 7
How long will ISO 9001:2008 continue to be recognised and audited to? _________________________________ 7
Can I upgrade in 2016 during a re-certification audit? __________________________________________________ 7
Will the transition mean additional CB days and additional costs? _______________________________________ 7
What if I want to transition before the end of my 3-year CB Contract? ____________________________________ 7
Will my CB Audits to ISO 9001:2015 be any different? __________________________________________________ 8
How do I find out how far we are through the transition process? _______________________________________ 8
What if I want an extension to scope? Does that have to be to the 2015 version of the standard? ______________ 8
I’m currently implementing/considering certification to ISO 9001, what should I do? ________________________ 8
I have an integrated system including ISO 14001 and OHSAS 18001, how will the changes to ISO 9001 and these
standards affect my system and transition? _________________________________________________________ 8
I have questions regarding my certification now – who do I talk to? _____________________________________ 8
Are there things we should do in advance of the transition? ____________________________________________ 8

Conversion of auditor certification __________________________________________________________ 9

I’m presently a qualified lead auditor/internal auditor, do I need to retrain for the new version of the standard? _ 9
We are certified to both ISO 9001 and ISO 14001. Do I need to undergo training for both standards? ___________ 9
FAQs ___________________________________________________________________________________ 9
What are the benefits of the new version of ISO 9001? ________________________________________________ 9
Can I get a summary of the changes between ISO 9001:2008 and ISO 9001:2015? ___________________________ 9
Are organizations still allowed to exclude requirements of ISO 9001? ___________________________________ 10
The title of management representative has been removed. How is the performance of the system reported to
top management? ____________________________________________________________________________ 10
Do I still need to maintain a quality manual? ________________________________________________________ 10
What is meant by the ‘context of the organization’? (Clause 4) ________________________________________ 10
What are the ‘needs and expectations associated with interested parties’? (Clause 4.2) ____________________ 10
What is meant by ‘organizational knowledge’? (Clause 7.1.6) ___________________________________________ 11
Documents and records have been replaced by ‘documented information’. What does this mean? (Clause 7.5) __ 11
Why has Purchasing changed to ‘Control of externally provided processes, products and services’? (Clause 8.4) _ 11

Page 2 of 12
 deGRANDSON Global

What has happened to validation of processes or what used to be called ‘special processes’? (Clause 8.5) ______ 11
What is meant by post-delivery activities and what is the extent of an organization’s responsibility? (Clause 8.5.5)11
What is the difference in the standard between ‘improvement’ and ‘continual improvement’? (Clause 10) ______ 11

The need for change

ISO 9001, the world’s leading international quality standard has helped more than 1.5 million
organizations to improve their quality and operational performance since it was first published as
BS 5750 in 1979. The new version ensures ISO 9001 maintains relevance in today’s marketplace
and continues to offer organizations improved performance and business benefits.

The intention is that the 2015 Standard be a powerful business improvement tool for
organizations of all sizes and, in manufacturing or service industries, to be used to help them
remain resilient and achieve sustainable growth.

The last restructuring of the standard was in 2000 when the process approach was introduced.
Since then the way we do business has changed enormously. Today we all have instant access to
information, and expectations of higher individual and corporate performance, while we deal
with more complex supply chains and operate in a global economy.

ISO 9001:2015 has been revised to take these changes into account. In particular, you will find in
the revised Standard…

• Greater emphasis on building a management system suited to each organization’s

particular needs;
• A requirement that those at the top of an organization be involved and accountable,
aligning quality with wider business strategy;
• Risk-based thinking throughout the standard makes the whole management system a
preventive tool and encourages continual improvement;
• Less prescriptive requirements for documentation;
• Alignment with other key management system standards through the use of a common
structure and core text.

ISO 9001:2015 brings quality management and continual improvement into the heart of an
organization. The new standard is an opportunity for organizations to align their strategic
direction with their quality management system and means that it can be used to help enhance
and to monitor the performance of an organization.

The main changes

ISO 9001:2015 is based on Annex SL – the new high level structure. This is a common framework
for all ISO management system standards and helps to

Page 3 of 12
 deGRANDSON Global

1. keep consistency,
2. align different management system standards,
3. offer matching sub-clauses and
4. apply common language across all standards.

Risk has always been a feature of ISO 9001; however, now it has become more explicit and is
expanded to include the whole management system. It uses a risk-based approach throughout
and requires that each organization identifies, plans for and takes actions on those risks and
opportunities that are relevant to achieving the intended outcomes of the management system.

There are 10 clauses within the standard and these are the main changes:

Clause 1 is very similar to the 2008 version covering the scope of the standard and there has been
very little change to this clause.

Clauses 2 and 3 cover normative references and term and definitions, both these clauses
reference ISO 9000, Quality Management System (QMS) Fundamentals and vocabulary, which
provides valuable guidance. There are no other normative references, that is, no other
mandatory standards and guides that must be incorporated into your QMS.

The remainder of the clauses include some new key elements which need to be considered when
implementing the new standard.

Clause 4: Context of the Organization

This is a new clause that establishes the context of the QMS and how the business strategy
supports this. The ‘context of the organization’ is the clause that underpins the rest of the new
standard.

The organization will need to determine external and internal issues that are relevant to its
purpose and would have an impact on what the organization does. Secondly, an organization will
also need to identify the “interested parties” that are relevant to their QMS. Each organization
will identify their own unique set of “interested parties” and over time these may change.

Next, the scope of the QMS must be determined which should consider any outsourced functions
or processes if they are relevant.

The new standard does not make any reference to exclusions. However, in Annex A, the
standard clarifies that the organization cannot decide a requirement to be not applicable if it falls
within the scope of its QMS.

The final requirement of Clause 4 is to establish, implement, maintain and continually improve the
QMS.

Clause 5: Leadership

This clause places requirements on “top management” which is the person or group of persons
that directs and controls the organization at the highest level.

Page 4 of 12
 deGRANDSON Global

It is no longer a requirement to have a “Management Representative” who is responsible for the

QMS.

Top management now have greater involvement in the management system and must ensure
that the requirements are integrated into the organization’s processes and that it is compatible
with the strategic direction of the organization. The quality policy should be a living document, at
the heart of the organization.

There is also a greater focus on top management to enhance customer satisfaction by identifying
and addressing risks and opportunities that could affect this.

Clause 6: Planning

Planning has always been a familiar element of ISO 9001, but now there is an increased focus on
ensuring that it is considered with Clause 4.1 ‘context of the organization’ and Clause 4.2
‘interested parties’.

One of the key purpose of implementing a QMS is to act as a preventive tool. As a result, the
formal requirement for preventive action has been removed. This is being replaced by risk-based
thinking. This approach applies throughout the QMS and requires that each organization
identifies, plans for and takes actions on those risks and opportunities which are relevant to
achieving the intended outcomes of the management system. There is, however, no
requirement for implementing a formal risk management process (though there is no barrier to
the use of risk management tools and methods, as many will).

The organization will, then, need to plan…

1. actions to address both risks and opportunities,

2. how to integrate and implement the actions into its management system processes and
3. evaluate the effectiveness.

Actions must be monitored, managed and communicated across the organization.

Another key element of this clause is the need to establish measurable quality objectives. This
retains some of the requirements contained in Clause 5.4 of the 2008 version but is more specific.

Clause 7: Support

Clause 7 ensures there are the appropriate resources, people and infrastructure to meet the
organizational goals. Simply expressed, this is a very powerful requirement covering all QMS
resource needs and now covers both internal and external resources.

Organizational knowledge is a new requirement which deals with requirements for competence,
awareness, and communication of the QMS.

Personnel must not only be aware of the quality policy, but they must also understand how they
contribute to it and what the implications of their not conforming are.

Page 5 of 12
 deGRANDSON Global

There is a key requirement to maintain the knowledge held by an organization to ensure

conformity of products and services. The preservation and protection of this base data is the
issue here.

Finally, there are the requirements for “documented information”. This is a new term, which
replaces the references in the 2008 standard to “documents” and “records”. Organizations need
to determine the level of documented information necessary to control the QMS.

Generally, (there are a few exceptions), the comparison between the versions can be stated as…

Documented procedures in ISO 9001:2008 = Maintain documented information in ISO 9001:2015

Records in ISO 9001:2008 = Retain documented information in ISO 9001:2015

Clause 8: Operation

This clause deals with the execution of the plans and processes and includes much of what was
previously referred to in Clause 7 of the 2008 version.

However, there is a greater emphasis on the control of processes especially planned changes and
the review of the consequences of unintended changes, and mitigating any adverse effects, as
necessary.

The revised version of the standard also acknowledges the trend towards greater use of
subcontractors and outsourcing, whose performance should be monitored.

There is also a new clause which covers post-delivery activities. This could include activities such
as maintenance programs, and activities covering final disposal or recycling of the product.

Clause 9: Performance Evaluation

Performance evaluation covers many of the areas previously featured in Clause 8 of the 2008
version. Requirements for monitoring, measurement, analysis and evaluation are covered and
organizations will need to consider what needs to be measured, methods employed, when data
should be analysed and reported on and at what intervals.

There is now an emphasis on directly seeking out information that relates to how customers view
the organization. Organizations must actively seek out information on customer perception.
There is now an explicit requirement that organizations must show how the analysis and
evaluation of this data is used, especially with regards to the need for improvements to the QMS.

Internal audits must also be conducted and this is largely unchanged from those in the 2008
version. Management reviews are still required but there are additional requirements including
the consideration of changes in external and internal issues that are relevant to the QMS.

Clause 10: Improvement

The final clause starts with a new section that organizations should determine and identify
opportunities for improvement. There is also a need to actively look for opportunities to improve

Page 6 of 12
 deGRANDSON Global

processes, products and services, and the QMS, especially with future customer requirements in
mind.

Due to the new way of handling preventive actions, there are no preventive action requirements
in this clause. However, there are some new corrective action requirements, which are very
similar to preventive action (the prevention of potential non-conformities).

The requirement for continual improvement has been extended to cover the suitability and
adequacy of the QMS as well as its effectiveness, but it no longer specifies how an organization
achieves this.

The transition to the new Standard

All organizations currently certified to ISO 9001:2008 will need to transition to the new
requirements by September 2018. The IAF has stipulated that the transition period is three years
from the date of publication of the revised Standard.

How soon can I start the transition process?

You can start preparing for the transition immediately, educating the relevant people in your
business and re-structuring your processes in line with the new high level structure. We suggest
that you build new processes outside of your existing system, ready for subsequent transition to
ISO 9001:2015.

How long will ISO 9001:2008 continue to be recognised and audited to?
The current standard will be recognized and can be audited to until the end of the 3 -year
transition period for ISO 9001:2015. Please note, all organizations must transition to the new
standard by the transition deadline at which point certificates for ISO 9001:2008 will no longer be
valid.

Can I upgrade in 2016 during a re-certification audit?

Yes, providing your system meets all of the requirements of ISO 9001:2015. But make sure your
Certification Body (CB) has completed its transition, namely, that it has accreditation to the new
Standard. It is unlikely that any CB will have competed their transition before April 2016.

In any case, what’s the rush? There’s a learning curve for accreditation boards and CBs as well as
for certified organisations. Wait and see which are the most effective ways of meeting the
specific requirements of the revised Standard, especially the new ones.

Will the transition mean additional CB days and additional costs?

It is expected that organisations will transition during the course of their continuing audit visits
and there will be a modest requirement for additional time to review and assessment your
implementation of the new requirements.

What if I want to transition before the end of my 3-year CB Contract?

You may transition as soon as the 3 -year transition period begins; however, this may require
additional days and as such, you may incur additional costs. Talk to your CB.

Page 7 of 12
 deGRANDSON Global

Will my CB Audits to ISO 9001:2015 be any different?

Although there will be some similarities to the way audits are carried out (they will still be based
on ISO 19011 and ISO 17021), there are some important differences to be aware of. The CB will
need to meet with top management during your audit and so they will be included for interview
in the audit plan.

How do I find out how far we are through the transition process?
Your CB should be in contact with you to discuss this. Additionally, your Lead Auditor should
discuss your transition progress at each audit visit to see where you are on your journey.

What if I want an extension to scope? Does that have to be to the 2015 version of the standard?
No, you can extend the scope of your existing certificate against the 2008 version of the
standard. You must however transition by September 2018, otherwise your certificate will be
invalid.

I’m currently implementing/considering certification to ISO 9001, what should I do?

If you have already started implementing ISO 9001:2008, continue as planned - you still have until
September 2018 to transition to the new standard. Do familiarise yourself with the new high level
structure, so that you can keep this in mind.

If you haven’t started implementation yet, we would recommend that you obtain a copy of the
2015 version and implement this version.

I have an integrated system including ISO 14001 and OHSAS 18001, how will the changes to ISO
9001 and these standards affect my system and transition?
The proposed changes to all three standards will make system integration much easier as there is
greater alignment between the documents. However, as they have different projected
publication dates and transitions, you will need to plan your transitions carefully to retain
certification on each. Talk to your CB who will help you plan this process.

Transitioning to the new standard provides a great opportunity to integrate your systems into
one, should you wish to do so. Obtaining a copy of PAS 99, a BSI Specification, may be of benefit
as it contains valuable guidance on the design and structure of an Integrated Management
System

I have questions regarding my certification now – who do I talk to?

Call your CB who will be happy to answer your specific questions.

Are there things we should do in advance of the transition?

Yes, there’s no need to wait years to make changes you could benefit from immediately. Here
are some suggestions…

• Review your current approach and ‘spring clean’ where appropriate.

• Engage with the leaders of the business as many of the proposed changes will impact on
them and help them understand those issues that they must manage and those they can
delegate.

Page 8 of 12
 deGRANDSON Global

• Review your approach to identification, management and control of your processes.

• Start to consider how you can adopt and benefit from the concept of risk and
opportunity management.
• Read the introduction section of the Standard, it contains some very valuable guidance
on the concepts contained in the standard.
• Also read ISO 9002:2015, Guidelines for the application of ISO 9001:2015, which will be
particularly useful for SMEs and for service businesses.

Conversion of auditor certification

I’m presently a qualified lead auditor/internal auditor, do I need to retrain for the new version
of the standard?
Whilst your existing knowledge and experience is invaluable, this is the biggest change to the
standard in a decade.

It’s vital you understand the new requirements, which won’t be familiar.

We would recommend that you take the relevant Auditor Conversion Course as this will build on
your existing knowledge and help you to feel confident about the new version of the standard.

We are certified to both ISO 9001 and ISO 14001. Do I need to undergo training for both
standards?
There are important changes to both standards. We would recommend that you take formal
training for both Standards to make sure you fully understand what this means to your
organization.

FAQs

What are the benefits of the new version of ISO 9001?

 Less prescriptive, but with greater focus on achieving conforming products and services
 More user friendly for service and knowledge-based organizations
 Greater leadership engagement
 More structured planning for setting objectives
 Management review is aligned to organizational results
 The opportunity for more flexible documented information
 Addresses organizational risks and opportunities in a structured manner
 Addresses supply chain management more effectively
 Opportunity for an integrated management system that addresses other elements such
as environment, health & safety, business continuity, etc.

Can I get a summary of the changes between ISO 9001:2008 and ISO 9001:2015?
We have produced a mapping guide which compares the clauses between both versions of the
standard. It is called ‘Comparison of ISO 9001:2008 vs ISO 9001:2015’. It also gives the reverse
comparison, i.e., it compares the 2015 Standard against the 2008 one. This is a useful document
that will help you to quickly identify the key changes and the clauses they refer to.

Page 9 of 12
 deGRANDSON Global

Are organizations still allowed to exclude requirements of ISO 9001?

ISO 9001:2015 no longer refers to “exclusions” in relation to the applicability of its requirements
to the organization’s QMS. However, an organization can determine the applicability of
requirements. All requirements in the new standard are intended to apply. The organization can
only decide that a requirement is not applicable if its decision will not affect its ability or
responsibility to ensure the conformity of products and services to customer requirements and
the enhancement of customer satisfaction.

The title of management representative has been removed. How is the performance of the
system reported to top management?
Although the prescriptive title of a management representative has been deleted, it is up to top
management to ensure that the roles and responsibilities are assigned for reporting on the
performance of the QMS. Some organizations might find it convenient to maintain their current
structure, with a single person carrying out this role. Others might take advantage of the
additional flexibility to consider other structures depending on their organizational context.

Do I still need to maintain a quality manual?

While there is no specific requirement for a quality manual in ISO 9001:2015, there is a
requirement to provide evidence of “documented information” to support the QMS. As long as
the information needed to evidence the management system is kept and available, how an
organization does it is not important. While most organizations are expected to keep a dedicated
quality manual, some will use a less centralised approach. This recognizes changes in technology
and the differing media now used to record, monitor and retrieve information.

What is meant by the ‘context of the organization’? (Clause 4)

This is the combination of those internal and external factors that affect an organization's
approach to the way in which it provides products and services that are delivered to its customer.

External factors can include, for example, cultural, social, political, legal, regulatory, financial,
technological, economic, and competitive environment, at the international, national, regional or
local level.

Internal factors typically include the organization’s corporate culture, governance, organizational
structure, technologies, information systems, and decision-making processes (both formal and
informal).

What are the ‘needs and expectations associated with interested parties’? (Clause 4.2)
The organization will need to determine the interested parties that are relevant to the quality
management system and the requirements of those interested parties, as outlined in clause 4.2.
This does not extend past the quality management system requirements and the scope of this
International Standard.

As stated in the scope, this International Standard is applicable where an organization needs to
demonstrate its ability to consistently provide products and services that meet customer and
applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.

Page 10 of 12
 deGRANDSON Global

What is meant by ‘organizational knowledge’? (Clause 7.1.6)

Organizational knowledge is knowledge specific to the organization; it is gained by experience. It
is information that is used and shared to achieve the organization’s objectives. Requirements
regarding organizational knowledge were introduced for the purpose of safeguarding the
organization from loss of knowledge and encouraging the organization to acquire new
knowledge as its business context changes.

Documents and records have been replaced by ‘documented information’. What does this
mean? (Clause 7.5)
Documentation, documents and records are now collectively referred to as documented
information. Where that documented information might be subject to change (as in the case of
procedures, work instructions, etc.), organizations are required to MAINTAIN the information up-
to-date; where the information is not normally subject to change (for example, records) the
organization is required to RETAIN that information.

Why has Purchasing changed to ‘Control of externally provided processes, products and
services’? (Clause 8.4)
This change reflects the fact that not all products, services or processes that an organization
acquires are necessarily purchased in the traditional sense. Some may be acquired from other
parts of a corporate entity, for example, as part of a shared pool of resources, products donated
by benefactors or services provided by volunteers.

What has happened to validation of processes or what used to be called ‘special processes’?
(Clause 8.5)
Although there is no longer a standalone sub-clause, this requirement continues, and has been
incorporated into the sub-clause on control of production and service provision. (See clause
8.5.1).

What is meant by post-delivery activities and what is the extent of an organization’s

responsibility? (Clause 8.5.5)
This means that, based on customer agreements or other requirements, the organization may be
responsible for providing support for their product or service after delivery. This could include,
for example, technical support, routine maintenance, or in some cases recall.

What is the difference in the standard between ‘improvement’ and ‘continual improvement’?
(Clause 10)
ISO 9001:2008 used the term continual improvement to emphasize the fact that this is an
ongoing activity. However, it is important to recognize that there are a number of ways in which
an organization may improve. Small step continual improvement is only one of these. Others may
include breakthrough improvements, re-engineering initiatives or innovation. ISO 9001:2015
therefore uses the more general term improvement, of which continual improvement is one but
not the only component.

____________________________________________________

References

Page 11 of 12
 deGRANDSON Global

The following sources were used in the preparation of these notes:

1. Various Articles: www.iso.org/tc176/sc02/public,2015, ISO/TC 176/SC2

2. Article: The New ISO 9001:2015: Why It’s Still Relevant and What are the Changes, 27-Jul-
2015, Quality Magazine
3. Booklet: ISO 9001:2015: Frequently Asked Questions, July 2015, BSI

Page 12 of 12