Transitioning To ISO 9001:2008 - Considerations For Internal Auditors


Transitioning to ISO 9001:2008

Considerations for Internal Auditors

Instructor: Don Wood, ISOmatrix Senior Specialist

Review of Changes from ISO 9001:2000 to ISO 9001:2008

High-level summary of changes

Emphasis on product conformity to requirements as the focus of the QMS
Addition of "statutory and" to clauses that previously only referenced "regulatory requirements"
Changes in terminology:
  Measuring "equipment" vs. "devices": better alignment with ISO 9000:2005
  "Determine" vs. "identify": implies that more review and analysis (especially with regard to processes) should take place
Increased use of "Where applicable", placing more onus on organizations to use judgment in how requirements are applied within their QMS
Expanded use of notes to clarify the intent of requirements and provide more examples for organizations to use
Numerous changes to improve grammar, flow and ease of translation into other languages
Improved alignment with ISO 14001:2004
Updated references, both internally within ISO 9001:2008 and externally to other management system and guidance standards

What didn't change

No new requirements for documented procedures
No requirements for documented procedures removed, either
By most interpretations, no new requirements, period; merely minor modifications to existing requirements
  Some of these modifications have implications for internal auditors
No changes in the certification process
No changes in the auditing process or auditing guidelines


Transitioning to ISO 9001:2008

Maximum 24 month implementation from publication

Nov. 15, 2008: ISO 9001:2008 released
Nov. 15, 2009 (12 months): All NEW certificates must be issued against ISO 9001:2008
Nov. 15, 2010 (24 months): Existing ISO 9001:2009 certificates no longer valid (maximum allowed time to upgrade)

Key to summary of changes

Clause 0.3 Relationship with ISO 9004

ISO 9001:2000

The present editions of ISO 9001 and ISO 9004 have been developed as a consistent pair of quality management system standards which have been designed to complement each other, but can also be used independently. Although the two International Standards have different scopes, they have similar structures in order to assist their application as a consistent pair.

ISO 9001 specifies requirements for a quality management system that can be used for internal application by organizations, or for certification, or for contractual purposes. It focuses on the effectiveness of the quality management system in meeting customer requirements.

ISO 9004 gives guidance on a wider range of objectives of a quality management system than does ISO 9001, particularly for the continual improvement of an organization's overall performance and efficiency, as well as its effectiveness. ISO 9004 is recommended as a guide for organizations whose top management wishes to move beyond the requirements of ISO 9001, in pursuit of continual improvement of performance. However, it is not intended for certification or for contractual purposes.

Text removed from ISO 9001:2000

ISO 9001:2008

ISO 9001 and ISO 9004 are quality management system standards which have been designed to complement each other, but can also be used independently.

ISO 9001 specifies requirements for a quality management system that can be used for internal application by organizations, or for certification, or for contractual purposes. It focuses on the effectiveness of the quality management system in meeting customer requirements.

At the time of publication of this International Standard, ISO 9004 is under revision. The revised edition of ISO 9004 will provide guidance to management for achieving sustained success for any organization in a complex, demanding, and ever changing, environment. ISO 9004 provides a wider focus on quality management than ISO 9001; it addresses the needs and expectations of all interested parties and their satisfaction, by the systematic and continual improvement of the organization's performance. However, it is not intended for certification, regulatory or contractual use.

Text added to ISO 9001:2008


Caution!
What follows is NOT a complete summary of changes from
the 2000 to the 2008 version of ISO 9001
Rather, this is a listing of changes we feel are of greatest
concern to internal auditors and their management
Internal auditors MUST review ISO 9001:2008 in detail and
review ALL of the changes to ensure adequate competency
as auditors
There are a number of excellent articles and summaries
available online
Major certification bodies
Quality Digest
ASQ
ISO
Whittington Group

Clause 4.1 General requirements

ISO 9001:2000

The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.

The organization shall

a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2),
b) determine the sequence and interaction of these processes,
c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective,
d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes,
e) monitor, measure and analyse these processes, and
f) implement actions necessary to achieve planned results and continual improvement of these processes.

These processes shall be managed by the organization in accordance with the requirements of this International Standard.

ISO 9001:2008

The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.

The organization shall

a) determine the processes needed for the quality management system and their application throughout the organization (see 1.2),
b) determine the sequence and interaction of these processes,
c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective,
d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes,
e) monitor, measure where applicable, and analyse these processes, and
f) implement actions necessary to achieve planned results and continual improvement of these processes.

These processes shall be managed by the organization in accordance with the requirements of this International Standard.


Clause 4.1 General requirements (cont'd)

ISO 9001:2000

Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.

NOTE Processes needed for the quality management system referred to above should include processes for management activities, provision of resources, product realization and measurement.

ISO 9001:2008

Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

NOTE 1 Processes needed for the quality management system referred to above include processes for management activities, provision of resources, product realization, measurement, analysis and improvement.

NOTE 2 An outsourced process is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party.

NOTE 3 Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as
a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements,
b) the degree to which the control for the process is shared,
c) the capability of achieving the necessary control through the application of 7.4.


Impact of changes - 4.1 General requirements

Effect of changes

"Determine" vs. "identify" processes: clearer intent, easier to translate
Subclause e) removes requirement to measure ALL QMS processes. Now organizations can use judgment as to where measurement of a process (vs. monitoring and analysis) is warranted
Note 1 expands scope of required QMS processes to include processes for analysis and improvement
Outsourced processes:
  Expands definition: can include QMS processes performed by other entities within an organization (i.e. corporate HQ, design centers, distribution centers) as well as by third parties
  Emphasizes point that organizations are held responsible for performance of outsourced processes
  Lists factors that should be considered in defining controls on outsourced processes

Auditing Considerations

Re: Subclause e): The use of "Where applicable" here has implications for both QMS design and auditing; more on this later in the presentation
Re: Note 1: Auditors should ensure that processes for analysis and improvement are defined within the QMS, and documented where deemed necessary
Re: Outsourced processes: Auditors should carefully review how their organization has identified any outsourced processes, and how control of such processes is identified within their QMS.

Clause 4.2.1 (Documentation Requirements) General

ISO 9001:2000

The quality management system documentation shall include

a) documented statements of a quality policy and quality objectives,
b) a quality manual,
c) documented procedures required by this International Standard,
d) documents needed by the organization to ensure the effective planning, operation and control of its processes, and
e) records required by this International Standard (see 4.2.4).

NOTE 1 Where the term "documented procedure" appears within this International Standard, this means that the procedure is established, documented, implemented and maintained.

NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to
a) the size of organization and type of activities,
b) the complexity of processes and their interactions, and
c) the competence of personnel.

NOTE 3 The documentation can be in any form or type of medium.

ISO 9001:2008

The quality management system documentation shall include

a) documented statements of a quality policy and quality objectives,
b) a quality manual,
c) documented procedures and records required by this International Standard, and
d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.

NOTE 1 Where the term "documented procedure" appears within this International Standard, this means that the procedure is established, documented, implemented and maintained. A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.

NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to
a) the size of organization and type of activities,
b) the complexity of processes and their interactions, and
c) the competence of personnel.

NOTE 3 The documentation can be in any form or type of medium.

Impact of changes - 4.2.1 Documentation requirements - General

Effect of changes

Emphasizes that both records required by ISO 9001:2008 AND records deemed necessary by the organization are considered part of an organization's QMS documentation
With regard to documented procedures required by ISO 9001:2008, clarifies the intent that organizations can structure their QMS documentation any way they choose: one procedure to address a requirement for a documented procedure, or many procedures, or one procedure to address multiple documented procedure requirements (i.e. Document AND Record Control, Corrective AND Preventive Action)

Auditing Considerations

Re: Note 1: Auditors now have clear direction from ISO concerning their organization's freedom to be flexible in how they structure their QMS documentation


Clause 4.2.3 Control of documents

ISO 9001:2000

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

A documented procedure shall be established to define the controls needed

a) to approve documents for adequacy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the current revision status of documents are identified,
d) to ensure that relevant versions of applicable documents are available at points of use,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure that documents of external origin are identified and their distribution controlled, and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

ISO 9001:2008

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

A documented procedure shall be established to define the controls needed

a) to approve documents for adequacy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the current revision status of documents are identified,
d) to ensure that relevant versions of applicable documents are available at points of use,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.


Impact of changes - Control of documents

Effect of changes

Subclause f) clarifies the intended scope of external documents
Improves alignment of 4.2.3 f) with its corresponding requirement in ISO 14001:2004 (4.4.5 f)

Auditing Considerations

Auditors should review controls on external documents. The focus of this requirement is clearly on external documents pertaining to conformity to product requirements. You may be over- (or under-) controlling these documents
Examples may include customer-supplied drawings, customer specifications and product standards, nationally- or industry-recognized standards (i.e. ASTM, ASME, commodity-specific), statutory/regulatory requirements (FMVSS, FAA, FDA)
Keep in mind that documents can be hard copy or electronic


Clause 6.2.1 (Human resources) General

ISO 9001:2000

Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.

ISO 9001:2008

Personnel performing work affecting conformity to product requirements shall be competent on the basis of appropriate education, training, skills and experience.

NOTE Conformity to product requirements can be affected directly or indirectly by personnel performing any task within the quality management system.


Impact of changes - Human resources - General

Effect of changes

Emphasizes the definition of "product quality" as the degree of conformance to product requirements
Clarifies the intended scope of competency, training and awareness

Auditing Considerations

Ensure that this requirement is applied appropriately within your organization:
  Employees that impact product quality, directly or indirectly
  Contract personnel that impact product quality, directly or indirectly
  Temporary personnel that impact product quality, directly or indirectly

Clause 6.2.2 Competence, training and awareness (was Competence, awareness and training)

ISO 9001:2000

The organization shall

a) determine the necessary competence for personnel performing work affecting product quality,
b) provide training or take other actions to satisfy these needs,
c) evaluate the effectiveness of the actions taken,
d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and
e) maintain appropriate records of education, training, skills and experience (see 4.2.4).

ISO 9001:2008

The organization shall

a) determine the necessary competence for personnel performing work affecting conformity to product requirements,
b) where applicable, provide training or take other actions to achieve the necessary competence,
c) evaluate the effectiveness of the actions taken,
d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and
e) maintain appropriate records of education, training, skills and experience (see 4.2.4).


Impact of changes - Competence, training and awareness

Effect of changes

Again, "conformity to product requirements" vs. "product quality"
Subclause b): "where applicable" allows organizations to use judgment regarding the need for training or other actions
  Long-term employees
  Very simple tasks
Keeps focus on competence

Auditing Considerations

Subclause b): "Where applicable"; more on this later
Competence: "Demonstrated ability to apply knowledge and skills" (ISO 9000:2005 3.1.6). How is competence assessed (vs. simple delivery of training)? This is often fertile ground for auditing
Good technique: assess process/product performance to requirements, compare to training provided.

Clause 6.3 Infrastructure

ISO 9001:2000

The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable

a) buildings, workspace and associated utilities,
b) process equipment (both hardware and software), and
c) supporting services (such as transport or communication).

ISO 9001:2008

The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable,

a) buildings, workspace and associated utilities,
b) process equipment (both hardware and software), and
c) supporting services (such as transport, communication or information systems).


Impact of changes - 6.3 Infrastructure

Effect of changes

Subclause c): "such as" list now includes information systems

Auditing Considerations

Assess the impact of information systems on conformance to customer, statutory and regulatory requirements and ensure that 6.3 requirements are appropriately addressed (if they're not already)


Clause 7.2.1 (Customer-related processes) Determination of requirements related to the product

ISO 9001:2000

The organization shall determine

a) requirements specified by the customer, including the requirements for delivery and post-delivery activities,
b) requirements not stated by the customer but necessary for specified or intended use, where known,
c) statutory and regulatory requirements related to the product, and
d) any additional requirements determined by the organization.

ISO 9001:2008

The organization shall determine

a) requirements specified by the customer, including the requirements for delivery and post-delivery activities,
b) requirements not stated by the customer but necessary for specified or intended use, where known,
c) statutory and regulatory requirements applicable to the product, and
d) any additional requirements considered necessary by the organization.

NOTE Post-delivery activities include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.


Impact of changes - 7.2.1 Determination of requirements related to the product

Effect of changes

Subclauses c) and d): clarifies intent of requirement
Note: Clarifies definition and gives examples of post-delivery services; encourages consideration of entire product lifecycle

Auditing Considerations

Ensure that any customer-required post-delivery services are determined and reviewed during contract review/quotation processes (or their equivalent in your organization)


Clause 7.3.1 (Design and development) Design and development planning

ISO 9001:2000

The organization shall plan and control the design and development of product.

During the design and development planning, the organization shall determine

a) the design and development stages,
b) the review, verification and validation that are appropriate to each design and development stage, and
c) the responsibilities and authorities for design and development.

The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.

Planning output shall be updated, as appropriate, as the design and development progresses.

ISO 9001:2008

The organization shall plan and control the design and development of product.

During the design and development planning, the organization shall determine

a) the design and development stages,
b) the review, verification and validation that are appropriate to each design and development stage, and
c) the responsibilities and authorities for design and development.

The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.

Planning output shall be updated, as appropriate, as the design and development progresses.

NOTE Design and development review, verification and validation have distinct purposes. They can be conducted and recorded separately or in any combination, as suitable for the product and the organization.


Impact of changes - 7.3.1 Design and development planning

Effect of changes

Emphasizes that organizations can structure the activities of review, verification and validation in any means that suits them, so long as these activities are appropriate to each design and development stage

Auditing Considerations

Auditors should ensure that the activities of design and development review, verification and validation are suitable for their organization's modes of operation (keep in mind, all 3 activities are required at some point in the design and development process).
This is especially important if you structured these activities around your perception (or a CB auditor's perception) of ISO 9001:2000's requirements, rather than what makes sense:
  To your organization
  For the products/services you provide
  For the level of responsibility your organization has for design and development

Clause 7.3.3 (Design and development) Design and development outputs

ISO 9001:2000

The outputs of design and development shall be provided in a form that enables verification against the design and development input and shall be approved prior to release.

Design and development outputs shall

a) meet the input requirements for design and development,
b) provide appropriate information for purchasing, production and for service provision,
c) contain or reference product acceptance criteria, and
d) specify the characteristics of the product that are essential for its safe and proper use.

ISO 9001:2008

The outputs of design and development shall be in a form suitable for verification against the design and development input and shall be approved prior to release.

Design and development outputs shall

a) meet the input requirements for design and development,
b) provide appropriate information for purchasing, production and service provision,
c) contain or reference product acceptance criteria, and
d) specify the characteristics of the product that are essential for its safe and proper use.

NOTE Information for production and service provision can include details for the preservation of product.


Impact of changes - 7.3.3 Design and development outputs

Effect of changes

Grammatical
Emphasizes that preservation of product should be considered during design and development outputs

Auditing Considerations

Auditors should ensure that consideration is given to preservation of product during design and development
Examples may include (as appropriate):
  Storage areas
  Bins, totes, transport methods used in process
  Handling methods
  Packaging and packaging methods
  Transport and logistics methods and services (inbound and outbound)

Clause 7.5.3 (Production and service provision) Identification and traceability

ISO 9001:2000

Where appropriate, the organization shall identify the product by suitable means throughout product realization.

The organization shall identify the product status with respect to monitoring and measurement requirements.

Where traceability is a requirement, the organization shall control and record the unique identification of the product (see 4.2.4).

NOTE In some industry sectors, configuration management is a means by which identification and traceability are maintained.

ISO 9001:2008

Where appropriate, the organization shall identify the product by suitable means throughout product realization.

The organization shall identify the product status with respect to monitoring and measurement requirements throughout product realization.

Where traceability is a requirement, the organization shall control the unique identification of the product and maintain records (see 4.2.4).

NOTE In some industry sectors, configuration management is a means by which identification and traceability are maintained.


Impact of changes - 7.5.3 Identification and traceability

Effect of changes

Clarifies the intent that product shall be identified with respect to its monitoring and measurement status during all phases of product realization
Grammatical

Auditing Considerations

Ensure that product is identified with respect to monitoring and measurement status during all stages of product realization, for example:
  Receiving
  Storage
  In-process
  Final inspection
  Shipping

Clause 7.5.4 (Production and service provision) Customer property

ISO 9001:2000

The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, this shall be reported to the customer and records maintained (see 4.2.4).

NOTE Customer property can include intellectual property.

ISO 9001:2008

The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records (see 4.2.4).

NOTE Customer property can include intellectual property and personal data.


Impact of changes - 7.5.4 Customer property

Effect of changes

Grammatical
Note adds "personal data". This is in response to increasing concerns over identity theft and security

Auditing Considerations

Auditors should review controls on customers' personal data and ensure that adequate safeguards and security provisions are in place.
  Access to this data is adequately controlled
  Procedures are in place to notify customers if this data is lost (or presumably, stolen)
  Legal and customer requirements are addressed


Clause 7.6 Control of monitoring and measuring equipment (was Control of monitoring and measuring devices)

ISO 9001:2000

The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring devices needed to provide evidence of conformity of product to determined requirements (see 7.2.1).

The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.

Where necessary to ensure valid results, measuring equipment shall

a) be calibrated or verified at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded;
b) be adjusted or re-adjusted as necessary;
c) be identified to enable the calibration status to be determined;
d) be safeguarded from adjustments that would invalidate the measurement result;
e) be protected from damage and deterioration during handling, maintenance and storage.

ISO 9001:2008

The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring equipment needed to provide evidence of conformity of product to determined requirements.

The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.

Where necessary to ensure valid results, measuring equipment shall

a) be calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded (see 4.2.4);
b) be adjusted or re-adjusted as necessary;
c) have identification in order to determine its calibration status;
d) be safeguarded from adjustments that would invalidate the measurement result;
e) be protected from damage and deterioration during handling, maintenance and storage.


Clause 7.6 Control of monitoring and measuring equipment (was Control of monitoring and measuring devices) (cont'd)

ISO 9001:2000

In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected. Records of the results of calibration and verification shall be maintained (see 4.2.4).

When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.

NOTE See ISO 10012-1 and ISO 10012-2 for guidance.

ISO 9001:2008

In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected.

Records of the results of calibration and verification shall be maintained (see 4.2.4).

When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.

NOTE Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.


Impact of changes - 7.6 Control of monitoring and measuring equipment

Effect of changes
Equipment vs. Device - this change in terminology is now consistent throughout
ISO 9001:2008
Subclause a) - clarifies that in some cases, both calibration and verification may be
necessary in order to ensure that equipment provides valid results
Subclause e) - intent is to further clarify that identification of calibration status need
not be physically present on measurement equipment (i.e. an ID number or serial
number traceable to a calibration database has long been acceptable)
Note - clarifies the intent of software verification requirements

Auditing Considerations
Review the definitions in ISO 9000:2005; the intent is that the definition of
measuring equipment encompasses measuring instruments, which includes
measuring devices
Re: subclause a) - ensure that both calibration and verification are appropriately
utilized in their organization
Re: software - if you use measuring equipment that relies on software to provide
results, review the note and ensure that:

Appropriate procedures are in place to verify the validity of the results the software
provides
Appropriate configuration management procedures are in place (think "version control", for
those of you not involved in aerospace or medical devices)


Clause 8.2.1 (Monitoring) Customer satisfaction

ISO 9001:2000

As one of the measurements of the
performance of the quality management
system, the organization shall monitor
information relating to customer perception
as to whether the organization has met
customer requirements. The methods for
obtaining and using this information shall be
determined.

ISO 9001:2008

As one of the measurements of the
performance of the quality management
system, the organization shall monitor
information relating to customer perception as
to whether the organization has met customer
requirements. The methods for obtaining and
using this information shall be determined.
NOTE Monitoring customer perception can
include obtaining input from sources such
as customer satisfaction surveys, customer
data on delivered product quality, user
opinion surveys, lost business analysis,
compliments, warranty claims and dealer
reports.


Impact of changes - 8.2.1 Customer satisfaction

Effect of changes

Gives examples of potential sources of information regarding
customer perception as to whether the organization has met
customer requirements.

Auditing Considerations

Ensure that your organization is using appropriate methods to
determine customer satisfaction. The note provides examples of
data which may be reviewed.


Clause 8.2.2 (Monitoring) Internal audit


ISO 9001:2000

The organization shall conduct internal audits at planned intervals to
determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the
requirements of this International Standard and to the
quality management system requirements established by the
organization, and
b) is effectively implemented and maintained.

An audit programme shall be planned, taking into consideration the
status and importance of the processes and areas to be audited, as
well as the results of previous audits. The audit criteria, scope,
frequency and methods shall be defined. Selection of auditors and
conduct of audits shall ensure objectivity and impartiality of the audit
process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and
conducting audits, and for reporting results and maintaining
records (see 4.2.4) shall be defined in a documented procedure.

The management responsible for the area being audited shall
ensure that actions are taken without undue delay to eliminate
detected nonconformities and their causes. Follow-up activities shall
include the verification of the actions taken and the reporting of
verification results (see 8.5.2).

NOTE See ISO 10011-1, ISO 10011-2 and ISO 10011-3 for
guidance.

ISO 9001:2008

The organization shall conduct internal audits at planned intervals
to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the
requirements of this International Standard and to
the quality management system requirements established by the
organization, and
b) is effectively implemented and maintained.

An audit programme shall be planned, taking into consideration the
status and importance of the processes and areas to be audited, as
well as the results of previous audits. The audit criteria, scope,
frequency and methods shall be defined. The selection of auditors
and conduct of audits shall ensure objectivity and impartiality of the
audit process. Auditors shall not audit their own work.

A documented procedure shall be established to define the
responsibilities and requirements for planning and conducting
audits, establishing records and reporting results.

Records of the audits and their results shall be maintained
(see 4.2.4).

The management responsible for the area being audited shall
ensure that any necessary corrections and corrective actions
are taken without undue delay to eliminate detected
nonconformities and their causes. Follow-up activities shall include
the verification of the actions taken and the reporting of verification
results (see 8.5.2).
NOTE See ISO 19011 for guidance.


Impact of changes - 8.2.2 Internal Audit

Effect of changes

Better grammar and flow
Updated reference to auditing guidance standards; better alignment
with ISO 14001:2004

Auditing Considerations

ISO 19011:2002 provides guidance in auditing (1st, 2nd and 3rd party)
for both the ISO 9001 and ISO 14001 standards. Use of this
document is STRONGLY recommended.


Clause 8.2.3 (Monitoring) Monitoring and measurement of processes

ISO 9001:2000

The organization shall apply suitable
methods for monitoring and, where
applicable, measurement of the quality
management system processes. These
methods shall demonstrate the ability of the
processes to achieve planned results.
When planned results are not achieved,
correction and corrective action shall be
taken, as appropriate, to ensure
conformity of the product.

ISO 9001:2008

The organization shall apply suitable methods
for monitoring and, where applicable,
measurement of the quality management
system processes. These methods shall
demonstrate the ability of the processes to
achieve planned results. When planned
results are not achieved, correction and
corrective action shall be taken, as
appropriate.
NOTE When determining suitable
methods, it is advisable that the
organization consider the type and extent
of monitoring or measurement appropriate
to each of its processes in relation to their
impact on the conformity to product
requirements and on the effectiveness of
the quality management system.


Impact of changes - 8.2.3 Monitoring and measurement of processes

Effect of changes

Clarifies the intent of the requirement; provides detail of the rationale
for monitoring and measurement of QMS processes

Auditing Considerations

Auditors should review process monitoring and measurement to
ensure the appropriate application (don't forget the changes in 4.1
concerning process monitoring and, where appropriate,
measurement!)


Clause 8.5.2 (Improvement) Corrective action


ISO 9001:2000

The organization shall take action to
eliminate the cause of nonconformities in
order to prevent recurrence. Corrective
actions shall be appropriate to the effects of
the nonconformities encountered.

A documented procedure shall be
established to define requirements for
a) reviewing nonconformities (including
customer complaints),
b) determining the causes of
nonconformities,
c) evaluating the need for action to ensure
that nonconformities do not recur,
d) determining and implementing action
needed,
e) records of the results of action taken (see
4.2.4), and
f) reviewing corrective action taken.

ISO 9001:2008

The organization shall take action to
eliminate the causes of nonconformities in
order to prevent recurrence. Corrective
actions shall be appropriate to the effects of
the nonconformities encountered.

A documented procedure shall be
established to define requirements for
a) reviewing nonconformities (including
customer complaints),
b) determining the causes of
nonconformities,
c) evaluating the need for action to ensure
that nonconformities do not recur,
d) determining and implementing action
needed,
e) records of the results of action taken (see
4.2.4), and
f) reviewing the effectiveness of the
corrective action taken.


Impact of changes - 8.5.2 Corrective action

Effect of changes

Causes vs. cause - recognizes that nonconformities may have
multiple causes; better alignment with clause 8.5.3 Preventive action
Subclause f) - clarifies intent that the effectiveness (was the
planned result achieved?) of corrective actions must be reviewed

Auditing Considerations

Good opportunity to review the EFFECTIVENESS of corrective
actions - were the actions taken successful in eliminating the
cause(s) of nonconformities?


Clause 8.5.3 (Improvement) Preventive action


ISO 9001:2000

The organization shall determine action to
eliminate the causes of potential
nonconformities in order to prevent their
occurrence. Preventive actions shall be
appropriate to the effects of the potential
problems.

A documented procedure shall be
established to define requirements for
a) determining potential nonconformities and
their causes,
b) evaluating the need for action to prevent
occurrence of nonconformities,
c) determining and implementing action
needed,
d) records of results of action taken (see
4.2.4), and
e) reviewing preventive action taken.

ISO 9001:2008

The organization shall determine action to
eliminate the causes of potential
nonconformities in order to prevent their
occurrence. Preventive actions shall be
appropriate to the effects of the potential
problems.

A documented procedure shall be established
to define requirements for
a) determining potential nonconformities and
their causes,
b) evaluating the need for action to prevent
occurrence of nonconformities,
c) determining and implementing action
needed,
d) records of results of action taken (see
4.2.4), and
e) reviewing the effectiveness of the
preventive action taken.


Impact of changes - 8.5.3 Preventive action

Effect of changes

Subclause f) - clarifies intent that the effectiveness (was the
planned result achieved?) of preventive actions must be reviewed

Auditing Considerations

Good opportunity to review the EFFECTIVENESS of corrective
actions - were the actions taken successful in eliminating the
cause(s) of POTENTIAL nonconformities?


Bibliography
Bibliography now refers to current editions of referenced standards, new standards
referenced and standards withdrawn since the publication of ISO 9001:2000.
New Standards
ISO 10001:2007, Customer satisfaction - Guidelines for codes of conduct for organizations
ISO 10002:2004, Customer satisfaction - Guidelines for complaints handling in organizations
ISO 10003:2007, Customer satisfaction - Guidelines for dispute resolution external to organizations
ISO 10019:2005, Guidelines for the selection of quality management system consultants and use of their services
ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
IEC 61160:2006, Design review
ISO 90003:2004, Software engineering - Guidelines for the application of ISO 9001:2000 to computer software
New Editions
ISO 9004:200x, Managing for the sustained success of an organization - A quality management approach
ISO 10005:2005, Quality management systems - Guidelines for quality plans
ISO 10006:2003, Quality management systems - Guidelines for quality management in projects
ISO 10007:2003, Quality management systems - Guidelines for configuration management
ISO 10012:2003, Requirements for measurement processes and measuring equipment
ISO/TR 10013:2001, Guidelines for quality management system documentation
ISO 10014:2006, Quality management - Guidelines for realizing financial and economic benefits
ISO/TR 10017:2003, Guidance on statistical techniques for ISO 9001:2000
ISO 14001:2004, Environmental management systems - Requirements with guidance for use
IEC 60300-1:2003, Dependability management - Part 1: Dependability management systems
Withdrawn Standards
ISO 9000-3:1997 (replaced by ISO 90003:2004)
ISO 10011-1:1990 (replaced by ISO 19011:2002)
ISO 10011-2:1991 (replaced by ISO 19011:2002)
ISO 10011-3:1991 (replaced by ISO 19011:2002)
ISO 10012-1:1992 (replaced by ISO 10012:2003)
ISO 10012-2:1997 (replaced by ISO 10012:2003)


Impact of changes - Bibliography

Effect of changes

None

Auditing Considerations

The referenced standards provide excellent guidance into the
intents of ISO 9001:2008. Auditors are strongly advised to
understand these guidance documents - you'll be a better auditor
for it!


Auditing "Where Appropriate"/"Where Applicable"

Auditing "Where Appropriate"/"Where Applicable" Clauses

Many auditors prefer black and white requirements - "where
applicable" implies judgment. What to do? How do auditors assess
applicability of and conformity with a requirement in the absence of a
definite "shall"?
The ISO 9000 Auditing Practices Group and the International
Accreditation Forum (IAF), an affiliate organization of ISO, have
published two relevant white papers on the subject.

Determination of the "where appropriate" processes
Auditing the "where appropriate" requirements

In ISOmatrix's opinion, the same logic applies to "where applicable"
as "where appropriate"
The source documents are available at
http://isotc.iso.org/livelink/livelink/fetch/2000/2122/138402/138403/3541460/customview.html?func=ll&objId=3541460&objAction=browse&sort=name
Keep in mind, these are guidance documents, NOT ISO 9001
requirements or standards


Auditing "Where Appropriate"/"Where Applicable" Clauses

Determination of the "where appropriate" processes - Summary
If there are conflicts between the auditee's understanding of
process applicability and the auditor's, it's the auditor's
responsibility to understand the auditee's point of view.
Auditors should NOT impose their own point of view
WITHOUT OBJECTIVE EVIDENCE TO SUPPORT THEIR
POINT OF VIEW that a requirement is not met!!!
The issue may be conflicts in understanding the organization's
terminology vs. ISO's - use ISO 9000:2005 as a reference to
resolve these conflicts wherever possible
Don't forget Clause 1.2 Applicability!
ISOmatrix suggests considering the impact of the process or
requirement on product conformity to requirements,
statutory/regulatory compliance and customer satisfaction

Auditing "Where Appropriate"/"Where Applicable" Clauses

Auditing "where appropriate" requirements - Summary
The organization should carefully consider the applicability of
the "where appropriate" requirements during implementation
Impact on product conformity to requirements, statutory and
regulatory compliance and customer satisfaction (remember
Clause 1.1?)
Auditors should look at these requirements in light of the
organization's QMS scope - how will these requirements
impact the QMS' ability to fulfill this scope?
Does this requirement add value to this element of
confidence, without the "where appropriate" being addressed?
Does it increase the risk that the organisation cannot meet its
customer requirements? (This may be more than a specific
set of customer requirements, as it can include the demands
and expectations of end users, consumers, or the supply
chain).


Auditing "Where Appropriate"/"Where Applicable" Clauses

Auditing "where appropriate" requirements - Summary (cont'd)
Individuals responsible for the selection of internal auditors should
consider whether the auditor has the necessary technical
competence to make these determinations - the use of technical
experts per ISO 19011 may be necessary
Auditors should consider the impact of the "where appropriate"
requirements on how processes are defined and implemented, and
the process outputs.

If the requirement is NOT considered appropriate, it's recommended
that the audit provide objective evidence to support that the system is
effective and customer requirements are consistently met.
ISOmatrix adds: consider the performance of the system and process.
Review monitoring (and where applicable, measurement) of the
associated process. Is the process effective and efficient in the
absence of conformance to this requirement?


Listing of "Where Appropriate"/"Where Applicable" Clauses

Where appropriate
7.4.2 Purchasing Information
7.5.3 Identification and traceability

Where applicable
4.1 e) General requirement (New for 2008)
6.2.2 b) Competence, training and awareness (New for 2008)
7.3.2 Design and development inputs
8.2.3 Monitoring and measurement of processes
8.2.4 Monitoring and measurement of product
8.3 Control of nonconforming product (New for 2008)

Questions and Answers


ISOmatrix

ISOmatrix, Inc.
www.isomatrix.com
805-435-1203

Thank You!!!
