ISO 9001:2015 Whitepaper
Introduction
Considering that customers have endless choices for products and services and numerous opportunities to express their opinion regarding the quality of those products and services, organizations have been seriously considering the matter of quality.
Increasingly, organizations dedicate huge amounts of resources to ensure quality by establishing and implementing a set of interrelated and coordinated policies, procedures, and processes. Therefore, over one million organizations have implemented a quality management system (QMS) based on the requirements of ISO 9001.
A QMS based on ISO 9001 helps organizations achieve quality objectives, and defines how they will design and develop products and services to meet the requirements of customers. Apart from providing a basis for sustainable development, a QMS also contributes to the improvement of the overall performance of organizations. Furthermore, it provides organizations with the opportunity to take corrective actions when a nonconformity is detected. A QMS requires continual measurement of quality to detect nonconformities and risks at an early stage. This allows organizations to address and mitigate risks, which consequently enables them to prevent costs, maintain sustainability, and improve reputation.
To effectively implement a QMS, ISO 9001 requires organizations, among other things, to establish the QMS scope and the quality policy, plan actions to address risks and opportunities, determine and provide the necessary resources, ensure that employees are competent for their role, and ensure that all the interested parties are aware of the quality policy and objectives.
The history of ISO 9001 and its purpose
The development of ISO 9001 can be traced back to the early 1960s, when the US government issued the Military Specification MIL-Q-9858A, which was used only for military contractors. In the latter part of the 1960s, this specification, known as the “quality assurance program,” was cascaded to other industries, such as the nuclear power industry, the pharmaceutical and medical device industry, etc.
Additionally, the concept of quality assurance presented in MIL-Q-9858A was introduced to European countries through NATO. The British Standards Institution (BSI) adopted it and in 1979 published its quality system standard BS 5750. This standard was developed to address the issues in the munition industry experienced during World War II.
In 1987, based on BS 5750, the International Organization for Standardization (ISO) published the first edition of ISO 9001, as part of the ISO 9000 family of standards. ISO aimed to create a universal framework and establish requirements for a quality management system (QMS) that would be applicable to all organizations regardless of their size, type, or the industry in which they perform.
The first version of ISO 9000 standards was divided into three parts:
- ISO 9001:1987 — A model for quality assurance in design, development, production, installation, and servicing, applicable to organizations that create new products
- ISO 9002:1987 — A model for quality assurance in production, installation, and servicing
- ISO 9003:1987 — A model for quality assurance in final inspection and test
In 1994, ISO published a revised version of ISO 9000. The updated version required organizations to focus more on implementing controlling procedures at every stage of their production rather than controlling only the final product. This would help organizations prevent potential issues and problems that could arise during the production process, rather than waiting to tackle the issues with corrective actions after they occur. In 2000, ISO 9000 was revised again and its third edition was published as ISO 9001, which replaced the former ISO 9001, ISO 9002, and ISO 9003. This new version aimed to simplify processes and required less documentation. In addition, it encouraged positive growth by focusing on continual improvement and customer satisfaction, and it encouraged organizations to integrate the QMS at all organizational levels. In 2008, ISO 9001 was revised again; however, the changes were minor. With these minor changes, ISO intended to clarify the existing requirements and increase consistency with other ISO standards, such as ISO 14001.
The latest version of ISO 9001 was published in 2015 to keep up with the recent developments that influenced the way organizations operate their businesses and the environments in which they operate. In addition, it addressed the structure of the standard to make it easier for organizations to integrate a QMS with other management systems based on ISO standards. Some of the most significant changes include:
- Updated quality management principles
- New terminology
- Enhanced applicability for services
- New requirements for leadership
- New structure of clauses, arranged based on Plan-Do-Check-Act (PDCA) cycle
- An increased focus on the process approach and risk-based thinking
Nowadays, organizations from all over the world implement quality management systems based on the requirements of ISO 9001:2015 to fulfill the needs and meet the expectations of their customers and other interested parties. A QMS also demonstrates organizations’ ability to produce and deliver quality products and services, which have undergone monitored processes and are in compliance with statutory and regulatory requirements. Since the requirements of ISO 9001:2015 are generic, organizations of any type or size can implement a QMS based on ISO 9001 and benefit from it.
Quality management principles
In general, a principle refers to a basic belief, rule, or theory that influences the way in which something is done. In the same context, quality management principles guide the way in which an organization develops a quality management system. These principles were developed and updated by international experts of ISO’s Technical Committee (TC) 176, responsible for the development and maintenance of ISO’s quality management standards.
When applied correctly, these principles enable organizations to ensure consistency, enhance customer satisfaction, increase employee motivation, and improve their overall performance.
The seven quality management principles on which ISO 9001 has been developed are listed below. The importance of each principle differs among organizations, and can change over time.
Customer focus: A strong customer focus is crucial in quality management. Understanding the needs and expectations of current and potential customers is essential for organizations to ensure sustained success. Being customer oriented helps organizations increase their market share and revenue and improve customer loyalty. Considering that this principle is very important for an effective QMS, it is reflected throughout the requirements of ISO 9001. Specifically, customer focus is explicitly emphasized in the following clauses:
- Clause 5.1.2 Customer focus — requires organizations to determine, understand, and meet customer requirements, and continuously enhance customer satisfaction
- Clause 8.2.1 Customer communication — requires organizations to communicate with their customers and provide them with information on products and services, obtain their feedback, handle their inquiries, control their property, etc.
- Clause 9.1.2 Customer satisfaction — requires organizations to monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled
Leadership: Support and commitment for quality must start at the top. Competent leadership is essential for effective quality management. Leaders at all levels are responsible for creating, maintaining, and leading a productive business environment, where everyone within the organization works toward the same quality objectives. Strong leadership increases the effectiveness and efficiency of quality practices and ensures better coordination of the organization’s processes. There are several clauses of ISO 9001 where the role of leadership is emphasized:
- Clause 5.1 Leadership and commitment — requires top management to demonstrate leadership and commitment toward the QMS by establishing the quality policy and quality objectives, providing all the necessary resources, communicating the importance of an effective QMS, promoting continual improvement, considering the needs and expectations of customers, etc.
- Clause 5.3 Organizational roles, responsibilities and authorities — requires top management to assign responsibilities and authorities for relevant roles related to the QMS
- Clause 9.3 Management review — requires top management to review the QMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness
Engagement of people: Apart from the commitment of the top management, the contribution of everyone within the organization is necessary for an effective QMS. Personnel should understand their role in day-to-day responsibilities and in the organization as a whole, and feel valued for their contribution. Engaged personnel demonstrate that the organization is committed to ensuring the effectiveness of the QMS. Engagement of people is emphasized in the following clauses of ISO 9001:
- Clause 5.1 Leadership and commitment — requires top management to support, direct, and engage people to contribute to ensuring the effectiveness of the QMS
- Clause 5.2.2 Communicating the quality policy — requires top management to ensure that the quality policy has been communicated within the organization
- Clause 7.3 Awareness — requires organizations to ensure that personnel are aware of the quality policy, quality objectives, their contribution to an effective QMS, and the implications of not conforming with the QMS requirements
- Clause 8.5.1 Control of production and service provision — requires organizations to assign competent persons to control production and service provision
Process approach: To ensure consistent results, organizations should embrace a process-driven approach. Organizations that embrace a process approach understand and manage their activities as interrelated processes. A process approach ensures effective planning of resources, prevents cross-functional barriers, and facilitates the identification of areas for improvement. In addition, organizations will be able to focus on key processes. This principle is emphasized in the following clauses of ISO 9001:
- Clause 4.4 Quality management system and its processes — requires organizations to establish, implement, and improve the processes needed for the QMS, including their inputs and outputs, interactions, operations criteria and methods, risks and opportunities, etc.
- Clause 6.1 Actions to address risks and opportunities — requires organizations to plan actions to address risks and opportunities and integrate and implement those actions into their QMS processes
- Clause 7.1.4 Environment for the operation of processes — requires organizations to provide a suitable environment for the operation of their QMS processes to achieve conformity of products and services
- Clause 8.1 Operational planning and control — requires organizations to plan, implement, and control the necessary processes for the provision of products and services
Improvement: To ensure sustained success, organizations should have an ongoing focus on improvement. Regardless of organizations’ size or complexity, the changes that occur over time in the environment in which organizations operate impact their management systems considerably. As such, the quality management system should be adaptable and responsive to these changes. By treating continual improvement as a core objective, organizations can maintain their current levels of performance, improve their ability to address internal and external risks, and create new opportunities. Even though improvement should be a continual process, there are several clauses of ISO 9001 in which improvement is explicitly emphasized:
- Clause 5.1 Leadership and commitment — requires top management to promote continual improvement as part of demonstrating leadership and commitment with respect to the QMS
- Clause 5.2.1 Establishing the quality policy — requires top management to establish a quality policy that includes a commitment to continual improvement of the QMS
- Clause 6.1 Actions to address risks and opportunities — requires organizations to determine and address risks and opportunities that contribute to improvement
- Clause 7.1 Resources — requires organizations to determine and provide the necessary resources (people, infrastructure, environment) for continual improvement of the QMS
- Clause 10 Improvement — requires organizations to determine and select opportunities for improvement, such as correction, corrective action, continual improvement, re-organization, etc.
Evidence-based decision making: In order to make informed decisions, accurate and reliable data is essential. The decision-making process can be really complex and always involves a degree of uncertainty. Therefore, it is necessary for organizations to make decisions based on evidence and experience. Data analysis, facts, and accurate evidence lead organizations toward greater objectivity and confidence in decision-making. The importance of evidence-based decision making is emphasized in the following clauses of ISO 9001:
- Clause 7.1.6 Organizational knowledge — requires organizations to determine and maintain the necessary knowledge for the operation of their processes, and consider it when addressing changing needs and trends
- Clause 7.2 Competence — requires organizations to retain documented information as evidence of competence of persons doing work under the organization’s control
- Clause 7.5.3 Control of documented information — requires organizations to retain documented information required by the QMS as evidence of conformity
- Clause 9.1 Monitoring, measurement, analysis and evaluation — requires organizations to retain documented information as evidence of the performance and effectiveness of the QMS
- Clause 9.3 Management review — requires organizations to retain documented information as evidence of the inputs and outputs of management reviews
- Clause 10.2 Nonconformity and corrective action — requires organizations to retain documented information as evidence of the nature of the identified nonconformities, and the results of any corrective actions taken
Relationship management: Sustained success is ensured when organizations establish and manage relationships with all interested parties based on trust. This is especially important in quality management. As such, relationships should be mutually beneficial in order to deliver value to all parties. Establishing strong and continual relationships with suppliers and all other interested parties contributes to enhanced performance and appropriate management of quality-related risks. Relationship management is emphasized in the following clauses of ISO 9001:
- Clause 4.2 Understanding the needs and expectations of interested parties — requires organizations to determine the interested parties and their requirements relevant to the QMS
- Clause 4.3 Determining the scope of the quality management system — requires organizations to consider the requirements of interested parties when determining the QMS scope
- Clause 5.2.2 Communicating the quality policy — requires organizations to make the quality policy available to relevant interested parties
- Clause 8.3.2 Design and development planning — requires organizations to consider the level of control expected for the design and development process by relevant interested parties
- Clause 8.4.2 Type and extent of control — requires organizations to ensure that the outsourced processes, products, and services remain within the control of the QMS
- Clause 8.4.3 Information for external providers — requires organizations to inform their external providers of the requirements regarding products and services, their interactions, performance evaluation, etc.
The risk-based thinking concept
The increased uncertainty at social, economic, and political levels has also increased risks for organizations. As such, it has become necessary for organizations to adopt a risk-based thinking approach in order to:
- Enhance customer satisfaction and confidence;
- Create consistency in the production and provision of conforming products and services; and
- Promote a culture of continual improvement.
ISO 9001:2015 uses the process approach, in which the PDCA cycle and risk-based thinking are included. ISO 9000 defines risk as “the effect of uncertainty.” However, the effects of any uncertainty can be positive or negative. Through risk-based thinking, organizations are able to identify potential factors that may cause the disruption of processes of the organization and its QMS, minimize their effects, and take advantage of opportunities that may arise during the process. Risks and opportunities are closely related because deciding whether to take or not take an opportunity presents a risk as well.
To ensure the effectiveness of the QMS, risk-based thinking is crucial. For a QMS to comply with the requirements of ISO 9001, organizations must address risks and opportunities through planning of actions and their implementation. According to ISO 9001, options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision. Opportunities, on the other hand, can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology, and other desirable and viable possibilities to address the organization’s or its customers’ needs.
Previous versions of ISO 9001 had a clause which outlined the requirements for preventive actions, and addressed the anticipation and prevention of potential nonconformities. However, in the latest version of the standard, risk-based thinking has been incorporated throughout the requirements. As such, instead of being treated as a separate and independent component, risk-based thinking is now considered necessary throughout the implementation of the QMS and is incorporated in every process of the QMS. For instance, Clause 4 Context of the organization requires organizations to determine their QMS processes and address their risks and opportunities. Clause 5 Leadership requires the top management of the organization to encourage the use of risk-based thinking. Clause 6 Planning requires organizations to take appropriate actions to address risks after identifying them. Clause 9 Performance evaluation requires organizations to analyze and evaluate the effectiveness of the actions that were taken. Clause 10 Improvement requires organizations to correct, avoid, or reduce undesired effects by utilizing opportunities for improvement, and updating risks and opportunities.
This approach has allowed for many prescriptive requirements to be reduced and replaced with performance-based requirements and for continual improvement to be promoted throughout the organization.
It is important to note that ISO 9001 does not strictly define how organizations should address risks or what methods to use. As such, organizations are free to choose the tools or methods to address risks and opportunities, and this is what makes the difference between risk-based thinking and risk management. Risk management has more specific guidelines to address risks (e.g., ISO 31000:2018 provides specific guidelines for risk management).
Lastly, some of the benefits of the implementation of risk-based thinking include enhanced preparedness and possibility of achieving objectives, reduced undesired effects, improved governance, compliance with statutory and regulatory requirements, and, last but not least, improved customer confidence and satisfaction.
Leadership and quality culture
Competent and effective leadership is a key factor to successfully implement and maintain a QMS. Continual commitment of the top management toward quality management shapes the organization’s approach to quality. Their behavior influences the actions of the rest of the employees within the organization. It is up to the top management to take quality management to a level that will encourage the personnel to contribute to the achievement of quality objectives.
ISO 9001 provides specific requirements for the top management with respect to the QMS. They are required to demonstrate leadership and commitment by actively engaging, promoting, communicating, and monitoring the performance and effectiveness of the quality management system.
To achieve optimal efficiency and effectiveness for the QMS, the organization should provide an environment that fosters employee responsibility. Specifically, top management should contribute to creating a culture in which every employee integrates quality in their daily actions, and considers quality as a personal value rather than just a simple requirement. As such, competent and committed leadership and consistent quality-focused actions are imperative for an effective quality management system.
The implementation of a QMS based on ISO 9001
ISO 9001 provides a Plan-Do-Check-Act (PDCA) cycle that organizations can follow to establish, implement, and continually improve an effective QMS. The PDCA cycle helps organizations determine the necessary resources for the QMS and the opportunities for continual and sustainable improvement. The PDCA cycle can be applied to the QMS as a whole or to all processes separately. The figure below of the PDCA cycle provides an overview of the elements involved in the implementation of the QMS based on ISO 9001.
ISO 9001, Figure 2 — Representation of the structure of ISO 9001 in the PDCA cycle
PECB has developed a methodology based on best practices for implementing a management system, known as the “Integrated Implementation Methodology for Management Systems and Standards (IMS2).” Based on the PDCA cycle and guidelines from other ISO standards, this implementation methodology meets the requirements of ISO 9001 and can be used to implement a QMS in various organizations.
A detailed explanation of the IMS2 implementation methodology and a step-by-step guide of a QMS implementation project is provided in the ISO 9001 Lead Implementer training course of PECB.
The relationship of ISO 9001 with other management system standards
ISO 9001 consists of 10 main clauses based on the High-Level Structure (HLS), which means that its requirements align with other management system standards developed by ISO. As such, organizations that implement a QMS based on ISO 9001, through the use of the process approach, PDCA cycle, and risk-based thinking, will be able to integrate their QMS with other management systems based on other ISO standards, such as an environmental management system (EMS) based on ISO 14001, an occupational health and safety management system (OH&S MS) based on ISO 45001, an anti-bribery management system (ABMS) based on ISO 37001, etc. An integrated management system (IMS) is recommended when the organization manages several management systems simultaneously. There are several benefits of integration, such as harmonizing and optimizing practices, formalizing informal systems, reducing costs, etc.
With regard to the ISO 9000 family of standards, ISO 9001 relates to the following:
- ISO 9000, which provides the fundamental concepts and principles of quality management systems, ensuring proper understanding and effective implementation of ISO 9001 requirements.
- ISO/TS 9002, which provides guidance regarding the correlation of ISO 9001 clauses, with possible examples of steps that an organization can take to fulfill the requirements.
- ISO 9004, which provides guidance regarding organizations’ ability to achieve sustained success, with reference to the quality management principles described in ISO 9001.
In addition, there are other sector-specific standards that have been developed based on the requirements of ISO 9001. Some of them state additional requirements for quality management systems (e.g., ISO 10012, Measurement management systems — Requirements for measurement processes and measuring equipment; ISO 13485, Medical devices — Quality management systems — Requirements for regulatory purposes; ISO/TS 54001, Quality management systems — Particular requirements for the application of ISO 9001:2015 for electoral organizations at all levels of government), while others provide guidance for the application of ISO 9001 within particular sectors (e.g., ISO 18091, Quality management systems — Guidelines for the application of ISO 9001 in local government; ISO/IEC/IEEE 90003, Software engineering — Guidelines for the application of ISO 9001:2015 to computer software).
The benefits of a QMS based on ISO 9001
An effective quality management system based on ISO 9001 brings several benefits to organizations.
A QMS based on ISO 9001 improves an organization’s credibility and increases customer confidence, giving the organization an edge over its competitors. Getting certified against ISO 9001, which is recognized worldwide as the authority on quality management, will provide assurance to the organization’s interested parties, including customers, that the organization is focused on quality and on the increase of efficiency and productivity. Getting certified against ISO 9001 means that the organization is complying with statutory and regulatory requirements as well. Furthermore, as the QMS enables organizations to provide quality products and services, organizations gain an increase in revenue.
A QMS based on ISO 9001 helps organizations determine their quality objectives and establish communication channels which ensure clear processes and clear division of roles and responsibilities. Through this, the top management and the employees of the organization are aware of their roles and responsibilities for the accomplishment of quality objectives. Additionally, this leads to a minimization of costly errors, since each employee is responsible for their work and will be held accountable based on their responsibilities. Moreover, a QMS enables the organization to focus on the most important areas of its business and increase efficiency.
A QMS based on ISO 9001 ensures the implementation of a process approach with a focus on risk-based thinking and an evidence-based approach. Risk-based thinking helps organizations address risks and opportunities, prevent risks, and minimize their undesired effects. In addition, risk-based thinking enables organizations to improve planning and monitoring of potential risks, and utilize opportunities for the benefit of the organization. An evidence-based approach, on the other hand, improves an organization’s decision-making processes based on gathered and analyzed data. Decision-making through an evidence-based approach will lead to investment in the right areas, increase of efficiency, reduction of costs and risks, and consequently, increase in profitability.
A QMS based on ISO 9001 will promote continual improvement throughout the organization and its interested parties. Continual improvement is one of the core principles of ISO 9001 and its adoption helps organizations focus on updating their methods, tools, products, and services, but also helps them promote growth and embed a quality culture within the organization. By promoting continual improvement, organizations will be able to maintain the best quality for their products and services and remain organizationally resilient.
These benefits, among others, ensure that organizations meet their customers’ needs, increase their efficiency, and, ultimately, increase success.
Conclusion
In an ever-evolving global market, it is crucial for organizations to provide quality products and services that meet the needs and requirements of customers. Therefore, organizations should implement a set of interrelated and coordinated policies, procedures, and processes in order to achieve their quality objectives. A renowned and proven system to ensure quality in organizations is a quality management system (QMS) based on ISO 9001. A QMS based on ISO 9001 helps organizations set clear quality objectives, meet customer requirements, mitigate quality risks, utilize opportunities for improvement, and gain competitive advantage.
The effort for a quality management framework can be traced back over 70 years; however, ISO 9001 has been around since 1987. Since its publication, over one million organizations have been certified against ISO 9001. This quality standard is built upon seven principles, which are: customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management. ISO 9001 employs the process approach in cooperation with the PDCA cycle and risk-based thinking, and it is applicable to all organizations, regardless of their size, type, or industry. It consists of 10 main clauses according to the HLS structure developed by ISO, which facilitates integration with other management system standards such as ISO 14001, ISO 37001, ISO 45001, etc.
PECB Certified ISO 9001 Available Training Courses
Enhance your knowledge and advance your career by participating in our ISO 9001 training courses. Check the training courses below and find the one that suits you best.
ISO 9001 Introduction
Get introduced to quality management concepts and principles and the requirements of ISO 9001.
ISO 9001 Foundation
Become familiar with the best practices of a quality management system and obtain a clause-by-clause overview of ISO 9001 requirements.
ISO 9001 Lead Implementer
Develop the necessary competencies to assist organizations in establishing, implementing, maintaining, and continually improving a quality management system based on the requirements of ISO 9001.
ISO 9001 Lead Auditor
Acquire the necessary competencies to audit a quality management system against the requirements of ISO 9001 based on the guidelines for auditing management systems provided in ISO 19011 and the requirements for the certification process of ISO/IEC 17021-1.
ISO 9001:2015 Transition
Gain the necessary competencies to guide and support organizations to transition from ISO 9001:2008 to ISO 9001:2015.
Authors:
Djellza Krasniqi, PECB
Donika Gashi Fazlija, PECB
Rina Krasniqi, PECB
Egzon Bunjaku, PECB