What is an ISO 9001 Quality Management System? And do I need one?

A quality management system ( QMS) is the system an organization uses to control activities geared towards achieving management objectives.

Broadly, it covers your organization’s structure together with the planning, processes, resources, and documented information used to achieve quality objectives.

For example, meeting your cus­tomers’ and relevant interested parties’ requirements to improve your products and services.

The requirements of ISO 9001 are generic and are intended to be applicable to any organization. This is regardless of its type or size, or the products and services it provides.

QMS Standards vs Product and Service Standards

Quality management system standards should not be confused with prod­uct and service standards.

Such standards give explicit requirements that specific products and services should conform to. However, quality management system standards (and particularly ISO 9001) specify requirements for good management practices.

This is to achieve quality without referencing any particular type of product or service.

The use of product and service standards, quality management system standards, and quality improvement approaches help to improve customer satisfaction.

Additionally, it also increases the competitiveness of your organization (which are not exclusive of each other).

That said, quality management systems should not result in excessive bureaucracy, paperwork, or lack of flexibility. It should not adversely affect the effectiveness or efficiency of the organization as well.

Quality management system standards should not be confused with prod­uct and service standards.

Such standards give explicit requirements that specific products and services should conform to. However, quality management system standards (and particularly ISO 9001) specify requirements for good management practices.

This is to achieve quality without referencing any particular type of product or service.

The use of product and service standards, quality management system standards, and quality improvement approaches help to improve customer satisfaction.

Additionally, it also increases the competitiveness of your organization (which are not exclusive of each other).

That said, quality management systems should not result in excessive bureaucracy, paperwork, or lack of flexibility. It should not adversely affect the effectiveness or efficiency of the organization as well.

Quality is about the ability of an organization to consistently provide products and services that meet customer requirements.

Using a quality management system is a strategic decision that goes beyond organisations’ ability to provide a product or service.

It doesn’t only help with improving the organisation’s overall performance, it also provides a basis for sustainable improvement initiatives.

Rewards of Implementing a Quality Management System (QMS) based on ISO 9001:2015

1. the ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements;
2. facilitating opportunities to enhance customer satisfaction;
3. addressing risks and opportunities associated with its context and objectives;
4. the ability to demonstrate conformity to an internationally-recognised quality management system requirements.

All of the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organization. It also applies regardless of its type or size, or the products and services it provides.

While this expression is commonly used, there’s no such thing!

Accreditation relates to the Certification Body that will issue your ISO 9001:2015 Certificate.

For that Certificate to be credible, the Certification Body needs to be accredited. That means it has to be accredited by a recognized Accreditation Body to issue such Certificates.

Having accreditation means that an organisation is competent to perform specific processes in a reliable, credible, and accurate manner. (These are detailed in a scope of accreditation)

The provision of accreditation must:

• be undertaken impartially;
• be objective, transparent and effective;
• use highly professional competent assessors and technical experts in all relevant fields;
• use assessors (and subcontractors) that are reliable, ethical, and competent in both accreditation processes and the relevant technical fields.

Accreditation delivers confidence in certificates and conformity statements. It underpins the quality of results by ensuring their traceability, comparability, validity, and commutability.

Accreditation Bodies

Accreditation Bodies, such as UKAS and INAB, are members of the International Accreditation Forum (IAF). These bodies give international recognition to Certificates issued by the CABs they have accredited.

For more information, visit the websites of UKAS (UK), INAB (Ireland) or other national accreditation bodies.

Certification can be regarded as formal recognition by others of your quality management system.

In some countries, certified quality management systems are considered to be registered and the term “registration” is used instead of certification.

For the sake of brevity, the terms” certification” and” certified” are used here.

Implementation Requirements

Certification is not a mandatory requirement in implementing ISO 9001. However, it could be required by some of your customers.

Your decision regarding certification might also be influenced by your competitors or by statutory or regulatory requirements.

If your organization intends to achieve ISO 9001 certification, all applicable requirements, as defined in the standard, need to be fully implemented.

This then needs to be confirmed by a formal audit by a certification body (sometimes called a registrar).

It is not necessary to conform to any additional requirements to achieve ISO 9001 certification. Even so, your customers or a specific regulator may require you to conform to additional requirements.

If you are considering the certification option, your first step is to contact several certifica­tion bodies (CABs). After that, try to find out which of them are accredited in your sector ( e.g. NACE codes).

You also have to ask what is offered, what the likely costs are, and the requirements for the certification activities.

Key features of the 2015 version of the Standard

This latest version of the standard is less prescriptive than previous versions. For example, there are no mandatory documents or records required. It has four main attributes:

• An emphasis on leadership
• A focus on risk management
• Emphasis on objectives, measurement, and change
  
• Communication and awareness

Not one but four Standards to be considered

ISO publishes four standards that focus directly on an organization’s QMS:

• The management system standard: ISO 9001:2015. This standard is the specification for a QMS.

• The Technical Standard ISO/NP TS 9002:2016 Quality management system — Guidelines for the application of ISO 9001:2015. This standard provides extensive knowledge of all aspects of a QMS and has copious examples that you can use.

Note: This is not a Normative Reference in ISO 9001:2015; therefore, it is not a mandatory requirement that it be applied to your QMS.

• ISO 9000:2015 Quality Management System – Fundamentals and Vocabulary. This provides an essential background for the proper understanding and implementation of ISO 9001:2015.

Note: This is a Normative Reference in ISO 9001:2015; therefore, it is a mandatory requirement that it be applied to your QMS.

• ISO 9004:2016 Managing for the Sustained Success of an Organisation: A Quality Management Approach. This provides guidance for organizations that choose to progress beyond the requirements of ISO 9001:2015.

This standard is intended for organizations with a mature quality management system. It is not generally used when first designing and implementing a QMS.

Note: This standard also is not a Normative Reference in ISO 9001:2015; therefore, it is not a mandatory requirement that it be applied to your QMS.

The High-Level Structure

ISO 9001:2015 adopts the 10-part High-Level Structure now mandatory for all of the ISO 9000 family of Standards.

Parts 1 Introduction, Part 2 Normative References, and Part 3 Terms and Definitions are not auditable.

Parts 4 through 10 are the ‘working’ parts of the Standard and correspond neatly with the P-D-C-A Improvement Cycle.

This is illustrated below.

The 2015 version of the Standard introduced several significant changes including.

Part 4: Context of the Organization

The organization needs to determine external and internal issues that are relevant to its purpose.

These include relevant issues, both inside and out, that have an impact on the organization and its ability to achieve management system objectives.

The term ‘issue’ does not only cover problems that would have been the subject of preventive action in previous standards. It also covers important topics for the management system to address.

Examples of these are market assurance and governance goals that the organization might set for its management system.

Tools such as Strengths, Weaknesses, Opportunities, and Threats analysis (SWOT) and Political, Economic, Social, Technological, Legal, Environmental analysis (PESTLE) are frequently used.

Alternatively, simple approaches such as brainstorming and asking “what if” questions can be useful for your organization.

Part 5: Leadership

This means that senior managers need to be able to demonstrate an understanding of the wider business environment. This includes the social, cultural, and regulatory framework in which it operates. How they impact the organization’s ability to meet customer requirements should be considered as well.

Similarly, they need to have a grasp of the organization’s internal strengths and weaknesses. They also need to understand how these could impact their ability to deliver products or services.

This strengthens the concept of business process management including the need to know how to allocate specific responsibilities for processes. This also demonstrates an understanding of the key risks associated with each process and approaches used to mitigate them.

Part 6: Planning

Clause 6.1 Actions to address risks and opportunities

The new standard makes risk-based thinking more explicit throughout. Risk, as determined by the standard refers to any of the following.

1. An effect is a deviation from the expected – positive or negative.
2. Risk is about what could happen and what the effect of this happening might be.
3. Risk also considers how likely it is to happen.

Senior management must be able to demonstrate an understanding of business risks. They should also know how they could impact the ability to meet customer requirements. An effective risk management process will be critical for successful certification to the new version.

It must ensure the management system can achieve its intended outcomes and achieve continual improvement. Clause 6.1 is where this is covered and it addresses the ‘what, who, how, and when” of risk management.

The organization should plan actions to address these risks and opportunities. It also has to know how to integrate and implement the actions into its management system processes and evaluate their effectiveness.

Risk replaces preventive action. Because of this, you will need to identify where risk arises and ensure controls are in place to manage it.

Employing a Risk-based Thinking Approach to Management

The target of a management system is to achieve conformity and customer satisfaction.  ISO 9001:2015 uses risk-based thinking to achieve this in the following way:

• Clause 4 (Context) the organization is required to determine the risks which may affect this.
• Clause 5 (Leadership) top management are required to commit to ensuring Clause 4 is followed.
• Clause 6 (Planning) the organization is required to take action to identify risks and opportunities.
• Clause 8 (Operation) the organization is required to implement processes to address risks and opportunities.
• In Clause 9 (Performance evaluation) the organization is required to monitor, measure, analyse and evaluate the risks and opportunities.
• In Clause 10 (Improvement) the organization is required to improve by responding to changes in risk.

Clause 6.2 Quality Objectives and plans to achieve them

The requirements around quality objectives have also been made more detailed. They need to be consistent with the quality policy, measurable, monitored, communicated, and updated as appropriate. They also have to be established at relevant functions and levels.

Objectives should include plans on how to achieve them as well as how the results will be evaluated. The organization must determine who will be responsible for the delivery of the objectives, resource allocation, process management, and scheduling.

Quality Objectives – the results to be achieved – can be technical, strategic, or operational.

ISO Technical Committee 176

ISO/TC 176 Technical Committee on Quality Management and Quality Assurance have been a leader in the development of quality management systems since 1979.  ISO/TC 176 undertakes its work through its three subcommittees (SC):

• SC 1 – Concepts and terminology (ISO 9000)
• SC 2 – Quality systems (e.g. ISO 9001, ISO 9004, ISO 10005-7)
• SC 3 – Supporting technologies (e.g. ISO 10001-4, ISO 10008-18)

TC 176 membership includes approximately 120 countries.

Part 7: Support

Clause 7.3 Awareness

This is now a clause in its own right.

People working under an organization’s control should be aware of the quality policy, objectives, and their contributions to the QMS.

They should also be aware of implications of non-conformities etc.

There is an increased emphasis on awareness to ensure that everyone knows the implications of not conforming to the management system requirements.

Clause 7.4 Communication

Both internal and external communications are now a requirement. It’s up to you to decide what/who/when and how you are communicating.

The communication plan can include a variety of mediums including briefings, meetings, seminars, conferences and newsletters.

Clause 7.5 Documented Information

This deals with documented information and is split into 3 sub-clauses – general, creating, and updating and control. An organization must decide what information they wish to retain, how these are updated, controlled, and adequately protected.

Part 8: Operation

This clause deals with day-to-day operations and includes:

• Requirements for customer communication (from information on products to contracts and invoicing)
• Review of design and development changes
• Information for external providers
• Identification and traceability
• Release of products and services now part of operational controls
• Non-conforming processes, outputs and product and services

All feature a requirement for them to be controlled and you must consider how best to implement these requirements within your own organization.

Part 9: Performance Evaluation

See the schematic above for the requirements here.

Part 10: Improvement

See the schematic above for the requirements here.

Where to begin is frequently a problem for an executive wishing to secure ISO 9001 Certification.  We suggest a practical 5-Stage process that you can take to get started (often the most difficult part).

The knowledge and information given here are essential if you and your colleagues are to make an informed decision on two things.

One is whether ISO Certification is right for your organization at this time. The other as to the amount of effort and resources that would be required.

Stage 1: Getting an Overview of a Quality Management System

To answer the questions above, you first need to know what’s involved in designing, implementing, and maintaining a Management System.

Stage 2: Overview of the Initiation, Planning and Implementation Processes

On the right is a flowchart of the ’33 Steps to ISO 9001:2015 Certification’.

Please download a copy and study it carefully and note the following.

1. It’s a PDF file for you to print and/or save as you wish.
2. The main headings throughout our Implementation Handbook have numbers in brackets (e.g. #12). This is to indicate the correspondence between the topic under consideration and the step number in the Flowchart being addressed.
3. The numbers in brackets at the bottom of each activity box (e.g. 8.1 & 10.1) is the Clause Number(s). These correspond to the requirement that is being addressed by the activity in question.

33 Steps to ISO 9001:2015 Certification

For ease of understanding, the 33 Steps have been set out in a simple sequence.

In reality, you will frequently be working on several steps simultaneously.  This will help reduce the overall timescale for the project.

When project planning with your project team, you should seek out and document such opportunities.

Relating the 33 Steps to the Standard is not, perhaps, immediately obvious.  The Implementation Model, where each of the six elements is mapped against the main parts of the Standard, may help.

The 33 Steps will take you through each of the six elements in a logical sequence.

Other considerations, such as compatibility, might also be appropriate.

If you intend to lead an ISO 9001 Implementation Project yourself and don’t have Lead Auditor training yet, you need to get it. This is so that the decisions regarding Projects are adequately informed.

Should you choose to get consultancy support for the project, this training will help you manage the relationship. It will also ensure you ask the right questions as well as get the specific help you need.

In addition to conventional Lead Auditor Training, we also offer Lead Implementer Training.  Details and course content information is given in these links:

• Course 033: ISO 9001:2015 Lead Auditor (32 hours/5.3 days)
• Course 032: ISO 9001:2015 Lead Implementer

Part of the ongoing maintenance of a QMS is the requirement to undertake Internal Audits. You will want your own staff to carry out these audits. You will need training as the foundation of their competency to do so.  Details and course content information is given in these links:

• Course 031: ISO 9001:2015 Internal Auditor (12 hours)

When implementing and maintaining a Quality Management System, you need to consider the following things:

• Human Resources including a Steering Team (where top management participation is essential). This is to oversee the Project and help you in securing other resources in a timely manner.

You will also need Task Teams, organized by function or department, to aid in implementing new or revised processes and procedures. It is critically important to ensure that the persons chosen for these teams have the time and commitment to devote to them.

• Consultancy Support is advisable where you have little or no previous experience of implementing and/or maintaining a QMS.  Full-time consultancy support can be expensive. So, a popular choice is to combine
  Lead Implementer training with selective consultancy support.
• Document Management Systems in hard copy or soft copy are needed to store control and distribute procedures and records.  A shift to totally computerized systems is now the norm. Popular choices include
  Sharepoint for in-house developed systems and Q-pulse for off-the-shelf systems.
• Certification Body services from an accredited organization whose independent auditing of your QMS will be basis for issuing your ISO 9001 Certificate.
• 
  Training including Internal Auditor Training and QMS Awareness Training.
• Finance for the above. Your initial ISO 9001 Project Plan, to be submitted for management approval, must include such costings.  To help ensure that your plan is comprehensive and includes all significant costs you should examine our
  33-steps to ISO 9001 Certification.

Before establishing a QMS and drafting the various documents needed, you should purchase copies of the pertinent ISO standards first.

These include:

• The management system standard: ISO 9001:2015. This standard is the specification for a QMS. It sets out the requirements for an auditable QMS.

It provides the standard against which certification audits are performed, including the required documentation.

An organization that seeks certification of its QMS is examined against this standard.

• The Technical Standard ISO/NP TS 9002:2016 Quality Management System — Guidelines for the Application of ISO 9001:2015.  This standard provides an extensive body of knowledge on all aspects of a QMS.

They’re especially helpful for SMEs and for Service Industries (which historically have had difficulty in interpreting ISO 9001).

It contains copious examples that you can use as guides.

You can purchase these standards from the following online stores:

• The ANSI online store: http://webstore.ansi.org
• The ISO Online Shop:  http://www.iso.ch
• The Estonian Standards Shop: https://www.evs.ee/shop
• Or from your National Standards Institute/Authority.

If you haven’t trained to be a Lead Auditor yet, you may want to start training for it. This is so that the decision to be made regarding proceeding with the project is adequately informed.

In addition to conventional Lead Auditor Training, we also offer Lead Implementer Training.  Details and course content information is given on the links below.

• Course 033: ISO 9001:2015 Lead Auditor
• Course 032: ISO 9001:2015 Lead Implementer

Time

The duration of the project will depend on the size of the organization, the complexity of its operating processes, and the extent to which these processes have been formalized within the organization.

Some websites promise Certification in 3 months.  This is nonsense – you’ll need 3 months records alone after implementation to demonstrate that the QMS is being maintained and Certified Bodies like 2 or 3 months notice for an audit.

It is just possible for a small organization to secure certification in 4 months provided management and staff will cooperate fully with the project. More typical is a duration of 6 to 12 months.

Costs

The costs can vary wildly depending on the size of the busines and the number and complexity of the processes involved.

In the UK, and aside from the costs for internal resources, you will also need to consider Consultant’s fees (typically, UK£ 500 to UK£1000 per day) and Certification costs (typically UK£2,500 and upwards).

Be careful when comparing quotes for Certification.  Certification Bodies (CAB) are obliged to base their costs on a mandated number of man-days (based in turn on the numbers employed by your organization).

You would expect, therefore, that prices quoted would be similar but frequently Year 1 costs quoted vary greatly.  As CABs all quote for a 3-year cycle of certification audits, you need to compare the totals for the cycle to get a real comparison.

As an initial budget cost for a small enterprise, we suggest UK£10,000 for the initial project including Year-1 Certification.

Preparation for Certification

Once you have a quality management system in place, you are under no obligation to seek certification.  However, most businesses do. This is because it reassures customers that they can expect high-quality products and services when they do business with you.

The following provides a brief outline for those wishing to follow this path.
Before the certification process begins, make sure your quality management system has been in place and running for several months.

You can then see the system in operation and have the oppor­tunity to improve it. Any improvements achieved at this stage can simplify the certification process, which in turn can save you time and money.

Certification bodies do not operate on the principle of what you say is going to happen. They want to see evidence that your quality management system has been implemented and is effective.

In other words, they want to see what has already happened.

This will usually involve showing them documented informa­tion (records), allowing them to observe your processes, and interview your staff. They may also make other verifications as necessary in order to have confidence in your quality management system.

Choosing a Certification Body

There are two types of assessment that might be relevant to you.

The first may be carried out by your customer(s) and the other by an independent party (a” Certification Body”).

When your customer conducts an assessment, their approval signifies that they are confident that you meet the requirements of the ISO 9001 standard. However, each client may have their own standards for determining whether you pass or not.

Because of this, assessments may not necessarily be shared by other existing or potential customers.

The remainder of what is outlined below relates to those audits conducted by independent third-party Certification Bodies (sometimes referred to as Regis­trars, in certain parts of the world).

In order to maximize recognition of your certificate, you should ensure that the certification body you select has the appropriate accreditation.

This is normally granted by a national accreditation body, which attests to your certification body’s competence and impartiality.

All this is done under the umbrella of the International Accreditation Forum (IAF). This results in a certification that is recognized globally by most accrediting bodies and organizations in your specific industry.

The Certification Process

The process generally follows the sequence set out below.

Once you have selected the most appropriate certification body for your particu­lar needs, you will need to make a formal application to them. The application normally includes a description of your organization‘s activities, your products and services, and any other information requested.

The certification body may then ask you to fill out a questionnaire.

Prior to the certification body conducting its formal audit, you may wish to engage the services of a third party to perform a pre-assessment. This will help you gauge your organization’s readiness for the certification audit.

The initial certification will go as follows:

• obtain information about the scope of your quality management system, including the processes and equipment you use;
• check any statutory and regulatory requirements that are applicable to the products and services you provide;
• ensure that your documented information is appropriate for the context of your enterprise;
• evaluate any site-specific conditions;
• verify that at least one round of internal audits and management reviews have been performed;
• determine if you and your personnel are ready for the next stage
• allow for the planning of the next stage

If any concerns are raised during Stage 1, the Certification Body will indicate these to you.

Adjustments to your quality management system processes and the way you manage those processes will usually overcome most problems. The same goes for any amendments to any relevant documented information.

In Stage 2, the audit team ( there may be more than one auditor) will look closely at the way your organization operates.

The auditor will be looking for objec­tive evidence to verify that you are meeting all the requirements of ISO 9001. They will also verify if your quality management system is fully implemented and effective.

When problems are found, the auditor will prepare a” nonconformance report.” This will explain what has been detected and list it to the relevant requirement in ISO 9001.

You need to be sure that you understand the problem, so that you can address it accordingly.

The auditor has an obligation to explain the evidence that gave rise to the nonconformity, but should not give you advice about how to resolve it. That is up to you to determine.

A common approach among certification bodies is that if “major nonconformities” were identified, certification could be withheld pending corrective action.

If only minor nonconformities are found, a certificate might be issued. However, you will need to take appropriate corrective actions within an agreed timeframe.

You might be required to provide an action plan, or submit details of your analysis of the causes and the actions taken to address them.

Further verifica­tion will take place during a subsequent “routine surveillance” audit that the certification body is required to make at least annually.

The objective of a surveillance audit is to confirm that your quality management system continues to meet the requirements of ISO 9001.

Undergoing a Surveillance Audit

The standard certification cycle (contractually agreed between you and the Certification Body) is three years.

It comprises the initial certification audit, followed by two annual surveillance audits. These later audits aren’t as comprehensive, in that the full quality management system isn’t necessarily assessed at each surveillance audit.

At the end of the three-year certification period, a full re-certification audit is required. If nonconformances are detected during a surveillance audit, a similar approach will be taken as for the initial audit.

For minor nonconformances, you will be given the chance to address these in an agreed timeframe.

If major noncon­formances are found, you will need to take more urgent action. In critical cases, your certification might be suspended until they are resolved.

Organizations certified to ISO 9001 by an accredited certification body stand can benefit from it in a number of different ways.

Main Benefits

1. Customer satisfaction: The ISO 9001 certification is designed to enhancing customers’ experience in doing business with you.
2. Qualification for pre-tender and tender opportunities, especially from the public sector.
3. Risk management. While not a requirement, most certified organizations use it to quantify business threats and proactively deal with them.
4. Objectives and improvement. Obligation requires you to focus on setting targets for improvement and then planning and implementing them in a timely manner.
5. Processes and procedures suited to the mission and strategic objectives you have set for the organization.
6. Internal audits to monitor compliance with requirements and highlight deficiencies.
7. Corrective actions to prevent recurrence of errors.
8. Cost management. The cost of maintaining certification is minimal compared to the benefits of having an ISO 9001 compliant Quality Management System.

Additional Benefits

1. Board of Directors’ Confidence. Knowing that the organization is focused on strategic objectives while satisfying customers can help keep their minds at ease.
2. Lower customer complaint rate as fewer errors occur.
3. Retention of customers. Again, a consequence of reduced errors.
4. Management performance. Less time spent apologising to customers and managing the unnecessary repetition of work.
5. Reputation: You will be taken more seriously as a prospective supplier when you are a holder of ISO 9001 Certification.
6. Status: It will help you compete on equal terms with the ‘big’ boys’ regardless of the size of your organization.

And, if that isn’t enough to convince you and your colleagues to seek ISO 9001 certification, I give up!

The motivation mostly comes from customers and potential customers. Customers may sometimes stipulate that ongoing business is dependent on you securing certification.

Some potential customers may also express a preference for suppliers with ISO 9001 certification when requesting quotations or tender documents.

Occasionally enlightened management will initiate ISO 9001 implementation as a broadly-based improvement project seeking all the benefits listed above.

Sometimes, Boards of Directors will also request ISO 9001 Certification as independent evidence that their organization is being effectively managed.