The difference between "correction" and "corrective action"...

ISO 9001:2015, 9.2.2 e (Internal audit) speaks of “correction” and “corrective action.” What is the difference? 
A correction is the action taken to perform an immediate fix of the most obvious problem to remove the nonconformity and make the product or service acceptable to use. This will take very little investigation to find and is a quick fix for this one-time problem. However, it does not take action to preclude the problem from reoccurring.
If the audit has identified that a problem is more serious than one simple non-conformance, the organization will need to implement corrective action to prevent the problem from happening again. In that case, the organization will need to use a systematic process to ensure the root cause is identified and removed. This can be 6-Step Problem Solving. In a corrective action process, it is critical that the organization does not just fix the surface causes. Instead, the organization needs to look deeper into the cause of the problem to find the root cause so it can be eliminated.
Only when the organization finds and corrects the root cause of a problem will it truly ensure that the nonconformance does not happen again.

What is "Scope" in a Management System?

Determining the scope of the organization’s management system (MS) has been a requirement for a long time. It defines how far the MS extends within the organization’s operations. Many organizations, when starting their implementation, are confused about “scope.” They may equate it with the scope statement in the Standard and claim conformity with that statement or draw a complete blank. The publication of ISO 9001:2015 can help to clear this up for organizations.
Clause 4.3 states that there are three factors to consider when determining scope:
1. Internal and external issues that can affect the organization’s ability to achieve intended pruposes,
2. The requirements of relevant interested parties, and
3. The products and services of the organization.
Therefore, the scope of the MS is a statement of the products and services offered by the organization It’s “what our business does” including the industries for which this is done.
Here are some scope statement, as examples:
“The manufacturing and assembly of cargo and trunk systems, acoustic and water shield solutions and protective in-transit materials”
“The manufacture of close tolerance instrumentation and implants for the medical industry”
“The design and fabrication of wireless network sensors, prognostics, diagnostics, and vehicle telematics systems”
“Security printing, brand protection labels, tamper tapes, labels & seals, security paper documents, Intaglio printing and holograms, for businesses and governments”
It should include enough information to determine the processes used and what is excluded so that your customers and potential customers know exactly what you provide.

ISO 9001:2015 Questions from a recent Webinar Part 3 of 3, Answers by George Hummel, member US TAG to ISO/TC 176


The challenging areas that I see are in 4.1 and 4.2 where more of a business system language moves into the standard. George did point out that this is still a quality standard as opposed to a business standard. The challenge here remains on how to wrap such broad business concepts such as:

·  “The organization shall determine the external and internal issues that are relevant to its purpose and its strategic direction“ to narrow the focus to the areas that “ affect its ability to achieve the intended results of its quality management system.”

·  Narrowing the interested parties to focus on the quality management system.

These requirements, along with the stronger text in 5.1.1, has caused a great deal of confusion in the quality community, as seen in discussion groups, where there is a push toward interpreting ISO 9001:2015 as more of a business standard.


I would appreciate it if George could expand on how ISO 9001:2015 firmly and clearly maintains its identity as a quality management standard as opposed to business management standard.



As was stated in a recent answer, the Scope of the IS focuses the strategic concepts upon the risks and opportunities as they address customer and regulatory/statutory requirements.



When will ISO/TS 16949 be updated to reflect these updates? And is it likely ISO/TS 16949 to have the same implementation dates? 



The automotive sector is (IATF) using ISO 9001:2015 as a base for ISO/TS 16949.  They will announce their timetable.  The dates will most likely be three years from ISO/TS’ publication.



Are there any clauses in ISO 9001:2015 where the current ISO/TS 16949 requirements, Core Tools manuals or Published Customer Specifics Requirements fall short in meeting ISO 9001:2015?



The new requirements, for the most part, are not currently addressed in the automotive documents.  Core Tool manuals are not requirement documents.



Regarding 7.1.5, I've always lamented that Measurement System Analysis (Gauge R & R) was not included in the standard. Has there been discussion of this aspect of Precision of monitoring/measuring Devices within TC 176? (I take the term "valid reliable results" to be supportive of this direction).



It is up to each organization as to how it addresses this requirement.  What matters is that the output of monitoring and measuring be effective.



How do you (others) evaluate the effectiveness of training on employees? This has always been a struggle for our organization.



The organization needs to define the competency needed for each person “doing work under its control that affects the performance and effectiveness of the quality management system.”  When there are deficiencies in the competence needed, the organization must take “action” to address the need.  Any action taken must be evaluated.  A common approach to that evaluation is the change in performance noted as a result.  Does the resulting performance demonstrate that the necessary competence has been achieved? How documented information of evidence is retained is up to the organization.



It seems it will be confusing to keep an existing QMS format when the reference sections have changed. Is it better to make the transition to the new sections for ease of use?



The problem for organizations that use the standard as a format is that the standard changes.  It did in 2000 and has changed again.  It would make more sense for an organization, when planning its quality management system to structure it based upon their business. Thus, if you feel a need to change, now is the time to use your own structure design.

ISO 9001:2015 Questions from a recent Webinar Part 2 of 3, Answers by George Hummel, member US TAG to ISO/TC 176



Our ISO 9001: 2008 manual and our supporting documents cover most or all the rearranged or new requirements.  Is it necessary to rewrite the manual to be more in line with the 2015 standard?



Absolutely NOT. The Introduction of ISO 9001:2015 states:

“It is not the intent of this International Standard to imply the need for:

—   uniformity in the structure of different quality     management systems;


     alignment of documentation to the clause structure of this International Standard;


     the use of the specific terminology of this International Standard within the organization.”


It pays to read the Standard from the first page, not at the beginning of Clause 4.


See an answer below: it may be a good opportunity to create your own structure.



Our management group, especially our Japanese, rely on my position as management rep to communicate the requirements and to communicate information regarding the QMS and EMS.  So under responsibility and authority can my position be documented and if so as what?  There has to be someone else held accountable for feeding a directing the requirements.



While it is no longer a requirement that there be a Management Representative, an organization is free to maintain that role.  However, that does not absolve Top Management of accountability.

ISO 9001:2015 Questions from a recent Webinar Part 1 of 3, Answers by George Hummel, member US TAG to ISO/TC 176


What is the deadline for being audited to ISO 9001:2015?



Organizations have until September 2018, to complete the transition and be certified.  Certification Bodies should be informing clients of their exact process soon.  However, to avoid being caught in a “log jam” at the end of this period, it would be advisable to start the transition now.



How can we use our existing quality manual/procedures while incorporating in ISO 9001:2015 revision?



You are free to incorporate any or all of your existing documentation.  However, it would be wise to check for required documented information you may not have. An effective technique for this is a Gap Analysis.



The new standard is causing a stir in the quality discussions, with some pointing to these clauses as an indication that ISO 9001 is becoming a Business Management Standard.



ISO 9001 is a Quality Management Standard because of its Scope, which gives the requirements of when an organization “needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements…”


Further, ISO provides TC 176, Quality management and assurance, with a design specification for a quality standard.  The committee cannot exceed these inputs.  That is also why ISO 9001:2015 does not address “risk mitigation,” as that is the province of TC 262.



Can you explain Clause 6.1 and its application, as we see the subject of Clause 6 and the risks & opportunities applied to 8.1, 9.1.3, 9.3, and 10.2?



One of the core concepts of ISO 9001:2015 is the methodology of Plan-Do-Check-Act.  Clause 6 addresses planning with regard to risks and opportunities. Clause 8.1 is “Do.”  Clauses 9.1.3 and 9.3 are “Check.”  Clause 10.2 is “Act.”

What does ISO 9001:2015 bring to your QMS?

As the standard progressed from its DIS stage to final publication, there was a high level of debate and anticipation.

With the International Standard, there are some very significant new requirements and a change in approach that can bring challenges to those transitioning their quality management system.  However, approached correctly, ISO 9001 can bring these benefits:

1.   Integration of the QMS into the core of the business

2.   A complete grounding in the process approach, as well as the PDCA cycle

3.   A broadening of the QMS where responsibilities now span the organization

4.   Introduction of risk-based thinking as the foundation of QMS planning

5.   Involvement of Top Management as leaders

6.  The emphasis on performance and outcomes.

ISO 9001:2015 Published in September 2015...Start Now

Why not start ISO 9001:2015 transition/implementation now?

Many organizations are quite satisfied with a three-year window before the 2015 version of ISO 9001 is required for certification. When asked, most say, “We’ll wait.  We have time.” 

Why wait?  The standard has been revised to align closely with the strategic direction of the organization. Since the standard was first written in 1987--and focused upon documentation to give evidence of compliance--the standard developers have moved slowly toward an extremely important concept, now seen in full bloom in ISO 9001:2015: It’s not about compliance, but performance; it’s about output! It’s about using your quality management system to improve business results.

Second, while “risk-based thinking” has been much maligned, the top managers with whom I have worked have seen this requirement in a tremendously positive light. They say, “If I address risk from a system, process, and product perspective, I can focus my quality management system on performance improvement.”   

What this says to us is that ISO 9001:2015 is a tool to improve business results, as well as the bottom line.

So, tell me again, why you are waiting? 

The Final Draft International Standard (FDIS) of ISO 9001:2015 has been published.

The FDIS will help you identify what you need to do to get your quality management system aligned to the 2015 version. 

This is the final stage on the revision journey and means you can be confident that the information contained in the FDIS will be in line with the final version, which will be published in September.
The new 2015 revision is a significant update to the standard, and it’s a great opportunity to make your organization even more effective. The key new areas covered in the standard are:

  • Greater emphasis on building a management system suited to each organization’s particular needs
  • A requirement that those at the top of an organization be involved and accountable, aligning quality with wider business strategy
  • Risk-based thinking throughout the standard makes the whole management system a preventive tool and encourages continuous improvement
  • Less prescriptive requirements for documentation: the organization can now decide what documented information it needs and in what format
  • Alignment with other key management system standards through the use of a common structure and core text

With a comprehensive suite of services and support material, IQC can help you embed this new management system into your organization, so you can start to see the results as quickly as possible.

For more information on the revisions, contact Seth at 937-673-3732 or

The Top 5 Revisions in ISO 9001:2015

ISO 9001 has undergone major revisions for 2015.  Revisions akin to the 2000 version of the Standard.  This is the first major set of changes since that year!  What do organizations implementing or transition have to consider with the fall 2015 publication?

1.    Clause 0.6 in the Introduction section of the draft ISO 9001:2015 standard is titled, "Compatibility with other Management System Standards." It notes that ISO 9001:2015 has adopted the new high-level structure developed by ISO to improve the alignment of all of its management system standards (ISO 14001, ISO 22000, ISO 27001, etc.) The high-level structure is defined in Annex SL of the ISO Directives and provides common:

· Clause sequence

· Text

· Terminology

The ISO 9001:2015 requirements are defined in an order that is consistent with organizational planning and process management:

· Context of organization and its system and processes (Clause 4)

· Leadership, policy, and responsibilities (Clause 5)

· Processes for planning and considering risks and opportunities (Clause 6)

· Processes for support, including resources, people, and information (Clause 7)

· Operational processes related to customers, products, and services (Clause 8)

· Processes for performance evaluation (Clause 9)

· Processes for improvement (Clause 10)


2.    Context of the organization

Understanding an organization and its context, and the needs and expectations of interested parties, is central to maintaining a business. Section 4.1 of the revision requires an organization to determine "external and internal issues that are relevant to its purpose and its strategic direction."

After they are determined, the organization is to monitor those internal and external issues. The clause further requires an assessment of the organization’s ability to achieve the intended results of its QMS. The tool most capable of supporting compliance to section 4.1 is a SWOT or strengths, weaknesses, opportunities, and threats analysis. Another tool, the balanced scorecard, is also a likely candidate. Both are products of business, not necessarily quality management.

At its face, "business thinking" is a welcome addition to the standard, addressing a long-standing complaint that ISO 9001 is not understood as a business system with an output of quality.


3.    Planning for the QMS

Clause 6.1, "actions to address risks and opportunities," is perhaps the single-most talked about addition to the standard. Clause 6.1 weaves together previous elements 4.1 and 4.2, understanding the context of the organization, and the needs and expectations of interested parties by requiring that analysis of these issues become actionable risk-based plans, targets and goals.

The accompanying note to section 6.1.2 provides excellent guidance in this regard, saying "Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk or retaining risk by informed decision."

There is no mention of preventive action in ISO 9001:2015; it is expressed through the phrase "risk-based thinking." Clauses 6.1.1 and 6.1.2 continue the theme of borderless business and quality system planning and management. The risk-based thinking approach in ISO 9001:2015 is basic: After you know your challenges, develop appropriate plans and monitoring methods to mitigate the risk of inaction or incorrect in these defined areas.

4.    Organizational knowledge

Clause 7.1.6 ushers in the discipline of knowledge management through the requirement that "the organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services." The point is that knowledge—what, how, when and often why—is required to generate consistent and conforming products.

Furthermore, the right people need access to this knowledge to create this desired outcome. Organizational knowledge management requires analysis and planning that are unique to each organization to balance the typical blend of competent people no longer requiring tools—such as work instructions—against those who do.

5.    Applicability

In ISO/DIS 9001:2015, Clause 4.3, determining the scope of the QMS, you will no longer find references to the term "exclusions." Instead, it’s up to the organization to decide which elements do not apply.

The choice to disregard a requirement is not allowed, however, if it pertains to normal operations.  Furthermore, the text states, "If any requirement(s) of this international standard cannot be applied, this shall not affect the organization’s ability or responsibility to ensure conformity of products and services." The issue of applicability is tied to whether your organization is capable of producing consistent, conforming product.

There are other changes that organizations will need to consider:

·       There is no longer a requirement for a Quality Manual

·       “Product” is now “Products and services”

·       The title “Management Representative” is gone, because:

·       Management Responsibility has been revised to Leadership

·       There is no longer a requirement for 6 documented procedures

·       Document & Record Control is now Control of Documented Information

·       The Process Approach is now mandatory

·       “Outcomes Matter” – the emphasis is upon performance, not compliance

                         .        The use of ISO 9000:2015 for definitions.


Dayton Daily News article about ISO 9001 and AS9100 Implementation Program

IQC, The ISO Pros of Dayton, Ohio, along with Clark State Community College (Springfield and Beavercreek Ohio) and The Economic Development Department of Greene County, Ohio are offering an ISO 9001 and AS9100 implementation program at a discounted rate.  The following link is for a story from the Dayton Daily News.

ISO 9001:2015 Update Training

Are You Prepared to Implement the Changes to ISO 9001? 

The countdown for ISO 9001:2015 has started.

Join us for this informative seminar lead by George Hummel, a member of the US TAG to ISO/TC 176 - the group responsible for drafting the changes to ISO 9001:2015.
May 8, 2015 from 1:00pm to 4:30pm at Clark State Community College, $325.00 per participant

Please CLICK HERE for more information and links to the registration page.

Three Keys to Internal Auditing Success

Keep these in mind to accomplish your goals.

Internal auditing is one of the most routine improvement tools available to organizations. In fact, it’s so ordinary that auditors sometimes forget the underlying principles of auditing. Auditors must be periodically reminded of these underlying truths or the entire audit process can begin to backfire. Keep these in mind as you audit and you’ll nearly always be successful.

Principle 1: The customer of the internal audit is the one being audited
That’s right, the people you’re auditing are your customers. Internal auditing is a service you perform to help make your organization more successful and identify problems before they spiral out of control. The quality of your product depends on how well the audit is planned, the type of training provided to auditors, the level of engagement of top management and the way auditors behave during the audit, among other factors. You must conduct the audit with the same level of professionalism and diplomacy as if you were being paid by an outside party.
Little things that indicate the auditors have forgotten who the customer is include:

  • Treating the audit as a “Gotcha!” exercise. Auditors should never express satisfaction or glee when nonconformances are found. Focus on the facts and keep things as impersonal as possible. Failures revealed by the audit are opportunities for the future.

  • Failing to adjust the audit plan to meet the needs of the auditee. Unexpected events can occur during an audit: accidents happen, lines shut down, rush orders must be processed. The audit plan should be flexible enough to handle changes on the fly.

  • Holding surprises until the very end. The auditee should be apprised of audit results throughout the entire process. Don’t make the mistake of holding a “bombshell” until the closing meeting for maximum impact. Auditor should communicate their concern, along with all supporting evidence, when they think they might have found a problem.

  • Focusing on insignificant details at the expense of critical issues. Auditing is a detailed activity, but don’t forget to examine the effectiveness of the overall system. When faced with an issue, auditors should ask themselves, “What effect does this really have on the organization and its customers?” The answer will usually indicate if the issue is one worth delving into in great detail.

Principle 2: Planning is the key to success
Audits don’t create improvements by accident. It takes a great deal of planning and coordination. I’ve often said that a well planned audit almost runs itself. On the other hand, a poorly planned audit runs itself into the ground, and planning often gets shortchanged in the rush to get audits done.
Audit planning involves a significant amount of dialogue between the auditors and auditees. It’s a dynamic process that begins well in advance of the audit itself. Planning typically provides details around the following issues:

  • Date: When will the audit take place?

  • Location: What’s the audit’s location?

  • Scope: What are the official boundaries of the audit?

  • Objective: What is the point of performing the audit?

  • Auditors: Who will perform the audit?

  • Areas to be audited: What functions, departments or processes will be evaluated during the audit? Sometimes this is clear from the scope, but often not.

  • Topics to be audited: What subjects will be audited in the given departments? Should the auditee expect questions about document control or management commitment? This not only gives the auditee a heads-up, but it also helps guide the auditors.

  • Timing of the audit: When exactly will each department be audited? When will the opening and closing meetings take place?

The audit plan may also address other issues, but the ones mentioned above are the most common. The purpose of the audit plan is two-fold: To help the auditors understand exactly what they’ll be doing during the audit and to allow the auditees to know what to expect. It isn’t uncommon for the auditee to propose changes to the audit plan, usually minor alterations in the timing (“Instead of auditing sales at 9 a.m., can you come at 10 a.m.? We already have something scheduled for 9 a.m.”). Changes of this sort are entirely reasonable and should be accommodated to the extent possible. Remember, the customer of the audit is the auditee.

The audit plan is documented as concisely and clearly as possible. The exact format is usually dictated by the magnitude of the audit. A plan for an audit of an hour or two could take the form of an e-mail. A plan for a full day or multi-day audit will often take the form of a matrix, indicating hour-by-hour blocks of activities. Whatever the format, the plan should be communicated far enough in advance of the audit for all parties to digest it and understand its effect on operations.

Principle 3: Opinions never constitute nonconformances
Everybody has opinions. As people become wiser and more experienced, they tend to develop even more opinions. Many auditors consider themselves to be wise and experienced, meaning they have loads of opinions. Sometimes these opinions become the basis for nonconformities, which is a huge mistake. Facts are the only legitimate basis for nonconformities. Opinions have no role in the process.

A child could write a good nonconformity. The problem is that children don’t write them, wise and experienced auditors do. Consider the following:

  • The company committed itself to doing XYZ. The commitment is a fact, evidenced by its presence in a procedure, plan, policy, specification, contract, work instruction, standard or statement.

  • The company failed to do XYZ. The failure is a fact, based on evidence such as records, observations, documents or interviews.

No opinions are present in the nonconformity, just cold, hard facts. It’s hard to argue with facts. It also makes the audit go much smoother. Sure, facts may remove a degree of creativity that auditors exercised, but creativity is better expressed in other ways.

Evidently, nonconformances aren’t the only kind of audit findings. Because the audit is a balanced process, positives are also highlighted. These may be recorded individually, summarized in an audit report, or presented orally during the closing meeting. Every organization will have at least one or two positives that can be recognized. The auditors just have to remember to look for these in the course of their auditing.

Some organizations also include another category of finding called observations, remarks, comments, opportunities, recommendations, or any number of other names. These fall into a gray area that doesn’t quite constitute nonconformity, but is still an issue worthy of investigation. Sometimes these will include specific recommendations for taking action based on past experience, established best practices or regulatory requirements. These types of findings give auditors a chance to express opinions. Audits are a great place for benchmarking and sharing best practices, as long as all parties to the audit understand and agree to how this will happen.


ISO 9001:2015 Transition Planning Guide released by the IAF

The International Accreditation Forum (IAF) has released a transition planning document that provides guidance for the transition from ISO 9001:2008 to ISO 9001:2015. The Transition Planning Guidance for ISO 9001:2015 document was developed in cooperation with ISO Technical Committee 176, Subcommittee 2, Working Group 23, to provide advice to interested parties on transition arrangements to be considered before implementing ISO 9001:20125. It identifies activities that should be considered by relevant interested parties and increases understanding of the context of ISO 9001:2015, which is scheduled for publication in September 2015.

The Transition Planning Guidance for ISO 9001:2015 document reflects the consensus of IAF members on this subject and is intended to support the consistent application of requirements. Because the document is for information purposes only, IAF accreditation body members and conformity assessment body members they accredit are not obligated to use or comply with the document.

IAF and the ISO Committee on Conformity Assessment have agreed to a three-year transition period from the publication date of ISO 9001:2015. ISO 9001:2008 certificates will not be valid after three years from the publication of ISO 9001:2015. The expiration date of certifications to ISO 9001:2008 issued during the transition period needs to correspond to the end of the three-year transition period.

The Transition Planning Guidance for ISO 9001:2015 document recommends that organizations using ISO 9001:2008 take the following actions:

  • Identify organizational gaps* that need to be addressed to meet ISO 9001:2015’s new requirements.

  • Develop an implementation plan

  • Provide appropriate training and awareness for all parties that affect the organization’s effectiveness.

  • Update the existing quality management system to meet ISO 9001:2015’s new requirements and provide verification of effectiveness.

  • Contact their certification body (registrar) for transition guidance.

The document also provides specific guidance for certification and accreditation bodies.

The Transition Planning Guidance for ISO 9001:2015 document can be download free of charge at

* IQC can perform your Gap Analysis under this guidance.  Contact us for a quote.

ISO 9001:2015 Questions from recent Webinars:

It feels like auditing is going to be more difficult. To ensure compliance, you need to check records which show conformity to the requirement. So how will we understand the requirement if it is not documented well?

It is correct to say the DIS does not mandate documented procedures and records, in the way that ISO 9001:2008 does. However, in effect, both versions require the organization to maintain documented information (documented procedures) sufficient to support the operation of processes and retain documented information (records) to the extent necessary to have confidence that the processes are being carried out as planned.

Organizations do not need to throw away their quality manuals and documented procedures if these are in place and working well. The requirement for documented procedures was very much reduced with the introduction of ISO 9001:2000, compared to the previous version. But a majority of organizations chose to keep their documented procedures and records. The same is likely to be the case in 2015. And as is the case now, if an organization has not got documented procedures, the first question an auditor should ask is 'how have you defined the process requirements, how do people know what to do and what acceptable evidence can you show me to support this?" Our opinion is that auditors are likely to find themselves spending more time looking at everyday business information and IT-based information, and less time looking at documentation created especially for the auditor.


Please specify any changes related to documentation and ISO mandatory procedures

References to a documented quality manual, documented procedures and to quality records have been removed. Instead throughout ISO 9001:2015 DIS there are specific references to Documented Information. This is information which the organization is required to keep, control and maintain. While ISO 9001:2008 specified a number of mandatory documents, DIS ISO 9001:2014 does not. However that does not mean that organizations have to throw away their quality manuals and documented procedures. If this documentation is in place and working well, there is no need to withdraw it.


What will be the effect of the new version on companies with quality management systems that are currently implemented and certified to QMS 9001:2008?

This will vary from organization to organization in terms of how much change will be needed. There will be a three-year transition period for certified organizations which will start when the standard is published. However, the standard writers and certification bodies are already encouraging organizations to make a start.

The first step is to gain an understanding of the new and enhanced requirements. Then do a gap analysis. Some will prefer to wait for the FDIS before launching into redeveloping the quality management system, but we believe there is work that you can usefully get on with now.


What would you advise an organization to do that is considering ISO 9001 certification at the moment– wait for the new standard to come into effect before applying, or go ahead and then convert to the new standard?

The time required to implement 9001 and achieve certification varies according to a range of factors but 8–12 months is typical. That would take you pretty much up to the anticipated release date of the new standard. So, do you develop a QMS against the established requirements of ISO 9001:2008 or the potential requirements of ISO 9001:2015 as contained within the DIS?

If you go down the former route you are working with a set of ‘known’ factors. The 2008 requirements are known and you also know that you will have until 2018 to transition to the 2015 requirements.

On the other hand, if you develop a system based on the requirements of the DIS 9001 as of 2014, you are working with something which is still work in progress and is liable to change. This approach therefore carries inherent risk. If the changes between DIS 9001:2014 and ISO 9001:2015 turn out to be minimal, then you’ll have relatively little work to do in order to achieve a QMS which meets the latest standard. If the changes are significant, however, you’ll need to do more, but this will still be less than those that need to fully transition.

We would recommend that you work within the known parameters, being mindful wherever possible to write the system in such a way that it is capable of meeting both the current 2008 requirements and the projected 2015 requirements. This is a close call however and if someone advised me they were implementing a QMS against the DIS, their reasoning would be perfectly understandable.


Why was the requirement to have a management representative cancelled?

This is an attempt to ensure that ownership of the quality management system does not center on a single individual. The DIS replaces management responsibility with leadership, and repositions a number of ISO 9001:2008 requirements as leadership activities. There will be a greater need for top management to be actively involved in the operation of their quality management system. This does not mean that organizations need to remove their management representatives, but some duties traditionally assigned to the management representative by top management will, in future, need to be undertaken directly by top management themselves.


Organizations that operate integrated management systems already reduce their quality documentation to an absolute minimum. By removing the requirement for a quality manual and procedures, are we in danger of sanctioning this minimalistic approach?

DIS 9001:2014 does not require either a quality manual or documented procedures. It does however require specific 'documented information' to be either retained or maintained.

If an organization wishes to be certified then it must of course meet all of the requirements within a standard, including those pertaining to documented information, and it must be able to show this as evidence to you. There is nothing to stop an organization operating a QMS based on a subset of the ISO 9001 requirements, but it cannot then legitimately claim to meet the standard.


In all instances risk is used in the sense that it is the possibility of an undesirable result, particularly in 0.3 and 6.1, but the definition given (3.09) implies risk has a positive effect. Which is correct?

This lack of clarity has its origins in pre-Annex SL times. Different disciplines have traditionally held different views on risk. Risk management professionals have always seen risk in the Annex SL sense, as both positive and negative. However quality professionals (and most people in the street) usually regard risk as exclusively negative, and environmental professionals prefer to talk in terms of 'threats'. As risk is defined as a common term everyone should be adopting both the positive and negative interpretation, but there is still some resistance to this.


Please can you provide more explanation about what risk-based thinking actually means?

The concept of risk-based thinking is discussed in section 0.5 of the DIS. Risk-based thinking is about demonstrating that you understand the risks to your QMS and its constituent processes which might affect your ability to achieve your intended outcomes. You need to show evidence that you have determined the risks to your system and have taken action that is proportionate to the potential impact of the risk, should the risk become an issue.

Risks are dynamic – they change through time – so risk-based thinking is an ongoing exercise and not a one-off event. Throughout the DIS, you will see requirements referring to the need to consider risk.

Announcing the ISO 9001:2015 Revised Standard

George Hummel, Co-Founder of IQC and a voting member of the US TAG to ISO/TC 176, has been intimately involved in drafting and revising the new version of ISO 9001.  In the following article he explains the specifics behind why, what, when and how you can prepare. 


The Standard must retain relevance for the market.  The Standard was amended in 2008 and revisions are required on a loosely maintained 5-year cycle.  Revisions began two years ago with a Design Standard provided by the ISO General Secretariat.  This design document was the result of market/user surveys. Furthermore, ISO now requires that all Management System Standards have the same format.

The requirement is for all standards to be integrated with common language for areas touched by all (for example, document control).  In the future, organizations can begin with the common core and implement specific management requirements depending on the system they are implementing.

ISO is seeking a consistent foundation for the next 15 to 20 years.  In the 2000 ISO version, process management for the QMS was introduced.  Organizations should be familiar with that approach.  Now it will be a requirement.  This may be difficult for some auditors since a checklist will no longer be allowed!  ISO 9001 must also take into account the advances in quality management made over the last two decades.  ISO 9001, with its emphasis on effectiveness and standardization, should be a solid base for efficiency models such as Lean and Lean Six Sigma.

Over the past two decades, there has been increased adoption of ISO 9001 by a variety of different organizations and sectors. The Standard must be relevant and useful to all industries.  Since its first publication in 1987, the language has evolved from predominantly manufacturing to generic wording.

There are an increased number of service organizations implementing ISO 9001.  The service sector now accounts for 43% of certifications.  This includes public bodies as well as office environments.

There is also an increased complexity of business environments; including virtual offices.

Many of the sector-specific management systems, such as AS9100, are going to use the 2015 revision as the launching pad for their revisions.  (However, the automotive industry with ISO/TS 16949, is saying that the new version is driving them away.  At this point, it is unknown what standards they will be using.) UPDATE: ISO/TS 16949 will change to the new revision of ISO 9001

PLEASE NOTE:  The DIS is available for public use.  ASQ is making it available for purchase.  Please realize, the DIS may change between now and the FDIS. 

IQC will inform you of revisions and the eventual implementation program.  Subsequent training will be provided.

The “organization” of international standards & management standards:

As of 2012, all new management standards and all revisions are required to conform to a common framework commonly called “Annex SL.”  Specifically, Appendix 3 of ISO/IEC Directives, Part 1, Annex SL.  Three standards have been published using the common framework: ISO 22000, 20001, 50001.  Current revisions beside 9001 are 14001 (The US TAGs for both have been coordinating) and 27001.


ISO 9001:2008

  1. Introduction

  2. Scope

  3. Normative references

  4. Terms & definitions

  5. Quality management system

  6. Management responsibility

  7. Resource management

  8. Product realization

  9. Measurement, analysis and improvement

ISO 9001:2015

  1. Introduction

  2. Scope

  3. Normative references

  4. Terms & definitions

  5. Context of the organization

  6. Leadership

  7. Planning

  8. Support

  9. Operation

  10. Performance evaluation

  11.  Improvement

Key changes:

  1. Emphasis on risk mitigation in designing a management system.  Thus, no specific clause for Preventive Action.  The whole management system should mitigate risk through prevention.

  2. Increased emphasis on increasing value for the organization and its customers.

  3. “Documented information” while expanding the concept of documentation, decreases its emphasis and replaces Control of documents and records.

  4. “Organizational context” addresses responsiveness to the environment of the organization.

  5. “Outsourcing” is now “External provision.”

  6. There are enhanced leadership requirements.

  7. There is no longer a requirement for a Management Representative.

  8. There is no longer a requirement for a Quality Manual

High Level Structure and New Clause Numbers:

1.  Scope
2.  Normative references
3.  Terms & definitions
4.  Context of the organization
      1) Understanding the organization & its context
      2) Needs & expectations
      3)  Scope
      4)  Management system    

5.  Leadership
      1)  Management commitment
      2)  Policy
      3)  Roles, responsibility, authority    

6.  Planning
      1)  Actions to address risks & opportunities
      2)  Objectives & plans to achieve them

7.  Support
      1) Resources
      2) Competence
      3)  Awareness
      4)  Communications
      5)  Documented information   

8. Operation
     1)  Operational planning & control    

9.  Performance evaluation
      1)  Monitoring, measurement, analysis & evaluation
      2)  Internal audit
      3)  Management review    

10.  Improvement
       1)  Nonconformity & corrective action
       2)  Continual Improvement

Clause 4:

4.1       Understanding the organization & its context

You must determine the external and internal issues relevant to your organization’s purpose and those that affect its ability to achieve intended outcomes.

4.2       Understanding the needs & expectations of interested parties

You must identify interested parties, their relevance to your management system and their requirements.

Some you should consider:

  • Direct customers

  • Internal customers

  • Industry groups

  • Trading partners

  • End users

  • Suppliers, distributors, retailers and the complete supply chain

  • Regulators, standards, codes of practice, industry standards; corporate governance

  • Any other relevant interested parties

4.4       Quality Management System (QMS)

You must establish, implement, maintain and improve your QMS.  This includes the processes needed and their interactions while meeting the requirements of the International Standard.  Subsequently, the “process approach” is now a requirement and is embedded in all management standards.

5.1       Leadership

Top management must demonstrate leadership and commitment within the QMS by:

  • Ensuring the integration of all QMS requirements into all business processes;

  • Promote awareness of the “process approach;”

  • Supporting other relevant management in their demonstration of leadership as it applies to their areas of responsibility.

Thus, Top Management must demonstrate leadership and commitment with regard to customer focus.

6.1       Actions to address risks and opportunities

When planning your QMS, you have to consider 4.1 and its requirements and 4.2.  Determine the risks and opportunities that need to be addressed in order to:

  • Assure that the QMS can achieve its intended outcomes

  • Prevent or reduce undesired effects

  • Achieve improvement

Then you have to plan:

  • Actions to address these risks and opportunities

  • How to:
    a)  Integrate and implement the actions into your QMS processes
    b)  Evaluate the effectiveness of these actions

7.1       Resources

You need to determine and provide resources needed for the QMS.  These MAY include:

8.1.2        – Infrastructure
8.1.3        – Process environment
8.1.4        – Monitoring
8.1.5        – Knowledge

8.1       Operational planning and control

You must plan, implement and control processes needed to meet requirements and to implement the actions listed for 6.1.  This is accomplished by:

  • Establishing criteria for these processes

  • Implementing control of the processes per the criteria

  • Recording sufficient documented information to provide evidence that the processes have been operated as planned.  If there are adverse effects, you must take action to mitigate them.

This includes “outsourced processes” as now defined as external providers, as addressed in 8.4

9          Performance Evaluation

These clauses are generally the same as the 2008 version:

9.1       Monitoring, measurement, analysis and evaluation
9.2       Internal audit
9.3       Management review

10        Improvement
Nonconformity and corrective action

            10.2  Improvement
            Terminology – changes & concepts

  1. “Product” is now “goods and services”

  2. Clause 4.4.2 specifically states the Process Approach as a requirement

  3. “Risk” is defined as the “effect of uncertainty” (see ISO 31000)

  4. “Design & development” is “Development”

  5. Monitoring & measurement are now defined separately:
       a)  Monitoring: status of a system, a process or an activity
       b)  Measurement: process to determine a value

  6. Terms include "media information"


August, 2014              –Ballot on DIS passed
July, 2015                   –Publication of the FDIS
September, 2015        –Ballot on the International Standard
December, 2015         –Publication of the International Standard
January, 2016             –Organizations can begin implementation
2018                            –Completion of implementation period.

(As of now, the IAF and ANAB have not published requirements for Certification Bodies other than ISO 17021.)


Learn about the revisions as the process progresses

  1. Learn about the revisions as the process progresses

  2. Start to evaluate the impact on your organization

  3. State planning your revision

  4. Conduct a Gap Analysis between current system to ISO 9001:2015

  5. Attend one of the ISO 9001:2015 ½ day Overviews, facilitated by George Hummel.

George Hummel is the Certification Manager for Global Certification-USA.  As a member of the US TAG to TC 176, he is on the US’ ISO 9001 Validation Team and the Interpretations Team.  He can be reached at