ISO 9001:2015 Questions from recent Webinars:

It feels like auditing is going to be more difficult. To ensure compliance, you need to check records which show conformity to the requirement. So how will we understand the requirement if it is not documented well?

It is correct to say the DIS does not mandate documented procedures and records, in the way that ISO 9001:2008 does. However, in effect, both versions require the organization to maintain documented information (documented procedures) sufficient to support the operation of processes and retain documented information (records) to the extent necessary to have confidence that the processes are being carried out as planned.

Organizations do not need to throw away their quality manuals and documented procedures if these are in place and working well. The requirement for documented procedures was very much reduced with the introduction of ISO 9001:2000, compared to the previous version. But a majority of organizations chose to keep their documented procedures and records. The same is likely to be the case in 2015. And as is the case now, if an organization has not got documented procedures, the first question an auditor should ask is 'how have you defined the process requirements, how do people know what to do and what acceptable evidence can you show me to support this?' Our opinion is that auditors are likely to find themselves spending more time looking at everyday business information and IT-based information, and less time looking at documentation created especially for the auditor.


Please specify any changes related to documentation and ISO mandatory procedures

References to a documented quality manual, documented procedures and to quality records have been removed. Instead, throughout ISO 9001:2015 DIS there are specific references to Documented Information. This is information which the organization is required to keep, control and maintain. While ISO 9001:2008 specified a number of mandatory documents, DIS ISO 9001:2014 does not. However, that does not mean that organizations have to throw away their quality manuals and documented procedures. If this documentation is in place and working well, there is no need to withdraw it.


What will be the effect of the new version on companies with quality management systems that are currently implemented and certified to QMS 9001:2008?

This will vary from organization to organization in terms of how much change will be needed. There will be a three-year transition period for certified organizations which will start when the standard is published. However, the standard writers and certification bodies are already encouraging organizations to make a start.

The first step is to gain an understanding of the new and enhanced requirements. Then do a gap analysis. Some will prefer to wait for the FDIS before launching into redeveloping the quality management system, but we believe there is work that you can usefully get on with now.


What would you advise an organization to do that is considering ISO 9001 certification at the moment – wait for the new standard to come into effect before applying, or go ahead and then convert to the new standard?

The time required to implement 9001 and achieve certification varies according to a range of factors but 8–12 months is typical. That would take you pretty much up to the anticipated release date of the new standard. So, do you develop a QMS against the established requirements of ISO 9001:2008 or the potential requirements of ISO 9001:2015 as contained within the DIS?

If you go down the former route you are working with a set of ‘known’ factors. The 2008 requirements are known and you also know that you will have until 2018 to transition to the 2015 requirements.

On the other hand, if you develop a system based on the requirements of the DIS 9001 as of 2014, you are working with something which is still work in progress and is liable to change. This approach therefore carries inherent risk. If the changes between DIS 9001:2014 and ISO 9001:2015 turn out to be minimal, then you’ll have relatively little work to do in order to achieve a QMS which meets the latest standard. If the changes are significant, however, you’ll need to do more, but this will still be less work than for those who need to fully transition.

We would recommend that you work within the known parameters, being mindful wherever possible to write the system in such a way that it is capable of meeting both the current 2008 requirements and the projected 2015 requirements. This is a close call, however, and if someone advised me they were implementing a QMS against the DIS, their reasoning would be perfectly understandable.


Why was the requirement to have a management representative cancelled?

This is an attempt to ensure that ownership of the quality management system does not center on a single individual. The DIS replaces management responsibility with leadership, and repositions a number of ISO 9001:2008 requirements as leadership activities. There will be a greater need for top management to be actively involved in the operation of their quality management system. This does not mean that organizations need to remove their management representatives, but some duties traditionally assigned to the management representative by top management will, in future, need to be undertaken directly by top management themselves.


Organizations that operate integrated management systems already reduce their quality documentation to an absolute minimum. By removing the requirement for a quality manual and procedures, are we in danger of sanctioning this minimalistic approach?

DIS 9001:2014 does not require either a quality manual or documented procedures. It does however require specific 'documented information' to be either retained or maintained.

If an organization wishes to be certified then it must of course meet all of the requirements within a standard, including those pertaining to documented information, and it must be able to show this as evidence to you. There is nothing to stop an organization operating a QMS based on a subset of the ISO 9001 requirements, but it cannot then legitimately claim to meet the standard.


In all instances risk is used in the sense that it is the possibility of an undesirable result, particularly in 0.3 and 6.1, but the definition given (3.09) implies risk has a positive effect. Which is correct?

This lack of clarity has its origins in pre-Annex SL times. Different disciplines have traditionally held different views on risk. Risk management professionals have always seen risk in the Annex SL sense, as both positive and negative. However, quality professionals (and most people in the street) usually regard risk as exclusively negative, and environmental professionals prefer to talk in terms of 'threats'. As risk is defined as a common term, everyone should be adopting both the positive and negative interpretation, but there is still some resistance to this.


Please can you provide more explanation about what risk-based thinking actually means?

The concept of risk-based thinking is discussed in section 0.5 of the DIS. Risk-based thinking is about demonstrating that you understand the risks to your QMS and its constituent processes which might affect your ability to achieve your intended outcomes. You need to show evidence that you have determined the risks to your system and have taken action that is proportionate to the potential impact of the risk, should the risk become an issue.

Risks are dynamic – they change through time – so risk-based thinking is an ongoing exercise and not a one-off event. Throughout the DIS, you will see requirements referring to the need to consider risk.