
ISO 9001

TL;DR

ISO 9001:2015 is the international standard for a generic quality management system — the foundation almost every sector-specific standard (ISO 13485 for medical devices, IATF 16949 for automotive, AS9100 for aerospace, FSSC 22000 for food safety, API Q1/Q2 for oil and gas) builds on. This page covers the 10-clause Annex SL high-level structure, the seven quality-management principles, the Plan-Do-Check-Act backbone, what an inspectable ISO 9001 QMS actually contains, mandatory documented information, risk-based thinking and the move away from prescriptive procedures, the three-year certification cycle, common audit findings, sector-specific extensions, and how V5 Ultimate runs an ISO 9001 system integrated with the shop floor rather than as a parallel binder.

Reviewed by the V5 Ultimate compliance team · 3,700 words · ~17 min read

01 What ISO 9001 is

ISO 9001 is the world's most widely used quality management standard, certified at over a million sites globally in more than 170 countries. It defines what a quality management system must include: leadership commitment, customer focus, risk-based thinking, the process approach, documented information, competence, operational control, monitoring and measurement, internal audit, and continual improvement.

ISO 9001 is intentionally generic — it doesn't tell you how to make your product, only how to run the quality system that ensures your product consistently meets requirements. Sector-specific standards (ISO 13485, AS9100, IATF 16949, FSSC 22000, API Q1) extend it with industry-specific requirements but inherit the same backbone.

First published in 1987, ISO 9001 has been issued in five editions (1987, 1994, 2000, 2008 and 2015), plus a 2024 amendment that adds climate-change considerations. The 2015 revision was the most substantial: it adopted the Annex SL high-level structure shared across all major ISO management-system standards, made risk-based thinking explicit, dropped the requirement for a documented quality manual and six mandatory procedures, and shifted from "prevent nonconformity" to "plan for and address risks and opportunities". The next revision is expected around 2026.

02 The 10-clause structure (Annex SL)

ISO 9001:2015 adopted the Annex SL high-level structure shared by the major ISO management-system standards (ISO 14001, ISO 45001, ISO/IEC 27001, ISO 22301, ISO 22000). ISO 13485:2016 is the notable exception: it keeps the eight-clause layout of ISO 9001:2008. The 10 clauses are:

# | Clause | What it covers | Typical evidence
1 | Scope | What the standard applies to | Standard itself; no evidence required
2 | Normative references | Documents indispensable to apply the standard | Standard itself
3 | Terms and definitions | Defined in ISO 9000:2015 | Standard itself
4 | Context of the organisation | Interested parties, scope of QMS, processes and their interactions | Context analysis, interested-parties register, process map
5 | Leadership | Top management commitment, policy, organisational roles, responsibilities and authorities | Signed policy; role descriptions; management review minutes
6 | Planning | Actions to address risks and opportunities, quality objectives, planning of changes | Risk register; SMART objective set; change control records
7 | Support | Resources, competence, awareness, communication, documented information | Training records, calibration log, controlled-document index
8 | Operation | Operational planning, customer requirements, design, supplier control, production, release | Order records, design history, supplier evaluations, batch / DHR records
9 | Performance evaluation | Monitoring, customer satisfaction, internal audit, management review | Audit reports, KPI dashboards, customer feedback, MR minutes
10 | Improvement | Nonconformity, corrective action, continual improvement | NCR/CAPA log with effectiveness review evidence

03 The seven quality-management principles

# | Principle | What it means operationally
1 | Customer focus | Understand current and future customer needs; meet requirements; aim to exceed expectations
2 | Leadership | Top management establishes unity of purpose, direction, and the conditions for people to engage
3 | Engagement of people | Competent, empowered, engaged people deliver and enhance value
4 | Process approach | Activities managed as interrelated processes that function as a coherent system
5 | Improvement | Successful organisations have an ongoing focus on improvement
6 | Evidence-based decision making | Decisions based on analysis and evaluation of data and information
7 | Relationship management | Manage relationships with relevant interested parties (suppliers, partners, regulators)

These principles are not separately auditable — they are the philosophical backbone the standard's requirements implement. An auditor will look for evidence that they are lived, not just printed. Asking operators "what does our quality policy mean for your day?" is a standard audit technique to test whether leadership and engagement are real.

04 Plan-Do-Check-Act and risk-based thinking

ISO 9001:2015 explicitly maps its structure onto the Plan-Do-Check-Act cycle (Figure 2 of the standard): context (clause 4) supplies the inputs and leadership (clause 5) sits at the centre; planning (clause 6) is Plan, support and operation (clauses 7 and 8) are Do, performance evaluation (clause 9) is Check, and improvement (clause 10) is Act. The whole system is meant to operate as a closed loop, with planning informed by performance evaluation and improvement feeding back into planning.

Risk-based thinking is the conceptual change introduced by the 2015 revision. The 2008 version required "preventive action" as a discrete clause; 2015 dissolved that into a system-wide expectation that the organisation identify risks and opportunities and plan actions accordingly. There is no prescribed risk-management methodology — sites use what fits (FMEA, SWOT, ISO 31000 frameworks, simple risk registers). The auditor wants to see that risks are identified, addressed, and reviewed for effectiveness.

05 What an inspectable ISO 9001 QMS contains

  1. Documented quality policy and measurable objectives, communicated and understood at all relevant levels.
  2. Defined scope of the QMS, with justification for any requirement treated as not applicable. ISO 9001:2015 no longer limits exclusions to a particular clause, but an exclusion is only acceptable if it does not affect the organisation's ability or responsibility to provide conforming products and services and to enhance customer satisfaction; in practice, justified exclusions almost always fall in clause 8 (typically design and development, 8.3).
  3. Process map showing how the processes interact (no longer required to be a separate document, but evidence of the process approach must be available).
  4. Documented information for the operation and control of the processes the organisation has identified as needing it.
  5. Risk assessment — identified risks and opportunities and how they are addressed (no prescribed format).
  6. Competence records for people doing work that affects performance.
  7. Calibration records for monitoring and measuring resources.
  8. Supplier evaluation, selection, and re-evaluation evidence.
  9. Customer property handled and tracked appropriately.
  10. Nonconformity, corrective action and continual-improvement records with effectiveness review.
  11. Internal audit programme and outputs covering every clause across the audit cycle.
  12. Management review minutes with all required inputs and outputs (clause 9.3).
  13. Control of changes — planned change management evidence.

06 Mandatory documented information

ISO 9001:2015 specifies which documented information is mandatory. The list is shorter than the 2008 version (which required a quality manual plus six procedures); the 2015 version requires the following documented information to be "maintained" (kept up to date) or "retained" (kept as records):

Clause | Documented information required | Maintained or retained
4.3 | Scope of the QMS | Maintained
4.4 | Information to support the operation of processes | Maintained (and retained as evidence that processes are carried out as planned)
5.2 | Quality policy | Maintained
6.2 | Quality objectives | Maintained
7.1.5.1 | Evidence of fitness for purpose of monitoring and measuring resources | Retained
7.1.5.2 | Calibration / verification records, including the basis used where no traceable standard exists | Retained
7.2 | Competence records | Retained
8.1 | Operational planning information | Maintained (and retained as necessary)
8.2.3 | Customer-requirement review records, including any new requirements | Retained
8.3 | Design and development records (inputs, controls, outputs, changes) | Retained
8.4 | Supplier evaluation, selection, monitoring, re-evaluation records | Retained
8.5.1 | Characteristics of products and services, activities to be performed, and results to be achieved | Maintained (available at the point of use)
8.5.2 | Traceability records, where traceability is a requirement | Retained
8.5.3 | Customer property loss / damage records | Retained
8.5.6 | Production change control records | Retained
8.6 | Product release records and traceability to the releasing authority | Retained
8.7 | Nonconforming output records and disposition | Retained
9.1.1 | Monitoring and measurement results | Retained
9.2 | Internal audit programme and reports | Retained
9.3 | Management review outputs | Retained
10.2 | Nonconformity and corrective action records | Retained

07 The three-year certification cycle

Year | Audit type | Scope | Typical duration
0 | Stage 1 (readiness review) | Documented information, scope, identified processes, readiness for Stage 2 | 0.5–1 day
0 | Stage 2 (initial certification) | Full QMS implementation evidence on site | 2–4 days for a mid-size site
1 | Surveillance audit 1 | Risk-based sample of clauses and processes; internal audit, management review, complaints, progress against objectives, changes and use of the certification mark are checked at every surveillance visit | 1–2 days
2 | Surveillance audit 2 | Remaining sample so that every clause and process is covered across the cycle | 1–2 days
3 | Recertification | Full system, similar scope to Stage 2 | 2–4 days

Audit duration is set by IAF MD 5 based on number of employees, complexity, and shifts. A 50-employee single-shift site might face 1.5 days for surveillance; a 500-employee three-shift site might face 4–5 days. Multi-site sampling reduces total time when sites perform similar processes.

08 Common ISO 9001 audit findings

  • Quality objectives not measurable or not regularly reviewed — "improve quality" rather than a specific KPI with a target.
  • Risks identified but no follow-through evidence — risk register exists, but no action tied back to it.
  • Documented information drift — controlled documents in use on the floor that don't match the master.
  • Internal audit programme behind schedule or missing functional areas — design, sales, or finance commonly skipped.
  • Corrective actions closed without effectiveness review — "trained the operator" with no recurrence check.
  • Management review skipped, abbreviated, or missing required inputs (customer feedback, audit results, NCR trends, risk status, opportunities).
  • Supplier re-evaluation lapsed — initial approval recorded but no ongoing performance review.
  • Calibration overdue on equipment used for product acceptance.
  • Customer complaints handled but no root-cause learning fed back into process improvement.
  • Competence requirements defined for some roles but not all roles affecting performance.
  • Process approach described in writing but not visible operationally — clauses managed as silos.
  • Changes implemented without planning evidence (clause 6.3 / 8.5.6).

09 ISO 9001 and sector-specific standards

Most regulated manufacturers operate to a sector-specific standard that builds on ISO 9001:

Standard | Sector | Key additions over ISO 9001
ISO 13485 | Medical devices | More prescriptive on documentation, design controls, risk management (ISO 14971), regulatory communication, DHF/DMR/DHR
IATF 16949 | Automotive | PPAP, FMEA, MSA, SPC, run-at-rate, customer-specific requirements
AS9100D | Aerospace and defence | Configuration management, counterfeit parts, product safety, FOD control, first-article inspection
FSSC 22000 | Food safety | Built on ISO 22000 rather than directly on ISO 9001; HACCP, prerequisite programmes (ISO/TS 22002 series), food defence and fraud
API Q1 / Q2 | Oil and gas | Risk-based contingency planning, design validation, supplier requirements
TL 9000 | Telecommunications | Measurement framework, FRT (fix response time), product category metrics

IATF 16949, AS9100D, API Q1/Q2 and TL 9000 are supersets: they require conformity to the full ISO 9001:2015 text and add requirements, so a site certified to one of them also meets ISO 9001, although the certification body usually issues separate certificates. ISO 13485 is the exception: it is a standalone standard based on the ISO 9001:2008 structure that replaces some ISO 9001:2015 requirements (continual improvement becomes maintaining effectiveness; customer satisfaction becomes customer feedback), so an ISO 13485 certificate does not by itself demonstrate ISO 9001 conformity. ISO/IEC 27001 is often grouped with these but is not an extension of ISO 9001 at all; it shares only the Annex SL structure, which is why the two are commonly run as one integrated management system. Many manufacturers choose to combine audits to reduce the total on-site days.

10 Management review — what good actually looks like

Clause 9.3 is among the most frequently cited findings in ISO 9001 audits, not because management reviews don't happen, but because they happen as a checkbox rather than as the executive instrument the clause intends. A defensible management review is held at least annually (most mature sites run quarterly), is attended by the leadership whose decisions can change the system, and produces decisions and resourced actions, not just minutes.

The clause lists six headings of mandatory input (9.3.2 a to f; heading c, performance and effectiveness, breaks down into seven trend items) and three mandatory outputs (9.3.3). The auditor will tick each one against the minutes and the supporting evidence pack; absent inputs are findings, vague outputs are findings, and "discussed" with no decision attached is a finding.

Required input (9.3.2) | Evidence the auditor expects
Status of actions from previous reviews | Carry-forward register with each prior-period action closed, deferred or replaced, with rationale
Changes in external/internal issues relevant to the QMS | Refreshed context analysis; market, regulatory, technology, workforce shifts
Information on quality performance and effectiveness | Customer satisfaction and feedback trend, extent to which quality objectives have been met, process performance and conformity of products and services, NCR/CAPA trend, monitoring and measurement results, audit results, supplier performance
Adequacy of resources | Headcount, competence gap analysis, capex requests linked to QMS objectives
Effectiveness of actions to address risks and opportunities | Risk register with each high-rated risk reviewed; new risks added since last review
Opportunities for improvement | Captured and tied to next-period objectives, not just listed

The three mandatory outputs (decisions on opportunities for improvement, changes needed to the QMS, resources needed) must each be evidenced — assigned owner, target date, resource committed, and tracked through to closure at the next review. The auditor will pull last year's outputs and ask to see what came of each. Outputs with no follow-through are a clause 10.1 finding (continual improvement) layered on top of the 9.3 finding.

11 Internal audit programme design

Clause 9.2 requires internal audits at planned intervals to provide information on whether the QMS conforms to the standard's requirements and the organisation's own requirements and is effectively implemented and maintained. "At planned intervals" is not annually; it is per the programme the site builds and defends — typically one full pass per certification cycle (three years), with high-risk areas audited more often.

The programme that consistently survives external audit:

  1. Risk-based scheduling — clauses with the most NCRs, processes with the highest customer-complaint volume, and areas with recent change get audited more frequently than the rest. The auditor expects the schedule to be revisited annually based on the prior year's trend.
  2. Clause coverage matrix — every clause of ISO 9001 mapped to one or more scheduled audits across the cycle. No clause skipped, no clause audited every quarter for symmetry.
  3. Process coverage matrix — every operational process (order management, design, production, dispatch, supplier qualification) audited at least once per cycle, ideally during a representative shift not just a quiet office afternoon.
  4. Independent auditors — the person auditing a process cannot be responsible for it. Most sites maintain a trained pool of internal auditors drawn from across departments.
  5. Findings classified consistently — major / minor / observation with definitions written down; auditors trained on the definitions.
  6. Closure verification — every finding has a corrective action, evidence of effectiveness, and a closeout date verified by someone other than the action owner.
  7. Programme review — annual review of audit programme effectiveness as a management-review input.

External auditors will pull the internal audit programme, sample three to five audits from the last 12 months, and trace each finding through to closure. Internal audits that found nothing in any process across an entire year are themselves a finding — either the audits weren't done with sufficient depth, or the auditors weren't independent enough to call what they saw.
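The clause and process coverage matrices above are easy to describe and easy to let drift over a three-year cycle. The following is an added example, not code from the page or from V5 Ultimate: a small checker that takes a scheduled programme and reports the gaps an external auditor would pull, including the independence rule (auditor must not own the process) and the risk-based rule that clauses with a high NCR count are audited more than once per cycle. The sub-clause list, the process list, the quarter-based schedule, the NCR threshold and every name and number in the sample are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Sub-clauses an internal audit can be scheduled against; this granularity is an assumption
CLAUSES = [
    "4.1", "4.2", "4.3", "4.4", "5.1", "5.2", "5.3", "6.1", "6.2", "6.3",
    "7.1", "7.2", "7.3", "7.4", "7.5", "8.1", "8.2", "8.3", "8.4", "8.5",
    "8.6", "8.7", "9.1", "9.2", "9.3", "10.1", "10.2", "10.3",
]
# Operational processes the site has identified (assumed list, taken from the text above)
PROCESSES = ["order management", "design", "production", "dispatch", "supplier qualification"]
CYCLE_QUARTERS = 12  # one three-year certification cycle, in quarters


@dataclass
class Audit:
    quarter: int            # 0 .. CYCLE_QUARTERS-1 within the cycle
    process: str
    clauses: list[str]
    auditor: str
    process_owner: str      # the person responsible for the audited process


def coverage_report(audits: list[Audit], ncr_by_clause: dict[str, int], hot_threshold: int = 3) -> dict:
    """Gaps an external auditor would find in the programme as scheduled.

    ncr_by_clause: NCRs raised against each clause in the prior year, used for the
    risk-based rule that busy clauses must be audited at least twice per cycle.
    """
    quarters = defaultdict(set)          # clause -> set of quarters in which it is audited
    for a in audits:
        for c in a.clauses:
            quarters[c].add(a.quarter)
    hot = {c for c, n in ncr_by_clause.items() if n >= hot_threshold}
    audited_processes = {a.process for a in audits}
    return {
        # no clause skipped across the cycle
        "missing_clauses": [c for c in CLAUSES if not quarters[c]],
        # no clause audited every quarter "for symmetry"
        "audited_every_quarter": [c for c in CLAUSES if len(quarters[c]) >= CYCLE_QUARTERS],
        # high-NCR clauses must appear more than once
        "hot_clauses_not_repeated": sorted(c for c in hot if len(quarters[c]) < 2),
        # every operational process audited at least once per cycle
        "missing_processes": [p for p in PROCESSES if p not in audited_processes],
        # auditor must not be responsible for the process
        "not_independent": [(a.quarter, a.process) for a in audits if a.auditor == a.process_owner],
        # typos in the schedule that would silently leave a clause uncovered
        "unknown_clauses": sorted({c for a in audits for c in a.clauses if c not in CLAUSES}),
    }


# Constructed sample programme and NCR counts, not real site data
SAMPLE_AUDITS = [
    Audit(0, "order management", ["4.1", "4.2", "4.3", "4.4", "8.2"], "A. Lee", "B. Singh"),
    Audit(1, "production", ["7.1", "8.5", "8.6", "8.7"], "B. Singh", "C. Diaz"),
    Audit(3, "supplier qualification", ["8.4", "7.1"], "C. Diaz", "C. Diaz"),
    Audit(5, "design", ["8.1", "8.3", "6.3"], "A. Lee", "D. Park"),
    Audit(7, "production", ["8.5", "8.7", "10.2"], "D. Park", "C. Diaz"),
    Audit(9, "order management",
          ["5.1", "5.2", "5.3", "6.1", "6.2", "9.1", "9.2", "9.3", "10.1", "10.3"], "A. Lee", "B. Singh"),
]
SAMPLE_NCRS = {"8.5": 5, "8.7": 4, "8.4": 3, "8.2": 1}

if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_AUDITS, SAMPLE_NCRS).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows the whole of clause 7 after 7.1 unscheduled, dispatch never audited, supplier qualification audited by its own owner, and 8.4 (three NCRs last year) visited only once; each of those is a line the external auditor would write up before looking at a single finding.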

12 Risk and opportunity register — practical design

Clause 6.1 introduced risk-based thinking but pointedly did not mandate a method. Sites are free to use FMEA, ISO 31000-style registers, SWOT, or anything else they can defend. The pattern that works for most mid-size QMS implementations is a single register with the columns below, reviewed quarterly at the operations layer and annually as a management-review input.

Column | Content
ID | Stable identifier
Source | Where the risk was identified (internal audit, customer complaint, change, market, regulatory)
Description | Specific, concrete, testable, not "supply chain risk"
Affected processes / clauses | Traceable back to the process map and the clause matrix
Likelihood × Impact (raw) | Pre-mitigation score using the site's defined scale
Existing controls | What's already in place
Residual score | Post-control likelihood × impact
Treatment | Accept / mitigate / transfer / avoid, with rationale
Action owner + due date | Single named owner, hard date
Effectiveness review date | When the residual score will be re-evaluated
Status | Open / mitigated / closed / re-opened

Opportunities sit in the same register with a different scoring lens: "if we acted on this, what's the upside?" The clause is explicit that the system has to identify and act on opportunities, not just risks. Sites that maintain a risk-only register are exposed to a clause 6.1.1 finding at the next external audit.
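The register columns above double as a checklist, and most of the audit findings listed earlier on this page (vague descriptions, shared owners, no due date, no effectiveness review, a register with no opportunities) can be caught mechanically before the auditor arrives. This is an added example, not code from the page or from V5 Ultimate: a minimal model of the register with those checks. The 1–5 scoring scale, the "pursue" treatment for opportunities, the list of generic phrases, and every name and date in the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SCALE_MAX = 5  # assumed 1-5 likelihood and impact scale; the standard prescribes none
GENERIC = {"supply chain risk", "quality risk", "it risk", "people risk"}  # assumed untestable wording


@dataclass
class Entry:
    """One row of the register; the fields follow the column table above."""
    id: str
    kind: str                       # "risk" or "opportunity"
    source: str
    description: str
    clauses: list[str]              # affected processes / clauses
    likelihood: int                 # raw, pre-mitigation
    impact: int
    existing_controls: str
    residual_likelihood: int        # post-control
    residual_impact: int
    treatment: str                  # accept / mitigate / transfer / avoid; "pursue" for opportunities (assumed term)
    rationale: str
    owner: str
    due: Optional[date]
    effectiveness_review: Optional[date]
    status: str                     # open / mitigated / closed / re-opened

    def raw_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def check_entry(e: Entry, today: date) -> list[str]:
    """Return the objections an external auditor would raise against one row."""
    out = []
    scores = {"likelihood": e.likelihood, "impact": e.impact,
              "residual likelihood": e.residual_likelihood, "residual impact": e.residual_impact}
    for name, v in scores.items():
        if not 1 <= v <= SCALE_MAX:
            out.append(f"{e.id}: {name}={v} is outside the 1-{SCALE_MAX} scale")
    if e.residual_score() > e.raw_score():
        out.append(f"{e.id}: residual score exceeds raw score; controls cannot add risk")
    if e.description.strip().lower() in GENERIC or len(e.description.split()) < 4:
        out.append(f"{e.id}: description is generic, not specific and testable")
    if not e.clauses:
        out.append(f"{e.id}: not traceable to any process or clause")
    if e.treatment in ("mitigate", "transfer", "avoid", "pursue"):
        # a single named owner: no lists of people and no anonymous "team"
        shared = any(sep in e.owner for sep in (",", "/", "&")) or e.owner.lower().endswith("team")
        if not e.owner.strip() or shared:
            out.append(f"{e.id}: action needs a single named owner, got {e.owner!r}")
        if e.due is None:
            out.append(f"{e.id}: action has no hard due date")
        elif e.status in ("open", "re-opened") and e.due < today:
            out.append(f"{e.id}: action overdue since {e.due.isoformat()}")
    if e.treatment == "accept" and not e.rationale.strip():
        out.append(f"{e.id}: risk accepted without a recorded rationale")
    if e.status != "closed":
        if e.effectiveness_review is None:
            out.append(f"{e.id}: no effectiveness review date")
        elif e.effectiveness_review < today:
            out.append(f"{e.id}: effectiveness review overdue since {e.effectiveness_review.isoformat()}")
    return out


def check_register(entries: list[Entry], today: date) -> list[str]:
    """Register-level checks, then every row's checks."""
    out = []
    ids = [e.id for e in entries]
    out += [f"{i}: identifier is not unique" for i in sorted(set(ids)) if ids.count(i) > 1]
    if not any(e.kind == "opportunity" for e in entries):
        out.append("register holds no opportunities; clause 6.1.1 expects risks and opportunities")
    for e in entries:
        out += check_entry(e, today)
    return out


# Constructed sample rows, not real site data
TODAY = date(2025, 3, 1)
SAMPLE = [
    Entry("R-001", "risk", "customer complaint",
          "Single-sourced PCB supplier misses lead time during the Q3 demand peak",
          ["8.4", "supplier qualification"], 4, 4, "Six weeks of safety stock", 2, 4,
          "mitigate", "Second source reduces likelihood; impact unchanged until qualified",
          "J. Okafor", date(2025, 6, 30), date(2025, 9, 30), "open"),
    Entry("R-002", "risk", "internal audit", "supply chain risk",
          [], 3, 3, "", 3, 3, "mitigate", "", "purchasing team", None, None, "open"),
]

if __name__ == "__main__":
    for line in check_register(SAMPLE, TODAY):
        print(line)
```

R-001 passes every check; R-002 is the row that gets written up: generic description, no clause or process link, a team rather than a person as owner, no due date and no effectiveness review date. The register-level check fires too, because the sample holds no opportunities.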

Frequently asked questions

Q. Is ISO 9001 mandatory?

Not legally in most jurisdictions, but it is contractually mandatory across most large customer/supplier relationships. Many tenders require it as a baseline.

Q. How is ISO 9001 certified?

By an accredited third-party Certification Body, typically over a three-year cycle with initial certification, two surveillance audits, and a re-certification audit at year three.

Q. Can I be ISO 9001 certified without sector-specific certification?

Yes. ISO 9001 is the floor; many manufacturers in non-regulated sectors hold only ISO 9001. Regulated sectors usually need the sector-specific certificate on top.

Q. Does ISO 9001 require a quality manual?

No — the 2015 revision dropped the explicit requirement for a documented quality manual. Most organisations still keep one because it's a convenient organising document, but it is no longer mandatory.

Q. What are the six mandatory procedures?

ISO 9001:2008 required six (document control, record control, internal audit, control of nonconforming product, corrective action, preventive action). ISO 9001:2015 removed that explicit requirement — sites must still control these activities, but how they document the controls is at their discretion.

Q. How much does ISO 9001 certification cost?

Highly variable. Initial certification for a small site can be USD 5–15k including audit fees and consultant support; large multi-site organisations spend hundreds of thousands. Ongoing costs are mostly the annual surveillance audit fees and internal effort.

Q. When is the next ISO 9001 revision?

ISO is currently working on the next revision, expected to publish around 2026. Early drafts emphasise climate-change considerations (per ISO's 2024 amendment to all management-system standards), ethics, and emerging-technology governance. Transition periods are typically three years from publication.

Q. How often must I run a management review?

Clause 9.3 says "at planned intervals" and sets no frequency; certification bodies generally expect at least one review per year, and quarterly is the norm for mature organisations. Skipping a review the site itself has planned is a non-conformity even if the schedule resumes the following period.

Q. Who can perform internal audits?

Anyone competent and independent of the process being audited. Many sites use a trained cross-functional auditor pool; some outsource internal audits to a consultant where headcount is too small to provide independence.

Q. Are observations the same as non-conformities?

No. Observations (or opportunities for improvement) flag a potential weakness without citing a clause failure; non-conformities (minor or major) cite a specific clause and require corrective action with effectiveness review. Auditors who pile up observations are often telegraphing future non-conformities — treat them seriously.

Q. Does the ISO 9001 risk register need to use FMEA?

No. The standard is method-agnostic. FMEA is one acceptable approach; ISO 31000 registers, bow-tie analysis, SWOT-derived risk lists, and combinations are all defensible if applied consistently and reviewed periodically.

Q. What's the difference between maintained and retained documented information?

Maintained means kept current — current versions of policies, procedures, the scope statement. Retained means kept as historical evidence — audit reports, calibration records, NCR records. Both are controlled, but the controls differ: maintained docs have a current-version expectation; retained docs have a retention-period expectation.


See ISO 9001 working on a real shop floor

V5 Ultimate ships with the ISO 9001 controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.
