ISO 9001 2015 Comparison and Guidance Matrix

ISO 9001:2015

Comparison and Guidance Matrix

© URS 2015
ISO 9001:2015 Comparison and Guidance Matrix (ISO 9001:2015 versus ISO 9001:2008)

Columns of the matrix: ISO 9001:2015 clause; ISO 9001:2015 requirement; ISO 9001:2008 clause; What the standard requires; Action plan (What should clients do?)

Clause 4 (ISO 9001:2008 clause 4): Context of the organization

Clause 4.1 (ISO 9001:2008 clause 4.1): Understanding the organization and its context

What the standard requires:
The organisation shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.
The organisation shall monitor and review information about these external and internal issues.

What should clients do?
There are different ways to demonstrate that you understand your organization. For example:
1. An organization chart
2. Roles and responsibilities
3. A process map showing the process and interactions
Issues – let’s call these threats or risks. If you link this requirement to ‘Actions to address risks and opportunities’ (Clause 6) then there is an expectation that you perform some form of risk assessment.
The risk assessment should address:
- Risks to your customers (products and services) – this is linked to ‘Understanding the Needs and Expectations of Interested Parties’ in 4.2
- Threats/risks to your business (core processes)
- Risks to the management system (support processes)
- Risks to compliance to legislation/regulations
Once you have done a thorough risk assessment, you will truly understand all issues, threats and risks.
You are required to monitor and review the information regarding issues – you could do this via management reviews, internal audits, other meetings etc. You could cross-refer to the risk assessment.

Clause 4.2 (ISO 9001:2008 clause 4.1): Understanding the needs and expectations of interested parties

What the standard requires:
Due to their effect or potential effect on the organisation’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organisation shall determine:
a) The interested parties that are relevant to the quality management system
b) The requirements of these interested parties that are relevant to the quality management system
The organisation shall monitor and review information about these interested parties and their relevant requirements.

What should clients do?
Who are the relevant interested parties (the preferred term to stakeholders) and what are their requirements? Generally customers of course – so what do they want? Always good products or services as per their requirements, and on time.
Other interested parties could be end users, suppliers, distributors, retailers or others in the supply chain, regulators etc.
See 4.1 above.
You are required to monitor and review the information regarding interested parties – you could do this via management reviews, internal audits, other meetings etc. You could cross-refer to the risk assessment.
For individual contracts/orders, you will be required to review their requirements (including legislation/regulations) before acceptance to identify any issues that need resolving.

Clause 4.3: Determining the scope of the quality management system

What the standard requires:
The organization shall determine the boundaries and applicability of the quality management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1
b) the requirements of relevant interested parties referred to in 4.2
c) the products and services of the organization.
The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system.
The scope of the organization’s quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system.
Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.

What should clients do?
You need to determine your own scope and where are the boundaries of the management system? What’s in and what’s out? This needs to be appropriate to the organisation and its objectives.
The scope shall be stated in terms of goods and services, the main processes to deliver them and the sites of the organization included. The main processes to deliver them is significant – we will need to be sure to understand the scope and processes at stage 1 but need to be careful so as not to include all sub-processes.
Clients including those already certified: Some clients restrict their scope to exclude some products, processes, locations. The scope must be clear such that customers and other interested parties are in no doubt about the extent of the ISO9001 system particularly if they state ISO9001 as a pre-requisite for doing business.
Exclusions are NOT allowed if the requirements CAN be applied.
Review your quality management system scope – do you include everything? Do you exclude anything? On your site you may be certified for the manufacture of plastic parts and not for metal stampings. Is that a risk to your business? Is it a risk to your customers? Have you considered any interfaces/overlaps between the plastic moulding operation and the metal stamping operation for example?
The new standard says that ‘where a requirement of the standard CAN be applied, then it SHALL be applied’. This means that if you do design, then you cannot exclude it in the scope.
You need to document the scope.
You need to justify any requirements that CANNOT be applied.

Clause 4.4 (ISO 9001:2008 clause 4.1): Quality management system and its processes

Clause 4.4.1

What the standard requires:
The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;
g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h) improve the processes and the quality management system.

What should clients do?
You must establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
Clients including those already certified: The inference here, to demonstrate compliance, is that the organisation needs to somehow ‘list’ (or otherwise) the processes within the scope of their ISO9001 system that are needed to fulfil their own and customer expectations. Some processes interact with each other, some processes interact with several processes. For example, calibration would interact with production and QC processes.
What is a Process? There are many definitions but the most widely accepted is: An activity or set of activities using resources, and managed in order to enable the transformation of inputs into outputs.
A detailed process map is useful in showing the processes and how they interact with each other. This could also be used as a tool for determining internal and external issues. Note that outsourced processes and other locations that support the site (site being the location being certified) should be shown, and their interactions.
Some people may read the standard and say that documented procedures/instructions etc are not needed.
First of all, you need to determine what your processes are (including support/management processes). And you need to determine the requirements of 4.4 a-h.
Based on the risks identified, to customers, the business, system etc. then the level and extent of documented instruction can be identified. The question is, is there a risk without a documented procedure/instruction?

Clause 4.4.2 (ISO 9001:2008 clause 4.1)

What the standard requires:
To the extent necessary, the organisation shall:
a) Maintain documented information to support the operation of its processes;
b) Retain documented information to have confidence that the processes are being carried out as planned

What should clients do?
See below for guidance on ‘process approach’

Process Approach

What is Process Approach? The application of a system of processes within an organisation, together with the identification and interactions of these processes, and their management to produce the desired outcome.

Processes really need to be ‘documented’ and ‘mapped’. BUT this also depends on the output from the risk assessment. If the risk assessment shows that a documented procedure or work instruction, for example, would reduce or eliminate a risk, then there is a case for a documented procedure/WI etc.

The inputs need to be identified (customer requirements generally) and the expected outputs need to be ‘documented’.

Once the processes have been identified, they need to be managed:

- determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective (more about risks later)
- determine criteria, methods, measurements, and related performance indicators needed to ensure that both the operation and control of these processes are effective –
  - criteria and methods – what do we want to achieve, how are we going to do it? There needs to be guidance to those doing the work. Maybe work instructions (verbal or documented), procedures, samples etc. These need to specify what needs to be monitored and what the end results should be (and what to do if things go wrong). We should give credit to highly skilled people – why do they need fine detail instructions if they are experts? Could be insulting. Conversely, some unskilled workers may need very clear guidance (and maybe supervision).
  - performance indicators infers that a measurable performance target (KPI, metric etc.) is assigned to a process. Not all processes lend themselves to targets but those that have a direct effect on the customer should be a good starting point. As previously stated, the customer wants goods/services as specified, and on time. If process targets focus on these, that’s a good start. A lot of organisations, auditors and certification bodies seem to forget about performance indicators which are related to business needs. Effective processes give the customer what they want, efficient processes give the organisation what they want. If the customer gets their 100 parts perfectly to specification but 150 were made with 50 scrapped, was it an efficient process?
- determine the resources and ensure their availability; – what equipment, consumables, materials, people are needed?
- assign responsibilities and authorities for processes; only those who have been approved via a competence process should be assigned. There should be evidence of their qualifications, experience etc., against competence criteria. This also provides auditors with a point of reference when looking at who did what.
- implement actions necessary to achieve planned results – up and running against the methods and criteria.
- monitor, analyse and change (if needed), these processes ensuring that they continue to deliver the intended outputs; – so the processes have to be monitored (maybe self checking by the worker, maybe an independent worker doing checks). If the processes are stable and meeting requirements, they probably don’t need changing but if things go wrong or there is obvious variation, the process may need to be stopped (and something done to rectify) or adjusted.
- ensure improvement of these processes – if a process continually achieves 100% effectiveness, should the organisation now concentrate on efficiencies? Auditors should not get hung up if the processes have been analysed and there are no areas for improvement – it proves that the client has done a good job!! If the process(es) are not achieving desired results (process targets) then something needs to be done to improve the process. Auditors can record nonconformities if no action has been taken.

Clause 5 (ISO 9001:2008 clause 5): Leadership

Clause 5.1: Leadership and commitment

Clause 5.1.1: General

What the standard requires:
Top management shall demonstrate leadership and commitment with respect to the quality management system by:
a) taking accountability for the effectiveness of the quality management system;
b) ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;
c) ensuring the integration of the quality management system requirements into the organization’s business processes;
d) promoting the use of the process approach and risk-based thinking;
e) ensuring that the resources needed for the quality management system are available;
f) communicating the importance of effective quality management and of conforming to the quality management system requirements;
g) ensuring that the quality management system achieves its intended results;
h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;
i) promoting improvement;
j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to “business” in this International Standard can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence, whether the organization is public, private, for profit or not for profit.

What should clients do?
Please note the ‘highest level’ requirement.
There is more here; top management now have to have a greater involvement in the management system.
Top Management – person or group of people who direct and control an organisation at the highest level.
Clients have to demonstrate their commitment by making sure that the management system achieves its intended outcome(s) and has adequate resources. Also, they have to inform everyone that the management system is important and that everyone should participate in its effective implementation. The involvement of top management in the management system is now explicit and hands-on.
Top management have to make sure that the requirements of the management system are integrated into your business processes – the management system is not just an add-on. The ‘business’ is whatever activities (core processes) are at the heart of the organisation’s reason for existing.

Clause 5.1.2: Customer focus

What the standard requires:
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) customer and applicable statutory and regulatory requirements are determined, understood and consistently met
b) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;
c) the focus on enhancing customer satisfaction is maintained;

What should clients do?
Have a process for identifying customer, statutory and regulatory requirements. Maybe a register? Ensure you have the means to check for updates and assess if any changes have an impact on what you do. Maybe need to make some changes. You should have a process for communicating requirements to those that need to know.
Risk assessment again appears.
Risk assessment should identify areas for improvement. Also, monitoring process and product/service performance should identify areas for improvement with a focus on enhancing customer satisfaction.

Clause 5.2 (ISO 9001:2008 clause 5.3): Policy

Clause 5.2.1 (ISO 9001:2008 clause 5.3): Developing the quality policy

What the standard requires:
Top management shall establish, implement and maintain a quality policy that:
a) is appropriate to the purpose and context of the organization and supports its strategic direction;
b) provides a framework for setting quality objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the quality management system.

What should clients do?
The ISO 9001 policy has been strengthened. It has to include commitments to satisfy applicable requirements and continually improve the management system. As well as being documented and communicated internally it has to be made available to interested parties and reviewed from time to time for continued suitability. (We see this as – ‘available on request’).
Write or re-write your policy around the requirements of 5.2.1

Clause 5.2.2 (ISO 9001:2008 clause 5.3): Communicating the quality policy

What the standard requires:
The quality policy shall:
a) be available and be maintained as documented information;
b) be communicated, understood and applied within the organization;
c) be available to relevant interested parties, as appropriate.

What should clients do?
How you communicate the quality policy can vary. Could be via training (induction for new starters), noticeboards etc. If other interested parties e.g. customers want to see it, you should provide them with a copy.
Needs to be made available and kept up to date. It has to be documented.

Clause 5.3 (ISO 9001:2008 clauses 5.5, 5.5.1, 5.5.2, 5.5.2.1): Organizational roles, responsibilities and authorities

What the standard requires:
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.
Top management shall assign the responsibility and authority for:
a) ensuring that the quality management system conforms to the requirements of this International Standard;
b) ensuring that the processes are delivering their intended outputs;
c) reporting on the performance of the quality management system and on opportunities for improvement (see 10.1), in particular to top management;
d) ensuring the promotion of customer focus throughout the organization;
e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

What should clients do?
Job descriptions are a good way to define roles and responsibilities. Could be linked to an organisation chart.
There is no specific requirement to have a management representative but it makes sense to do so. Either way, someone needs to be responsible for the above.

Clause 6 (ISO 9001:2008 clause 5.4): Planning

Clause 6 puts a greater emphasis on the organisation’s ISO 9001 planning which is integral to the business.

Clause 6.1 (ISO 9001:2008 clause 5.4): Actions to address risks and opportunities

Clause 6.1.1 (ISO 9001:2008 clause 5.4)

What the standard requires:
When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.1 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.

What should clients do?
Risk management is a new and welcome addition to ISO 9001.
How will the organisation prevent, or reduce, undesired effects? How will the organisation ensure that it can achieve its intended outcomes and continual improvement?
One big plus is that preventive action does not now appear. The assumption is that the risk management process has features which create inherent preventive actions via the improvement cycle.
Do a risk assessment. See example above.
The standard does not specify any methods for risk management – there are many methods – but needs to be taken seriously for the benefit of the organisation. All risks should be considered (after they have been identified) and ‘weighted’ in order of priority.
The risk assessment method should take into consideration the severity (to the organisation and customers) and the likelihood of occurrence. Some methods also take into account the detection methods in place. Some form of scoring system is advised (based on existing controls) so that Severity/Occurrence/Detection factors are calculated (as a sum) and a ‘list’ will evolve which shows the highest number as the most significant risk which would then take priority for improvement.
Any actions to improve must be agreed and when implemented, then the scoring can be recalculated. Organisations can set their own SOD sum limits but they should not be set so low that the risk assessment becomes just an exercise to get ISO9001 certification.

Clause 6.1.2

What the standard requires:
The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
   1) integrate and implement the actions into its quality management system processes (see 4.4);
   2) evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new clients, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.

What should clients do?
As above

Clause 6.2 (ISO 9001:2008 clause 5.4): Quality objectives and planning to achieve them

Clause 6.2.1 (ISO 9001:2008 clause 5.4)

What the standard requires:
The organization shall establish quality objectives at relevant functions, levels and processes needed for the quality management system.
The quality objectives shall:
a) be consistent with the quality policy;
b) be measurable;
c) take into account applicable requirements;
d) be relevant to conformity of products and services and to enhancement of customer satisfaction;
e) be monitored;
f) be communicated;
g) be updated as appropriate.
The organization shall maintain documented information on the quality objectives.

What should clients do?
The requirements around the ISO 9001 objectives have also been made more detailed. They are to be consistent with the ISO 9001 policy, measurable (if practicable), monitored, communicated, and updated as appropriate. They have to be established at relevant functions and levels.
See 4.4.2 above. Other objectives may be set (in addition to process performance indicators). The risk management scoring system may reveal some activities that may benefit from having performance objectives assigned.
Set KPIs to measure processes. Think about what your customer wants. Basic measures/objectives could be On time Delivery and zero defects. This would be a good starting point. Collect data to check how you are performing and if you don’t meet targets, you need to put improvement actions in place. Think about other processes and see how you can benefit from measuring against a target.
Note that tasks such as painting the building, achieving ISO9001, maintaining ISO9001 ARE NOT QUALITY OBJECTIVES.

Clause 6.2.2 (ISO 9001:2008 clause 5.4)

What the standard requires:
When planning how to achieve its quality objectives, the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.

What should clients do?
What will be done? – describe the process flow and consider customer requirements
What resources will be needed? – equipment, work environment etc.
Who will be responsible? – An owner of the process and other staff – all to be competent to do the work
When will it be completed? – to meet customer requirements
To enable objectives to be met, the process approach needs to be adopted. Processes can be ‘designed’ with a measurable objective in mind
How will the results be evaluated? – collect data to analyse – if objectives are not being met, an improvement needs to be made.
Upon analysis, it may be one or more factors that failed in some way e.g.:
- Poor description of the process and work flow
- Un-calibrated equipment, old equipment, out of date software etc.
- Unqualified/untrained persons
- Etc.
Looks like these could be ‘captured’ in a risk assessment

Clause 6.3 (ISO 9001:2008 clause 5.4): Planning of changes

What the standard requires:
When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4).
The organization shall consider:
a) the purpose of the changes and their potential consequences;
b) the integrity of the quality management system;
c) the availability of resources;
d) the allocation or reallocation of responsibilities and authorities.

What should clients do?
This can be via the risk management process. If a systematic and effective risk management process is put in place, needs and opportunities for change will become obvious.
No good making changes for the sake of it but if they are made, they have to be made under controlled conditions. Consideration has to be given to the effect on other processes etc. The risk management process should be revisited as a result of changes.

Clause 7 (ISO 9001:2008 clause 6): Support

Clause 7.1 (ISO 9001:2008 clauses 6.1, 6.3, 6.4): Resources

Clause 7.1.1 (ISO 9001:2008 clause 6.2.1): General

What the standard requires:
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and improvement of the quality management system.
The organization shall consider:
a) the capabilities of, and constraints on, existing internal resources;
b) what needs to be obtained from external providers.

What should clients do?
This could be during the identification of processes and the design of processes to make them work, utilising the features as described in 4.4.2

Clause 7.1.2 (ISO 9001:2008 clause 6.2): People

What the standard requires:
The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.

What should clients do?
There needs to be enough people to implement and do the work. These need to be competent in accordance with the company’s competence requirements.
Human resources need to be evaluated as part of the total resource evaluation.

Clause 7.1.3 (ISO 9001:2008 clause 6.3): Infrastructure

What the standard requires:
The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services.
NOTE Infrastructure can include:
a) buildings and associated utilities;
b) equipment, including hardware and software;
c) transportation resources;
d) information and communication technology.

What should clients do?
This is a difficult one to audit as the organisation will already be in business when we audit them and will have their infrastructure in place.
However, there is no reason why the risk management process can’t include building, equipment, transport etc., and a Business Continuity Plan would be good business practice to ensure continuity if buildings, equipment, IT systems etc., were at risk.

Clause 7.1.4 (ISO 9001:2008 clause 6.4): Environment for the operation of processes

What the standard requires:
The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services.
NOTE A suitable environment can be a combination of human and physical factors, such as:
a) social (e.g. non-discriminatory, calm, non-confrontational);
b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).
d) These factors can differ substantially depending on the products and services provided.

What should clients do?
Depends on client products/processes.
Some industries require strict controls over the process environment. Food, electronics, pharmaceuticals and other industries are typical. Controls must be effective and monitored. Cleanliness, dust free, anti-static, restricted etc. More general industries would also need to consider cleanliness, humidity, temperature etc. A simple example would be a paper stockist – would a leaking roof create a risk to the paper in stock?

Clause 7.1.5 (ISO 9001:2008 clause 7.6): Monitoring and measuring resources

Clause 7.1.5.1 (ISO 9001:2008 clause 7.6): General

What the standard requires:
The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements.
The organization shall ensure that the resources provided:
a) are suitable for the specific type of monitoring and measurement activities being undertaken;
b) are maintained to ensure their continuing fitness for their purpose.
The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources.

What should clients do?
Devices must be fit for purpose. No change really. We all know they have to be in good condition and calibrated.
Note that measurement systems are not restricted to devices that have indicators. Jigs and fixtures are measuring devices and should be subject to validation. Also, visual inspection should be considered. Are appraisers all seeing the same things (rejecting bad and accepting good) or is there variation? If variation, why? Lighting, training etc.?
Client to have a process to manage monitoring and measuring devices.
Equipment needs to be identified so that records can be seen that show the status of the equipment.
Intervals for re-calibration need to be stated.
If a piece of equipment is found to be unfit for purpose, an evaluation must be made to determine if any previous measurements/results are invalid. This could have a big impact on product supplied to customers.

7.1.5.2 Measurement traceability (ISO 9001:2008 clause 7.6)

What the standard requires:

When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be:

a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information;
b) identified in order to determine their status;
c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results.

The organization shall determine if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary.

What should clients do?

The standard requires measurement standards traceable to international or national standards.

It would be reasonable if measuring devices formed part of the risk management process.

7.1.6 Organisational Knowledge (ISO 9001:2008 clause 6.2.2)

What the standard requires:

The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services.

This knowledge shall be maintained and be made available to the extent necessary.

When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.

NOTE 1 Organizational knowledge is knowledge specific to the organization; it is gained by experience. It is information that is used and shared to achieve the organization’s objectives.

NOTE 2 Organizational knowledge can be based on:

a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services);
b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers).

What should clients do?

This will vary from organisation to organisation – some are very complex and some utilise simple processes. The organisation needs to think about what knowledge is needed to perform certain functions and the implications of that knowledge being lost (imagine the only design engineer who the company totally rely on for the design of their specialist equipment won the lottery). As in 7.1.2 above, business continuity management is a useful tool for ensuring continuity of knowledge.

Human knowledge:

• Job descriptions
• Competence criteria
• Ongoing training and development
• Etc.

Product/process knowledge:

• Historic records
• Manuals
• Instructions
• Obsolete parts
• Lessons learned

A Business Continuity Plan, or Succession plan or similar could be in place.

7.2 Competence (ISO 9001:2008 clause 6.2)

What the standard requires:

The organization shall:

a) determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the re-assignment of currently employed persons; or the hiring or contracting of competent persons.

What should clients do?

This means that the organisation must identify, as part of the process design, who needs to do the work and what skills they need. Competence requirements need to be identified then people assigned who can meet the competence criteria.

If there is a shortfall of skills, the organisation will need to provide training (external/internal) by qualified trainers. There is a risk to the business and customers if risks are taken by assigning ill-equipped personnel.

It is also risky to employ temporary/agency staff – controls such as close supervision until training is proven to be effective are essential.

Competence criteria
Training records
Ongoing monitoring and evaluation
Process performance evaluation

The above are some examples of records to be retained.

7.3 Awareness (ISO 9001:2008 clause 6.2)

What the standard requires:

The organization shall ensure that persons doing work under the organization’s control are aware of:

a) the quality policy;
b) relevant quality objectives;
c) their contribution to the effectiveness of the quality management system, including the benefits of improved performance;
d) the implications of not conforming to the quality management system requirements.

What should clients do?

This is normally achieved at induction. However, this also applies to existing employees. Such things as workshops, meetings, noticeboards etc., are usual.

7.4 Communication (ISO 9001:2008 clause 5.5.3)

What the standard requires:

The organization shall determine the need for internal and external communications relevant to the quality management system including

a) on what it will communicate,
b) when to communicate, and
c) with whom to communicate.
d) How to communicate
e) Who communicates

What should clients do?

Does the customer need to know if there is a failure?

When do they need to know and who needs to know.

This could be an example of external communication.

Internal communication could be noticeboards, intranet, meeting etc. The question is, will something fail if we do not communicate?

7.5 Documented information (ISO 9001:2008 clauses 4.2.3, 4.2.3.1, 4.2.4, 4.2.4.1)

7.5.1 General (ISO 9001:2008 clauses 4.2.3, 4.2.3.1, 4.2.4, 4.2.4.1)

What the standard requires:

The organization’s quality management system shall include:

a) documented information required by this International Standard;
b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.

NOTE The extent of documented information for a quality management system can differ from one organization to another due to:

a) the size of organization and its type of activities, processes, products and services;
b) the complexity of processes and their interactions;
c) the competence of persons.

What should clients do?

It’s up to the organization to review the standard and find the clauses which require information to be documented. Documented information can be in any form and can be hard copy or electronic. The organisation may want to write procedures, process flows, work instructions, photographs, it is entirely their choice. The organisation has to evaluate the benefit of documented information weighed against the risk of not having any or having insufficient. Based on the competency levels and skills of personnel, the organisation should be able to make a judgement as to what level the documented information should go. If there is a very simple process e.g. putting two plastic parts together then putting that assembly into a container, there is a probability that a photograph or very simple work instruction would suffice.

Or even a verbal instruction from a supervisor would be enough as long as there was evidence of competence ‘sign-off’. Similarly, there may be a very complex process e.g. processing immigration visas for application to the Border Agency – maybe a very detailed procedure is required? On the other hand, that process may be an electronic method whereby the person handling the application uses a software package that ‘forces’ actions and the process along. Is there a need for a detailed procedure in that case?

You have to weigh the risk of NOT having documented information.

If things go wrong, and which are attributable to the lack of information, auditors have this clause as a point of reference.

Now no requirement for a quality manual. But it’s OK to have one.

7.5.2 Creating and updating (ISO 9001:2008 clauses 4.2.3, 4.2.3.1, 4.2.4, 4.2.4.1)

What the standard requires:

When creating and updating documented information, the organization shall ensure appropriate:

a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.

What should clients do?

Documented information must be identifiable in some way and have an issue status (because there may be changes in the future).

Can be electronic or paper.

Must be reviewed and approved for suitability and adequacy.

7.5.3 Control of documented information (ISO 9001:2008 clauses 4.2.3, 4.2.3.1, 4.2.4, 4.2.4.1)

7.5.3.1, 7.5.3.2 (ISO 9001:2008 clauses 4.2.3, 4.2.3.1, 4.2.4, 4.2.4.1)

What the standard requires:

Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.

What should clients do?

Someone must be responsible for approving documents and someone (could be the same person) needs to keep a register or similar so that there is a ‘library’ of information which can be treated as the ‘master’. Old versions must be taken out of use and handled in some way as to avoid inadvertent use. Specification, drawings, instructions etc., from customers need to be properly managed. Also, standards and regulations need to be kept up to date. Changes must be identified and communicated effectively. Auditors can test this.

Electronic Data is classed as documented information and must be protected accordingly. Personnel should have access restrictions as appropriate and entry should be password protected for example. The organisation should back-up data according to their own methods.

Documented information (previously known as records) must be retained (for internal use and sometimes for legal reasons). Retention periods should be known, as should the methods of protecting information (storage conditions etc.) and disposing of information.

8 Operation (ISO 9001:2008 clause 7)

8.1 Operational planning and control (ISO 9001:2008 clause 7.1)

What the standard requires:

The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in clause 6, by:

a) determining the requirements for the products and services;
b) establishing criteria for:
   1. the processes;
   2. the acceptance of products and services;
c) determining the resources needed to achieve conformity to the product and service requirements;
d) implementing control of the processes in accordance with the criteria;
e) determining and keeping documented information to the extent necessary:
f) to have confidence that the processes have been carried out as planned;
g) to demonstrate the conformity of products and services to their requirements.

NOTE. “Keeping” implies both the maintaining and the retaining of documented information.

The output of this planning shall be suitable for the organization’s operations.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled (see 8.4).

What should clients do?

Whatever the organisation is in business to achieve, clause 8 is it.

At its core, the organisation needs to “...plan, implement and control the processes needed...”. This addresses both in-house and any outsourced processes. This overall process management includes having process criteria, controlling the processes within the criteria, controlling planned change and addressing unintended change as necessary.

See process approach above plus the risk assessment approach.

The planning of processes is directly linked to the risk assessment.

The risk assessment should be re-visited when any adverse incidents occur (NC product, customer concern etc.)

You need to control and take responsibility for any processes that you outsource.

So, to provide customers with what they want, you need to plan effectively so that they can achieve what is required. This will include identifying processes (see process approach) and setting the ‘rules’ for their operation i.e. who, with what, how, how measured, what processes support the process(es).

8.2 Requirements for products and services (ISO 9001:2008 clause 7.2)

8.2.1 Customer Communication

What the standard requires:

Communication with customers shall include:

a) providing information relating to products and services;
b) handling enquiries, contracts or orders, including changes;
c) obtaining customer feedback relating to products and services, including customer complaints;
d) handling or controlling customer property;
e) establishing specific requirements for contingency actions, when relevant.

What should clients do?

This means that there needs to be some means to find out what the customer wants. This could be via sales teams, meetings etc. Some companies sell via the internet which interacts with the customer and usually without human intervention.

8.2.2 Determination of requirements related to the goods and services

What the standard requires:

When determining the requirements for the products and services to be offered to customers, the organization shall ensure that:

a) the requirements for the products and services are defined, including:
b) any applicable statutory and regulatory requirements;
c) those considered necessary by the organization;
d) the organization can meet the claims for the products and services it offers.

What should clients do?

You need to get clear instructions e.g. purchase order or even verbal instructions. There must be no doubt as to what the customer wants because failure would be potentially costly. Information should include exactly what the customer wants (specifications etc.), when they want it (on time delivery is important) and whether there are standards or regulatory requirements that need to be met.

Sometimes, the customer does not get a full appreciation of what they want so may not fully specify. In such cases, they may be relying on the organisation because after all they are the experts. So the organisation should advise the customer on features that need to be included/modified so that the product/service actually achieves the customer’s intended use. This would add value and increase customer confidence.

8.2.3 Review of requirements related to the goods and services (ISO 9001:2008 clause 7.2)

8.2.3.1

What the standard requires:

The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include:

a) requirements specified by the customer, including the requirements for delivery and post-delivery activities;
b) requirements not stated by the customer, but necessary for the specified or intended use, when known;
c) requirements specified by the organization;
d) statutory and regulatory requirements applicable to the products and services;
e) contract or order requirements differing from those previously expressed.

The organization shall ensure that contract or order requirements differing from those previously defined are resolved.

The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements.

NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues or advertising material.

What should clients do?

This is the stage where the organisation needs to review the purchase order (or other contractual method) to ensure that there is no doubt what the customer has ordered and to ensure that the order matches the quotation. Any ambiguities/differences must be checked with the customer.

There must be some sort of evidence of a review (by a competent person – auditor will verify). This could be evidenced by a signature (hard or electronic), computer ID or other means.

So for verbal instructions, the organisation needs to confirm to the client that they have understood the requirements and can fulfil them. This could be via a verbal order book, may be via an acknowledgement of an internet order, a formal order acknowledgement etc.

If the customer changes their mind before or during order processing (any stage), their new requirements must be reviewed and relevant documented information updated. Those with a need to know must be updated.

8.2.3.2

What the standard requires:

The organization shall retain documented information, as applicable:

a) on the results of the review;
b) on any new requirements for the products and services.

What should clients do?

Keep records

8.2.4 Changes to requirements for products and services (ISO 9001:2008 clause 7.2)

What the standard requires:

The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.

What should clients do?

No need for interpretation

8.3 Design and development of products and services (ISO 9001:2008 clause 7.3)

What should clients do?

Many people ask about the difference between design and development. We have produced guidance at Appendix 1 of this document.

8.3.1 General

What the standard requires:

The organization shall plan and implement a design and development process that is appropriate to ensure the subsequent provision of goods and services.

8.3.2 Design and development planning

What the standard requires:

In determining the stages and controls for the development processes, the organization shall consider:

a) the nature, duration and complexity of the design and development activities,
b) the required process stages, including applicable design and development reviews
c) the required design and development verification and validation activities
d) the responsibilities and authorities involved in the design and development process
e) the internal and external resource needs for the design and development of products and services
f) the need to control interfaces between persons involved in the design and development process
g) the need for involvement of customers and users in the design and development process, the requirement for subsequent provision of products and services
h) the level of control expected for the design and development process by customers and other relevant interested parties
i) the documented information needed to demonstrate that design and development requirements have been met

What should clients do?

If you are responsible for the design and development of products or services, you must have processes in place that control those design and development activities.

Some organisations conduct a risk assessment at the design stage – this is to be recommended.

8.3.3 Design and development Inputs

What the standard requires:

The organisation shall determine the requirements essential for the specific types of products and services to be designed and developed. The organisation shall consider:

a) functional and performance requirements
b) information derived from previous similar designs and development activities
c) statutory and regulatory requirements
d) standards or codes of practice that the organization has committed to implement,
e) potential consequences of failure due to the nature of the products and services.

Inputs shall be adequate for design and development purposes, complete and unambiguous

Documented information on Design and Development shall be retained

What should clients do?

Inputs must be defined to a level sufficient for the development activities being undertaken and do not give rise to ambiguity, conflict or lack of clarity

8.3.4 Design and development controls

What the standard requires:

The controls applied to the development process shall ensure that

a) the results to be achieved are defined
b) reviews are conducted to evaluate the ability of the results of the design and development to meet requirements
c) verification activities are conducted to ensure that the design and development outputs meet the input requirements
d) validation activities are conducted to ensure the resulting products and services meet the requirements for the specified application or intended use
e) any necessary actions are taken on problems determined during the reviews, or verification and validation activities
f) documented information of these activities is retained

What should clients do?

It is usual for there to be a design and development plan (activities versus timing, for example). The plan should be reviewed at required stages and issues resolved before proceeding to the next stage – although some stages can be managed simultaneously. Any issues relating to the customer must be resolved.

There could be ‘sign-off’ at each stage. Sometimes independent verification is needed to check that the outputs reflect the inputs and the design brief.

The planned design and development processes need to be followed, to ensure the outputs are consistent with the inputs and the objective of the development activity has been met.

Problems and issues arising during the development process are resolved or otherwise managed before committing to further development work or setting priorities for that work.

Sometime during design and development, some validation work is needed – this could be by comparing outputs with similar proven designs, checking outputs using alternative calculations or, and probably most effective, the production of ‘prototype parts’ that can be checked against specifications.

So when the design and development activities are complete and validated the production or service provision can begin but only when everyone has a clear understanding. Take a look at 8.3. – production and service provision planning. Processes need to be planned to deliver the products or services as they were designed.

You need to ensure that transfer from development to production or service provision only takes place when actions outstanding or arising from development have been completed or are otherwise managed such that there is no adverse impact on the organization’s ability to consistently meet customer requirements, statutory or regulatory requirements, or to enhance customer satisfaction.

8.3.5 Design and development outputs

What the standard requires:

The organisation shall ensure that design and development outputs:

a) Meet the input requirements
b) Are adequate for the subsequent processes for the provision of products and services
c) Include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria
d) Specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision

Documented information of these activities is to be retained

What should clients do?

Outputs need to be in a form suitable for subsequent use for production of goods and provision of services and related monitoring and measurement

Outputs can include:

• Calculations
• Drawings
• Models/prototypes
• Product characteristics
• Testing and inspection requirements
• Material requirements
• Packaging requirements
• Storage conditions
• Etc.

8.3.6 Design and development changes

What the standard requires:

Design and development changes need to be identified as appropriate and made to ensure there is no adverse impact on conformity to requirements.

Documented information shall be retained on:

a) Design and development changes
b) Results of reviews
c) Authorization of changes
d) Actions taken to prevent adverse impacts

What should clients do?

It is common for changes to occur during the design and development process. These need to be controlled. Controls would include updating specification and other related documents, communicating the changes to those that need to know, updating document registers etc.

It is essential that appropriate change control and configuration management are maintained throughout the design and development of goods and services and any subsequent modifications to goods and services.

8.4 Control of external provision of goods and services (ISO 9001:2008 clause 7.4)

8.4.1 General

What the standard requires:

The organization shall ensure that externally provided goods and services conform to specified requirements.

Controls are needed when:

a) Products and services from external providers are intended for incorporation into the organisation’s own products and services
b) Products and services are provided directly to the customer by external providers on behalf of the organisation
c) A process, or part of a process, is provided by an external provider as a result of a decision by the organisation

The organization shall determine and apply criteria for the evaluation, selection, monitoring performance and re-evaluation of external providers based on their ability to provide, goods and services in accordance with the organization's requirements.

Documented information describing the results of evaluations shall be maintained

What should clients do?

Note: Where the organization has arranged for an external provider to perform a function or process of the organization it is assumed this will result in the provision of goods, services or both goods and services

8.4.2 Type and extent of control

What the standard requires:

The organisation shall:

a) Ensure externally provided processes remain within the control of its quality management system
b) Define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output
c) Take into consideration:
   1. The potential impact of the externally provided processes, products and services on the organisation’s ability to consistently meet customer and applicable statutory and regulatory requirements
   2. The effectiveness of the controls applied to an external provider
d) Determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

What should clients do?

You need to control and take responsibility for out-sourced processes (see 6.1 – risk assessment should cover every activity including purchasing and out-sourcing).

This means that the organisation must determine, probably as a result of the risk assessment including historical experience, the levels of controls needed. Simple products or outsourced processes may not need any checking on receipt other than quantity checks, others may need checking against set criteria before they can be accepted.

Before controls are implemented, the capability needs to be evaluated – this can be via the risk assessment e.g. occurrence and detection modes? Over time, the effectiveness of the capability evaluation will become evident through success or failure – failure would result in re-visiting the risk assessment and increasing controls.

Records need to be kept.

8.4.3 Information for external providers

What the standard requires:

Adequate documented information shall be provided to the external provider describing, where appropriate. The organisation shall communicate requirements to the external provider for:

a) the processes, products and services to be provided or the process to be provided,
b) the approval products and services to be provided, methods, processes and equipment and the release of goods and services, procedures, processes or equipment,
c) the requirements for competence of personnel, including necessary qualification,
d) the control and monitoring of the external provider’s performance to be applied by the organization,
e) any verification activities that the organization, or its customer, intends to perform at the external provider’s premises,
f) the requirements for handling of external provider’s property provided to the organization.

There needs to be a process for selecting suppliers/sub-contractors etc. On what basis? ISO9001 certification, past experience, trials etc. Only those ‘approved’ via the organisation’s evaluation process should be used.

Documented information shall be maintained.

What should clients do?

The organization must ensure the adequacy of specified requirements prior to their communication to the external provider.

This can be via purchase orders, specifications, verbal instructions (to be recorded) and other appropriate means.

Requirements may also include:

the quality management system requirements,

the requirements for handling of external provider’s property provided to the organization.

Someone needs to check the requirements before issuing them. This could be a simple matter of the competent person (auditor will check) completing an electronic purchase order and sending it electronically. Some orders/instructions need to be authorised by and with a higher authority.

The performance of these suppliers/sub-contractors needs to be evaluated from time to time and records kept


8.5 Production and service provision (ISO 9001:2008 clauses 7.5, 7.6)

What should clients do?

There will be some duplication in the rest of clause 8 – some aspects have already been covered above.

8.5.1 Control of production and provision of services
The organization shall implement production and service provision under controlled conditions. Controlled conditions shall include, as applicable:
a) the availability of documented information that defines:
1. the characteristics of the products to be produced, the services to be provided, or the activities to be performed
2. the results to be achieved;
b) the availability and use of suitable monitoring and measuring devices
c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services have been met
d) the use of suitable infrastructure and environment for the operation of processes
e) the appointment of competent persons, including any required qualifications
f) the validation and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement
g) the implementation of actions to prevent human error
h) the implementation of release, delivery and post-delivery activities

The process approach has already been discussed and the designing of processes in 6.2.2. Everything is in place, now it’s time to ‘implement’. In other words, the PLAN part of Plan Do Check Act has been completed.
How to do (process steps) – instructions, specifications
Who by (competent people)
How monitored (inspection/checking points, checking equipment) –
With what – equipment, IT, work environment
Support processes
The above will be implemented in accordance with 8.5.1 and records kept where needed.

Refer to bullet f) of the requirement above. In old terms these are special processes. For example welding, painting etc. Three things are needed – the qualification of the people doing the work, the qualification of the methods they are to use and the qualification of the equipment to be used – if these 3 are satisfied, then there should be a high level of confidence in the process delivering what is specified. That’s not to say that some ongoing validation is not required, it probably will be e.g. weld tests (destructive, non-destructive, paint thickness tests etc.)

There need to be some rules as to the criteria of when product or service can be released and by whom – this could be a simple process where the person (competent) doing the work is sufficient control, or there may need to be some independent checks – refer to the risk assessment process. Packaging requirements need to be identified – maybe special packaging requirements, transport requirements etc. There may also need to be defined criteria for warranty handling, maintenance contracts etc. – see 8.3 above.

The risk assessment should identify any activities that need special attention and where human effort creates risk. Some companies implement ‘fool-proofing’ devices in the manufacturing processes (poka-yoke), sometimes double inspection (not efficient). The company needs to evaluate the risks – see 6.1 above. Sometimes, preventive actions can only be identified when problems occur but a robust risk assessment should reduce the risk of errors.

8.5.2 Identification and traceability
The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services.
The organization shall identify the status of process outputs with respect to monitoring and measurement requirements throughout realization production and service provision.
The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability.

Note: Process outputs are the results of any activities which are ready for delivery to the customer (external or internal) or become the inputs to the next process. They can include products, services, intermediate parts, components, etc.

Some companies implement traceability activities that are not necessary. Think about the following:
• What does your customer want?
• What do you want?
• What are the risks of not maintaining traceability?
• If a problem occurs, do you need to trace back (materials and records)?
• If a problem occurs, would you be able to prove that the correct material, measuring equipment, personnel etc., were used?

Do not overdo it but evaluate the risks.


8.5.3 Property belonging to customers or external providers
The organization shall exercise care with property belonging to the customer or external providers while it is under the organization's control or being used by the organization.
The organization shall identify, verify, protect and safeguard the customer or external provider’s property provided for use or incorporation into the products and services.
When the property of the customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and maintain documented information.
NOTE Property belonging to customer or external providers can include material, components, tools and equipment, premises, intellectual property and personal data.

This is sometimes called ‘free-issue’ and if it is not suitable, you need to tell your customer.

Some companies receive electronic/digital data from customers. This needs to be protected and kept safely and confidential.

8.5.4 Preservation
The organization shall preserve the outputs, during production and service provision to the extent necessary to ensure conformity to the requirements.
NOTE. Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.

Think about (as applicable to your products/services):
• FIFO (First in first out)
• Shelf life limitations
• Temperature controls
• Work environment conditions – temperature, humidity, cleanliness etc.
• Pest control
• Type of packaging to protect products
• Type of handling to protect products
• Type of transport to protect products
• Security arrangements

8.5.5 Post-delivery activities
The organization shall meet requirements for post-delivery activities associated with the products and services.
The extent of post-delivery activities that are required shall consider:
a) the potential undesired consequences associated with its products and services,
b) customer requirements
c) customer feedback, and
d) statutory and regulatory requirements.
NOTE Post-delivery activities can include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.

If you provide additional services after you have provided products and services, these services need to be controlled.

For example, if you provide maintenance services, you need to consider such things as spare parts, routine and emergency call-outs etc.

Warranty claims and complaints must be analysed to see if there are any trends – and improvement actions implemented.

8.5.6 Control of changes
The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.
The organisation shall retain documented information describing the results of the review of changes, the person(s) authorizing the change and any necessary actions arising from the review.

Changes to processes must be controlled, including the impact on other processes. When process changes are made, the risk assessment should be revisited to update (risk evaluation)

8.6 Release of goods and services 7.5
The organization shall implement the planned activities at appropriate stages to verify that product and services requirements have been met.
Evidence of conformity with the acceptance criteria shall be maintained.
The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.
Documented information shall be traceable to the person(s) authorizing release of goods and services for delivery to the customer.

This means that the work will be done as per the planned arrangements e.g. timing schedules, instructions etc., and sometimes, some checking will need to be done before the work can go on to the next stage. The checking stages will need to be defined and by whom. The checks done will need to be documented (records). If the checks prove satisfactory (as per requirements) then things can progress. If the checks show errors/failures etc., then work may need to be stopped and not continue until rectifications are made. Any work with errors may need to be separated from good work.

There will need to be checks before the product or service is provided to the customer. As above, the ‘checking’ criteria needs to be defined. Checks to be by authorised people. Any errors/failures must not be provided to the customer unless the customer has given permission (concession). The type and level of checks needed will depend on many factors including criticality, severity, competence of the people having done the work etc. Also, customer requirements will need to be taken into consideration.

8.7 Control of nonconforming outputs
8.7.1 8.3
The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.
The organization shall take actions appropriate to the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.
The organisation shall deal with nonconforming outputs in one or more of the following ways:
a) correction
b) segregation, containment, return or suspension of provision of products and services;
c) informing the customer as appropriate; and
d) obtaining authorization for acceptance (repair, re-grade, use as it is, release, continuation or re-provision of the service) under concession.
Conformity to the requirements shall be verified when nonconforming outputs are corrected.

This could be by reject/scrap labels, other status labels, segregation etc.

This could include re-work, scrap, ask customer for a concession etc. The customer may need to be notified if any non-conforming product/service has already been delivered – may need to be recalled.

When the nonconforming goods and services have been delivered to the customer, you need to take appropriate correction to assure that customer satisfaction is achieved.
Correction means immediate action.
Containment means actions to protect the customer and the business. May mean stopping production/work and segregating parts. You may have to go to the customer’s premises to sort parts already delivered. Also consider parts in stock and in production.
Re-visit the risk assessment when all actions have been taken.
Note some dialogue in the requirement text above.

8.7.2
The organisation shall retain documented information that:
• describes the nonconformity
• describes the actions taken
• describes any concessions obtained
• identifies the authority deciding action in respect of the nonconformity

Keep records

9 Performance evaluation 8
9.1 Monitoring, measurement, analysis and evaluation 8.1
9.1.1 General
The organization shall determine:
1. what needs to be monitored and measured in order to:
2. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
3. when the monitoring and measuring shall be performed
4. when the results from monitoring and measuring shall be analysed and evaluated
The organization shall evaluate the performance and the effectiveness of the quality management system
The organization shall retain appropriate documented information as evidence of the results.

See risk assessment, process approach and planning. The measuring and monitoring requirements should be the ‘detection’ part of the risk assessment


9.1.2 Customer satisfaction
The organization shall monitor customer perceptions of the degree to which their needs and expectations have been fulfilled. The organisation shall determine the methods for obtaining, monitoring and reviewing this information.

Could be via complaints, feedback via surveys, compliments etc.

Think about what the customer wants. They all want good products or services and on-time. If you measure these indicators and you achieve 100% then we can assume the customer is satisfied. They may also want price reductions but that might be difficult but to be competitive, you may find ways to make processes more efficient and be able to pass on some cost savings.

Based on any surveys etc., you may need process improvements – risk assessment to be re-visited

9.1.3 Analysis and evaluation of data
The organization shall analyse and evaluate appropriate data and information arising from monitoring, measurement.
The results of analysis and evaluation shall be used to evaluate:
a) conformity of products and services
b) the degree of customer satisfaction
c) the performance and effectiveness of the quality management system
d) if planning has been implemented effectively
e) the effectiveness of actions taken to address risks and opportunities
f) the performance of external providers
g) the need for improvements to the quality management system
Methods to analyse data can include statistical techniques

See process approach, management review and improvement.

When processes have been ‘designed’ and implemented, they should be reviewed regularly. If things are going well and targets are being achieved, we can be pretty sure that all the features of a process are working well.

If the process is not performing, it needs to be analysed to see where it is failing. Are processes achieving desired results and any performance indicators?

Variation of outputs is problematic therefore stability of processes is necessary. Data can be analysed to see if there are variations in the processes and find out why – people, machinery etc. – see process approach

Improvements can include looking for efficiencies – see process approach – note that improvements in one place may have a detrimental effect on others – change control is important

Re-visit the risk assessment as needed
9.2 Internal Audit 8.2
9.2.1
The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to
1) the organization’s own requirements for its quality management system and
2) the requirements of this International Standard
b) is effectively implemented and maintained

(Most CBs mandate annual as a minimum)

This is self-policing to ensure that the system is working as the organisation wants.

To achieve certification, all requirements need to be addressed satisfactorily

This can be tested during day to day monitoring, internal audits, analysis of data, management review

9.2.2
The organization shall:
a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting which shall take into consideration the importance of the processes concerned, changes affecting the organisation, and the results of previous audits;
b) define the audit criteria and scope for each audit (criteria may be customer requirements, internal procedures etc.)
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process
d) ensure that the results of the audits are reported to relevant management
e) take appropriate action without undue delay
f) retain documented information as evidence of the implementation of the audit programme and the audit results.

The system must be capable of on-going compliance to planned arrangements. Over time, systems should become robust

Generally accepted that the more critical and perhaps problematic processes get audited more frequently

Scope may be restricted to one or more process/project;

Internal auditors should be trained and be knowledgeable of the processes they are to audit, auditors must not audit their own work;

Someone needs to take responsibility for deciding on actions to take,

Correction, root cause analysis, corrective actions etc. (organisation needs to decide timings);

9.3 Management review 5.6
9.3.1 General
Top management shall review the organization's quality management system, at planned intervals to ensure its continuing suitability, adequacy, and effectiveness and alignment with the strategic direction of the organisation.

(Most CBs mandate annual as a minimum)

No further interpretation necessary

9.3.2 Management review inputs
The management review shall be planned and carried out, taking into consideration:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the quality management system;
c) information on the performance of the quality management system, including trends and indicators for:
1) customer satisfaction and feedback;
2) the extent to which quality objectives have been met
3) process performance and conformity of products and services
4) nonconformities and corrective actions
5) monitoring and measurement results;
6) audit results;
7) the performance of external providers
d) the adequacy of resources
e) the effectiveness of actions taken to address risk and opportunities
f) opportunities for improvement.

9.3.3 Management Review outputs
The outputs of the management review shall include decisions and actions related to:
a) opportunities for improvement
b) any need for changes to the quality management system.
c) resource needs
The organization shall retain documented information as evidence of the results of management reviews

10 Improvement 8
10.1 General
The organisation shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.
These shall include:
a) improving products and services to meet requirements as well as to address future needs and expectations
b) correcting, preventing or reducing undesired effects
c) improving the performance and effectiveness of the quality management system

The risk assessment can be re-visited to look to see if the process controls can be improved. For example, an in-line detection camera may be useful to detect non-conforming parts where human inspection may be accepting bad parts (or rejecting good parts).

Why is delivery performance below target? Is it the haulage firm? Change them or get them to improve.
Is it too much downtime? Maybe maintenance department need more people?

If targets are being met, there is a case for pushing the target – for example if the scrap target is >90% and it is consistently being achieved, push the target to 100%

10.2 Nonconformity and corrective action 8.5
10.2.1
When a nonconformity (can be called other names) occurs, including any arising from complaints, the organization shall:
a) react to the nonconformity, and as applicable
1) take action to control (may need containment action to protect the customer and the organisation) and correct it (may be adjust a machine, may be rework, may be stop work etc.); and
2) deal with the consequences (need to handle the problem which may include notifying the customer);
b) evaluate the need for action to eliminate the causes (before the causes can be eliminated, a root cause analysis needs to be conducted) of the nonconformity, in order that it does not recur or occur elsewhere (similar or related processes?), by
1) reviewing and analysing the nonconformity (by authorised people);
2) determining the causes of the nonconformity (techniques such as 5 WHY are useful),
3) determining if similar nonconformities exist (may be in the same process and/or other processes), or could potentially occur (risk assessment looks at likelihood of occurrence);
c) implement any action needed (actions that have been authorised);
d) review the effectiveness of any corrective action taken (the actions need to be checked to ensure they are achieving what was intended – some actions can have an adverse effect);
e) update risks and opportunities determined during planning, if necessary
f) make changes to the quality management system, if necessary
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information (records) as evidence of
a) the nature of the nonconformities and any subsequent actions taken; and
b) the results of any corrective action.

The risk assessment should be re-visited when any actions have been taken – the scoring may need to be recalculated (severity/occurrence/detection).

Note some dialogue in the requirement text above.

10.2.2
The organisation shall retain documented information as evidence of:
a) The nature of the non-conformities and any subsequent actions taken;
b) The results of any corrective action

Keep records

10.3 Continual Improvement 8.5
The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system.
The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.

Evaluation - analysis can reveal below target results so action is needed to improve results – if targets ARE being met, maybe targets can be stretched

Changes in the context of the organization (any organisational changes need to be evaluated – there may be a risk if there are changes to personnel, processes, goods/services provided etc.);

Changes in identified risk – the risk assessment is a good tool to identify areas for improvement

You need to evaluate, prioritise and determine the improvement to be implemented. (This could be related to the risk assessment – prioritisation must be given to highest risk – improvements need to be realised).
