
Keep Calm and Prepare for ISO 9001:2015

Eight experts outline key changes and how to handle them


Revisions of ISO management systems are often accompanied by a bit of anxiety. More than 1
million organizations have been certified to ISO 9001:2008, the international quality
management system (QMS) standard, and they now must embark on implementing a revised
version to be published later this month.
Most organizations are on pins and needles: What are the key changes we must be aware of?
When and how should we introduce the required changes? What resources will we need?
The international technical advisory groups (TAG) to ISO Technical Committee 176, the group
responsible for writing ISO 9001, have toiled to achieve the highest caliber revision. You can
imagine how challenging it is to achieve a consensus among hundreds of individuals in dozens of
countries, with multiple languages and cultures. This is why a better, although not perfect, ISO
9001:2015 is on track for finalization.
The following pages are meant to calm your anxieties by helping you to understand five of the
key changes in ISO 9001:2015, what they mean, what you must do to meet the new requirements
and the resources available to you during the transition process.
Certainly, not every change can be fully detailed in this article, and you'll find most of the
changes relate to one another. Risk-based thinking, for example, which arguably may be the
most impactful change in ISO 9001:2015, is engrained in several aspects of the standard.
In a perfect world, a revision for an established, internationally accepted standard such as ISO
9001 should be easier to read, learn and implement. It should provide noncontroversial,
improved tools for quality management. Although our world is not yet perfect, ISO 9001:2015's
new features do provide promise for improved quality.
Allen Gluck

Editor's note: The following article was written by several standards experts before the release
of the final version of ISO 9000:2015. Information presented here was based on the draft
international standard (DIS) and final draft international standard (FDIS) versions of ISO
9001:2015.

Prepare for a New Structure


by Deann Desai and Susan L.K. Briggs

What is the change?


The structure of ISO 9001 has been revised. Clauses and subclauses are retitled and reordered
according to a high-level structure that allows for all management system standards (MSS) to be
aligned.
To fully understand this change, some background explaining why it was done should be helpful.
From the early 1990s, the International Organization for Standardization (ISO) technical
committee for quality management (ISO/TC 176) and its technical committee for environmental
management (ISO/TC 207) worked together to enhance compatibility and avoid conflicting
requirements between ISO 9001 and ISO 14001, the international environmental MSS.
In 2003, the ISO General Assembly received advice from advisory and user groups that greater
alignment of the structure, including clause sequence and requirements in the standards, was
desirable and achievable, and that this would benefit organizations implementing more than one
MSS.
In 2005, the ISO Technical Management Board established a technical advisory group to fulfill
this task, and a joint vision and high-level structure for all MSSs was developed. Building on this,
the group developed the MSS requirements, which were published as Annex SL in the ISO/IEC
Directives [1, 2] in 2011.
Annex SL defines the high-level structure including common text, terms and definitions along
with guidance on how they should be applied. The impact of Annex SL is that all ISO
management system requirements standards will be aligned, and ISO will seek to enhance the
compatibility of these standards through the promotion of identical:

• Clause titles.
• Sequence of clause titles.
• Text.
• Terms and definitions.

These items are permitted to diverge among standards only where necessitated by specific
differences in managing the individual fields of application.

What does it mean?


The aim of Annex SL is to enhance the consistency and alignment of existing and future ISO
MSSs by providing a unifying and agreed-on high-level structure, identical core text, and
common terms and core definitions.
There are 10 elements in the Annex SL high-level structure:
1. Scope.
2. Normative references.
3. Terms and definitions.
4. Context of the organization.
5. Leadership.
6. Planning.
7. Support.
8. Operation.
9. Performance evaluation.
10. Improvement.
These elements have driven the changes that users will find in ISO 9001, including the
restructuring of the standard from eight clauses in the 2008 version to 10 clauses in the 2015
version. [3]

What do I need to do?


A frequently asked question about this change is: "Must organizations renumber their documents
and other relevant items based on the new structure of the standard?"
The short answer is: No, you do not need to renumber, but many organizations will choose to do
so as a tracking mechanism, a way to keep things straight and ensure they are able to do a full
review and cover the requirements. Keep in mind that there is no guarantee the numbering will
remain the same in future revisions.
Some of the main changes in ISO 9001:2015, including introduction of context of the
organization and risk, came from the use of the high-level structure.
One of the key responses in the user survey conducted prior to writing the revision was that the
connection with the larger, strategic view of the organization was missing. The introduction of a
clause related to a concept called the "context of the organization" addressed this concern.
The intent of this clause is for organizations to have a high-level (strategic) understanding of the
important issues that can affect a management system, positively or negatively. Part of an
organization's context also includes relevant needs and expectations of interested parties that
apply to its QMS. Knowledge of the issues and interested party requirements is used to guide the
efforts to plan, implement and operate a QMS.
The issues identified by an organization and the relevant requirements of interested parties are
linked to the section on planning. The organization plans how it will address any negative or
positive consequence posed by these issues and requirements in a prioritized fashion in its QMS.
The purpose of planning is for an organization to anticipate potential scenarios and consequences,
and as such, is preventive in addressing undesired effects before they occur. Similarly,
organizations should look for favorable conditions or circumstances that can offer a potential
advantage or beneficial outcome, and include planning for those worthy of pursuit.
An organization has the authority and autonomy to decide which risks and opportunities it must
address to ensure its QMS achieves its intended outcome, prevents or reduces undesired effects,
and achieves continual improvement. Annex SL calls for actions to address risks and
opportunities in subclause 6.1 [4] but does not require risk management, risk assessment or risk
treatment.
These two strategic business processes were added to encourage an
organization's top management to become more actively engaged, ensuring the QMS takes a
more strategic view and is integrated into its business processes, with the overall intent to
promote improved performance of the QMS.

References and note


1. International Organization for Standardization and International Electrotechnical
Commission, ISO/IEC Directives, Part 1, Consolidated ISO Supplement, Procedures
specific to ISO, sixth edition, 2015, Annex SL, Appendixes 2 and 3.
2. For additional guidance on the intent of Annex SL, review Appendix 3 of Annex SL in
the ISO/IEC Directives, see reference 1.
3. Sandford Liebesman, "Work in Progress," Quality Progress, November 2013, pp. 52-53.
4. International Organization for Standardization and International Electrotechnical
Commission, ISO/IEC Directives, see reference 1, subclause 6.1.

Understand Your Context


by John E. "Jack" West and Charles A. Cianfrani

What is the change?


The latest edition of ISO 9001 contains content that will appear new to some users. The newness
of the content will vary widely among organizations depending on their existing QMSs. An
organization's prior compliance could have ranged from the absolute minimum to deployment of
processes that address the explicit requirements and the intent of the latest requirements.
ISO 9001:2015's clause 4, dealing with context of the organization, therefore may require a
widely different range of attention by organizations transitioning to the new version. [1]
Clause 4 introduces some new language and expands concepts related to defining requirements.
A few of the more notable changes include:

• Understanding the organization and its context.
• External and internal issues.
• Understanding the needs and expectations of relevant interested parties.

Subclause 4.1 contains requirements for an organization to determine external and internal issues
that can affect and are relevant to its purpose and strategic direction, and to monitor and review
information related to these external and internal issues.

These requirements inject a QMS into an organization's strategic planning process. At a
minimum, to "determine external and internal issues that are relevant to its purpose and its
strategic direction," [2] an organization must know its strategic direction.
This clause introduces the concept of requiring an organization to think at strategic and tactical
levels when it develops and deploys its QMS. Neither big-picture strategic thinking nor detailed
analysis and tactical thinking is sufficient by itself.
The standard mandates consideration of internal and external issues that affect the ability of the
organization to achieve its intended results. The requirements also say the organization shall
monitor and review the issues it considers to be relevant to its purpose.

What does it mean?


The requirements for understanding an organization and its context mean an organization must
know itself and the external organizations and factors that do or can affect it. Achieving such an
understanding can result from activities such as performance of competitive analysis, assessment
of existing and emerging technology, and evaluation of its impact on the environment.
Such activities and assessments are elements of overall strategic and tactical planning for an
organization and its associated QMS. They also form a context for developing, implementing,
maintaining and improving a QMS.
This subject is a normal topic for top managers and is interrelated with subclause 5.1.1 on
leadership and commitment, [3] which requires top management to ensure a quality policy and
quality objectives are compatible with an organization's strategic direction and context. This is a
key top management role in the development of a QMS.

What do I need to do?


What is meant by "determine external and internal issues"? What should be considered? How far
should you go?
One suggested approach is to have a formal process for deciding what to consider and why. This
approach makes sense for several reasons:
1. It formalizes the process to ensure it is invoked.
2. It precludes going overboard on determining pertinent external and internal issues.
3. If certification is an organizational objective, it preempts disputes with external auditors
regarding compliance. The notes to subclause 4.1 provide guidance.
An organization, for example, could develop a list of areas in which issues could exist and
perform periodic evaluations of any existing or emerging problems that might affect meeting
requirements.
Examples of internal issues that could be considered include:

• Internal audit results and self-assessment results.
• Analysis of quality cost data.
• Analysis of technology trend information.
• Competitive analysis.
• Results of customer reviews, audits, complaints and feedback.
• Actual versus intended internal values and culture.
• Organizational performance.
• Best practices of the organization and comparisons with industry benchmarks.
• Employee satisfaction data analysis.

One process that is underused but powerful in identifying internal issues is a self-assessment. It
should be considered for serious attention. Self-assessments can be complex, using criteria such
as those of the Malcolm Baldrige National Quality Award, the European Foundation for Quality
Management or the ASQ guidelines for performing a QMS self-assessment.
Assessment also can be simplified by using the seven quality management principles as a guide. [4]
It is up to each organization to determine how detailed the analysis should be and what follow-up
action, monitoring and review is needed.
External issues can be found through several techniques such as analysis of:

• Economic environment and trends.
• International trade conditions.
• Competitive products and services.
• Opportunities and conditions related to outsourcing.
• Technology trends.
• Raw material availability and prices.
• Potential changes in statutes and regulations.
• Benchmarking best-in-class performers in and outside the current marketplace.

Also consider the potential interactions with other processes of your QMS. For example,
subclause 4.1 may have direct or indirect interactions with your processes dealing with interested
parties, risks and opportunities, or with clauses 8, 9 and 10.
These new requirements related to the organization and its context should provide the
organization an opportunity to expand the breadth and depth of its QMS, integrate the QMS with
the strategic and tactical management of the organization, and align objectives throughout the
organization.

References
1. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, clause 4.
2. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, subclause 4.1.
3. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, subclause 5.1.1.
4. International Organization for Standardization, ISO/FDIS 9000:2015 - Quality
management.

Consider Risk
by Denise Robitaille

What is the change?


Many of the changes in ISO 9001:2015 will involve a paradigm shift across all functions. The
most prevalent of these relates to the concept of risk-based thinking.

What does it mean?


The idea of risk-based thinking isn't particularly difficult. Whenever an organization decides to
change something or to respond to an impending change, there are choices, consequences,
opportunities and risks.
ISO 9001:2015 disperses language relating to risk throughout the standard. The logical segue is
that because the QMS touches most processes and departments, the need to engage in risk-based
thinking is similarly expanded to encompass multiple functions throughout the organization.
What happens if you change the design of your most popular product? You improve your
position in the marketplace and beat the competition. You also incur the need to carry inventory
of replacement parts because you've made a commitment to your customers to continue to
support older versions of the product.
How about signing a contract that will double your business? You'll make a ton of money if you
can: Get suppliers to ship extra raw material, hire 15 more techs, put on a second shift and
maintain the production schedule to keep your other customers happy.

What do I need to do?


All organizations, but especially small companies, must apply risk-based thinking in their
internal environments. A small amount of effort along these lines can lead to big results. ISO
9001:2015 allows organizations the flexibility to apply as little effort as is needed.
When implementing risk-based thinking, parse things out into manageable chunks. The benefit is
that you'll have fewer unpleasant surprises resulting from a failure to adequately assess the risk
associated with a change. The change can be as small as substituting an epoxy or as
overwhelming as moving the business to a new facility.

One of the side benefits of the inclusion of risk-based thinking in ISO 9001:2015 is that it
eliminates the ineffectual and cumbersome preventive action process included in ISO 9001:2008.
Often, risk is presumed to be within the purview of large companies with loads of quality
technicians and MBAs performing failure mode and effects analyses and implementing
sophisticated risk management programs, all slick with data, pretty charts and graphs printed on
high-gloss paper. This is hardly a capability for a small delivery service organization or a five-person machine shop.
To help an organization of any size get over this hurdle, look no further than clause 4 of ISO
9001:2015. [1] All of the language about the context of the organization is directly relevant to the
conversation about risk. To understand your risks, you must understand your organization: its
internal and external issues, the interested parties that can have an effect on it and its ability to
fulfill customer expectations.
These concepts also can be parsed into smaller components. For smaller organizations, issues
can be as simple as the retirement of one person, the loss of a supplier, a change in cash flow, a
major road repair outside their entrance or change in the local school's calendar affecting parents
who need daycare. All of these events carry risks that must be managed properly.
There are other changes that must be understood and implemented. All the changes carry some
benefit. The transition process itself carries its own benefit because implicit in the transition is
the opportunity to objectively assess a system and sweep away what isn't working.

Reference
1. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, clause 4.

ISO 31000 Guides Risk-Based Thinking


ISO 9001 includes two new and related requirements: understanding the organization and its
context, and risk-based thinking. The latter is a term that is nonexistent in current quality and risk
nomenclature. How should you understand, implement and audit to this requirement?
Fortunately, you don't have to reinvent the wheel. These concepts and their implementation are
detailed in ISO 31000, [1] the international risk management standard. Although ISO 31000 uses
different terms, referring to that standard can help organizations implement risk-based thinking
in the context of ISO 9001.
The writers of ISO 9001:2015 state that "risk-based thinking has always been implicit in ISO
9001" [2] and chose not to require a full, formal and systemic risk management method, such as
ISO 31000. The risk-based thinking requirement allows organizations the flexibility to choose
either a basic approach or a more extensive formal risk management process based on what is
appropriate for an organization.

Explicit in the new standard, however, is the requirement that some minimal risk management be
integrated into an organization's quality system. Indeed, the writers deliberately created the term
"risk-based thinking" to encompass the varying, acceptable degrees in which organizations may
choose to manage risk. Employing the term "risk management" may have implied full adherence
to the ISO 31000 standard is required, a suggestion defeated in early international revision
negotiations.
While using ISO 31000 is not required in ISO 9001:2015, the existing risk management standard
already has become popular internationally, and it will be helpful in implementing ISO
9001:2015. As a guidance document, it allows for tailoring to various systems including the
management of quality. It is helpful for understanding the organization and its context, which is
sparsely defined in ISO 9001:2015, but more fully detailed in sections 4 and 5 of ISO 31000.
These sections explain the how and why of establishing the context.
Like ISO 9001, ISO 31000 is more clearly understood after professional training. Quality
professionals who master ISO 31000 will be able to identify how detailed an organization's risk-based thinking implementation must be to satisfy the requirements of ISO 9001:2015.
Why should your organization embrace risk management as part of your quality system? The
answer is stated in ISO 31000: "All organizations manage risk to some degree." [3] In layman's
terms, managing risk is simple: Make decisions while considering how the potential
consequences of unknown factors can help or hinder your organization's objectives.
This idea is not new. The management of uncertainty is something you do each day in your
personal and professional lives to ensure you achieve your objectives. The requirement that
consideration of uncertainty be part of formal and auditable processes will serve to further
quality and corporate objectives.
Allen Gluck

References
1. International Organization for Standardization, ISO 31000:2009 - Risk management -
Principles and guidelines.
2. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements.
3. Ibid.

Resources: The Small Business Challenge


As the revision to ISO 9001 wends its way toward its 2015 debut, the standard's users have
waited for its much anticipated release with curiosity and apprehension. Revisions of this kind
invariably bring change. Equally predictable is that the changes will be accompanied by
discomfort, confusion and upheaval.

In actuality, there are changes in ISO 9001:2015 that are logical, appropriate and carry the
potential to introduce concepts and requirements that will benefit all organizations. However,
they are still changes, and people are often averse to changes they don't understand.
The salient point is found in the key word: understand.
While all organizations are going to experience growing pains, small companies are likely to
undergo the transition with a higher degree of angst. Why?
Any change implies expenditure of resources: people, time and money. There's a lot less of
these commodities in a small organization. How do they choose to best spend their limited
resources?
For small companies, the first hurdle is getting good, reliable information efficiently at a
reasonable cost. The other resource issues relate to the time individuals will need to conduct
assessments, attend training on the changes to the standard, implement the changes, revise any
affected documentation and train internal auditors. The second hurdle is understanding the
changes and operationalizing them in their organizations.
For all businesses, the two best sources of information on the ISO 9001 revision are ASQ and the
International Organization for Standardization. Other traditional sites that have a long history in
the standards arena also can be reliable sources of good information.
Small businesses simply don't have the time to slosh through the vast dumping ground of the
internet trying to figure out who has the best information. As in all things, something that looks
free can turn out to be expensive. This is not to say that all free stuff is questionable. It's just that
making a decision solely on cost can have devastating consequences. Caveat emptor.
Denise Robitaille
ASQ offers multiple sources of information for small businesses, including:

• View the video "ISO 9001:2015 - Considerations for Small Businesses"
(http://videos.asq.org/product/risk-organizational-culture-and-small-business) featuring
Denise Robitaille, author and U.S. Technical Advisory Group to ISO Technical
Committee 176 (TAG 176) member, as well as "Risk, Organizational Culture and Small
Business" (http://videos.asq.org/product/iso-90012015-considerations-for-smallbusinesses-2) featuring Scott Dawson, a TAG 176 member.
• ISO 9001:2008 for Small and Medium-Sized Businesses (http://asq.org/qualitypress/display-item/?item=E1385) by Robitaille (ASQ Quality Press). Currently in its
second edition, a third edition, ISO 9001:2015 for Small and Medium-Sized Businesses, is
scheduled for release later this year.
• The 2015 Quality Standards Conference (http://asq.org/conferences/qualitystandards/2015/index.html) will feature a session by Robitaille titled "Small Business
Challenge: The ISO 9001:2015 Transition."

Leaders, Step Up
by Paul C. Palmes

What is the change?


The 2015 revision of ISO 9001 contains several important improvements regarding top
management. Specifically, subclause 5.1.1 on leadership and commitment for the QMS [1] includes
11 requirements designed to ensure top management is involved and committed more than ever
before to the QMS.
Observers of ISO 9001 throughout the years have consistently and correctly commented that
QMS implementation results suffer without real top management support. As a result,
organizations are left to install "bolt-on" quality systems limited to production-related issues
with primary top management interaction through management review.
That's about to change. According to subclause 5.1.1, top management is required to
"demonstrate leadership and commitment" with respect to the QMS by:
1. Taking accountability of the effectiveness of a QMS.
2. Ensuring the quality policy and quality objectives are established for a QMS and that they
are compatible with the strategic direction and the context of an organization.
3. Ensuring the quality policy is communicated, understood and applied in an organization.
4. Ensuring the integration of the QMS requirements into an organization's business
processes.
5. Promoting awareness of the process approach.
6. Ensuring the resources needed for a QMS are available.
7. Communicating the importance of effective quality management and of conforming to
QMS requirements.
8. Ensuring a QMS achieves its intended results.
9. Engaging, directing and supporting persons to contribute to the effectiveness of a QMS.
10. Promoting continual improvement.
11. Supporting other relevant management roles to demonstrate leadership as it applies to
leaders' respective areas of responsibility.

What does it mean?


From the perspective of an organization that is already implementing ISO 9001 and looking to
transition to the new version of the standard, some will proudly affirm the existing link between
quality and business goals, while others face a major realignment of their existing systems.
Yes, some of the above requirements, such as "ensuring that the quality policy is communicated,
understood and applied within the organization," are management responsibility-related
holdovers from the 2008 revision. Several additional requirements in the 2015 revision, however,
affirm a fundamental shift from having top management simply provide direction and support to
its becoming a key participant.

The QMS now must consider how to manage "ensuring the integration of the QMS requirements
into the organization's business processes." They are now one and the same, requiring quality
objectives to support the achievement of the organization's business goals.
Who better to ensure business success than top management? After all, top management also is
tasked in the new version of ISO 9001 with "engaging, directing and supporting persons to
contribute to the effectiveness of the QMS."

What do I need to do?


Given the importance of the material, explaining all these changes to top management will best
be accomplished through several meetings. It may be constructive to use the second of Stephen R.
Covey's seven habits by "beginning with the end in mind." [2]
If you can clearly imagine the best outcome of each meeting, you can work backward to imagine
everything you may need to achieve a successful set of results. After all, for many organizations,
effective implementation of subclause 5.1.1 will require a fundamental paradigm shift in which
top management participates rather than observes.
There is, for example, a new requirement to promote awareness of the process approach. No
doubt, this may become a teachable moment for many organizations, requiring prepared
materials to explain this fundamental concept to top management during these meetings.
Take your time. Be prepared and professional in your approach. Develop appropriate action
items and venues for each requirement. Perhaps your organization routinely schedules an all-organization business status meeting conducted by top management. This may be the perfect
place to "communicate the importance of effective quality management and of conforming to
QMS requirements." [3]
Other requirements in subclause 5.1.1 are also fair game for such events, and if you use
PowerPoint to present, you now have a record of compliance. (The correct term is now
"documented information," but it's still acceptable to use terms to which you've become
accustomed).
Naturally, to just proclaim support is not enough, and similarly no one expects top managers to
move into the quality department. The real work will be somewhere in between when it becomes
obvious to everyone that top management actually is using the quality system to guide and
validate its decisions and to encourage the discovery of new areas of improvement throughout
the organization.
Fundamentally, clause 5.1.1 in ISO 9001:2015 is a call for top management involvement in the
QMS. "Integration of the QMS requirements into the organization's business processes" requires
analysis and collaboration on both sides. As the two become one, working together to support
common goals, the organization develops deeper purpose, strength and success.

That's the vision you must encourage, the goal you wish to achieve when you begin with the
end in mind.

References
1. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, subclause 5.1.1.
2. Stephen R. Covey, The Seven Habits of Highly Effective People, Free Press, 1989.
3. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, see reference 1.

Determine Your Documentation Needs


by Bill Aston

What is the change?


One of the more notable changes in ISO 9001:2015 will be the nonexistence of any reference to
requirements for a quality manual, documented procedures and records to be maintained. Does
this mean documented procedures, records and other QMS documents are not necessary?
No, that is not the case. Consider the requirements of ISO/FDIS 9001:2015, subclause 4.4.2. [1]
This subclause requires an organization to maintain documented information (procedures) to
support the operation of its processes and to retain documented information (records) to have
confidence that processes were performed as planned.
Annex A, section A.6, provides guidance regarding the references made to requirements
throughout the standard to "maintain" documented information (such as procedures, quality plans
and a quality manual) as well as to "retain" documented information (records). [2]
How are an organization's requirements for QMS documents determined? Every organization
will be responsible for determining the level of documented information, such as procedures,
needed to support its QMS, processes, product and services.
ISO 9001:2015 will specifically require risk-based thinking to be a part of every organization's
process approach to quality. Risk-based thinking is not a new activity; it's a regular part of an
organization's QMS and product planning processes, which includes ensuring controls, such as
procedures or instructions, are established to address identified risks.
ISO/FDIS 9001:2015 requires the following documented information to be maintained by every
organization:

• Scope of the QMS (subclause 4.3).
• Information needed to support the operation of its processes (subclause 4.4.2, a).
• Quality policy (subclause 5.2.2, a).
• Quality objectives (subclause 6.2.1).
• Control of product and services (subclause 8.5.1).

Furthermore, ISO/FDIS 9001:2015 identifies the following 18 records to be retained:


1. Monitoring and measurement of resources (subclauses 7.1.5.1 and 7.1.5.2, a).
2. Personnel competency (subclause 7.2, d).
3. Operational planning and control (subclause 8.1, e).
4. Review of requirements related to products and services (subclause 8.2.3.2).
5. Design and development inputs (subclause 8.3.3).
6. Design and development controls (subclause 8.3.4, f).
7. Design and development output (subclause 8.3.5).
8. Design and development change (subclause 8.3.6).
9. Externally provided product and services (subclause 8.4.1).
10. Traceability (subclause 8.5.2).
11. Property belonging to customers or external parties (subclause 8.5.3).
12. Control of change (subclause 8.5.6).
13. Release of product and services (subclause 8.6).
14. Control of nonconforming process output, products and services (subclause 8.7.2).
15. Monitoring, measurement, analysis and evaluation (subclause 9.1.1).
16. Internal audit (subclause 9.2.2).
17. Management review (subclause 9.3.3).
18. Nonconformity and corrective action (subclause 10.2.2).

What does it mean?


Concerning requirements for documented information to be maintained (procedures), ISO
9001:2015 will be less prescriptive. This increased flexibility will support requirements for
documented information to be scaled to be appropriate to the complexity and criticality of the
products produced or services provided. The greater the risk or potential consequences of the
nonconformance, the more control (procedures) required to address the probability of the risk
and its potential impact.

Documented information may include procedures, work instructions, drawings, checklists, data
sheets, media or records as deemed appropriate for an organization's operation.

Risk-based thinking is essential for identifying risk and the resources, such as personnel
competencies, equipment, facilities, product and services design, materials, process procedures
and instructions, required to address those risks. ISO 9001:2015 will not require formal risk
assessments. The organization will determine whether a formal risk assessment is required and, if
so, select a risk assessment method that best suits its needs.

Future QMS audits will require auditors, consultants and other interested parties to use a
different approach to determining an organization's conformance with ISO 9001:2015
requirements. Auditors must be knowledgeable about the risks associated with the products,
services and processes being audited, and be able to assess the effectiveness of the controls used
to manage those risks.

What do I need to do?


Consider the following actions to prepare for transitioning to ISO 9001:2015:
1. Obtain a copy of ISO/FDIS 9001:2015 and become familiar with its requirements.
2. Attend ISO 9001:2015 training via your registrar, the Professional Evaluation and
Certification Board, Exemplar Global College, ASQ or other accredited training
providers.
3. Consider training on ISO 31000:2009, Risk management - Principles and guidelines, to
ensure familiarization with basic risk-management practices and terms.[3]
4. Download free copies of risk-based thinking documents and PowerPoint slides via the
ISO website.[4] This information may be helpful for promoting and understanding
risk-based thinking.
5. Conduct a gap analysis of your existing QMS. Ask your registrar to provide a checklist
suitable for this purpose.
6. Contact your registrar to determine its timeline and requirements to transition clients with
existing QMS certifications from ISO 9001:2008 to ISO 9001:2015.
7. If your organization is currently planning or in the process of obtaining an ISO 9001
certification, contact your registrar to determine its timing to begin issuing ISO
9001:2015 as opposed to ISO 9001:2008 certifications.

ISO 9001:2015 will provide an organization increased flexibility to maintain a QMS specific to
its particular processes and product. Risk-based thinking will drive the organization's need to
ensure documented information, such as procedures, instructions and other QMS documents, is
available to address risks and opportunities. ISO 9001:2008 certifications will not be valid after
three years from the publication date of ISO 9001:2015.

The International Accreditation Forum Informative Document 9: 2015 Transition Planning
Guidance for ISO 9001:2015[5] provides general guidance to organizations, certification bodies
and accreditation bodies for preparing to transition from ISO 9001:2008 to ISO 9001:2015.

Future QMS auditing will need a different approach to determining an organization's
conformance with ISO 9001:2015 requirements. Techniques and skills for auditors, consultants
and other quality professionals must change to meet the new challenges of ISO 9001:2015.

References
1. International Organization for Standardization, ISO/FDIS 9001:2015, Quality
management systems - Requirements, subclause 4.4.2.
2. International Organization for Standardization, ISO/FDIS 9001:2015, Quality
management systems - Requirements, Annex A, section A.6.
3. International Organization for Standardization, ISO 31000:2009, Risk management -
Principles and guidelines.
4. International Organization for Standardization, Technical Committee 176, Subcommittee
2 (ISO TC/176/SC2) homepage, http://tinyurl.com/TCSC2.
5. International Accreditation Forum (IAF), IAF Informative Document 9: 2015 Transition
Planning Guidance for ISO 9001:2015, Issue 1, Jan. 12, 2015.

Revision Resources
ISO 9001:2015 is scheduled to be released later this month and will be available for purchase at
asq.org. Find out more about the new standard by:

Tuning in to the ASQ Standards Channel (videos.asq.org/asq-standards-channel) to watch
experts discuss changes and transition advice.

Subscribing to the Standards Connection enewsletter at asq.org/standardsconnection to
have information delivered to your inbox every month.

Visiting Standards Central at asq.org/standards, where you can find updates, articles and
more.

The Panel of Experts


Bill Aston is managing director of Aston Technical Consulting Services LLC in Kingwood, TX,
and worked 40 years in the oil, gas and chemical industries. A senior member of ASQ, Aston is
an ASQ-certified quality auditor, an Exemplar Global-certified quality management system
(QMS) auditor and a Professional Evaluation and Certification Board-certified trainer and lead
auditor. He is also a voting member of the U.S. Technical Advisory Group to ISO Technical
Committee 176 (TAG 176) and the American Petroleum Institute Quality subcommittee 18.

Susan L.K. Briggs is a member of the task force in the Joint Technical Coordination Group that
wrote Annex SL and the associated guidance. She is the chair of TAG 207 on environmental
management and the convener of the international working group revising ISO 14001:2015. She
has a bachelor's degree in natural science from Harvard University in Cambridge, MA. Briggs is
an ASQ-certified quality/organizational excellence manager, auditor and engineer.

Charles A. Cianfrani is a principal consultant for Green Lane Quality Management Services in
Green Lane, PA. An ASQ fellow, Cianfrani is a U.S. expert representative to ISO Technical
Committee 176 (ISO/TC 176). He has an MBA from Drexel University in Philadelphia and a
master's degree in applied statistics from Villanova University in Pennsylvania. Cianfrani has
implemented ISO 9001-compliant processes on six continents.

Deann Desai is a project manager for Georgia Tech's Enterprise Innovation Institute in Atlanta.
She has a master's degree in statistics and polymers from the Georgia Institute of Technology in
Atlanta. An ASQ member, Desai is an Exemplar Global-certified QMS lead auditor, energy
management lead auditor and environmental management systems lead auditor. Desai is a
member of multiple ISO standards committees, including TAG 176 and the task force in the
Joint Technical Coordination Group that wrote Annex SL and the associated guidance.

Allen Gluck is president of ERM31000 Training and Consulting in Spring Valley, NY, and an
adjunct professor at Manhattanville School of Business in Purchase, NY. He has a master's
degree in leadership from Bellevue University in Nebraska. Gluck is an ASQ member and a
member of TAG 176, which develops ISO 9001, and TAG 262, which develops ISO 31000. He
may be contacted at his website, www.erm31000.com, or at allen.gluck@erm31000.com.

Paul C. Palmes is president and principal consultant with Business Systems Architects Inc. in
Fargo, ND, and Prescott, WI. He is a member of TAG 176 and chair of international ISO/TC 176,
subcommittee 1, responsible for the revision of ISO 9000. He has been international ISO/TC 176
liaison to the International Accreditation Forum (IAF), co-chair of the IAF's ISO 9000 advisory
group, and member of the Auditing Practices Group and the Accreditation Council of the
ANSI/ASQ National Accreditation Board. Palmes is an ASQ-certified quality manager, British
Standards Institution-certified ISO 9001 auditor and has a master's degree in administration from
Gonzaga University in Spokane, WA.

Denise Robitaille is the author of 12 books, including ISO 9001:2008 for Small and
Medium-Sized Businesses (ASQ Quality Press, 2010), and an internationally recognized speaker and
trainer. She is an active member of TAG 176, where she has participated in the revision of
multiple standards. Robitaille is an ASQ fellow, an Exemplar Global-certified lead assessor and
an ASQ-certified quality auditor.

John E. "Jack" West is a member of Silver Fox Advisors in Houston. He is past chair of TAG
176 and lead delegate of the committee responsible for the ISO 9000 family of quality
management system standards. He is an ASQ fellow and has co-authored several ASQ Quality
Press books.
