ISO 9001:2015 is the first major revision to the standard since the 2000 version. The intent of the 2015 revision was simple:
- •Consider recent the technological changes in business and other organisations,
- •Develop requirements that could be dynamic enough to adjust when additional changes occur in industry, and
- • Include requirements that could be audited for conformance.
Any changes in requirements should enhance a customer’s confidence in the organisation’s quality management system (QMS) and help the organisation achieve intended results. A common criticism of past versions of ISO 9001 was that organisations could meet the standard’s requirements but deliver product and services that didn’t meet customer requirements. ISO 9001:2015 includes requirements that focus on achieving intended results i.e. meeting the needs of the customer.
By making the standard less prescriptive and more reliant on risk-based thinking to determine the level of complexity needed for an organisation’s QMS, ISO 9001:2015 accomplishes what many users have requested. This introduces new challenges and for this reason ISO 9001:2015 includes an annex that provides the rationale for some of the changes.
Here are some of the key changes in ISO 9001:2015.
The structure of ISO 9001:2015 changed due to a decision by the ISO Technical Management Board to adopt a standardised format and common core text and terms for use in all new and revised ISO management system standards. This is to promote greater ease of use for organisations that want to integrate the requirements of multiple management system standards such as ISO 9001, ISO 14001, and ISO 50001. This standardized format is referred to as Annex SL, which is simply the alphanumeric indication of the index from the ISO Directives.
Understanding the change
Before getting too caught up in the structure of the revised standard, it’s important to read subclause 0.4, Relationship with other management system standards, and Annex A. Subclause 0.4 introduces the Annex SL high-level structure, explains the rationale of the structure, and highlights some of the changes in ISO 9001:2015. Specifically, it indicates that the structure relates to the framework developed by ISO to approve alignment among management system standards.
Subclause A.1 (located within Annex A), Structure and terminology, provides details that should help organisations understand the requirements related to structure. Subclause A.1 specifically states that there is no requirement for organisations to adopt the ISO 9001:2015 structure in their own QMS, nor do organisations have to change the terminology used in their QMS.
If an organisation wants to ensure that it has addressed any new requirements in ISO 9001:2015, it should develop a cross-reference of compliance methods such as implemented processes or documented procedures from whatever structure it’s using to the requirements in the revised standard. A cross-reference of ISO 9001:2008 requirements to ISO 9001:2015’s requirements is available to the public at no charge at: http://isotc.iso.org/livelink/livelink/open/tc176SC2public .
Subclause 4.4, Quality management system and its processes, should also be considered when reviewing requirements related to the structure. Organisations that have taken a minimal approach to this requirement may need to make some changes in how they identify and control their processes. Organisations that have embraced the process approach will not only find that the transition to ISO 9001:2015 is simpler, but also that the integration of any new requirements into their QMS is easier to accomplish.
Ever since the first of edition of ISO 9001 was published, there has been feedback from some users that the standard is difficult to apply to all types of industries, specifically the service sector. For that reason, the language in ISO 9001 was modified to make it easier to use across all sectors.
Products and services
One way that ISO 9001:2015 has been made more generic is by replacing the word “product” with “products and services.” Using “products and services” helps to emphasize that the standard can be applied to all types of organisations. In addition, some requirements have been specifically changed to emphasize this point. This includes subclause 7.1.5, Control of monitoring and measuring resources, which was made easier to apply to service industries by changing the words “monitoring and measuring equipment” to “monitoring and measuring resources” and incorporating requirements related to monitoring and measuring as applicable to the service sector.
Some of ISO 9001:2015’s new requirements are practices that most organisations already do, but may cause some discussion regarding implementation. This is partially due to the new terminology in ISO 9001:2015 related to “interested parties.”
ISO 9001 has always been and remains a customer-focused standard. The high-level structure and common text that is required to be used by Annex SL uses the term “interested parties” instead of “customers.” Specifically, subclauses 4.1, Understanding the organisation and its context, and 4.2, Understanding the needs and expectations of interested parties, require you to focus on these aspects. These requirements were implied in subclause 0.1, General, in ISO 9001:2008, which indicated that the QMS is influenced by the environment that the organisation operates in, including changes and risks.
To eliminate the potential for the term “interested parties” to be interpreted beyond the intent of ISO 9001:2015, subclause A.3, Understanding the needs and expectations of interested parties (located in Annex A), explains subclauses 4.1 and 4.2. Specifically, ISO 9001:2015 doesn’t require an organisation to consider interested parties that aren’t relevant to its QMS. Organisations will need to determine what is relevant for them based on whether the interested party has an effect on the organisation’s ability to meet customer, statutory, and/or regulatory requirements. Some organisations may choose to expand the interpretation of the requirement, but this is at their discretion and where it can be determined that such an application can add value. A list of examples of interested parties is included in ISO 9000:2015.
In ISO 9001:2008, exclusions allowed an organisation to exclude a requirement of clause 7 of the standard as long as it doesn’t affect the organisation’s ability to meet customer, statutory, and/or regulatory requirements or provide a product or service that conformed to such requirements.
With the introduction of the core Annex SL text, which includes a different structure, the standard has been made more generic. Therefore, it’s easier to apply the standard’s requirements. This change focuses ISO 9001:2015 on the application of the requirements and not on the exclusion of requirements. ISO 9001:2015 requires organisations to apply the requirements where they can.
Subclause 4.3, Determining the scope of the quality management system, still requires an organisation to justify any instance where a requirement cannot be applied. However, it isn’t limited to certain clauses of ISO 9001:2015 like it was in the previous two versions of the standard. The required justification for not applying a requirement of ISO 9001:2015 will assist with establishing the framework of an organisation’s QMS. This will be helpful not only to the organisation, but also to any third-party auditors who will be reviewing the organisation’s QMS.
Understanding the change
Subclause A.5, Applicability (located in Annex A), outlines the new concept of “application not exclusion.” It specifically addresses the idea that not all requirements have to be applied by an organisation due to the nature of the product or service that it provides. Other influences might be the size of the organisation, the management model it adopts, and/or its risks and opportunities.
Organisations that are already taking exclusion to a requirement in their ISO 9001:2008-based QMS should be able to determine if the requirement continues to no longer appliy when they transition to ISO 9001:2015.
Another concept that has been integrated into ISO 9001:2015 is risk-based thinking. Although risk was implied in previous versions of ISO 9001, the word “risk” is now actually used in ISO 9001:2015. Using risk-based thinking allows an organisation to determine the level of controls needed for certain requirements, thereby reducing some requirements that were seen as more prescriptive than others.
In alignment with risk-based thinking, ISO 9001:2015 doesn’t use the term “preventive action.” The language in the standard looks at how an organisation determines the risks and opportunities that need to be addressed as part of an effective QMS. Subclause 6.1, Actions to address risks and opportunities, includes requirements to ensure that the QMS can achieve its intended outputs. It also addresses taking action appropriate to the potential effect of conformity of products and services and preventing the occurrence of potential issues.
Understanding the change
Subclause 6.1 includes a note that provides clarification of the options that can be used to address risks and opportunities, including the idea that risks and opportunities aren’t always negative. The organisation can take actions to avoid risks or actions to pursue an opportunity.
Subclause A.4, Risk-based thinking (located in Annex A), emphasizes the point that there is no requirement to implement a specific, formal risk-management system. Instead, ISO 9001:2015 focuses on the potential risks and opportunities associated with the implementation of a specific requirement and the level of implementation required.
In addition, subclause 0.3.3, Risk-based thinking, includes the consideration of risks and the potential consequences for different types of organisations, which allows the application of requirements based on those consequences.
In ISO 9001:2015 the terms “documents” and “records” have been replaced with the term “documented information.” In addition, in previous versions of ISO 9001 the requirements for documents and records were kept in separate clauses. They are now included in subclause 7.5, Documented information.
It’s important to understand that this new terminology has been introduced because the way we control documented information today is vastly different than it was when ISO 9001 was first released. Despite this fact, there had been little change to the requirements in past revisions.
Understanding the change
Subclause A.1, Structure and terminology (located in Annex A), identifies some of the biggest terminology changes in ISO 9001:2015. It states that although the terms have been changed, organisations aren’t required to use the same terminology used by ISO 9001:2015 in their QMS. Furthermore, subclause A.6, Documented information (located in Annex A), includes clarifying information related to when the term “documented information” is used. It states, “Where ISO 9001:2008 used specific terminology such as ‘document’ or ‘documented procedures,’ ‘quality manual’ or ‘quality plan,’ this edition of this International Standard defines requirements to ‘maintain documented information.’
“Where ISO 9001:2008 used the term ‘records’ to denote documents needed to provide evidence of conformity with requirements, this is now expressed as a requirement to ‘retain documented information.’ ”
The annex goes on to explain that when the word “information” is used without “documented,” there is no requirement that the organisation maintain documented information unless the organisation determines it’s necessary.
Subclause 7.1.6, Organisational knowledge, requires organisations to determine what knowledge is necessary for the operation of their processes to meet product or service requirements. This is one of ISO 9001:2015’s new requirements, but it’s something that most organisations already have in place, even if informally.
This requirement is frequently confused with the requirements for employee competence. Organisational knowledge relates to the organisation; competence relates to the degree an employee understands and applies their knowledge.
Understanding the change
Subclause A.7, Organisational knowledge (located in Annex A), addresses this requirement. It specifically relates that the organisation needs to safeguard against loss of knowledge through employee turnover. It also provides examples of methods for acquiring knowledge, such as benchmarking or sharing lessons learned.
Control of externally provided products and services
This is another aspect of ISO 9001:2015 where the terminology has changed. In ISO 9001:2000, the term “vendor” was changed to “supplier.” In ISO 9001:2015, the term “supplier” has been replaced with “external provider.” This is because not all products or services are obtained through a traditional purchasing process. For example, some organisations receive parts or services from an associate company.
Understanding the change
Using the term “supplier” limited the organisation’s ability to see that there might be the need for controls for providers other than suppliers. With the understanding that the controls for a traditional “supplier” might be different than those for an associate company, subclause A.8, Control of externally provided processes, products, and services (located in Annex A), provides clarification that the organisation can take a risk-based approach to determine the type and extent of controls needed for each external provider based on the products and services to be provided.
In addition to this terminology change, additional terminology changes are included in subclause A.1, Structure and terminology (located in Annex A). As with the previous examples outlined, there is no requirement that organisations transition to these terms. Organisations should use terms that best fit their needs regardless of their use in the standard.