
ISO 9001:2008 Gap Analysis

A sample section from our 32-page ISO 9001:2008 checklist is shown on the next page.
You can order the complete electronic Word file by sending a check for $50.00 to Whittington
& Associates, 242 Highlands Drive, Woodstock, GA 30188.
Please call 770-517-7944 (or email Larry@WhittingtonAssociates.com) if you have any
questions. The file will be transmitted upon receipt of your payment (or a purchase order
number). Credit card orders are not accepted.

Revision 6: 11/17/08

2000-2008 Whittington & Associates, LLC

Page 1 of 32

Company: ________________________________________________________________

Contact: ________________________________________________________________

Email: ________________________________________________________________

Telephone: _________________________   Fax: ______________________________

Scope: ________________________________________________________________

Auditor: _________________________   Date: ______________________________

This checklist can be used to evaluate the conformity level of your quality management system against the
requirements of the ISO 9001:2008 standard.

Additional criteria for the quality management system may be specified in customer contracts, regulatory
documents, and in the organization's own quality manual, plans, procedures, and instructions, but are not
considered during the gap analysis. All these requirements must be addressed in your internal audits.

Process Owners

First, identify the process owners and their managers in the Process Owner table.

Process Matrix

Next, for each row of the Process Matrix, identify the process areas with Primary responsibility (owner) and
Secondary responsibility (user). Use an X for a requirement that is not applicable for a process area. Each row
should have a P assigned. Avoid, if possible, multiple primary responsibilities in a single row.

Gap Checklist

The gap checklist is used to assess the process areas with Primary responsibility for the applicable requirements.
Under the Status column, indicate C for Conformity with all the clause requirements, P for Partial
conformity, and N for a Nonconformity.

Conformity Level

Interviews during the gap analysis are with the process owners with Primary responsibility for the applicable
requirements. Users of the process (Secondary responsibility) are not interviewed. Their conformity level will be
assessed in later internal audits after the system is fully implemented.

After completing the checklist for each clause, indicate the conformity level for each row in the Process Matrix as
Green for conforming, Yellow for partial conformity, and Red for nonconformity.

Process owners will be responsible for writing any documents, and adding any practices, necessary to achieve
complete conformity with the requirements. It should be expected that organizations just beginning their
implementation of an ISO 9001:2008-based quality management system will have few green areas.

The Process Diagram (see next page) can be used to help process owners better understand their process in
terms of inputs, resources, methods, measures, and outputs, along with documents and records. The diagram can
also be used to help develop any procedures needed for the processes.


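Process Owners

| No. | Process Area (department) | Process Manager (owns process) | Management Owner (reports to) |
|---|---|---|---|
| 01. | | | |
| 02. | | | |
| 03. | | | |
| 04. | | | |
| 05. | | | |
| 06. | | | |
| 07. | | | |
| 08. | | | |
| 09. | | | |
| 10. | | | |
| 11. | | | |
| 12. | | | |
| 13. | | | |
| 14. | | | |
| 15. | | | |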

Process Matrix

P = Primary Responsibility (Owner)   S = Secondary Responsibility (User)   X = Not Applicable
Green = Conforming   Yellow = Partial   Red = Nonconformity

Columns: Clause | ISO 9001:2008 Requirements | Process Areas 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

4. Quality Management System
4.1 General Requirements
4.2 Documentation Requirements
4.2.1 General
4.2.2 Quality Manual
4.2.3 Control of Documents
4.2.4 Control of Records
5. Management Responsibility
5.1 Management Commitment
5.2 Customer Focus
5.3 Quality Policy
5.4 Planning
5.4.1 Quality Objectives
5.4.2 Quality Management System Planning
5.5 Responsibility, Authority, Communication
5.5.1 Responsibility and Authority
5.5.2 Management Representative
5.5.3 Internal Communication
5.6 Management Review
5.6.1 General
5.6.2 Review Input
5.6.3 Review Output

6. Resource Management
6.1 Provision of Resources
6.2 Human Resources
6.2.1 General
6.2.2 Competence, Training, and Awareness
6.3 Infrastructure
6.4 Work Environment
7. Product Realization
7.1 Planning of Product Realization
7.2 Customer-Related Processes
7.2.1 Determination of Product Requirements
7.2.2 Review of Product Requirements
7.2.3 Customer Communication
7.3 Design and Development
7.3.1 Design and Development Planning
7.3.2 Design and Development Inputs
7.3.3 Design and Development Outputs
7.3.4 Design and Development Review
7.3.5 Design and Development Verification
7.3.6 Design and Development Validation
7.3.7 Control of Design Changes
7.4 Purchasing
7.4.1 Purchasing Process
7.4.2 Purchasing Information
7.4.3 Verification of Purchased Product
7.5 Production and Service Provision
7.5.1 Control of Production and Service
7.5.2 Validation of Processes
7.5.3 Identification and Traceability
7.5.4 Customer Property
7.5.5 Preservation of Product
7.6 Control of Measuring Equipment
8. Measurement, Analysis, and Improvement
8.1 Measurement, Analysis, Improvement
8.2 Monitoring and Measurement
8.2.1 Customer Satisfaction
8.2.2 Internal Audit
8.2.3 Process Monitoring and Measurement
8.2.4 Product Monitoring and Measurement
8.3 Control of Nonconforming Product
8.4 Analysis of Data
8.5 Improvement
8.5.1 Continual Improvement
8.5.2 Corrective Action
8.5.3 Preventive Action


PROCESS DIAGRAM

Process Name:
Process Owner:
Worksheet Number:
Auditor Name:
Report Number and Date:

[Diagram: PROCESS, with 1. INPUTS, 2. OUTPUTS, 3. WHAT, 4. WHO, 5. METHODS, and 6. MEASURES]

PROCESS (Main Activities):
ENVIRONMENT (Workplace Needs):
1. INPUTS (What Received, When, and from Whom):
2. OUTPUTS (What Delivered, When, and to Whom):
3. WHAT - Resources (Equipment, Materials, and Tools):
4. WHO - Resources (People, Skills, and Experience):
5. METHODS (Procedures, Instructions, and Controls):
6. MEASURES (Performance Results and Objectives):
DOCUMENTS (Any Documents Not Listed Under Methods):
RECORDS (Records Generated by the Process):

4. Quality Management System

4.1 General Requirements

C = Conformity   P = Partial Conformity   N = Nonconformity

| ISO 9001 Clause | ISO 9001:2008 Requirements | Status (C-P-N) |
|---|---|---|
| 4.1 | Has the organization established, documented, implemented, and maintained a quality management system and continually improved its effectiveness in accordance with the ISO 9001 requirements? Refer to clause 5.4.2 (a) for planning to meet these requirements. | |
| 4.1 | Has the organization: | |
| 4.1.a | a) determined the processes needed for the quality management system and their application throughout the organization? See ISO 9001 clause 1.2. | |
| 4.1.b | b) determined the sequence and interaction of these processes? Refer to ISO clause 4.2.2.c on the description required in the quality manual. | |
| 4.1.c | c) determined criteria and methods needed to ensure that both the operation and control of these processes are effective? | |
| 4.1.d | d) ensured the availability of resources and information necessary to support the operation and monitoring of these processes? | |
| 4.1.e | e) monitored, measured where applicable, and analyzed these processes? | |
| 4.1.f | f) implemented the actions necessary to achieve the planned results and continual improvement of these processes? | |
| 4.1 | Are these processes managed in accordance with the ISO 9001 requirements? | |
| Note 1 | Processes needed for the quality management system should include processes for management activities, provision of resources, product realization, measurement, analysis, and improvement. | |
| 4.1 | Has the organization ensured control over any outsourced processes that affect product conformity with requirements? | |
| 4.1 | Has the type and extent of control of these outsourced processes been defined within the quality management system? | |


4.1 General Requirements (continued)

| ISO 9001 Clause | ISO 9001:2008 Requirements | Status (C-P-N) |
|---|---|---|
| Note 2 | An outsourced process is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party. | |
| Note 3 | Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory, and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as: a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements; b) the degree to which the control for the process is shared; c) the capability of achieving the necessary control through the application of clause 7.4. | |

4.2 Documentation Requirements

4.2.1 General

| ISO 9001 Clause | ISO 9001:2008 Requirements | Status (C-P-N) |
|---|---|---|
| 4.2.1 | Does the quality management system documentation include: | |
| 4.2.1.a | a) documented statements of quality policy and quality objectives? | |
| 4.2.1.b | b) a quality manual? | |
| 4.2.1.c | c) documented procedures and records required by ISO 9001? (See clauses 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, and 8.5.3 for documented procedures) | |
| 4.2.1.d | d) documents, including records determined by the organization to be necessary to ensure the effective planning, operation, and control of its processes? | |
| Note 1 | Where the term "documented procedure" appears within ISO 9001, this means that the procedure is established, documented, implemented, and maintained. A single document may include the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document. | |
| Note 2 | The extent of quality management system documentation can differ between organizations due to: a) size of organization and type of activities, b) complexity of processes and their interactions, and c) competence of personnel. | |


4.2.1 General (continued)

| ISO 9001 Clause | ISO 9001:2008 Requirements | Status (C-P-N) |
|---|---|---|
| Note 3 | The documentation can be in any form or type of medium. | |

4.2.2 Quality Manual

| ISO 9001 Clause | ISO 9001:2008 Requirements | Status (C-P-N) |
|---|---|---|
| 4.2.2 | Has the organization established and maintained a quality manual that includes: | |
| 4.2.2.a | a) scope of the quality management system, including details of, and justification for, any exclusions? (see ISO 9001 clause 1.2) | |
| 4.2.2.b | b) documented procedures established for the quality management system, or reference to them? | |
| 4.2.2.c | c) description of the interaction between processes of the quality management system? | |

4.2.3 Control of Documents

| ISO 9001 Clause | ISO 9001:2008 Requirements | Status (C-P-N) |
|---|---|---|
| 4.2.3 | Are the documents required by the quality management system controlled? | |
| 4.2.3 | Are records (a special type of document) controlled according to the requirements given in 4.2.4? | |
| 4.2.3 | Has a documented procedure been established to control documents? Does the documented procedure define the controls to: | |
| 4.2.3.a | a) approve documents for adequacy prior to issue? | |
| 4.2.3.b | b) review, and update as necessary, and re-approve documents? | |
| 4.2.3.c | c) ensure that changes and the current revision status of documents are identified? | |


4.2.3 Control of Documents (continued)

| ISO 9001 Clause | ISO 9001:2008 Requirements | Status (C-P-N) |
|---|---|---|
| 4.2.3.d | d) ensure that relevant versions of applicable documents are available at points of use? | |
| 4.2.3.e | e) ensure that documents remain legible and readily identifiable? | |
| 4.2.3.f | f) ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled? | |
| 4.2.3.g | g) prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose? | |

4.2.4 Control of Records

| ISO 9001 Clause | ISO 9001:2008 Requirements | Status (C-P-N) |
|---|---|---|
| 4.2.4 | Are records established and controlled to provide evidence of conformity to requirements and of the effective operation of the quality management system? | |
| 4.2.4 | Has a documented procedure been established for controlling records? Does the documented procedure define the controls needed for the: | |
| 4.2.4 | Identification of records? | |
| 4.2.4 | Storage of records? | |
| 4.2.4 | Protection of records? | |
| 4.2.4 | Retrieval of records? | |
| 4.2.4 | Retention time of records? | |
| 4.2.4 | Disposition of records? | |
| 4.2.4 | Are records kept legible, readily identifiable, and retrievable? | |
