
EXECUTIVE SUMMARY

ISO 9001 2015 is a quality management standard. It defines a
set of quality management requirements. These requirements
can be found in the following seven sections:

1 Context

2 Leadership

3 Planning

4 Support

5 Operations

6 Evaluation

7 Improvement

ISO 9001 was first published in 1987, updated in 1994, and
again in 2000 and 2008. This current version was published
in September of 2015 and is the fifth edition of the ISO 9001
standard. It cancels and replaces all previous editions.

The purpose of this standard is to help organizations to provide
products and services that meet all relevant customer needs and
expectations and comply with all relevant regulatory and statutory
requirements. According to ISO 9001, any organization can achieve
these important objectives if it establishes a quality management
system (QMS) and if it continually tries to improve the suitability,
adequacy, and effectiveness of this system.

A quality management system (QMS) is a set of interrelated or
interacting elements that organizations use to formulate quality
policies and quality objectives and to establish the processes
that are needed to ensure that these policies are followed
and these objectives are achieved.

SCOPE OF 9001 2015

ISO 9001 applies to all types of organizations. It doesn't
matter what size they are or what they do. It can help any
organization to achieve standards of quality that are
recognized and respected throughout the world.

Use ISO 9001 if you need to be able to prove that you
can meet customer requirements and enhance customer
satisfaction. Use it if:

You need to be able to show that your organization is
consistently capable of providing products and services
that meet customer requirements and comply with all
relevant statutory and regulatory requirements.

You need to be able to demonstrate that your organization
can enhance customer satisfaction because it is consistently
capable of continually improving both its products and
services and its practices and processes.

You need to be able to assess your organization's ability
to consistently provide products and services that meet
customer requirements and comply with all relevant
statutory and regulatory requirements.

HOW TO USE ISO 9001 2015

If you don't already have a quality management system (QMS), you
can use this ISO 9001 standard to establish one. And once you've
established your organization's QMS, you can use it to demonstrate
that your organization is capable of meeting customer requirements,
enhancing customer satisfaction, and continually improving both
its products and services and its practices and processes.

According to ISO 9001, your QMS must meet every requirement
if you wish to claim that it complies with this ISO standard. Every
requirement is both generic and mandatory and may only be
excluded if it cannot be applied. Furthermore, you may exclude
or ignore a requirement only if doing so does not compromise
your organization's ability or responsibility to ensure that its
products and services are in compliance and only if you
can justify and explain why you cannot apply it. In short,
if a requirement can be applied it must be applied.

However, how you choose to meet ISO's requirements, and to
what extent, will depend on and be influenced by many factors.
It will depend on your organization's context, its structure, its
objectives, its risks, its processes, its process interactions,
and its products and services; and will be influenced by the
competence of its personnel and the needs and expectations
of its customers and other interested parties. Consequently,
quality management systems can vary quite a bit.

ISO 9001 is designed to be used for certification purposes. Once
you've established a QMS that meets ISO's requirements and deals
with your organization's own risks and requirements, you can ask
a registrar (certification body) to audit your system. If you pass the
audit, your registrar will issue an official certificate that states that
your organization's QMS meets ISO's requirements.

While ISO 9001 is designed to be used for certification purposes,
you don't have to become certified. You can be in compliance
without being formally certified by an accredited certification body
(registrar). You can self-audit your QMS and then announce to the
world that it complies with the ISO 9001 standard (assuming that it
actually does). Of course, your compliance claim may have more
credibility in the marketplace if an independent certification body
agrees with your assessment.

Section 4 Context asks you to start by understanding your organization
and its context before you start developing its quality management
system (QMS). It asks you to consider the external and internal
issues that are relevant to your organization's purpose and strategic
direction and to think about the influence these issues could have
on its QMS and the results it intends to achieve.

This means that you need to understand your organization's external
environment, its culture, its values, its performance, and its interested
parties before you develop its QMS. Why? Because your QMS will
need to be able to manage all of these influences. Once you've
considered all of this, you're ready to define the scope of your
QMS and to begin its development.

Section 5 Leadership asks your organization's top management to
provide leadership for its QMS by showing that they support it, by
expecting people to focus on quality and on customers, by expecting
them to provide compliant products and services, and by expecting
them to manage risks and opportunities. Section 5 also expects top
management to establish a quality policy and to assign QMS roles,
responsibilities, and authorities.

Section 6 Planning asks you to plan the development of your QMS.
It asks you to address the risks and opportunities that could
influence your organization's QMS or disrupt its operation and
to consider how its context and its interested parties could affect
its QMS and the results it intends to achieve. Section 6 also asks
you to set quality objectives and to develop plans to achieve them.
Finally, it asks you to control changes to your QMS.

Section 7 Support asks you to support your QMS by managing
communications and by providing the necessary resources.
It asks you to provide competent people, to provide an appropriate
infrastructure and environment, to provide suitable monitoring and
measuring technologies, to provide the knowledge that is needed to
support process operations, and to provide documented information.
It asks you to start by figuring out how extensive your documented
information should be and then asks you to select and include all the
documentation your organization needs in order to ensure that its
processes are being carried out as planned and all the documentation
it needs in order to comply with the ISO 9001 standard. It asks you to
manage the creation and modification of this documentation and to
control how it is used.

Section 8 Operations asks you to develop, implement, and control
the operational processes that your organization needs in order
to provide products and services and to manage and control risks
and opportunities. It asks you to clarify how product and service
requirements will be managed and how communications with
customers will be handled.

Section 8 also asks you to establish a product and service design
and development process (when necessary), to monitor externally
provided products and services, to manage production and service
provision, to supervise product and service release, and to control
nonconforming outputs in order to prevent unintended use.

Section 9 Evaluation asks you to monitor, measure, analyze, and
evaluate the performance of your organization's QMS. It asks
you to monitor customer satisfaction, to evaluate monitoring and
measuring results, to audit conformance and performance, and
to review the suitability, adequacy, and effectiveness of your QMS.

Section 10 Improvement asks you to identify opportunities to improve
your organization's processes, products and services, and to enhance
customer satisfaction. It also asks you to control nonconformities, to
take corrective actions, and to enhance the suitability, adequacy, and
effectiveness of your QMS.

Both old and new standards cover essentially the same topics.
However, there are some important differences. Some of these
are discussed below.

Structure of the standard
Perhaps the biggest difference between the old and the new
standard is the structure. ISO 9001 2008 had five main sections
(4 to 8) and ISO 9001 2015 now has seven (4 to 10). This is because
the new edition uses the new Annex SL template. According to ISO,
all future management system standards (MSSs) will use this new
layout and share the same basic requirements. As a result, all new
MSSs will have the same basic look and feel.

A common structure is possible because basic concepts such as
management, customer, requirements, policy, procedure, planning,
performance, objective, control, monitoring, measurement, auditing,
decision making, corrective action, and nonconformity are common
to all management system standards. While this will make it easier for
organizations to implement multiple standards because they will all
share the same basic requirements, it may cause some disruption
in the short run as organizations get used to the new structure.

Context of the organization
Unlike the old standard, the new one expects you to understand
your organization's context before you establish its QMS. When
ISO 9001 2015 asks you to understand your organization's context
it wants you to consider the external and internal issues that are
relevant to its purpose and strategic direction and to think about
the influence these issues could have on its QMS and the
results it intends to achieve.

This means that you need to understand your organization's
external environment, its culture, its values, its performance, and
its interested parties before you develop its QMS. Why? Because
your QMS will need to be able to manage all of these influences.

And once you understand all of this, you're expected to use this
special insight to help you define the scope of your QMS and the
challenges it must deal with. While this will certainly help ensure
that organizations develop unique quality management systems
that address their own needs and requirements, doing all of this
could be quite a challenge for some organizations.

Documented information
The new ISO 9001 2015 standard has also eliminated the long
standing distinction between documents and records. Now they
are both referred to as documented information. Why ISO chose
to abandon two common sense concepts and replace them with
one that is needlessly awkward and esoteric is not entirely clear.

According to ISO's definition, the term documented information
refers to information that must be controlled and maintained. So,
whenever ISO 9001 2015 uses the term documented information
it implicitly expects you to control and maintain that information
and its supporting medium. However, this isn't the whole story.

An annex to the new standard (A.6) further says that "Where
ISO 9001:2008 would have referred to documented procedures ...
this is now expressed as a requirement to maintain documented
information", and "Where ISO 9001:2008 would have referred to
records this is now expressed as a requirement to retain
documented information".

So, whenever the new standard refers to documented information
and it asks you to maintain this information, it's talking about what
used to be referred to as procedures, and whenever it asks you to
retain this information, it's talking about what used to be called
records. So sometimes it must be maintained and sometimes it
must be retained (contrary to what the official definition says).

So, while the definition of the term "documented information"
abandons the distinction between documents (or documented
procedures) and records, through the use of the words "maintain"
and "retain" and because of what this means (according to Annex A)
the main body of the standard actually restores this distinction.

In other words, while documents and records were kicked out the
front door, they were actually allowed back in through the back door.

Risk-based thinking
According to the new standard, risk-based thinking has always
been implicit in ISO 9001. According to this perspective, ISO 9001
has always been about anticipating and preventing mistakes, which
is what risk-based thinking is all about. That's why we train people,
why we plan our work, why we assign roles and responsibilities, why
we validate and verify results, why we audit and review activities, and
why we monitor, measure, and control processes. We do these things
because we want to prevent mistakes. We do them because we're
trying to manage risk. So, if we think of risk-based thinking in this
way, it's always been an inherent part of ISO 9001. Before it was
implicit; now it's explicit.

So what kind of thinking is risk-based thinking and how is it applied?
What does the new standard expect organizations to do? The new
standard expects organizations to identify and address the risks
that could influence their ability to provide compliant products and
services and to satisfy customers. It also expects them to identify
and address the opportunities that could enhance their ability to
provide compliant products and services and to satisfy customers.

The new ISO standard also expects organizations to identify the
risks and opportunities that could influence the performance
of their quality management systems or disrupt their operation
and then it expects them to define actions to address these risks
and opportunities. It then further expects them to figure out how
they're going to make these actions part of their QMS processes
and how they're going to implement, control, evaluate, and review
the effectiveness of these actions and these processes.

While risk-based thinking is now an essential part of the new
standard, it does not actually expect you to implement a formal
risk management process nor does it expect you to document
your risk-based approach.

Requirements and exclusions
Section 1.2 of ISO 9001 2008 says that organizations may
exclude or ignore product realization requirements (section 7)
if they cannot be applied and if doing so doesn't interfere with its
ability or responsibility to meet customer and legal requirements.
The new standard takes a similar approach but, instead, seems
to apply this thinking to all requirements.

Section 4.3 of ISO 9001 2015 says "The organization shall apply all
the requirements of this International Standard if they are applicable
within the determined scope of its quality management system."
So once you've determined the scope of your QMS, ISO 9001 2015
says that every requirement must be applied within the boundaries
defined by your statement of scope if it applies in your case.

However, while the new ISO 9001 2015 standard says that every
requirement must be applied, section 4.3 and Annex A.5 also say
that any requirement may be excluded if it cannot be applied, if you
can justify and explain why it can't be applied, and if excluding it
does not undermine your ability or responsibility to ensure that
products and services are in compliance.

So, the message is clear: if a requirement can be applied you
can't just ignore it. You must apply it. And if you really can't
apply it, you better be able to explain why not.

Objects, outputs, products, and services
The definition of the term object is new. The introduction of
the term object to mean anything conceivable or perceivable
and its use in various definitions (quality, design and development,
innovation, review, traceability) seems to suggest that the new
ISO 9001 standard can be applied to any object whatsoever.
In theory at least, this greatly expands its scope.

What ISO 9000 2005 used to call a product the new standard
now calls an output. The two definitions are the same. Since the
term output was not defined in 2005, this shift in terminology
suggests that the process approach is now even more central
to the new standard.

And to further complicate things, the old definition of product has
now been split into three separate definitions for the terms output,
product, and service. Output is the general concept since both
products and services are now thought of as outputs.

Other clarifications and modifications
While the previous changes could be the most important ones,
the new standard has also clarified some concepts and modified
others. Some of these changes are listed below.

The old standard said that a service was a type of product.
Now, the phrase "products and services" is used throughout the
new standard and the term "service" has received its own definition.
This should help make it clear that ISO 9001 2015 applies not only
to manufacturers but also to all types of service providers.

What used to be called customer property has been modified
and greatly expanded to include products, services, and processes
belonging to all types of external providers (including customers).
The new standard now expects you to control externally provided
products and services if they are included in your products or
services or if they are provided directly to customers.

The old definition of continual improvement has changed.
When ISO 9001 2008 asked you to make continual improvements
it was asking you to improve your ability to fulfill requirements.
Now, ISO 9001 2015 says it means enhancing performance
(getting better results). This is an important shift.

According to the new standard, organizations must now identify,
acquire, and share the knowledge that personnel need in order
to support process operations and achieve conformity of
products and services.

The old concept of product realization is gone. Most of the
material in the old product realization section has been modified
and moved to the new ISO 9001 2015 section on Operations.

The term management representative has been dropped.
The management duties and responsibilities that were previously
assigned to someone called a management representative may
now be assigned either to one person or to many people.

"Preventive action" has also disappeared. It's been replaced
by "risk-based thinking", evidently because both approaches try
to achieve the same thing. Both try to prevent future problems.
Once you introduce risk-based thinking, you no longer need a
separate clause on preventive action. It's redundant.

While the old standard asked you to use monitoring and measuring
equipment, the new standard refers to monitoring and measuring
resources. This is a more flexible approach to monitoring and
measuring because it recognizes the fact that these activities
can often be carried out without the use of equipment.

4. Context

4.1 Understand your organization and its particular context

Identify and understand your organization's external context.

Identify the external issues that are relevant to your organization's purpose.

Identify the external conditions that are relevant to your organization's purpose.

Identify and understand your organization's internal context.

Identify the internal issues that are relevant to your organization's purpose.

Identify the internal conditions that are relevant to your organization's purpose.

4.2 Clarify the needs and expectations of your interested parties

Identify the interested parties that are relevant to your organization's EMS.

Identify those who are interested in your environmental performance.

Determine the needs and expectations of your organization's interested parties.

Determine those that are relevant to your environmental performance.

Determine those that have become compliance obligations (requirements).

4.3 Define the scope of your environmental management system

Clarify boundaries and think about what your EMS should apply to.

Use boundary and applicability information to define the scope of your EMS.

Consider your compliance obligations when you define your scope.

Consider your corporate context when you define your scope.

Define the scope of your environmental management system (EMS).

Include all the products that fall within the scope (boundary) of your EMS.

Include all the services that fall within the scope (boundary) of your EMS.

Include all the activities that fall within the scope (boundary) of your EMS.

Document the scope of your environmental management system.

4.4 Establish and maintain an environmental management system

Consider your organization's context when you establish and maintain its EMS.

Consider your external context when you develop your organization's EMS.

Think about how external issues could influence your organization's EMS.

Think about how external interested parties could influence your EMS.

Consider your internal context when you develop your EMS.

Think about how internal issues could influence your EMS.

Develop an EMS in accordance with the requirements of this ISO 14001 standard.

Establish the processes that you need and clarify your process interactions.

Implement, maintain, and improve your environmental management system.

5. Leadership

5.1 Provide leadership by accepting responsibility for the EMS

Accept responsibility for your organization's EMS.

Demonstrate that you are committed to your EMS.

Ensure that an environmental policy is formulated.

Ensure that environmental objectives are established.

Communicate your commitment to the EMS.

Explain why environmental management is important.

Expect your managers to be accountable for their EMS.

Encourage your personnel to personally support their EMS.

5.2 Provide leadership by establishing an environmental policy

Formulate your organization's environmental policy.

Consider your context when you formulate your organization's policy.

Consider the environment when you formulate your organization's policy.

Consider your compliance obligations when you formulate your policy.

Implement your organization's environmental policy.

Document your organization's environmental policy.

Communicate your organization's environmental policy.

Expect your personnel to comply with your environmental policy.

5.3 Provide leadership by assigning EMS roles and responsibilities

Provide effective environmental leadership.

Assign all EMS roles, responsibilities, and authorities.

Communicate all EMS roles, responsibilities, and authorities.

6. Planning

6.1 Formulate actions to address your risks and opportunities

6.1.1 Develop processes and prepare plans to establish your EMS

Develop the processes that you need to meet EMS requirements.

Establish processes needed to plan and implement your EMS.

Implement processes needed to plan and implement your EMS.

Maintain processes needed to plan and implement your EMS.

Plan the establishment of your environmental management system.

Consider the scope of your environmental management system (4.3).

Consider how you're going to address your organization's context (4.1).

Consider how you're going to determine your risks and opportunities (4.1).

Consider how you're going to identify potential emergency situations (8.2).

Consider how you're going to ensure that EMS achieves intended results.

Establish environmental management planning documents and records.

Document the risks and opportunities that need to be addressed.

Document the processes needed to plan and manage your EMS.

Maintain and control your EMS planning documents and records.

6.1.2 Identify significant environmental aspects and associated impacts

Use risk planning process (from 6.1.1) to identify environmental aspects.

Identify environmental aspects that fall within the scope of your EMS.

Identify those environmental aspects you can influence or control.

Identify your organization's significant environmental aspects.

Establish criteria to identify significant environmental aspects.

Use risk planning process (from 6.1.1) to identify environmental impacts.

Identify the environmental impacts that fall within the scope of your EMS.

6.1.3 Study environmental aspects and identify compliance obligations

Use risk planning process (from 6.1.1) to identify compliance obligations.

Identify the compliance obligations that fall within the scope of your EMS.

Document your organization's particular EMS compliance obligations.

6.1.4 Address environmental aspects, obligations, risks, and opportunities

Plan how you're going to ensure that EMS achieves its intended outcomes.

Plan how you're going to address significant environmental aspects.

Plan how you're going to address environmental compliance obligations.

Plan how you're going to address environmental risks and opportunities.

Formulate actions to ensure that your EMS achieves its intended outcomes.

Carry out actions to ensure that your EMS achieves its intended outcomes.

6.2 Set environmental objectives and make plans to achieve them

6.2.1 Establish environmental objectives for all relevant areas

Clarify criteria for setting environmental objectives.

Ensure that objectives are consistent with your environmental policy.

Ensure that objectives are measurable (whenever this is practicable).

Ensure that objectives consider your options and requirements.

Set objectives at relevant levels and for relevant functions.

Set objectives that address your specific risks and opportunities.

Set objectives that address your particular compliance obligations.

Set objectives that address your significant environmental aspects.

6.2.2 Establish plans to achieve objectives and evaluate results

Establish plans to achieve your environmental objectives.

Develop actions to achieve your environmental objectives.

Figure out how to integrate actions into business processes.

Figure out how you're going to evaluate your results.

Monitor how well objectives are being achieved.

7. Support

7.1 Support your EMS by providing the necessary resources

Determine the resources that your environmental management system needs.

Provide the resources that your environmental management system needs.

7.2 Support your EMS by ensuring that people are competent

Clarify your organization's environmental competence requirements.

Identify those under your control who affect environmental performance.

Identify the competence requirements of the people under your
control who have an impact on your environmental performance.

Acquire competence whenever shortcomings are discovered.

Acquire the necessary competence whenever people fail to meet
your organization's environmental competence requirements.

Document the competence of those who affect environmental performance.

Retain your documentation and use it as evidence to show that people
have the competence they need to handle the environmental aspects
of activities, processes, products, services, and systems.

7.3 Support your EMS by making people aware of their duties

Make personnel aware of your organization's EMS.

Share information about your EMS with the people who
carry out work that is under your organization's control.

Make sure that they are aware of your environmental policy.

Make sure that they are aware of your environmental objectives.

Make sure that they are aware of your environmental aspects.

Make sure that they are aware of your environmental impacts.

7.4 Support your EMS by controlling your communications

7.4.1 Support your EMS by creating a communications process

Plan how you're going to manage EMS communications.

Establish processes to manage your EMS communications.

Figure out how internal communications will be handled.

Figure out how external communications will be handled.

Implement your organization's EMS communications processes.

7.4.2 Support your EMS by facilitating internal communications

Establish EMS communications within and throughout your organization.

Discuss your EMS with people at all organizational levels and functions.

Enable anyone under your control to contribute to continual improvement.

7.4.3 Support your EMS by establishing external communications

Establish communications between your organization and external parties.

Use your communications process to control external communications.

7.5 Support your EMS by managing documented information

7.5.1 Support your EMS by using all necessary EMS documents

Figure out how extensive documented EMS information should be.

Consider your activities when you establish documents and records.

Consider your personnel when you establish documents and records.

Consider your obligations when you establish documents and records.

Consider your processes when you establish documents and records.

Consider your products when you establish documents and records.

Consider your services when you establish documents and records.

Consider your size when you establish documents and records.

Select all the documents and records that your EMS needs.

Select all the internal documents and records that EMS needs.

Select all the external documents and records that EMS needs.

7.5.2 Support your EMS by managing the use of EMS documents

Manage your organization's documented EMS information.

Make sure that your organization's EMS documents
and records are properly identified and described.

Make sure that your organization's EMS documents
and records are properly formatted and presented.

Make sure that your organization's EMS documents
and records are properly reviewed and approved.

7.5.3 Support your EMS by controlling the use of EMS documents

Select all of the EMS documents and records that you need.

Figure out how your EMS documents should be controlled.

Think about how EMS documents and records are created.

Think about how EMS documents and records are identified.

Think about how EMS documents and records are distributed.

Think about how EMS documents and records are stored.

Think about how EMS documents and records are retrieved.

Think about how EMS documents and records are accessed.

Think about how EMS documents and records are used.

Think about how EMS documents and records are protected.

Think about how EMS documents and records are changed.

Think about how EMS documents and records are preserved.

Control all the EMS documents and records that you need.

Control all the internal documents and records that your EMS needs.

Control all the external documents and records that your EMS needs.

8. Operations

8.1 Establish your EMS processes and control how they operate

Determine the environmental requirements that processes must meet.

Specify environmental requirements for procurement process (as appropriate).

Clarify environmental requirements for your product and service purchases.

Specify environmental requirements for your design process (as appropriate).

Establish controls to ensure that environmental requirements are considered.

Plan the implementation of your organization's EMS processes.

Clarify the operating criteria that your EMS processes must meet.

Develop controls for your environmental management processes.

Consider using personnel to control your organization's processes.

Consider using procedures to control your organization's processes.

Consider using technologies to control your organization's processes.

Consider using methodologies to control your organization's processes.

Implement and control your organization's EMS processes.

Use documents to show that EMS processes were implemented.

8.2 Establish your emergency preparedness and response processes

Establish emergency preparedness and response processes.

Establish processes to prepare for potential emergency situations.

Establish processes to respond to potential emergency situations.

Maintain emergency preparedness and response processes.

Provide emergency preparedness and response training and information.

Document emergency preparedness and response processes and activities.

Review emergency preparedness and response processes and actions.

9. Evaluation

9.1 Determine your environmental performance and compliance

9.1.1 Investigate your organization's environmental performance

Plan how you're going to investigate your environmental performance.

Plan how you're going to monitor your environmental performance.

Plan how you're going to measure your environmental performance.

Plan how you're going to analyze your environmental performance.

Plan how you're going to evaluate your environmental performance.

Investigate your organization's environmental performance.

Monitor your organization's environmental performance.

Measure your organization's environmental performance.

Analyze your organization's environmental performance.

Evaluate your organization's environmental performance.

Communicate your organization's environmental performance.

9.1.2 Evaluate your organization's environmental compliance

Plan how you're going to find out if compliance obligations are being met.

Figure out how often environmental compliance should be evaluated.

Establish suitable environmental compliance evaluation processes.

Implement suitable environmental compliance evaluation processes.

Maintain suitable environmental compliance evaluation processes.

Take action to resolve environmental compliance shortcomings.

9.2 Audit your organization's environmental management system

9.2.1 Conduct EMS conformance audits and document your results

Conduct internal EMS conformance audits at planned intervals.

Determine if your organization's EMS meets requirements.

See if your EMS meets your organization's own requirements.

See if your EMS meets the requirements of this ISO standard.

Examine the effectiveness of your organization's EMS.

9.2.2 Establish internal audit methods, schedules, and requirements

Plan the development of your internal audit program.

Develop a program that can find out if EMS meets requirements.

Develop a program that can determine if EMS is effective.

Establish your internal audit program.

Establish internal audit responsibilities.

Establish internal audit planning requirements.

Establish internal audit reporting requirements.

Establish internal audit schedules.

Establish internal audit methods.

Implement your internal audit program.

Define the scope for each internal audit.

Specify audit criteria for each internal audit.

Select impartial and objective internal auditors.

Carry out internal audits at planned intervals.

Report internal audit results to management.

9.3 Review your organization's environmental management system

Review your organization's EMS at regular intervals.

Review EMS suitability, adequacy, and effectiveness.

Review the status of your previous management reviews.

Review how well environmental objectives are being achieved.

Review relevant communications from interested parties.

Review environmental performance (including trends).

Review changes in aspects, obligations, issues, and risks.

Review potential continual improvement opportunities.

Review the strategic direction that your EMS is taking.

Review your EMS resource needs and requirements.

Generate appropriate management review outputs.

Draw conclusions about your organization's EMS.

Make decisions about your organization's EMS.

Define actions to improve environmental performance.

Consider implications for your overall strategic direction.

Document the results of your management reviews.

10. Improvement

10.1 Take action to improve your EMS and achieve intended outcomes

Determine opportunities to improve EMS and achieve its intended outcomes.

Take all necessary actions to improve EMS and achieve its intended outcomes.

Use performance evaluation outputs to improve your organization's EMS.

Use compliance evaluation outputs to improve your organization's EMS.

Use management review outputs to improve your organization's EMS.

Use internal audit outputs to improve your organization's EMS.

10.2 Control nonconformities and take appropriate corrective action

React to your organization's nonconformities.

Take action to control nonconformities.

Deal with all relevant consequences.

Evaluate the need to eliminate causes.

Review nonconformity and identify causes.

Determine if similar nonconformities exist.

Decide if corrective action should be taken.

Develop corrective actions to address causes.

Implement corrective actions to address causes.

Review the effectiveness of your corrective actions.

Document your nonconformities, actions, and results.

10.3 Enhance the suitability, adequacy, and effectiveness of your EMS

Enhance your organization's environmental performance.

Continually improve the performance of your EMS.

Continually improve the suitability of your EMS.

Continually improve the adequacy of your EMS.

Continually improve the effectiveness of your EMS.

Audit - Audit Criteria - Audit Evidence - Audit Findings - Audit Program
Characteristic - Competence - Complaint - Concession - Conformity - Context
Continual Improvement - Contract - Correction - Corrective Action - Customer
Customer Satisfaction - Data - Defect - Design and Development - Determination
Documented Information - Effectiveness - Feedback - Function - Improvement
Information - Information System - Infrastructure - Innovation - Interested Party
Involvement - Knowledge - Management - Management System - Measurement
Measuring Equipment - Monitoring - Nonconformity - Object - Objective
Objective Audit Evidence - Objective Evidence - Organization - Output
Outsource - Performance - Performance Indicator - Policy - Process
Process Approach - Process-based QMS - Product - Provider - Quality
Quality Management - Quality Management System - Quality Objective
Quality Policy - Regulatory Requirement - Release - Requirement - Review
Risk - Risk-based Thinking - Service - Statutory Requirement - Strategy
Supplier - System - Top Management - Traceability - Validation - Verification

3.1 Availability

Availability is a characteristic that applies to a service or service
component. A service or service component is available if it is able to
perform its required function at a specific point in time or according to a
pre-established time schedule. Availability is often expressed as a ratio or
a percentage that compares how long the service is actually available for
use by the customer against how long it should have been available.

3.2 Configuration baseline

A configuration baseline is an official description of a service or service
component that has been formally designated at a specific time in its life
cycle. This configuration information is used as an official starting point
for future development work.

3.3 Configuration item (CI)

A configuration item is any element that needs to be managed and
controlled in order to ensure the successful delivery of a service or
services. CIs can vary quite a bit. Examples include software elements
such as applications, systems, and modules; and hardware elements such
as computers, tools, equipment, furniture, and buildings. CIs can also
include documents such as drawings, photographs, plans, policies, procedures,
manuals, contracts, licenses, and agreements.

3.4 Configuration management database (CMDB)

A configuration management database stores data about the attributes of
configuration items and the relationships between these items. It is used
to control items and to track how they change throughout their lifecycle.

3.5 Continual improvement

Continual improvement is a set of recurring activities that organizations
carry out in order to enhance their ability to meet service requirements.
Continual improvements can be achieved by performing audits, reviews,
and measurements, by managing service incidents, requests, and risks,
and by solving service problems. Continual improvements can also be
achieved by collecting data, analyzing information, setting objectives,
monitoring performance, evaluating results, and implementing
corrective and preventive actions.

3.6 Corrective action

Corrective actions are steps that are taken to eliminate the causes of
existing nonconformities in order to prevent recurrence. The corrective
action process tries to make sure that existing nonconformities and
undesirable situations don't happen again.

3.7 Customer

A customer is anyone who receives a service or services from a service
provider. Customers can be people or organizations and can be either
external or internal to the service provider's organization.

3.8 Document

When information is placed on a medium, it becomes a document.
Examples include policies, procedures, plans, agreements, contracts,
records, and process descriptions.

NOTE: ISO IEC 20000-1 2011 does not expect you to write a manual.

3.9 Effectiveness

Effectiveness refers to the degree to which a planned effect is achieved.
Planned activities are effective if these activities are actually carried out
and planned results are effective if these results are actually achieved.

3.10 Incident

An incident is any unplanned service interruption or any reduction in
service quality. The term incident also includes any event that has not
yet interrupted service to the customer or reduced its quality but could
potentially cause a disruption or a deterioration in quality.

3.11 Information security

The purpose of information security is to protect and preserve the
confidentiality, integrity, and accessibility of information. It may also
involve protecting and preserving the authenticity and reliability of
information and ensuring that entities can be held accountable.

NOTE: The ISO IEC 27000 2014 information security standard refers to
the availability of information (instead of accessibility). ISO IEC 20000
uses the term accessibility because the term availability is already being
used to refer to a characteristic that applies to a service (see 3.1 above).

3.12 Information security incident

An information security incident is made up of one or more unwanted or
unexpected information security events that could possibly compromise
the security of information and weaken or impair business operations.

Information security incident management is a process that is used
to address incidents. It includes a detection process, a reporting process,
an assessment process, a response process, and a learning process.

3.13 Interested party

An interested party is a person or group that has a stake in the success
or performance of a service provider's activities. Interested parties may
be directly affected by a service provider or actively concerned about
its activities. Interested parties can come from inside the organization or
outside of it. Examples of interested parties include customers, suppliers,
owners, partners, employees, unions, bankers, or members of the general
public. Interested parties may also be referred to as stakeholders.

3.14 Internal group

An internal group is any part of a service provider's organization that
has formally agreed to contribute to the design, deployment, delivery,
or improvement of its services. Such agreements are documented.

Whenever internal groups help service providers to design, deploy,
deliver, or improve services, service providers must monitor them to
ensure that appropriate governance methods are being used. This
is because section 4.2 expects service providers to monitor internal
groups to ensure that proper governance methods are being used
whenever these groups operate processes or parts of processes
referred to in sections 5 to 9 (processes like service design,
deployment, delivery, and improvement).

3.15 Known error

A known error is a problem that has an identified root cause or a
problem that has a method that can be used to reduce or remove
its impact on service delivery. The impact is often reduced or
removed by working around it.

3.16 Nonconformity

Nonconformity is a nonfulfillment or failure to meet a requirement.
A requirement is a need, expectation, or obligation. It can be stated or
implied by an organization, its customers, or other interested parties.

3.17 Organization

An organization is a group of people who share a set of facilities
and have established a set of orderly arrangements, relationships,
responsibilities, and authorities. An organization could be a company,
corporation, enterprise, firm, partnership, charity, or institution. It could
also be a smaller part of a larger entity or a combination of entities. And
it could be either incorporated or unincorporated and be either privately
or publicly owned.

3.18 Preventive action

Preventive actions are steps that are taken to remove the causes of
potential nonconformities or potential situations that are undesirable.
The preventive action process is designed to prevent the occurrence
of nonconformities or situations that do not yet exist.

3.19 Problem

ISO 20000-1 uses the term problem to refer to the root cause of one or
more incidents. ISO 20000-1, section 8.2, expects you to use a formal
problem management procedure to investigate reported problems in
order to uncover the real underlying problem (i.e., the root cause).

3.20 Procedure

A procedure is a way of carrying out a process or activity. According to
ISO IEC 20000-1, procedures may or may not be documented. However,
in most cases, ISO IEC 20000-1 wants you to document your procedures.

3.21 Process

A process is a set of activities that are interrelated or that interact with
one another. Processes use resources to transform inputs into outputs.
Processes are interconnected because the output from one process
becomes the input for another process.

3.22 Record

A record is a type of document. Records provide evidence that activities
were performed or results were achieved. They always document the past.
Records are, for example, used to show that incidents were reported, that
audits were done, that people were trained, or that meetings took place.

3.23 Release

A release is a collection of one or more new or modified configuration
items that are deployed into a live environment. And since a configuration
item is any element that needs to be controlled in order to deliver a service,
the concept of a release is very broad. It includes not only software
releases and document releases but hardware releases as well.

3.24 Request for change

A request for change is an official proposal to change a service, a service
component, or the service management system. Requests for change can
include not only proposals to modify existing services but can also include
proposals to create new services or to remove old ones.

3.25 Risk

According to ISO 31000, risk is the effect of uncertainty on objectives
and an effect is a positive or negative deviation from what is expected.
The following paragraph will try to explain what this means.

This definition recognizes that all of us operate in an uncertain world.
Whenever we try to achieve an objective, there's always the chance that
things will not go according to plan. Sometimes we get positive results
and sometimes we get negative results and occasionally we get both.
Because of this, we need to reduce uncertainty as much as possible.

3.26 Service

A service is a means or a method that organizations use to deliver
results that customers value and wish to achieve. These results are
usually intangible although they may also include tangible elements.

3.27 Service component

A service component is a single unit of a service. Service components
are made of configuration items. When several service components
are combined, they make up a complete service. Examples of service
components include hardware, software, documents, information,
processes, and other supporting services.

3.28 Service continuity

Service continuity is a corporate capability. This capability exists
whenever organizations are capable of managing risks and events
that could have a serious impact on their ability to continually
deliver service at agreed levels.

3.29 Service level agreement (SLA)

A service level agreement identifies services and service targets and
is between a service provider and a customer. It can also be between a
service provider and a supplier (or an internal group or customer acting
as a supplier). Service level agreements are documented. They can be
standalone agreements or be part of a larger agreement or contract.

3.30 Service Management

Service management is a set of capabilities and processes that service
providers use to direct and control the activities and resources needed
to fulfill service requirements. Service management is used to direct and
control the design, deployment, delivery, and improvement of services.

3.31 Service management system (SMS)

A service management system is a set of interrelated or interacting
elements that service providers use to direct and control their service
management activities. These elements include all of the service
management policies, objectives, processes, procedures, documents,
and resources that service providers use in order to direct and control
how services are planned, designed, developed, implemented, deployed,
delivered, monitored, measured, reviewed, maintained, and improved
(i.e., how these service management activities are carried out).

3.32 Service provider

A service provider is an organization or part of an organization that
manages and delivers a service to customers. Customers can be
either external or internal to the service provider's organization.

3.33 Service request

A service request could be a request for information or for advice or it
could be a request for access to a service or to a pre-approved change.

3.34 Service requirement

A service requirement is a service need, expectation, or obligation.
It can be stated or implied by service users and customers and
by service providers.

3.35 Supplier

A supplier is an external organization or part of an external organization
that has contractually agreed to help the service provider to design,
deploy, deliver, or improve a service or process.

3.36 Top management

The term top management refers to a person or a group of people
at the highest level who direct and control the service provider.

3.37 Transition

The term transition refers to all the activities that are carried out when
a new or changed service is moved to or from a live environment.

PROCESS APPROACH
ISO 9001 2015 section 0.3 expects organizations to adopt a process approach
and section 5.1.1 asks top management to exercise leadership by promoting
an awareness of this approach. But what is it?

The process approach is a management strategy. When managers use a
process approach, it means that they manage and control the processes that
make up their organizations, the interactions between these processes, and
the inputs and outputs that tie these processes together. It also means that
they manage these process interactions as a system.

When this approach is applied to quality management, it means that they
manage processes and process interactions as a coherent process-based
quality management system.

PROCESS DEFINITION

A process is a set of activities that are interrelated or that interact with
one another. Processes use resources to transform inputs into outputs.
They are interconnected because the output from one process often
becomes the input for another process. Since all of this is rather
abstract, we'll try to make it more concrete with examples.

PROCESS EXAMPLES

Since the process approach is now central to ISO 9001, we've tried
to identify the processes that could make up a process-based QMS.
Some of these are listed below.

Of course, our list is not exhaustive. In addition, some of the processes
we have listed overlap. This is difficult to avoid because processes can
be grouped into larger processes and can be subdivided into smaller
processes and because there are many ways to categorize processes.

How you define your processes is entirely up to you. Your organization's
list will probably be much shorter than ours and could be much different.

Design process
Review process
Delivery process
Training process
Planning process
Assembly process
Marketing process
Validation process
Evaluation process
Innovation process
Monitoring process
Production process
Purchasing process
Leadership process
Verification process
Traceability process
Distribution process
Maintenance process
Management process
Post-delivery process
Development process
Improvement process
Measurement process
Manufacturing process
Service delivery process
Market research process
Internal auditing process
Communications process
Product provision process
Document control process
Service acceptance process
Product acceptance process
Management review process
Complaints handling process
Records management process
Resource management process
Performance evaluation process
Design and development process
Information management process
Customer communications process

INPUTS AND OUTPUTS

The new standard defines an output as the result of a process and then
goes on to list four general types of outputs: services, software, hardware,
and processed materials. However, ISO's very broad definition suggests
that there are many more types of outputs. If an output is the result of a
process, then many kinds of outputs (results) are possible including
not only tangible outputs like products but also intangible ones.

So outputs could include not only services, software, hardware, and
processed materials, but also decisions, directions, instructions, plans,
policies, proposals, solutions, expectations, regulations, requirements,
recommendations, complaints, comments, measurements, and reports.
Clearly, an output could be almost anything.

But what about inputs? Since the output of an upstream process often
becomes the input for a downstream process, outputs and inputs are
really the same thing.

PROCESS INTERACTIONS
When you think about all the processes that could make up a quality
management system and then think about all the possible input-output
relationships that tie these processes together, you soon realize how big
and complex such a system is. Because of this, you may find it difficult to
create a single map or diagram of your entire process-based quality
management system. There are just too many processes and too
many input-output relationships.

For this reason, we suggest that you diagram one process at a time
using a single flowchart on a single page (see diagram below). This
will allow you to specify the most important input-output relationships
without getting buried in complexity. The diagram below shows, in
general terms, how this could be done.

The box in the center is the process you want to diagram. That's your
focus. Upstream processes provide outputs for the central process and
downstream processes receive inputs from them. Arrows represent inputs
and outputs and the associated text describes them. These arrows also
show that an input-output relationship is sometimes a two-way street.
Sometimes inputs go one way and outputs go the other way.

PROCESS-BASED QMS

ISO 9001 section 0.3 introduces the concept of a process-based quality
management system and sections 4 to 10 explain what you need to do
to establish one. But what is it?

A process-based quality management system uses a process approach
to manage and control how its quality policy is implemented and how its
quality objectives are achieved. A process-based QMS is a network of
interrelated and interconnected processes. Each process uses resources
to transform inputs into outputs. Since the output of one process becomes
the input of another process, processes interact and are interrelated by
means of such input-output relationships. These process interactions
create a single integrated process-based QMS.

ISO 9001 asks you to identify the processes that your QMS needs,
to identify their sequence and interaction, to identify required inputs
and expected outputs for each process, to identify process risks and
opportunities, and to assign responsibilities and authorities for each
process. It also expects you to identify the methods needed to manage,
monitor, measure, evaluate, and control each process and to provide the
resources that each process needs. Once you've done all of this you've
defined your process-based QMS. But that's not enough. It also asks
you to address the risks and opportunities that could influence your
organization's process-based QMS or disrupt its operation and to
consider how its context and its interested parties could affect
the results it intends to achieve.

At an abstract level, a process-based QMS can be diagrammed
in the following way. The diagram below shows several processes
interconnected using many lines (and how suppliers and customers fit in).
These lines represent inputs and outputs. All of these interconnected
processes make up a process-based QMS.

ISO 9001 2015 says that you should maintain documented information
to the extent necessary to support the operation of processes and retain
documented information to the extent necessary to have confidence that
the processes are being carried out as planned. In other words, you must
maintain the documents that you need in order to support your processes
and retain the records that you need in order to show that process plans
are actually being followed.

This leaves you with quite a bit of leeway. Essentially, you can provide as
much documentation as you need in order to support your process-based
QMS. While this general requirement allows for quite a bit of flexibility, the
ISO 9001 standard also expects you to establish quite a few very specific
documents and records (most of these are discussed in section 7.5).

We suggest that you use flowcharts to give people a view of the big
picture and develop more detailed procedures to show them how
process activities should be carried out. However, this is only our
recommendation. It's not an ISO 9001 requirement.

PDCA MODEL

PDCA stands for Plan-Do-Check-Act. ISO used the PDCA model
to organize the new ISO 9001 standard in the following way:

Plan (sections 4, 5, 6, 7)

Do (section 8)

Check (section 9)

Act (section 10)

ISO 9001 also recommends that you use the PDCA model to
establish your organization's processes. It suggests that you:

Plan each process

Operate each process

Evaluate each process

Improve each process

It also suggests that you use the PDCA approach to establish
your organization's process-based QMS. It suggests that you:

Plan your process-based QMS

Operate your process-based QMS

Evaluate your process-based QMS

Improve your process-based QMS
