You are on page 1of 15

This guide provides details of the High

Level Structure requirements based on DIS

9001: 2014. It concentrates on the core
requirements that should not change
when ISO 9001: 2015 is published.

JEMO Limited
11 Willowbank, Chippenham
Wiltshire SN14 6QG, United Kingdom
Phone: +44 (0) 1249 447 544
Fax: +44 (0) 1249 400 200

ISO 9001: 2015 A Guide to

Understanding and
Implementing the High Level
Structure (HLS)

Guide to ISO 9001: 2015 the requirements that should not change
ISO 9001: 2015 is nearing publication, the certification industry is gearing up with road shows, and
new terminology is entering the quality language. The jury is out on whether the changes are ground
breaking or just a tidy up job; whether you should get started now or wait for the amnesty period to
expire before you get started. Two highly respected commentators - the Chartered Quality Institute
(CQI) and the IRCA (the International Register of Certificated Auditors) in a joint statement have said
This is the most important event since ISO 9001.
We consider the changes to be sufficiently significant, affecting the way your organization is run for
you to make a start now. In this guide we cut to the chase and provide you in plain language an
introduction to the new core requirements and a brief overview of the quality related changes.
But there could still be some changes, couldnt there? Well Yes and No. Some of the changes
that have been made are to the core material that affects all ISO management system standards and
these should not change. It is these that we concentrate on in this guide.
As we are auditors working for international accredited certification bodies we also provide some
opinions on how their auditors may approach the changes.
Why does the standard have to change?
The International Standards Organization (ISO) reviews its standards every five to seven years. It
also carries out surveys and takes into account feedback from many quarters. Based on this it has
decided this time to standardise as much content as possible in all of its management system
standards. This has resulted in at least 60% of ISO 9001 having core content that is the same as ISO
14001 (environmental management) and other standards. This should not change. The remaining
40% is quality specific and could be subject to minor further change.
A significant comment received was that the standard was biased too much to manufacturing and did
not adequately take into account the needs of service industries. This has been addressed in the new
standard and service has the same status as product.
What is standardised and what is not?
The core requirements common to all ISO management system standards are known as the High
Level Structure (HLS) and are derived from an IEC/ISO Directive which the standards writing teams
must follow. Without going into the technical details, this is in an annex to a Directive and you may
also hear these referred to as Annex SL.
As we said earlier, on top of these core requirements the rest for each standard are disciplinespecific. The quality related standards such as ISO 9001, ISO 13485 and others will have different
discipline specific requirements to ISO 14001, ISO 22000 (food management) and others.
Will the HLS/Annex SL requirements change?
This is unlikely, but you never can tell with standards not yet published. The consensus of opinion
from the quality professionals such as the (CQI) is that they will not change. Which is why have
recommended that you make a start now.
Many of the quality discipline requirements have been developed from the existing ISO 9001: 2008
standard and our experience from previous major revisions is that the changes to these from now on
will be relatively minor.

JEMO Ltd. 2015

Page 1 of 15

Guide to ISO 9001: 2015 the requirements that should not change
What is the position with ISO 9001: 2015 at the moment?
The standard is currently at Draft International Standard (DIS) status. This has been reviewed and will
be issued as Final Draft International Standard (FDIS) in June this year. There should be no changes
between the FDIS and the publication of ISO 9001: 2015 in September this year
Whilst we have done our best to ensure the information we have provided is accurate we cannot be
held responsible for any errors or omissions or actions resulting from your interpretation and
implementation of this guidance.

JEMO Ltd. 2015

Page 2 of 15

Guide to ISO 9001: 2015 the requirements that should not change
The major changes to the core (HLS/Annex SL) requirements
There are ten clauses instead of eight
Whilst ISO 9001: 2008 has eight clauses, the 2015 version has ten. This would not be an issue if
clauses had simply been sub-divided, but most of the clauses have new requirements. The common
clause titles and sequence are shown in Table 1 with comments on the changes:




Basically as the 2008 version

Normative references

There are no normative references they are now

contained within the standard

Terms and definitions

These are now contained within the standard

Context of the organization

This is a completely new requirement and is significant



This involves top management leading the quality

management system (QMS). The management
representative role is now redundant significant
This now involves risk assessment and management
and is significant


This develops Resources of the 2008 version to a

higher level. Significant changes in terminology


This develops product realization of the 2008 version

to a higher level. Significant changes.

Performance evaluation

This develops several 2008 requirements for

monitoring and measuring the QMS and the processes,
products and services.



This develops Non-conformance, Corrective action and

Improvement of ISO 9001: 2008. Preventive action is
dropped the whole standard is aimed at prevention.

Table 1 The ISO 9001: 2015 clauses and sequence

Changes to terminology
There are some significant changes to terminology that will need to be understood by you and your
auditors. As examples:

documented procedures are not now referred to but you do need to maintain documented
information wherever you see the verb maintain this means document

records are not referred to and are embraced by documented information wherever you see
the verb retain this means record

product is replaced by products and services emphasising that the standard is equally
applicable to services

JEMO Ltd. 2015

Page 3 of 15

Guide to ISO 9001: 2015 the requirements that should not change

quality manual has been dropped it is now up to you how you describe what you do and
what you call it. The standard requires integration of the quality processes with the overall
business processes so Business Manual might be an appropriate title for your quality manual

quality context is a completely new term which when combined with internal and external
issues and will need to be thoroughly understood

risk based approach is what it says it is identified risks, their impacts, the chances of
occurrence and the management of them.

management representative (MR) as we have said in Table 1, this has been dropped and
the roles and the MR responsibilities need to be spread around the top management team

monitoring and measuring resources this spreads the net wider than instruments to include
the people who make decisions as a result of checks they do

externally provided products and services replaces purchasing products, services and even
processes can be provided from a wide range of sources

Some old friends are still there e.g.:

quality objectives

processes and a process approach

design and development this was dropped in the committee draft but reinstated in DIS
9001: 2014 and will be retained in the published standard

The core HLS requirements

To repeat ourselves, these should not change and you can make a start on these. We will look at
them in the sequence of the standard.
Clause 4 Context of the organization
This has the following sub-clauses covering:
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the quality management system
4.4 T he qua lit y management system and its processes
The Organization and its context may look a little intimidating at first but what it really means is that
you should clearly define what your organization does and its reason for existence. You probably
already have this in place in high level strategy documents such as business and marketing plans. If
so, include this in your quality system documentation.
You will then need clear definition of the issues that can affect what you are there to achieve. These
can be many and varied and include those from within your organization (such as cultural issues) and
external issues (such as the ability to raise credit in a tough financial market). There may be many
more issues and it may take some time to identify them all. They should be regularly reviewed as
circumstances and the issues change.

JEMO Ltd. 2015

Page 4 of 15

Guide to ISO 9001: 2015 the requirements that should not change
The other influences on what you achieve can be from stakeholders in your business. The standard
now calls these interested parties and they can be more than customers. You will need a good idea of
who they are, their interests and any risks to your business that they present.
If you have an ISO 9001: 2008 compliant system you should already have a well-defined scope of
your quality management system stating what is included and what is not. We suggest you examine
this to see if it is still appropriate to the issues identified and the needs and expectations of all
interested parties.
Finally for this clause your quality management system should be centred on your key processes and
be continually developed and improved to cope with changing circumstances. You are probably
already doing this. We will look at this further when we get to Clause 6 which covers planning and
Clause 10 which covers improvement.
The quality related requirements.
Most of this clause is HLS/Annex SL and there are no significant quality related requirements
How auditors may approach this
This can make an auditors job easier. When they approach an organization for the first time they may
have only a limited idea of what you do and the issues you face. They may only glean a proportion of
this from studying websites and questionnaire returns. You should now be able to provide a profile
and an insight into your business goals, objectives and influencing factors. Of course expect them to
challenge this if it is not transparent, over-biased in your favour or conflicts with what their experience
of similar organizations suggests.
Clause 5 Leadership
This has the following sub-clauses:
5.1 Leadership and commitment to the quality management system
5.2 Quality Policy
5.3 Organisational roles, responsibilities and authorities

The qualifier Quality differs with other management system standards. For example ISO 14001 will
have Environmental Policy. There are sub-sub clauses that are quality specific and listed later.
At first glance this appears to be much like Clause 5 (management responsibility) of ISO 9001: 2008.
Look closer and you will see it has some significant changes. In many organizations top management
do not lead the QMS and leave this to Mr or Ms Quality the management representative (MR). In
these organizations this must change because the quality management representative role has
Much of what ISO 9001: 2008 required the MR to do have been transferred to the top management
team, although they can delegate some of this. If you are the management representative we suggest
you closely examine what you do now. Re-position your role as an internal consultant to your top
management team to provide them with the assistance they need to make the transition and to be on
hand when needed afterwards.
Top management now have to accept genuine accountability and hands on commitment to the
quality management system and be able to demonstrate this.

JEMO Ltd. 2015

Page 5 of 15

Guide to ISO 9001: 2015 the requirements that should not change
They have to ensure the quality management system is integrated into the business and is not a bolton extra. The general purpose of this is to spread the involvement in the QMS to the wider
management team and involve people in a quality culture. This is one good reason for starting now
culture changes can take substantial time to introduce.
The quality policy has been strengthened and developed and now includes a commitment to meet all
applicable requirements and to be improved. It must be understood by everyone who works under
your organizations control and who can affect the quality of what you deliver. This includes other
interested parties and providers and you should make the policy available to them.
The quality related requirements.
There are quality related requirements in sub-clauses to 5.1 and also in Organizational roles,
responsibilities and authorities (5.3) but as we are concentrating on the HLS/Annex SL requirements
in this briefing we confined ourselves to listing these in Table 2. If you require comprehensive tools for
implementing and auditing all of the changes please visit or contact us at




Leadership and commitment to

the quality management system

This was summarised above and is one of the most

significant changes


Customer focus

Basically as the 2008 version but now includes risk


Table 2 Clause 5.1 Leadership and commitment

The disappearing management representative
If the quality management system revolves around you or a small team under your leadership and
everyone leaves all matters Quality to you we strongly suggest you examine how his can be spread
wider. Expect issues with, for example, other managers not being prepared to take on the
management representative roles. There may be other issues that arise from this such as conflicts of
interest and internal politics. If you are the management representative start now on planning your
career progression after the publication of the standard. You will be joining 1.2 million others working
for registered organizations!
How auditors may approach this
The changes also make their job easier. Expect them to reserve more time for interviewing top
management and obtaining objective evidence of their commitment (or not) to the QMS. They will look
for evidence that more people are involved with the quality management system and that it is
genuinely embedded in the overall business systems. Expect them to look for risk identification when
examining your focus on your customers.
6 Planning for the quality management system
This has the following HLS/Annex SL sub-clauses:
6.1 Actions to address risks and opportunities
6.2 Q u alit y objectives and planning to achieve them

JEMO Ltd. 2015

Page 6 of 15

Guide to ISO 9001: 2015 the requirements that should not change
The new standard has removed the requirement for preventive action in the 2008 version and
replaced it with risk based thinking. This means the whole standard is intended to look ahead, to
identify risks and put in place controls to manage them. In addition to risks you may identify
opportunities for improvement and you should exploit these. How this is done is via the planning work
you do to meet this clause.
This is the logical development of the process you started in Clause 4 where your interested parties,
their needs and issues were defined and in clause 5 where you identified risks to your customers from
your products and services. These are now at the heart of the risk management processes.
You probably already have quality objectives and departments, teams or individuals working on them.
The new standard reinforces the principle that these should be clearly defined, measurable (when
practicable), achievable and with responsibilities defined for their achievement in specified timescales.
The quality related requirements.
There are quality specific requirements in 6.1 Actions to address risks and opportunities, 6.2 Quality
objectives and planning to achieve them and 6.3 - Planning of changes, which we list in Tables 3 - 5




No title

Covers planning the QMS in the context of your

organization and identifying risks and opportunities


No title

Covers how you will manage the risks and


Table 3 Clause 6.1 Actions to address risks and opportunities





No title

This covers establishing your quality objectives and

now includes objectives for processes


No title

This covers planning to achieve the objectives, the

resources needed and the way the results are
measured and monitored

Table 4 Clause 6.2 Quality objectives and planning to achieve them




Planning of changes

This covers the planning of known changes and

preserving the integrity of the QMS. It is more explicit
than ISO 9001: 2008

Table 5 Clause 6.3 Planning of changes

If you require comprehensive tools for implementing and auditing all of the changes please visit or contact us at

JEMO Ltd. 2015

Page 7 of 15

Guide to ISO 9001: 2015 the requirements that should not change
How auditors may approach this
Auditors who are not familiar with risk management techniques should not be auditing you. Expect
experienced auditors to look for tangible evidence that you are evaluating the risks and effectively
eliminating them or reducing them to an acceptable level. They will examine your resources and
competencies to do this. A useful tool for this is a risk register. ISO 31000 provides useful guidance
on risk management.
They should be familiar with how to audit your objectives and planning of changes and may spend
more time with your top management on this.

Clause 7 Support
This has the following HLS/Annex SL clauses:
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
There are also sub-sub clauses but with the exception of 7.5 below these are quality specific and so
are listed but not discussed here.
7.5 Documented information this has the following sub-sub clauses that are HLS/Annex SL:
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
In general, this is a development of existing ISO 9001: 2008 requirements for support to your main
operational processes. The human resources (i.e. your colleagues) need to be demonstrably
competent and aware of the requirements that apply to them and the consequences of not following
the rules of the QMS.
Your communication systems need to be robust and include external and internal communications. A
gap in the ISO 9001: 2008 standard has been filled communication with your suppliers and external
providers has to be as robust as communication with your customers

The documented quality system may not have to include your quality manual, documented
procedures or work instructions but there should be something that does a similar job for instruction
and control. This is called documented information. Much of what you already have can still suffice,
although you may want to take this opportunity to examine your documentation to see what can be
retained, what is superfluous and if it is all in the right format and media for your current and future
Your top management could, as part of their leadership role, engage the workforce in deciding what
they really need in the documentation and the media that is most suitable for them.

JEMO Ltd. 2015

Page 8 of 15

Guide to ISO 9001: 2015 the requirements that should not change
The quality related requirements.
There are many additional quality related requirements here under sub-clauses - in particular in
clause 7.1 which has six sub-clauses with significant additional requirements. We have listed these in
Tables 6 but do not discuss them in detail here as we are focusing on the HLS/Annex SL





Basically as ISO 9001: 2008 - you must determine and

obtain the resources needed to run your QMS from
inside and outside your organization



Basically as ISO 9001: 2008



Basically as ISO 9001: 2008


7.1.4 Environment for the

operation of processes

This extends the work environment of ISO 9001: 2008

to include environments for the effective operation of


7.1.5 Monitoring and measuring


This is a substantial development of the ISO 9001:

2008 requirements and now embraces the calibration
control of people used in monitoring and measurement


Organizational knowledge

This is a new requirement which covers the knowledge

needed by your organization and how you obtain and
control this and keep it up to date

Table 6 Clause 7.1 Resources

For comprehensive tools for implementing and auditing all of the changes please visit or contact us at
How auditors may approach this
Auditors should use flexibility with your documented system. They should not expect you to throw out
your existing quality manual and documented procedures, but they should expect you to be reviewing
them against the requirements for documented information. There is a three year transition period
before the 2008 standard is withdrawn and this should be ample time for them to determine if you
have things under control.
They should find the more explicit requirements for communication easier to audit and to obtain
evidence of the effectiveness of your communication processes.
Competence should also be easier to audit. Note that this can also include the competence of people
working under your organizations control especially where you outsource processes and activities.
You are still responsible for the results of these.

Clause 8 Operation
The bulk of this clause contains quality specific requirements that are derived from the 2008 standard.
You are recommended to use our gap analysis checklist and PowerPoint presentation to familiarise
yourself with these, or obtain a copy of the standard.

JEMO Ltd. 2015

Page 9 of 15

Guide to ISO 9001: 2015 the requirements that should not change
The only HLS/Annex SL requirements are in:
8.1 Operational planning and control
All the rest are quality specific. We list these but do not look at them in detail
This takes the strategic planning you did for clause 6 and focuses down onto the planning of the
specific processes for creating products and providing services. This extends beyond your internal
process chain to include processes that you outsource. A new requirement is for you to have controls
for unplanned changes as well as the changes you plan to make.
The quality related requirements.
There are many quality specific requirements here, much of which you will probably be doing already.
We have listed these in Table 7, but it is beyond the scope of this brief to cover them in detail.



Determination of requirements for

products and services



Customer communication

An extension of ISO 9001; 2008 to include contingency

and other quality related communications

Determination of requirements
related to the products and

Subtle change from ISO 9001: 2008 including a need

to substantiate all claims you make for your products
and services

Review of requirements related to

products and services

Basically as ISO 9001: 2008 but extended to include

other interested party requirements


Design and development of

products and services

This has six sub-clauses, amalgamating some of the

sub-clauses of ISO 9001: 2008. The only significant
change relates to reviewing experience from previous
design now dropped, and determining the risk of
design failure. We consider this significant omissions


Control of externally provided

products and services

This has three sub-clauses similar to ISO 9001: 2008.

The range of supply is extended to include anything
including sub-contracted processes that is provided
(excluding property provided by your customer)


Production and service provision

This has six sub-clauses, including new requirements

for post-delivery activities and the control of unplanned
process changes


Control of nonconforming process

outputs, products and services

This is basically as ISO 9001: 2008



If you require comprehensive tools for implementing and auditing all of the changes please visit or contact us at

JEMO Ltd. 2015

Page 10 of 15

Guide to ISO 9001: 2015 the requirements that should not change
How auditors may approach this
The auditors will be discipline-oriented and should have a good understanding of how to audit process
based quality management systems. Expect them to look in detail at your planning and link this to the
planning of the overall QMS and risk management that you did for clause 6. They will then probably
devote the bulk of their examination to the quality specific requirements. We have indicated where
these are new and expect them to devote more time to these.
Clause 9 Performance evaluation
This has the following HLS/Annex SL sub-clauses:
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

You will recognise these from the 2008 version and in most cases the requirements are very similar.
The scope of your management review should be expanded and more aligned to reviewing the QMS
performance in the context of the overall business. The finer details include making use of the results
of data analysis and your management review.
If you are operating a successful ISO 9001: 2008 system you should have little problem with this.
The quality related requirements.
There are no quality specific requirements. These are all HLS/Annex SL.
How auditors may approach this
The standard includes considerable detail that was not in the 2008 version and auditors may be
expected to be more explicit in what they look for. Expect them to focus more on requiring your top
management to explain the management review process and results and to have a more hands on
approach to directing and monitoring actions from these. Expect them to also examine closely the
analysis you do of data and especially what you do as a result of this.

Clause 10 Improvement
The HLS/Annex SL requirements are covered under the following sub-clauses:
10.2 Nonconformity and corrective action
10.3 Continual improvement

The key change here from ISO 9001: 2008 is the removal of a separate sub-clause for preventive
action. The work you did in 4.1 where you identified internal and external issues that affect your QMS
achieving its intended outcomes and the risk assessment and management of clause 6 together with
the remainder of the standard are all preventive. If anything they exceed the requirements of the 2008
Continual improvement is required for the QMS as in ISO 9001: 2008 and the controls for nonconformance are similar.

JEMO Ltd. 2015

Page 11 of 15

Guide to ISO 9001: 2015 the requirements that should not change
The quality specific requirements.
The major quality specific requirements are covered under 10.1 General. This focuses on the
processes you have for improving your products, services, processes and the overall performance of
your QMS.
For comprehensive tools for implementing and auditing all of the changes please visit or contact us at
What you should do now
The HLS/Annex SL requirements that we have outlined have less than a 5% chance of being further
changed. The main reason is that these are already in recently issued standards and those being
amended. It therefore follows that you can make a start on the changes at very little risk.
Figure 1 is a suggestion of how you may want to approach this:
What you get in the JEMO Implementation Tools
The JEMO implementation tools have been developed from over 30 years of working with ISO
management system standards. We currently have the following available through our website :

An auditors guide to ISO 9001: 2015. Based on the DIS, this is a comprehensive distance
learning course that explains in plain language the requirements and the changes and
guidance on how to audit these. There are over 320 slides with the changes graded in
severity and the Annex SL requirements highlighted. Cost 49.50 + VAT

ISO 9001: 2015 Gap Analysis. Based on the current DIS this comprises over 100 pages and is
published in landscape so that it can be bound as a working checklist. This allows you to
capture conformity and non-conformity and the audit evidence that you found. At the end
of each clause there is comprehensive, plain language explanation of the requirements,
comprehensive guidance on how to audit this and the evidence you would look for. This is
designed to be used by both internal and external auditors and you can indicate the severity
of the gaps (graded as high, medium or low). The Annex SL requirements (that should not
change) are highlighted. This also serves as an executive report in which you can record
action summaries conclusions and who will do what. Cost 49.50 + VAT

Discount for early purchasers. If you purchase both of these before 1 March 2015 we are offering
these at 20% discount for 80 + VAT
Free updates if there are changes. For purchases before 1 March 2015 we are offering a free update
if there are changes in the published standard.
Coming shortly
We will shortly have available:

an implementation guide to ISO 9001: 2015 comprising over 320 slides

an audit checklist with guidance for implementers and internal auditors comprising over 100

JEMO Ltd. 2015

Page 12 of 15

Guide to ISO 9001: 2015 the requirements that should not change

an e-learning executive awareness course for top management

an e-learning awareness course for other members of the workforce

JEMO Ltd. 2015

Page 13 of 15

Guide to ISO 9001: 2015 the requirements that should not change

Do a gap analysis on your existing QMS

The JEMO Gap Analysis Tool is ideal for this

Estimate the work and resources needed and

produce a report for your top management

The Gap Analysis Tool provides a template for this

Obtain authorisation to go ahead and assemble

an implementation team

Give training to top management and staff on what

the HLS/ Annex SL changes mean to them

The JEMO distance learning package is ideal for this

Implement the HLS/Annex SL changes first

Train internal auditors to audit to the HLS/Annex SL

requirements using the JEMO tools

Do the internal audits and a management review

Implement any changes

Repeat the exercise for the quality specific requirements

Figure 1 A suggested approach to implementing the changes

JEMO Ltd. 2015

Page 14 of 15