You are on page 1of 42

ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
4 Context of the organization
4.1 Understanding the organization and its context
Has the organization identified the external and internal issues Describe the process used by the organization to identify the internal and
that are relevant to its ‘context’ and that affect its ability to external issues and monitoring process;
achieve the intended result(s) of its quality management system?
 Does the organization continue to monitor and review those
issues to establish whether any changes to them will affect its
QMS or its purpose?
Notes:
 The context of the organization (also known as its business or organizational environment) refers to the combination of internal and external factors and conditions that can
have an effect on an organization's approach to its products, services, investments and intended outcome of its QMS.
 An organization’s context may include:
- Specific objectives & targets of the organization.
- Needs and expectations of its customers and any other relevant ‘interested parties’ e.g. Shareholders, employees, end used, suppliers, regulators etc.
- Products and services it provides;
- Complexity of organizational processes and their interaction.
- Competence of personnel working within or on behalf of the organization.
- The size and structure of the organization.
 Auditors will need to understand the internal and external issues typically experienced in type of organisations and must be prepared and able to challenge an organisation if
they believe the organisation’s interpretation of their context is having deficiency or incorrect.
 The standard does not ask for any specific requirement that these internal and external issues, or their monitoring and review, have to be documented by an organization, so
auditors cannot simply ask for a list of issues or records of reviews. However, the information may be obtained from different sources (refer examples below). The auditors
will also need a change in the audit approach and will have to more likely interview the senior management in relation to the organization’s context and its strategic direction
and related issues.
 An evidence of conformity needs to be obtained to assure that organisations are reviewing internal and external issues periodically.
Examples:
 External context can include issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national,
regional or local.
 Internal context can include issues related to values, culture, knowledge and performance of the organization.
 Auditors can obtain information from sources including; Business plan or strategy, Information provided on the organization’s website, Annual reports, Management meeting
minutes having these issues addressed etc.
 Use of Process approach by organization to identify relevant internal and external issues right from ‘sources of input’ to ‘receiver of output’ covering both internal & external
context issues as above. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]

4.2 Understanding the needs and expectations of interested parties

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks

a) Has the organization determined the interested parties Describe the process used by the organization to fully identify the interested
that are relevant to its QMS, who can effect or potentially parties;
effect on the organisation’s ability to consistently provide
products and services that meet customer and applicable
statutory and regulatory requirements and which
requirements are relevant to its QMS?

b) Does the organization monitor and review the Describe that how they monitor these interested parties and their relevant
information about these interested parties and their requirements;
relevant requirements?

Notes:
 An ‘interested party’ is any person or organization that can affect, be affected by, or perceive themselves to be affected by the decisions or activities of the organization
implementing the QMS.
 In order to determine whether an interested party, or its requirements, are relevant to their QMS, the organization must consider whether or not they have an effect on the
organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or to enhance customer
satisfaction.
 Each organisation will have its own set of relevant interested parties and these may change over time. Similarly, each interested party may also have its own set of
requirements, but all of these may not be relevant to an organization’s QMS. For any difference in opinion with client organization regarding the relevant interest of the
interested parties, the Auditors should be well prepared to challenge it.
 Auditors will have to ensure that the organisation has been through a process of initially identifying these interested parties/ groups and then to identify their requirements
that are relevant to the organisation’s QMS.
 They will also need to ensure that this process is revisited periodically because the relevant requirements of the interested parties may change over time.
 Again, as there are no specific requirements for documented information in the standard, the auditor need to use the same approach, as in clause 4.1, to obtain information
through several sources/ documents and interviews with senior management to obtain the objective evidences when there is no direct documentation provided by the client
for this purpose. Where the organization has determined that any interested party and/or its requirements are not relevant to QMS, then it does not have to take any action to
address them.

Examples:
 Interested parties could include the organization’s shareholders, employees, customers, end users, suppliers, regulators etc.
 Requirement of Interested parties may include; Specs from raw materials manufacturers/ suppliers, Concerns on employee feedback forms, Contractual requirements from
Customers, Corporate policies & procedures, Legal requirements etc.

4.3 Determining the scope of the quality management system
Δ The scope of the Quality management system sets its
boundaries, identifying what the requirements of the Quality
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
management system are applicable to, and to what they are not.
a) When defining the scope of QMS, has the organization Does the scope include all consideration in point a) as well as geographical
considered its context (e.g. the internal and external locations;
issues it faces and the requirements of relevant
interested parties), and also products and/ or services it
intends to deliver?

 b) Is the scope made available and maintained as
documented information?

c) Does the scope include any justification or instances
where specific elements of the standard cannot be
applied?
Notes:
 The scope of a management system may include the whole of the organization or specific functions, section of the organization, or one or more functions across a group of
organizations. Boundaries for the scope may even include specific geographic location(s), Processes, activities etc. Outsourced functions or processes are considered within
the organization’s scope of Quality management system.
 Although there is no longer any requirement that the scope of an organization’s QMS must be documented in a Quality Manual (which is no longer required), it need be
available and maintained as ‘documented information’ (ISO 9001:2015clause 7.5). The scope must include reference to the products and services covered by the QMS.
 Where a requirement cannot be applied (e.g. the organization does not perform any design activity), the organization can determine that the requirement is not applicable.
However, this should not result in failure to achieve conformity of products and services or to meet the organization’s aim to enhance customer satisfaction (Annex-A. A5)
 If the organization has excluded any requirement, this must be clearly recorded and the organization must be able to justify the exclusion.
 Auditors will need to verify that the organisation’s scope is documented, and evidence that it has been produced in consideration of organization’s context and products and
services. If exclusions have been applied by the organisation, auditors must ensure that they are recorded and that the rationale for the exclusion is stated and justified.

4.4 Quality management system and its processes
a) Has the organization adopted the process approach Is the process approach understood in the organization;
while establishing, implementing, maintaining and
continually improving the effectiveness of its quality
management system?
Ensure requirements in point b) has met and upload organization’s processes to
b) Has the organization determined the processes needed
demonstrate the Process approach is fully understood;
for the quality management system and their application
throughout the organization including;
Δ  Inputs required and the outputs expected,
 Sequence and interaction of processes,
 Measurements and related performance indicators,
 Availability of resources needed,
 Responsibilities and authorities assigned,
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
 Risks and opportunities associated and planned and
implemented appropriate actions to address them,
 Evaluation of processes, andImprovement opportunities
for the established processes and QMS.
c) Does the organisation maintain the documented Objective evidence can be indicated on process audit notes F103-16 or the
information necessary to support the operation of its organization’s identified processes if point b) above implemented;
 processes? Do they also retain documented information
that evidences thatprocesses are being carried out as
planned?
Notes:
 ISO 9001:2015 includes specific requirements necessary for the adoption of a process approach when developing, implementing and improving the effectiveness of a quality
management system. This requires an organization to systematically define and manage processes and their interactions so as to achieve the intended results in accordance
with both the quality policy and strategic direction of the organization.
 There needs to be evidence that these process requirements are included e.g. in the design, operation and on-going update of the organization’s QMS. The organizations will
have to pay attention to use the performance indicators to control and monitor processes, and the risks and opportunities associated with them.
 Although there is no longer any reference to ‘Records’ (ISO 9001: 2008 clause 4.2.4), there is still a requirement to demonstrate evidence of compliance with QMS
requirements and processes (ISO 9001:2015 clause 7.5).
 Auditor must note that there are explicit requirement for a process-based quality management system now. They should also note the additional new requirements regarding
use of performance indicators to control and monitor processes, and the requirement for processes to be assessed from a risk and opportunity perspective. In effect, auditors
will need to review how the organisation has designed its process-based management system.

Examples:
 Existing operational procedures, work instructions and flow charts are valid examples of documented information and can be used to evidence that the requirement for
documented information to support the operation of processes is being met. If these are working well for the organisation then there is no need to replace them.
 Use of Turtle diagram by the organization for identifying the Process related Inputs, Outputs, Resources used (Human & Infrastructure), Monitoring and measuring processes
and documentation.
 Use of Process approach by organization to identify sources of input, input, activities, output, receiver of output, performance indicators to control and monitor processes, and
the risks and opportunities associated with them. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]

5 Leadership
5.1 Leadership and commitment
5.1.1 General
Has top management exhibited their leadership and Objective evidence must include an interview with Top management covering the elements
Δ commitment towards its Quality Management system by: of points a) to h) to ensure thorough understanding and leadership at the highest level. If the
Top management is not involved, a non-conformance needs to be raised.
a) Taking accountability of QMS effectiveness?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
b) ensuringQuality policy and Quality objectives are
established and, are consistent with its overall strategic
direction and the context in which the organization
operates?
c) ensuring that quality management system requirements
are integral to the organization’s business processes
(i.e. Core to the purpose to Organization’s existence)?
d) promoting the adoption of the process approach and
risk-based thinking& improvement?
e) ensuring resources required for the effective operation
of the quality management system are made available?
f) communicating the importance conforming to the quality
management system requirements& its effectiveness?
g) ensuring that quality management system attain its
intended outcome?
h) involving, directing and providing support people& for
them to demonstrate leadership in their relevant
processes/ areas to contribute to theeffective operation
of the QMS?
Notes:
 Top management need to emphasize the importance of conforming to the QMS requirements. Additionally, they mustalso ensure that the QMS is achieving its intended
results and continual improvement driven within the organization.
 Auditors should look forevidences that top management has a “hands-on” approach to the management of their quality management system during interviews and auditing
other requirements e.g. Context of the organization, Quality policy, Quality objectives, Management review minutes, Resources etc.
 Where top management have effectively delegated responsibility for the QMS down to the MR, then they will now have to demonstrate much more direct involvement in the
QMS with an exception where ISO 9001:2015 indicates that the Top Management is responsible for ‘ensuring’ that a task is done, but otherwise the specified requirements
must be seen to be undertaken by top management directly. Auditors must understand which ISO 9001:2015 requirements top management can delegate and which they
cannot.
 Auditors should ensure that they are well prepared to interview the top management in respect of theircommitment to their quality management systems. Auditing at this level
is likely to be a newexperience and challenging at same time. A good understanding of management related processes and language used by top management can be
helping tool to engage with management on range of issues.

5.1.2 Customer focus
Has top management taken the lead in demonstrating the Objective evidence must include an interview with Top management covering the elements
Δ organization’s commitment to its customers by ensuring: of points a) to c) to ensure thorough understanding and leadership at the highest level. Top
management is not involved, a non-conformance needs to be raised.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
a) Customer and applicable statutory and regulatory
requirements are identified and met?
b) Determination and addressing the risks and
opportunities that can affect conformity of products and
services and its ability to enhance customer
satisfaction?
c) Remain focused on providing products and services that
meetcustomer, applicable statutory & regulatory
requirements and, on enhancing the customer
satisfaction?
Notes:
 Auditors will need to seek evidence that top management are ensuring that any risks and opportunitieswith the potential to impact the organisation’s ability to supply products
and services that conformto customer requirements and applicable statutory or regulatory requirements, or that may affectcustomer satisfaction, are being identified and
addressed by the organisation.
 Auditors should expectto find a focus on risks, but should note that opportunities must also be considered too.
 The requirement is to maintain a customer focus, so it will not be a one-time exercise,but must be evidenced as on-going activity.

5.2 Quality policy
5.2.1 a) Has the Top management established, implemented & Objective evidence must include an interview with Top management
maintained a Quality policy that is consistent with the covering the elements of points a) to c) to ensure thorough
purpose and context of the organization and its strategic understanding and leadership at the highest level. Top management is
Δ direction? not involved, a non-conformance needs to be raised.

b) provides a framework for the setting the quality
objectives?
c) includes commitments to satisfy any applicable
requirements and continually to improve their quality
management system?
5.2.2 Is the Quality policy;

 a) available as documented information?

b) communicated, understood andapplied across the Interview with Top management down to different levels of the
Δ
organization and available to relevant interested organization to ensure the Quality policy is communicated,
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
parties? understoodand implemented.How is it made available to interested
parties?

Notes:
 ISO 9001:2015 now requires that an organization’s quality policy is appropriate to both its purpose and context. This means that once the organization has determined its
context and the relevant requirements of its interested parties, Top management need to have a review its quality policy in light of that information.
 They will have to continue to review the quality policy to ensure that any changes in its context, interested parties or their requirements is reflected in the Quality policy and
whether the organization’s quality objectives are effected (6.2a).
 The auditors will also have to check that how the Quality policy is made available to relevant interested parties, where it is appropriate to do so.

5.3 Organizational roles, responsibilities and authorities
Does top management of the organization ensures assignment, Objective evidence must include an interview with Top management
communication & understanding of the necessary through different levels covering the elements of points a) to d) to ensure
responsibilities and authorities to individuals within the leadership and thorough understanding at the highest level.
organization?
Has top management assigned the responsibility and authority
Δ for:
a) ensuring that the requirements of this International
Standard are conformed and QMS processes are
delivering their intended results?
b) reporting on the QMS performance and any
opportunities for improvement, especially to top
management?
c) ensuring the promotion of customer focus throughout the Interview through different level in the organization to ensure
organization? understanding the customer requirements;

d) ensuringwhenever changes to QMS is planned and
implemented, the integrity of the system is maintained?
Notes:
 Auditors should note that there is no longer a requirement for appointment of Management Representative (MR), though the duties currently assigned to the MR under
ISO 9001:2008 must still be undertaken and can be assigned to different personnel.
 Auditor must seek evidence that Organizations personnel have not only been advised of their QMS responsibilities& authorities, but also that they understand these in the
context of the overall purpose of the Quality management system.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
 Auditors must also seek evidence that top management have assigned responsibility and authority forpreserving the integrity of the organisation’s QMS during revisions or
updates.

6 Planning for the Quality Management system
6.1
Actions to address risks and opportunities

6.1.1 Has the organization considered their context when planning for What process did the organization used to identify the risks?
the Quality management system covering issues referred to in
4.1 and the requirements referred to in 4.2 and determined the
risks and opportunities that need to be addressed to:

a) to provide assurance that the quality management
system can achieve its intended outcomes, enhance
desirable effects, to prevent or reduce undesired effects,
and to achieve improvement.

6.1.2 a) Has the organization planned actions to address these How the organization addressing those risks?
risks and opportunities?

b) Has the organization integrate and implement the
actions into its quality management system processes
and evaluate the effectiveness of these actions?

c) Are the actions taken to address risks and opportunities Auditor to verify the effectiveness of the identified actions by the
proportionate to the potential impact on the conformity of organization in addressing the risk;
products and services?
Notes:
 ‘Risk’ is defined as the effect of uncertainty on an expected result. Risk is often characterized by reference to potential “events” and “consequences” as well as the
“likelihood” of occurrence.
 Although risks and opportunities have to be determined and addressed, there is no requirement for a formal, documented risk management process. Auditors should seek
evidence that confirms that an organization has a methodology in place that enables them to effectively identify risks and opportunities in respect of the planning of their
quality management system.
 The role of the auditorisnot to carry out their own determination of risks and opportunities, but to ensure that the organisation is applying their methodology consistently and
effectively.
 All of the processes of a QMS do not represent the same level of risk in terms of the organization’s ability to meet its objectives. Due to this reason, the consequences of
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organizations. When deciding how to plan and control its
QMS, therefore, including its component processes and activities, the organization needs to consider both the type and level of risk associated with them.
 Options to address risks and opportunities can include:
- avoiding risk,
- taking risk in order to pursue an opportunity,
- eliminating the risk source,
- changing the likelihood or consequences,
- sharing the risk, or
- retaining risk by informed decision.
 Auditors should ensure that the organisation is taking a planned approach to addressing risks and realising opportunities, and that any actions taken have been recorded. For
those actions that have been completed, auditors should ensure that each action’s effectiveness has subsequently been assessed. They should also ensure that the action
taken was proportionate to the risk or opportunity.
Examples:
 SWOT analysis by the organization as part of their business strategy to identify the external risk and opportunities and action plan to address them.
 Formal business risk assessment performed by the organization talking into consideration its context, associated risk and opportunities and mitigation plan.
 Use of Process approach by organization to identify sources of input, input, activities, output, receiver of output, performance indicators to control and monitor processes, the
risks and opportunities associated with them and action plan to address them. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]

6.2 Quality objectives and planning to achieve them

6.2.1 Has the organization established quality objectives at relevant Have the Quality objective been identified throughout the organization?
functions, levels and processes? Are the Quality objectives;
Δ

a) consistent with the organization’s quality policy and be What Quality objectives are established to enhance customer
relevant to the conformity of products and services, and satisfaction?
the enhancement of customer satisfaction?
b) measurable, take into account applicable customer and Objectives must be measureable and what’s the process to monitor?
statutory and regulatory requirements, and be monitored
in order to determine whether they are being met?
c) communicated across the organization and be updated What process does the organization used to communicate the objectives
as and when the need arises? to process owners and update when needed?

d) maintained as documented information?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
6.2.2 Has the organization carried out planning in order to determine;

a) the work required in order to realize its quality What strategic action plans established to ensure achieving the Quality
objectives, the resources necessary to undertake this objectives?
work, who will be responsible for ensuring that the work
is done and when the work needs to be completed by?
b) how it will evaluate the work done to determinewhether What process has been used to evaluate that the objectives have been
it has led to the objective being realized? met?

Notes:
 ISO 9001:2015 now requires organizations to set quality objectives at functions, levels and processes that are relevant to conformity of product and the enhancement of
customer satisfaction. There will need to be evidence that the established quality objectives add value to the relevant functions, levels and processes within the organization.
 Organizations are now required to determine what resources will be required to achieve quality objectives, who will be responsible for them, what will be done and when, as
well as how achievement of the objectives will be evaluated. In many cases, this will require organizations to undertake more detailed monitoring of objectives and targets
than they currently do.
 Auditors should ensure that organizations are able to evidence that they are complying with these new requirements.

6.3 Planning of changes

Where the organization determines the need for change to the Does the organizationhave the management change process?
quality management system (4.4), are changes carried out in a
planned and systematic manner?

Does the organization consider:

a) the purpose of the change and any of its potential The change identified include all potential risks and related actions;
consequences (both positive & negative)?
b) the integrity of the quality management system may be How does the organizationmaintain the integrity of the QMS while
compromised (or indeed improved)? changes carried out within the organization?

c) the availability of resources to effect the change? What resources the organization has put in place to control the
changes?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
d) any changes required in responsibilities and authorities
to drive the change through?
Notes:
 Clause 6.3 is an enhancement of ISO 9001:2008 clause 5.4.2b. When the organization determines there is a need to change the quality management system, clause 6.3 of
ISO 9001:2015 requires such changes to be carried out in a controlled manner by planning first and then logically enacted.
 Auditors should ensure that the organization is able to evidence that it has taken into account the considerations of ISO 9001:2015 Clause 6.3, when planning and
implementing changes to its quality management system.

Clause # Requirements Yes No Objective evidence/ Remarks
7 Support

7.1 Resources

7.1.1 General

a) Has the organization determined and provided the
resources necessary to establish, implement,
maintain and continual improve its quality
management system?

b) Has the organization considered both the What process the organization used to determine the internal resources as
capabilities and constraints on its existing internal well as external resources needed?
Δ
resources and what need to be obtained from
external providers?

Notes:
 Organizations need to demonstrate that they have considered both internal and external resource requirements and capabilities e.g. training, software, appropriate work
instructions, competency skills, contract requirements, supply chain etc.
 Auditors must now evidence that organizations have considered their need for external resources inaddition to their need for internal ones.

7.1.2 People

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
To ensure that the organization can consistently meet What the process used to ensure that there is sufficient manpower?
customer and applicable statutory and regulatory
Δ requirements, has the organization provided the persons
necessary for the effective operation of the quality
management system, including the processes needed?

Notes:
 Essentially the same requirements as in ISO 9001: 2008, though the obligation to meet statutory and regulatory requirements is now explicit.
 No change in the audit approach required here.

7.1.3 Infrastructure

Has the organization determined, provided and What infrastructure determined by the organization? During the onsite audit
maintained the infrastructure for the operation of its ensure that how the infrastructure been maintained?
processes to achieve conformity of products and
services?

Notes:
 Essentially the same requirements as in ISO 9001: 2008, but it is made clear that ‘Infrastructure’ can include:buildings and associated utilities;equipment including hardware
and software;transportation; and information and communication technology.
 No change in the audit approach required here.

7.1.4 Environment for the operation of processes

Has the organization determined, provided and During the site tour, ensure that the environment determined by the
maintained the environment necessary for the operation organization based on the product and service provided is verified.
Δ
of its processes and to achieve conformity of products
and services?

Notes:
 The key change here is that “work environment” now becomes “environment” necessary for the operation of processes reflecting an increased focus throughout the standard
on a process-based approach. Organizations to not only to determine what is a work environment suitable to ensure conformity of products and services, but also to ‘provide
and maintain’ it.
 ‘Environment for the operation of processes’ can include physical, social, psychological, environmental and other factors (such as temperature, humidity, ergonomics and
cleanliness).
 Organizations will need to demonstrate that it is applying this updated requirement to the processes it has determined are necessary for the effective operation of its QMS.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
 Auditors will need to audit the organization’s process environment, not its work environment. As wellas physical factors, this now includes social and psychological factors too.

7.1.5 Monitoring and measuring resources

7.1.5.1 a) Where an organization uses monitoring or Upgrade audit: The delta would be to determine resources to ensure
measuring to demonstrate that its products and measuring results are valid.
services conform to requirements, has the
organization provided the necessary resources to Initial audit: The complete requirements from the point a) to c) to be
Δ ensure that monitoring and measuring results are established;
valid?

b) Does the organization ensure that the resources Upgrade audit: The delta would be that does the organization have expertise
provided are suitable to the type of monitoring or to the type of monitoring & measurement being undertaken.
measurement being undertaken and maintained in
Initial audit: The complete requirements from the point b) to be established;
Δ order to ensure they remain fit for purpose?

c) Does the organization retain appropriate No change from ISO 9001:2008 version.
 documented information that the monitoring and
measurement resources are fit for purpose?

7.1.5.2 In instances, where measurement traceability is a
statutory or regulatory requirement; a customer or relevant
interested party expectation; or considered by the No change from ISO 9001:2008 version
organization to be an essential part of providing
confidence in the validity of measurement results.Are the
measuring equipment;

a) verified or calibrated against international or
 national measurement standards at specific
intervals or prior to their use. If no such standards

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
exist, is the basis used for calibration or
verification retained as documented information?

b) identified in such a way that their calibration status
can be determined? They must also be protected
to prevent them being adjusted, damaged or
subjected to deterioration.

c) found to be defective during its planned
verification or calibration, or during its use,
previous results need to be revisited and
anynecessary corrective action implemented.

Notes:
 Organizations will need to demonstrate that they retain documented information to evidence that not just monitoring and measuring equipment is fit for purpose, but that all
monitoring and measuring ‘resources’ are.
 Auditors should note that where measurement traceability is required, measuring equipments are subject to additional controls. If measurement traceability is not required then
auditors must satisfy themselves that themonitoring and measuring resources an organization has employed are suitable and fit for purpose,and that arrangements are in place
to ensure their continued fitness for purpose.
 Auditors should also ensure that documented information is being maintained by the organization todemonstrate that monitoring and measuring resources are fit for purpose in
these instances.

7.1.6 Organizational knowledge

Does the organization take steps to capture and preserve What processes does the organization used to determine the knowledge
the knowledge necessary for the effective operation of its necessary for ensuring conformity to products & services?
processes and for ensuring the conformity of products
and services?

Is this knowledge maintained and made available to the How the knowledge is preserved?
extent necessary?

Does the organization consider its current knowledge and When changes occur at the organization, what processes do they use to
determine how to acquire or access the necessary determine the necessary additional knowledge?
additional knowledge, when addressing changing needs

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
and trends?

Notes:
 ‘Organizational knowledge’ addresses the need to determine and maintain the knowledge obtained by the organization, including by its personnel, to ensure that it can achieve
conformity of products and services. The process for considering and controlling past, existing and additional knowledge needs to take account of the organization’s context,
including its size and complexity, the risks and opportunities it needs to address, and the need for accessibility of knowledge.
 The balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization, provided that conformity of
products and services can be achieved. Organizational knowledge can include information such as intellectual property and lessons learned.
 To obtain the knowledge required, the organization can consider:
a) internal sources (e.g. learning from failures and successful projects, capturing undocumented knowledge and experience of topical experts within the organization);
b) external sources (e.g. standards, academia, conferences, gathering knowledge with customers or providers).
 Organizations need to demonstrate that, if they are planning to make changes to their QMS, they re-assess the extent of their current organizational knowledge and take steps
to improve it if it is determined to be insufficient to accommodate the planned changes.

7.2 Competence

Has the organization; What process does the organization used to determine competence?

a) determined the necessary competence of those
people working under its control that affects its
quality performance?
b) ensured that those people possesses the
necessary competence either on the basis of
appropriate education, training, or experience?
c) taken actions, where applicable, to acquire the What actions are taken to address competency gaps?
necessary competence, and evaluated the
effectiveness of the actions taken?

 d) retained appropriate documented information to
evidence of the competence of its people?

Notes:
 ‘Competence’ is defined as the ability to apply knowledge and skills to achieve intended results
 Organizations are still required to take action to address any competency issues and subsequentlyto check that this action has been effective. Additionally, organizations are
still required to maintainevidence to demonstrate that people doing work under its control are competent. This evidenceneeds to be maintained as documented information. For
example, a clean driving license can be evidence of competence for a driver)
 As these requirements apply to personnel ‘under its control’ this will include any sub-contract/agency personnel, as well as anyone undertaking outsourced processes and
functions – see reference to the need to communicate competence requirements to external providers in ISO 9001:2015 clause 8.4.3 (c).

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
7.3 Awareness

Are persons doing work under the organization’s control
Δ
aware of:

the organization’s quality policy, any quality objectives that What processes have been established by the organization to make people,
are relevant to them, how they are contributing to the working on behalf of organization, aware of the stated requirements?
effectiveness of the QMS and what the implications are of
them not conforming to QMS requirements?

Notes:
 The important factor here is the addition of requirement to make people aware both of the organization’s quality objectives as well as the consequences of non-conformance
with its QMS requirements.
 Auditors should note that additional information as set out above must be communicated to these individuals both (internal and external).

7.4 Communication

Has the organization determined those QMS related
Δ matters on which it wishes to communicate internally and
externally including;
a) on what it will communicate, when it will Has communication strategy been developed and implemented?
communicate, withwhom it will communicate and
how it will communicate?
Notes:
 ISO 9001:2015 now makes communication with persons outside the organization a specific requirement.
 Auditors should ensure that organizations are identifying external communications as well as internal communications that need to take place in respect of the operation of its
quality management system. They should also ensure that the organization has determined what it needs to communicate, when it will communicate, with whom it will
communicate and how it will communicate.
7.5 Documented Information

7.5.1 General

Does the organization’s quality management system No change from ISO 9001:2008 version.
 include:both documented information identified as
required in standard and documented information
identified by the organization as necessary for the

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
effective operation of its quality management system.

7.5.2 Creating and updating

a) When creating and updating documented Requirements are more explicit, but changes are insignificant.
information, does the organization ensure that it
is appropriately identified and described (e.g. title,
Δ date, author, reference number), in an
appropriate format (e.g. language, software
version, graphics) and on appropriate media (e.g.
paper, electronic)?

b) Does the documented information reviewed and Upgrade audit: No changes
approved for suitability and adequacy?
7.5.3 Control of documented information

7.5.3.1 a) Is the documented information controlled in order Upgrade audit: No changes
to ensure that it is available where needed and
that it is suitable for use?
b) Is it adequately protected against improperuse, What processes established by the organization to comply with point b)
loss of integrity and loss of confidentiality? requirements?
Δ

7.5.3.2 For the control of documented information, has the
organization addressed the following activities, as
applicable: No change from ISO 9001:2008 version

a) how it will distribute, access, retrieve and use
documentedinformation?
b) how it will store and preserve documented
information, and how it will controlany
changes to the documented information?
c) its retention and disposalarrangements?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
d) Has the organization identified any
 documented information of external origin that
it considers necessary for the planning and
operation of the organizations’
qualitymanagement system
Notes:
 The terms ‘documented procedure’ and ‘record’ used in ISO 9001: 2008 have both been replaced throughout ISO 9001:2015 by the term ‘documented information’, which is
defined as information required to be controlled and maintained by an organization, as well as the medium on which it is contained. Documented information can be in any
format and media and from any source.
 There is no longer a requirement to establish and maintain a Quality Manual (2008 clause 4.2.2) or for mandatory documented QMS procedures.
 The extent of documented information required for a quality management system can differ from one organization to another. This can be due to:
a) the size of organization and its type of activities, processes, products and services; b) the complexity of processes and their interactions; or c) the competence of persons.
 The organization needs to determine the level of documented information necessary to control its QMS.
 ‘Access’ can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented
information.
Examples:
 Operational procedures, work instructions, flow charts, process maps, etc. are all examples of ‘documented information’. Organizations do not have to remove their current
Quality Manual or documented procedures. If an organization wishes to retain these then they can do so.
8 Operation

8.1 Operational planning and control

Does the organization plan, implement and control those Is the organizational process identified for Production or service in control and where not,
processes that it has previously identified (clause 4.4) as are appropriate action taken for those identified risks and opportunities?
Δ necessary in order for it to meet product or service
requirements and to implements the actions determined in
6.1 by;

a) determining the product and services This should include organizational internal requirements and external
requirements; customer requirements.

b) establishing criteria for the processes and for the What criteria established for controlling the processes and the resulting
acceptance of products and services? output?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
c) determining resources needed to support each Objective evidences for control of processes to demonstrate adequate
process and implementing control of the resources;
processes in accordance with the criteria?

d) retaining documented information to the extent Objective evidence to demonstrate that processes are carried out as planned
necessary to ensure that its processes are being and the output meets the requirements of acceptance criteria.
 carried out as planned, and that the products and
services that are being produced conform to the
identified requirements and acceptance criteria?

Is the output of operational planning and control suitable Objective evidence that KPIs/ measuring of the processes have been met
for the organization's operations? and/ or the action taken if they are not.

Does the organization control planned changes and
review the consequences of unintended changes, taking
action to mitigate any adverse effects, as necessary?

Does the organization ensure that outsourced processes Have the organization identified the controls to be applied to outsourced
are controlled in accordance with clause 8.4? processes?

Notes:
 The term “product realization” has been withdrawn and replaced by “operation”, and the requirement for “Planning of product realization” has been replaced by “Operational
planning and control”.
 The new control-focused requirements centre on ensuring that processes are implemented as planned, including actions to address risks and opportunities. This needs to be
evidenced by means of documented information.
 ISO 9001:2015 introduces a requirement to establish the ‘criteria for the processes’ and to implement controls ‘in accordance with the criteria’. The emphasis is on controlling
the processes and organizations need to demonstrate that they have planned and implemented the appropriate process criteria:
- inputs, outputs, resources, controls, criteria, process measurement indicators, etc., plus

- any actions required to address identified risks and opportunities.

 Additional requirements are included in ISO 9001:2015 relating to the control and review of changes to process controls (including unintended changes). Auditors should also
gather and evaluate evidence related to it.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks

8.2 Determination of requirements for products and services

8.2.1 Customer communication

Has the organization established the processes for
Δ
communicating with customers on matter related to;

a) its products and services, enquiries, contracts or order
handling (including amendments?

b) obtaining customer views and perceptions,
including customer complaints?

c) the handling or treatment of customer property?

d) specific requirements for contingency actions,
when customer requirements are not met?

Notes:
These requirements are essentially the same as for ISO 9001:2008 sub-clause 7.2.3 “Customer communication”, but with the addition of new requirements to communicate in respect of
the handling or treatment of customer property and specific requirements for contingency actions where relevant. The requirement to obtain “customer feedback” has been amended to
obtain “customer views and perceptions”.

8.2.2 Determination of requirements related to products and services

Has the organization put in place a process to ensure that No changes from the ISO 9001:2008 version.
requirements for the products and services it intends to
offer to customers have been defined? This includesany
applicable statutory and regulatory requirements (and
those considered necessary by the organisation).

Δ Does the organization ensure that it has the ability to meet
the defined requirements and substantiate the claims for

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
the products and services it intends to supply?

Notes:
 ISO 9001:2015 starts from the position that the organization has already determined the products and services it intends to offer to customers, taking into account customer
requirements.
 Auditors should also evidence that the organization is able to substantiate any claims it is making for the products and services it offers e.g. Claims for mileage per litre of petrol
by the Car manufacturer, an ISO 9001 certified company catalogue/ website or in media claiming certification for full range of products against a limited scope of certification
etc.

8.2.3 Review of requirements related to products and services

8.2.3.1 Does the organization review, as applicable:

a) requirements relating to its products and services, No changes from the ISO 9001:2008 version.
consideration of requirements set by the
customer, including ones relating to delivery and
post-delivery

b) consideration of any requirements not expressly
stated by the customer but that are known to be
necessary for the product or service to be suitable
for thecustomer’s intended use?

c) consideration of any statutory or regulatory
requirements relating to the product or service,
and any new or changed requirements that differ
from those previouslydetermined?

d) Is this review conducted prior to the organization’s
commitment to supply products and services to
the customer and does it ensure that contract or
order requirements differing from those previously
defined are resolved?

e) Where the customer does not provide a
documented statement of their requirements, are

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
the customer requirements shall be confirmed by
the organization before acceptance?

8.2.3.2 Is documented information retained which describes the
results of the review, including any new or changed
 requirements for the products and services?

8.2.4 Where requirements for products and services are
changed, does the organization ensure that relevant
documented information is amended and that relevant
personnel are made aware of the changed requirements?

Notes:
 There is no substantive change to content, though there is recognition that when reviewing requirements relating to products or services, these requirements could now include
those arising from relevant interested parties – not just from customers.
 Auditors should ensure that requirements from relevant interested parties are considered as part of an organization’s product and service requirement review process.

8.3 Design and development of products and services

8.3.1 General

Has the organization established, implemented and
 maintained a design and development process that it is
adequate for subsequent production or service provision?

Notes:
ISO 9001:2015 now makes clear the circumstances when ‘design and development’ is required; there is also a specific requirement for a design and development process to be in
place:

 where the organisation has not established detailed requirements for products or services, or

 where these have not been defined by the customer or other interested parties

Increased knowledge of the products and services, and methods of arriving at them, will be required by auditors in order to be able to verify whether the organization’s QMS should or
should not include design and development.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
8.3.2 Design and development planning

When determining the stages and controls to be applied to Does the organization’s design process include the stages and evidences of a) through h)
its design and development process, does the as below?
Δ organization considered:
Note: The organization’s current product or service in the design phase should be the
objective evidence.

a) the nature, duration and complexity of the design
and development activities?

b) anyrequirements that specify particular process
stages must be included, for example design and
development reviews, verification & validation?

c) the responsibilities and authorities of those
involved in the design and development process?

d) the internal and external resource needed for the
design and development of products and
services?

e) the need to ensure that interfaces between
individuals and parties involved in the design and
development process are controlled?

f) the need for involvement and control expected by
the customer and user groups in the design and
development process?

g) the requirements for subsequent provision of
products and services?

h) the necessary documented information to confirm
 that design and development requirements have
been met?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
Notes:
 ISO 9001: 2015 is more explicit in terms of the elements that must be considered as part of the design planning process.
 Auditors should ensure that organizations are able to evidence that they have taken into consideration the explicitly referenced considerations relating to the design and
development process set out above.
 They should also ensure that the organization has retained documented information to confirm that its identified design and development requirements have been met.

8.3.3 Design and development inputs

Does the organization determine: Does the organization’s design process include the stages and evidences of a) through h)
as below?
Δ
Note: The organization’s current product or service in the design phase should be the
objective evidence.

a) requirements essential for the specific type of
products and services being designed and
developed, including, as applicable, functional and
performance requirements?

b) applicable statutory and regulatory requirements?

c) anystandards or codes of practice that the
organization has committed to implement?

d) any resources needed, whether internal and
external for the design and development of
products and services?

e) the potential consequences of failure due to the
nature of the products and services?

f) Are inputs adequate for design and development
purposes, complete and unambiguous?

g) Are conflicts on design & development inputs
resolved?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks

 h) Are the documented information maintained for
the design and development input?

Notes:
Auditors need to verify that the organization has addressed the specific new requirements set out in ISO 9001:2015, sub-clause: 8.3.3 – specifically, those relating to ‘resource
requirement and the consequences of design or development failure’.

8.3.4 Design and development controls

Has the organization applied controls to its design and Does the Organization’s design process include the stages and evidences of a) through d)
development process to ensure that: as below?
Δ
Note: The Organization’s current product or service in the design phase should be the
objective evidence.

a) the results from undertaking the design and
development process are clearly defined?

b) design and development reviews takes place as
per planned arrangements?

c) design and development outputs meets the input
requirements (verification)?

d) the resulting products and services are fit for their
intended use and specified application, where
known to the organization (Validation)?

Notes:
 This is a new clause introduced by ISO9001:2015, which is basically a combination of the requirements in ISO 9001: 2008 relating to design review, verification and validation.
 There is no change in the audit approach required. However, the requirement in ISO 9001: 2008 that, where practicable, validation should be completed prior to the delivery or
implementation of the product/service has been removed.

8.3.5 Design and development outputs

Does the organization ensure that design and Does the organization’s design process include the stages and evidences of a) through h)
development outputs: as below?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
Note: The organization’s current product or service in the design phase should be the
objective evidence.

a) meet the input requirements for design and
development and suitable for use in subsequent
processes?

b) As applicable, includes or reference any related
monitoring and measuring requirements, and
acceptance criteria?

c) Finally, does the organization ensure that the
products that are to be produced or the services
that are to be delivered are fit for their intended
purpose and are safe to use?

d) Does the organization retain the documented
 information resulting from the design and
development process?

Notes:
 The requirements are essentially unchanged, except that the requirement to “include or reference monitoring and measuring requirements, where appropriate” has been
added.
 Auditors should note the additional requirement for documented information in respect of sub-clause 8.3.5. They should also note the need for design outputs to reference
monitoring and measuring requirements, as applicable.

8.3.6 Design and development changes Does the organization’s design process include the stages and evidences of a) through h)
as below?

Note: The organization’s current product or service in the design phase should be the
objective evidence.

a) Does the organization review, control and identify
changes made to design inputs and design
outputs during the design and development of
products and services or subsequently, to the
extent that there is no adverse impact on

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
conformity to requirements?

 b) Is documented information on design and
development changes retained?

Notes:
 The ISO 9001:2015 requirements are essentially the same, though there is no longer any reference for design and development changes having to be ‘verified’, ‘validated and
approved before implementation’ (ISO 9001: 2008 clause 7.3.7).
 No change in the audit approach would require.

8.4 Control of externally provided processes, products and services

8.4.1 General

Does the organization ensure that externally provided Has the organization identified risks and actions for the products and services
processes, products and services meet the organization’s provided by the external providers?
specified requirements?

Does the organization apply the specified requirements for
Has the organization determined the requirements to demonstrate adequate controls over
the control of externally provided products and services
external providers for a) through c) as below?
when:

a) products and services from the external providers
for incorporation into the organization’s own
products and services?

b) products and services to be provided directly to
the customer by external providers on the
organization’s behalf?

c) outsourced processes or part of a process from
an external provider?

Has the organization established and applied criteria that No change from ISO 9001:2008 version.
allows it to evaluate and select external providers and,
that allows it to subsequently monitor their performance?
Criteria relating to the re-evaluation of external providers
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
also need to be established and implemented.

Does the organization retain appropriate documented Does the organization’s process include monitoring the performance of
information for the results of external provider’s
 evaluation, re-evaluation and monitoring of their
external providers?

performance?

Notes:
 The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided
products and services.
 Auditors should note the new requirement for the organization to establish criteria to allow it additionally to monitor the performance of external providers. This must be
maintained as documented information.
 They should also note the requirement for organization to provide a record of the results of their monitoring of the external provider’s performance as documented information.
8.4.2 Type and extent of control

In determining the type and extent of controls to be What processes are established by the organization to demonstrate control over
applied to the external provision of processes, products processes, products and services provided by the external provider for the points a)
Δ
and services, does the organisation take into through e) as below?
consideration:

a) the externally provided processes are part of its
Quality management system?

b) the controls it intends to apply to both the external
provider and the resulting output?

c) the potential impact that the externally provided
processes, products or services could have on its
ability to supply conforming products and services
to its customers and meeting statutory and
regulatory requirements?

d) how effective it considers the controls that are
being applied by the provider are?

e) verification or other activities necessary to ensure

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
the externally provided processes, products and
services conforms to its customer requirements?

Notes:
 ISO 9001:2015 now requires the organizations to control both, “the external providers and the potential impact of the externally provided processes, products or services on the
organization’s ability consistently to meet customer and applicable statutory and regulatory requirements”.
 There is a greater emphasis on the organization’s need to satisfy itself that the controls applied by its external providers (to ensure that it meets the organization’s
requirements) are adequate.

8.4.3 Information for external providers

Does the organization ensure that the requirements it
intends to communicate to the external provider are
reviewed for adequacy prior to their being communicated?

Does the organization communicate to external providers
Δ
applicable requirements for the following:

a) products or services to be provided or the
processes to beperformed by the external
provider on behalf of the organization?

b) approval or release of products and services,
methods, processes or equipment?

c) competence of personnel, including
necessary qualification they must possess?

d) their appropriate interactions with the
organization's quality management system?

e) details as to how the external provider’s New requirement as covered in section 8.4.1.
performance will be monitored and controlled
by theorganisation?

f) details of any verification or validation
activities that the organisation (or its
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
customer) intends to perform atthe external
provider’s premises?

Notes:
 Essentially, these requirements are unchanged. However few requirements are expanded such as;
- there is an acknowledgement that organizations may need to communicate not just the products or services they wish to receive, but also any processes they want the external
provider to undertake on their behalf.
- The requirement for the organization to communicate, as applicable, the necessary qualification of personnel to cover the competency and qualification of personnel.
- The requirement for the organization to communicate any “quality management system requirements”, as applicable, to “their (ie the external provider’s) interactions with the
organization’s quality management system”.

8.5 Production and service provision

8.5.1 Control of production and service provision

Has the organization implemented controlled conditions
for production and service provision, including delivery
and post-delivery activities?

Δ Do those controlled conditions include, as applicable:

a) documented information that defines the
 characteristics of the products and services is
available?

b) documented information that defines the activities
 to be performed and the results to be achieved is
available?

c) suitable monitoring and measuring resources are
made available?

d) monitoring and measurement takes place at
appropriate stages in the production process to
ensure that both the processes themselves and
the process outputs meet the organization’s

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
acceptance criteria

e) the process environment and infrastructure are
suitable?

f) personnel are competent and, where necessary,
appropriately qualified?

g) for processes where the results cannot be verified
by subsequent monitoring or measurement, the
process itself is initially validated and then
periodically re-evaluated?

h) products and services release, delivery and post-
delivery activities are implemented?

Notes:
This clause is essentially the amalgamation of clause 7.5.1 and 7.5.2 of ISO 9001:2008 with few modifications as below;
 The reference to “work instructions” has been replaced by a reference to “documented information that defines the activities to be performed and the results to be achieved”.
 “The results to be achieved” is an important addition. These may not appear in existing documentation describing the activities to be performed or in records generated from
them.
 There is now an explicit requirement to ensure monitoring and measurement activities are undertaken at appropriate points. This is in order to verify processes are being
controlled and that process outputs, products and services are meeting their acceptance criteria.
 Reference is made to monitoring and measuring “resources” as opposed to “monitoring and measuring equipment”, reflecting the fact that monitoring may be being carried out
by humans.
 The “qualification of personnel” has modified to “the competency and, where applicable, required qualification of persons emphasizing competency over qualification”

8.5.2 Identification and traceability

Where necessary to ensure conformity of products and
services, does the organization use suitable means to
identify process outputs?

Does the organization able to identify the status of
process outputs in respect of any monitoringand
measurement requirements it has set, at all stages of

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
production or service provision?

Where traceability is a requirement, does the organization

 control the unique identification of the process outputs and
retain any documented information necessary to maintain
traceability?

Notes:
 These requirements are essentially the same as ISO 9001: 2008 clause 7.5.3, but the emphasis now is on ‘process outputs’ rather than products.
 Process outputs are the results of any activities which are ready for delivery to the organization’s customer or to an internal customer (e.g. receiver of the inputs to the next
process). They can include products, services, intermediate parts, components, etc.

8.5.3 Property belonging to customers or external providers

Does the organization take care of property that has been Objective evidence for the property belonging to customer or external
supplied to it forincorporation into its products or services providers;
by customers or by external providers?

Does the organization ensure that any such property is
identified, verified, protectedand safeguarded?

If the property is lost or damaged, or found unsuitable for

 use, has the organization made ensure that this isreported
back to the customer or external provider including
retaining documented information?

Notes:
 These requirements are essentially the same as those in ISO 9001: 2008 (clause 7.5.4), but the definition of customer property has been widened to specify that it can include
material, components, tools and equipment, customer premises, intellectual property and personal data.
 The evidence is required to confirm that the controls appearing in ISO 9001:2008 relating to customer property have been extended to cover property from external providers.

8.5.4 Preservation

Does the organization ensure preservation of process
outputs during production and service provision, to the

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
extent necessary to maintain conformity to requirements?

Notes:
 These requirements are essentially the same as those in ISO 9001: 2008 (clause 7.5.5), but again the emphasis now is on ‘process outputs’ rather than product.

8.5.5 Post-delivery activities

Does the organization fulfil requirements for post-delivery
activities related to its products and services?

When making this decision, does the organisation The processes established by the organization to address the post-delivery activities and
Δ
consider: associated risk identified based on the nature product or service;

a) the risks associated with the particular product or
service, the nature of the product or service, how
the product or service will be used andwhat the
product or service’s intended lifetime is.

b) any post-delivery activities also needs to take into
account customer feedback and any applicable
statutory or legal requirements?

Notes:
 This clause expands the ISO 9001: 2008 requirement that post-delivery activities are carried out under ‘controlled conditions’ – clause 7.5.1 (f) – and now also requires the
organization to consider a list of issues as above when determining what post-delivery activities are required.
 ‘Post-delivery activities’ can include actions under warranty provisions, contractual obligations such as maintenance services and supplementary services such as recycling or
final disposal.

8.5.6 Control of changes

Does the organization control any unplanned changes that The processes established to address any sudden changes and related
are considered essential in orderto ensure that products or objective evidence;
services continue to meet their specified requirements?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
Does the organization retain documented information

 describing the results of thereview of the changes, the
person(s) authorizing the changes and any necessary
actions?

Notes:
 These are new specific requirements (though they are implicit in ISO 9001: 2008 clauses 7.5.1 & 2).
 Organizations need to demonstrate that where it has to make unplanned changes to its processes in order to ensure its products or services conform to specified requirements,
these changes must be made in a controlled manner.
 Auditors should evidence that the organisation has controlled unplanned changes in accordance withthe requirements set out above

8.6 Release of products and services

a) Does the organization carry out predetermined
verification at appropriate stages in the
production/delivery process in order to verify that
products and services meet agreed acceptance
criteria?

b) Does the release of Products or services not
normally proceed to the customer until all of the
planned tests and checks have been satisfactorily
completed, unless otherwise approved by a
relevant authority and where applicable,
permission for early release must also be
obtained from the customer?

c) Does documented information retained provide
evidence of conformity to acceptance criteria and
 traceability to the person(s) authorizing release of
products and services for delivery to the
customer?

Notes:
 These requirements are essentially the same as those in ISO 9001: 2008.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
8.7 Control of nonconforming outputs

8.7.1 Does the organization identified process outputs, products
or services that do not conform to their intended
requirements? Controls need to be established and
implemented to ensure that these “nonconforming”
process outputs, products or services are not delivered to
the customer or used unintentionally.

Where nonconforming process outputs, products or
services are identified, does the organization take
corrective action proportionate, reflecting both the nature
of the nonconformity and its ability to impact the
organization’s intended product or service?

Is this also applied to nonconforming products and
services detected after delivery of the products or during
the provision of the service?

Does the organization deal with nonconforming process The processes established to deal with non-conforming product/ or service
outputs, products or services in one or more of the and clients notified, where appropriate;
following ways:
 by correcting the fault;
Δ  by segregation, containment, return or suspension
of provision of product and services;
 by informing the customer;
 by obtaining authorization for acceptance under a
concession.
8.7.2 Does the organization retain documented information of
on nonconforming description, actions taken, any
 concessions obtained and on the person or authority that
made the decision regarding dealing with the
nonconformity?

Notes:

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
 These requirements are essentially the same as those in ISO 9001: 2008 (clause 8.3), but once again, ‘process outputs’ are a key focus of the requirements, though the
options available when non-conformities are identified are more explicitly detailed; in particular, the need to take ‘corrective’ action.
 Documented procedure is no longer required, but documented information relating to non-conformities now has to include details of the person(s), who authorized the action
taken to deal with it.
9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General

Has the organization determined; Objective evidence of evaluating of the results of monitoring and
Δ
measurement and analysis;

a) what it needs to monitor andmeasure?

b) the requirement for methods to ensurevalid results
also extends to the organisation’s analysis and
evaluation activities?

c) when monitoring and measurement should be
carried out and atwhat stage the results of
monitoring and measurement should be analysed
and evaluated?

Has the organizations subsequently ensured that
monitoring and measurement takes placein accordance
with the requirements the organization has set itself?

Has the organization ensured that wheremonitoring and
 measurement takes place, documented information is
retained to evidencethe results?

Notes:
 The auditors should confirm that the organization identify the ‘what’ ‘how’ and ‘when’ of the monitoring and measurement, along with when the results should be evaluated.
 Auditors should note the additional requirement for organizations to evidence evaluation of the results of monitoring and measurement, not just their analysis.
 They should also note a new requirement to monitor the performance and effectiveness of the organization’s quality management system.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
9.1.2 Customer satisfaction

Does the organization monitor the degree to which
Δ customers believe their requirements for products and
services have been met?

Have the methods for obtaining, monitoring and reviewing What methods determined by the organization to monitor & review customer
this information been determined? perception;

Notes:
 Organizations now need to demonstrate that they have sought out information relating to how customers view the organization itself as well as its products and services. They
also must have a defined methodology identifying both how they will obtain, monitor and review this information.
 Information related to customer views can include customer satisfaction or opinion surveys, customer data on delivered products or services quality, market-share analysis,
compliments, warranty claims and dealer reports, etc.

9.1.3 Analysis and evaluation

Does the organization analyze and evaluate appropriate
Δ data and informationthat it has obtained either internally or
externally for a variety of pre-defined purposes?

Is the output of analysis and evaluation used to:

 demonstrate that the organization’s products and Objective evidence of analysis of data carried out and the effectiveness of
services conform to requirements; actions related to identified risk & opportunities;
 to assess and enhance customer satisfaction;
 to ensure the performance and effectiveness of
the quality management system;
 to demonstrate that planning has
beensuccessfully implemented;
 the effectiveness of actions pertaining to risk and
opportunities;
 assess the performance of external providers;
 improvements needed in the organization’s QMS.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
Notes:
 Although these requirements are similar to those in ISO 9001: 2008 (clause 8.4) there are now explicit requirements relating to how the analysis and evaluation data must be
used. Organizations now need to demonstrate evaluation as well as analysis of data (from measurement, monitoring or other sources);
 There has to be evidence of interpretation of the data analysis they carry out including effectiveness of actions pertaining to risk & opportunities identified.
 Auditors should note that organisations now need to evidence both analysis and evaluation of data and information. It is not sufficient just to carry out an analysis without
interpreting the results. They should ensure that organisations are able to evidence through analysis and evaluation thatplanning has been effective.
9.2 Internal audit

9.2.1 Does the organization carry out internal audits at planned
intervals in order to determine whether the quality
management system;
a) conforms to both the organization’s own
requirements and the requirements of ISO 9001?
b) is being effectively implemented and maintained?

9.2.2 Does the organization:

a) When planning, establishing and implementing an
audit programme including frequency, methods,
responsibilities, planning requirements and
Δ reporting, does the organization consider the
importance of the processes concerned, changes
within the organization, and the results of previous
audits?
b) have a defined scope and its own audit criteria each
audit?
c) ensure audits and auditors be impartial and objective
of the process audited?
d) ensure that the findings from audits fed back to the
relevant management with any required corrections or
corrective actions being taken in a timely manner?

 e) retain documented information to provide
evidence that the audit programme has been
implemented and the results of audits?
Notes:
 Organizations are not necessarily required to have a documented internal audit procedure, however auditors must be able to access documented information confirming the

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
implementation of anaudit programme by the organization including evidences related to results of audits.
 While reviewing the internal audit programme of the organization, auditors should ensure thatconsiderations are given to the importance of the processes concerned,
changes within the organization, and the results of previous audits.

9.3 Management review

9.3.1 Does reviews of the quality management system
undertaken by top management at planned intervals in
order to ensure the quality management system’s
continuing suitability, adequacy and effectiveness?

9.3.2 Is the management review planned and carried out taking
into consideration;

a) thereview of actions decided during previous
management reviews?
b) thechanges to context (internal/ external issues)
of the organization that are relevant to its QMS?
c) information on the performance and QMS
effectiveness, including trends and indicators for;
 feedback from Customer and relevant interested
parties,
 achievements related to the Quality objectives,
Δ  process performance and conformity of products
and services,
 non-conformities and related corrective actions,
 results of monitoring and measurement, and
 external provider’s performance.

d) adequacy of resources required for maintaining an
effective QMS?
e) process performance and conformity of products
and services?
f) reviewing the effectiveness of actions
implemented to address risks and opportunities?

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
g) new potential opportunities for continual
improvement?
9.3.3 Does the outputs of the management review include
decisions and actions related to:

a) improvement opportunities?

b) any need for changes to the quality management
system, including resources needed?

 Does the organization retain documented information as
evidence of the results of management reviews?

Note:
 Organizations are now required to retain documented information as evidence of the results of the management reviews (rather than records of management review as stated
in 9001:2008)
 Auditors should expect to evidence the same outputs from management reviews as at present. However, they should note that the results of management reviews can now be
held in any format that the organization chooses.
10 Improvement

10.1 General

Does the organization decide and choose improvement What processes are planned and implemented by the organization to improve
opportunities and take necessary actions that will better the Quality performance and effectiveness of QMS?
enable the organization to meet customer requirements
and enhance their customers’ satisfaction?

Does this include, as appropriate:

a) improving process output to fulfill the
requirements and to address future requirements?
b) correction, prevention and reduction of unwanted
results?
c) improvement of performance and QMS
effectiveness?
Note:

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
 This is a new section which emphasises the general need to improve processes, products and services, as well as the performance of QMS overall, in order to meet customer
current and future requirements and enhance customer satisfaction.
 The associated note reminds that ‘Improvement’ can be effected reactively (e.g. corrective action), incrementally (e.g. continual improvement), by step change (e.g.
breakthrough), creatively (e.g. innovation) or by re-organisation (e.g. transformation).
 Auditors should note that there is no longer a requirement to audit preventive action as a separate entity.

10.2 Nonconformity and corrective action

10.2.1 When a nonconformity is identified including complaints,
does the organization:
Δ

a) take whatever action is necessary to control and
correct the nonconformity, and to deal with any
resultant consequences
b) consider whether any further action is required to
eliminate the causes of the nonconformities to
avoid their re-occurrence or occurrence
elsewhere, by review of nonconformity, cause
analysis, and determine if similar nonconformity
exist or may occur in future?
c) implement any actions identified as needed,
review theireffectiveness and make changes to
the quality management system if required?
Are the corrective actions appropriate to the effects of the
nonconformities encountered?

Does the evidences of nature of nonconformity and any
 subsequent action taken, and corrective action results are
retained as documented information by the organization?

Note:
 Auditors should evidence that, where nonconformities have been identified by an organization, an investigation has been conducted to determine whether other similar
nonconformities actually do or potentially could exist.This covers some of the requirements previously included under Preventive Action.
 They should also evidence that where nonconformity has occurred, the organization has considered whether it needs to make changes to the wider quality management
system to prevent a re-occurrence.

F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document

Clause # Requirements Yes No Objective evidence/ Remarks
10.3 Continual Improvement

Does the organization work continually to improve its
quality management system in terms of suitability,
adequacy and effectiveness?

Does the organization consider the outputs of analysis
and evaluation, and from management review, to confirm
Δ if there are areas of underperformance or opportunities
that need to be addressed to ensure continual
improvement?

Note:
 Organizations now need to demonstrate that they are using the outputs from their analysis and evaluation processes to identify areas of unsatisfactory performance and
opportunities for improvement.
 Auditors should evidence that organizations are using the outputs from their analysis, evaluation and management review processes to identify improvement opportunities and
quality management system performance.

Legend:

Symbol Description

 Documented information to be either maintained (document) or retained (record)

Δ Delta for additional requirements with the existing once

 New clause/ requirements introduced in ISO 9001:2015 version

F103-12-QMS-2015 – Issue date: 08-OCT-2015