Webinar, 20th June 2014

“ISO 9001 – The Story so Far”

th
On June 20 , IRCA and CQI hosted a live webinar explaining and analysing the ISO 9001 revision. During the webinar,
we received over 500 technical questions relating to the standard and its implications. Our technical experts have
answered a selection of questions on the most common issues.

This document is hot-linked: click on the headers below to go to the relevant section

Contents

General ............................................................................................................................................................................. 2
Quality manual ................................................................................................................................................................. 3
Annex SL ........................................................................................................................................................................... 3
Customer focus ................................................................................................................................................................ 3
Information for IRCA auditors .......................................................................................................................................... 4
Information for companies............................................................................................................................................... 5
Risk ................................................................................................................................................................................... 5
Quality management principles ....................................................................................................................................... 6
Management .................................................................................................................................................................... 7
PDCA................................................................................................................................................................................. 7
Interested parties ............................................................................................................................................................. 7
Documentation................................................................................................................................................................. 8
Other ................................................................................................................................................................................ 9
General

Q: What are the main differences between ISO 9001:2008 and ISO 9001:2015 for each of the clauses?

A: The best source of this information is the CQI/IRCA DIS 9001:2014 report which is now available free to CQI and IRCA
members. Non-members can purchase a copy of the report at a cost of £25. Please visit the IRCA site or the CQI site for
more information.

Q: Will ISO provide an official cross-reference between the 2008 and 2015 versions?

A: This is being considered. At a high level this would be fairly straightforward to put together, however, at the level of
detailed requirements it would be considerably more complicated. This is because clauses have not necessarily been
relocated to the 2015 version as complete entities. A number have been broken up and elements of them have been
relocated to several of the new clauses.

Q: What will be the effect of the new version on companies with quality management systems that are currently
implemented and certified to QMS 9001:2008?

A: This will vary from organisation to organisation in terms of how much change will be needed. There will be a three-
year transition period for certified organisations which will start when the standard is published. However, the standard
writers and certification bodies are already encouraging organisations to make a start. The first step is to gain an
understanding of the new and enhanced requirements. Then do a gap analysis. Some will prefer to wait for the FDIS
before launching into redeveloping the quality management system, but we believe there is work that you can usefully
get on with now.

Q: It is very difficult to start to carry out many actions based on a draft – this can still change. How certain are you
that the final version will be very similar to the DIS?

A: There will be changes between now and the final version of the standard. That is why IRCA typically does not revise
its course criteria until the FDIS is published. Having said that, changes arising from the adoption of Annex SL are among
the most likely to remain unchanged, as changing Annex SL would impact not just 9001 but all Annex SL-based
standards. At this point you should certainly be looking to carry out a gap analysis between the current and proposed
new requirements (our DIS report will be useful for this). You should also be raising awareness within your organisation
on what the future may look like, particularly for top managers. We would also recommend working with your auditors
to make them familiar with the new structure of the standard and its headline requirements.

Q: The intent of ISO 9001, when first published in 1987, was to specify minimum requirements for certification.
Considering the present status of certification, is the time ripe for raising this bar so high?

A: Some would argue that the basic intent of ISO 9001 has always been to specify requirements for a quality
management system that will give assurance to purchasers that the product will meet requirements. ISO 9001:2015 will
continue this underlying approach. Accredited certification is intended to avoid multiple audits by different purchasing
organisations and enable mutual recognition across country borders. If there are issues with certification, then these
need to be addressed without compromising the expectations of management system standards.

2
Quality manual

Q. In my experience organisations that operate integrated management systems already reduce their quality
documentation to an absolute minimum. By removing the requirement for a quality manual and procedures, are we
in danger of universally sanctioning this minimalistic approach?

A: DIS 9001:2014 does not require either a quality manual or documented procedures. It does however require specific
'documented information' to be either retained or maintained. If an organisation wishes to be certified then it must of
course meet all of the requirements within a standard, including those pertaining to documented information, and it
must be able to show this as evidence to you. There is nothing to stop an organisation operating a QMS based on a
subset of the ISO 9001 requirements, but it cannot then legitimately claim to meet the standard.

Annex SL

Q: In the DIS, there is no reference to Annex SL. What exactly is contained within Annex SL?

A: Annex SL could be described as the standard writers’ 'standard'. It was developed to ensure all future ISO
management system standards share a common format irrespective of the specific discipline to which they relate.
Annex SL prescribes a high-level structure, identical core text and common terms and definitions. Consequently, users
of ISO management system standards can expect to find a lot more commonality across standards which should make
implementing and auditing multi-discipline and integrated systems more straightforward. Please look at the briefing
note on Annex SL available on the IRCA and CQI websites.

Q: Why was it necessary to designate Annex SL as an annexure and not a full standard? The very designation ‘Annex
SL’ suggests that it is part of another document.

A: It is part of another document, used within ISO. It is an annex to ISO/IEC Directives Part 1 and Consolidated ISO
Supplement. This Directive defines the basic procedures to be followed in the development of international standards.
Annex SL of this Directive is titled ‘Proposals for management system standards’.

Q: Each of the management standards, e.g. ISO 9001, will consist of a core structure, reproducing the requirements
of Annex SL. If there are any amendments in future, will all the standards have to be amended?

A: We would expect this to be the case, otherwise the purpose of having the same high-level structure and common
core text will be lost. It is not yet clear how this will be accomplished, with standards having different revision dates.

Customer focus

Q: In Annex B, customer focus is expressed as a state in which we strive to exceed customer expectations. It is only
said to enhance customer satisfaction in 5.1.2 – which is correct?

A: The definition of 'customer satisfaction' tells us these are both saying the same thing. It's not the case that one is
correct and one is not.

3
Information for IRCA auditors

Q: I’m already an IRCA-registered auditor. Will I have to attend an ISO 9001:2015 course?

A: Yes, you will need to attend a 2 day IRCA-approved QMS transition course.

Due to the nature and extent of the forthcoming changes, we will require all IRCA registered auditors to undertake
transition training to migrate from QMS 9001:2008 to QMS 9001:2015. We will finalise and communicate transition
requirements when the FDIS is published.

You will not have to attend another IRCA approved 5 day Auditor/Lead Auditor course or a 2 day Internal Auditor
course. You will only have to attend the 2 day QMS transition course.

Q: Since ISO 9001:2008 will be revised, what will be the status of IRCA registered QMS auditors?

A: IRCA QMS auditors who have been trained and who audit against ISO9001:2008 standard will remain registered IRCA
auditors.

Audits and training carried out against ISO 9001:2008 will be accepted for recertification purposes until the end of the
transition period (September 2018). However, if you are carrying out audits against an organisation which has adopted
ISO 9001:2015, audits must be carried out against this standard and you must have completed the requisite IRCA
approved transition course prior to conducting these audits.

We encourage QMS auditors to transition to 9001:2015 as soon as our training providers make IRCA approved
transition training courses available. Please note that training courses which are not IRCA approved will not be accepted
for recertification purposes.

Q: As I am a lead auditor for a certification body, I will attend 9001:2015 training on a regular basis. Is it mandatory
for me to undertake IRCA-approved transition training or will IRCA accept training from accredited certification
bodies?

A: Under ISO 17021:2011, accredited certification bodies are required to demonstrate that they have established
competence criteria and performed evaluations of their auditors. Consequently, for QMS auditors employed by an
accredited certification body, including subcontracted auditors, IRCA will accept a statement or certificate of
competence in ISO 9001:2015, authorised by a member of the organisation’s top management.

Q: Regarding IRCA QMS courses, will there be a period during which both courses (QMS 2008 and QMS 2015) will be
provided by training providers?

A: Yes – this has yet to be decided, but it is typically either six or nine months. During this period, training providers may
offer either a 2008-based course or a 2015-based course. This will give providers time to amend their existing courses.
At the end of this period, only 2015 courses may be offered.

4
Information for companies

Q: Will clients be given a three-year time frame to convert to the new standard?

A: Yes, there will be a three-year transition period for existing 2008 registrations.

Q: What are the main QMS mandatory procedures that need to be implemented or changed for the currently
certified ISO 9001:2008 company?

A: The CQI/IRCA DIS report will advise you on which elements of your existing system can remain the same and which
will need to be revised. It also highlights instances where you need to introduce new elements into your QMS to meet
new requirements.

Q: What would you advise an organisation to do that is considering ISO 9001 certification at the moment– wait for
the new standard to come into effect before applying, or go ahead and then convert to the new standard?

A: Interesting question. The time required to implement 9001 and achieve certification varies according to a range of
factors but 8–12 months is typical. That would take you pretty much up to the anticipated release

date of the new standard. So, do you develop a QMS against the established requirements of ISO 9001:2008 or the
potential requirements of ISO 9001:2015 as contained within the DIS?

If you go down the former route you are working with a set of ‘known’ factors. The 2008 requirements are known and
you also know that you will have until 2018 to transition to the 2015 requirements.

On the other hand, if you develop a system based on the requirements of the DIS 9001:2014, you are working with
something which is still work in progress and is liable to change. This approach therefore carries inherent risk. If the
changes between DIS 9001:2014 and ISO 9001:2015 turn out to be minimal, then you’ll have relatively little work to do
in order to achieve a QMS which meets the latest standard. If the changes are significant, however, you’ll need to do
more, but this will still be less than those that need to fully transition.

Personally, I would work within the known parameters, being mindful wherever possible to write the system in such a
way that it is capable of meeting both the current 2008 requirements and the projected 2015 requirements. The CQI/
IRCA DIS report highlights those clauses where this approach could be employed.

This is a close call however and if someone advised me they were implementing a QMS against the DIS, their reasoning
would be perfectly understandable.

Risk

Q: In all instances risk is used in the sense that it is the possibility of an undesirable result, particularly in 0.3 and 6.1,
but the definition given (3.09) implies risk has a positive effect. Which is correct?

A: This lack of clarity has its origins in pre-Annex SL times. Different disciplines have traditionally held different views on
risk. Risk management professionals have always seen risk in the Annex SL sense, as both positive and negative.
However quality professionals (and most people in the street) usually regard risk as exclusively negative, and

5
environmental professionals prefer to talk in terms of 'threats'. As risk is defined as a common term everyone should be
adopting both the positive and negative interpretation, but there is still some resistance to this.

Q: Please can you provide more explanation about what risk-based thinking actually means?

A: The concept of risk-based thinking is discussed in section 0.5 of the DIS. Risk-based thinking is about demonstrating
that you understand the risks to your QMS and its constituent processes which might affect your ability to achieve your
intended outcomes. You need to show evidence that you have determined the risks to your system and have taken
action that is proportionate to the potential impact of the risk, should the risk become an issue. Risks are dynamic –
they change through time – so risk-based thinking is an ongoing exercise and not a one-off event. Throughout the DIS,
you will see requirements referring to the need to consider risk.

Q: With reference to the ‘risk management’ requirement, will ISO 31000:2009 be compulsory for that analysis?

A: No. DIS 9001:2014 does not prescribe a particular risk-management methodology. It is up to each organisation to
decide how it wishes to meet the new risk-related requirements. In section 0.5 of the DIS, we are advised that
organisations may choose to go beyond the requirements of 9001 and adopt ISO 31000 if they chose to do so. There is
no obligation to do so.

Q: I'm still not sure that the terms ‘risk’ and ‘opportunity’ should be derived from issues. I think that risk could be
derived from context or situation rather than issues.

A: In DIS terms the context of an organisation is the product of the internal and external issues that it faces which are
relevant to its purpose, strategic direction and its ability to achieve intended results and the relevant requirements of
relevant interested parties. A risk only becomes an issue when it has materialised. Until that point it remains as
something that could occur.

Quality management principles

Q: What are the changes to the quality management principles?

A: We believe the revised quality management principles will be:

QMP 1 – Customer focus
QMP 2 – Leadership
QMP 3 – Engagement of people
QMP 4 – Process approach
QMP 5 – Improvement
QMP 6 – Evidence-based decision making
QMP 7 – Relationship management.

Q: Why do seven principles now remain? Was the system approach introduced into the process approach?

A: The Process approach principle is revised so that “Consistent and predictable results are achieved more effectively
and efficiently when activities are understood and managed as interrelated processes that function as a coherent
system”. This has removed the need for a separate 'systems approach' principle.

6
Management

Q: Why does the standard require a QMS to be established (4.4) when it also implies in 5.1.1 that those elements of
business processes that exist to manage product and service quality constitute the QMS, i.e. the system already
exists?

Q: You may be referring to 5.1.1d which requires top management to ensure the integration of the quality
management system requirements into the organisation's business processes. Our understanding of this is exactly what
it says – quality management system requirements should be an integral part of the business management processes,
not something separate operated, for example, by the quality assurance department. Of course, the organisation's
business processes will most likely include processes outside of the scope of the quality management system.

Q: Why was the requirement to have a management representative cancelled?

A: This is an attempt to ensure that ownership of the quality management system does not centre around a single
individual. DIS 9001:2014 replaces management responsibility with leadership, and repositions a number of ISO
9001:2008 requirements as leadership activities. There will be a greater need for top management to be actively
involved in the operation of their quality management system. This does not mean that organisations need to remove
their management representatives, but some duties traditionally assigned to the management representative by top
management will, in future, need to be undertaken directly by top management themselves.

Q: To comply with the 2008 standard top management normally signs the policy and approves the actions from the
management review. What else will they have to do to comply with the new standard?

A: This is detailed in the CQI/IRCA DIS report. There are now activities which top management are not able to delegate,
but which they must undertake themselves. For us, the changes relating to leadership are among the most significant
changes in the new version of the standard.

PDCA

Q: Will the 2015 version still recommend the use of PDCA?

A: Yes, PDCA applies at both the quality management system level, i.e. plan the QMS, operate the QMS, check the QMS
and then adjust the QMS as necessary, as well as at the process level. Please see the DIS 9001:2014 Introduction
Section 0.4 for more details.

Interested parties

Q: Please explain how interested parties are being introduced to this new version

A: Relevant interested parties are groups or individuals who have the ability to impact (or potentially impact) the
organisation's ability consistently to supply products and services that meet customer and applicable regulatory
requirements. Customers, board members and competitors would all fit into this classification. Each organisation will

7
have its own set of interested parties and this set will change over time. The final decision as to whether a party is
relevant rests with the organisation, not the party.

Documentation

Q: How can the redesign of the quality manual be done?

A: Organisations do not need to renumber existing QMS documentation to correspond to the new clause references. It
is the responsibility of each organisation to determine whether the benefits gained from renumbering will exceed the
efforts involved.

Q: Please specify any changes related to documentation and ISO mandatory procedures

A: References to a documented quality manual, documented procedures and to quality records have been removed.
Instead throughout ISO 9001:2015 DIS there are specific references to Documented Information. This is information
which the organisation is required to keep, control and maintain. While ISO 9001:2008 specified a number of
mandatory documents, DIS ISO 9001:2014 does not. However that does not mean that organisations have to throw
away their quality manuals and documented procedures. If this documentation is in place and working well, there is no
need to withdraw it.

Q: It feels like auditing is going to be more difficult with the removal of documentation requirements. To ensure
compliance, you need to check records which show conformity to the requirement. So how will we understand the
requirement if it is not documented well and how should we ascertain its conformity without records?

A: It is correct to say DIS ISO 9001:2014 does not mandate documented procedures and records, in the way that ISO
9001:2008 does. However, in effect, both versions require the organisation to maintain documented information
(documented procedures) sufficient to support the operation of processes and retain documented information
(records) to the extent necessary to have confidence that the processes are being carried out as planned.

Organisations do not need to throw away their quality manuals and documented procedures if these are in place and
working well. The requirement for documented procedures was very much reduced with the introduction of ISO
9001:2000, compared to the previous version. But a majority of organisations chose to keep their documented
procedures and records. The same is likely to be the case in 2015. And as is the case now, if an organisation has not got
documented procedures, the first question an auditor should ask is 'how have you defined the process requirements,
how do people know what to do and what acceptable evidence can you show me to support this?" Our opinion is that
auditors are likely to find themselves spending more time looking at everyday business information and IT-based
information, and less time looking at documentation created especially for the auditor.

Q: The 2008 version was asking for six mandatory procedures: what will it be in the 2015 version?

A: There are no mandatory procedures in 2015. Instead you will find requirements throughout the DIS to either
'maintain' or 'retain' documented information. The CQI/IRCA DIS report explains what is meant by 'documented
information' and highlights where this is required.

8
Other

Q: What is the position on clause exclusions? In particular for design, which could now be interpreted as a
requirement for all organisations.

A: All references to ‘exclusions’ in the 2008 version (sub-clause 1.2, ‘Application’) have been removed. This is because
all of the requirements in ISO 9001:2015 are intended to be applicable to all types and size of organisation. However,
DIS 9001:2014 Annex A, A.5 recognises that there may be circumstances where it is impossible for an organisation to
conform to a specific requirement – for example, where it does not operate a ‘required’ process. In these instances, the
organisation can deem the requirement ‘not applicable’, providing this doesn’t affect its ability to supply conforming
products or services, or compromise its aim to enhance customer satisfaction. So design is applicable to all
organisations.

Q: In what way do processes needed for the quality management system (4.4) differ from the processes needed to
run the business and satisfy the stakeholders (5.1.1)?

A: Business processes are likely to include processes that are outside the scope of the quality management system,
such as health and safety, financial and maybe some regulatory processes.

Q: Concerning the definition of scope of the management system in regard to Clause 4.3 of the DIS – if an
organisation manufactures a product and wishes to be certified to ISO 9001 at a particular manufacturing location
(location A), but the design of that product is conducted at a different location (location B) by the same organisation:

a) Would the design of the product have to be included in the scope (of certification) at location A?

b) Would location B have to be certified to ISO 9001 for its design activity?

A: a) No, but the organisation (location A) has to ensure that the controls that they (the organisation) and the external
supplier (whoever they are) are up to the job – ensuring the product does what it says on the tin. This means that there
have to be criteria, controls, etc. This situation comes under 8.4 – Control of externally provided products and services
(8.4.1)

b) No, location B does not have to be certified to ISO 9001.

Q: In terms of requirements based on business strategy, will it not require organisations to spell out their vision and
mission statements?

A: Establishing and communicating a clear purpose and direction for the organisation is part of understanding the
organisation and its context and is part of leadership. However there is no requirement for organisations to 'spell out
their vision and mission statements'.

Q: Will English-speaking companies be allowed to use familiar words such as Procedure, Records, and Purchasing?

A: Try to use the new terminology. The new terms have specific meanings that do not equate with current ISO
9001:2008 terminology. There is no DIS 9001:2014 concept of a procedure, record or purchasing. Nonetheless, you can

9
use whatever terminology you want, provided you are able to prove that you are meeting the requirements of the
standard in full.

Q: Why is there a shift from 'continual improvement' to 'improvement'?

A: This acknowledges that improvement is not necessarily continual. There may be periods where no improvement
occurs followed by a technical breakthrough leading to the organisation then operating at a whole new level.

Q: Preventive actions are now replaced with the concept of improvement. Does this mean there are any changes to
the methods?

A: Preventive action has actually become redundant as a result of the introduction of risk-based thinking. In future
organisations will need to employ risk management methods.

Q: Please explain the reporting process for internal audits

A: You need to retain documented information evidencing the implementation of an audit programme and also the
results of audits. The results of audits now need to be fed back to the 'relevant management' as opposed to the ISO
9001:2008 requirement to feed results back to ‘the management of the area audited’.

Q: What will be the difference on audit methodology?

A: That issue is too significant to explain in full here. This (or rather Annex SL) will change the way auditors plan,
conduct and report audits. There are potential implications in respect of audit duration and audit team composition.

Q: Regarding 8.5.5, Post-delivery activities – can you provide an example to help us understand it better?

A: Note 4 to 8.5.5. provides examples of post-delivery activities. Post-delivery activities would include commissioning a
piece of machinery you have supplied after it has been delivered to the site, repairing your products if they break down
and taking back items that you are legally obliged to recycle. There are many instances where you may need to carry
out work after the initial product or service has been delivered.

Q: Are there any specific requirements (added) for outsourced process?

A: Yes, you will need to apply criteria for the monitoring of the performance of external providers of processes, in
addition to your existing criteria for evaluating, selecting, and re-evaluating them.

For more analysis of the DIS 9001:2014, please see our exclusive report “DIS
9001:2014 – Understanding the Draft International Standard”. It is free for IRCA
and CQI members and costs £25 for non-members. Go to the IRCA or CQI sites
to find out how to download it.

10