Management Systems Certification | ISO 9001:2015

ISO 9001:2015
Frequently Asked Questions, part 1

While the 2015 version of ISO 9001 is still about a year away from
publication, ISO 9001 certified organizations and those looking to get
certified in the near future wonder about the changes to come and
what they mean for their business. This white paper will answer some
of the most frequently asked questions about the upcoming revision.

www.tuv.com/us | info@tuv.com | 1-TUVRHEINLAND

Management Systems Certification | ISO 9001:2015
Timeline for Changes
1. When is the new version of ISO 9001likely
to be released? How much time do companies
have to become compliant with the new
standard?
The final draft version is likely to be approved
in June 2015. Once the draft is approved, we
will go into a three-year transition period. If
there is any delay in the approval process, the
transition period is also moved. Based on the
policies of past transitions, should there be no
delay in the approval process, companies will
have to be compliant with the new changes
by June 2018.
2. My company will be due for the ISO 9001
recertification audit in October 2015. Will we
recertify to ISO 9001:2008 and migrate to the
2015 version by 2018?
You may get a three-year extension to
October 2018 should the draft go through
its approval process on time. Alternatively,
you may even get an extension to 2021
if the standards committee hits a snag in
agreements, thus delaying the implementation
until after October 2015.
3. What advice do you have for a company
seeking ISO 9001:2008 this year? Should we
wait?
The adherence to the standards provides
benefits as soon as you begin to deploy the
policies. Therefore, it is better to start sooner
rather than later. It is our understanding that
currently certified organizations will only need
to “repackage” their system documentation,
not make sweeping changes to the operating
strategy with the transition to ISO 9001:2015.
Procedures, Manuals & Documentation
Requirements
4. ISO 9001:2008 has 39 procedures. How many
procedures does the 2015 version currently
have?
In the ISO 9001:2015 version, there is no
requirements for “procedures” however there
are currently six areas that require
“documented information” (Document
Control, Record Control, Internal Audits, Control
of Nonconforming Product, Corrective Actions
and Preventive Actions).
“Documented information” is required
for generally in the form of proof that the
requirements are being met. Specifically, look
for the phrase “documented information” in
the standard and make sure that some form
of written documentation is available (a) to
control the manner in which the requirement is
met or (b) to prove the requirement has been
met (evidence of compliance).
5. Will there still be a quality policy or a mission
statement only?
The policy will be required and must be in the
form of documented information and kept up
to date.
Changes to Consider
6. ISO 9001:2015 takes on a stronger role in
“Preventive” rather than “Corrective” actions
and requires organizations to have an adjust
ment in attitude. Could you explain that?
Every business controls risks but it is mostly
done outside of the QMS. Most organizations
could use improvements in their approach
to Preventive actions per section 8.5.3 of ISO
9001:2008. This requirement is usually wrapped
up with Corrective action and, if executed at
all, is done after a Corrective action event.
The new standard takes a more intellectual
approach to acknowledging manufacturing’s
two primary risks to its customers: defects in
the product and late delivery. If businesses
correctly apply requirements from section
8.5.3 to these risks, they can identify Preventive
actions in several areas. For example, training
could be conducted to prevent unsafe
operation of equipment, defect generation,
and “off pace” or slow operations.
Management Systems Certification | ISO 9001:2015
Changes to Consider
7. Although there is no requirement for a Quality
Management Representative (QMR), is there
anything to prevent a senior manager from
assigning a QMR? With no QMR required, who
is now supposed to “manage” the QMS?
There is nothing in the standard that prevents
an organization from assigning a QMR.
However, the intent of eliminating the QMR
requirement is to bring the leadership closer
to the essential responsibilities for establishing,
implementing and maintaining a QMS.
In the current version of the standard, that
responsibility is assigned to “a member of
management,” which gives senior leaders
an opportunity to defer responsibility for
the essential management of the QMS as a
separate duty, usually assigned to the Quality
Manager.
The process owners will need to be able to
articulate how their processes meet the ISO
9001 requirements and not rely on an ISO
technician to translate for the auditor.
8. Does the new version of ISO 9001 place less
emphasis on Design and Development?
No. It has less structure but places the same
emphasis on controlling the design of goods
and services. An organization needs to identify
how much risk the design activity poses to
all interested parties. The design strategy
must include a level of control needed to
mitigate risks. The design effort must include
risks imposed at testing prototypes, installation,
vendor qualification, etc. that may not exist
once the design is moved into production. For
example; “I designed an acid that will dissolve
anything. Now I need to figure out what to put
it in.”
9. Please explain the comment from your
webinar presentation, “Outsourcing cannot
be used as an excuse for the outcome of the
system.”
ISO 9001:2008 is clear in section 4.1 that
outsourced processes must be controlled by
the organization. ISO 9001:2015 has a similar
requirement which addresses all forms of
external provision, whether it is by purchasing
www.tuv.com/us | info@tuv.com | 1-TUVRHEINLAND
from a supplier, through an arrangement with
an associate company, through outsourcing
of processes and functions of the organization
or by any other means. The organization is
required to take a risk-based approach to
determine the type and extent of controls
appropriate for each external provider and all
external provision of goods and services.
10. Because ISO 9001:2015 does not require
manuals or procedures, what is the “starting
point” for an auditor to review the Quality
Management System (QMS)?
Firstly, while no manual or procedure is
required, if these documents are helpful to the
business or facilitate the control of processes,
they will add value to the QMS.
Secondly, if a customer chooses not to have
manuals or procedures, a more complex audit
planning and a lot of pre-audit preparation
will be required. Auditors would need to get
a sense of where documentation is located.
As the traditional markers will be gone, it
would require some maneuvering between
the systems (ERP to Handbooks to Control
Software Packages) to obtain evidence
during an audit.
This audit strategy might shift our focus from
“Compliance” to “Effectiveness.” Auditors
may become less concerned with structure
(the path everyone must follow to achieve
customer satisfaction) and more concerned
with results (what is the proof that the client is
satisfying the customer).
For example: This is similar to the transition
we saw in ISO 9001:1994 to ISO 9001:2000 in
the area of training. The focus used to be on
determination of training needs and using
sign-in sheets as evidence of training. No
further analysis of ability was required. Now,
we look for evidence that the training or hiring
process was effective in achieving its goals of
having competent employees. Sign-in sheets
are merely the evidence of presence at
training, at least long enough to sign in.