Control of Documented Information
EQMS Integrated Management System Guidance
ISO 9001:2015 & ISO 14001:2015
Clause-by-Clause Interpretation
Table of Contents
1 INTRODUCTION
6.1 GENERAL
6.1.1 Actions to Address Risks & Opportunities
6.1.2 Environmental Aspects
6.1.3 Compliance Obligations
6.2 EQMS OBJECTIVES
6.2.1 Objectives
6.2.2 Objectives & Planning to Achieve Them
6.3 PLANNING FOR CHANGE
10.1 GENERAL
10.2 NON-CONFORMITY & CORRECTIVE ACTION
10.3 CONTINUAL IMPROVEMENT
1 Introduction
The purpose of this document is to outline a potential integrated management system to meet the
requirements of ISO 9001:2015 and ISO 14001:2015. The integrated management system is designed to be
implemented to function within current business practices and serves as an effective tool to help your business
grow and improve.
The application of the integrated management system is scalable and generic, regardless of the size and type
of organization. The elements that form a typical EQMS are the same; please refer to the figure below.
[Figure: Typical Elements of an Integrated Management System using PDCA (Plan, Do, Check, Act). Elements
shown: Commitment; Initial review; Policies; Organization & Personnel; Context & requirements; Identify
aspects, impacts & risks; Identify compliance obligations; Set objectives; Monitoring & measurement;
Auditing; Management Review; Improvement.]
The primary goal is to achieve a set of consistent processes that provide a route for enhancing customer
satisfaction, mitigating uncertainty and providing meaningful data for continuous improvement activities.
You may decide to keep your current quality and environmental management systems and simply amend them
where necessary. Some of you may take this as an opportunity for a complete revamp of the management
system. Both courses of action are entirely reasonable, and this guidance document will guide you through
the essential elements that you need to address in order to become certified.
The integrated management system includes the processes and procedures required to achieve compliance with
quality and environmental requirements, and highlights their interaction with other support processes.
Top management must take responsibility for leadership and commitment, and take an active part in
developing and maintaining the management system. It is necessary to have well defined processes, both
operational and support, to be able to realize the product or service. Customer satisfaction has to be measured
and analyzed so that the organization can be improved continually.
The implementation of a formal management system is best handled as a specific project that is led by
someone with project management experience. Ideally, they should be a key member of the organization’s
management team and have sufficient authority and trust of the personnel involved. In the ideal situation this
person will also be the Management Representative, but skills in project management are highly beneficial.
Integration itself is not difficult to implement; rather, the concepts themselves are sometimes difficult to
interpret and can therefore be difficult to apply in the real world. For instance, concepts such as
non-conformances, hazards, impacts and corrective action systems might seem burdensome at first, but the outputs
of these concepts will soon be an invaluable source of information that should be used to drive your corporate
objectives. In order to implement the integrated management system, we recommend that you follow the steps
in this guidance document.
this early stage, you can more easily secure buy in by assigning responsibility and utilising their skills,
knowledge and experience to help develop the management system.
The greatest resource of any company is its people, so strategies for managing both real and perceived
change, or concerns and attitudes, should be addressed during the initial planning of the EQMS. It is likely that
during the first few months, Top management will need to positively reinforce its requirements on a routine
basis to ensure that staff maintain motivation and do not lapse back into old habits.
Iterative adjustment of new or existing management system documentation should also be expected as staff
become accustomed to the requirements and begin to suggest improvements in usability. Instant business or
operational improvements may initially be observed. The benefits of a properly functioning EQMS are not just
restricted to the knowledge that it complies with regulatory requirements but that it has the discipline to
manage customer requirements effectively and to mitigate risk.
It will no longer be appropriate to have one representative driving the EQMS on behalf of the rest of the
organisation. Top management is accountable for the success of the EQMS and as such should lead, promote
and direct others to ensure it drives quality and environmental benefits.
This is a significant change from the requirements of ISO 9001:2008 and ISO 14001:2004, where Top
management appointed a Management Representative, signed the policies and attended management review
meetings. Top management can be one or more people but must have cross-functional influence in order to
integrate the EQMS with current business processes and to ensure EQMS compatibility with your organization’s
strategic direction.
The first step in engagement could be to brief your senior team on the changes. Attendance should be
encouraged as failure to transition effectively could mean the loss of the ISO accreditation certificates.
However, on a more positive note, for many organizations the new standards could act as a watershed moment
where the environment plays a significant part in generating value for your organization. Engagement can be
further enhanced by reviewing the quality and environmental achievements of your organization. These are
often greater and broader than expected because the initiatives are categorised under economic rather than
quality or environmental improvement. This realisation builds commitment to do more. By developing
engagement, the senior team are more likely to contribute to the other changes such as the context review
and stakeholder analysis.
One of the key moments in the implementation process is defining the individual responsibility of management
and employees for the introduction of different elements into current working processes. That is why the most
experienced employees from the company should be involved in this process. Following this methodology, a
team of experienced and engaged key personnel should be formed at the beginning of the implementation
process. The implementation team should include personnel that have the authority to devote resources to
the project and to remove roadblocks.
The implementation team should meet on an ‘as needed’ basis according to the project timeline. When the
implementation team meets, they must address the items on their task list. Spread out the implementation
team meetings along the implementation timeline so you do not have too many meetings at one time. For
example, you may want to have the document control team meet early in the project to establish a system to
collect and control the documents that will be generated, whereas the internal audit team would meet later in
the process because audits will not begin until the system is complete.
For certain activities, consulting organizations may provide expertise and guidance, which can be useful in the
implementation of the EQMS. However, internal staff should be involved throughout the process because they
will need to operate the EQMS on a daily basis.
4. Does your EQMS take account of the risks and opportunities resulting from trends, macro
environmental or big picture issues (political, economic, social, etc.)?
5. Does the EQMS consider the impact of a changing environment on your organisation?
6. Do the requirements of internal and external stakeholders help shape the EQMS?
7. Is there an existing environmental communication plan (formal or informal) in place?
8. Are robust monitoring and measurement and internal audit procedures in place to ensure quality
and environmental data is reliable?
9. Are environmental aspects considered at each stage of the lifecycle?
10. Are environmental and quality requirements imposed upon contractors and suppliers?
11. Is information on significant impacts made available to end users and those involved with final
disposal and transport of your products or services?
The knowledge obtained about the status of your existing management system will be a key driver of the
subsequent implementation approach. Armed with this knowledge, you can establish accurate budgets,
timelines and expectations which are proportional to the state of your current management system when
directly compared to the requirements of the standards.
Your organization may already have in place a management system or parts of a system. If this is the case, you
will want to determine how closely your system conforms to the requirements of ISO 9001 and ISO 14001.
The results of a gap analysis exercise will help to determine the differences, or gaps, between your existing
management system and the requirements of the standards. Not only will this analysis identify the gaps, but it
also should determine the size of the gaps. These findings will lead to recommendations, project plans, and
the identification of necessary resources for filling the gaps.
The gap analysis output also provides a valuable baseline for the implementation process as a whole and for
measuring progress. Try to understand each business process in the context of each of the requirements of the
standards by comparing different activities and processes with what the standards require. At the end of this
activity you will have a list of activities and processes that comply and ones that do not comply. The latter list
now becomes the target of your implementation plan.
Use the gap analysis checklists to compare the requirements of the standard against your organization’s
existing management system. Each question in the checklist refers to a requirement that must be met in order
to comply with ISO 9001:2015 and ISO 14001:2015.
At the end of this activity you will have a list of activities and processes that comply and a list of processes that
do not comply. The latter list now becomes your action plan. Also consider the effectiveness of what's being
practiced on a day-to-day basis. It is not unusual for an organization to overlook something which needs some
work to make it effective. Congratulations, you have just conducted the first audit of your new management
system!
The initial orientation meetings will get the programme off to a good start, but many more meetings will be
necessary. While the primary activities taking place during the early meetings will involve system development
and implementation, the Team Leader may also wish to use this time to provide team members with some
training.
The Implementation Team should meet on a regular basis to resolve problems and to report progress. Meeting
minutes should be documented as they may prove helpful when working with Certification Auditors. In some
cases, auditors’ questions may be answered by the documented meeting notes.
Worldwide: www.iso.org/iso/en/info/ISODirectory/countries.html
www.ukas.org
Within the UK:
www.irca.org
Different organizations look at their registrations differently; some organizations prefer to have multiple
business units or locations on a single certificate. You can register one location in an organization or you can
register the entire organization.
You can even, theoretically, register one part of an individual facility. You should address this issue in your
registration scope statement. You should discuss the scope of registration very early in your contact with the
registrar, prior to or during the selection process.
The scope of registration and certification will need to reflect precisely and clearly the activities covered by
your organization's EQMS; any exclusion to non-applicable requirements of the standards should be
documented and justified in the EQMS manual. No single business-related activity should exist outside of the
scope.
In ISO 9001:2008, the quality manual helped to establish and document the framework of your organization's
quality management system while articulating those aspects of the management system to any interested
parties. While there is no requirement for a management system manual or even documented procedures in
ISO 9001:2015 or ISO 14001:2015, it is suggested that if your existing documentation adds value, then it
should not simply be binned. You will be expected to maintain the integrity of the management system during
the transition process.
You do not need to renumber your existing documentation to correspond to the new clauses. It is down to
each organization to determine whether the benefits gained from renumbering will exceed the effort involved.
Neither do you need to restructure your management system to follow the sequence and titles of the
requirements. Provided all of the requirements contained in ISO 9001:2015 and ISO 14001:2015 are met, your
organization’s management system will be compliant.
1. If your system manual fits your business and your customers or regulators require it, keep it!
2. If your procedures are effective and define how your key processes operate, keep them!
3. If the policies and related objectives align with current business strategy, and they are communicated
and adding value, keep those too!
Maintain the following as a type of ‘documented information’:
6.1.2 EQMS aspects and impacts and their criteria to determine significance
7.1.5.2 Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist)
8.2.3 Results of the review and new requirements for the products and services
8.3.6 Design and development changes, including the results of the review and the authorization of the changes and necessary actions
8.4.1 Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and any actions arising
8.5.3 Records of property of the customer or external provider that is lost, damaged or non-conforming and of its communication to the owner
8.5.6 Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken
8.6 Records of authorized release of products for delivery to the customer including acceptance criteria and traceability to the authorizing person(s)
8.7 Records of non-conformities, actions taken, concessions and the identity of the authority deciding the action in respect of the nonconformity
9.1.1 Evidence of the evaluation of the performance and the effectiveness of the EQMS
3 Common Requirements
The integrated management system (EQMS) shares common requirements that are stipulated by ISO
9001:2015 and ISO 14001:2015. The table shown below cross-references these common requirements to the section
headings found within this document, as well as within the EQMS manual:
To assess whether your organisation has a high-level, conceptual understanding of the internal and external
issues that affect, either positively or negatively, its ability to achieve the intended outcomes, you should
describe the processes used by your organization to identify internal and external issues and make reference
to all objective evidence, including examples of these issues. Examples of organizational issues might include:
1. Quality and environmental conditions capable of affecting or being affected by the organization;
2. External: cultural, social, political, regulatory, financial, economic, natural and competitive issues,
whether international, national, regional or local;
3. Internal: organization’s activities, products, services, strategic direction and capabilities (people,
knowledge, processes, systems).
You will need to determine and understand the various quality and environmental conditions, internal and
external issues, typically experienced in your type of organization that can have positive or negative impacts.
The standards do not specify that these internal and external issues, or their monitoring and review, be
documented, so there might not be ‘lists of issues’ or records of reviews. However, information can be obtained
via interviews with relevant Top management in relation to your organization’s context and its strategic
direction, the identified issues and conditions, and how these may affect the intended outcomes of the
Management System.
Collate evidence to provide assurance that your organization is regularly, or as necessary, reviewing and
updating its external and internal issues. Although there is no requirement for documented information to
define the context of the organization, your organization will find it helpful to retain the types of documented
information listed below to help demonstrate compliance:
only will this ensure a broader appreciation of the context but also wider engagement, particularly with those
functions not previously involved with the EQMS.
A workshop approach often allows ideas to be shared and provides an effective and efficient way of achieving
a valuable outcome. The workshop could simply be a discussion identifying the issues that can be mapped out
using Political, Economic, Social, Technological, Legal and Environmental (PESTLE) analysis. This method helps
to structure the conversation and will also help to achieve buy-in to what is often seen as a peripheral or niche
area.
Once stakeholders and their requirements are identified, the next step is to consider which stakeholder
requirements generate compliance obligations. Legal requirements should be identified before other
requirements. This process of adopting requirements will allow you to focus and coordinate on what’s
important.
You should allow additional time to determine whether your organization has adequately determined its
interested parties, their requirements, and their impact upon the EQMS. Determine which of these
requirements are considered your organization’s compliance obligations and describe the processes used by
your organization to identify the interested parties.
Make reference to all objective evidence, including examples of interested parties and any resulting compliance
obligations. Look for evidence that your organization has undergone a process to initially identify these groups,
and then to identify any of their requirements that are relevant to your organization’s EQMS. Examples of
interested parties might include:
1. Customers;
2. Communities;
3. Contractors;
4. Suppliers;
5. Regulators;
6. NGOs;
7. Business partners;
8. Shareholders.
You should also determine whether these groups’ requirements are reviewed and updated as changes in their
requirements occur, or when changes to your organization’s EQMS are planned. Ensure that your organization
has properly identified its interested parties, and subsequently determined whether any of their needs and
expectations are to be adopted as compliance obligations. Ensure that this process is revisited periodically
because the relevant requirements of relevant interested parties may change over time.
Although not specifically required, objective evidence could be a list or matrix of the interested parties, their
corresponding needs and expectations, and an indication of which of these are accepted as compliance obligations.
Compliance obligations might include:
1. Information summarised as part of inputs to risk and opportunity registers (e.g. for ISO 9001 and ISO
14001 this could be an additional process in the identification of environmental aspects and impacts);
2. Recorded in a simple spreadsheet;
3. Logged and maintained in a database;
4. Captured and recorded through key meetings.
This section requires your organization to think clearly and logically about what can internally and externally
affect your management system, and to be in a position to demonstrate that this information is regularly
monitored and reviewed.
There is now essentially a process by which a scope must be determined; simply declaring a scope and
excluding product-related aspects without evaluating the new considerations is not acceptable. Evaluate the
process by which the scope was determined and review any process or procedure, if present. The lack of
documented processes will require more reliance on objective evidence from interviews.
Look for confirmation that your organization has determined the boundaries and applicability of the EQMS to
establish its scope with reference to any external and internal issues referred to in 4.1 and the requirements of
relevant interested parties referred to in 4.2. The scope of your EQMS may include the whole of the
organization, specific and identified functions within the organization, specific sections of the organization, or
one or more functions across a group of organizations.
1. Has your organization determined the boundaries and applicability of the EQMS to establish its
scope?
2. Has your organization effectively considered the following prior to determining the scope of the
EQMS?
3. Has your organization effectively considered the extent of its control and influence, context, external
and internal issues, compliance obligations, physical and functional boundaries, activities, products
and services?
4. Has your organization made its scope available to all interested parties as documented information?
A statement from your organization that the scope can be provided upon request may be accepted
as objective evidence.
Check that this has been done in consideration of your organization’s context and your products. You should
review any exclusions previously noted under ISO 9001:2008 for ongoing suitability. Check that legacy issues
which limited scope and omitted activities do not affect product conformity. Check that they are recorded and
that the rationale for the exclusion is stated and justified.
Existing operational procedures, work instructions and flow charts are valid examples of documented
information and can be used to evidence that the requirement for ‘documented information to support the
operation of processes’ is being met. Check that process inputs and outputs are defined and review how each
of the processes is sequenced and how they interact. Look for evidence that your organization has:
management reviewing EQMS KPI’s as part of regular business reviews, awareness of contractors and
employees of EQMS goals and expectations, etc.
A good way to do this is to think about how work flows through your organization. Consider how the inputs
and outputs to the key processes flow from one process to the next, what sub-processes might exist within it
and how the support processes link in. For now, ignore the standard; in fact, put it in a drawer and forget it exists.
Instead focus on your key processes and how the departments interface with each other.
Once you have defined the processes and interfaces, go back to the standard and determine which processes
are responsible for meeting which requirements. When defining your organization’s processes, think about
each process and department and try to define those processes around the current organizational model
and not around the requirements of the standard.
Certification auditors will expect to see a process model that explains the key processes of the business and
how each relates and links to the others. The depth of process explanation may be as detailed as the company
chooses but should be based on its customer and applicable regulations or statutory requirements, the nature
of its activities and its overall corporate strategy. You should expect to see evidence that your organization has
determined its processes and interactions. If your organization calls it a ‘process’, it must be monitored for
effectiveness and improved.
The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to
demonstrate that the processes and their sequence and interactions were determined. Such documents may
be used by organizations should they deem them useful, but they are not mandatory. Graphical representation
such as flow-charting is perhaps the most easily understandable method for describing the interaction between
processes.
Outsourced processes must be controlled by the organization and these controls must be defined and
described within their system. Organizations are required to identify the controls they apply for any outsourced
processes. The facility EQMS manual must identify if outsourced processes are applicable. In addition, the client
shall have written documentation on the methods used to control the outsourced processes. Examples of some
outsourced processes are:
1. A process completed wholly or partially by a sister facility outside the scope of registration, such as
corporate performing design, purchasing or customer related processes; this includes management
activities, i.e. business planning, goal setting, resources, data analysis, budgeting, etc. This may include
the entire element or a subsection, i.e. corporate completes supplier evaluation and re-evaluation of
suppliers and the registered site initiates purchase orders.
2. A process completed by an outside vendor or subcontractor such as heat treating, plating,
calibration, painting, powder coating, etc. These types of processes may be controlled by the
purchasing process where a formal contract or purchase order may be the controls. If this is the case,
written documentation would be the purchasing documentation and records; however, these
processes are required to be documented in the quality manual.
If an outsourced process is controlled through purchasing, there must be documented objective evidence to
ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused
on controlling products, not processes. The organization is responsible for ensuring that the outsourced process
is meeting the applicable requirements of ISO 9001:2008. Outsourced processes may be controlled through
such methods as, but not limited to:
1. Auditing;
2. Contractual agreements;
3. Process performance data review on an on-going basis;
4. Purchasing process.
Ensuring control over outsourced processes does not absolve the organization of the responsibility for
conforming to customer, statutory and regulatory requirements. The type and extent of control to be applied
to the outsourced process can be influenced by factors such as:
1. The potential impact of the outsourced process on the organization’s capability to provide a product
or service that conforms to requirements;
2. The degree to which the control of the process is shared;
3. The capability of achieving the necessary control through the application of the purchasing process.
Top management is now required to emphasize the importance of conforming to the EQMS requirements.
Additionally, it must also ensure that the EQMS is achieving its intended results, and that continual
improvement is driven within the organization. If it is evident that the Top management is not involved with
the EQMS, a major non-conformance is likely.
Auditors should look for evidence that top management has a ‘hands-on’ approach to the management of
their EQMS during interviews and auditing other requirements e.g. Context of the organization, policies and
objectives, Management review minutes, Resources etc. Evidence of Top management involvement may be
found in:
Without solid management commitment, you will not have a successful integrated management system. This
is not a commitment in words; it is the continuous and active demonstration to everyone in the organization
that the need to meet customers' expectations is vital. The actions required of Top management include:
You should review the quality policy to determine whether the quality policy is appropriate to the context of
the organization and its purpose, that there is a commitment to continually improving the QMS, and the quality
objectives are consistent with the quality policy. Top management should demonstrate that the quality policy
is compatible with the strategic direction and context of the organization, as required by 5.1.1b.
Your organization will need to review the EQMS policies as necessary to ensure that any changes in context,
interested parties or their requirements are reflected in the policies and whether your organization’s objectives
are affected (6.2.1 a). The EQMS policies do not have to include objectives but should create a framework for
establishing them. The policies should be stated in such a way that they aim toward continual improvement.
They should be reviewed and possibly revised to meet higher aspirations.
Certification does not require that the policies include the words ‘continual improvement’; however, it must be
ascertained that processes of continual improvement are implied and known throughout the organization. To
meet the intent of this clause, the auditor would be looking for clearly defined EQMS policies that are
sufficiently detailed to provide a framework for the subsequent EQMS objectives that can be monitored for
continual improvement.
An auditor would not want to see a vague policy. The policies should be real and the objectives consistent with
the policies, meaning that the policies are implemented and the objectives cascaded throughout all levels of
the Management System. EQMS objectives may be the same as the business plan objectives.
The auditor’s intent is not just conformance to the requirements but also to assist an organization in meeting
its business objectives, better customer satisfaction and eventually more market share, which, in time, brings
more profits for the organization. When interviewing Top management, their input into, and commitment to,
the EQMS policies should be determined. For multi-site/corporate certifications, the policies must be
applicable for all sites and be fully integrated with the objectives. Develop and implement a policy that is
consistent with the company’s codes of conduct and business practices. The policy should be signed by senior
management and commit to:
1. Preventing incidents that could cause environmental harm and any process loss or quality impacts;
2. Complying with obligations and legal requirements;
3. Promoting continual improvement;
4. Adopting best practice;
5. Creation of measurable and achievable targets for performance improvement;
6. Providing resources to achieve targets;
7. Communicating and consulting with all stakeholders regarding the EQMS;
8. Meeting customer requirements.
These policies will be the foundation of the EQMS and should reflect the goals of the business. The policy will
change as the business changes, but the underlying commitment to zero harm should not change.
Auditors will wish to determine if the policies meet the intent and are understood, by interviewing personnel
at all levels. Although the exact content of the policies does not need to be recited by interviewees, the
awareness of the policies and how their job affects the company objectives should be determined. This does
not require your employees to memorize the policies, but it does mean they should be aware of them, know where
they may be found and be able to paraphrase them, or give an interpretation as they apply to them.
If the personnel interviewed do not know what their measurable objectives are and/or do not know what the
organizational objectives are that they have a direct effect upon, the auditor would be further directed to
evaluate top management’s communication of the policies and objectives.
Inferred awareness through knowledge of procedures is not considered sufficient; otherwise why have the
requirement in the first place? A quick and convenient way to promote and communicate the policy might be
to create a shortened version of the main policy; try condensing it to five key words or even a couple of short
sentences. This can be posted on bulletin boards in each department.
You could even add it to the reverse side of staff security passes or ID badges. If an auditor asks an employee
whether they are aware of the policy, they can point to the bulletin board or point to it on their badge. The
employee can then explain to the auditor what the policy means to them and how it influences their work.
Examples might include an organization chart, defined job roles prior to recruitment, allocated job descriptions
to personnel and linking these activities to the processes within your business. This should effectively define,
document, and communicate the organizational structure of the EQMS. Please note that this method is a
suggestion, and other ways of meeting the requirement for organizational structure may be used. Develop an
organization chart and create job descriptions to satisfy the requirements:
Describe how Top management assigns responsibility and authority for monitoring and reporting on the
operation and performance of the QMS, via audits and inspections, business meetings, and KPI reviews, etc.
Assignment of relevant roles, responsibilities and authorities across the organization e.g. top management,
functional leaders, heads of departments, process owners, lead process users, end users etc. relating to:
1. Conformance of the EQMS requirements, ISO 9001 and ISO 14001 (4.3);
2. Delivery of process output results (4.4.1);
3. Reporting of EQMS performance and improvement opportunities (9.3);
4. Promoting customer focus (5.1.2);
5. Maintaining EQMS integrity when change occurs (6.3).
You should seek evidence that your organization’s personnel have not only been advised of their EQMS
responsibilities and authorities, but also that they understand these in the context of the overall purpose of
the EQMS. You should also ensure that Top management have assigned responsibility and authority for
preserving the integrity of the organization’s EQMS during changes.
What process has been developed to identify risks and opportunities? In the absence of documented
processes/procedures, you may need to use observations and interviews (and a review of the process output,
which may contain documented evidence) to assess the processes that determine whether or not
undocumented processes are being carried out as planned.
External and internal issues, and relevant needs and expectations of relevant interested parties may be sources
of risks. Objective evidence may be in the form of a dedicated risk matrix, risks added to other forms such as
an aspect register, corrective/preventive action log and forms, etc. Not all of the processes of an EQMS
represent the same level of risk in terms of your organization’s ability to meet its objectives. For this reason,
the consequences of failures or non-conformities in relation to processes, systems, products and/or services
will not be the same for all organizations.
When deciding how to plan and control the EQMS, including its component processes and activities, your
organization needs to consider both the type and level of risk associated with them. Ensure that your
organization is taking a planned approach to addressing risks and realizing opportunities, and that any actions
taken have been recorded. Options to address risks and opportunities can include:
1. Avoiding risk;
2. Taking risk in order to pursue an opportunity;
3. Eliminating the risk source;
4. Changing the likelihood or consequences;
5. Sharing the risk;
6. Retaining risk by informed decision;
7. SWOT analysis by the organization as part of its business strategy to identify the external risk and
opportunities and action plan to address them;
8. Formal business risk assessment performed by the organization taking into consideration its context,
associated risk and opportunities and mitigation plan;
9. Use of process approach by organization to identify sources of input, activities, output, receiver of
output, performance indicators to control and monitor processes, the risks and opportunities
associated with them and action plan to address them.
Why is Risk Management Important?
The concept of risk in the context of ISO 9001:2015 and ISO 14001:2015 relates to the uncertainty in achieving
the objectives of the EQMS. Risk will influence every aspect of your organization’s operations; understanding
the risks you face and managing them appropriately will enhance your ability to make better
decisions and to achieve your objectives.
Your organization should begin to view the management of risks to its people, assets and all aspects of its
operations as an important responsibility. Implement and maintain a risk management process to protect and
support your organization’s responsibilities. An effective risk management approach is not only good business
practice but provides organizational resilience, confidence and benefits, including:
By considering risk throughout your organization the likelihood of achieving stated objectives is improved,
output is more consistent and customers can be confident that they will receive the expected product or
service. Risk-based thinking therefore helps to:
1. Improve customer confidence and satisfaction;
2. Assure consistency of quality of goods and services;
3. Establish a proactive culture of prevention and improvement;
4. Intuitively take a risk-based approach.
We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s
transition to risk-based thinking; using an approach that ring-fences processes into ‘risk themes’ or groups
such as:
1. Business planning and strategic direction;
2. Process risk;
3. Product and service risk;
4. Risk associated with the control of externally provided product and service.
Document controls, including document change controls, for risk management system documentation should
be the same as the controls for quality management system documentation. This documentation can be in any
form or type of medium.
Communication of Risks
Within your quality management system, consideration needs to be given to internal and external
communication of risk. Internal communication is necessary for all appropriate personnel to be aware of the
remaining risks even after implementing risk control measures.
Outsourced Processes
Your organization might outsource the provision of some processes or the manufacture of components,
subassemblies or entire units. In order to maintain control over the processes, your organization should
incorporate appropriate risk management activities for these processes and products by planning and by
ensuring risk control measures are appropriately applied. Before the approval and implementation of a change
to any outsourced process or product, your organization should:
For each identified hazard, the risk in both normal and fault conditions is estimated. In risk evaluation, you
should decide whether risk reduction is needed. The results from this risk evaluation such as the need for risk
control measures then become part of the design input.
Risk Registers
While not mandated by ISO 9001:2015 or ISO 14001:2015, risk registers can help identify and record the risks
and opportunities facing different areas of the business; identifying risk is a critical step in managing it.
Risk registers will allow your organization to assess each risk within the overall context of your
organization and will help to record the controls and treatments of those risks. Risk registers can be developed
in tiers:
1. Strategic level;
2. Operational level;
3. Process level.
The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps
to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is
a table. A table presents a great deal of information in just a few pages. As the register is a living document, it
is important to record the date that risks are identified or modified. Optional dates to include are the target
and completion dates.
The internal audit function provides independent appraisal of the adequacy and effectiveness of internal
controls. Recommendations should be provided, where applicable, for improvements to controls, efficiency
and effectiveness of processes.
1. Clause 4.4.1 requires your organization to determine the risks which can affect its ability to meet the
system objectives. Risk-based thinking means considering risk quantitatively as well as qualitatively,
depending on the business context.
2. Clauses 5.1.1 and 5.1.2 require Top management to demonstrate leadership and commit to
ensuring that risks and opportunities that can affect the conformity of a product or service are
determined and addressed.
3. Clauses 6.1.1 and 6.1.2 each require your organization to take action to identify risks and
opportunities, and plan how to address the identified risks and opportunities.
4. Clause 8 requires your organization to plan, implement and control its processes to address the
actions identified in Clause 6.
5. Clause 9 requires your organization to monitor, measure, analyze and evaluate the risks and
opportunities.
6. Clause 10 requires your organization to improve by responding to changes in risk.
The adoption of risk-based thinking will, over time, improve customer confidence and satisfaction by assuring
the consistency of the quality of goods and services brought on by establishing a culture of prevention and
improvement.
Step 1: Planning
Your organization should develop and document a plan that briefly describes how and when risk, in the form
of strengths, weaknesses, opportunities and threats, will be assessed, and who will be involved. This should
reflect the scope (including its complexity, interfaces, etc.), policies and objectives.
Step 2: Identification
In this step, your organization should systematically identify those risks associated with the scope of the
process that could significantly affect the achievement of objectives and product conformity.
Risk identification should be carried out with the full involvement of the relevant parties to ensure that the
relevant perspectives and expertise are represented (e.g. appropriately qualified representatives from various
functions, contractors, stakeholders, suppliers and specialists as appropriate).
Risk identification involves the relationship between your organization and the broader, external environment
or community. A range of issues should be considered in examining the strategic content, including:
1. Opportunities and threats associated with the local, regional, and global economic, social, political,
cultural, environmental, regulatory and competitive environments;
2. Key thrusts of stakeholder strategies;
3. Strengths and weaknesses in attaining objectives.
Operational risk identification involves gaining an understanding of the organisation’s capabilities, goals,
objectives, strengths and weaknesses by considering:
3. The identity and nature of interaction with key internal or external stakeholders;
4. The existence of any operational constraints;
5. Objectives and key performance indicators;
6. Business resilience vulnerabilities;
7. Relevant issues relating to recent change management risk, performance or audit reviews;
8. Relevant stakeholder community concerns or requirements;
9. Regulatory and contractual requirements and constraints; and
10. Quality management systems.
Step 3: Assessment
This assessment process is vital in determining the need for controls aimed at either reducing risk to levels
deemed to be tolerable or meeting the requirements of legislation. The significance level (or risk rating) should
then be used to prioritise actions. Remember that the importance of this process cannot be overestimated. If
you get this process wrong, the whole system will be suspect.
The assessment of the severity of a risk should drive management attention and support the planning for risk
mitigation. Quantitative risk assessments (QRA) can be undertaken to provide an improved understanding of
the risk profile and derive a more detailed understanding of certain cost and time risks. The output of QRA can
also support decision making and monitoring of risk management activities.
Risk criticality (Table S1) is calculated by multiplying the likelihood (Table S2) by the consequences of risk (Table
S3). The resulting score (Table S4) is then used to prioritise the appropriate level of action.
Certain 25 20 15 10 5
Occasionally 20 16 12 8 4
Probable 15 12 9 6 3
Unlikely 10 8 6 4 2
Improbable 5 4 3 2 1
Likelihood (S2)
Score Likelihood Description Percentage Probability
Consequences (S3)
Score: 5
Impact: Catastrophic
Quality: Catastrophic failure of a component to function in either temporary or permanent state.
Cost: More than £50 million.
Programme: Variance (+) from current milestone stage or completion date, of estimated completion date of >40% or >60 days.
Step 4: Response
For each risk, the risk owner must establish an appropriate level of mitigation. Control measures in addition to
those already existing may be needed to achieve this level of mitigation. When a response action is completed,
the risk should be reassessed (i.e. repeat Step 3) to reflect any newly introduced control measure.
Step 5: Review
Regular review and challenge is essential to ensure that risks are being appropriately managed, and that the
risk data remains accurate and reliable, reflecting any changes in circumstances or management activities.
Step 6: Reporting
Regular reports are necessary to inform and provide assurance to Top management and other key
stakeholders, that risks are being appropriately managed. Reporting must be based on current process data,
which must be updated and reviewed in good time for the reporting cycle (see Step 5 above).
On occasion, it may be appropriate to escalate a risk to ensure it is assessed and/or managed by the person or
party best placed to do so (able and with appropriate authority). For example, where a more substantial or
coordinated response is required than the current owner can authorise or implement, or where the risk severity
or its effects on the wider project justify higher level assessment and/or management.
Step 7: Monitoring
Continuous systematic and formal monitoring of implementation of the risk process and outputs will take place
against appropriate performance indicators to ensure process compliance and effectiveness. Monitoring may
take a variety of forms and range from self-assessment and internal audit to detailed reviews by independent
external experts.
Training
To ensure that adequate risk management competency levels are achieved and maintained, your organization
should provide training in the risk management process and its application. Specific risk management
training sessions should be held on an annual basis, aimed at providing an overview of the risk management
process. Instruments providing training on appropriate controls include:
Significant environmental aspects can result in risks and opportunities with associated adverse or beneficial
impacts. Objective evidence must contain established criteria for evaluating significance of aspects (i.e., process
or procedure). Also, a register/matrix of aspects and impacts may be presented as evidence.
The new ‘Life-cycle Perspective’ consideration of environmental aspects and impacts has been broadened to
include an identification and evaluation process to consider aspects associated with:
For instance, an environmental aspect, or cause, can be the emission of volatile organic compounds (VOCs).
The environmental impact, or effect, is ozone depletion. To comply with ISO 14001 Section 4.3.1, the following
five actions should be taken:
4. Establish and maintain a procedure or method to identify any new or modified environmental aspect or
impact;
5. Identify the most significant environmental impacts.
The identification of environmental aspects will form the foundation of your EQMS. The aspects that have
significant impacts on the environment will become the basis of your organization’s objectives and targets;
therefore, you will want to be thorough in completing this step. Developing a list of the organization’s
activities, products, and services can be a difficult task. The activity, product, or service should be small
enough to be understood, but large enough to be analyzed.
Environmental Aspects
The next step is to identify the environmental aspects for each activity, product and service. For each
environmental aspect that is identified, you should list any quantitative information that is applicable. For
instance, if an activity emits air pollutants, state the amount (e.g. 543 tons of CO2 per year, or 3.5 kg of
particulate matter per hour). The following is a list of additional information to include, if applicable:
1. Compliance obligations;
2. Other relevant requirements;
3. Permits and licences;
4. Record keeping requirements;
5. Pollution controls or treatment;
6. Best management practices;
7. Monitoring requirements.
Environmental Impacts
The next step is to identify and list the environmental impact for each environmental aspect. As you complete
this step, remember the cause-and-effect relationship discussed earlier. Please note that environmental impacts
can be positive or negative.
Examples of negative impacts include increased air pollution, potential contamination of the ground, or
depletion of natural resources. Positive impacts can include conservation of natural resources, improved
wetlands area, decreased soil erosion, and conservation of natural habitat.
Significant Impacts
ISO 14001 does not provide a standard or method with which to determine the significant impacts. Part of the
reason for not establishing a standard or method is that the significance of each impact can vary for each
organization based on various factors and concerns. The standard lists several environmental and
business-related factors and concerns to consider when evaluating the significance of each environmental
impact:
Environmental Concerns:
1. The scale of the impact;
2. The severity of an impact or a potential impact;
3. The probability of occurrence;
Establish and maintain documented EQMS objectives and targets, at each relevant function and level within
the organization. The objectives and targets establish an important link between the policies and the
management programmes. The objectives and targets must be consistent with the EQMS policies, including
the commitment to prevention of pollution and continual improvement.
Depending on the size, management structure, and other factors pertaining to your organization, the objectives
may be established and reviewed by various personnel and with direct top management input.
Auditors will expect to review a set of interrelated objectives, ensuring that they are mutually consistent and
that they are aligned with the strategic direction of your organization. Documented information of objectives
typically is in the form of a description or matrix of the objective and corresponding means and timeframe to
achieve the objectives.
Your organization will need to set their environmental and quality objectives for relevant functions, levels and
processes within its EQMS. It is for your organization to decide which functions, levels and processes are
relevant. A key addition in the 2015 revision of ISO 9001 and 14001 (and soon ISO 45001:2017) is the use of
indicators to monitor the achievement of objectives. Indicators are defined as a measurable representation of
the status of operations, management or conditions. Each objective will need one or more associated
indicators.
Objectives can apply to an entire organization, can be site-specific, or can be specific to individual activities.
The appropriate level(s) of management personnel should define the objectives and targets. In some cases,
personnel who set objectives may not be the same as those who set targets. Remember that the objectives are
the overall goals as reflected in the principles established in the policy.
The scope and number of the objectives and targets must be realistic and achievable. Otherwise, the success
and continued commitment from top management and employees will diminish. Consider the factors below,
as you begin to formulate your objectives:
1. Compliance obligations;
2. Significant aspects (aspects directly related to significant impacts);
3. Significant hazards (hazards directly related to risks);
4. Financial, operational, and business requirements;
5. Views of interested parties.
Targets must be quantified where practicable and the units that are used to quantify the targets are referred
to as key performance indicators (KPIs). A KPI is defined as an expression that is used to provide information
about management system performance. The following are some examples of KPIs:
In this case, the better KPI would have been the weight of waste per product unit (kg per unit). In many
cases, measuring against the production units proves to be more accurate. The following is an example of an
objective with a specific target and an environmental performance indicator:
EQMS. Properly designed and implemented, management programmes should achieve the objectives and,
consequently, improve your organization’s performance. The management programme must:
Additionally, your organization must determine how it will evaluate the work done, including the use of
indicators, and whenever possible, to integrate these planned actions into its business processes. The use of
indicators needs to be audited in detail in order to determine whether:
1. Involve your employees early in establishing and carrying out the action plans;
2. Communicate the expectations and responsibilities laid out in the action plans to those who need to
know;
3. Build on the plans and programmes you have now for EQMS compliance;
4. Keep it simple;
5. Focus on continual improvement of management programmes over time.
The integrated management programme should be revised regularly to reflect changes in your organization’s
objectives and targets. Track all new or modified operations, activities, and/or products in case the
management programme needs to be amended to reflect these changes.
1. Inputs;
2. Resources;
3. Personnel;
4. Activities;
5. Controls;
6. Measurements;
7. Outputs.
Changes are intended to be beneficial but they need to be carried out when determined by your organization
as relevant and achievable. In addition, consideration of newly introduced risks and opportunities should also
be taken into account. To achieve the benefits associated with changes, your organization should consider all
types of change that may occur. These changes may be generated, for example, in:
Ensure that your organization has planned how to integrate and implement the changes into its EQMS
processes. Check that your organization has considered:
1. The purpose of the changes and their potential consequences (risk and opportunities);
2. The integrity of the management system (how does the change affect current processes?);
7.0 Support
7.1 Resources
Ensure that your organization has determined and provided the resources needed for the establishment,
implementation, maintenance and continual improvement of the EQMS. Check that your organization has
identified which resources it needs to make available in order to ensure the effective operation of the EQMS.
Resources will often include raw materials, infrastructure, finance, personnel and IT, all of which can be either
internally or externally provided.
Auditors may look at the budget to check that some funding has been allocated to the EQMS but they might
dig deeper, checking if the organization has really identified all types of resources required and that it has
taken action to ensure that those resources are available as needed.
7.1.1 General
You should seek and record evidence confirming that your organization has considered the need for external
resources in addition to the need for internal resources. Most organizations determine resource requirements
during management review meetings; you should review the management review minutes for evidence of
resource allocation.
7.1.2 People
You should seek and record evidence to confirm that your organization has provided the staff necessary for
the effective implementation of the EQMS and for the operation and control of its processes.
7.1.3 Infrastructure
You should seek and record evidence to confirm that your organization has provided the infrastructure
necessary for the effective implementation of the EQMS and for the operation and control of its processes.
Identify, provide and maintain infrastructure requirements necessary to achieve product conformance:
1. A place of work that is safe, including all equipment and methods of work;
2. Training, instruction, information and supervision for employees;
3. A means of safe handling, storage, use and transportation of equipment, materials and chemicals;
4. Safe working environment with good lighting, ventilation, safe passageways, stairs and corridors.
All employees must:
1. Protect themselves and co-workers who may be affected by their actions and behavior;
2. Use appropriate personal protective equipment (PPE) and/or clothing provided;
3. Report any unsafe acts or conditions and follow procedures and work instructions.
1. Calibrated or verified at specific intervals, or prior to being used. Equipment must be calibrated
using measurement standards traceable to international or national measurement standards. Where
there is no standard available for the device, the basis for calibration or verification must be recorded.
A Certification Auditor would expect to see that traceable standards are used and, where applicable,
have not expired. Where calibration is completed by an outsourced process, i.e. a vendor, the records
of traceability must be reviewed.
2. Adjusted or readjusted as necessary. A Certification Auditor would expect to see evidence that
equipment found to be out of calibration is adjusted/re-adjusted by qualified personnel, that the
validity of the previous measuring results is assessed when equipment is found to be out of
calibration, and that appropriate action is taken (may include recall of product). A Certification Auditor
would also expect to see that a process is in place to provide traceability of each piece of equipment
to the process/product that the equipment was used on. The results of calibration and verification
are required to be maintained as quality records.
3. Identified to show calibration status. A Certification Auditor would expect to see that each piece of
equipment is identified in such a way that the user can determine that the device has current
calibration. This may be accomplished by the equipment’s unique serial number traceable to the
calibration record; however, the calibration status label is a good practice. Other methods may be
used but must clearly identify the calibration status. Where the environment is not conducive to
the use of stickers, status may be identified by color-coding, identification number with associated
calibration record, and/or calibration prior to every use.
4. Safeguarded from adjustment. A Certification Auditor would expect to see that a process is in
place to ensure that users outside the calibration process do not adjust equipment. Equipment may
be verified prior to use; however, any adjustments made to equipment must meet all requirements of
this section. Methods to safeguard may include locking materials for setscrews, tamper-proof seals,
limited entrance to calibration areas, and other methods.
5. Protected from damage during handling, maintenance and storage. A Certification Auditor
would expect to see that measuring equipment is handled and stored in a manner to protect the
equipment from damage.
7.1.6 Organizational Knowledge
Not all resources are tangible; the acquisition and maintenance of knowledge is essential to keep the EQMS
moving in the right direction. ‘Organizational Knowledge’ is a new requirement and is closely linked with
‘documented information’.
You should seek and record evidence that your organization has taken steps to identify the internal and
external knowledge necessary to ensure continued product conformity. Check that organizational
knowledge is reviewed before changes to the EQMS are made when responding to change.
Sources of internal knowledge often include the organization’s intellectual property; knowledge gained from
experience; lessons learned from failures and successes; capturing and sharing undocumented knowledge and
experience; the results of improvements in processes, products and services. Sources of external knowledge
often include other ISO standards; research papers; conferences; or knowledge gathered from customers or
external parties.
You should also seek evidence to confirm how your organization has determined and made available the
knowledge needed to keep up to date with changing situations and knowledge related to new products and
services. You should determine whether your organization has considered internal and external sources, such as:
1. Lessons learnt from non-conformities and corrective actions, near miss situations and successes;
2. Gathering knowledge from customers, suppliers and partners;
3. Capturing knowledge existing within the organization, e.g. through mentoring, succession planning;
4. Benchmarking against competitors;
5. Sharing organizational knowledge with relevant interested parties to ensure sustainability;
6. Updating the necessary organizational knowledge based on the results of improvement;
7. Knowledge from conferences, attending trade fairs, networking seminars, or other external events.
A Certification Auditor would expect to see the following evidence of meeting the requirements of clause
7.1.6 Organizational Knowledge:
Has your organization established processes for communication, participation and consultation?
Has your organization determined the nature and extent of documentation required to manage
organizational knowledge?
Has your organization identified any applicable regulatory and other requirements?
Has your organization implemented the organizational knowledge plan defined above?
Do
Has your organization performed organizational knowledge activities – assign responsibilities, identify,
obtain, accumulate, store, maintain, protect, communicate, use and evaluate the performance of
organizational knowledge?
Has your organization maintained appropriate records of organizational knowledge management activities?
Has your organization reviewed data from CHECK stage and determined improvement actions?
Act
Has your organization verified achievement of organizational knowledge goals and objectives?
7.2 Competence
This requirement is comparable to ISO 9001:2008 Clause 6.2.1 - Human Resources and Clause 6.2.2 -
Competence, training and awareness, but additionally you should check whether your organization takes action
to address competency issues and whether those actions were effective.
Your organization should establish a process for assessing existing staff competencies against changing
business needs and prevailing trends. Check for evidence that all staff who work under your organization’s
control are competent, and that evidence of continuing competence is maintained as documented information
in accordance with Clause 7.5.
Competency-based training programmes can vary greatly and be as unique as the facility and personnel
working at a facility. The distinct operations of the facility and the level of education, training, and experience
of the personnel determine the necessary elements of a competency-based training programme. To establish
and maintain a competency-based training programme, the following steps must be taken:
Ensure that those competencies are possessed by the people doing the work under your organization’s control
including: the organization’s own personnel, contractors and outsourced personnel working either on site or
off site. Training alone is not sufficient to demonstrate competence; this must be demonstrated through tests,
observations, results, etc. Auditors need to find objective evidence in order to determine that the competency
requirements have been met.
If the people are found not to be competent, your organization is required to take action. The actions taken
need to be evaluated for effectiveness in raising competence to the required level. Examples of action may
include remedial training, recruitment or the use of external people in order to acquire the necessary
competence.
Identification of employee training needs is typically the first step in developing a competency-based training
programme. In addition to existing workers, new hires, temporary workers and outside contractors must be
included when identifying training needs. Your organization must demonstrate that the training needs for
these employees were identified.
After developing a list of these employees, the management representative or human resources manager
should establish the appropriate training programme for each person based on the type of employee
interaction with each significant impact or risk. Even though some personnel may have the same job, the type
or level of training may vary according to each person’s past education, training, and experience.
A register containing information on specified levels of education, training, and experience must be established
for each employee whose work is involved with any significant impact. The planned training programme for
each individual then should be listed. The training sessions should, at a minimum:
1. Make the employee aware of the aspects and hazards, and the impacts and risks associated with
their work;
2. Include training required by applicable regulatory requirements and the EQMS requirements;
3. Include training necessary to obtain/retain required licenses or registrations;
4. Emphasize responsibility for minimizing significant impacts and risks associated with their work;
5. Identify potential consequences of departures from specified operating procedures;
6. Address the benefits of improved personal performance.
Training options may be as simple as on-the-job training, administered by senior/experienced members; formal
training, including classroom instruction; training provided by external consultants. For some situations,
commercially available training courses may be another alternative.
Additional or customized training activities specific to individual needs, job descriptions, regulations and goals
may be necessary depending on the significant impacts and the existing skill level of each employee.
7.3 Awareness
This requirement is comparable to ISO 9001:2008 Clause 6.2.2 - Competence, training and awareness, which
was limited to the organization’s own personnel. You should seek evidence to confirm that this requirement has
been applied by your organization to ensure that the people who need to be made aware now include all the people
who work on your organization’s behalf that affect the conformity of your organization’s EQMS or products.
You should ensure that these people are aware of:
Other methods to promote and reinforce the quality and environmental awareness training sessions include
communication via electronic bulletin boards, posters, newsletters and informational meetings.
The requirements for general awareness training apply to all employees including those whose work may cause
significant environmental impact. Awareness training is intended to provide an overview of the organization’s
environmental policy, objectives and targets, and overall EQMS. Your organization must ‘establish and maintain
procedures to make its employees and members at each relevant function and level aware of’:
1. The importance of conformance with the policy and the EQMS procedures and requirements;
2. The actual and the potential significant impacts and risks of the activities, products, and/or services;
3. The benefits of improved personal performance;
4. The employees’ roles and responsibilities in achieving conformance with the policies and the EQMS
procedures;
5. The employees’ roles and responsibilities with the emergency preparedness and response
requirements;
6. The potential consequences of departure from specified operating procedures.
The awareness training materials may also include additional elements that address:
7.4 Communication
7.4.1 General
Organizations need to develop and implement a process (i.e., communication strategy) to determine those
EQMS matters on which they wish to communicate, taking into account their compliance obligations and the
quality (reliability and consistency) of the communicated information. Communications may relate to your
organization’s ongoing compliance with various obligations, milestone achievements, or sustainable resourcing.
You should seek evidence to confirm that your organization has identified the necessary internal and external
communications that are required for the operation of the EQMS. You should confirm how your organization
has determined:
Communication is the key; communicate goals, plans, progress and milestones. Listen first then ask for
feedback. Lack of communication seems to be one of the main root causes for errors in business. Keep people
informed of the progress of the project; e.g. what’s been done, what’s to be done next and how the project is
progressing against the plan.
Make this process transparent and visible to all concerned; for example, place progress charts on the walls and
notice boards. Employees that are not part of the implementation team may not be hearing as much about
what is going on with the project and may think the project has faded away. Communicate its progress
via newsletters, bulletin boards or meetings.
The organisation needs to ensure that procedures to control internal and external communications and
interfaces are in place. Particular care needs to be taken when dealing with communications from external
parties, which might well include enforcement authorities, lawyers/solicitors, insurance companies, etc. In many
parts of the world there is an increasing trend towards litigation resulting from injuries received in the
workplace, so the need to manage the communication process is critical.
As well as briefing employees during introductory presentations, try using a combination of other methods to
promote awareness, such as posters placed on notice boards and leaflets with pay-slips, etc. Use training
sessions to inform employees of the plan and how they will be expected to contribute. Issues pertaining to the
EQMS that could be communicated include:
5. Environmental aspects.
Effective communication media:
This does not require your employees to memorize the policies, but it does mean they should be aware of them,
know where they may be found and be able to paraphrase them, or give an interpretation of how they apply to them.
If the personnel interviewed do not know what their measurable objectives are and/or do not know what the
organizational objectives are that they have a direct effect upon, the auditor would be further directed to
evaluate top management’s communication of the policies and objectives.
Inferred awareness through knowledge of procedures is not considered sufficient; otherwise why have the
requirement in the first place? A quick and convenient way to promote and communicate the policy might be
to create a shortened version of the main policy; try condensing it to five key words or even a couple of short
sentences. This can be posted on bulletin boards in each department.
You could even add it to the reverse side of staff security passes or ID badges. If an auditor asks an employee
whether they are aware of the policy, they can point to the bulletin board or point to it on their badge. The
employee can further elaborate to the auditor what the policy means to them and how it influences their work.
Your organization should encourage the two-way flow of information between your workforce and
management. Input from employees is considered vital in the development of quality and environmental
policies and procedures.
It is also vital that your employees are kept informed of matters relating to their welfare via Representatives,
Supervisors and Managers. Communication and consultation should take place both formally and informally.
Representatives can be appointed to assist your company with the process. Inputs to quality and environment
consultation might include the following:
and procedures during signing in. In addition, contractors should be required to go through a contractor’s
induction briefing.
In most instances, external interested parties (such as consumers, stockholders, neighboring communities, etc.)
are the main driving forces for organizations to implement an EQMS. The appropriate external communications
may establish environmental credibility and satisfy stakeholder requests by presenting objective information
on the organization’s significant aspects, its EQMS, or its performance. The various processes or means of
external communication may include:
You must first determine whether or not your organization will initiate and establish communication regarding
the organization’s significant aspects. You may decide not to communicate such information. The
organization’s decision must be recorded to meet the requirement in this section. Your organization should:
The terms ‘documented procedure’ and ‘record’ used in ISO 14001:2004 and ISO 9001:2015 have both been
replaced by the term ‘documented information’, which is defined as information required to be controlled and
maintained by an organization, as well as the medium on which it is contained. Operational procedures, work
instructions, flow charts, process maps, signs, placards, container markings, labels etc. are all examples of
‘documented information’. Documented information can be in any format and media and from any source.
The organization needs to determine the level of documented information necessary to control its EMS.
‘Access’ can imply a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information.
Your organization must control the documented information required by the EQMS. A suitable process must
be implemented to define the controls needed to approve, review, update, identify changes, identify revision
status and provide access. The documented information process should define the scope, purpose, method
and responsibilities required to implement these parameters.
In order to comply with the documented information requirements, it is essential that all personnel understand
what types of information should be controlled and, more importantly, how this control should be
exercised. To get the most out of your documented information process, it must be communicated to ensure
that staff and other users of the documented information understand what they must do in order to manage
that information effectively and efficiently.
Departmental managers should always be responsible for promoting good documented information practices
in their area whilst supporting overall compliance with the requirements. Individuals and their line managers
should be responsible for the information that they create, as well as being responsible for its retention and
disposal in line with legislative requirements and organizational needs.
EQMS aspects and impacts and their criteria to determine significance 6.1.2
Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) 7.1.5.2
Evidence of competence of people doing work under the control of the organization that affects the performance and effectiveness of the EQMS 7.2
Results of the review and new requirements for the products and services 8.2.3
Design and development changes, including the results of the review and the authorization of the changes and necessary actions 8.3.6
Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and any actions arising 8.4.1
Records of property of the customer or external provider that is lost, damaged or non-conforming and of its communication to the owner 8.5.3
Evidence of the evaluation of the performance and the effectiveness of the EQMS 9.1.1
8.0 Operation
8.1 Operational Planning & Control
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.1 – Product Realization
Planning, but it has been extended to include implementation and control, as well as planning. You should seek
and record evidence that your organization has determined the design and its processes to meet the
requirements of your customers and the requirements of your EQMS. Evidence should be sought that the process,
including all inputs, outputs, resources, controls, criteria, and process measurement and performance
indicators, is being planned.
For those risks and opportunities that your organization has identified, you should seek evidence that these
actions have been integrated into the management system; as such, these actions should be verifiable at
process level – for example, evidence of controls, acceptance criteria and resources to address the risks and
opportunities. Review the acceptability criteria; this may include targets, measures, values, KPIs, specifications
and other criteria as relevant to the output.
You should ensure that the implemented processes are controlled as planned and that there is evidence that
your organization has evaluated the effectiveness of actions taken when addressing risks and opportunities.
Evaluate and record any evidence pertaining to planned and unintended changes.
Operational planning is about controlling the design and development process. The organization must ensure
that all related activities take place under controlled conditions. The final product or service is the culmination
of events that transfer customer requirements and expectations into a tangible product or effective service that
conforms to specified requirements and expectations. Control product realization planning by:
ISO 9001:2015 and ISO 14001:2015 both introduce the concept of controlling change, whether it is a ‘planned
change to be controlled’ or an ‘unintended change to be reviewed for their consequences’. Controls can include
engineering controls, procedures, documented procedure, etc. They can be implemented following a hierarchy
(e.g. elimination, substitution, administrative) and can be used singly or in combination.
Considering that some of your organization’s environmental impacts can occur once the products and services
have been delivered to the customers, organizations need to provide information to those that will transport,
use, treat or dispose of the products and services in order to prevent adverse environmental impacts. The life
cycle perspective means that your organization must also:
1. Design and develop products and services taking into account the environmental impact throughout
their life cycle;
2. Include environmental requirements in the purchasing specifications of products and services;
3. Communicate these environmental requirements to external providers;
4. When necessary, provide information on potential environmental impacts related to the
transportation, use, end of life treatment and final disposal of its products and services.
Ensure that those with responsibility for each stage of the lifecycle, for example procurement, design, logistics,
operations, sales, and after sales, are represented in environmental aspects identification and evaluation. Again,
a workshop scenario works well. Where significant aspects relate to other stages of the lifecycle, these can be
managed or coordinated through the EQMS, for example by operational control and environmental objectives.
Certification Auditors will not expect to see a fully developed life cycle analysis. This is not a requirement of
the new standard. Operating procedures should also be developed for processes, plant, and equipment, and should
include:
1. Specification;
2. Relevant legislation;
3. Hazards;
4. Operating criteria;
5. Maintenance strategies;
6. Inspection and testing;
7. Material safety information.
All operational factors must be determined and risks associated with the environment must be managed in a
way that conforms to the EQMS policies. There should be a process for developing work instructions that detail
standard practice for performing tasks that comply with all EQMS requirements, as well as a process for
identifying hazards and controlling tasks for all non-routine tasks and ensuring all environmental requirements
are met.
1. Marketing information;
2. Quotations and order forms;
3. Confirmation of authorized orders and amended orders;
4. Delivery notes and certificates of conformity;
5. Invoices and credit notes;
6. E-mail and general correspondence;
This may also include the requirements from interested parties and also statutory and regulatory requirements
relating to the product. You should determine how your organization was proactive in evaluating if there were
any additional requirements for the product or service’s intended use.
If the organization determined there were not any additional requirements, this should be evident in associated
records. If there were additional requirements, then evidence should be present of how they were addressed in
the affected process, i.e. design, purchasing, manufacturing. The objective here is to set up a process to make
sure that however an order is accepted, all the requirements for that order are determined. You will need to
identify the following:
1. Customer’s requirements;
2. Those defined by the product’s purpose;
3. Legal and statutory obligations;
4. Organizational objectives;
5. Appropriate records.
8.2.3 Review of the Requirements for Products & Services
This requirement is comparable to ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to
Product and Clause 7.2.2 - Review of Requirements Related to Product. The requirement states that your
organization should now include a review of the requirements arising from any relevant interested parties. You
should seek and record evidence that these requirements are considered during product and service reviews.
The sub-clause mandates that your organization should not issue a quotation or accept an order until it has
been reviewed to ensure requirements are defined, and that the organization has the capability to meet the
defined requirements. It goes on to require that records of the review and any subsequent actions be
maintained.
If the customer does not provide their requirements in writing, the requirements must still be confirmed before
they are accepted. A note is included that covers situations such as internet sales where a formal review of each
order is impractical, stating, instead, that the review could cover the product information provided in
catalogues and advertising material.
Your process must include a step for reviewing product requirements and ensuring the organizational
capability to meet those requirements. You should conduct a review of customer requirements before order
acceptance:
Many companies perform some enhancements or minor reconfiguration of mature designs; such organizations
may have to introduce a comprehensive design system and related processes. If your organization is ‘design
responsible’ but outsources all of its design, all records from Section 8.3 must be maintained by your
organization, as it is responsible for design.
8.3.2 Planning
This requirement expands upon the requirements from ISO 9001:2008 Clause 7.3.1 – Design and Development
Planning. It is likely that if your organization already complies with ISO 9001:2008, you will already be
undertaking the activities required by this clause.
You should seek and record evidence that your organization has considered the explicitly referenced
considerations relating to the design and development process set out above. You should also ensure that
your organization has retained documented information to confirm the identified design and development
requirements were met and that design reviews were undertaken.
You must have an overall plan for your design. Your plan must specify the design and development stages,
activities and tasks; responsibilities; timeline and resources; specific tests, validations and reviews; and
outcomes. There are many tools available for planning ranging from a simple checklist to complex software.
Plan and control product design and development by:
In addition, auditors would likely want to see objective evidence of how the interfaces between other processes
are managed, either through statements, or in associated procedures, process mapping, a matrix approach
or in the timeline planning.
8.3.3 Inputs
This requirement expands upon the requirements from ISO 9001:2008 Clause 7.3.2 - Design and Development
Inputs 7.3.1. You should seek and record evidence that your organization has documented and retained
information concerning the need for internal and external resources and the potential consequences of design
or development failure.
Define which inputs are required to carry out the design and development process. The inputs should be
determined according to the design and development activities. For example, which employees are required
or what information is required for every step of the development. Determine design and development inputs
by:
8.3.4 Controls
This requirement is comparable to the requirements from ISO 9001:2008 Clauses 7.3.3, 7.3.4, 7.3.5 and 7.3.6.
You should seek and record evidence that your organization has applied the necessary controls to its design
and development process in order to ensure that:
1. The results from undertaking the design and development process are clearly defined;
2. The design and development reviews take place in accordance with planned arrangements;
3. The design and development outputs meet the design and development inputs (verification);
4. The resulting products and services are fit for their intended use or specified application where this is
known to the organization (validation).
Verification is a comparison between the outputs and the inputs. Does the available evidence indicate that the
design will meet the requirements? The verification could consist of calculations, simulations, prototype
evaluation, tests or comparison against samples. You must maintain records of design verification as these
records will indicate the results of verifications and determine any necessary corrective actions. Perform design
and development verification by:
1. Determining whether the outputs meet the input requirements for the design;
2. Maintaining records.
Validation is similar to verification, except this time you should check the designed product under conditions
of actual use. If you are designing dune buggies, you might take your creation for a spin on the beach. If you
are making beverages, you might conduct a consumer taste test. Verification is a documentary review, while
validation is a real-world test. Perform design and development validation by:
8.3.5 Outputs
This requirement is comparable to the requirement from ISO 9001:2008 Clause 7.3.3 – Design Development
Outputs. You should seek and record evidence that the additional requirement to retain documented
information concerning design outputs has been met. You should also check the need for design outputs to reference
monitoring and measuring requirements.
Design and development output is the result of the design and development process. The output is a clear
description of the product, containing detailed information for production. Design and development outputs
must reconcile with design and development inputs by:
1. Determining whether the outputs meet the input requirements for the design;
2. Determining whether the outputs provide suitable information for purchasing;
3. Determining whether the outputs provide reference to product acceptance criteria;
4. Determining whether the outputs accurately specify essential characteristics;
5. Maintaining records.
The auditor should expect to see objective evidence that the outputs (7.3.3 a – d) have been verified against
the design inputs. This can be accomplished by reviewing documents, plans, etc. interfacing with the customer
or internal processes and by comparison with past proven designs. Outputs may also include product
preservation methods, identification, packaging, service requirements, etc. as appropriate.
8.3.6 Changes
This requirement is directly comparable to ISO 9001:2008 Clause 7.3.7 - Control of Design and Development
Changes. It is important to control design changes throughout the design and development process and it
should be clear how these changes are handled and what effects they have on the product. You should seek
and record evidence that your organization has retained documented information concerning:
1. Identified;
2. Recorded;
3. Reviewed;
4. Verified;
5. Validated;
6. Approved.
Design and development changes (after the original verification and validation) have to be “verified and
validated as appropriate” (as well as reviewed) and to “include evaluation of the effect of changes on
constituent parts and products already delivered”. If the organization chooses not to perform re-verification
and re-validation on every design change, then the auditor should expect to see some very well-defined criteria
as to when the activity needs to occur.
Organizations need to identify which materials and services that they buy can affect the quality of their
products. Then they need to establish criteria for selection of suppliers that can provide these materials and
services. The standard requires suppliers to be evaluated, based on predefined criteria determined by the
organization, before selection. The criteria will depend upon the type of product and its effect on other
processes and the final product.
Purchased product is any product procured by an organization from another source that is incorporated or
used in the production of the final product. Note that products need not be procured from an 'independent
source'; in some cases sister companies supply each other and are not totally independent. Maintain control
of your organization’s purchasing process by:
4. Maintaining records.
8.4.2 Type and Extent of Control
This requirement is comparable to the requirements from ISO 9001:2008 Clauses 7.4.1 – Purchasing Process
and Clause 7.4.3 - Verification of Purchased Product. You should seek and record evidence that your
organization has ensured that the supplied product or service meets the specified requirements. Confirm that
your organization has established and implemented a process of inspection to ensure that purchased products
conform to:
1. Purchase orders;
2. Delivery notes;
3. Product specifications;
4. National or international standards.
You could consider dividing your suppliers into groups based on the product or service they provide and what
effect it has on the quality of your products or processes, e.g. level I/II/III/etc. Based on those categories, you
can define the criteria for supplier evaluation and approval. You are free to define your supplier levels and
approval parameters accordingly, but, whatever rationale is opted for, it should be properly documented.
There is no ‘right way’ for vetting suppliers. To meet the intent of the clause you simply need to establish a
process with properly documented criteria which are based upon customer requirements. Such criteria might
include:
Technical:
1. Credit worthy;
2. Legally registered;
Your specific requirements:
ISO 9001 requires that the purchasing documentation contains the correct information before it is issued to a
supplier. This verification can be undertaken by the Procurement Manager. Describe the product to be
purchased by:
1. Documented information that defines the characteristics of the product or service is available;
2. Documented information that defines the activities that need to be performed to produce the
product or deliver the service is available, and that this specifies the results that are to be achieved;
3. Monitoring and measurement takes place at appropriate points in the production process to ensure
that both the processes themselves and the process outputs meet the organization’s acceptance
criteria;
4. The process environment and infrastructure are suitable;
5. Suitable monitoring and measurement resources are made available;
6. Personnel are competent and, where necessary, appropriately qualified;
7. For processes where the results cannot be verified by subsequent monitoring or measurement,
the process itself is initially validated and then periodically re-evaluated;
8. Product and service release, delivery and post-delivery activities are implemented.
8.5.2 Identification & Traceability
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.3 - Identification and
traceability. You should seek and record evidence that product is identified (as appropriate) and its status with
regards to monitoring and measuring (conforming or not) is identified throughout the manufacturing
processes. Where traceability is a requirement, you should expect to see that your organization is controlling
and recording the unique identification of the product.
There are several ways of identifying products. The most obvious is using tags or stickers with part numbers,
bar codes, job numbers, etc. The identification may be engraved in the product itself, or the product may simply
be marked by a colour. Establish and implement a procedure to identify the product through the design,
development, manufacture and delivery stages:
The auditor will expect to see that product is identified (as appropriate) and its status with regard to
monitoring and measuring (conforming or not) is identified throughout the product realization processes.
Where traceability is a requirement, the auditor will expect to see that the organization is controlling and
recording the unique identification of the product.
Check that your organization communicates with its customers in regard to the handling and treatment of
their property. You should also check that contingency plans and, where relevant, actions are undertaken when
non-conformities occur with customer property. Good sources of information often include the following
examples:
8.5.4 Preservation
This is a new requirement. The auditor will expect to see that adequate measures are taken to protect/preserve
the product during internal processing and delivery to the intended destination. Preservation, packaging and
other product-specific handling methods are likely to be an output of the product design process. The
preservation process must include the following:
1. Identification – this relates to Identification and Traceability; however, for preservation of product
it is a requirement and not ‘as applicable’. You should expect to see that all products are clearly
identified;
2. Handling – you should verify that suitable handling methods are implemented throughout the
processes. This may include bulk handling using moving equipment or physical contact where
handling may influence product conformity;
3. Packaging – you should expect to see that methods have been established for packaging the
product to preserve its integrity;
4. Storage – you should expect to see that product is stored in a manner that safeguards the product;
5. Protection – you should verify that appropriate measures are in place to protect product. This will
vary depending on the product.
8.5.5 Post-delivery Activities
This is a new requirement. Your organization must meet requirements for post-delivery activities associated
with the products and services. In determining the extent of post-delivery activities that are required, the
organization shall consider:
In the olden days of ISO 9001:2008 this would have been addressed by Clause 7.3.7 Design & Development
Outputs. ISO 9000:2015 Term 3.3.10 defines change control as ‘activities for the control of the output after
formal approval of its product configuration information’. The clause requires an organization to make changes
in a thoughtful manner and to consider the potential impact on other processes, products and possibly the
customer. Key items to consider are:
1. Is the impact of the change evaluated to determine its effects on work in process or products already
delivered?
2. What process control documentation (procedures, travellers, forms, etc.) will need updating as the
result of change to be implemented?
3. Was the change approved prior to implementation including, where applicable, approval by the
customer, statutory or regulatory authority?
4. Does retained documented information indicate the source of change and information on necessary
actions and approvals?
You should seek objective evidence that your organization has implemented a process to control unplanned
changes in accordance with the requirements set out above.
The release of product or delivery of service must not be completed until the planned requirements (7.1) have
been met. ‘Release’ of product may include, according to product planning and the verification stages, release
to the next operation, release to an internal customer, release to final customer, etc.
For product release or service delivery, the planning requirements may be waived, but must be approved by
relevant authority and by the customer as appropriate. Monitor and measure product characteristics to ensure
they are able to demonstrate:
By keeping records of your non-conformities, it is easier to spot negative trends and examine the root cause
and eliminate the cause of your problems. This, in turn, should result in fewer defective products or process
outputs and could lead to more satisfied customers.
If you have manufactured a product, inspected it and found it to be out of specification, it is most likely to be
deemed nonconforming product. In some instances, you will have to scrap the defective product but in other
situations you may be able to do some remedial work and bring it back into specification.
What the clause is telling us is that the product should then be subject to further inspection to verify that it is
now correct. As for records, if you documented the non-conforming product there should normally be
somewhere to verify that you successfully (or not) cured the problem and that it is now conforming.
Re-verification simply means that you cannot assume that because someone tells you they have corrected the
problem then it is ok. The clause is asking you to re-verify by whatever means you originally chose. If you used
inspection as a method of verification then re-inspect in the same method. If not, use whatever method suits
you (or your customer). Just make sure it is ok before it leaves!
The re-verification after remedial work might involve testing as well as inspection. The reason is not just to
verify that the defect has been removed, but also to assure that fresh defects have not been introduced by the
rework.
Records would be as appropriate for the re-inspection or re-testing performed. Re-verification is equivalent to
re-inspection and records could include a signature of approval or a more formal test report.
Generally, you could take two routes. If you have an internal non-conformance then depending on your NCR
documentation, your verification could be documented on your non-conformance report. If your
non-conformance is external, you should supply evidence of conformance to your customer.
You may need to supply new evidence of conformance to your customer along with corrective action
documentation if requested. The method that you use in either of these situations should be defined in your
EQMS and procedures, that way you relieve yourself and your auditor from guessing how you would address
them.
Where necessary, any product or process outputs that do not conform to specified requirements should be
properly identified and controlled to prevent unintended use or delivery. Improvements are then implemented
to ensure the non-conformance does not reoccur. Control non-conforming products by:
2. Any temporary corrections that are implemented to mitigate the effect of the Non-conformity (e.g.
refund, credit, upgrade, etc.)
3. The identification, segregation and replacement of the service
4. Equipment, service providers and environment.
This will enable you to judge whether the control of such non-conforming services is effective. In such
situations the EQMS and processes should have provisions to capture data on the non-conformities and to
feedback information, at the appropriate management level, for the effective definition and implementation of
corrective actions. Evidence will need to be sought to justify effective implementation of these techniques.
1. Fire;
2. Accidental emissions to the atmosphere;
3. Accidental discharges to water;
4. Accidental discharges to land;
Identifying potential accidents and emergency situations requires intimate knowledge of operations, including
processes, materials used, and operating practices. When determining potential accidents and emergency
situations, consult the following sources:
How does your organization carry out these monitoring and measurement activities in order to ensure that the
results obtained are valid? These methods may include, as appropriate, statistical techniques to be applied to
the analysis of those results. Consider also when monitoring and measurement should be carried out and at
what stage the results of monitoring and measurement should be analyzed and evaluated.
You should note the additional requirement for your organization to evidence evaluation of the results of
monitoring and measurement, not just their analysis. They should confirm that the organization has considered
what, how and when to measure and that the outcomes of this decision are ensuring appropriate
process control.
Also note a new requirement to monitor the performance and effectiveness of your organization’s EQMS. You
should expect to see that your organization has developed a process (method, techniques, format, etc.) to
identify, collect and analyse various data and information from both internal and external sources, including:
1. EQMS records;
2. Monitoring and measuring results;
3. Process performance results;
4. Meeting objectives;
5. Internal audit findings;
6. Customer surveys and feedback;
7. 2nd or 3rd party audit results;
8. Competitor and benchmarking information;
9. Product test results;
10. Supplier performance information.
This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the
integrated management system and its processes. The ‘output’ (result of the analysis) must provide information
(understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight
to:
Monitoring and measuring EQMS operations and activities will establish a mechanism to ensure that your
organization is meeting its policies, objectives and targets. In order to meet this requirement, your organization
must perform six steps:
1. Step 1 - Identify the activities that can have significant impacts and risks;
2. Step 2 - Determine key characteristics of the activity to be monitored;
3. Step 3 - Select the best way to measure the key characteristics;
4. Step 4 - Record data on performance, controls and conformance with objectives and targets;
5. Step 5 - Determine the frequency with which to measure the key characteristics;
6. Step 6 - Establish management review and reporting.
Establish the monitoring and tracking criteria for each activity that has a significant impact or risk and review
the action plan. You should incorporate any monitoring and measurement information to cover these same
activities.
Just collecting data on customer perceptions is not sufficient; you should seek and record evidence that your
organization has analyzed and evaluated customer data and that conclusions have been made with regard to
the effectiveness of the EQMS.
1. Are there any trends?
2. Is the situation stable, improving, or deteriorating?
3. Are customer needs and expectations changing?
Both internal and external auditors will look for proof that a consistent and systematic approach has been
implemented to deal with customer complaints. This approach would typically include defined responsibilities
for logging and tracking complaints, clearing technical issues, determining problem causes and actions to
address them. Specific examples of complaints must be sampled.
The link between the customer complaint process and corrective action also requires special scrutiny.
Determine appropriate methods for monitoring and measuring customer satisfaction by:
This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the quality
management system and its processes. The ‘output’ (result of the analysis) must provide information
(understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight
to:
The Certification Auditor’s role is not to verify the result of the compliance audit, but to assess the effectiveness
of the audit process and the actions taken. An understanding of compliance status must be demonstrated.
Therefore, your organization must have the means (inspections, tests, audits) that are frequent and robust
enough to ensure that knowledge and understanding of compliance status is maintained.
In ISO 9001:2008 and ISO 14001:2004, the purpose of the internal audit is to ‘determine whether the
management system conforms to requirements and is effectively implemented and maintained’, i.e. to actually
make the judgment. In the 2015 version of the standards, the purpose of the internal audit is to simply ‘provide
information’ as to whether this is the case. Subsequent determination is now undertaken by relevant
management, e.g. during management review meetings.
The resulting scores are highlighted to indicate whether the process requires more frequent auditing based on
its ability to affect the customer and how well it is performing. This is a great way to mathematically substantiate
your audit schedule. You should then schedule processes with high, red scores for additional audits, perhaps
three or even more times per year.
Status
You should consider process status in terms of maturity and stability; a more established, proven process will
be audited less frequently than a newly implemented or recently modified process and should receive a lower
status score. Conversely, processes which are not performing to the planned arrangements should be assigned
a higher status score.
Importance
You should consider process importance as the degree of direct impact that process performance has on
customer satisfaction; i.e. could the process provide the customer with non-conforming product? Support
processes should be given a lower ranking than the manufacturing/service provision processes. In addition,
the results of previous audits should be considered too. Processes that have been audited recently that have
shown effectiveness and improvement should be audited less frequently.
this method provides a great way to engage with them and to objectively justify the audit programme to Top
management.
Customer Complaints
Simply put, enter the actual number of complaints in the relevant cell that is related to the process. Customer
complaints are ranked very highly in terms of seriousness and will elicit a red warning on the total score heat
map to highlight that process as requiring greater audit scrutiny.
Corrective Actions
Include the number of open corrective actions in the relevant cell that is related to the process. The corrective
actions should be included and must cover all those that were raised internally or externally. External corrective
actions rank higher in terms of importance than internal corrective actions. External corrective actions might
arise from customer audits, registrar audits or from other stakeholders.
Auditors should not necessarily expect to find a documented internal audit procedure in place. However, they
must be able to access documented information confirming the implementation of an audit programme by
the organization. Documented information must also be available to evidence the results of audits. When
designing the audit programme you should ensure that customer feedback, organizational changes, and risks
and opportunities have been brought into consideration.
The purpose and final outcome of the management review should be continual improvement of the EQMS. As
your organization’s EQMS increases in its effectiveness and efficiency, your environmental performance will
likewise increase.
Here's what ISO 9001:2015 is really all about: defining a policy and creating a plan with relevant objectives.
You then implement the system according to the plan. You then begin auditing, monitoring and measuring
performance against the plan and reacting to your findings. Bi-annual management reviews are insufficient in
frequency to be able to react to any issues effectively.
Performance metrics should be monitored with varying frequencies, some hourly, some daily, some weekly and
some monthly. Management cannot wait for six months to respond; if they do, it will be too late. Every time
management convenes to review and react to performance, it is considered as a management review. Whether
they are reviewing an individual's performance, departmental programmes and projects, etc., this should be
considered as valid management review.
Some companies have multiple review levels, whereby each review may require multiple subjects and rely
upon multiple metrics as inputs. Sometimes subjects are reviewed at more than one level, e.g. production
numbers might be reviewed by the Production teams during daily production meetings and then by senior
management, possibly weekly.
Top management might conduct weekly meetings in which they review metrics and objectives to determine if
any corrective action is required. The process owner is then responsible for reporting close out progress in the
meeting a week later. Undertake management reviews in order to:
Auditors should expect to evidence the same outputs from management reviews as at present. However, they
should note that the results of management reviews can now be held in any format that the organization
chooses. The management review process should focus on the following inputs:
10.0 Improvement
10.1 General
Your organization should actively seek out and realize improvement opportunities that will better enable it to
achieve the intended outcomes of its EQMS. Potential sources of improvement opportunities include the results
of analysis and evaluation of environmental and quality performance, compliance, internal audits and
management reviews.
Improvement often does not take place on a ‘continual’ basis. Sometimes improvement can be effected
reactively through corrective actions, incrementally over time, by a step change or breakthrough, creatively
through innovation or by re-organization and transformation. Look out for objective evidence that
improvement is taking place. However, while improvement does not need to be continuous, it does need to
be evidenced as occurring.
1. Take whatever action is necessary to control and correct the nonconformity, and to deal with any
resultant environmental impact;
2. Determine what caused the nonconformity and then consider whether the potential for a similar
problem remains;
3. Consider whether any further action is required to prevent a similar nonconformity recurring at the
same place or occurring somewhere else, at some point in the future;
4. Determine if a similar non-conformity has occurred elsewhere and consequently whether it needs to
take similar corrective action.
There may be instances where it is impossible to completely eliminate the cause of non-conformity, so in
such instances, the best organizations can do is to reduce the likelihood or the consequences of a similar
occurrence happening again in order to reduce the risk to an acceptable level.
Application criteria:
1. The symptom(s) has been defined and quantified;
2. The customer(s) who experienced the problem(s)/symptom(s) are identified;
3. Measurements taken to quantify the problem(s)/symptom(s);
4. Look for a performance gap;
5. The cause is unknown;
6. Symptom complexity exceeds the ability of one person to resolve.
Establish an investigation team with:
1. Process and/or product knowledge;
2. Allocated time;
3. Authority to solve the problem and implement corrective actions;
4. Skill in the required technical disciplines;
5. A designated Team Leader.
Define the Problem
Describe the internal/external customer problem by identifying what is wrong and detail the problem in
quantifiable terms. Define, verify and implement the interim containment action to isolate the effects of the
problem from any internal/external customer until permanent corrective actions (PCA) are implemented.
Validate the effectiveness of the containment actions.
1. Plan (Re-plan);
2. Do (Implement);
3. Check (Monitor);
4. Act (Evaluate);
Identifying the Root-Cause
Isolate and verify the root-cause by testing each possible cause against the problem description and test data.
Also isolate and verify the place in the process where the effect of the root-cause should have been detected
and contained (escape point).
Once you have reviewed the problem description, you can begin a comparative analysis. A comparative analysis
will help you identify relevant changes in a change-induced situation. Then you can reduce the number of
possibilities that you must consider to determine root-cause. To complete a comparative analysis:
1. Ask yourself; what is unique, peculiar, different, or unusual about the symptoms?
2. Consider features such as people, processes, materials, machines and the environment;
3. List all facts without prejudice as to the possible cause.
Consider each difference you listed and look for changes. Ask yourself:
1. Ask, ‘Does this theory explain the symptoms and data, if so how?’
2. Test the theory against each individual condition.
If a theory explains the problem, but lacks information necessary to explain why it happened, gather data:
If additional information reveals that a theory cannot fully explain why the problem happened, eliminate it from
consideration. If it is not feasible to gather and evaluate additional information, try to verify each remaining
theory. Start verification with the theory that best explains the symptoms.
A control system is a system deployed to monitor the product/process and ensure compliance to quality
requirements. A control system consists of responsibilities, procedures, and resources. A control point is a
location within the control system at which the product/process is checked for compliance to the quality
standards.
A product or process may have more than one control point within the system. When you identify the escape
point, you can work to improve or establish a system to ensure that if problems occur, they will not go
undetected. To understand how the problem escaped and to identify the escape point:
1. Review the process; focus on the part of the process where the root-cause occurred;
2. Determine if a control system exists to detect the problem.
If none exists, the development of a new control system must be considered as part of the problem solution.
If a control system currently exists:
Determine whether your organization identifies improvement opportunities and EQMS underperformance
using the data output from its processes, such as from analysis and evaluation, internal auditing, management
review, and the use of appropriate tools and methodologies to support and validate findings. Ensure that your
organization has implemented the identified opportunities for improvement in a controlled manner.
You should seek objective evidence that your organization has implemented a process, with appropriate methods,
techniques, and formats for identifying areas of underperformance or opportunities for improvement. You
should expect to evidence that your organization has selected the appropriate tools and techniques to
investigate the causes, thereby establishing and implementing a process for continual improvement. The
impetus for continual improvement must come from the use of (as a minimum):
1. EQMS Policies;
2. Risks and opportunities;
3. EQMS objectives;
4. Aspects and impacts;
5. Analysis and evaluation of data;
6. Audit results;
7. Management review;
8. Non-conformity and corrective action.
Requirements for continual improvement interrelate with the following clauses:
1. EQMS planning;
2. EQMS objectives;
3. Risks and opportunities;
4. Recommendations for improvement;
5. Improvement of the system, processes and products;
6. Analysis and evaluation of data;
7. Non-conformity and corrective action.
Processes can always be made more efficient and effective, even when they are producing conforming
products. The aim of a continual improvement programme is to increase the odds of satisfying customers by
identifying areas that need improvement. It requires the organization to plan improvement systems and to
take into account many other activities that can be used in the improvement process.
You will be required to ensure that you continually improve the degree to which your products and services
meet customer requirements and to measure effectiveness of your processes. To this end the continual
improvement principle implies that you should adopt the attitude that improvement is always possible and
your organization should develop the skills and tools necessary to drive improvement.
The PDCA cycle is a perfect way of introducing continual improvement to your organization’s activities. Each
step to improvement can be defined by four sub steps, Plan, Do, Check and Act:
1. Plan: Establish a timetable for internal audits and management reviews. Establish the objectives and
processes necessary to deliver results in accordance with your customer’s requirements and your
organization’s policies.
2. Do: Implement changes designed to solve the problems on a small scale first to see the effect. This
minimizes disruption to routine activity while testing whether the changes will work or not.
3. Check: Monitor and measure processes and product against policies, objectives and requirements
and report the results. Also check on key activities to ensure that the quality of the output is
conforming and not influenced by the changes.
4. Act: Take actions to continually improve process performance. Implement the changes on a larger
scale, if the experimental changes have proven to be successful. This means making the changes a
routine part of the activity.
Also act to involve other people, departments or suppliers affected by the changes and whose co-operation is
needed to implement them on a larger scale. Make sure that changes are documented properly according to
the documentation requirements.