
www.iso9001help.co.uk

Control of Documented Information

EQMS Integrated Management System Guidance
ISO 9001:2015 & ISO 14001:2015
Clause-by-Clause Interpretation
Integrated Management System Guidance
ISO 9001:2015 & ISO 14001:2015

Table of Contents
1 INTRODUCTION
1.1 IMPLEMENTATION & DEVELOPMENT
1.2 MANAGING THE CHANGE
1.3 TOP MANAGEMENT COMMITMENT
1.4 SENIOR MANAGEMENT ENGAGEMENT
1.5 IMPLEMENTATION TEAM
1.6 GAP ANALYSIS
1.7 TEAM MEETINGS
1.8 CHOOSING YOUR REGISTRAR

2 DOCUMENTED INFORMATION

3 COMMON REQUIREMENTS

4 ABOUT YOUR ORGANIZATION
4.1 ORGANIZATIONAL CONTEXT
4.2 RELEVANT INTERESTED PARTIES
4.3 INTEGRATED MANAGEMENT SCOPE
4.4 INTEGRATED MANAGEMENT PROCESSES

5.0 LEADERSHIP & GOVERNANCE
5.1 LEADERSHIP & COMMITMENT
5.1.1 EQMS Management
5.1.2 Customer Focus
5.2 CORPORATE POLICIES
5.2.1 Establishing the EQMS Policies
5.2.2 Communicating the EQMS Policies
5.3 ROLES, RESPONSIBILITIES & AUTHORITIES

6.0 EQMS PLANNING
6.1 GENERAL
6.1.1 Actions to Address Risks & Opportunities
6.1.2 Environmental Aspects
6.1.3 Compliance Obligations
6.2 EQMS OBJECTIVES
6.2.1 Objectives
6.2.2 Objectives & Planning to Achieve Them
6.3 PLANNING FOR CHANGE

7.0 SUPPORT
7.1 RESOURCES
7.1.1 General
7.1.2 People

www.iso9001help.co.uk © 2018 Page 1 of 82



7.1.3 Infrastructure
7.1.4 Environment for the Operation of Processes
7.1.5 Monitoring & Measuring
7.1.6 Organizational Knowledge
7.2 COMPETENCE
7.3 AWARENESS
7.4 COMMUNICATION
7.4.1 General
7.4.2 Internal Communication
7.4.3 External Communication
7.5 DOCUMENTED INFORMATION
7.5.1 General
7.5.2 Creating & Updating
7.5.3 Control of Documented Information

8.0 OPERATION
8.1 OPERATIONAL PLANNING & CONTROL
8.2 REQUIREMENTS FOR PRODUCTS & SERVICES
8.2.1 Customer Communication
8.2.2 Determination of Requirements for Products & Services
8.2.3 Review of the Requirements for Products & Services
8.2.4 Changes to Requirements for Products & Services
8.3 DESIGN & DEVELOPMENT OF PRODUCTS & SERVICES
8.3.1 General
8.3.2 Planning
8.3.3 Inputs
8.3.4 Controls
8.3.5 Outputs
8.3.6 Changes
8.4 EXTERNALLY PROVIDED PROCESSES, PRODUCTS & SERVICES
8.4.1 General
8.4.2 Type and Extent of Control
8.4.3 Information for External Providers
8.5 PRODUCTION & SERVICE PROVISION
8.5.1 Control of Production & Service Provision
8.5.2 Identification & Traceability
8.5.3 Property Belonging to Customers or External Providers
8.5.4 Preservation
8.5.5 Post-delivery Activities
8.5.6 Control of Changes
8.6 RELEASE OF PRODUCTS & SERVICES
8.7 NON-CONFORMING PROCESS OUTPUTS, PRODUCTS & SERVICES
8.8 ENVIRONMENTAL EMERGENCY SITUATIONS


9.0 PERFORMANCE EVALUATION
9.1 MONITORING, MEASUREMENT, ANALYSIS & EVALUATION
9.1.1 General
9.1.2 Customer Satisfaction
9.1.3 Analysis & Evaluation
9.1.4 Evaluation of Compliance
9.2 INTERNAL AUDIT
9.2.1 Internal Audit Programme
9.2.2 Internal Audit Checklists
9.3 MANAGEMENT REVIEW
9.3.1 General
9.3.2 Inputs
9.3.3 Outputs

10.0 IMPROVEMENT
10.1 GENERAL
10.2 NON-CONFORMITY & CORRECTIVE ACTION
10.3 CONTINUAL IMPROVEMENT


1 Introduction
The purpose of this document is to outline a potential integrated management system to meet the
requirements of ISO 9001:2015 and ISO 14001:2015. The integrated management system is designed to be
implemented to function within current business practices and serves as an effective tool to help your business
grow and improve.

The application of the integrated management system is scalable and generic, regardless of the size and type
of organization. The elements that form a typical EQMS are the same; please refer to the figure below. The
primary goal is to achieve a set of consistent processes that provide a route for enhancing customer
satisfaction, mitigating uncertainty and providing meaningful data for continuous improvement activities.

[Figure: Typical Elements of an Integrated Management System using PDCA. Labels: Plan, Do, Check, Act;
Initial review; Commitment; Policies; Organization & Personnel; Context & requirements; Identify aspects,
impacts & risks; Identify compliance obligations; Set objectives; Management programmes; Competence &
Awareness; Operational control; Monitoring & measurement; Auditing; Management Review; Improvement.]


You may decide to keep your current quality and environmental management systems and simply amend them
where necessary. Some of you may take this as an opportunity for a complete revamp of the management
system. Both courses of action are entirely reasonable, and this guidance document will guide you through
the essential elements that you need to address in order to become certified.

The integrated management system includes the processes and procedures required to achieve compliance with
quality and environmental requirements, and highlights their interaction with other support processes.
Top management must take responsibility for leadership and commitment, and take an active part in
developing and maintaining the management system. It is necessary to have well defined processes, both
operational and support, to be able to realize the product or service. Customer satisfaction has to be measured
and analyzed so that the organization can be improved continually.

The implementation of a formal management system is best handled as a specific project that is led by
someone with project management experience. Ideally, they should be a key member of the organization’s
management team and have sufficient authority and trust of the personnel involved. In the ideal situation this
person will also be the Management Representative, but skills in project management are highly beneficial.

Integration itself is not difficult to implement; rather, the concepts themselves are sometimes difficult to
interpret and can therefore be difficult to apply in the real world. For instance, concepts such as
non-conformances, hazards, impacts and corrective action systems might seem burdensome at first, but the outputs
of these concepts will soon be an invaluable source of information that should be used to drive your corporate
objectives. In order to implement the integrated management system, we recommend that you follow the steps
in this guidance document.

1.1 Implementation & Development


Begin with the assumption that you are already doing most of what ISO requires; you probably are! Many
people talk about the high cost of implementing management systems but this is a false assumption. If you do
it right and understand the standards, then implementation should not be a problem since 75% of your
management system is already in place. Here are some initial review tasks to consider:

1. Identify legal and regulatory compliance requirements related to EQMS performance;
2. Compare actual performance with external standards, regulations, codes of practice and guidelines;
3. Identify activities, products, services that cause impacts on the environment and/or pose legal risks;
4. Review existing management procedures;
5. Compare actual operations with internal policies and procedures;
6. Identify policies and procedures dealing with external contracts for services and suppliers;
7. Review investigations of previous EH&S incidents, accidents and ‘near misses’;
8. Gather the views of internal and external interested parties;
9. Assess if/how other internal systems can help or interfere with EQMS performance;
10. Do a gap analysis comparing what is in place with what ISO 9001 & 14001 require;
11. Consider ‘benchmarking’ with other organizations’ EQMS.

By implementing a management system like the one detailed in this document, your organization will have the
necessary foundation to enact a culture change. It is expected that the culture shift will start during the early
development and implementation phase, and by getting involvement and consultation from the employees at
this early stage, you can more easily secure buy-in by assigning responsibility and utilising their skills,
knowledge and experience to help develop the management system.

1.2 Managing the Change


The organizational migration from a pre-certification state to one that operates within the rigors of an ISO
based management system is not a casual task. There must be a tightening of how processes are managed
and there are often changes in staff interactions, responsibilities and accountability. Such changes are unlikely
to succeed without the dedicated support of both the executive and operational management.

The greatest resource of any company is its people, so strategies for managing both real and perceived
change, or concerns and attitudes, should be addressed during the initial planning of the EQMS. It is likely that
during the first few months, Top management will need to positively reinforce its requirements on a routine
basis to ensure that staff maintain motivation and do not lapse back into old habits.

Iterative adjustment of new or existing management system documentation should also be expected as staff
become accustomed to the requirements and begin to suggest improvements in usability. Instant business or
operational improvements may initially be observed. The benefits of a properly functioning EQMS are not just
restricted to the knowledge that it complies with regulatory requirements but that it has the discipline to
manage customer requirements effectively and to mitigate risk.

1.3 Top Management Commitment


Implementation takes time, money and other resources. Make sure you have Top management’s commitment
before continuing the implementation project. Be sure that Top management are solidly behind
implementation of the EQMS because without that commitment, the implementation process becomes almost
impossible. Top management should demonstrate their initial commitment to the implementation project by
ensuring that:

1. The implementation mandate is communicated and understood;
2. Appropriate resources are made available;
3. An appropriate budget is made available.

Understand why your organization is implementing an integrated management system. Is it because a client
or the market requires you to register? Is it for internal benefits? Is the motivation coming from top
management? Whatever the reasons for implementation, keep them visible during the implementation project
as this helps to retain commitment and to maintain focus on the end goal.

It will no longer be appropriate to have one representative driving the EQMS on behalf of the rest of the
organisation. Top management is accountable for the success of the EQMS and as such should lead, promote
and direct others to ensure it drives quality and environmental benefits.

This is a significant change from the requirements of ISO 9001:2008 and ISO 14001:2004, where Top
management appointed a Management Representative, signed the policies and attended management review
meetings. Top management can be one or more people but must have cross-functional influence in order to
integrate the EQMS with current business processes and to ensure EQMS compatibility with your organization’s
strategic direction.

1.4 Senior Management Engagement


The first step in engagement could be to brief your senior team on the changes. Attendance should be
encouraged as failure to transition effectively could mean the loss of the ISO accreditation certificates.
However, on a more positive note, for many organizations the new standards could act as a watershed moment
where the environment plays a significant part in generating value for your organization. Engagement can be
further enhanced by reviewing the quality and environmental achievements of your organization. These are
often greater and broader than expected because the initiatives are categorised under economic rather than
quality or environmental improvement. This realisation builds commitment to do more. By developing
engagement, the senior team are more likely to contribute to the other changes such as the context review
and stakeholder analysis.

1.5 Implementation Team


Top management should consider creating an Implementation Team to assist in developing the new
management system. This decision should be based on the size of the organization or facility that will be
implementing the EQMS. This team should consist of key individuals from various divisions, departments, and
operating work areas from within your organization who are familiar with the facility and the various processes
within. Diversity among team members will bring together a pool of expertise and ideas from which to develop
and implement the EQMS.

One of the key moments in the implementation process is defining the individual responsibility of management
and employees for the introduction of different elements into current working processes. That is why the most
experienced employees from the company should be involved in this process. Following this methodology, a
team of experienced and engaged key personnel should be formed at the beginning of the implementation
process. The implementation team should include personnel that have the authority to devote resources to
the project and to remove roadblocks.

The implementation team should meet on an ‘as needed’ basis according to the project timeline. When the
implementation team meets, they must address the items on their task list. Spread out the implementation
team meetings along the implementation timeline so you do not have too many meetings at one time. For
example, you may want to have the document control team meet early in the project to establish a system to
collect and control the documents that will be generated, whereas the internal audit team would meet later in
the process because audits will not begin until the system is complete.

For certain activities, consulting organizations may provide expertise and guidance, which can be useful in the
implementation of the EQMS. However, internal staff should be involved throughout the process because they
will need to operate the EQMS on a daily basis.

1.6 Gap Analysis


Prior to commencing your transition to the new standards, you should answer the following questions; a ‘no’
indicates a gap and an area you will need to concentrate on.

1. Are Top management engaged and involved with the EQMS?
2. In addition to existing quality and environmental teams, are other functions involved with the EQMS;
e.g. procurement, design, production, finance, HR and operations?
3. Is the management system integrated with business processes such as project sign off, competency
matrices, procurement requirements and business communications and meetings?
4. Does your EQMS take account of the risks and opportunities resulting from trends, macro
environmental or big picture issues (political, economic, social, etc.)?
5. Does the EQMS consider the impact of a changing environment on your organisation?
6. Do the requirements of internal and external stakeholders help shape the EQMS?
7. Is there an existing environmental communication plan (formal or informal) in place?
8. Are robust monitoring and measurement and internal audit procedures in place to ensure quality
and environmental data is reliable?
9. Are environmental aspects considered at each stage of the lifecycle?
10. Are environmental and quality requirements imposed upon contractors and suppliers?
11. Is information on significant impacts made available to end users and those involved with final
disposal and transport of your products or services?

The knowledge obtained about the status of your existing management system will be a key driver of the
subsequent implementation approach. Armed with this knowledge, you can establish accurate budgets,
timelines and expectations which are proportional to the state of your current management system when
directly compared to the requirements of the standards.

Your organization may already have in place a management system or parts of a system. If this is the case, you
will want to determine how closely your system conforms to the requirements of ISO 9001 and ISO 14001.

The results of a gap analysis exercise will help to determine the differences, or gaps, between your existing
management system and the requirements of the standards. Not only will this analysis identify the gaps, but it
also should determine the size of the gaps. These findings will lead to recommendations, project plans, and
the identification of necessary resources for filling the gaps.

The gap analysis output also provides a valuable baseline for the implementation process as a whole and for
measuring progress. Try to understand each business process in the context of each of the requirements of the
standards by comparing different activities and processes with what the standards require. At the end of this
activity you will have a list of activities and processes that comply and ones that do not comply. The latter list
now becomes the target of your implementation plan.

Use the gap analysis checklists to compare the requirements of the standard against your organization’s
existing management system. Each question in the checklist refers to a requirement that must be met in order
to comply with ISO 9001:2015 and ISO 14001:2015.

At the end of this activity you will have a list of activities and processes that comply and a list of processes that
do not comply. The latter list now becomes your action plan. Also consider the effectiveness of what's being
practiced on a day to day basis. It is not unusual for an organization to overlook something which needs some
work to make it effective. Congratulations, you have just conducted the first audit of your new management
system!

1.7 Team Meetings


After the Implementation Team members have been selected, an initial orientation meeting should be held. At
the meeting, everyone involved should be informed of the organization’s planned implementation as well as
team members’ new responsibilities.

The initial orientation meetings will get the programme off to a good start, but many more meetings will be
necessary. While the primary activities taking place during the early meetings will involve system development
and implementation, the Team Leader may also wish to use this time to provide team members with some
training.

The Implementation Team should meet on a regular basis to resolve problems and to report progress. Meeting
minutes should be documented as they may prove helpful when working with Certification Auditors. In some
cases, auditors’ questions may be answered by the documented meeting notes.

1.8 Choosing your Registrar


The registrar is a third-party certification auditor who will formally assess your management system and issue
a certificate if the system meets the requirements of ISO 9001:2015 and ISO 14001:2015. When choosing a
registrar, you should consider their industry experience, geographic coverage, price and service level offered.
The key is to find a registrar who can meet your requirements and who is able to certify against all three
standards. For further information regarding accredited certification bodies, please see the following:

Worldwide: www.iso.org/iso/en/info/ISODirectory/countries.html

Within the UK: www.ukas.org, www.irca.org

Different organizations look at their registrations differently; some organizations prefer to have multiple
business units or locations on a single certificate. You can register one location in an organization or you can
register the entire organization.

You can even, theoretically, register one part of an individual facility. You should address this issue in your
registration scope statement. You should discuss the scope of registration very early in your contact with the
registrar, prior to or during the selection process.

The scope of registration and certification will need to reflect precisely and clearly the activities covered by
your organization's EQMS; any exclusion to non-applicable requirements of the standards should be
documented and justified in the EQMS manual. No single business-related activity should exist outside of the
scope.

2 Existing Documented Information


The extent of the documented information will differ from one organization to another because of the
size of the organization and its activities, processes, products and services; the complexity of processes and
their interactions; and the competence of personnel.

In ISO 9001:2008, the quality manual helped to establish and document the framework of your organization's
quality management system while articulating those aspects of the management system to any interested
parties. While there is no requirement for a management system manual or even documented procedures in
ISO 9001:2015 or ISO 14001:2015, it is suggested that if your existing documentation adds value, then it
should not simply be binned. You will be expected to maintain the integrity of the management system during
the transition process.

You do not need to renumber your existing documentation to correspond to the new clauses. It is down to
each organization to determine whether the benefits gained from renumbering will exceed the effort involved.
Neither do you need to restructure your management system to follow the sequence and titles of the
requirements. Provided all of the requirements contained in ISO 9001:2015 and ISO 14001:2015 are met, your
organization’s management system will be compliant.

1. If your system manual fits your business and your customers or regulators require it, keep it!
2. If your procedures are effective and define how your key processes operate, keep them!
3. If the policies and related objectives align with current business strategy, and they are communicated
and adding value, keep those too!

Maintain the following as a type of ‘documented information’:

| Maintain the following as a type of documented information | Clause |
|---|---|
| The scope of the environmental and EQMS | 4.3 |
| Information necessary to support the operation of processes | 4.4 |
| Quality and environmental policies | 5.2 |
| Risk and opportunities that need to be addressed | 6.1.1 |
| EQMS aspects and impacts and their criteria to determine significance | 6.1.2 |
| Information about an organization’s compliance obligations | 6.1.3 |
| EQMS objectives | 6.2 |
| Documented information required by ISO 9001:2015 and ISO 14001:2015 | 7.5.1a |

Retain the following as a type of ‘documented information’ as a record:

| Retain the following as a type of documented information as a record | Clause |
|---|---|
| Documented information to the extent necessary to have confidence that the processes are being carried out as planned | 4.4 |
| Evidence of fitness for purpose of monitoring and measuring resources | 7.1.5.1 |
| Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) | 7.1.5.2 |
| Evidence of competence of people doing work under the control of the organization that affects the performance and effectiveness of the EQMS | 7.2 |
| Evidence of communications to external parties and interested parties | 7.4.1 |
| Documented information required by the EQMS | 7.5.1b |
| Results of the review and new requirements for the products and services | 8.2.3 |
| Records to demonstrate compliance with design and development requirements | 8.3.2 |
| Records of design and development inputs | 8.3.3 |
| Records of the activities of design and development controls | 8.3.4 |
| Records of design and development outputs | 8.3.5 |
| Design and development changes, including the results of the review and the authorization of the changes and necessary actions | 8.3.6 |
| Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and any actions arising | 8.4.1 |
| Evidence of the unique identification of outputs when traceability is a requirement | 8.5.2 |
| Records of property of the customer or external provider that is lost, damaged or non-conforming and of its communication to the owner | 8.5.3 |
| Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken | 8.5.6 |
| Records of authorized release of products for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) | 8.6 |
| Records of non-conformities, actions taken, concessions and the identity of the authority deciding the action in respect of the nonconformity | 8.7 |
| Evidence of the evaluation of the performance and the effectiveness of the EQMS | 9.1.1 |
| Evidence of compliance evaluations | 9.1.2 |
| Evidence of the implementation of the internal audit programme | 9.2.2 |
| Evidence of internal audit results | 9.2.2 |
| Evidence of the results of management reviews | 9.3.3 |
| Evidence of the nature of the non-conformities | 10.2.2 |
| Evidence of any subsequent actions taken to correct non-conformities | 10.2.2 |
| Results of any corrective actions | 10.2.2 |

3 Common Requirements
The integrated management system (EQMS) shares common requirements that are stipulated by ISO
9001:2015 and ISO 14001:2015. The table below cross-references these common requirements to the section
headings found within this document, as well as within the EQMS manual:

| EQMS Section No. | EQMS Manual Heading | BS EN ISO 9001:2015 Clause Ref. | BS EN ISO 14001:2015 Clause Ref. |
|---|---|---|---|
| 4.0 | About our Organization | 4.0 | 4.0 |
| 4.1 | Organizational Context | 4.1 | 4.1 |
| 4.2 | Relevant Interested Parties | 4.2 | 4.2 |
| 4.3 | Integrated Management Scope | 4.3 | 4.3 |
| 4.4 | Integrated Management Processes | 4.4.1 & 4.4.2 | 4.4.1 & 4.4.2 |
| 5.0 | Leadership & Governance | 5.0 | 5.0 |
| 5.1 | Leadership and Commitment | 5.1 | 5.1 |
| 5.1.1 | EQMS Management | 5.1.1 | 5.1 |
| 5.1.2 | Customer Focus | 5.1.2 | N/a |
| 5.2 | Corporate Policies | 5.2 | 5.2 |
| 5.2.1 | Establishing & Communicating | 5.2.1 | 5.2 |
| 5.2.2 | Policy Statement | 5.2.2 | 5.2 |
| 5.3 | Roles, Responsibilities and Authorities | 5.3 | 5.3 |
| 6.0 | EQMS Planning | 6.0 | 6.0 |
| 6.1 | General | 6.1 | 6.1 |
| 6.1.1 | Risk & Opportunities | 6.1.1 | 6.1.1 |
| 6.1.2 | Environmental Aspects | 6.1.2 | 6.1.2 |
| 6.1.3 | Compliance Obligations | 6.1.3 | 6.1.3 |
| 6.2 | EQMS Objectives | 6.2 | 6.2.1 |
| 6.2.1 | Objectives | 6.2 | 6.2.1 |
| 6.2.2 | Objectives & Planning to Achieve Them | 6.2 | 6.1.4 & 6.2.2 |
| 6.3 | Planning for Change | 6.3 | N/a |
| 7 | Support | 7.0 | 7.0 |
| 7.1 | Resources | 7.1 | 7.1 |
| 7.1.1 | General | 7.1.1 | 7.1 |
| 7.1.2 | People | 7.1.2 | 7.1 |
| 7.1.3 | Infrastructure & Natural Resources | 7.1.3 | 8.1 |
| 7.1.4 | Operational Environment | 7.1.4 | N/a |
| 7.1.5 | Monitoring and Measuring Tools | 7.1.5 | N/a |
| 7.1.6 | Organizational Knowledge | 7.1.6 | N/a |
| 7.2 | Competence | 7.2 | 7.2 |
| 7.3 | Awareness | 7.3 | 7.3 |
| 7.4 | Communication | 7.4 | 7.4.1 |
| 7.4.1 | Internal Communication | 7.4 | 7.4.2 |
| 7.4.2 | External Communication | 7.4 | 7.4.3 |
| 7.5 | Documented Information | 7.5 | 7.5 |
| 7.5.1 | Management System Documents | 7.5.1 | 7.5.1 |
| 7.5.2 | Creating and Updating | 7.5.2 | 7.5.2 |
| 7.5.3 | Controlling Documented Information | 7.5.3 | 7.5.3 |
| 8.0 | Product & Service Development | 8.0 | 8.0 |
| 8.1 | Operational Planning & Control | 8.1 | 8.1 |
| 8.1.1 | Environmental Management | 8.1 | N/a |
| 8.1.2 | Quality Management | N/a | 8.1 |
| 8.2 | Determining Requirements for Products | 8.2 | 8.1 |
| 8.2.1 | Customer Communication | 8.2.1 | 8.1 |
| 8.2.2 | Determining Requirements | 8.2.2 | 8.1 |
| 8.2.3 | Reviewing Requirements | 8.2.3 | 8.1 |
| 8.2.4 | Changes in Requirements | 8.2.4 | 8.1 |
| 8.3 | Design & Development | 8.3 | 8.1 |
| 8.3.1 | General | 8.3.1 | 8.1 |
| 8.3.2 | Planning | 8.3.2 | 8.1 |
| 8.3.3 | Inputs | 8.3.3 | 8.1 |
| 8.3.4 | Controls | 8.3.4 | 8.1 |
| 8.3.5 | Outputs | 8.3.5 | 8.1 |
| 8.3.6 | Changes | 8.3.6 | 8.1 |
| 8.4 | Control of Suppliers & External Processes | 8.4 | 8.1 |
| 8.4.1 | General | 8.4.1 | 8.1 |
| 8.4.2 | Purchasing Controls | 8.4.2 | 8.1 |
| 8.4.3 | Purchasing Information | 8.4.3 | 8.1 |
| 8.5 | Production & Service Provision | 8.5 | 8.1 |
| 8.5.1 | Control of Production & Service Provision | 8.5.1 | 8.1 |
| 8.5.2 | Identification & Traceability | 8.5.2 | 8.1 |
| 8.5.3 | 3rd Party Property | 8.5.3 | 8.1 |
| 8.5.4 | Preservation | 8.5.4 | 8.1 |
| 8.5.5 | Post-Delivery Activities | 8.5.5 | 8.1 |
| 8.5.6 | Control of Changes | 8.5.6 | 8.1 |
| 8.6 | Release of Products and Services | 8.6 | 8.1 |
| 8.7 | Control of Non-conforming Outputs | 8.7 & 10.2 | 10.2 |
| 8.8 | Control of Emergency Situations | N/a | 8.2 |
| 9.0 | Performance Evaluation | 9.0 | 9.0 |
| 9.1 | Monitoring, Measurement, Analysis & Evaluation | 9.1 | 9.1 |
| 9.1.1 | General | 9.1.1 | 9.1.1 |
| 9.1.2 | Customer Satisfaction | 9.1.2 | N/a |
| 9.1.3 | Analysis & Evaluation | 9.1.3 | N/a |
| 9.1.4 | Evaluation of Compliance | N/a | 9.1.2 |
| 9.2 | Internal Audit | 9.2.1 & 9.2.2 | 9.2.1 & 9.2.2 |
| 9.3 | Management Review | 9.3 | 9.3 |
| 9.3.1 | General | 9.3.1 | 9.3 |
| 9.3.2 | Inputs | 9.3.2 | 9.3 |
| 9.3.3 | Outputs | 9.3.3 | 9.3 |
| 10.0 | Improvement | 10.0 | 10.0 |
| 10.1 | General | 10.1 | 10.1 |
| 10.2 | Non-Conformity & Corrective Action | 10.2 & 8.7 | 10.2 |
| 10.3 | Continual Improvement | 10.3 | 10.3 |

4 About Your Organization


4.1 Organizational Context
You should allow additional time to establish a suitable understanding of the circumstances, and the market
in which your organization operates. To be compliant, evidence should be obtained that demonstrates that
your organization is reviewing all pertinent internal and external issues at periodic intervals.

To assess whether your organization has a high-level, conceptual understanding of the internal and external
issues that affect, either positively or negatively, its ability to achieve the intended outcomes, you should
describe the processes used by your organization to identify internal and external issues and make reference
to all objective evidence, including examples of these issues. Examples of organizational issues might include:

1. Quality and environmental conditions capable of affecting or being affected by the organization;
2. External: cultural, social, political, regulatory, financial, economic, natural and competitive issues,
whether international, national, regional or local;
3. Internal: organization’s activities, products, services, strategic direction and capabilities (people,
knowledge, processes, systems).
You will need to determine and understand the various quality and environmental conditions, internal and
external issues, typically experienced in your type of organization that can have positive or negative impacts.

The standards do not specify that these internal and external issues, or their monitoring and review, be
documented, so there might not be ‘lists of issues’ or records of reviews. However, information can be obtained
via interviews with relevant Top management in relation to your organization’s context and its strategic
direction, the identified issues and conditions, and how these may affect the intended outcomes of the
Management System.

Collate evidence to provide assurance that your organization is regularly, or as necessary, reviewing and
updating its external and internal issues. Although there is no requirement for documented information to
define the context of the organization, your organization will find it helpful to retain the types of documented
information listed below to help demonstrate compliance:

1. Business plans and strategy reviews;
2. Competitor analysis;
3. Economic reports from business sectors or consultant’s reports;
4. SWOT analysis for internal issues;
5. PESTLE analysis for external issues;
6. List of external and internal EQMS issues and conditions;
7. EQMS action plans and objectives;
8. Annual reports;
9. Minutes of meetings (Management review and, e.g. design review minutes);
10. Process maps, tables, spreadsheets, mind mapping diagrams.

Reviewing your organization’s context could include interviews with senior management, questionnaires,
surveys and research. Cross-functional input is essential for the specific expertise required to identify the full
breadth of issues, such as finance, training, human resources, commercial, engineering and design, etc. Not
only will this ensure a broader appreciation of the context but also wider engagement, particularly with those
functions not previously involved with the EQMS.

A workshop approach often allows ideas to be shared and provides an effective and efficient way of achieving
a valuable outcome. The workshop could simply be a discussion identifying the issues that can be mapped out
using Political, Economic, Social, Technological, Legal and Environmental (PESTLE) analysis. This method helps
to structure the conversation and will also help to achieve buy-in to what is often seen as a peripheral or niche
area.

4.2 Relevant Interested Parties


Similar to the context review discussed above, cross-functional input is vital, as certain functions will identify
with particular stakeholders, for example procurement with suppliers, and sales with customers. A workshop
approach should be encouraged, which can be undertaken independently of, or in conjunction with, the context
review workshop.

Once stakeholders and their requirements are identified, the next step is to consider which stakeholder
requirements generate compliance obligations. Legal requirements should be identified before other
requirements. This process of adopting requirements will allow you to focus and coordinate on what’s
important.

You should allow additional time to determine whether your organization has adequately determined its
interested parties, their requirements, and their impact upon the EQMS. Determine which of these
requirements are considered to be your organization’s compliance obligations and describe the processes used
by your organization to identify the interested parties.

Make reference to all objective evidence, including examples of interested parties and any resulting compliance
obligations. Look for evidence that your organization has undergone a process to initially identify these groups,
and then to identify any of their requirements that are relevant to your organization’s EQMS. Examples of
interested parties might include:

1. Customers;
2. Communities;
3. Contractors;
4. Suppliers;
5. Regulators;
6. NGOs;
7. Business partners;
8. Shareholders.

You should also determine whether these groups’ requirements are reviewed and updated as changes in their
requirements occur, or when changes to your organization’s EQMS are planned. Ensure that your organization
has properly identified its interested parties, and subsequently determined whether any of their needs and
expectations are to be adopted as compliance obligations. Ensure that this process is revisited periodically
because the relevant requirements of relevant interested parties may change over time.

Although not specifically required, objective evidence could be a list or matrix of the interested parties, their
corresponding needs and expectations, and an indication of which of these have been accepted as compliance
obligations.
Compliance obligations might include:

1. All relevant legal requirements;
2. All requirements imposed by upper levels in the organization (for example corporate requirements);
3. All relevant requirements of relevant interested parties that the organization decides to comply with,
whether contractually (customers) or voluntarily (environmental commitments).
In order to determine the relevance of an interested party or its requirements, your organization needs to
answer: ‘does this interested party, or their requirements, affect the organization’s ability to achieve the
intended outcomes of its EQMS?’ If the answer is yes, the interested parties’ requirements should be captured.
There are many ways to capture this information, and your approach might include:

1. Information summarised as part of inputs to risk and opportunity registers (e.g. for ISO 9001 and ISO
14001 this could be an additional process in the identification of environmental aspects and impacts);
2. Recorded in a simple spreadsheet;
3. Logged and maintained in a database;
4. Captured and recorded through key meetings.
This section requires your organization to think clearly and logically about what can internally and externally
affect your management system, and to be in a position to demonstrate that this information is regularly
monitored and reviewed.

Communicating with stakeholders, particularly in relation to compliance obligations, is vital. Communication
with stakeholders should be based on performance data generated by your organization’s EQMS, which will
require robust monitoring and measurement to ensure that the data is reliable. You should ensure that the
monitoring and measurement processes are included in the internal audit programme so your organization
can assure itself that the checking processes are validated and that the data it is communicating is accurate.

4.3 Integrated Management Scope


You will need to verify that your organization’s scope exists as documented information (which may be in the
form of a Manual) in accordance with Clause 7.5.1a. Verify that the organization’s scope has been established
in consideration of your organization’s boundaries and the applicability of the EQMS.

There is now essentially a process by which a scope must be determined; simply declaring a scope and
excluding product-related aspects without evaluating the new considerations is not acceptable. Evaluate the
process by which the scope was determined and review any process or procedure, if present. The lack of
documented processes will require more reliance on objective evidence from interviews.

Look for confirmation that your organization has determined the boundaries and applicability of the EQMS to
establish its scope with reference to any external and internal issues referred to in 4.1 and the requirements of
relevant interested parties referred to in 4.2. The scope of your EQMS may include the whole of the
organization, specific and identified functions within the organization, specific sections of the organization, or
one or more functions across a group of organizations.

1. Has your organization determined the boundaries and applicability of the EQMS to establish its
scope?
2. Has your organization effectively considered the following prior to determining the scope of the
EQMS?
3. Has your organization effectively considered the extent of its control and influence, context, external
and internal issues, compliance obligations, physical and functional boundaries, activities, products
and services?
4. Has your organization made its scope available to all interested parties as documented information?
A statement from your organization that the scope can be provided upon request may be accepted
as objective evidence.
Check that this has been done in consideration of your organization’s context and your products. You should
review any exclusions previously noted under ISO 9001:2008 for ongoing suitability. Check that legacy issues
which limited scope and omitted activities do not affect product conformity. Check that they are recorded and
that the rationale for the exclusion is stated and justified.

4.4 Integrated Management Processes


ISO 9001:2015 and ISO 14001:2015 include specific requirements necessary for the adoption of processes when
developing, implementing and improving a management system. This requires your organization to
systematically define and manage processes and their interactions so as to achieve the intended results in
accordance with both the policy and strategic direction. Auditors will want to determine:

1. How well is the ‘process approach’ understood in the organization?
2. Is the EQMS in line with the organization’s context, and requirements of interested parties?
3. Is it likely the established EQMS will achieve its intended outcomes and enhance environmental and
quality performance?
4. Does it include the enhancement of EQMS performance?
5. Does it include the desire to fulfil compliance obligations and objectives?
Some documented information can be used to verify that your organization has implemented all required
management system processes. If these are working well for your organization then there is no need to replace
them.

Existing operational procedures, work instructions and flow charts are valid examples of documented
information and can be used as evidence that the requirement for ‘documented information to support the
operation of processes’ is being met. Check that process inputs and outputs are defined and review how each
of the processes is sequenced and how they interact. Look for evidence that your organization has:

1. Assigned duties/process owners (Clause 5.3);
2. Assessed risks and opportunities (Clause 6.1);
3. Provided resources (Clause 7.1);
4. Maintained and retained documented information (Clause 7.5);
5. Implemented measurement criteria (Clause 9.0);
6. Improved its processes and the EQMS (Clause 10.0).

Your organization should begin using quality and environmental performance indicators to control and
monitor issues, and associated risks and opportunities. These types of objective evidence will indicate that your
organization has successfully integrated the EQMS processes into its business processes. Evidence may include
management reviewing EQMS KPIs as part of regular business reviews, awareness of contractors and
employees of EQMS goals and expectations, etc.

Identifying Key Processes


Key processes are the steps that you go through to give the customer what they want, e.g. from order
acceptance to design through to delivery. Support processes, by contrast, do not contribute directly to what
the customer wants but do help the key processes to achieve it. Support processes often include human
resources, finance, document control, training and facilities maintenance, etc.

A good way to do this is to think about how work flows through your organization. Consider how the inputs
and outputs to the key processes flow from one process to the next, what sub-processes might exist within it
and how the support processes link in. For now, ignore the standard; in fact, put it in a drawer and forget it
exists. Instead, focus on your key processes and how the departments interface with each other.

Once you have defined the processes and interfaces, go back to the standard and determine which processes
are responsible for meeting which requirements. When defining your organization’s processes, think about
each process and department and try to define those processes around the current organizational model
and not around the requirements of the standard.

Certification auditors will expect to see a process model that explains the key processes of the business and
how each relates and links to the others. The depth of process explanation may be as detailed as the company
chooses but should be based on its customer and applicable regulations or statutory requirements, the nature
of its activities and its overall corporate strategy. You should expect to see evidence that your organization has
determined their processes and interactions. If your organization calls it a ‘process’, it must be monitored for
effectiveness and improved.

Sequence & Interaction


The auditor must see evidence that the organization has determined their processes and that the interactions
are also defined, all within the EQMS manual. Subsequently, this includes the actual and technical inputs and
outputs of the processes to show their inter-relationship. This requires the description of the interactions
between the processes and should include process names, process inputs and process outputs in order to define
their interactions. Interaction means how one influences the other. Auditors commonly agree that the
description of the interactions of the processes cannot be done if the processes are not determined (names).

The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to
demonstrate that the processes and their sequence and interactions were determined. Such documents may
be used by organizations should they deem them useful, but they are not mandatory. Graphical representation
such as flow-charting is perhaps the most easily understandable method for describing the interaction between
processes.

Outsourced processes must be controlled by the organization and these controls must be defined and
described within their system. Organizations are required to identify the controls they apply for any outsourced
processes. The facility EQMS manual must identify if outsourced processes are applicable. In addition, the client
shall have written documentation on the methods used to control the outsourced processes. Examples of some
outsourced processes are:

1. A process completed wholly or partially by a sister facility outside the scope of registration, such as
corporate performing design, purchasing or customer-related processes; this includes management
activities, i.e. business planning, goal setting, resources, data analysis, budgeting, etc. This may include
the entire element or a subsection, i.e. corporate completes supplier evaluation and re-evaluation of
suppliers and the registered site initiates purchase orders.
2. A process completed by an outside vendor or subcontractor, such as heat treating, plating,
calibration, painting, powder coating, etc. These types of processes may be controlled by the
purchasing process, where a formal contract or purchase order may be the controls. If this is the case,
written documentation would be the purchasing documentation and records; however, these
processes are required to be documented in the quality manual.

If an outsourced process is controlled through purchasing, there must be documented objective evidence to
ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused
on controlling products, not processes. The organization is responsible for ensuring that the outsourced process
is meeting the applicable requirements of ISO 9001:2008. Outsourced processes may be controlled through
such methods as, but not limited to:

1. Auditing;
2. Contractual agreements;
3. Process performance data review on an on-going basis;
4. Purchasing process.
Ensuring control over outsourced processes does not absolve the organization of the responsibility for
conforming to customer, statutory and regulatory requirements. The type and extent of control to be applied
to the outsourced process can be influenced by factors such as:

1. The potential impact of the outsourced process on the organization’s capability to provide a product
or service that conforms to requirements;
2. The degree to which the control of the process is shared;
3. The capability of achieving the necessary control through the application of the purchasing process.

5.0 Leadership & Governance


5.1 Leadership & Commitment
5.1.1 EQMS Management
You should seek and record evidence that Top management is taking a ‘hands-on’ approach to the
management of the EQMS. Be prepared to constructively challenge Top management’s commitment to the
EQMS. Auditing this tier of management is likely to be a new experience for many people, so it is important
that you have a good understanding of management activities in order to effectively engage with them.

Top management is now required to emphasize the importance of conforming to the EQMS requirements.
Additionally, it must also ensure that the EQMS is achieving its intended results, and that continual
improvement is driven within the organization. If it is evident that the Top management is not involved with
the EQMS, a major non-conformance is likely.

Auditors should look for evidence that top management has a ‘hands-on’ approach to the management of
their EQMS during interviews and auditing other requirements e.g. Context of the organization, policies and
objectives, Management review minutes, Resources etc. Evidence of Top management involvement may be
found in:

1. Business strategy plans and meetings;
2. Environmental goals and communications;
3. Information provided on the organization’s website;
4. Annual reports;
5. Management meeting minutes.
Management involvement must now be demonstrated and cannot be simply confined to annual management
reviews. Auditors should ensure that they are well prepared to interview the Top management in respect of
their commitment to their EQMS. A good understanding of management-related processes and language used
by Top management can be helpful to engage with management on a range of issues.

Without solid management commitment, you will not have a successful integrated management system. This
is not a commitment in words; it is the continuous and active demonstration to everyone in the organization
that the need to meet customers' expectations is vital. The actions required of Top management include:

1. Supporting the EQMS and actively promoting the agenda;
2. Encouraging the goal of meeting customer, regulatory and statutory requirements.

Develop and support the EQMS by:

1. Defining and communicating the EQMS policies;
2. Establishing organizational EQMS objectives;
3. Ensuring appropriate resources are available.

Implement and improve the EQMS by:

1. Encouraging employees to achieve requirements;
2. Reviewing EQMS performance;
3. Ensuring resources are available to improve the EQMS.

5.1.2 Customer Focus


Customer focus involves determining customer requirements and ensuring that processes exist to meet the
requirements and achieve customer satisfaction. Enhance customer satisfaction by ensuring that customer
requirements are identified. The principal message that Top management must convey is that the objective of
the business is to satisfy your customers by ensuring a process exists to achieve the following:

1. Identifying customer requirements;
2. Meeting customer requirements;
3. Enhancing customer satisfaction.

When auditing customer focus, the audit team should assess whether customer satisfaction is adequately
determined and appropriate corrective action undertaken when things go wrong. The customer feedback
process should be audited as a process in its own right and not just as a clause in the standard. Determine how
this process is planned, implemented and improved as these factors will affect the process’s ability to provide
meaningful information about the effectiveness of the EQMS.

5.2 Corporate Policies


5.2.1 Establishing the EQMS Policies
ISO 9001:2015 and ISO 14001:2015 now require an organization’s policies to be appropriate to both its purpose
and context. This means that once your organization has determined its context and the relevant requirements
of its interested parties, Top management must review the policies in light of that information.

You should review the quality policy to determine whether it is appropriate to the context of
the organization and its purpose, whether there is a commitment to continually improving the QMS, and whether
the quality objectives are consistent with the quality policy. Top management should demonstrate that the quality policy
is compatible with the strategic direction and context of the organization, as required by 5.1.1b.

Your organization will need to review the EQMS policies as necessary to ensure that any changes in context,
interested parties or their requirements are reflected in the policies, and to determine whether your organization’s objectives
are affected (6.2.1 a). The EQMS policies do not have to include objectives but should create a framework for
establishing them. The policies should be stated in such a way that they aim toward continual improvement. They
should be reviewed and possibly revised to meet higher aspirations.

Certification does not require that the policies include the words ‘continual improvement’; however, it must be
ascertained that processes of continual improvement are implied and known throughout the organization. To
meet the intent of this clause, the auditor would be looking for clearly defined EQMS policies that are
sufficiently detailed to provide a framework for the subsequent EQMS objectives that can be monitored for
continual improvement.

An auditor would not want to see a vague policy. The policies should be real and the objectives consistent with
the policies, meaning that the policies are implemented and the objectives cascaded throughout all levels of
the Management System. EQMS objectives may be the same as the business plan objectives.

The auditor’s intent is not just conformance to the requirements but also to assist an organization in meeting
its business objectives, better customer satisfaction and eventually more market share, which, in time, brings
more profits for the organization. When interviewing Top management, their input into, and commitment to,
the EQMS policies should be determined. For multi-site/corporate certifications, the policies must be
applicable for all sites and be fully integrated with the objectives. Develop and implement a policy that is
consistent with the company’s codes of conduct and business practices. The policy should be signed by senior
management and commit to:

1. Preventing incidents that could cause environmental harm and any process loss or quality impacts;
2. Complying with obligations and legal requirements;
3. Promoting continual improvement;
4. Adopting best practice;
5. Creating measurable and achievable targets for performance improvement;
6. Providing resources to achieve targets;
7. Communicating and consulting with all stakeholders regarding the EQMS;
8. Meeting customer requirements.

These policies will be the foundation of the EQMS and should reflect the goals of the business. The policy will
change as the business changes, but the underlying commitment to zero harm should not change.

5.2.2 Communicating the EQMS Policies


ISO 9001:2015 and ISO 14001:2015 require that the policies are maintained as documented information, refer
to Clause 7.5.1a. You should check whether the policies have been communicated and understood throughout
your organization. The policies must also be available to any relevant interested parties.

Auditors will wish to determine if the policies meet the intent and are understood, by interviewing personnel
at all levels. Although the exact content of the policies does not need to be recited by interviewees, the
awareness of the policies and how their job affects the company objectives should be determined. This does
not require your employees to memorize the policies but it does mean they should be aware of them, know where
they may be found and be able to paraphrase them, or give an interpretation as they apply to them.

If the personnel interviewed do not know what their measurable objectives are and/or do not know what the
organizational objectives are that they have a direct effect upon, the auditor would be further directed to
evaluate top management’s communication of the policies and objectives.

Inferred awareness through knowledge of procedures is not considered sufficient; otherwise why have the
requirement in the first place? A quick and convenient way to promote and communicate the policy might be
to create a shortened version of the main policy; try condensing it to five key words or even a couple of short
sentences. This can be posted on bulletin boards in each department.

You could even add it to the reverse side of staff security passes or ID badges. If an auditor asks an employee
whether they are aware of the policy, they can point to the bulletin board or point to it on their badge. The
employee can elaborate to the auditor what the policy means to them and how it influences their work.

5.3 Roles, Responsibilities & Authorities


Each employee needs to know who is responsible for the various elements of the EQMS to ensure a successful
implementation. You should develop and make available to all employees a list of key personnel and their job
descriptions, responsibilities, along with an organizational chart of key employees as they relate to the EQMS.

Examples might include an organization chart, defined job roles prior to recruitment, allocated job descriptions
to personnel and linking these activities to the processes within your business. This should effectively define,
document, and communicate the organizational structure of the EQMS. Please note that this method is a
suggestion, and other ways of meeting the requirement for organizational structure may be used. Develop an
organization chart and create job descriptions to satisfy the requirements:

1. Clearly define roles, responsibilities and authorities;
2. Communicate those responsibilities and authorities throughout your organization.

There is no longer a requirement for the appointment of a Management Representative (MR), though the duties
currently assigned to the MR under ISO 9001:2008 or ISO 14001:2004 must still be undertaken but can be
assigned to different personnel. Examples of objective evidence to verify implementation might include:

1. Communication of roles, responsibilities and authority;
2. Processes and procedures to fulfil requirements are adequately resourced;
3. Awareness of expectations is demonstrated in all relevant levels of the organization;
4. Reporting on the operation (audits & inspections) and performance of the EMS is done (business
meetings, KPI reviews, etc.).

Describe how Top management assigns responsibility and authority to maintain EQMS conformity. Has your
organization delegated responsibility and authority to a ‘System’ Manager, or are the duties assigned to
Department Heads?

Describe how Top management assigns responsibility and authority for monitoring and reporting on the
operation and performance of the QMS, via audits and inspections, business meetings, and KPI reviews, etc.
Assignment of relevant roles, responsibilities and authorities across the organization e.g. top management,
functional leaders, heads of departments, process owners, lead process users, end users etc. relating to:

1. Conformance of the EQMS requirements, ISO 9001 and ISO 14001 (4.3);
2. Delivery of process output results (4.4.1);
3. Reporting of EQMS performance and improvement opportunities (9.3);
4. Promoting customer focus (5.1.2);
5. Maintaining EQMS integrity when change occurs (6.3).

You should seek evidence that your organization’s personnel have not only been advised of their EQMS
responsibilities and authorities, but also that they understand these in the context of the overall purpose of
the EQMS. You should also ensure that Top management have assigned responsibility and authority for
preserving the integrity of the organization’s EQMS during changes.

6.0 EQMS Planning


6.1 General
6.1.1 Actions to Address Risks & Opportunities
Although risks and opportunities have to be determined and addressed, there is no requirement for a formal,
documented risk management process. Confirm that your organization has a methodology in place that
enables it to effectively identify risks and opportunities with respect to the planning of its EQMS. Reference
to risk-based thinking is present in the following clauses of the standards:

1. Determine and address risks (Clause 4.4.1);
2. Promote risk-based thinking (Clause 5.1.1);
3. Ensure risks determined and addressed (Clause 5.1.2);
4. Determine risks that need to be addressed to achieve intended results (Clause 6.1.1);
5. Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2);
6. Control those risks identified (Clause 8.1);
7. Evaluate effectiveness of actions on risks (Clause 9.1.3);
8. Review effectiveness of actions on risks (Clause 9.3.2);
9. Improve the EQMS responding to risk (Clause 10.3).

The risks and opportunities should be relevant to the context of your organization (Clause 4.1), as well as to any
interested parties (Clause 4.2). You should ensure that your organization has applied this risk identification
methodology consistently and effectively.

What process has been developed to identify risks and opportunities? In the absence of documented
processes/procedures, you may need to use observations and interviews (and a review of the process output,
which may contain documented evidence) to determine whether or not
undocumented processes are being carried out as planned.

External and internal issues, and relevant needs and expectations of relevant interested parties may be sources
of risks. Objective evidence may be in the form of a dedicated risk matrix, risks added to other forms such as
an aspect register, corrective/preventive action log and forms, etc. Not all of the processes of an EQMS
represent the same level of risk in terms of your organization’s ability to meet its objectives. For this reason,
the consequences of failures or non-conformities in relation to processes, systems, products and/or services
will not be the same for all organizations.

When deciding how to plan and control the EQMS, including its component processes and activities, your
organization needs to consider both the type and level of risk associated with them. Ensure that your
organization is taking a planned approach to addressing risks and realizing opportunities, and that any actions
taken have been recorded. Options to address risks and opportunities can include:
1. Avoiding risk;
2. Taking risk in order to pursue an opportunity;
3. Eliminating the risk source;
4. Changing the likelihood or consequences;
5. Sharing the risk;
6. Retaining risk by informed decision;
7. SWOT analysis by the organization as part of its business strategy to identify the external risk and
opportunities and action plan to address them;
8. Formal business risk assessment performed by the organization taking into consideration its context,
associated risk and opportunities and mitigation plan;
9. Use of process approach by organization to identify sources of input, activities, output, receiver of
output, performance indicators to control and monitor processes, the risks and opportunities
associated with them and action plan to address them.

Why is Risk Management Important?
The concept of risk in the context of ISO 9001:2015 and ISO 14001:2015 relates to the uncertainty in achieving
the objectives of the EQMS. Risk will influence every aspect of your organization’s operations. Understanding
the risks you face and managing them appropriately will enhance your ability to make better
decisions and to achieve your objectives.

Your organization should begin to view the management of risks to its people, assets and all aspects of its
operations as an important responsibility. Implement and maintain a risk management process to protect and
support your organization’s responsibilities. An effective risk management approach is not only good business
practice but provides organizational resilience, confidence and benefits, including:

1. Provides a rigorous decision-making and planning process;
2. Provides the flexibility to respond to unexpected threats;
3. Takes advantage of opportunities and provides competitive advantage;
4. Equips managers with tools to anticipate changes and threats, and to allocate appropriate resources;
5. Provides assurance to Top management and stakeholders that critical risks are being managed;
6. Enables better business resilience and compliance management.

Risk Management Methodology
Risk will influence every aspect of your organization’s operations. Understanding the risks and managing them
appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance
your ability to provide products and services and to achieve your mission and goals.

By considering risk throughout your organization the likelihood of achieving stated objectives is improved,
output is more consistent and customers can be confident that they will receive the expected product or
service. Risk-based thinking therefore helps to:
1. Improve customer confidence and satisfaction;
2. Assure consistency of quality of goods and services;
3. Establish a proactive culture of prevention and improvement;
4. Intuitively take a risk-based approach.

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s
transition to risk-based thinking, using an approach that ring-fences processes into ‘risk themes’ or groups
such as:

1. Business planning and strategic direction;
2. Process risk;
3. Product and service risk;
4. Risk associated with the control of externally provided product and service.

| Risk Theme | PDCA | Clause References | Activity |
|---|---|---|---|
| Business Planning and Strategic Direction | Plan | 4.1, 4.2 | Has the organization identified both internal and external issues and interested parties that are relevant to and/or support the strategic direction of the organization? |
| Business Planning and Strategic Direction | Do | 5.2.1 | Is the strategic direction being utilized as an input to the EQMS policies, objectives, risk management and the management review processes? |
| Business Planning and Strategic Direction | Check | 4.1, 4.2, 5.1.1, 9.3.2 | Is the EQMS being assessed and reviewed in accordance with the strategic direction? |
| Business Planning and Strategic Direction | Act | 10.3 | Is the EQMS being updated as necessary in response to changes in any of the above? |
| Process Risk | Plan | 4.4.1, 6.1, 6.2, 6.3, 8.5.6 | When establishing the EQMS and planning for change, have risks to achieving process objectives been identified? |
| Process Risk | Do | 8.1 | Have the identified process risks been addressed? |
| Process Risk | Check | 6.1.2, 9.1.3, 9.3.2 | Is the organization analyzing the effectiveness of actions taken to address process risks? |
| Process Risk | Act | 10.2.1, 10.3 | Following analysis and corrective action is there evidence that process risks have been updated? |
| Product and Service Risk | Plan | 5.1.2, 6.1, 6.2, 8.1, 8.2.2, 8.2.3, 8.3.2 | Have risks to achieving product or service conformity been considered: 1. As part of the planning for operational control? 2. When determining and reviewing customer requirements? 3. And has product complexity been considered during design planning? |
| Product and Service Risk | Do | 8.1, 8.2.3.1, 8.3.3 | Have design and operational controls to address the identified product and service risks been implemented? |
| Product and Service Risk | Check | 9.1.3, 9.3.2 | Is the organization analyzing the effectiveness of actions taken to address product risks? |
| Product and Service Risk | Act | 10.1 | Has the organization determined and selected opportunities for improvement on product and service? |
| Risk associated with the control of externally provided product and service | Plan | 6.1 | Have risks associated with externally provided product, process (i.e. formerly named outsourced) or service been identified? |
| Risk associated with the control of externally provided product and service | Do | 8.4.1, 8.4.2 | Are the identified risks utilized as an input into the: 1. Potential impact of externally provided product, process or service? 2. Type and extent of controls? 3. Selection and evaluation of external providers? 4. Degree of information provided to these resources? |
| Risk associated with the control of externally provided product and service | Check | 8.4.1, 9.3.2 | Has the organization applied criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers? |
| Risk associated with the control of externally provided product and service | Act | 9.3.3 | Has the organization modified the controls applied to external providers based upon the results of evaluation? |

Risk Management Information


Documented information resulting from risk management activities such as risk management processes, plans
and reports, etc. should be maintained or referenced in either a risk management file or other appropriate
sources:

1. Design history file;
2. Technical file/documentation;
3. Device master record;
4. Device history record;
5. Process validation files.

Your organization should consider the benefits of integrating the risk management processes, documents and
records directly into your quality management system. The advantage of this could be a single document
control system, ease of use and review, accessibility, retention, etc.

Document controls, including document change controls, for risk management system documentation should
be the same as the controls for quality management system documentation. This documentation can be in any
form or type of medium.

Communication of Risks
Within your quality management system, consideration needs to be given to internal and external
communication of risk. Internal communication is necessary for all appropriate personnel to be aware of the
remaining risks even after implementing risk control measures.

Outsourced Processes
Your organization might outsource the provision of some processes or the manufacture of components,
subassemblies or entire units. In order to maintain control over the processes, your organization should
incorporate appropriate risk management activities for these processes and products by planning and by
ensuring risk control measures are appropriately applied. Before the approval and implementation of a change
to any outsourced process or product, your organization should:

1. Review the change;
2. Assess if new risks have been discovered; and,
3. Determine if current and/or new individual residual risks and/or the overall risk is acceptable according
to the predetermined existing acceptability criteria.

If risk control measures are applied to outsourced processes or products, the risk control measures and their
importance should be documented within the purchasing data or information and clearly communicated to
the supplier.

Design & Development


Risk management activities should begin as early as possible in the design and development phase when it is
easier to prevent problems rather than correcting them later.

For each identified hazard, the risk in both normal and fault conditions is estimated. In risk evaluation, you
should decide whether risk reduction is needed. The results from this risk evaluation such as the need for risk
control measures then become part of the design input.

Risk Registers
While not mandated by ISO 9001:2015 or ISO 14001:2015, risk registers can help identify and record the risks
and opportunities facing different areas of the business. Identifying risk is a critical step in managing it.
Risk registers will allow your organization to assess each risk against the overall context of your
organization and will help to record the controls and treatments of those risks. Risk registers can be developed
in tiers:

1. Strategic level;
2. Operational level;
3. Process level.

The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps
to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is
a table. A table presents a great deal of information in just a few pages. As the register is a living document, it
is important to record the date that risks are identified or modified. Optional dates to include are the target
and completion dates.

1. Description of the risk;
2. Risk Type (business, project, stage);
3. Likelihood of occurrence which provides an assessment on how likely it is that this risk will occur;
4. Severity of effect which provides an assessment of the impact that the occurrence of this risk would
have on the project;
5. Countermeasures and actions taken to prevent, reduce, or transfer the risk. This may include
production of contingency plans;
6. Risk owner who is responsible for ensuring that risks are appropriately engaged with
countermeasures undertaken;
7. Current status of whether this is a current risk or if risk can no longer arise and impact;
8. Other columns such as quantitative value can also be added.

Auditing Risk Management
The primary objective of auditing the risk management process is to provide an assurance framework that
underpins the risk management process. This should include reviews of processes and controls over high risks
as determined through the risk planning process.

The internal audit function provides independent appraisal of the adequacy and effectiveness of internal
controls. Recommendations should be provided, where applicable, for improvements to controls, efficiency
and effectiveness of processes.

Clauses that Promote Risk-based Thinking


Risk-based thinking is probably already part of your organization’s process approach as it forms a key part of
preventive action routines. Risk is often thought of only in the negative sense but risk-based thinking can also
help to identify opportunities and advantages; this is the positive aspect of risk management. There are six
clauses in ISO 9001:2015 that require your organization to consider risk:

1. Clause 4.4.1 requires your organization to determine the risks which can affect its ability to meet the
system objectives. Risk-based thinking means considering risk quantitatively as well as qualitatively,
depending on the business context.
2. Clauses 5.1.1 and 5.1.2 require Top management to demonstrate leadership and commit to
ensuring that risks and opportunities that can affect the conformity of a product or service are
determined and addressed.
3. Clauses 6.1.1 and 6.1.2 each require your organization to take action to identify risks and
opportunities, and plan how to address the identified risks and opportunities.
4. Clause 8 requires your organization to plan, implement and control its processes to address the
actions identified in Clause 6.
5. Clause 9 requires your organization to monitor, measure, analyze and evaluate the risks and
opportunities.
6. Clause 10 requires your organization to improve by responding to changes in risk.

The adoption of risk-based thinking will, over time, improve customer confidence and satisfaction by assuring
the consistency of the quality of goods and services brought on by establishing a culture of prevention and
improvement.

Risk Evaluation Process


Risk evaluation should become embedded into your organization’s day-to-day operations and should be
undertaken at all levels throughout your organization. The overall aim of risk evaluation is to ensure that
organizational capabilities and resources are employed in an efficient and effective manner to manage
opportunities and threats. Risk evaluation can be represented as a seven-step, cyclical process:

Step 1: Planning
Your organization should develop and document a plan that briefly describes how and when risk, in the form
of strengths, weaknesses, opportunities and threats, will be assessed, and who will be involved. This should
reflect the scope (including its complexity, interfaces, etc.), policies and objectives.

Step 2: Identification
In this step, your organization should systematically identify those risks associated with the scope of the
process that could significantly affect the achievement of objectives and product conformity.

Risk identification should be carried out with the full involvement of the relevant parties to ensure that the relevant
perspectives and expertise are represented (e.g. appropriately qualified representatives from various
functions, contractors, stakeholders, suppliers and specialists as appropriate).

Risk identification involves the relationship between your organization and the broader, external environment
or community. A range of issues should be considered in examining the strategic content, including:

1. Opportunities and threats associated with the local, regional, and global economic, social, political,
cultural, environmental, regulatory and competitive environments;
2. Key thrusts of stakeholder strategies;
3. Strengths and weaknesses in attaining objectives.

Operational risk identification involves gaining an understanding of the organisation’s capabilities, goals,
objectives, strengths and weaknesses by considering:

1. Organisational structure and culture;
2. Geographical/demographical;
3. The identity and nature of interaction with key internal or external stakeholders;
4. The existence of any operational constraints;
5. Objectives and key performance indicators;
6. Business resilience vulnerabilities;
7. Relevant issues relating to recent change management risk, performance or audit reviews;
8. Relevant stakeholder community concerns or requirements;
9. Regulatory and contractual requirements and constraints; and
10. Quality management systems.

Step 3: Assessment
This assessment process is vital in determining the need for controls aimed at either reducing risk to levels
deemed to be tolerable or meeting the requirements of legislation. The significance level (or risk rating) should
then be used to prioritise actions. Remember that the importance of this process cannot be overestimated. If
you get this process wrong, the whole system will be suspect.

The assessment of the severity of a risk should drive management attention and support the planning for risk
mitigation. Quantitative risk assessments (QRA) can be undertaken to provide an improved understanding of
the risk profile and derive a more detailed understanding of certain cost and time risks. The output of QRA can
also support decision making and monitoring of risk management activities.

Risk criticality (Table S1) is calculated by multiplying the likelihood (Table S2) by the consequences of risk (Table
S3). The resulting score (Table S4) is then used to prioritise the appropriate level of action.

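Risk Criticality (S1)

| Likelihood of Occurrence (L) \ Consequence Rating | Catastrophic | Major | Moderate | Minor | Negligible |
|---|---|---|---|---|---|
| Certain | 25 | 20 | 15 | 10 | 5 |
| Occasionally | 20 | 16 | 12 | 8 | 4 |
| Probable | 15 | 12 | 9 | 6 | 3 |
| Unlikely | 10 | 8 | 6 | 4 | 2 |
| Improbable | 5 | 4 | 3 | 2 | 1 |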

Likelihood (S2)

| Score | Likelihood | Description | Percentage | Probability |
|---|---|---|---|---|
| 1 | Rare | May only occur in exceptional circumstances | <0.1% | 1 in 1,000 |
| 2 | Unlikely | Could occur during a specified time period | 1% | 1 in 100 |
| 3 | Possible | Might occur within a given time period | 10% | 1 in 10 |
| 4 | Likely | Will probably occur in most circumstances | 50% | 1 in 2 |
| 5 | Almost Certain | Expected to occur in most circumstances | >95% | 1 in 1 |

Consequences (S3)

| Score | Impact | Quality | Cost | Programme |
|---|---|---|---|---|
| 1 | Negligible | Non-compliance with standard or procedure that can be managed. | Less than £1 million. | Variance (+) from current milestone or completion date, of estimated completion date of up to 5% or up to 10 days. |
| 2 | Minor | Developed component or system may not receive approval through assurance process. | £1-5 million. | Variance (+) from current milestone or completion date, of estimated completion date of >5% up to 10% or >10 days up to 20 days. |
| 3 | Moderate | Failure to manufacture component to meet design, specification or standards. | £5-10 million. | Variance (+) from current milestone or completion date, of estimated completion date of >10% up to 20% or >20 days up to 30 days. |
| 4 | Major | Failure of a major component or system leading to rejection. | £10-50 million. | Variance (+) from current milestone or completion date, of estimated completion date of >20% up to 40% or >30 days up to 60 days. |
| 5 | Catastrophic | Catastrophic failure of a component to function in either temporary or permanent state. | More than £50 million. | Variance (+) from current milestone stage or completion date, of estimated completion date of >40% or >60 days. |

Risk Exposure Score (S4)

| Score | Colour | Management Control Action (MCA) |
|---|---|---|
| 1 to 4 | Very Low | No mitigation, no action is required, the risk is ALARP. Monitor to ensure that the risk remains tolerable at this level. |
| 5 to 8 | Low | Maintain assurance that the risk remains tolerable at this level. Monitor and manage by routine procedures, unlikely to need specific application of resources (managers and key staff). |
| 9 to 12 | Medium | Tolerable if the cost of reduction would exceed the improvement gained. Mitigate through management by specific reviews and monitoring of procedures (Managers) but regular monitoring should occur. |
| 13 to 15 | High | Tolerable only if risk reduction is impractical or if cost is disproportionate to the improvement gained. Mitigate by implementing controls to reduce the risk to as low as is reasonably practicable. Where this cannot happen, continual monitoring should occur. |
| 16 to 25 | Very High | Intolerable, the risk cannot be justified, except in extraordinary circumstances. Mitigate by ceasing all related activities. |

Step 4: Response
For each risk, the risk owner must establish an appropriate level of mitigation. Control measures in addition to
those already existing may be needed to achieve this level of mitigation. When a response action is completed,
the risk should be reassessed (i.e. repeat Step 3) to reflect any newly introduced existing control measure.

Step 5: Review
Regular review and challenge is essential to ensure that risks are being appropriately managed, and that the
risk data remains accurate and reliable, reflecting any changes in circumstances or management activities.

Step 6: Reporting
Regular reports are necessary to inform and provide assurance to Top management and other key
stakeholders, that risks are being appropriately managed. Reporting must be based on current process data,
which must be updated and reviewed in good time for the reporting cycle (see Step 5 above).

On occasion, it may be appropriate to escalate a risk to ensure it is assessed and/or managed by the person or
party best placed to do so (able and with appropriate authority). For example, where a more substantial or
coordinated response is required than the current owner can authorise or implement, or where the risk severity
or its effects on the wider project justify higher level assessment and/or management.

Step 7: Monitoring
Continuous systematic and formal monitoring of implementation of the risk process and outputs will take place
against appropriate performance indicators to ensure process compliance and effectiveness. Monitoring may
take a variety of forms and range from self-assessment and internal audit to detailed reviews by independent
external experts.
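
The scoring chain from the steps above (Tables S2 to S4) and the reassessment in Step 4, as an added Python example that is not part of the original guidance. The register entries are constructed, and two rules are assumptions the tables do not state: the worst of the cost and programme scores is taken as the consequence score, and a value on a shared boundary (for example £5 million) takes the lower score.

```python
from dataclasses import dataclass, replace

# Table S4: (lowest score, highest score, rating)
S4_BANDS = [(1, 4, "Very Low"), (5, 8, "Low"), (9, 12, "Medium"),
            (13, 15, "High"), (16, 25, "Very High")]

# Table S3, Programme column: upper limit in days for scores 1 to 4.
S3_DELAY_LIMITS_DAYS = [10, 20, 30, 60]


def delay_score(days):
    """Consequence score from schedule slip in days (Table S3, Programme)."""
    for score, limit in enumerate(S3_DELAY_LIMITS_DAYS, start=1):
        if days <= limit:
            return score
    return 5  # more than 60 days


def cost_score(gbp_millions):
    """Consequence score from cost in GBP millions (Table S3, Cost)."""
    if gbp_millions < 1:  # "Less than £1 million"
        return 1
    # Assumption: a shared boundary value (5, 10, 50) takes the lower score.
    for score, limit in ((2, 5), (3, 10), (4, 50)):
        if gbp_millions <= limit:
            return score
    return 5  # "More than £50 million"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int      # Table S2 score: 1 (Rare) to 5 (Almost Certain)
    cost_gbp_m: float    # estimated cost impact, GBP millions
    delay_days: int      # estimated slip against the completion date

    def consequence(self):
        # Assumption: the worst dimension sets the consequence score.
        return max(cost_score(self.cost_gbp_m), delay_score(self.delay_days))

    def criticality(self):
        """Likelihood multiplied by consequence, as in Table S1."""
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"likelihood must be 1 to 5, got {self.likelihood}")
        return self.likelihood * self.consequence()


def rating(score):
    """Map a criticality score to its Table S4 band."""
    for low, high, label in S4_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside Table S4")


def prioritise(register):
    """Highest criticality first, so action is directed at the worst risks."""
    return sorted(register, key=lambda r: r.criticality(), reverse=True)


def reassess(risk, new_likelihood):
    """Step 4: rescore a risk once a response action has been completed."""
    return replace(risk, likelihood=new_likelihood)


# Constructed register entries, for illustration only.
REGISTER = [
    Risk("Supplier delivers late", likelihood=4, cost_gbp_m=0.5, delay_days=25),
    Risk("Calibration lapse on test rig", likelihood=2, cost_gbp_m=12, delay_days=5),
    Risk("Design fails assurance", likelihood=4, cost_gbp_m=60, delay_days=70),
]

if __name__ == "__main__":
    for risk in prioritise(REGISTER):
        score = risk.criticality()
        print(f"{score:>2}  {rating(score):<9}  {risk.name}")
    after = reassess(REGISTER[2], new_likelihood=2)
    print("After response:", after.criticality(), rating(after.criticality()))
```

The Quality column of Table S3 is descriptive rather than numeric, so it is left to the assessor and not scored here.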

Training & Communication


Your organization should ensure that it has documented and clarified the roles, responsibilities, accountabilities
and authorities at all levels of the business to address risk management. This ensures that a risk management
approach is embedded in your operations through a number of communication, training and support systems,
including:

Training
To ensure that adequate risk management competency levels are achieved and maintained, your organization
should provide training in the risk management process and its application. Specific risk management
training sessions should be held on an annual basis, aimed at providing an overview of the risk management
process. Instruments providing training on appropriate controls include:

1. Job descriptions, contracts;


2. Inductions;
3. Policies;
4. Procedures, process maps;
5. Terms of reference;
6. Performance planning;

Communication of Responsibilities & Accountabilities


Risk management responsibilities, accountabilities and authorities should be set out in the following
documented information:

1. Risk management policy;


2. Job/position descriptions;
3. Internet/intranet;
4. Project/process/product/service documentation;
5. Performance planning and review documentation;

6.1.2 Environmental Aspects


This is almost the same requirement as in the 2004 edition. Your organization must determine the
environmental aspects, and their impacts, of its activities, products and services under its control and influence.
Your organization has to establish criteria to determine which of these aspects have or can have a significant
environmental impact.

Significant environmental aspects can result in risks and opportunities with associated adverse or beneficial
impacts. Objective evidence must contain established criteria for evaluating significance of aspects (i.e., process
or procedure). Also, a register/matrix of aspects and impacts may be presented as evidence.

The new ‘Life-cycle Perspective’ consideration of environmental aspects and impacts has been broadened to
include an identification and evaluation process to consider aspects associated with:

1. Natural resources use (mining, water withdrawal);


2. Purchased raw materials;
3. Transportation;
4. Manufacturing, services, other activities;
5. By-products: air, waste and waste emissions;
6. Transportation of products;
7. Use of products and services;
8. End of life issues – recycling and disposal.

The term ‘environmental aspects’ is defined in the standard as ‘any element of an organization’s activities,
products or services which can interact with the environment’. In layman’s terms, environmental aspects cause,
or have the potential to cause, an environmental impact. Examples of environmental aspects include:

1. Emissions to air via smoke or fumes;


2. Waste water discharge;
3. The potential for accidental chemical spill;
4. The generation of waste and disposal of waste;
5. The use of resources, including water and energy;
6. The use of recycled materials;
7. Noise and vibration.

An environmental impact is defined as ‘any change to the environment, whether adverse or beneficial, wholly
or partially resulting from an organization’s activities, products or services’. A cause-and-effect relationship exists
between environmental aspects and environmental impacts, respectively.

For instance, an environmental aspect, or cause, can be the emission of volatile organic compounds (VOCs).
The environmental impact, or effect, is ozone depletion. To comply with ISO 14001 Section 4.3.1, the following
five actions should be taken:

1. Identify all of your organization’s activities, products and services;


2. Identify the environmental aspects of all activities, products and services that can be controlled or
influenced;
3. Identify the environmental impact(s) of each aspect;

4. Establish and maintain a procedure or method to identify any new or modified environment aspect or
impact;
5. Identify the most significant environmental impacts.

The identification of environmental aspects will form the foundation of your EQMS. The aspects that have
significant impacts on the environment will become the basis of your organization’s objectives and targets;
therefore, you will want to be thorough in completing this step. Developing a list of the organization’s activities,
products, and services can be a difficult task. The activity, product, or service should be small enough to be
understood, but large enough to be analyzed.

Environmental Aspects
The next step is to identify the environmental aspects for each activity, product and service. For each
environmental aspect that is identified, you should list any quantitative information that is applicable. For
instance, if an activity emits air pollutants, state the amount (e.g. 543 tons of CO2 per year, or 3.5 kg of
particulate matter per hour). The following is a list of additional information to include, if applicable:

1. Compliance obligations;
2. Other relevant requirements;
3. Permits and licences;
4. Record keeping requirements;
5. Pollution controls or treatment;
6. Best management practices;
7. Monitoring requirements.

Environmental Impacts
The next step is to identify and list the environmental impact of each environmental aspect. As you complete
this step, remember the cause-and-effect relationship discussed earlier. Please note that environmental impacts
can be positive or negative.

Examples of negative impacts include increased air pollution, potential contamination of the ground, or
depletion of natural resources. Positive impacts can include conservation of natural resources, improved
wetlands area, decreased soil erosion, and conservation of natural habitat.

Significant Impacts
ISO 14001 does not provide a standard or method with which to determine the significant impacts. Part of the
reason for not establishing a standard or method is that the significance of each impact can vary for each
organization based on various factors and concerns.

The standard lists several environmental and business-related factors and concerns to consider when
evaluating the significance of each environmental impact:

Environmental Concerns:
1. The scale of the impact;
2. The severity of an impact or a potential impact;
3. The probability of occurrence;

4. The duration of impact;


5. The frequency of an impact or a potential impact;
6. The location of facility.
Business Concerns:
1. The potential regulatory and legal exposure;
2. The difficulty of changing the impact;
3. The cost of changing the impact;
4. The effect of change on other activities and processes;
5. Any concerns of interested parties;
6. The effect on the public image of the organization.

6.1.3 Compliance Obligations
These compliance obligations can result in risks and opportunities to the organization. Obligations may arise
from mandatory requirements, applicable laws and regulations, voluntary commitments such as organizational
and industry standards, contractual relationships, principles of good governance and community and ethical
standards. The introduction of new legislation and changes to current legislation can be monitored through
the following sources:

1. NETRegs service www.netregs.gov.uk


2. Recycling envirowise.wrap.org.uk
3. Environment www.environment-agency.gov.uk
4. Environment www.netregs.gov.uk
5. Environment www.cedrec.com/home/index.htm
6. Relevant publications and professional bodies.

Documented information could be in the form of a list, or matrix of compliance obligations.

6.2 EQMS Objectives


6.2.1 Objectives
An effectively implemented integrated management system aligns the policies with strategic and management
system objectives and provides the framework upon which to translate these objectives into functional targets.

Establish and maintain documented EQMS objectives and targets, at each relevant function and level within
the organization. The objectives and targets establish an important link between the policies and the
management programmes. The objectives and targets must be consistent with the EQMS policies, including
the commitment to prevention of pollution and continual improvement.

Depending on the size, management structure, and other factors pertaining to your organization, the objectives
may be established and reviewed by various personnel and with direct top management input.

Auditors will expect to review a set of interrelated objectives, ensuring that they are mutually consistent and
that they are aligned with the strategic direction of your organization. Documented information of objectives
typically is in the form of a description or matrix of the objective and corresponding means and timeframe to
achieve the objectives.

Your organization will need to set its environmental and quality objectives for relevant functions, levels and
processes within its EQMS. It is for your organization to decide which functions, levels and processes are
relevant. A key addition in the 2015 revision of ISO 9001 and 14001 (and soon ISO 45001:2017) is the use of
indicators to monitor the achievement of objectives. Indicators are defined as a measurable representation of
the status of operations, management or conditions. Each objective will need one or more associated
indicators.

Objectives can apply to an entire organization, can be site-specific, or can be specific to individual activities.
The appropriate level(s) of management personnel should define the objectives and targets. In some cases,
personnel who set objectives may not be the same as those who set targets. Remember that the objectives are
the overall goals as reflected in the principles established in the policy.

The scope and number of the objectives and targets must be realistic and achievable. Otherwise, the success
and continued commitment from top management and employees will diminish. Consider the factors below,
as you begin to formulate your objectives:

1. Compliance obligations;
2. Significant aspects (aspects directly related to significant impacts);
3. Significant hazards (hazards directly related to risks);
4. Financial, operational, and business requirements;
5. Views of interested parties.
Targets must be quantified where practicable and the units that are used to quantify the targets are referred
to as key performance indicators (KPIs). A KPI is defined as an expression that is used to provide information
about management system performance. The following are some examples of KPIs:

1. The quantity of raw material or energy used;


2. The amount of waste produced;
3. The number of incidents/accidents;
4. The percentage of waste recycled;
5. Investment in environmental protection.

Carefully consider the type of KPI you choose to use. Suppose your organization establishes a target to reduce
its non-hazardous waste by 40 % and the KPI you choose is the total tonnage of waste produced each year
(tons/year). If your organization triples its production of units and reduces the amount of waste by 50 %
per product unit, the KPI, tons per year, does not show the reduction.

In this case, the better KPI would have been the weight of waste per product unit (kg per unit). In many
cases, measuring against the production units proves to be more accurate. The following is an example of an
objective with a specific target and an environmental performance indicator:

1. Objective: reduce energy required in manufacturing processes;


2. Target: achieve 15 % reduction of energy usage by 2018;
3. Indicator: quantity of electricity per production unit (kilowatt/unit).

Organizations are required to establish and maintain one or more management improvement programmes for
achieving their objectives. The management improvement programme is a key element to the success of the
EQMS. Properly designed and implemented, management programmes should achieve the objectives and,
consequently, improve your organization’s performance. The management programme must:

1. Address each objective and target;


2. Designate the personnel responsible for achieving targets at each relevant function/level of the
organization;
3. Provide an action plan describing how each target will be achieved;
4. Establish a time-frame or a schedule for achieving each target.
The management programme is an action plan or a series of action plans to achieve an objective.

6.2.2 Objectives & Planning to Achieve Them


Your organization must undertake planning in order to determine how its EQMS objectives will be achieved.
This planning includes determining the work required in order for the organization to realize its objectives. You
should look for evidence that effective planning is taking place to support the achievement of your
organization’s objectives.

Additionally, your organization must determine how it will evaluate the work done, including the use of
indicators, and whenever possible, to integrate these planned actions into its business processes. The use of
indicators needs to be audited in detail in order to determine whether:

1. Objectives are based on sound information;
2. Indicators are really related to the corresponding objectives;
3. Statistical tools are needed to define and to monitor objectives;
4. Indicators reach the expected values;
5. The organization can assure that the objective has been achieved.

You should seek and record evidence that effective planning was undertaken in support of the organization’s
quality objectives and their achievement. You should ensure that this planning activity takes into consideration
Clause 6.2.1, as well as the following points:

1. Identification of processes, resources, and skills needed to achieve quality;


2. Identification of suitable verification criteria at appropriate stages;
3. Compatibility of design, production, inspection and testing;
4. The confirmation of criteria of acceptability for all features and requirements;
5. Details of calibration of any special measuring or test equipment to be used.
Establishing an action plan for each objective may require considerable effort on the part of the personnel at
relevant levels within your organization. To ensure the progress of the action plan and a coordinated effort, a
target leader should be selected for each target. The target leader will be responsible for ensuring a target is
achieved within the specified time-frame. Once the action plan is established, you must implement it. You may
find that the following suggestions will help foster a cooperative effort in accomplishing the plan:

1. Involve your employees early in establishing and carrying out the action plans;
2. Communicate the expectations and responsibilities laid out in the action plans to those who need to
know;

3. Build on the plans and programmes you have now for EQMS compliance;
4. Keep it simple;
5. Focus on continual improvement of management programmes over time.
The integrated management programme should be revised regularly to reflect changes in your organization’s
objectives and targets. Track all new or modified operations, activities, and/or products in case the
management programme needs to be amended to reflect these changes.

6.3 Planning for Change


This is a new requirement to ensure that, once your processes are determined, your organization
identifies the risks and opportunities associated with these processes. In order to realize the benefits associated
with the identified risks and opportunities, subsequent changes may be needed. These changes could relate
to any aspect of any process, such as:

1. Inputs;
2. Resources;
3. Personnel;
4. Activities;
5. Controls;
6. Measurements;
7. Outputs.
Changes are intended to be beneficial but they need to be carried out when determined by your organization
as relevant and achievable. In addition, consideration of newly introduced risks and opportunities should also
be taken into account. To achieve the benefits associated with changes, your organization should consider all
types of change that may occur. These changes may be generated, for example, in:

1. Processes and procedures;


2. Documented information;
3. Infrastructure;
4. Tooling;
5. Process equipment;
6. Employee training;
7. Supplier evaluation;
8. Stakeholder management;
9. Interested party requirements.
You should seek and record evidence that your organization has retained documented information relating to
planning and implementing changes that impact upon the EQMS. Check that organizational knowledge is
reviewed before changes to the EQMS are made when responding to any change.

Ensure that your organization has planned how to integrate and implement the changes into its EQMS
processes. Check that your organization has considered:

1. The purpose of the changes and their potential consequences (risks and opportunities);
2. The integrity of the management system (how does the change affect current processes?);

3. The availability of resources (are resources allocated to effect change?);


4. The allocation or reallocation of responsibilities and authorities (are the right staff allocated?).

7.0 Support
7.1 Resources
Ensure that your organization has determined and provided the resources needed for the establishment,
implementation, maintenance and continual improvement of the EQMS. Check that your organization has
identified which resources it needs to make available in order to ensure the effective operation of the EQMS.
Resources will often include raw materials, infrastructure, finance, personnel and IT, all of which can be either
internally or externally provided.

Auditors may look at the budget to check that some funding has been allocated to the EQMS but they might
dig deeper, checking if the organization has really identified all types of resources required and that it has
taken action to ensure that those resources are available as needed.

7.1.1 General
You should seek and record evidence confirming that your organization has considered the need for external
resources in addition to the need for internal resources. Most organizations determine resource requirements
during management review meetings; you should review the management review minutes for evidence of
resource allocation.

7.1.2 People
You should seek and record evidence to confirm that your organization has provided the staff necessary for
the effective implementation of the EQMS and for the operation and control of its processes.

7.1.3 Infrastructure
You should seek and record evidence to confirm that your organization has provided the infrastructure
necessary for the effective implementation of the EQMS and for the operation and control of its processes.
Identify, provide and maintain infrastructure requirements necessary to achieve product conformance:

1. Buildings and workspaces;


2. Tools and process equipment, e.g. hardware or software;
3. Supporting services, e.g. transport, I.T. and communication.

7.1.4 Environment for the Operation of Processes
You should seek and record evidence to confirm that your organization has identified, provided and maintained
the infrastructure necessary for achieving product conformance. Provide a work environment that allows the
achievement of product conformity, considering the following factors:

1. A place of work that is safe, including all equipment and methods of work;
2. Training, instruction, information and supervision for employees;
3. A means of safe handling, storage, use and transportation of equipment, materials and chemicals;
4. Safe working environment with good lighting, ventilation, safe passageways, stairs and corridors.
All employees must:

1. Protect themselves and co-workers who may be affected by their actions and behavior;
2. Use appropriate personal protective equipment (PPE) and/or clothing provided;
3. Report any unsafe acts or conditions and follow procedures and work instructions.

7.1.5 Monitoring & Measuring


This requirement is comparable to ISO 9001:2008 Clause 7.6 - Control of Monitoring and Measuring
Equipment. You should seek and record evidence to confirm that where measurement traceability is a
requirement that instruments used for measurement are subject to the following controls:

1. Devices are calibrated at intervals or prior to use, based on recognized standards;


2. Devices are adjusted as necessary in accordance with manufacturer’s instructions;
3. Devices are identified to enable calibration status to be determined;
4. Devices are safeguarded from adjustment, which may invalidate results;
5. Devices are protected from damage during handling, maintenance or storage;
6. The validity of results from a non-conforming device is re-checked with a conforming device;
7. Devices are calibrated by external providers certified to ISO 17025;
8. Records of calibration and verification are maintained;
9. Computer software which is used for monitoring/measuring is validated prior to initial use;
10. Computer software used for monitoring and measuring is re-validated where necessary.

If measurement traceability is not required, verify that those monitoring and measuring resources used by your
organization are suitable. You should ensure that documented information is maintained in order to
demonstrate suitability of monitoring and measuring equipment. While this is not required, all equipment
requiring calibration must be identified and must be:

1. Calibrated or verified at specific intervals, or prior to being used. Equipment must be calibrated
using measurement standards traceable to international or national measurement standards. Where
there is no standard available for the device the basis for calibration or verification must be recorded.
A Certification Auditor would expect to see that traceable standards are used and where applicable
have not expired. Where calibration is completed by an outsourced process i.e. vendor, the records
of traceability must be reviewed.
2. Adjusted or readjusted as necessary. A Certification Auditor would expect to see evidence that
equipment found to be out of calibration is adjusted/re-adjusted by qualified personnel, that the
validity of the previous measuring results is assessed when equipment is found to be out of
calibration, and that appropriate action is taken (may include recall of product). A Certification Auditor
would also expect to see that a process is in place to provide traceability of each piece of equipment
to the process/product that the equipment was used on. The results of calibration and verification
are required to be maintained as quality records.
3. Identified to show calibration status. A Certification Auditor would expect to see that each piece of
equipment is identified in such a way that the user can determine that the device has current
calibration. This may be accomplished by the equipment's unique serial number, traceable to the
calibration record; however, the calibration status label is a good practice. Other methods may be
used, but they must clearly identify the calibration status. Where the environment is not conducive to
the use of stickers, status may be identified by color-coding, identification number with associated
calibration record, and/or calibration prior to every use.
4. Safeguarded from adjustment. A Certification Auditor would expect to see that a process is in
place to ensure that users outside the calibration process do not adjust equipment. Equipment may
be verified prior to use; however, any adjustments made to equipment must meet all requirements of
this section. Methods to safeguard may include locking materials for setscrews, tamper-proof seals,
limited entrance to calibration areas, and other methods.

5. Protected from damage during handling, maintenance and storage. A Certification Auditor
would expect to see that measuring equipment is handled and stored in a manner to protect the
equipment from damage.

7.1.6 Organizational Knowledge
Not all resources are tangible; the acquisition and maintenance of knowledge is essential to keep the EQMS
moving in the right direction. ‘Organizational Knowledge’ is a new requirement and is closely linked with
‘documented information’.

You should seek and record evidence that your organization has taken steps to identify the internal and
external knowledge necessary to ensure the continued product conformity. Check that organizational
knowledge is reviewed before changes to the EQMS are made when responding to change.

Sources of internal knowledge often include the organization’s intellectual property; knowledge gained from
experience; lessons learned from failures and successes; capturing and sharing undocumented knowledge and
experience; the results of improvements in processes, products and services. Sources of external knowledge
often include other ISO standards; research papers; conferences; or knowledge gathered from customers or
external parties.

You should also seek evidence to confirm how your organization has determined and made available the
knowledge needed to keep up to date with changing situations and knowledge related to new products and
services. You should determine whether your organization has considered internal and external sources, such as:

1. Lessons learnt from non-conformities and corrective actions, near miss situations and successes;
2. Gathering knowledge from customers, suppliers and partners;
3. Capturing knowledge existing within the organization, e.g. through mentoring, succession planning;
4. Benchmarking against competitors;
5. Sharing organizational knowledge with relevant interested parties to ensure sustainability;
6. Updating the necessary organizational knowledge based on the results of improvement;
7. Knowledge from conferences, attending trade fairs, networking seminars, or other external events.

A Certification Auditor would expect to look for the following evidence for meeting the requirements of clause
7.1.6 organizational knowledge:

| PDCA | What to look for |
|---|---|
| Plan | Has your organization used the PDCA (plan/do/check/act) approach for addressing organizational knowledge? |
| Plan | Has Top management provided the leadership & direction for establishing strategies to use organizational knowledge and policies and objectives to optimize the value derived from organizational knowledge? |
| Plan | Has your organization identified the scope of organizational knowledge relevant to its business and related risks and opportunities associated with each type of organizational knowledge? |
| Plan | Has your organization defined the process needed to manage organizational knowledge - identify, obtain, accumulate, store, communicate, use, maintain, protect and evaluate the performance of organizational knowledge management against objectives? |
| Plan | Has your organization defined roles, authority and responsibilities for organizational knowledge process activities listed above? |
| Plan | Has your organization determined competency requirements and provided appropriate training and awareness for all employees using organizational knowledge? |
| Plan | Has your organization established processes for communication, participation and consultation? |
| Plan | Has your organization determined the nature and extent of documentation required to manage organizational knowledge? |
| Plan | Has your organization identified any applicable regulatory and other requirements? |
| Plan | Has your organization defined an organizational knowledge change management process? |
| Do | Has your organization implemented the organizational knowledge plan defined above? |
| Do | Has your organization performed organizational knowledge activities – assign responsibilities, identify, obtain, accumulate, store, maintain, protect, communicate, use and evaluate the performance of organizational knowledge? |
| Check | Has your organization tracked organizational knowledge performance measures? |
| Check | Does your organization investigate loss, irretrievability or theft of organizational knowledge? |
| Check | Has your organization evaluated compliance to applicable regulatory requirements? |
| Check | Has your organization maintained appropriate records of organizational knowledge management activities? |
| Act | Has your organization reviewed data from CHECK stage and determined improvement actions? |
| Act | Has your organization verified achievement of organizational knowledge goals and objectives? |

7.2 Competence
This requirement is comparable to ISO 9001:2008 Clause 6.2.1 - Human Resources and Clause 6.2.2 -
Competence, training and awareness. In addition, you should check whether your organization takes action
to address competency issues and whether those actions were effective.

Your organization should establish a process for assessing existing staff competencies against changing
business needs and prevailing trends. Check for evidence that all staff who work under your organization’s
control are competent, and that evidence of continuing competence is maintained as documented information
in accordance with Clause 7.5.

Competency-based training programmes can vary greatly and be as unique as the facility and personnel
working at a facility. The distinct operations of the facility and the level of education, training, and experience
of the personnel determine the necessary elements of a competency-based training programme. To establish
and maintain a competency-based training programme, the following steps must be taken:

1. Identify competency-based training needs;
2. Prepare the training materials;
3. Conduct and evaluate the training.

How does your organization determine the necessary competence of person(s) doing work under its control
that affect its environmental and quality performance? Clause 7.2 is essentially a rewording of the text from
ISO 14001:2004. However, the impact of the change is that competency evidence is now expanded to be
necessary for persons that may affect the organization’s environmental performance. Competency could be
obtained on the basis of their education, training or experience.

Ensure that those competencies are possessed by the people doing the work under your organization’s control
including: the organization’s own personnel, contractors and outsourced personnel working either on site or
off site. Training alone is not sufficient to demonstrate competence; this must be demonstrated through tests,
observations, results, etc. Auditors need to find objective evidence in order to determine that the competency
requirements have been met.

If the people are found not to be competent, your organization is required to take action. The actions taken
need to be evaluated for effectiveness in raising competence to the required level. Examples of action may
include remedial training, recruitment or the use of external people in order to acquire the necessary
competence.

Identification of employee training needs is typically the first step in developing a competency-based training
programme. In addition to existing workers, new hires, temporary workers and outside contractors must be
included when identifying training needs. Your organization must demonstrate that the training needs for
these employees were identified.

After developing a list of these employees, the management representative or human resources manager
should establish the appropriate training programme for each person based on the type of employee
interaction with each significant impact or risk. Even though some personnel may have the same job, the type
or level of training may vary according to each person’s past education, training, and experience.

A register containing information on specified levels of education, training, and experience must be established
for each employee whose work is involved with any significant impact. The planned training programme for
each individual then should be listed. The training sessions should, at a minimum:

1. Make the employee aware of the aspects and hazards, and the impacts and risks associated with
their work;
2. Include training required by applicable regulatory requirements and the EQMS requirements;
3. Include training necessary to obtain/retain required licenses or registrations;
4. Emphasize responsibility for minimizing significant impacts and risks associated with their work;
5. Identify potential consequences of departures from specified operating procedures;
6. Address the benefits of improved personal performance.

Training options may be as simple as on-the-job training, administered by senior/experienced members; formal
training, including classroom instruction; or training provided by external consultants. For some situations,
commercially available training courses may be another alternative.

Additional or customized training activities specific to individual needs, job descriptions, regulations and goals
may be necessary, depending on the significant impacts and the existing skill level of each employee.

7.3 Awareness
This requirement is comparable to ISO 9001:2008 Clause 6.2.2 - Competence, training and awareness, which
was limited to the organization’s own personnel. You should seek evidence to confirm that your organization
has applied this requirement so that the people who need to be made aware now include all the people
who work on your organization’s behalf and affect the conformity of your organization’s EQMS or products.
You should ensure that these people are aware of:

1. The EQMS policies;
2. Relevant EQMS objectives;
3. Their contribution to the effectiveness of the EQMS;
4. Benefits of improved performance;
5. The implications of not conforming to EQMS requirements.

The awareness training does not need to follow the format of long classroom sessions. Training techniques
can include short training segments supplemented with videos and hands-on demonstrations that address key
elements of the EQMS.

Other methods to promote and reinforce the quality and environmental awareness training sessions include
communication via electronic bulletin boards, posters, newsletters and informational meetings.

The requirements for general awareness training apply to all employees including those whose work may cause
significant environmental impact. Awareness training is intended to provide an overview of the organization’s
environmental policy, objectives and targets, and overall EQMS. Your organization must ‘establish and maintain
procedures to make its employees and members at each relevant function and level aware of’:

1. The importance of conformance with the policy and the EQMS procedures and requirements;
2. The actual and the potential significant impacts and risks of the activities, products, and/or services;
3. The benefits of improved personal performance;
4. The employees’ roles and responsibilities in achieving conformance with the policies and the EQMS
procedures;
5. The employees’ roles and responsibilities with the emergency preparedness and response
requirements;
6. The potential consequences of departure from specified operating procedures.

The awareness training materials may also include additional elements that address:

1. The organization’s objectives and targets;
2. The employees’ actions to minimize/eliminate impacts and risks and how each employee can
contribute;
3. The importance of compliance with operational and regulatory requirements;
4. The overall improvement of the organization’s EQMS performance and the potential financial return;
5. The importance to interested parties.

7.4 Communication
7.4.1 General
Your organization needs to develop and implement a process (i.e., communication strategy) to determine those
EQMS matters on which it wishes to communicate, taking into account its compliance obligations and the
quality (reliability and consistency) of the communicated information. Communications may relate to your
organization’s ongoing compliance with various obligations, milestone achievements, or sustainable resourcing.

You should seek evidence to confirm that your organization has identified the necessary internal and external
communications that are required for the operation of the EQMS. You should confirm how your organization
has determined:

1. What it needs to communicate;
2. When it will communicate;
3. With whom it will communicate;
4. How it will communicate.

The key to successful implementation is often through the involvement of all people within the organization;
let everyone in the company know that you have started to introduce a new management system by holding
basic awareness sessions for all employees. Make sure you retain records of attendance as this action will
contribute towards satisfying the clause.

Communication is the key; communicate goals, plans, progress and milestones. Listen first then ask for
feedback. Lack of communication seems to be one of the main root causes for errors in business. Keep people
informed of the progress of the project; e.g. what’s been done, what’s to be done next and how the project is
progressing against the plan.

Make this process transparent and visible to all concerned; for example, place progress charts on the walls and
notice boards. Employees that are not part of the implementation team may not be hearing as much about
what is going on with the project and may think the project has faded away. Communicate its progress
via newsletters, bulletin boards or meetings.

The organisation needs to ensure that procedures to control internal and external communications and
interfaces are in place. Particular care needs to be taken when dealing with communications from external
parties, which might well include enforcement authorities, lawyers/solicitors, insurance companies, etc. In many
parts of the world there is an increasing trend towards litigation resulting from injuries received in the
workplace, so the need to manage the communication process is critical.

7.4.2 Internal Communication


Internally, your organization needs to communicate information relevant to the EQMS amongst all levels and
functions, including information on any change, as appropriate, and has to establish a mechanism to enable
all persons performing work under the organization’s control to contribute to continual improvement.

As well as briefing employees during introductory presentations, try using a combination of other methods to
promote awareness, such as posters placed on notice boards and leaflets with pay-slips, etc. Use training
sessions to inform employees of the plan and how they will be expected to contribute. Issues pertaining to the
EQMS that could be communicated include:

1. Day-to-day operations and general awareness;
2. Environmental regulatory reporting;
3. Information on achieving EQMS objectives and targets;
4. Incidents, accidents and near misses;
5. Environmental aspects.

Effective communication media:

1. Verbal (i.e., meetings, briefing, etc.);
2. Formal memorandums;
3. Newsletters;
4. Posters or bulletin boards;
5. Suggestion box.

Auditors will wish to determine if the policies meet the intent and are understood, by interviewing personnel
at all levels. Although the exact content of the policies does not need to be recited by interviewees, the
awareness of the policies and how their job affects the company objectives should be determined.

This does not require your employees to memorize the policies but it does mean they should be aware of them,
know where they may be found and be able to paraphrase them, or give an interpretation as they apply to them.

If the personnel interviewed do not know what their measurable objectives are and/or do not know what the
organizational objectives are that they have a direct effect upon, the auditor would be further directed to
evaluate top management’s communication of the policies and objectives.

Inferred awareness through knowledge of procedures is not considered sufficient; otherwise why have the
requirement in the first place? A quick and convenient way to promote and communicate the policy might be
to create a shortened version of the main policy; try condensing it to five key words or even a couple of short
sentences. This can be posted on bulletin boards in each department.

You could even add it to the reverse side of staff security passes or ID badges. If an auditor asks an employee
whether they are aware of the policy, they can point to the bulletin board or point to it on their badge. The
employee can further elaborate to the auditor what the policy means to them and how it influences their work.

Your organization should encourage the two-way flow of information between your workforce and
management. Input from employees is considered vital in the development of quality and environmental
policies and procedures.

It is also vital that your employees are kept informed of matters relating to their welfare via Representatives,
Supervisors and Managers. Communication and consultation should take place both formally and informally.
Representatives can be appointed to assist your company with the process. Inputs to quality and environment
consultation might include the following:

1. EQMS objectives and targets;
2. Incident investigations;
3. Operational changes affecting health, safety and welfare;
4. Introduction of new plant and equipment;
5. Contractors and visitors to site;
6. Information request from interested parties.

Your organization should communicate health and safety requirements to the visitors and contractors who
attend your sites. Visitors to each site should receive health and safety information relating to the site rules
and procedures during signing in. In addition, contractors should be required to go through a contractor’s
induction briefing.

7.4.3 External Communication


Externally, your organization needs to communicate as required by its compliance obligations. Additionally,
organizations may choose to communicate on other issues, as appropriate. The process has to ensure that all
received communications are responded to appropriately.

In most instances, external interested parties (such as consumers, stockholders, neighboring communities, etc.)
are the main driving forces for organizations to implement an EQMS. The appropriate external communications
may establish environmental credibility and satisfy stakeholder requests by presenting objective information
on the organization’s significant aspects, its EQMS, or its performance. The various processes or means of
external communication may include:

1. Annual reports or newsletters of performance sent to external stakeholders;
2. Open house meetings for interested parties and focus groups;
3. Availability of regulatory submissions, or results of audits;
4. Policies published in the media and industry association publications and press releases.

The various means of such communication are endless. Such communication may benefit your organization in
several ways, including improved employee morale and increased market exposure, either of which can lead
to increased profits.

You must first determine whether or not your organization will initiate and establish communication regarding
the organization’s significant aspects. You may decide not to communicate such information. The
organization’s decision must be recorded to meet the requirement in this section. Your organization should:

1. Consider processes for external communications of its significant EQMS issues;
2. Record its decision on whether it will or will not proceed with external communications.

The company will communicate with our interested parties through the supply of
environmental information upon request, e.g.:

1. Requests from insurers for environmental management systems;
2. Requests from Enforcing Authorities for information on environmental performance.

7.5 Documented Information


7.5.1 General
It should be noted that there is no need to maintain a documented procedure but your organization may still
choose to operate one. You should ensure that your organization’s EQMS includes documented information
required to be maintained and retained by ISO 9001:2015 and ISO 14001:2015, and the documented
information identified by your organization to demonstrate the effective operation of its EQMS as defined
below.

The terms ‘documented procedure’ and ‘record’ used in ISO 14001:2004 and ISO 9001:2015 have both been
replaced by the term ‘documented information’, which is defined as information required to be controlled and
maintained by an organization, as well as the medium on which it is contained. Operational procedures, work
instructions, flow charts, process maps, signs, placards, container markings, labels etc. are all examples of
‘documented information’. Documented information can be in any format and media and from any source.

The organization needs to determine the level of documented information necessary to control its EMS.
‘Access’ can imply a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information.

7.5.2 Creating & Updating


You should seek to confirm that when documented information is created or updated, your organization has
ensured that it is appropriately identified and described (e.g. title, date, author, reference number). It must be
in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper,
electronic). Confirm that documented information is reviewed and approved for suitability and adequacy.

7.5.3 Control of Documented Information


A robust document control process invariably lies at the heart of any compliant management system; almost
every aspect of auditing and compliance verification is determined through the scrutiny of documented
information. With this in mind, it becomes apparent that the on-going maintenance of an efficient document
management system must not be overlooked.

Your organization must control the documented information required by the EQMS. A suitable process must
be implemented to define the controls needed to approve, review, update, identify changes, identify revision
status and provide access. The documented information process should define the scope, purpose, method
and responsibilities required to implement these parameters.

In order to comply with the documented information requirements, it is essential that all personnel understand
what types of information should be controlled and, more importantly, how this control should be
exercised. To get the most out of your documented information process, it must be communicated to ensure
that staff and other users of the documented information understand what they must do in order to manage
that information effectively and efficiently.

Departmental managers should always be responsible for promoting good documented information practices
in their area whilst supporting overall compliance to the requirements. Individuals and their line managers
should be responsible for the information that they create, as well as for its retention and
disposal in line with legislative requirements and organizational needs.

Maintain Documented Information


Maintain the following as a type of ‘documented information’:

Documented information | Clause
The scope of the environmental and EQMS | 4.3
Information necessary to support the operation of processes | 4.4
Environmental and quality policies | 5.2
Risk and opportunities that need to be addressed | 6.1.1
EQMS aspects and impacts and their criteria to determine significance | 6.1.2
Information about an organization’s compliance obligations | 6.1.3
Environmental and quality objectives | 6.2
Documented information required by ISO 9001:2015 and ISO 14001:2015 | 7.5.1a

Retain Documented Information


Retain the following as a type of ‘documented information’ as a record:

Documented information | Clause
Documented information to the extent necessary to have confidence that the processes are being carried out as planned | 4.4
Evidence of fitness for purpose of monitoring and measuring resources | 7.1.5.1
Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) | 7.1.5.2
Evidence of competence of people doing work under the control of the organization that affects the performance and effectiveness of the EQMS | 7.2
Evidence of communications to external parties and interested parties | 7.4.1
Documented information required by the EQMS | 7.5.1b
Results of the review and new requirements for the products and services | 8.2.3
Records to demonstrate compliance with design and development requirements | 8.3.2
Records of design and development inputs | 8.3.3
Records of the activities of design and development controls | 8.3.4
Records of design and development outputs | 8.3.5
Design and development changes, including the results of the review and the authorization of the changes and necessary actions | 8.3.6
Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and any actions arising | 8.4.1
Evidence of the unique identification of outputs when traceability is a requirement | 8.5.2
Records of property of the customer or external provider that is lost, damaged or non-conforming and of its communication to the owner | 8.5.3
Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken | 8.5.6
Records of authorized release of products for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) | 8.6
Records of non-conformities, actions taken, concessions and the identity of the authority deciding the action in respect of the nonconformity | 8.7
Evidence of the evaluation of the performance and the effectiveness of the EQMS | 9.1.1
Evidence of compliance evaluations | 9.1.2
Evidence of the implementation of the internal audit programme | 9.2.2
Evidence of internal audit results | 9.2.2
Evidence of the results of management reviews | 9.3.3
Evidence of the nature of the non-conformities | 10.2.2
Evidence of any subsequent actions taken to correct non-conformities | 10.2.2
Results of any corrective actions | 10.2.2

Retention Period for Records


We suggest the following retention periods for your retained documented information:

Document | Suggested Retention Period
Management Review Minutes | 2 Years
Internal and External Audit Reports | 5 Years
Process Monitoring and Inspection Records | 5 Years
Legal and Compliance Records and Registers | 10 Years
Environmental Aspects and Impacts Records | 10 Years
Emergency Preparedness Plans and Records | 10 Years
Environmental Incident Records | 10 Years
Risk and Opportunity Assessments and Registers | 10 Years
Business Plans | 5 Years
SWOT Analysis Records | 5 Years
PESTLE Analysis Records | 5 Years
Corrective Action Reports | 5 Years
Complaint Records | 2 Years
Inspection and Test Reports | 5 Years
Non-conformance Reports | 5 Years
Design Review Records | 5 Years
Training and Competence Records | 10 Years
Calibration Results and Certificates | 5 Years

8.0 Operation
8.1 Operational Planning & Control
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.1 – Product Realization
Planning, but it has been extended to include implementation and control, as well as planning. You should seek
and record evidence that your organization has determined the design and its processes to meet the
requirements of your customers and the requirements of your EQMS. Evidence should be sought that the
process, including all inputs, outputs, resources, controls, criteria, and process measurement and performance
indicators, has been planned.

For those risks and opportunities that your organization has identified, you should seek evidence that these
actions have been integrated into the management system; as such, these actions should be verifiable at
process level – for example, evidence of controls, acceptance criteria and resources to address the risks and
opportunities. Review the acceptability criteria; this may include targets, measures, values, KPIs, specifications
and other criteria as relevant to the output.

You should ensure that the implemented processes are controlled as planned and that there is evidence that
your organization has evaluated the effectiveness of actions taken when addressing risks and opportunities.
Evaluate and record any evidence pertaining to planned and unintended changes.

Operational planning is about controlling the design and development process. The organization must ensure
that all related activities take place under controlled conditions. The final product or service is the culmination
of events that transfer customer requirements and expectations into a tangible product or effective service that
conforms to specified requirements and expectations. Control product realization planning by:

1. Determining quality and environmental objectives for the product;
2. Determining requirements for the product;
3. Identifying processes required to achieve conformance;
4. Establishing processes required to achieve conformance;
5. Identifying documents to demonstrate conformance;
6. Identifying resources required to achieve conformance;
7. Maintaining and retaining documented information.

Your organization needs to plan in advance how it will manufacture its product or deliver its service.
The plans need to take into account the product requirements and any quality objectives that might be
appropriate, resources and documents that may be necessary, what type of monitoring and/or inspection
activities should be put in place to ensure the product or service will meet the requirements, and what types
of records should be kept.

ISO 9001:2015 and ISO 14001:2015 both introduce the concept of controlling change, whether it is a ‘planned
change to be controlled’ or an ‘unintended change to be reviewed for its consequences’. Controls can include
engineering controls, procedures, documented procedures, etc. They can be implemented following a hierarchy
(e.g. elimination, substitution, administrative) and can be used singly or in combination.

Considering that some of your organization’s environmental impacts can occur once the products and services
have been delivered to the customers, organizations need to provide information to those that will transport,
use, treat or dispose of the products and services in order to prevent adverse environmental impacts. The life
cycle perspective means that your organization must also:

1. Design and develop products and services taking into account the environmental impact throughout
their life cycle;
2. Include environmental requirements in the purchasing specifications of products and services;
3. Communicate these environmental requirements to external providers;
4. When necessary, provide information on potential environmental impacts related to the
transportation, use, end of life treatment and final disposal of its products and services.

Ensure that those with responsibility for each stage of the lifecycle (for example procurement, design, logistics,
operations, sales, and after sales) are represented in environmental aspects identification and evaluation. Again,
a workshop scenario works well. Where significant aspects relate to other stages of the lifecycle, these can be
managed or coordinated through the EQMS, for example by operational control and environmental objectives.

Certification Auditors will not expect to see a fully developed life cycle analysis. This is not a requirement of
the new standard. Operating procedures should also be developed for processes, plant, and equipment, and
should include:

1. Specification;
2. Relevant legislation;
3. Hazards;
4. Operating criteria;
5. Maintenance strategies;
6. Inspection and testing;
7. Material safety information.

All operational factors must be determined and risks associated with the environment must be managed in a
way that conforms to the EQMS policies. There should be a process for developing work instructions that detail
standard practice for performing tasks that comply with all EQMS requirements, as well as a process for
identifying hazards and controlling tasks for all non-routine tasks and ensuring all environmental requirements
are met.

8.2 Requirements for Products & Services


8.2.1 Customer Communication
This requirement is directly comparable to the requirements of ISO 9001:2008 Clause 7.2.3 – Customer
Communication. It has been expanded to include new requirements to obtain ‘customer views and perceptions’
instead of ‘customer feedback’. Some or all of the following specific customer communication should be
observed and evidenced:

1. Marketing information;
2. Quotations and order forms;
3. Confirmation of authorized orders and amended orders;
4. Delivery notes and certificates of conformity;
5. Invoices and credit notes;
6. E-mail and general correspondence;
7. Site visit reports or notes to/from customer;
8. Customer feedback and complaints management process.

You should ensure that your organization has established effective arrangements for providing the customer
with product information, a means of handling inquiries and orders and a method for handling customer
comments that includes both compliments and complaints. Establish processes for communicating with your
customers:

1. Develop a process to control communications with customers;
2. Implement your customer communications process;
3. Communicate with your customers;
4. Maintain records.

8.2.2 Determination of Requirements for Products & Services
This new requirement replaces ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to
Product Requirements. You should seek and record evidence that your organization has implemented a
process to determine the requirements for the products and services that it intends to offer to customers.

This may also include the requirements from interested parties and also statutory and regulatory requirements
relating to the product. You should determine how your organization was proactive in evaluating if there were
any additional requirements for the product or service’s intended use.

If the organization determined there were not any additional requirements, this should be evident in associated
records. If there were additional requirements, then evidence should be present of how they were addressed in
the affected process, i.e. design, purchasing, manufacturing. The objective here is to set up a process to make
sure that however an order is accepted, all the requirements for that order are determined. You will need to
identify the following:

1. Customer’s requirements;
2. Those defined by the product’s purpose;
3. Legal and statutory obligations;
4. Organizational objectives;
5. Appropriate records.
8.2.3 Review of the Requirements for Products & Services
This requirement is comparable to ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to
Product and Clause 7.2.2 - Review of Requirements Related to Product. The requirement states that your
organization should now include a review of the requirements arising from any relevant interested parties. You
should seek and record evidence that these requirements are considered during product and service reviews.

The sub-clause mandates that your organization should not issue a quotation or accept an order until it has
been reviewed to ensure requirements are defined, and that the organization has the capability to meet the
defined requirements. It goes on to require that records of the review and any subsequent actions be
maintained.

If the customer does not provide their requirements in writing, the requirements must still be confirmed before
they are accepted. A note is included that covers situations such as internet sales where a formal review of each
order is impractical, stating, instead, that the review could cover the product information provided in
catalogues and advertising material.

Your process must include a step for reviewing product requirements and ensuring the organizational
capability to meet those requirements. You should conduct a review of customer requirements before order
acceptance:

1. Ensure product requirements are defined;
2. Ensure product requirements are agreed;
3. Ensure any amendments to the specification are agreed;
4. Ensure any amendments to the specification are communicated;
5. Ensure your organization is able to achieve the stated requirements;
6. Maintain records.

8.2.4 Changes to Requirements for Products & Services
This is a new requirement. You should seek and record evidence that your organization has ensured that all
relevant documented information relating to changed product or service requirements is amended and that the
relevant design personnel are made aware of the changed requirements. If the customer’s requirements have
changed, all related documents must be amended and the relevant personnel must be informed.

8.3 Design & Development of Products & Services


8.3.1 General
This is a new requirement that mandates the introduction of a design and development process where this
activity is required. You should seek and record evidence that, where applicable, your organization has
implemented a design and development process to allow effective product or service provision, where the
requirements for products and services are not defined by your customers or interested parties.

Many companies perform some enhancements or minor reconfiguration of mature designs; such organizations
may have to introduce a comprehensive design system and related processes. If your organization is ‘design
responsible’ but outsources all of its design, all records from Section 8.3 must be maintained by your
organization, as it is responsible for design.

8.3.2 Planning
This requirement expands upon the requirements from ISO 9001:2008 Clause 7.3.1 – Design and Development
Planning. It is likely that if your organization already complies with ISO 9001:2008, you will already be
undertaking the activities required by this clause.

You should seek and record evidence that your organization has considered the explicitly referenced
considerations relating to the design and development process set out above. You should also ensure that
your organization has retained documented information to confirm the identified design and development
requirements were met and that design reviews were undertaken.

You must have an overall plan for your design. Your plan must specify the design and development stages,
activities and tasks; responsibilities; timeline and resources; specific tests, validations and reviews; and
outcomes. There are many tools available for planning ranging from a simple checklist to complex software.
Plan and control product design and development by:


1. Determining all design development phases;
2. Determining all review, verification and validation techniques for each phase;
3. Determining responsibility for design and development;
4. Determining authorities for design and development;
5. Maintaining records.

Although the standard does not require a documented procedure, the design process needs to demonstrate
how the process is controlled and planned. The organization, however, will need to provide some type of
objective evidence as to what the planning activities include. This can be accomplished with the use of
timelines, Gantt charts or any other planning method such as Microsoft project manager.

In addition, auditors would likely want to see objective evidence of how the interfaces between other processes
are managed, either through statements, in associated procedures, process mapping, a matrix approach
or in the timeline planning.

8.3.3 Inputs
This requirement expands upon the requirements from ISO 9001:2008 Clause 7.3.2 - Design and Development
Inputs 7.3.1. You should seek and record evidence that your organization has documented and retained
information concerning the need for internal and external resources and the potential consequences of design
or development failure.

Define which inputs are required to carry out the design and development process. The inputs should be
determined according to the design and development activities. For example, which employees are required
or what information is required for every step of the development. Determine design and development inputs
by:

1. Determining functional and performance characteristics;
2. Determining statutory and regulatory requirements;
3. Determining relevant information from previous designs;
4. Determining requirements essential to the product;
5. Maintaining records.

The auditor will need to review evidence that the inputs have been addressed based on the nature of the
product being produced, that they have been reviewed for adequacy and that records are maintained of the
activity. An organization may include design personnel in the contract review stage; these records may suffice
for the review of design input requirements.

8.3.4 Controls
This requirement is comparable to the requirements from ISO 9001:2008 Clauses 7.3.3, 7.3.4, 7.3.5 and 7.3.6.
You should seek and record evidence that your organization has applied the necessary controls to its design
and development process in order to ensure that:

1. The results from undertaking the design and development process are clearly defined;
2. The design and development reviews take place in accordance with planned arrangements;
3. The design and development outputs meet the design and development inputs (verification);
4. The resulting products and services are fit for their intended use or specified application where this is
known to the organization (validation).


Verification is a comparison between the outputs and the inputs. Does the available evidence indicate that the
design will meet the requirements? The verification could consist of calculations, simulations, prototype
evaluation, tests or comparison against samples. You must maintain records of design verification as these
records will indicate the results of verifications and determine any necessary corrective actions. Perform design
and development verification by:

1. Determining whether the outputs meet the input requirements for the design;
2. Maintaining records.
Validation is similar to verification, except this time you should check the designed product under conditions
of actual use. If you are designing dune buggies, you might take your creation for a spin on the beach. If you
are making beverages, you might conduct a consumer taste test. Verification is a documentary review, while
validation is a real-world test. Perform design and development validation by:

1. Ensuring the product meets the specified requirements;
2. Maintaining records.

The organization shall have records that the product designed will meet defined user needs prior to delivery
of the product to the customer, as appropriate. Methods of validation could include simulation techniques,
prototype build and evaluation, comparison to similar proven designs, beta testing, field evaluations, etc.
Irrespective of the methods used, the validation activity should be planned and executed, with records maintained
as defined in the planning activity.

8.3.5 Outputs
This requirement is comparable to the requirement from ISO 9001:2008 Clause 7.3.3 – Design Development
Outputs. You should seek and record evidence that the additional requirement to retain documented
information concerning design outputs has been met. You should also check the need for design outputs to reference
monitoring and measuring requirements.

Design and development output is the result of the design and development process. The output is a clear
description of the product, containing detailed information for production. Design and development outputs
must reconcile with design and development inputs by:

1. Determining whether the outputs meet the input requirements for the design;
2. Determining whether the outputs provide suitable information for purchasing;
3. Determining whether the outputs provide reference to product acceptance criteria;
4. Determining whether the outputs accurately specify essential characteristics;
5. Maintaining records.
The auditor should expect to see objective evidence that the outputs (7.3.3 a – d) have been verified against
the design inputs. This can be accomplished by reviewing documents, plans, etc., interfacing with the customer
or internal processes and by comparison with past proven designs. Outputs may also include product
preservation methods, identification, packaging, service requirements, etc. as appropriate.

8.3.6 Changes
This requirement is directly comparable to ISO 9001:2008 Clause 7.3.7 - Control of Design and Development
Changes. It is important to control design changes throughout the design and development process and it
should be clear how these changes are handled and what effects they have on the product. You should seek
and record evidence that your organization has retained documented information concerning:

1. Design and development changes;
2. The results of reviews;
3. The authorization of changes;
4. Actions taken to prevent adverse impacts.

To ensure control over design and development changes, design changes must be:

1. Identified;
2. Recorded;
3. Reviewed;
4. Verified;
5. Validated;
6. Approved.
Design and development changes (after the original verification and validation) have to be “verified and
validated as appropriate” (as well as reviewed) and to “include evaluation of the effect of changes on
constituent parts and products already delivered”. If the organization chooses not to perform re-verification
and re-validation on every design change, then the auditor should expect to see some very well-defined criteria
as to when the activity needs to occur.

8.4 Externally Provided Processes, Products & Services


8.4.1 General
This requirement is comparable to the requirement from ISO 9001:2008 Clause 7.4.1 – Purchasing Process
and Clause 7.4.3 - Verification of Purchased Product. You should seek and record evidence that your
organization has retained documented information that records not only the criteria by which suppliers were
selected, but also the results of the selection activities, and the results from the monitoring of their ongoing
performance.

Organizations need to identify which materials and services that they buy can affect the quality of their
products. Then they need to establish criteria for selection of suppliers that can provide these materials and
services. The standard requires suppliers to be evaluated, based on predefined criteria determined by the
organization before selection. The criteria will depend upon the type of product and its effect on other
processes and the final product.

Purchased product is any product procured by an organization from another source that is incorporated or
used in the production of the final product. Note that products need not be procured from an 'independent
source'; in some cases sister companies supply each other and are not totally independent. Maintain control
of your organization’s purchasing process by:

1. Determining the extent of control to be applied to suppliers;
2. Developing criteria for the selection of suppliers;
3. Evaluating suppliers to ensure they are able to meet requirements;
4. Maintaining records.

8.4.2 Type and Extent of Control
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.4.1 – Purchasing Process
and Clause 7.4.3 - Verification of Purchased Product. You should seek and record evidence that your
organization has ensured that the supplied product or service meets the specified requirements. Confirm that
your organization has established and implemented a process of inspection to ensure that purchased products
conform to:

1. Purchase orders;
2. Delivery notes;
3. Product specifications;
4. National or international standards.
You could consider dividing your suppliers into groups based on the product or service they provide and what
effect it has on the quality of your products or processes, e.g. level I/II/III/etc. Based on those categories, you
can define the criteria for supplier evaluation and approval. You are free to define your supplier levels and
approval parameters accordingly, but, whatever rationale is opted for, it should be properly documented.

There is no ‘right way’ for vetting suppliers. To meet the intent of the clause you simply need to establish a
process with properly documented criteria which are based upon customer requirements. Such criteria might
include:

Technical:

1. Ability to understand product requirements;
2. Capability to meet product specifications, e.g. men, machines, materials, method;
3. Logistical capacity;
4. Operates a compliant EQMS or other management system.

Financial/Legal:

1. Credit worthy;
2. Legally registered.

Your specific requirements:

1. Having passed a second party audit of their EQMS;
2. Capacity to work on continuous improvement;
3. Commitment to cost reduction.

8.4.3 Information for External Providers
This requirement is again comparable to the requirements from ISO 9001:2008 Clause 7.4.2 – Purchasing
Information. You should seek and record evidence that your organization has, where appropriate,
communicated not just the products or services they wish to receive, but also any processes they want the
external provider to undertake on their behalf, as well as any interactions with your organization’s EQMS. You
should also check that the requirement for competency of external personnel is communicated.


ISO 9001 requires that the purchasing documentation contains the correct information before it is issued to a
supplier. This verification can be undertaken by the Procurement Manager. Describe the product to be
purchased by:

1. Defining product approval requirements, e.g. certificate of conformity;
2. Defining intended verification arrangements, e.g. witness testing or certification;
3. Defining personnel qualifications and quality and environmental requirements;
4. Maintaining records.

8.5 Production & Service Provision
8.5.1 Control of Production & Service Provision
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.1 - Control of Production
and Service Provision and Clause 7.5.2 Validation of Processes for Production and Service Provision. You
should seek and record evidence that your organization has controlled the conditions by which products or
services are provided, ensuring that:

1. Documented information that defines the characteristics of the product or service is available;
2. Documented information that defines the activities that need to be performed to produce the
product or deliver the service is available, and that this specifies the results that are to be achieved;
3. Monitoring and measurement takes place at appropriate points in the production process to ensure
that both the processes themselves and the process outputs meet the organization’s acceptance
criteria;
4. The process environment and infrastructure are suitable;
5. Suitable monitoring and measurement resources are made available;
6. Personnel are competent and, where necessary, appropriately qualified;
7. For processes where the results cannot be verified by subsequent monitoring or measurement, the
process itself is initially validated and then periodically re-evaluated;
8. Product and service release, delivery and post-delivery activities are implemented.

8.5.2 Identification & Traceability
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.3 - Identification and
traceability. You should seek and record evidence that product is identified (as appropriate) and its status with
regards to monitoring and measuring (conforming or not) is identified throughout the manufacturing
processes. Where traceability is a requirement, you should expect to see that your organization is controlling
and recording the unique identification of the product.

There are several ways of identifying products. The most obvious is using tags or stickers with part numbers,
bar codes, job numbers, etc. The identification may be engraved in the product itself, or the product may simply
be marked by a colour. Establish and implement a procedure to identify the product through the design,
development, manufacture and delivery stages:

1. Establish the identity and status of products;
2. Maintain the identity and status of products;
3. Maintain records of serial or batch numbers.


The auditor will expect to see that product is identified (as appropriate) and its status with regards to
monitoring and measuring (conforming or not) is identified throughout the product realization processes.
Where traceability is a requirement, the auditor will expect to see that the organization is controlling and
recording the unique identification of the product.

8.5.3 Property Belonging to Customers or External Providers


This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.4 – Customer Property
but it has now been expanded to cover property belonging to external providers that your organization intends
to incorporate into its own products and services. You should seek and record evidence that your organization
has extended their treatment of customer property to include that of external providers.

Check that your organization communicates with its customers in regard to the handling and treatment of
their property. You should also check that contingency plans and, where relevant, actions are undertaken when
non-conformities occur with customer property. Good sources of information often include the following
examples:

1. Goods returned by the customer;
2. Warranty claims;
3. Revised invoices;
4. Credit notes;
5. Articles in the media;
6. Consumer websites;
7. Direct observation of, or communication with, the customer.

If there are any products, materials, or tools on the organization's premises that are owned by a customer, all
employees must exercise care with this property. This means they must ensure that the product is not lost or
damaged. If it is lost or damaged, this needs to be recorded and the customer needs to be notified. Establish
and implement a process to manage property supplied by customers:

1. Establish the identity and status of customer supplied product;
2. Maintain records.

The auditor will expect to see that the organization has clearly identified any and all customer property. The
auditor will verify that the organization has established a process to protect customer property. Further, a
process must be established for contacting the customer when these items are lost, damaged or otherwise
found unsuitable for the process.

8.5.4 Preservation
This is a new requirement. The auditor will expect to see that adequate measures are taken to protect/preserve
the product during internal processing and delivery to the intended destination. Preservation, packaging and
other product-specific handling methods are likely to be an output of the product design process. The
preservation process must include the following:

1. Identification – this relates to Identification and Traceability; however, for preservation of product
it is a requirement and not ‘as applicable’. You should expect to see that all products are clearly
identified;
2. Handling – you should verify that suitable handling methods are implemented throughout the
processes. This may include bulk handling using moving equipment or physical contact where
handling may influence product conformity;
3. Packaging – you should expect to see that methods have been established for packaging the
product to preserve its integrity;
4. Storage – you should expect to see that product is stored in a manner to safeguard the product;
5. Protection – you should verify that appropriate measures are in place to protect product. This will
vary depending on the product.

8.5.5 Post-delivery Activities
This is a new requirement. Your organization must meet requirements for post-delivery activities associated
with the products and services. In determining the extent of post-delivery activities that are required, the
organization shall consider:

1. Statutory and regulatory requirements;
2. The potential undesired consequences associated with its products and services;
3. The nature, use and intended lifetime of its products and services;
4. Customer requirements;
5. Customer feedback.

Post-delivery activities can include actions under warranty provisions, contractual obligations such as
maintenance services, and supplementary services such as recycling or final disposal.

8.5.6 Control of Changes


This is a new requirement for the organization to implement a process for responding to unplanned changes
that are considered essential in order to ensure that products or services continue to meet their specified
requirements, in such a way that conformity with requirements is maintained. Changes should be documented
and information retained about the changes, including who authorized the change and the actions arising from
the change.

In the olden days of ISO 9001:2008 this would have been addressed by Clause 7.3.7 Design & Development
Outputs. ISO 9000:2015 Term 3.3.10 defines change control as ‘activities for the control of the output after
formal approval of its product configuration information’. The clause requires an organization to make changes
in a thoughtful manner and to consider the potential impact to other processes, products and possibly the
customer. Key items to consider are:

1. Is the impact of the change evaluated to determine its effects on work in process or products already
delivered?
2. What process control documentation (procedures, travellers, forms, etc.) will need updating as the
result of change to be implemented?
3. Was the change approved prior to implementation including, where applicable, approval by the
customer, statutory or regulatory authority?
4. Does retained documented information indicate the source of change and information on necessary
actions and approvals?
You should seek objective evidence that your organization has implemented a process to control unplanned
changes in accordance with the requirements set out above.


8.6 Release of Products & Services


This requirement is comparable to ISO 9001:2008 Clause 8.2.4 Monitoring and Measurement of Processes.
Your organization must show evidence that a process (method, techniques, formats, etc.) is in place to monitor
and measure the characteristics of product to verify that requirements are being met. This must be
accomplished at appropriate stages of the design and development process. The auditor will verify that records
are maintained to provide evidence of conformity and indicate the person(s) authorizing the release of
products.

The release of product or delivery of service must not be completed until the planned requirements (7.1) have
been met. ‘Release’ of product may include, according to product planning and the verification stages, release
to the next operation, release to an internal customer, release to final customer, etc.

For product release or service delivery, the planning requirements may be waived, but must be approved by
relevant authority and by the customer as appropriate. Monitor and measure product characteristics to ensure
they are able to demonstrate:

1. Product characteristics are continually met;
2. Evidence of conformity with product requirements.

8.7 Non-conforming Process Outputs, Products & Services
This requirement is comparable to the requirements from ISO 9001:2008 Clause 8.3 – Control of Non-
conforming Product but it now includes as a new requirement, the terms ‘process outputs’ and ‘services’ as
well as products. It should be noted that there is no need to maintain a documented procedure but your
organization may still choose to operate one. You should seek and record evidence that your organization has
retained documented information concerning non-conformities and the actions arising.

Controlling Product and Process Non-conformities


No matter how you resolve a non-conformance, you must keep records of each non-conformance and how it
was dealt with. Records of product non-conformity should be periodically reviewed to determine if a chronic
problem exists with the production process; it’s all about improvement!

By keeping records of your non-conformities, it is easier to spot negative trends and examine the root cause
and eliminate the cause of your problems. This, in turn, should result in fewer defective products or process
outputs and could lead to more satisfied customers.

If you have manufactured a product, inspected it and found it to be out of specification, it is most likely to be
deemed nonconforming product. In some instances, you will have to scrap the defective product but in other
situations you may be able to do some remedial work and bring it back into specification.

What the clause is telling us is that the product should then be subject to further inspection to verify that it is
now correct. As for records, if you documented the non-conforming product there should normally be
somewhere to verify that you successfully (or not) cured the problem and that it is now conforming.

Re-verification simply means that you cannot assume that because someone tells you they have corrected the
problem then it is ok. The clause is asking you to re-verify by whatever means you originally chose. If you used
inspection as a method of verification then re-inspect in the same method. If not, use whatever method suits
you (or your customer). Just make sure it is ok before it leaves!


The re-verification after remedial work might involve testing as well as inspection. The reason is not just to
verify that the defect has been removed, but also to assure that fresh defects have not been introduced by the
rework.

Records would be as appropriate for the re-inspection or re-testing performed. Re-verification is equivalent to
re-inspection and records could include a signature of approval or a more formal test report.

Generally, you could take two routes. If you have an internal non-conformance then depending on your NCR
documentation, your verification could be documented on your non-conformance report. If your non-
conformance is external, you should supply evidence of conformance to your customer.

You may need to supply new evidence of conformance to your customer along with corrective action
documentation if requested. The method that you use in either of these situations should be defined in your
EQMS and procedures, that way you relieve yourself and your auditor from guessing how you would address
them.

Where necessary, any product or process outputs that do not conform to specified requirements should be
properly identified and controlled to prevent unintended use or delivery. Improvements are then implemented
to ensure the non-conformance does not reoccur. Control non-conforming products by:

1. Defining how non-conforming products and processes are identified;
2. Defining how non-conforming products and processes are dealt with;
3. Removing or correcting non-conformities;
4. Preventing the delivery or use of non-conforming products and processes;
5. Verifying how non-conforming products and processes were corrected;
6. Providing evidence that corrected products and processes now conform to requirements;
7. Keeping records that catalogue non-conforming products and processes.

Controlling non-conformances applies to services just as much as it does to tangible goods. Reports, data, test
results and intellectual property, to name just a few service outputs, can all be potentially non-conforming, in
which case all the disciplines of this process apply. It is the company’s policy is to detect, control and rectify
any aspect of non-conformance as quickly and efficiently as possible.

Controlling Service-based Non-conformities


In the case of service processes that directly involve the customer, the control of non-conforming outputs is
the way the organization deals with non-conformities in the service provision until the appropriate corrective
action can be defined and implemented. When non-conformities are identified, you should examine whether
the personnel involved are sufficiently empowered with the authority to decide the disposition of the service,
for example:

1. To immediately terminate the service;
2. To replace the service provided;
3. To offer an alternative.

You should also examine:

1. Your organization's customer claims and complaints processes;
2. Any temporary corrections that are implemented to mitigate the effect of the non-conformity (e.g.
refund, credit, upgrade, etc.);
3. The identification, segregation and replacement of the service;
4. Equipment, service providers and environment.

This will enable you to judge whether the control of such non-conforming services is effective. In such
situations the EQMS and processes should have provisions to capture data on the non-conformities and to
feed back information, at the appropriate management level, for the effective definition and implementation of
corrective actions. Evidence will need to be sought to justify effective implementation of these techniques.

8.8 Environmental Emergency Situations


Emergency situations may originate within your organization and have the potential to affect the
environment, or may be an environmental condition that has the potential to affect your organization. You
should determine whether:

1. Processes are in place that are tested and ready to be triggered;
2. The planned response actions are tested, reviewed and revised when necessary, in particular
after the occurrence of emergency situations and after tests;
3. Your organization has the capability to respond effectively to emergency situations;
4. Interested parties are made aware of these arrangements (and, when necessary, trained if they are
required to participate in the emergency response).

The emergency preparedness and response section requires your organization to establish and maintain
a procedure to:

1. Identify potential emergency scenarios;
2. Respond to accidents and emergencies;
3. Prevent and mitigate any impacts and risks that may be associated with accidents and emergencies.

Your organization should review and revise, when necessary, the emergency preparedness and response
procedure, especially after an accident or emergency situation. Your organization must also periodically test
such procedures where practicable. Whether your facility has emergency response plans or not, you should
review the following sections to ensure you meet the emergency response requirements. Develop a procedure
to respond to emergency situations.

Identification of Potential Accidents and Emergencies


The emergency response procedure(s) describe how you plan to identify potential accidents and emergency
situations. Potential accidents and emergency situations could include:

1. Fire;
2. Accidental emissions to the atmosphere;
3. Accidental discharges to water;
4. Accidental discharges to land.

Identifying potential accidents and emergency situations requires intimate knowledge of operations, including
processes, materials used, and operating practices. When determining potential accidents and emergency
situations, consult the following sources:

1. Aspect and impact evaluations;
2. Process engineers;
3. Equipment manufacturers;
4. Accident reports and records;
5. Maintenance personnel;
6. Material Safety Data Sheets (MSDS);
7. COSHH data sheets.

In addition to consulting the above resources, it is useful to perform a walk-through inspection to identify
potential environmental accidents and emergency situations. Walk-through inspections are most effective
when performed during typical operating conditions using observational and non-threatening interview and
communication techniques.

Emergency Response Plans


Emergency response plans are the result of prior planning, testing, and the coordination of internal and external
resources. Emergency response plans provide written instructions and information to use during accidents and
emergency situations. Such plans can also provide information to prevent or mitigate environmental impacts.
It is recommended that emergency response plans include:

1. Emergency organization and responsibilities
2. A list of key personnel
3. Provisions for safe evacuation, assembly and accounting of personnel, and details of emergency services
(e.g., fire department, ambulance services, spill clean-up services, etc.)
4. Internal and external communication plans
5. Actions taken in the event of different types of emergencies
6. Information on hazardous materials (COSHH & MSDS) that includes each material’s potential impact
on the environment
7. Measures to be taken in the event of accidental release
8. Training plans
9. Procedures to test the plan’s effectiveness

Emergency response plans, including facility layouts and MSDSs, should be filed with the emergency
responding agencies for emergency situations. Emergency responders must be familiar with facility layouts and
potential hazards and must be adequately trained to prevent and mitigate a variety of human and
environmental impacts.

Emergency Response Plans Review and Revision


Your organization must review and revise, when necessary, its emergency preparedness and response
procedures, especially after an accident or emergency situation. You must also periodically test such
procedures where practicable. Otherwise, plans may never be determined to be adequate or inadequate until
after an accident that may have been avoidable with proper testing procedures.

9.0 Performance Evaluation


9.1 Monitoring, Measurement, Analysis & Evaluation
9.1.1 General
The organization has to determine what it needs to monitor and measure. This includes the determination of
the criteria against which the quality and environmental performance will be evaluated, including appropriate
indicators. Some examples of what to measure are your organization’s progress on quality and environmental
objectives, characteristics of operational activities, products and services related to significant environmental
aspects, and the status of compliance obligations.

How does your organization carry out these monitoring and measurement activities in order to ensure that the
results obtained are valid? These methods may include, as appropriate, statistical techniques to be applied to
the analysis of those results. Your organization should also determine when monitoring and measurement
should be carried out and at what stage the results of monitoring and measurement should be analyzed and
evaluated.

You should note the additional requirement for your organization to evidence evaluation of the results of
monitoring and measurement, not just their analysis. This evidence should confirm that the organization has
considered what, how and when to measure and that the outcomes from this decision are ensuring appropriate
process control.

Also note a new requirement to monitor the performance and effectiveness of your organization’s EQMS. You
should expect to see that your organization has developed a process (method, techniques, format, etc.) to
identify, collect and analyse various data and information from both internal and external sources, including:

1. EQMS records;
2. Monitoring and measuring results;
3. Process performance results;
4. Meeting objectives;
5. Internal audit findings;
6. Customer surveys and feedback;
7. 2nd or 3rd party audit results;
8. Competitor and benchmarking information;
9. Product test results;
10. Supplier performance information.

This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the
integrated management system and its processes. The ‘output’ (result of the analysis) must provide information
(understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight
to:

1. Customer satisfaction and perception;
2. Product conformance;
3. Process performance;
4. Product and process characteristics;
5. Trends in products and processes;
6. Opportunities for preventive action;
7. Suppliers and subcontractors.

Other potential or useful options might include:

1. Need for corrective action;
2. Opportunity for improvement;
3. Competition.

Documented information and organizational knowledge that records process data should be considered for
analysis. Records are evidence of system performance and should be analyzed for potential improvements.

Monitoring and measuring EQMS operations and activities will establish a mechanism to ensure that your
organization is meeting its policies, objectives and targets. In order to meet this requirement, your organization
must perform six steps:

1. Identify the activities that can have significant impacts and risks;
2. Determine key characteristics of the activity to be monitored;
3. Select the best way to measure the key characteristics;
4. Record data on performance, controls and conformance with objectives and targets;
5. Determine the frequency with which to measure the key characteristics;
6. Establish management review and reporting.

Establish the monitoring and tracking criteria for each activity that has a significant impact or risk and review
the action plan. You should incorporate any monitoring and measurement information to cover these same
activities.

9.1.2 Customer Satisfaction


This requirement is comparable to the requirements from ISO 9001:2008 Clause 8.2.1 – Customer Satisfaction,
the change being that your organization must now solicit customers’ perceptions of your organization
and its products and services. You should seek and record evidence that your organization has implemented
a consistent and systematic approach to dealing with customer feedback and is obtaining information on
customer perception.

Just collecting data on customer perceptions is not sufficient; you should seek and record evidence that your
organization has analyzed and evaluated customer data and that conclusions have been made with regard to
the effectiveness of the EQMS.

1. Are there any trends?
2. Is the situation stable, improving, or deteriorating?
3. Are customer needs and expectations changing?

Both internal and external auditors will look for proof that a consistent and systematic approach has been
implemented to deal with customer complaints. This approach would typically include defined responsibilities
for logging and tracking complaints, clearing technical issues, determining problem causes and actions to
address them. Specific examples of complaints must be sampled.

The link between the customer complaint process and corrective action also requires special scrutiny.
Determine appropriate methods for monitoring and measuring customer satisfaction by:

1. Using customer satisfaction surveys;
2. Providing methods for receiving and dealing with customer feedback;
3. Providing suitable processes for monitoring trends in, and reviewing, customer data.

9.1.3 Analysis & Evaluation
This requirement is comparable to ISO 9001:2008 Clause 8.4 - Analysis of Data. You should expect to see that
the organization has developed a process (method, techniques, format, etc.) to identify, collect, analyze
and evaluate data and information from both internal and external sources (i.e. quality and environmental
records, monitoring and measuring results, process performance results, objectives, internal audit findings,
customer surveys and feedback, 2nd or 3rd-party audit results, competitor and benchmarking information,
product test results, complaints, supplier performance information, etc.).

This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the quality
management system and its processes. The ‘output’ (result of the analysis) must provide information
(understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight
to:

1. Customer satisfaction and perception;
2. Product conformance;
3. Process performance;
4. Product and process characteristics;
5. Trends in products and processes;
6. Opportunities for preventive action;
7. Suppliers and subcontractors;
8. Need for corrective action;
9. Opportunity for improvement;
10. Competition.

The requirements of Clause 9.1.3 interrelate with those in clauses:

1. Management review input;
2. Improvement;
3. Corrective action;
4. Risks and opportunities.

Furthermore, any record with data that is an established part of the EQMS may be considered relevant for
analysis. Records are evidence of system performance and should be analyzed for potential improvements.

9.1.4 Evaluation of Compliance


With reference to the evaluation of compliance, your organization should set up a process that involves the
determination of the frequency of the evaluation, the execution of the evaluation and the actions that need to
be taken. If during a compliance evaluation, a failure to fulfil a compliance obligation is identified, the
organization needs to take action to achieve compliance. This may require getting in contact with a regulatory
agency to agree the action to be taken. Once that agreement is in place, it becomes another compliance
obligation.

The Certification Auditor’s role is not to verify the result of the compliance audit, but to assess the effectiveness
of the audit process and the actions taken. An understanding of compliance status must be demonstrated.
Therefore, your organization must have the means (inspections, tests, audits) that are frequent and robust
enough to ensure that knowledge and understanding of compliance status is maintained.

9.2 Internal Audit


This requirement is unchanged from the requirements of ISO 9001:2008 and ISO 14001:2004. Your organization
should establish an internal audit programme to cover all requirements of the standards. In addition, you
should ensure that consideration is given to the status and importance of the processes that comprise the
audit programme and the results of previous audits. Objective evidence should include information
concerning the effective implementation of the audit programme, as well as a sample of audit results.

In ISO 9001:2008 and ISO 14001:2004, the purpose of the internal audit is to ‘determine whether the
management system conforms to requirements and is effectively implemented and maintained’, i.e. to actually
make the judgment. In the 2015 version of the standards, the purpose of the internal audit is to simply ‘provide
information’ as to whether this is the case. Subsequent determination is now undertaken by relevant
management, e.g. during management review meetings.

9.2.1 Internal Audit Programme


Planning the internal audit programme, whilst taking into account process status and importance, is one of the
most disregarded requirements of ISO 9001. Use the process status and importance tracker to help determine
which of your processes and procedures should be audited more frequently than others by entering a score to
rank various process attributes.

The resulting scores are highlighted to indicate whether the process requires more frequent auditing based on
its ability to affect the customer and how well it is performing. This is a great way to mathematically substantiate
your audit schedule. You should then schedule processes with high, red scores for additional audits, perhaps
three or even more times per year.

Status
You should consider process status in terms of maturity and stability; a more established, proven process will
be audited less frequently than a newly implemented or recently modified process and should receive a lower
status score. Conversely, processes which are not performing to the planned arrangements should be assigned
a higher status score.

Importance
You should consider process importance as the degree of direct impact that process performance has on
customer satisfaction; i.e. could the process provide the customer with non-conforming product? Support
processes should be given a lower ranking than the manufacturing/service provision processes. In addition,
the results of previous audits should be considered. Processes that have been audited recently and have
shown effectiveness and improvement should be audited less frequently.

Environmental & Quality Ranking


Consider how a failure in quality and environmental attributes could affect your customers in terms of providing
non-conforming product. In fact, why not ask your customers which attributes could affect them the most, as
this method provides a great way to engage with them and to objectively justify the audit programme to Top
management.

Customer Complaints
Simply put, enter the actual number of complaints in the relevant cell that is related to the process. Customer
complaints are ranked very highly in terms of seriousness and will elicit a red warning on the total score heat
map to highlight that process as requiring greater audit scrutiny.

Corrective Actions
Include the number of open corrective actions in the relevant cell that is related to the process. The corrective
actions should be included and must cover all those that were raised internally or externally. External corrective
actions rank higher in terms of importance than internal corrective actions. External corrective actions might
arise from customer audits, registrar audits or from other stakeholders.

9.2.2 Internal Audit Checklists


The audit checklist is just one of the many tools which are available from the auditor’s toolbox that help ensure
your audits address the necessary requirements. The checklist stands as a reference point before, during and
after the audit, and will provide the following benefits:

1. Ensures the audit is conducted systematically;
2. Promotes audit planning;
3. Ensures a consistent audit approach;
4. Actively supports your organization’s audit process;
5. Provides a repository for notes collected during the audit process;
6. Ensures uniformity in the performance of different auditors;
7. Provides reference to objective evidence.

We have provided you with three different audit checklists and each checklist allows you to determine the
extent to which your management system conforms to the requirements by determining whether those
requirements have been effectively implemented and maintained. The templates will help you to assess the
status of your existing management system and identify process weakness to allow a targeted approach to
prioritizing corrective action to drive improvement.

1. Audit checklist metrics dashboard graphically displays status attributes;
2. Quickly identify and target system weakness with heat maps;
3. Real time charts display audit result data - ideal for reports or presentations.

The dashboard provides fast and reliable access to system and process metrics, precluding the need to know
where all performance data is stored, or for having to locate the metrics champion for current data. It also
reduces the likelihood that data is lost when metrics owners change or leave the company and reduces the
learning curve for new metrics owners.

1. Clearly illuminates under-performing metrics for prompt management attention;
2. Provides a unique management ally during internal and external audits;
3. Improves meeting efficiency by segregating metrics.

Auditors should not necessarily expect to find a documented internal audit procedure in place. However, they
must be able to access documented information confirming the implementation of an audit programme by
the organization. Documented information must also be available to evidence the results of audits. When
designing the audit programme you should ensure that customer feedback, organizational changes, and risks
and opportunities have been brought into consideration.

9.3 Management Review


9.3.1 General
Top management must periodically review the EQMS to ensure its continuing suitability, adequacy, and
effectiveness. The frequency or intervals of the Top management’s formal review must be defined in the EQMS.
The management review must address the possible need for changes to policy, objectives, targets, and other
elements of the EQMS. The management review process must ensure that the necessary information is
collected ahead of time to allow management to effectively carry out this evaluation. Information that must be
reviewed includes:

1. Minutes from previous management reviews;
2. The policies, objectives and targets;
3. Results of EQMS and process audits;
4. The extent to which objectives and the numeric targets were met.

Suitability and effectiveness of the EQMS, based on possible changing circumstances that may include:

1. New or proposed legislation or regulations;
2. Changing expectations/requirements of relevant interested parties;
3. New or modified activities, products, or services;
4. Advances in technology and science;
5. Changing market preferences of buyers.

All management reviews must be documented. Observations, conclusions, and recommendations for further
necessary action from the review must be recorded. If any corrective action must be taken, Top management
should follow up to ensure that the action was effectively implemented.

The purpose and final outcome of the management review should be continual improvement of the EQMS. As
your organization’s EQMS increases in its effectiveness and efficiency, your environmental performance will
likewise increase.

Here's what ISO 9001:2015 is really all about: defining a policy and creating a plan with relevant objectives.
You then implement the system according to the plan. You then begin auditing, monitoring and measuring
performance against the plan and reacting to your findings. Bi-annual management reviews are insufficient in
frequency to be able to react to any issues effectively.

Performance metrics should be monitored with varying frequencies: some hourly, some daily, some weekly and
some monthly. Management cannot wait for six months to respond; if they do, it will be too late. Every time
management convenes to review and react to performance, it is considered a management review. Whether
they are reviewing an individual's performance, departmental programmes and projects, etc., this should be
considered a valid management review.

Some companies have multiple review levels, whereby each review may cover multiple subjects and rely
upon multiple metrics as inputs. Sometimes subjects are reviewed at more than one level, e.g. production
numbers might be reviewed by the Production teams during daily production meetings and then by senior
management, possibly weekly.

Top management might conduct weekly meetings in which they review metrics and objectives to determine if
any corrective action is required. The process owner is then responsible for reporting close out progress in the
meeting a week later. Undertake management reviews in order to:

1. Determine and evaluate EQMS performance;
2. Determine the need for change and improvement;
3. Determine the suitability of the policies and the objectives.

9.3.2 Inputs
This now includes additional requirements for your organization to have a structured management review
process that includes discussion of changes to internal and external issues, and their potential effect on the
strategic direction of your organization. Your organization’s management review process must also include
discussion of external providers’ and other suppliers’ performance. It must also include an assessment of risk
management actions.

Auditors should expect to evidence the same outputs from management reviews as at present. However, they
should note that the results of management reviews can now be held in any format that the organization
chooses. The management review process should focus on the following inputs:

1. Risks and opportunities (Clause 6.1);
2. Possible changes that might affect the system (Clause 6.3);
3. External provider and supplier performance (Clause 8.4);
4. Customer satisfaction and perception (Clause 9.1.2);
5. Audit results (Clause 9.2);
6. Non-conformity and corrective actions (Clause 10.2).

9.3.3 Outputs
The management review process is comparable to ISO 9001:2008 Clause 5.6.3 – Management Review Outputs.
You should seek and record evidence of outputs from the management review process; there should be
evidence of decisions regarding:

1. Process improvement actions;
2. EQMS improvement actions;
3. Product and service improvement actions;
4. Resource provision actions;
5. Revised business plans and budgets;
6. Revised objectives and KPIs;
7. Amendments to policies;
8. Management meeting minutes.

Management review meeting minutes should be retained as documented information.

10.0 Improvement
10.1 General
Your organization should actively seek out and realize improvement opportunities that will better enable it to
achieve the intended outcomes of its EQMS. Potential sources of improvement opportunities include the results
of analysis and evaluation of environmental and quality performance, compliance, internal audits and
management reviews.

Improvement often does not take place on a ‘continual’ basis. Sometimes improvement can be effected
reactively through corrective actions, incrementally over time, by a step change or breakthrough, creatively
through innovation or by re-organization and transformation. Look out for objective evidence that
improvement is taking place. However, while improvement does not need to be continuous, it does need to
be evidenced as occurring.

10.2 Non-conformity & Corrective Action


The requirements of Clause 10.2.1 are comparable to ISO 9001:2008 Clause 8.3 - Control of Non-conforming
Product and Clause 8.5.2 - Corrective Action. There is an additional requirement for your organization to
determine whether other similar non-conformances exist or have the potential to exist that may affect product,
process or EQMS conformity. There is also a new requirement for your organization to determine whether
changes to the EQMS are required to prevent a reoccurrence. Your organization is now required to:

1. Take whatever action is necessary to control and correct the nonconformity, and to deal with any
resultant environmental impact;
2. Determine what caused the nonconformity and then to consider whether the potential for a similar
problem remains;
3. Consider whether any further action is required to prevent a similar nonconformity recurring at the
same place or occurring somewhere else, at some point in the future;
4. Determine if a similar non-conformity has occurred elsewhere and consequently whether it needs to
take similar corrective action.

There may be instances where it is impossible to completely eliminate the cause of non-conformity, so in
such instances, the best an organization can do is to reduce the likelihood or the consequences of a similar
occurrence happening again in order to reduce the risk to an acceptable level.

Dealing with Corrective Action


A corrective action should be considered as a reactive response to a problem since it is taken when a non-
conformance is detected or upon receipt of a customer complaint. Your organization should first contain the
problem and then determine its root cause in order to take appropriate corrective action to prevent the
problem’s recurrence.

1. Recording corrective actions using the forms provided;
2. Performing an initial review;
3. Determining causes and the need to take action;
4. Implementing action where required;
5. Preventing recurrence;
6. Evaluating effectiveness;
7. Recording the results using the forms provided;
8. Examining the effectiveness of corrective actions.

In response to a symptom, evaluate the need for initiating the problem solving process. If necessary, provide
an emergency response action to protect the customer and initiate the process.

Application criteria:

1. The symptom(s) has been defined and quantified;
2. The customer(s) who experienced the problem(s)/symptom(s) are identified;
3. Measurements have been taken to quantify the problem(s)/symptom(s);
4. Look for a performance gap;
5. The cause is unknown;
6. Symptom complexity exceeds the ability of one person to resolve.

Establish an investigation team with:

1. Process and/or product knowledge;
2. Allocated time;
3. Authority to solve the problem and implement corrective actions;
4. Skill in the required technical disciplines;
5. A designated Team Leader.

Define the Problem
Describe the internal/external customer problem by identifying what is wrong and detail the problem in
quantifiable terms. Define, verify and implement the interim containment action to isolate the effects of the
problem from any internal/external customer until permanent corrective actions (PCA) are implemented.
Validate the effectiveness of the containment actions.

Select an Interim Containment Action


An interim containment action is kept in place until a verified permanent corrective action can be implemented.
In some cases, the interim containment action may be the same as or similar to the emergency response action.
However, an emergency response action is implemented with minimal supporting data. An interim
containment action provides more opportunity for investigation.

Verify an Interim Containment Action


Any interim containment action you implement must protect the customer from the problem without
introducing any new problems. Also, a single interim containment action may not be enough. You may need
to implement more than one interim containment action to fully protect the customer. An interim containment
action can be any action that protects the customer from the problem. However, before you implement an
interim containment action, you need to verify that the interim containment action will work.

To verify the interim containment action:

1. Prove before implementation it protects the customer from the problem;
2. Provide a before-and-after comparison;
3. Prove that the interim containment action will not introduce any new problems.

Methods of verification may include:

1. A test to determine the desired performance level;
2. A demonstration that changes eliminated the issue without creating a new problem;
3. A comparison between the interim containment action and similar proven actions;
4. A review to evaluate whether the interim containment action was effective;
5. Assurance that the interim containment action did not introduce a new problem.
Implement an ICA
Conduct trial runs whenever possible. However, in some situations, your verification may simply be a matter of
common sense. For example, if an interim containment action involves stopping the shipment of all products,
you can be sure that customers will stop experiencing the problem. You and your team must consider all of
the trade-offs connected to your interim containment action. An important part of implementing an interim
containment action is planning how you will implement the action. To implement an interim containment
action, follow this management cycle:

1. Plan (Re-plan);
2. Do (Implement);
3. Check (Monitor);
4. Act (Evaluate).
Identifying the Root-Cause
Isolate and verify the root-cause by testing each possible cause against the problem description and test data.
Also isolate and verify the place in the process where the effect of the root-cause should have been detected
and contained (escape point).

Complete a Comparative Analysis


The problem description should describe the problems in terms of what, where, when, and how big. The
description should contain facts, such as observations and documentary evidence, and not assumptions. All
information must be gathered before identifying the root-cause can begin. Make sure both of the above factors
are true before you move to the next step. Consider any new information that the team may have gathered
since completing the initial problem description.

Once you have reviewed the problem description, you can begin a comparative analysis. A comparative analysis
will help you identify relevant changes in a change-induced situation. Then you can reduce the number of
possibilities that you must consider to determine root-cause. To complete a comparative analysis:

1. Ask yourself: what is unique, peculiar, different, or unusual about the symptoms?
2. Consider features such as people, processes, materials, machines and the environment;
3. List all facts without prejudice as to the possible cause.
Consider each difference you listed and look for changes. Ask yourself:

1. What has changed to give rise to this difference?
2. Keep in mind that each difference may not have a corresponding change;
3. List the changes next to the difference;
4. Look at the dates each change occurred;
5. Eliminate some changes if they occurred after the problem started;
6. Consider categories of people, machines, processes or measurements.


If the problem is change-induced, the root-cause must be the result of a change relative to one or more of the
identified changes. It is important to remember that you have not yet moved from the ‘observations’ phase of
the process. Any information you develop during the comparative analysis must be fact based, not opinion
based and must be true only for the symptoms information. Do not rule out any facts that might be valid
answers. If it is a fact and it answers the question, write it down.

Develop Root-cause Theories


Now that you have narrowed down the possible root-causes, you need to develop theories about how the
problem occurred. Theories are statements that describe how a change may have created the problem. To
develop root-cause theories:

1. Use brainstorming techniques to generate ideas;
2. Ask: ‘how could this change have caused the problem?’
3. Continue to ask the question until all possible theories are developed;
4. List at least one theory for each change;
5. List each theory individually on a worksheet;
6. List every possibility, no matter how strange or unlikely;
7. Don't reject or qualify any theory;
8. Start with the simplest single change theory first;
9. Then work up to more complex theories;
10. Be specific; don't use generalities such as ‘poor quality’ or ‘doesn't work’.
Test the Theories
To test the theory, do the following:

1. Ask, ‘Does this theory explain the symptoms and data, if so how?’
2. Test the theory against each individual condition.
If a theory explains the problem, but lacks information necessary to explain why it happened, gather data:

1. Gather more data to prove or disprove these theories;
2. Test simple (single change) theories first;
3. Test highly complex or interactive theories last.
The root-cause must explain all known data. Any theories that pass the trial run are the most likely causes. If
only one theory passes the trial run then verify this theory as the root-cause. However, more than one theory
may pass the trial run. In those cases (and when practical and feasible), collect and analyse any missing data
for uncertain theories and re-examine information to resolve uncertainties.

If additional information reveals that a theory cannot fully explain why the problem happened, eliminate it from
consideration. If it is not feasible to gather and evaluate additional information, try to verify each remaining
theory. Start verification with the theory that best explains the symptoms.

Verify the Root-Cause


Once you have determined the most likely cause(s), verify that it actually causes the problem. Verification is
the proof you need to confirm that you have identified the root-cause.

Verification is done passively and actively. Passive verification is done by observation:

1. Look for the presence of the root-cause without changing anything;
2. If you cannot prove root-cause, then the identified cause is not the root-cause.
Active verification is done by manipulating the root-cause variable:
1. Implement and remove the root-cause variable to make the problem ‘come and go’;
2. Both ‘coming’ and ‘going’ are essential tests to confirm the root-cause;
3. There can be more than one verified root-cause.
Determine and Verify the Escape Point
After you have determined and verified the root-cause, you need to determine the escape point of the problem.
An escape point is the point closest to the root-cause at which the problem could have been detected but was
not.

A control system is a system deployed to monitor the product/process and ensure compliance to quality
requirements. A control system consists of responsibilities, procedures, and resources. A control point is a
location within the control system at which the product/process is checked for compliance to the quality
standards.

A product or process may have more than one control point within the system. When you identify the escape
point, you can work to improve or establish a system to ensure that if problems occur, they will not go
undetected. To understand how the problem escaped and to identify the escape point:

1. Review the process; focus on the part of the process where the root-cause occurred;
2. Determine if a control system exists to detect the problem.
If none exists, the development of a new control system must be considered as part of the problem solution.
If a control system currently exists:

1. Identify the control point closest to the root-cause;
2. Determine if the control point is capable of detecting the problem.
If the control system is not capable, the development of an improved system must be part of the problem
solution. If the control point is capable of detecting the problem, then the control point is the verified escape
point. Choose and verify permanent corrective actions for the root-cause and the escape point. Select the best
permanent corrective action to remove the root-cause and select the best permanent corrective action to
eliminate the escape point. Verify that both decisions will be successful when implemented without causing
undesirable effects. Steps for permanent corrective actions (PCA) selection:

1. Establish decision criteria, e.g. what is feasible;
2. Identify possible actions;
3. Choose the most appropriate permanent corrective action (PCA);
4. Test and verify the permanent corrective action;
5. Re-evaluate the ICA & PCA for the escape point.
Implementing & Validating Permanent Corrective Actions
Plan and implement selected permanent corrective actions. Remove the interim containment action and
monitor the long-term results. Steps for PCA implementation:

1. Develop Action Plan for PCA;
2. Implement the PCA Plan;
3. Remove the ICA;
4. Evaluate the PCA for escape point;
5. Perform validation;
6. Confirm with the customer that the symptom has been eliminated.
Preventing Recurrence
Modify the necessary systems, policies, practices and procedures to prevent recurrence of this problem and
similar ones. Make recommendations for systemic improvements as necessary:

1. Review the history of the problem;
2. Analyse how the problem occurred and escaped;
3. Identify affected parties;
4. Identify opportunities for similar problems to occur and escape;
5. Identify practices and procedures that allowed the problem to occur;
6. Identify practices/procedures that allowed the problem to escape to the customer;
7. Analyse how similar problems could be addressed;
8. Identify and choose appropriate preventive actions;
9. Verify preventive action and its effectiveness;
10. Develop action plan;
11. Implement preventive actions;
12. Present systemic preventive recommendations to the process owner.
Serious consequences may occur when the underlying symptoms are not addressed, when the quick fix is
accepted as a final, permanent solution. Excessive reliance on containment or emergency response action will
create a repeating cycle. Problem containment is an addiction that will only get worse until root-causes are
found and addressed.

10.3 Continual Improvement


This requirement is comparable to ISO 9001:2008 Clause 8.5.1 Continual Improvement. One of the driving
goals of ISO 9001 is the principle of continual improvement. You must be able to demonstrate continual
improvement. Most auditors would expect you to revise the quality system documentation and processes as
the quality management system matures or when a new process is implemented.

Determine whether your organization identifies improvement opportunities and EQMS underperformance
using the data output from its processes, such as from analysis and evaluation, internal auditing, management
review, and the use of appropriate tools and methodologies to support and validate findings. Ensure that your
organization has implemented the identified opportunities for improvement in a controlled manner.

You should seek objective evidence that your organization has implemented a process, with appropriate methods,
techniques, and formats for identifying areas of underperformance or opportunities for improvement. You
should expect to see evidence that your organization has selected the appropriate tools and techniques to
investigate the causes, thereby establishing and implementing a process for continual improvement. The
impetus for continual improvement must come from the use of (as a minimum):

1. EQMS Policies;
2. Risks and opportunities;
3. EQMS objectives;
4. Aspects and impacts;
5. Analysis and evaluation of data;
6. Audit results;
7. Management review;
8. Non-conformity and corrective action.
Requirements for continual improvement interrelate with the following clauses:

1. EQMS planning;
2. EQMS objectives;
3. Risks and opportunities;
4. Recommendations for improvement;
5. Improvement of the system, processes and products;
6. Analysis and evaluation of data;
7. Non-conformity and corrective action.
Processes can always be made more efficient and effective, even when they are producing conforming
products. The aim of a continual improvement programme is to increase the odds of satisfying customers by
identifying areas that need improvement. It requires the organization to plan improvement systems and to
take into account many other activities that can be used in the improvement process.

You will be required to ensure that you continually improve the degree to which your products and services
meet customer requirements and to measure the effectiveness of your processes. To this end, the continual
improvement principle implies that you should adopt the attitude that improvement is always possible and
your organization should develop the skills and tools necessary to drive improvement.

The PDCA cycle is a perfect way of introducing continual improvement to your organization’s activities. Each
step to improvement can be defined by four sub-steps: Plan, Do, Check and Act:

1. Plan: Establish a timetable for internal audits and management reviews. Establish the objectives and
processes necessary to deliver results in accordance with your customer’s requirements and your
organization’s policies.

2. Do: Implement changes designed to solve the problems on a small scale first to see the effect. This
minimizes disruption to routine activity while testing whether the changes will work or not.

3. Check: Monitor and measure processes and product against policies, objectives and requirements
and report the results. Also check on key activities to ensure that the quality of the output is
conforming and not influenced by the changes.

4. Act: Take actions to continually improve process performance. Implement the changes on a larger
scale, if the experimental changes have proven to be successful. This means making the changes a
routine part of the activity.

Also act to involve other people, departments or suppliers affected by the changes and whose co-operation is
needed to implement them on a larger scale. Make sure that changes are documented properly according to
the documentation requirements.
