QMS

BACKGROUND OF ISO
 ISO is an independent, non-governmental

international organization with a membership
of 164 national standards bodies.
 On 23 February 1947, ISO began operations.
 ISO from Greek means equal

(IOS in English, OIN in French for Organisation
internationale de normalisation)
06/08/2023
2
Expected results of ISO
Standards
 ISO 9001 – “Consistent, conforming
products”
 ISO 14001 – “Prevention of
pollution”
 OHSAS 18001 – “Safe working
conditions
 ISO 45001 – Safe working condition
and participation of workers”
 ISO 50001 – “Efficient energy
usage”
06/08/2023 3
To enhance Organizational Capability
Technology
People
QMS
Processes
4
ISO 9001 revisions since beginning
1994
2000
1987 Revisions
2008
2015
Prepared By: Reza Seifollahy

 First published in 1987, ISO 9000 has
consistently been ISO’s most popular
series of standards.
 building on 25 years of success, ISO

technical committee ISO/TC 176,Quality
management and quality assurance,
subcommittee SC 2, Quality systems, is
busy laying the groundwork for the next
generation of quality management
standards.
Prepared by: Reza Seifollahy

Development of ISO 9001
1994: 2000:Qua
1987: 2015: New
Small lity
Quality 2008: structure
revision- managem
assurance miner including
preventi ent –
-20 revision risk based
ve process
elements thinking
action approach
06/08/2023 7
KEY Aspects- 7 QM Principles
ISO 9001:2015 ISO 9001:2008
Seven Quality Management

Eight Quality Management Principles
Principles
1. Customer Focus 1. Customer Focused Organization
2. Leadership 2. Leadership
3. Engagement of People 3. Involvement of People
4. Process Approach 4. Process Approach
5. Improvement 5. System Approach to Management
6. Evidence-Based Decision
6. Factual Approach to Decision Making
Making
7. Relationship
7. Continual Improvement
Management
8. Mutually Beneficial Supplier Relationship
06/08/2023
QMS PRINCIPLES
1. Customer Focus
2. Leadership
3. Engagement of People
4. Process Approach
5. Improvement
6. Evidence based Approach
7. Relationship Management
KEY TERMS & DEFINITIONS
QUALITY
Degree to which a set of inherent characteristics of an object
fulfills requirements
PROCESS
set of interrelated or interacting activities that use inputs to
deliver an intended result
RISK
Effect of uncertainty
AUDIT
Systematic, independent and documented process for obtaining
audit evidence and evaluating it objectively to determine the
extent to which the audit criteria are fulfilled.
10
Process Approach
Development of ISO 9001
Key is to engage all gears Process Approach
Risk
P-D-C-A based
Approac thinking
h
Process
Risk: Effect of Approac
Uncertainty on an h
expected results-
ISO 9001:2015
06/08/2023 12
Process Approach
Implementa Managemen
tion t
Proces Improvem
Identificat
s ent
ion
06/08/2023 13
Process Approach
How is the Process Matured ?
Efficient - No Effective- Desired

waste Result achieved
Input Activity Output
Right Resources:- Desired

Qualified people, Results:-Quality
Right facilities'/equipment Product, Quality
Correct Material, Proven Services,
Methods' Customer
Satisfaction
06/08/2023 14
ISO Requirements
“Should” “Note”
Recommenda guidance /
tion Clarification
“ Shall ” “Such as”

Requiremen guidance
Mandatory
ts only
06/08/2023 15
3 core
concepts…………
 Identify the processes needed to achieve the
planned results
 Continually monitor the risks (“Risk-based
thinking”)
 Understanding “Cause and effect”
 Manage the processes and the system
using
“PDCA”
06/08/2023 16
06/08/2023
Plan-Do-Check-Act cycle
Quality Management System
Organization
and its context
Support and
(4)
Operation
(7,8) Customer
satisfaction
Plan Do
Customer
requirements
Planning Performance
Leadership
(6) Evaluation (9)
(5)
Act Check Products and

Needs and services
expectations of Improvement
interested (10)
parties
(4)
06/08/2023 20
Major differences in terminology between ISO
9001:2008 and ISO 9001:2015
ISO 9001:2008 ISO 9001:2015
Products Products and services
Exclusions Not used
(See Clause A.5 for clarification of
applicability)
Management Not used
representative (Similar responsibilities and authorities
are assigned
but no requirement for a single
management representative)
Documentation, quality Documented information
manual, documented
procedures,
records
Work environment Environment for the operation of
processes
Monitoring and Monitoring and measuring resources
measuring equipment
Purchased product Externally provided products and services
Supplier 06/08/2023 External provider

Key difference in ISO 9001:2015 and ISO
9001:2008
ISO 9001:2008 ISO 9001:2015
0 Introduction 0 Introduction
1 Scope 1 Scope
2 Normative references 2 Normative references
4 Quality Management System 4 Context of the organization
5 Management Responsibility 5 Leadership
6 Planning
6 Resource Management 7 Support
7 Product Realization 8 Operation
8 Measurement .analysis and 9 Performance evaluation
improvement
10 Improvement
The first three clauses in I SO 9001:2015 are largely the same as those
in ISO 9001:2008 , but there are considerable difference between
Them from the fourth clause onwards. The last seven clauses are now
arranged accord to the PDCA cycle.
06/08/2023
“Annex SL” High Level Structure
7. Support
• Resources
1. Scope • Competence
2. Normative references • Awareness
3. Terms and definitions • Communication
• Documented information
4. Context of the 8. Operation
• organization Understanding • Operational planning and control
the organization and its context
• Needs and expectations of 9. Performance
interested parties evaluation
• Determining the scope
• Management System • Monitoring, measurement,
5. Leadership
 analysis & evaluation
• Leadership and commitment  Internal Audit Review
•
• Policy  Management
• Roles, responsibility and
authority •
6. Planning 10.Improvement
• Actions to address risks & • Non conformity and
opportunities corrective
• Objectives and plans to achieve  action
them
• Continual Improvement
06/08/2023 23
Some key
changes...........
 Complete reformatting to align with “Annex SL”
 “Products and services” instead of “product”
 More emphasis on addressing “risks &
opportunities”
 Elimination of the term “preventive action”
 the concept still remains, and is actually reinforced
 throughout the standard (by addressing “risk”)
“External provision of products and services”
 instead of “purchasing” – includes outsourced
processes Elimination of specific requirements for
 Quality Manual
 Management representative
06/08/2023 24
Benefits of QMS
Structure of ISO 9001:2015
PLAN DO CHECK ACT
4 Context of 9 Performance
5 Leadership 6 Planning 7 Support 8 Operation 10 Improvement
evaluation
organization
Understanding Actions to Monitoring,

Leadership Operation
of the address risk measurement, Nonconformity
and Resources planning and
organization and analysis and
commitment control and corrective
and its context opportunity evaluation
aaccttiion
Needs & Determination of
Expectations of Quality requirements for
Quality policy Competence products/ Internal audit
interested objectives Continual
services
parties im rovement
Roles,
responsibilities Planning Design and Management
Scope of the Awareness
and of changes development review
QMS
authorities
Control of
QMS and its Communication externally provided
Processes products and
services
Production &
Documented
service
information provision
Release of
products and
services
Control of
Nonconforming
process outputs,
products and
services
06/08/2023 26
4.3 Determining
4.2 Understanding the scope of the
the needs and quality
expectations of management
interested parties system
4.1
Understandi 4 Context of 4.4 Quality
ng the the management
organization system and
organization
and its its processes
context
06/08/2023 28
4. Context of the organization
As per ISO 9000, the definition of Context of the Organization
is “business environment“, “combination of internal and
external factors and conditions that can have an effect on
an organization’s approach to its products, services and
investments and interested Parties“.
In normal language, this concept is also known as the

business environment, organizational environment or
ecosystem of an organization.
The “Context of Organization” clause has four sub-clauses :-

4.1 Understanding organization and its
context
The organization should determine external and internal issues

for the organization relevant to its purpose, strategic planning
and which affect the organization’s ability to achieve its
objectives.
The Organization should monitor and review the information

about external and internal issues.
The organization must consider issues related to values, culture

knowledge and performance of the organization for the
understanding of internal issues.
4.1 Understanding organization and its
context
.
The organization must consider issues related to arising

from legal, technological, competitive, market, cultural,
social, and economic environments, whether
international, national, regional or local for the
understanding of external context.
For considering internal context as well as external factors
both positive as well as negative factors must be considered.
Internal context
An organization’s internal context is the internal environment within

which the organization seeks to achieve its sustainability goals.
The internal context may include:-
 Product and service offerings
 Governance, organizational structure, roles, and accountability
 Regulatory requirements
 Policies and goals, and the strategies that are in place to achieve
them,
 Assets (e.g., facilities, property, equipment and technology)
 Capabilities understood in terms of resources and knowledge (e.g.,
capital, time, people, processes, systems, and technologies)
 Information systems, information flows, and decision-making
processes (both formal and informal)
 Relationships of the staff/volunteers/members and the perceptions
and values of their internal stakeholders including suppliers and
partners
 Organization’s culture
 Standards, guidelines, and models adopted by the organization and
 Form and extent of the organization’s contractual relationships.
Internal context
Example internal issues could include, but are not limited to:-
Structure of the organization — limited flexibility when dealing with varying
demands
Roles within the organization — Rigid, personnel willing to adapt to
demands?
Availability of reliable qualified and competent workforce — very good
(positive)
Stability of workforce – Wage benchmarking is not consistent with
competitors
Staff retention — very high (positive)
Impact of unionization – Uncordial
Staff competency levels– high(positive)
Contractual arrangements with customer-beneficial
Payment terms from customers-high credit
Service level agreements with customers -etc
The culture within the organization -etc
Once the internal context is understood, one can conduct the macro-
environmental external analysis using “PEST” (political, economic,
social and technological) analysis.
This analysis determines which factors are can influence how the
organization operates. The organization cannot control these factors,
but it must seek to adapt to them. The PEST factors can be classified as
opportunities and threats in a SWOT (strengths, weaknesses,
opportunities, and threats) analysis.
External context
 To determine external context, you should consider
issues arising from its social, technological,
environmental, ethical, political, legal, and economic
environment. Examples of external context may
include:
 government regulations and changes in the law
 economic shifts in the organization’s market
 the organization’s competition
 events that may affect corporate image
 changes in technology
External context
Example external issues could include, but are not limited to:-
Political, economic, social, technological, legal and regulatory — Laws

changing, affecting product conformity, minimum wage changing, evolutions in
more efficient machinery affecting the price
Operating Permits becoming tighter on emission levels — technology
demands
Overall economic performance in the country — above EU norm (positive)
Competitive environment — overall low-cost of entry into the market
Economic plans for future -etc
The nature and impact of the economy on the market -etc
Customer demographics -etc
General levels of consumer confidence -etc
Customer expectation -etc
Standardization and certification within the industry -etc
Regulation within the industry generally -etc
Trade associations and lobbying powers -etc
Impact on neighbors. -etc
4.2 Understanding needs and expectations of
interested parties
The organization shall determine relevant interested parties

and relevant requirements of relevant interested parties.
 Relevant interested parties to be considered are those that

could affect or potentially affect the organization’s ability to
constantly provide products and services that meet customer
and applicable statutory and regulatory requirements.
 Monitor and review information related to interested parties

and relevant requirements.
4.2 Understanding needs and expectations of
interested parties
 The organization should monitor and review information

about these interested parties and their relevant
requirements.
 There will be those external interested parties that impose

specific legal, regulatory or contractual requirements in an
organization.
Interested Parties
 Customers: The people who use your product directly affect your
ability to satisfy their needs. You need to understand the needs,
expectations, and requirements of these people, because how they will
use your product or service determines how your products or services
need to be created. These can be some of your most important
interested parties.
 Suppliers: Organizations usually sign different kinds of agreements
with external providers that those providers need to comply with,
including material service agreements, non-disclosure agreements, etc.
In addition, suppliers may have different business practices or quality
requirements, which the company will have to respond to.
 Governments & non-government organizations: Many industries
have legal requirements that their products and services need to meet,
and there can be a great cost to not meeting these.
 In addition, it’s important to understand the expectations of other
organizations, such as industry watchdog groups, which might identify
what levels of performance and durability are expected by your
ultimate customers.
Interested Parties
 Employees: Even if your employees are not purchasers of
your product or service, they will want to work in an
environment that creates products and services that will
meet the needs of your end customers. Nobody wants to
create faulty products or services.
 Shareholders: Since your financial bottom line is directly
affected by the costs of your products or services, your
shareholders will be interested in how well your QMS
performs. In particular, the expectations around continual
improvement could be extremely important for this group of
interested parties.
4.3 Determining the scope of the quality management
system
The organization shall determine the boundaries and applicability
of the quality management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in
4.2;
c) the products and services of the organization.
The organization shall apply all the requirements of this
International Standard if they are applicable within the
determined scope of its quality management system
4.3 Determining the scope of the quality management
system
Determining the scope of the QMS is one of the main milestones in the
implementation.
The scope must be examined and defined considering the internal and
external issues, interested parties and their needs and expectations, as
well as legal and regulatory compliance obligations.
Additional required considerations for the QMS scope are products,

services, and organizational size, nature and complexity. The scope and
justified exclusions must be kept as documented information
4.3 Determining the scope of the quality management system
The scope of the organization’s quality management system

shall be available and be maintained as documented
information.
The scope shall state the types of products and services
covered, and provide justification for any requirement of this
International Standard that the organization determines is not
applicable to the scope of its quality management system
4.3 Determining the scope of the quality management system
It is most common that the scope of the QMS covers the entire
organization. Some noted exceptions are when your QMS only
covers one physical location of a multi-location company, or when
your manufacturing or service is distinctly split between industries
(e.g., in a plant with three assembly lines where assembly lines 1
and 2 are for automotive and need to have a QMS certified to the
ISO/TS 16949 QMS standard for automotive, but you want line 3 to
be certified to ISO 9001 since many of the automotive requirements
do not apply).
So, your scope should identify the physical locations of the QMS,
products or services that are created within the QMS processes, and
the industries that are applicable if this is relevant.
4.4 Quality management system and its processes
4.4.1 The organization should establish, implement, maintain
and continually improve a quality management system,
including the processes needed and their interactions, in
accordance with the requirements of this International
Standard.
4.4.1The organization shall determine the processes
needed for the quality management system and their
application throughout the organization, and must :
a) determine the inputs required and the outputs expected

from these processes;
b) determine the sequence and interaction of these
processes;
c) determine and apply the criteria and methods (including
monitoring, measurements and related performance
indicators) needed to ensure the effective operation and
control of these processes;
d) determine the resources needed for these processes and

ensure their availability;
e) assign the responsibilities and authorities for these
processes;
f) address the risks and opportunities as determined in
accordance with the requirements of 6.1;
g) evaluate these processes and implement any changes
needed to ensure that these processes achieve their
intended results;
h) improve the processes and the quality management
system.
4.4.1 Quality management system and its
processes
The standard requires the organization to establish a
process-based management system.
This is required to be maintained and continually
improved.
The clause sets out high level requirements for the design
of such a process-based management system.
Process
The process is a set of interrelated activities that transform activity
inputs into outputs. For example, Installation: The process of
converting a box of components into a working security system.
4.4.1 Quality management system and
its processes
Process approach
Process approach is a management strategy that requires
organizations to manage its processes and the interactions between
them. Thus you need to consider each major process of the
company and their supporting processes.
All processes have:
1. inputs;
2. outputs;
3. operational control;
4. appropriate measurement & monitoring.
Each process will have support processes that underpin(Basis) and
enable the process to become realized.
Process Approach
Process Approach
Questions to ask:
a. What are the inputs to the process?
b. Where do the inputs come from?
c. What are the outputs to the process?
d. Where do the outputs go to?
e. Is there an effective inter-relationship between processes?
f. Who plans the process?
g. Who conducts the process?
h. Are responsibilities and authorities defined?
i. Who monitors and measures the process?
j. What resources are required for the process? - Materials,
people, information,
k. environment, infrastructure, etc.?
Process Approach
Questions to ask:
a. What documented information is required for the operation and
control over the process?
b. What competences & training are required?
c. What awareness and knowledge is required?
d. What methods are used to control and run the process?
e. What are the risks and opportunities for the process?
f. What happens when the process goes wrong or does not yield the
correct output or result?
g. How can the process be improved?
h. Is the process part of the management review process?
i. Is the process subject to internal audit?
4.4 Quality management system and its
processes
4.4.2 To the extent necessary, the organization must:

a) maintain documented information to support the operation
of its processes;
b) retain documented information to have confidence that the
processes are being carried out as planned.
5 Leadership
5.1 Leadership and commitment
Top management must:

 have accountability for the effectiveness of their organization's
quality management system;
 ensure that their organization's quality policy and quality
objectives are consistent with the organization's overall strategic
direction and the context in which the organization is operating;
 work alongside their people in the organization in order to
ensure that the
 quality objectives are achieved;
5 Leadership
Top management must:

 ensure that the quality policy is communicated, understood and
applied across
 the organization;
 make sure that the quality management system is achieving the
results that are
 intended;
 lead people to contribute to the effective operation of the
system;
 drive continual improvement and innovation and develop
leadership in their
 managers.
The top management is required to ensure that:-
 the requirements set out in ISO 9001:2015 are met;

 QMS processes are delivering their intended outcomes;
 reporting on the operation of the QMS and identifying any
opportunities for
improvement is taking place;
 a customer focus is promoted throughout the organization;
 whenever changes to the QMS are planned and
implemented, the integrity of the system is maintained.
5.1.2 – Customer focus
Top management shall demonstrate leadership and commitment

with respect to customer focus by ensuring that:
a) customer and applicable statutory and regulatory requirements

are determined, understood and consistently met;
b) the risks and opportunities that can affect conformity of
products and services and the ability to enhance customer
satisfaction are determined and addressed;
c) the focus on enhancing customer satisfaction is maintained.
5.1.2 – Customer focus
How to :-
 knowing the customer’s expectations and delivering it;

 What can go wrong with what you are selling and providing and
what
opportunities you also have when you deliver this;
 opens doors, for example, to other work streams;
 Making sure the customer is happy.
Example
Understanding the customer specification/needs. Ensure you know
exactly what the customer wants and documenting this from initial
enquiry to commissioning paper work
5.2 Policy
5.2.1 Establishing the quality policy
Top management Must establish, implement and maintain a

quality policy that:
a) is appropriate to the purpose and context of the organization
and supports its strategic direction;
b) provides a framework for setting quality objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the quality
management system.
5.2 Policy
5.2.2 Communicating the quality policy
The quality policy shall:

a) be available and be maintained as documented information;
b) be communicated, understood and applied within the
organization;
c) be available to relevant interested parties, as appropriate.
Example
Quality policy, company induction, basic training, tool box talks.
Example CEB QUALITY POLICY
STATEMENT
CEB is committed to providing the highest quality
voice/data communications repair and refurbishment
services to our customers by:
 Consistently meeting or exceeding our customer’s expectations

for product quality and performance;
 Timely delivery of products and services to meet our customer’s
requirements;
 Continuous improvement of our processes, and systems;
 Ensuring our personnel is properly trained so they are better
able to serve our customers.
5.3 - Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and

authorities for relevant roles are assigned, communicated
and understood within the organization.
Top management shall assign the responsibility and
authority for:
a) ensuring that the quality management system conforms

to the requirements of this International Standard;
b) ensuring that the processes are delivering their
intended outputs;
c) reporting on the performance of the quality management

system and on opportunities for improvement (see 10.1), in
particular to top management;
d) ensuring the promotion of customer focus throughout the
organization;
e) ensuring that the integrity of the quality management
system is maintained when changes to the quality
management system are planned and implemented
Responsibilities and authorities must be precisely defined

and communicated to all hierarchical levels of the
organization. In specific situations (seasonal fluctuation of
labor force, emergency situations, etc.), it is necessary to
precisely document and communicate authorities, and
especially the responsibilities of temporarily employed
workers.
Clause 6 - Planning
 Clause 6 Planning brings risk-based thinking to the front. Once
the organization has highlighted risks and opportunities in clause
4, it needs to stipulate how these will be addressed through
planning.
 The planning phase looks at what, who, how and when these
risks must be addressed. This proactive approach replaces
preventative action and reduces the need for corrective actions
later on.
 Particular focus is also placed on the objectives of the
management system.
 These should be measurable, monitored, communicated, aligned
to the policy of the management system and updated when
needed.
Clause 6 - Planning
6.1 - Actions to address risks and opportunities
6.1.1 When planning for the quality management system, the

organization must consider the issues referred to in 4.1 and the
requirements referred to in 4.2 and determine the risks and
opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its
intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
6.1.2 Action
a) The organization must plan actions to address the risks
and opportunities determined in clause 6.1.1.
b) b) The organization must also plan on how to integrate
and implement the actions into its quality management
system processes and evaluate the effectiveness of
these actions
Actions taken to address risks and opportunities shall be

proportionate to the potential impact on the conformity of
products and services.
6.1.2 Action
Options to address risks can include
Avoiding risk, taking risk in order to pursue an opportunity,

eliminating the risk source, changing the likelihood or
consequences, sharing the risk, or retaining risk by informed
decision.
Opportunities can lead to
The adoption of new practices, launching new products, opening

new markets, addressing new customers, building partnerships,
using new technology and other desirable and viable possibilities to
address the organization’s or its customers’ needs
6.1.2 Action
At the business and QMS planning stage, the organization
should:
1. Determine the categories of risk from – strategic,

operational, environmental legal, social, and financial
points of view that the organization may be exposed to
– that could impact its ability to conduct its business
operations without disruption and to provide customer
satisfaction and achieve sustained success.
2. The risk management methodology must be

appropriate to the size and complexity of the
organization. Establish a comprehensive list of risks
under each of the categories described above, that
might influence the achievement of process, product
and service objectives;
6.1.2 Action
At the business and QMS planning stage, the organization
should:
3. The methodology should include the following steps to:
Methods to identify risks
 Identify each potential risk;

 Describe the potential outcome of the risk;
 Identify the potential cause(s) of risk outcome
 Rate the consequence or severity of the outcome;
 Rate the likelihood of the cause occurring;
6.1.2 Action
Identify each potential risk;
 Rate the probability of early detection of the outcome should it

occur;
 Establish risk tolerance criteria;
 Categorize each risk into critical, high, medium or low based on
using a combination of severity, occurrence, detection ratings, and
other relevant factors to establish an overall risk score to all risks
listed; Use the risk score to establish priority in addressing identified
risks.
 Identify and determine the adequacy of any existing control to
address the identified risk;
 Determining appropriate controls to respond to each identified risk
(process control plans). These controls should preferably prevent the
potential cause of the risk from occurring and secondly at least be
able to detect the cause and/or outcome of the risk.
 Determine compliance with predetermined tolerance criteria for
acceptability of risk
 Provide and use risk management information for strategic decision-
making and managing operations.
6.1.2 Action
4.) Methods to identify risks
• Look at the past history of performance, lessons learned,
current operations and planned future activities to identify
potential risks or undesirable outcomes.
• Look at current activities and problems encountered, current
and planned future activities – TGW (things going wrong)
• Apply TGW (Things Gone Wrong) for past activities and a
contingency or “what if’ approach to identifying current and
future risks.
• Apply these approaches to the full spectrum of risk categories
listed in 1 above.
• Use various tools such as cross-functional teams, flow charts,
checklists, risk analysis diagrams to brainstorm and facilitate
risk identification, analysis, and evaluation
• Ask when, where, why, who and how type questions to
identify past, current, and future risks
6.1.2 Action
5.) As indicated earlier the purpose of risk management controls

is manifold and could include:
o Avoiding risk, where the only option is not to go forward with an
activity or to withdraw from it
o Taking the risk, where risks have desirable potential consequences
o Altering risk, to optimize potential opportunities and minimize threats
o Transferring risk by measures including insurance, contractual
arrangements, trade unions, partnerships, and joint ventures
o Retain risk, where no worthwhile controls actions are feasible and the
risk is within the organization’s risk tolerance
o Removing the source of the risk by perhaps using alternate or new
technology.
Example of Determining Risk and Opportunity:
Issues (internal) Expected Uncertaint Risk(- Opportunities

Results y Ve)
H/M/L
Availability of Workforce is Existing M Opportunity to
reliable, qualified, Competent Workforce multi-skilled
competent and not all installation teams
multi-skilled skilled — impact on
workforce installation times
WorkForce The workforce Workforce H Opportunity to
retention- Wage is loyal to the leaving for benchmark our
organization better-paid Competitors
work wages
Issues (internal) Expected Uncertaint Risk(- Opportunities
Results y Ve)H//L
Standardization and Being up to Code of L Opportunity for
certification within date and practices are designers to
the informed on changing all attend free
industry – not standards the time update the trade
conforming body conference
(0.5 days)
6.2 Quality Objectives and Planning to
Achieve Them
6.2.1
The organization must establish quality objectives at relevant

functions, levels, and processes.
 The quality objectives must be consistent with the
quality policy.
 If practicable it must be measurable.
 It must be based on application requirements.
 It must be relevant to the conformity of products and
services and the
 enhancement of customer satisfaction.
 It must be monitored and communicated.
 It must be updated as appropriate.
The organization should maintain a documented information on

the quality objectives.
Quality Objectives and Planning to
Achieve Them
6.2.2
When planning how to achieve the quality objectives,

the organization must determine
 what will be done;

 what resources will be required;
 who will be responsible;
 when it will be completed;
 how the results will be evaluated.
Examples of Quality Objectives:
Product – reduction in defect rates, PPM’s (defective parts per
million), scrap rates, rework; improvement in on time delivery.
Process – objectives generally focus on improving process

productivity through the elimination or reduction of variation and
waste in process – inputs, outputs, conversion activity and related
use of resources.
Monitor and improve the process – productivity, reduction of

cycle time, errors, omissions, and failures; etc. Examples could
include objectives for – set-up time, run rates, process cycle time,
etc.
Customers – reduction in No.of complaints, improvement in

customer satisfaction rating, on-time delivery, service, support, etc,.
Examples of Quality Objectives:
Suppliers – material defects, on time delivery, no of complaints with

supplier.
Resources includes facility, equipment, labor, etc.- objectives could
be established based on availability, capability, maintenance,
personnel competency, absenteeism, production rates; efficiency;
safety; etc.
For the QMS – customer satisfaction feedback, internal audit results,

# of improvement opportunities; etc.
6.3 Planning of Changes
Where the organization determines the need for change to the
quality management system (from 4.4 g) the change must be
carried out in a planned and systematic manner.
The organization must consider
a) the purpose of the change and any of its potential
consequences;
b) integrity of the quality management system;
c) availability of resources;
d) allocation or reallocation of responsibilities and authorities.
In such instances, change control would require:
 careful planning of nature and timeline for the changes;
 determining the impact or outcome of such changes;
 ensuring adequate resources are available to implement the
change;
 top management authorization
 change deployment and follow-up
 review of the QMS by top management after changes are
affected.
To determine the priority, the organization should

consider a methodology that allows them to take into
account:
1. Consequences of the change
2. Likelihood of the consequence
3. Impact on customers
4. Impact on interested parties
5. Impact on quality objectives
6. Effectiveness of processes that are part of the QMS
Steps to implement changes
a) Define the specifics of what is to be changed

b) Have a plan (tasks, timeline, responsibilities, authorities,
budget, resources, needed information, others)
c) Engage other people as appropriate in the change process
d) Develop a communication plan (appropriate people within the
organization, customers, suppliers, interested parties, etc.
may need to be informed)
e) Use a cross-functional team review the plan to provide
feedback related to the plan and associated risks
f) Train people
g) Measure the effectiveness
7 Support
7.1 Resources
7.1.1 General
The organization should determine and provide resources
needed to establish, implement, maintain, and continually
improve the QMS. And should consider the capabilities of, and
constraints on,
1. existing internal resources;
2. and what needs to be obtained from external providers
The top management has the responsibility to ensure the availability

of resources to develop and maintain your QMS.
This is typically done through business and quality planning.

Having adequate resources is vital to ensure product conformity or
satisfy customer requirements – e.g.
having adequate personnel, materials, and equipment to ensure
timely production and delivery of the product.
7 Support
7.1 Resources
7.1.1 General
Example
Specialist skills that are better outsourced due to the size of
the organization (e.g. security
screening, health and safety advice).
Regular meetings to discuss contract and planned work.
Include review of type work to
ensure that, if the right skills sets aren’t in-house, you get the
right subcontract support
Clause 7.1.2 - People
This standard expects an organization to determine and
provide the appropriate number of personnel to effectively
implement the QMS and for the operation and control of its
processes
Allocation of staff in order to achieve the required outcome.

This means determining that you have someone to carry out
a specific process (e.g. recruitment, screening and training
of staff). Dependent on the size of the organization this may
be one or two people or a team.
The senior management will need to determine the resource

needed and maintain
this.
7.1.3 – Infrastructure
Essentially a company needs to consider all the things they will
need in order to deliver service/product to the customer/client.
This needs to include:
 buildings / water / gas / electric, etc.;
 equipment - for example computers / operating systems (e.g.
alarm master);
 vehicles – for engineers / management / sales and survey
staff;
 information – standards that have to be applied, mobile
phones / tablets, etc.
7.1.4 Environment for the Operation of
Processes
The organization should determine, provide,
and maintain the environment necessary for
the operation of processes and to achieve
conformity of products and services.
A Suitable environment for operation of

processes can be a combination of human and
physical factors such as
a. social (for e.g. non-discriminatory,
calm, non-confrontational etc),
b. psychological (for e.g. stress reducing,
burnout prevention, emotional protective),
c. physical (for example, temperature, heat,
humidity, light, airflow, hygiene, noise).
d. These factors can differ depending on the
type of product and service provided by the
organization
7.1.5 Monitoring and Measuring
Resources
7.1.5.1 General
The organization should determine and provide the
resources needed for valid and reliable monitoring and
measuring results,
where monitoring or measuring is used for evidence of
conformity of products and services to specified
requirements.
The organization should ensure that the resources provided

are :-
 suitable for the type of monitoring and measurement
activities being undertaken
 and are maintained to ensure continued fitness for their
purpose.
7.1.5 Monitoring and Measuring
Resources
7.1.5.1 General
Example
 Suitable measuring tools?
Equipment that is used to test and commission systems
such as millimeters,
insulation testers, sound pressure level meters, etc.
 Maintained – calibration of all the test equipment that
you use.
The Organization should retain appropriate documented

information as evidence of fitness for the purpose of
monitoring and measurement resources
7.1.5.2 Measurement Traceability
Where measurement traceability is a requirement(statutory
or regulatory or customer or relevant interested party
expectation) or considered by the organization to be an
essential part of providing confidence in the validity of
measurement results, measuring instruments must :-
 be verified or calibrated at specified intervals or prior to

use against measurement standards traceable to
international or national measurement standards.
 The organization must retain the basis used for

calibration or verification as documented information if no
such standard exists as documented information.
7.1.5.2 Measurement Traceability
 Measuring instruments must be identified in order to

determine their calibration status;
 It must be safeguarded from adjustments, damage, or

deterioration that would invalidate calibration status and
subsequent measurement results.
 The organization should determine if the validity of

previous measurement results has been adversely
affected when an instrument is found to be defective
during its planned verification or calibration, or during its
use, and take appropriate corrective action as necessary.
7.1.6 - Organizational knowledge
The organization must determine the knowledge necessary for
the operation of its processes and to achieve conformity of
products and services.
This knowledge shall be maintained and be made available to
the extent necessary.
 When addressing changing needs and trends, the organization shall

consider its current knowledge and determine how to acquire or
access any necessary additional knowledge and required updates.
 Organizational knowledge is knowledge specific to the organization;

it is generally gained by experience. It is information that is used
and shared to achieve the organization’s objectives.
7.1.6 - Organizational knowledge
Organizational knowledge can be based on:
a) internal sources (e.g. intellectual property; knowledge gained

from experience; lessons learned from failures and successful
projects; capturing and sharing undocumented knowledge and
experience; the results of improvements in processes, products
and services);
b) External sources ( e.g. standards; academia; conferences;
gathering knowledge f rom customers o r external providers).
7.2 Competence
The organization must :-
 determine the necessary competence of person(s) doing

work under its control that affects the performance and
effectiveness of its QMS;
 It must ensure that these persons are competent on the

basis of appropriate education, training, or experience
and
 where applicable, take actions to acquire the necessary

competence, and evaluate the effectiveness of the actions
taken;
7.2 Competence
The organization must :-
 It must retain documented information as evidence of

competence.
 Applicable actions can include, for example, training,

mentoring, or reassignment of currently employed
persons; or hiring or contracting of competent persons.
 “Competence” is defined in the section on terms as the

ability to apply knowledge and skills to achieve intended
results.
 Demonstrated competence is sometimes referred to as

“qualification”.
7.3 Awareness
Persons doing work under the organization’s control must
be aware of
I. the quality policy; relevant quality objectives;
II. their contribution to the effectiveness of the QMS,

including benefits of improved quality performance;
III. the implications of not conforming with system

requirements.
Example: Increase in sales = need for additional trained

surveyors.
Example
Skills matrix
Training records
Personnel files
7.4 Communication
The organization shall determine the internal and

external communications relevant to the quality
management system, including:
a) on what it will communicate;

b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who communicates.
7.4 Communication
Internal communications: Briefings to staff on:
new policies;
new or amended objectives;
new of amended strategies;
new or amended technology;
new products;
issues with suppliers;
anything that will have an impact on them.
Designate person responsible for updates: either department

heads, leaders in the business.
External communications: APPOINTMENT OF ACCOUNTS /

PURCHASE MANAGER.
7.4 Communication
What will be communicated – What communications will you
have for your QMS? You will most likely need to communicate on
product and service nonconformance's, but do you have to
communicate all of them (such as spare parts that you determine
to be scrap)?
When you will communicate – If you are reporting on the
nonconforming product, how long will you wait until you report?
When will you communicate on a change in your company’s
location?
With whom you will communicate – You will likely have
customers in your list of people to communicate with, but what
other stakeholders will be included in some, if not all, of your
communications? Will your list of people to communicate with
include employees, shareholders, suppliers, customers, business
partners, or members of the public?
7.4 Communication
How you will communicate – There are many ways to
communicate, and some will work better than others for different
information and for different stakeholders. You could use email,
phone, text, press release, or even in-person discussions
depending on what you need to communicate and to whom.
Who will do the communication – This may change depending
on the information to be relayed or the severity of the
information. Critical failures may need to be communicated by the
CEO, while smaller nonconformance's may be communicated by a
project team. You may even have dedicated individuals who can
speak to the media about your company, and this should be part
of your communication plan.
7.5 Documented information
7.5.1 General
The organization’s quality management system shall
include:
a) documented information required by this
International Standard;
b) documented information determined by the
organization as being necessary for the effectiveness
of the quality management system.
— the complexity of processes and their interactions;
— the competence of persons.
7.5 Documented information
7.5.1 General
This refers to what is needed for the QMS. What does this
mean? It means in order to prove that you are working a
QMS that you need to evidence it.
 How can you demonstrate that you understand something
unless there is evidence?
 You could explain it but it is far easier to write the system
around your business and business processes so that you
are evidencing it as a part and parcel of the way you
operate.
Remembering that to the extent necessary:
a) maintain documented information to support the

operation of its processes (i.e.procedures, etc.);
b) retain documented information to have confidence
that the processes are being carried out as planned
(i.e. records).
7.5.2 – Creating and updating
When creating and updating documented information, the
organization Should ensure appropriate:
a) identification and description (e.g. a title, date, author,

or reference number);
b) format (e.g. language, software version, graphics) and

media (e.g. paper, electronic);
c) review and approval for suitability and adequacy

7.5.3 Control of documented information
7.5.3.1 Documented information required by the quality
management system and by this International Standard
shall be controlled to ensure:
a) it is available and suitable for use, where and when

it is needed;
b) it is adequately protected (e.g. from loss of

confidentiality, improper use, or loss of integrity).
7.5.3.2 For the control of documented information, the

organization shall address the following activities, as
applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of

legibility;
c) control of changes (e.g. version control);
d) retention and disposition.

 Documented information of external origin determined by

the organization to be necessary for the planning and
operation of the quality management system shall be
identified as appropriate, and be controlled.
 Documented information retained as evidence of

conformity shall be protected from unintended alterations
8 OPERATION
.1 Operational Planning and Control
 The Organization should plan, implement, and control

the processes, as outlined in 4.4, needed to meet
requirements for the provision of products and services
and to implement the actions determined in 6.1
 by determining product and services requirements;

establishing criteria for the processes and for the
acceptance of products and services;
 determining the resources needed to achieve conformity

to product and service requirements;
 implement control of the processes in accordance with
the criteria;
8 OPERATION
.1 Operational Planning and Control
 The Organization should plan, implement, and control the
processes, as outlined in 4.4, needed to meet
requirements for the provision of products and services
and to implement the actions determined in 6.1
 by determining product and services requirements;

establishing criteria for the processes and for the
acceptance of products and services;
 determining the resources needed to achieve conformity

to product and service requirements;
 implement control of the processes in accordance with
the criteria;
8.1 Operational Planning
and Control
once they have done their planning for what they are
going to
sell, they then plan the detail of how this can be done
operationally.
1. Set up supplier accounts / trade accounts.
2. Purchase stock.
3. Ensure staff have correct skills and understand the
process.
4. Purchase tools and vehicles.
5. Make sure you have enough staff.
6. Issue clear instructions, drawings, procedures risk
assessments to enable them to
7. do the job.
8.1 Operational Planning
and Control
The organization needs to show clear control of the
process. They will be expected to check that delivery
as expected and when there are deviations that this is
managed and negative impacts are controlled.
The same control should be applied to subcontractors.
8.2 Determination of Requirements for Products
and Services
8.2.1 Customer Communication
The organization must establish the processes for

communicating with customers to
 provide information relating to products and

services;
 inquiries, contracts, or order handling, including
changes;
 obtaining customer feedback relating to product and
services including customer complaints;
 handling or controlling customer property,
 and establishing specific requirements for
contingency actions, when relevant.
8.2 Determination of Requirements for Products
and Services
This is essentially about what how you relate to the

customer, to include:
a) what you are selling;

b) how they can expect to be dealt with (e.g.
formal quote / email / letter / terms you will
work under/within);
c) getting feedback from the customer;
d) looking after their property (e.g. premises
whilst you are in there);
e) what plans you put in place for if something
goes wrong.
8.2.2 Determining the requirements for
products and services
The organization must ensure while determining the

requirements for the products and services
1. to be offered to customers that the product and

service requirements (including those considered
necessary by the organization), and
2. applicable legal requirements, are defined.
The organization must also ensure that it has the ability

to meet the defined requirements and substantiate the
claims for the products and services it offers.
8.2.3 Review of the requirements for products
and services
8.2.3.1 The organization must ensure that it has the ability
to meet the requirements for products and services to be
offered to customers.
The organization shall conduct a review before committing

to supply products and services to a customer;
The review should include the requirements specified by

the customer, including the requirements for delivery and
post-delivery activities; requirements not stated by the
customer, but necessary for the specified or intended use,
when known;
requirements specified by the organization; statutory and

regulatory requirements applicable to the products and
services;
contract or order requirements differing from those

previously expressed. such as catalogs.
and services
The organization must ensure that contract or order
requirements differing from those previously defined are
resolved.
When the customer does not provide a documented

statement of their requirements, the organization must
confirm them before accepting them.
In some situations, such as internet sales, when a formal
review is impractical for each order, the review can cover
relevant product information, such as catalogs.
and services
8.2.3.2 The organization should retain documented information
on the results of the review and on any new requirements for
the products and services
8.2.4 Changes to requirements for products and services

The organization shall ensure that relevant documented information
is amended, and that relevant persons are made aware of the
changed requirements, when the requirements for products and
services are changed.
8.3 Design and Development of Products and
Services
8.3.1 General
The organization should establish, implement, and maintain a
design and development process. such that they are
adequate for subsequent production or service provision.
This means that previously, when design was not relevant as you
provided a service, that this needs to be considered even if you do not
make the products. The fact you are designing a system means you
need to consider all the elements of design
8.3 Design and Development of Products and
Services
Enquire-Input Survey -Input Design
Contract
Contract Review
Submission /Design
(Output) Verification
8.3.2 - Design and development planning
While planning for design and development, the

organization must consider the following in
determining the stages and controls for design and
development:-
 nature, duration, and complexity of the design

and development activities;
 the required process stages, including applicable
design and development reviews;
 the required design and development verification
and validation activities;
 the responsibilities and authorities involved in the
design and development process;
 the internal and external resource needs for the
design and development of products and services;
8.3.2 - Design and development planning
 the need to control interfaces between persons
involved in the design and development process;
 the need for involvement of customers and users in
the design and development process;
 the requirements for subsequent provision of products
and services;
 the level of control expected for the design and
development process by customers and other relevant
interested parties;
 the documented information needed to demonstrate
that design and development requirements have been
met
8.3.3 Design and Development Inputs
The organization must determine the requirements

essential for the specific type of products and services
being designed and developed, including,
as applicable, functional and performance requirements;
applicable legal requirements;
information derived from previous similar design and

development activities;
8.3.3 Design and Development Inputs
standards or codes of practice the organization has committed
to implement;
potential consequences of failure due to the nature of

products and services;
Ensure inputs are adequate for design and development

purpose, complete, and unambiguous.
Resolve conflicts among Design and Development inputs.
The organization shall retain documented information on design and

development inputs.
8.3.4 Design and Development Controls
The organization should apply controls to the design and

development process to ensure that
 results to be achieved by the design and development
activities are clearly defined;
 Design and development reviews are conducted as
planned;
 Verification activities are conducted to ensure that the

design and development outputs have met the design
and development input requirements;
 Validation activities are conducted to ensure that the

resulting products and services are capable of meeting
the requirements for the specified application or
intended use (when known).
8.3.4 Design and Development Controls
 The organization must take any necessary actions on

the problems determined during the reviews, or
verification and validation activities.
 The organization must maintain any documented

information about these activities.
 Design and development reviews, verification and

validation have distinct purposes. They can be
conducted separately or in any combination. as is
suitable for the products and services of the
organization
8.3.5 Design and Development Outputs
The organization must ensure that design and
development outputs
meet the input requirements for design and

development.
They should be adequate for the subsequent

processes for the provision of products and services.
They must include or have a reference of monitoring

and measuring requirements, and acceptance
criteria, as applicable.
8.3.5 Design and Development Outputs
They must ensure products to be produced, or services

to be provided, are fit for the intended purpose and
their safe and proper use.
The organization must retain the documented

information resulting from the design and development
process.
8.3.6 Design and Development Changes
The organization should identify, review and control

changes made (during the design and development of
products and services, or subsequently) to design inputs and
design outputs to the extent that there is no adverse impact
on conformity to requirements.
The organization must retain documented information on
 design and development changes,
 the result of the review,
 the authorization of changes and
 action taken to prevent adverse impact

8.4 - Control of externally provided processes,
8.4.1 General
The organization must ensure that externally provided

processes, products, and services conform to specified
requirements.
The organization must apply the specified requirements

for control of externally provided products and services
when products and services are
 provided by external providers for incorporation into

the organization’s own products and services;
 products and services are provided directly to the

customer by external providers on behalf of the
organization;
8.4 - Control of externally provided processes,
8.4.1 General
 a process or part of a process is provided by an external

provider as a result of a decision by organization to
outsource a process or function.
The organization must determine and apply criteria for

evaluation, selection, monitoring of performance, and re-
evaluation of external providers based on their ability to
provide processes or products and services in accordance
with specified requirements.
The organization must retain appropriate documented

information of the above-mentioned activities and any
necessary action arising out of the evaluation.
8.4.1 - Control of externally provided processes,
Examples may include:-
 ARCs – alarm handling times

 Key holding / Alarm response – response to site
times
 Call handing – time for calls to be handled
 CCTV – Response times
 Corrective maintenance – 4 hour response
 Suppliers – Delivery of critical goods in 24
hours
 Outsources security screening services
 Outsourced control room services
8.4.1 - Control of externally provided processes,
Evidence would include:
 Reports on alarm/call handling times

 Delivery reports
 Performance measures
 Check call reports
 Screening progress reports
8.4.2 Type and Extent of Control
The organization should ensure that externally provided

processes, products, and services do not adversely affect
the organization’s ability to consistently deliver
conforming products and services to its customers.
The organization should :-

 ensure that externally provided processes remain within
the control of its quality management system.
 It should define both the controls that it intends to
apply to an external provider and those it intends to
apply to the resulting output.
 In determining type and extent of controls to be
applied to external provision of processes, products,
and services, organization must consider the potential
impact of the externally provided processes, products,
and services on the organization’s ability to
consistently meet customer and applicable legal
requirements
 and effectiveness of the controls applied by the

external provider.
 The organization must establish and implement verification
or other activities necessary to ensure the externally
provided processes, products, and services meet the
requirements.
Purchasing process is impacted here and this needs to be

extended from just supplier approval process to what it
means once they start delivering, what your expectations
are, etc.
Example
Supplier approval agreements to be in place before they start
work for you – essential.
Checks on insurance, vetting , screening, etc.
8.4.3 - Information for external providers
The organization must ensure the adequacy of specified
requirements prior to their communication to external
providers.
The organization should communicate to external providers

applicable requirements for the following:-
 products and services to be provided or the processes to be

performed on behalf of the organization;
 approval or release of products and services, methods,
processes or equipment;
 competence of personnel, including necessary qualification;
 their interactions with the organization’s quality
management system;
 control and monitoring of the external provider’s

performance to be applied by the organization;
 verification activities that the organization, or its
customer, intends to perform at the external provider’s
premises.
Externally provided processes, products and services includes

purchasing from a supplier an arrangement with an associate
company outsourcing processes to an external provider.
This is about ensuring that third party suppliers and subcontractors
have a clear understanding of what they are expected to supply.
Example
Install CCTV at X location, ensure that certain checks are

undertaken and PTZ are fixed at XX height in line with client
requirements.
a) How the subcontractor is then expected to fulfil this and

document it so that the organization is confident it has been
done.
b) Send it to subcontractor / pre-start meeting / weekly site
meeting/calls
c) Processes for subcontractors
d) May include commissioning paperwork / signing off / training /
tests
e) Also expects you to check the competence of the personnel a
subcontractor is using Interactions within the organization’. This
means all contact with a company
8.5 Production and Service Provision
8.5.1 Control of Production and Service
The organization should implement production and service

provision under controlled conditions. Include these
controlled conditions, as applicable:-
 availability of documented information that defines
characteristics of products and services.
 availability of documented information that defines
activities to be performed and results to be achieved.
 availability and use of suitable monitoring and
measuring resources
 implementation of monitoring and measurement
activities at appropriate stages to verify that criteria for
control of processes and process outputs, and
acceptance criteria for products and services, have been
met.
8.5.1 Control of Production and Service
 use and control of suitable infrastructure and process

environment for operation of process.
 appointment of competent person and, where applicable,
required qualification of persons;
 validation, and periodic revalidation, of ability to achieve
planned results of any process for production and service
provision where resulting output cannot be verified by
subsequent monitoring or measurement.
 implementation of products and services release,
delivery, and post-delivery activities.
Documented information – must be available to record
activities undertaken and results.
Monitoring and measurement is now no longer just about test
results / meter readings but checks that personnel may
undertake such as human checks.
 Should have info that describes the product –
specification / manufacturers guidance / quotation.
 Define what the customer wants (e.g. intruder system).
 Ensuring that you have what you need to measure and test
systems installed. Meter readings / paper work for
commissioning.
 Define what tests should be done and when (e.g. test
electric output before, during and after install).
 Make sure that you have the right support from the
office and site to complete the job this could be as
simple as someone ordering the right part for you to be
delivered to
site.
 Competent and trained staff.
 A clear process to test and check the install is as
should be during delivery so that you know that when
it’s done it was done correctly.
 Safety measures to prevent mistakes taking place.
 Process required when an install is complete.
Example
Install of a server - Can be carried out in house, configuring IP
cameras pre install. Need support from the IT support at the office.
8.5.2 Identification and Traceability
The organization should use suitable means to identify “process
outputs” where necessary to ensure conformity of products and
services.
The organization should identify the status of “process outputs”

with respect to monitoring and measurement requirements
throughout production and service provision.
The organization should control the unique identification of

“process outputs” where traceability is a requirement.
8.5.2 Identification and Traceability
It should retain any documented information necessary to

maintain traceability. “Process outputs” are results of any
activities which are ready for delivery to the customer or to
an internal customer (e.g., the receiver of inputs to next
process). “Process outputs” can include products, services,
intermediate parts, components, etc.
Example
A unique reference number to clients’ quotes and variations to
such.
8.5.3 Property Belonging to Customers or
External Providers
The organization should exercise care with property

belonging to customers or external providers while under the
organization’s control or being used by organization.
 The organization should identify, verify, protect, and

safeguard the customer’s or external provider’s property
provided for use or incorporation into products and
services.
 It should report to the customer or external provider when

their property is incorrectly used, lost, damaged, or
otherwise found to be unsuitable for use.
8.5.3 Property Belonging to Customers or
External Providers
 Customer property can include material, components, tools and
equipment, customer premises, intellectual property, and
personal data.
 Intellectual info such as Example

data / addresses / prices. Inducted on site by client, ensure
 Materials. insurances are in place to cover
 Tools equipment. all eventualities and
 Customer keys. protect liabilities.
Intellectual data – supervise
staff/additional security screening.
8.5.4 Preservation
The organization should ensure the preservation of “process
outputs” during production and service provision, to the
extent necessary to maintain conformity to requirements.
Preservation can include identification, handling, packaging,

storage, transmission or transportation, and protection.
This is a requirement to ensure that the supply of services are protected

so that what is supposed to be achieved.
Examples:
Ensuring that products delivered to site are not damaged and are
delivered when an engineer is on site to receive it.
8.5.5 Post-Delivery Activities
Note: This is a new clause.
The organization should meet requirements, as applicable, for
post-delivery activities associated with products and services.
In determining the extent of post-delivery activities that are

required the organization should consider risks associated with
products and services;
Customer feedback;
legal requirements;
nature, use, and intended lifetime of products and services;
Post-delivery activities can include actions under warranty

provisions, contractual obligations (such as maintenance services)
and supplementary services (such as recycling or final disposal)
The extent of post delivery activity will depend on:-
Statutory and regulatory requirements: If statutory or

regulatory requirements dictate post-delivery activities or
warranties, they must be addressed
the potential undesired consequences associated with its
products and services: The organization must consider
potential consequences, and how they intend to respond, the
scope of their reaction plan, etc
the nature, use and intended lifetime of its products and
services: This is very commonly stated in the organization’s
return policy or statement of liability. Some organizations clearly
state that there are no warranties (or post-delivery activities)
offered, expressed or implied. If this is the case (and in the
absence of any other requirements in this list), this section can be
addressed simply by acknowledging that there are no post-
delivery activities.
The extent of post delivery activity will depend on:-
customer requirements: If the customer requires post-delivery,

support, warranty, protection through delivery and receipt, etc, the
post-delivery activities should be clearly described.
Customer feedback: Customer feedback should be considered
when determining the scope of post-delivery activities. This also
implies that the scope of those post delivery activities may change
over time in response to customer feedback.
8.5.6 Control of Changes
This is a new clause
The organization should review and control changes for

production or service provision to the extent necessary to
ensure continuing conformity with requirements.
The organization should retain documented information
describing results of the review of changes, personnel
authorizing the change, and any necessary actions arising
from the review
8.5.6 Control of Changes
There is a clear expectation that when an organization wants to

or has to make a change to a process in the business then they
document this change.
And consider :-
Why have they made it?
What impact did it have?
What are the implications for staff and customers?
Example
A company expands and decides to separate the enquiry &
sales department from the design department. What are the
impact? How will the new interactions between departments
operate effectively?
8.6 Release of Products and Services
The organization should implement planned

arrangements at appropriate stages to verify product
and service requirements have been met.
Retain evidence of conformity with acceptance criteria.
The release products and services to the customer
should not proceed until the planned arrangements for
verification of conformity have been satisfactorily
completed unless otherwise approved by a relevant
authority and, as applicable, by customer.
8.6 Release of Products and Services
The organization should retain documented

information for traceability to the person(s)
authorizing the release of products and services for
delivery to the customer.
The organization should also retain documented
information for evidence of conformity with the
acceptance criteria
8.7 Control of Nonconforming Process Outputs,
Products, and Service
8.7.1
The organization should ensure process outputs,
products, and services that do not conform to
requirements are identified and controlled to
prevent unintended use or delivery.
 The organization should take appropriate action

based on the nature of nonconformity and its
impact on the conformity of products and
services. This is applicable also to nonconforming
products and services detected after delivery of
products during or after the provision of service.
8.7.1
 The organization should deal with nonconforming outputs in

one or more of these ways:
 correction;
 segregation, containment, return, or suspension of
provision of products and services;
 informing the customer;
 obtaining authorization for acceptance under concession.
The organization should verify conformity to requirements when

nonconforming process out puts, products, and services are
corrected.
8.7.2
The organization should retain documented
information that
a) describes the nonconformity,

b) action taken,
c) concessions obtained,
d) identifies the person or authority that made the
decision regarding dealing with nonconformity.
8.7.2
Simply to say that ,You should record what you do when things go
wrong:-
a) About what is wrong;
b) What you did as a result;
c) What concessions you gave (e.g. did the customer accept it but
you altered the cost?);
d) Who had the authority to make the change.
Example
Handover documentation signed by the client needs to ensure that

a change is tracked and that you may need to revisit to rectify of
that .the client accepts the modification.
Guarding organizations may track this through contract review
meetings.
Clause 9 - Performance evaluation
9.1 - Monitoring, measurement, analysis and evaluation
9.1.1 - General
The organization should determine
what needs to be monitored and measured.
It must also determine the methods for monitoring,
measurement, analysis, and evaluation needed to
ensure valid results.
When the monitoring and measuring must be
performed.
Also when the results from monitoring and

measurement must be analyzed and evaluated. T
he organization should also evaluate the
performance and effectiveness of the quality
management system. I
t must retain appropriate documented information
as evidence of the results.
Clause 9 - Performance evaluation
9.1 - Monitoring, measurement, analysis and evaluation
9.1.1 - General
Checklist Questions
 Show how does the organization determine what
needs to be monitored and measured?
 Show how does the organization determine what
methods for monitoring, measurement, analysis and
evaluation to ensure valid results?
 Show how does the organization determine what to
perform monitoring and measuring?
9.1.1 - General
 Show how does the organization determine what results

shall be analyzed and evaluated?
 What documented information can you show that
monitoring and measurement activities have been
implemented in accordance with determined requirements?
 Show how the organization evaluates the quality
performance and the effectiveness of the QMS.
9.1.1 - General
Implementation Guidelines
The organization must plan and implement processes that
monitors, measure, analyze and evaluate the health of your
QMS. The focus of these processes must be on product/service
conformity, process conformity and improving QMS effectiveness.
You must monitor your processes:
a) First to determine and establish capability of new processes to
conform to requirements.
b) And secondly, to monitor these processes over time to verify
ongoing stability and capability to meet requirements.
c) And thirdly to determine and achieve levels of continual
improvement
The monitoring and measurement techniques, sampling plans,

acceptance criteria should be documented or referenced in your
quality plan, or you could use a combination of specific practices,
procedures, documents and methods.
9.1.1 - General
Example: If you are working in a new field, e.g. installing
of access systems, and have new staff with limited
experience, then operationally this is a higher risk and
perhaps may need monitoring more closely than those
engineers who have been installing intruder alarms for
many more years.
So decide:
a) what you monitor and measure;

b) how you will do it effectively;
c) when you expect it to be done, at the end of a job,
mid-way through, beginning
of the recruitment process;
d) what you do with the results to check the business is
working as it should be.
9.1.1 - General
You need to keep records of this.
What if you have just started and have no evidence as

yet? This is accepted but should have a clear
understanding of what these are for the future and be
able to show the measures that you will be used
9.1.2 Customer Satisfaction
The Requirement
The organization should monitor customer perceptions of

the degree to which their needs and expectations have
been fulfilled and must determine the methods for
obtaining, monitoring, and using this information.
Some of the methods by which monitoring of customer

perceptions can include
customer surveys,
customer feedback
on delivered products or services,
meetings with customers,
market-share analysis,
compliments,
warranty claims, and
dealer reports.
9.1.2 Customer Satisfaction
Checklist Questions
 How does the organization monitor customer perception of the
degree to which requirements have been met?
 How does the organization obtain information relating to customer
views and opinions of products and services?
 What are the methods for obtaining and using this information?
Implementation
 Information related to customer views can include customer
satisfaction or opinion surveys, customer data on delivered
products or services quality, market-share analysis, compliments,
warranty claims and dealer reports.
 Customer requirements may relate to the design, manufacture,
delivery, servicing and support of product, QMS, communication
and financial requirements, etc.
 The organization should consider both external as well as internal
customer satisfaction. The organization must monitor trends in
customer satisfaction indicators and use these as a baseline for
continual improvement.
9.1.3 - Analysis and evaluation
The Requirement
The organization should analyze and evaluate appropriate
data and information arising from monitoring and
measurement. Use the results of the analysis to
 Evaluate conformity of products and services,
 the degree of customer satisfaction,
 the performance and effectiveness of the quality
management system.
 The organization must also evaluate if planning has been
effectively implemented.
 The effectiveness of actions taken to address risks and
opportunities.
 The performance of external providers and the need for
improvements within the quality management system must
also be evaluated.
 Methods to analyze data can include statistical techniques.
All companies already measure and carry out some form of

analysis but there is now an
additional requirement to evaluate the data.
There are some key expectations:
 Ensure the data is used to check what you sell is as it should
be.
 How happy are your customers?
 How well did the company perform?
 Did it go to plan or were there hiccups along the way?
 Safety measures put in place – did they work?
 Did subcontractors perform as you expected?
 What do you need to change now to make the QMS better?
Checklist Questions
Show how does the organization analyse and evaluate data and
information arising from monitoring, measurement and other sources.
Show how the output of analysis and evaluation is used to:
a) Demonstrate conformity of products and services to requirements?
b) Assess and enhance customer satisfaction?
c) Ensure conformity and effectiveness of the QMS?
d) Demonstrate that planning has been successfully implemented?
e) Assess process performance?
f) Assess performance of external providers?
g) Determine the need or opportunities for improvements within the QMS?
Show me where the results of analysis and evaluation are used to provide
inputs to management review.
 You must collect and analyze QMS data that relate to the
performance, effectiveness and efficiency of products, services,
QMS processes, production output, external provider (supplier)
performance, use of resources, cost of poor quality, customer
satisfaction, etc.
 You must sort and summarize the data you collect into things
gone right and things gone wrong and present them separately.
Management can then focus on continual improvement of
things gone right and take corrective action on things gone
wrong.
 A summary of QMS performance data must be included in your
periodic management review.
9.2 Internal Audit
9.2.1
The organization should conduct internal audits at planned
intervals to provide information on
 whether the quality management system conforms to

the organization’s own requirements,
 the requirement of ISO 9001:2015 standards and
is effectively implemented and maintained
9.2.2 Internal Audit
The organization must plan, establish, implement, and
maintain an audit program, which must include
frequency, methods, and responsibilities, planning
requirements and reporting.
 While making an audit program, consideration must

be given to the importance of concerned
processes, changes impacting the organization
and the results of previous audits.
 It must define audit criteria and scope for each audit.
 It must select auditors and conduct audits for

impartial and objective audit process.
 It must ensure results of audits are reported to
relevant management.
 it must take necessary correction and corrective

actions without undue delay.
 It must retain evidence of audit program

implementation and audit results.
Checklist Questions
Are internal audits being conducted at planned intervals? Do
they determine whether the QMS conforms to the
requirements of ISO 9001 and to the other requirements
established by Organization? (Review records to demonstrate
conformance)
 Do they determine whether the QMS is effectively

implemented and maintained? (Review records)
 Can you show audit programme(s) that takes into
consideration the quality objectives, importance of the
processes, customer feedback, changes impacting the
organization and the results of previous audits?
 What are the audit criteria and scope for audit?

Checklist Questions
 Can you demonstrate that selection of auditors and the

conduct of audits are objective and impartial and that auditors
don’t audit their own work?
 How are audit results reported to relevant management?
 Can you demonstrate that necessary correction and corrective

actions are taken without undue delay?
 Can you show documented information of the audit
programme and the audit results?
 Audit process must address the responsibilities for conducting
the audits, ensuring independence, recording results, and
reporting to management.
 Audits obtain objective evidence of conformity with

requirements. The evidence must be based on fact and may
be obtained through observation, measurement, test, or by
other means. Evaluating the extent to which audit criteria are
fulfilled involves an assessment of both implementation and
effectiveness.
The scope of your internal audit program must cover the
a) Audit of operation processes to determine conformity of

product / services and their processes to customer and applicable
regulatory requirements.
b) Audit of the QMS to determine conformity to the ISO 9001

standard and organizational requirement.
c) Audit of QMS processes and their interaction to determine if the

QMS has been effectively implemented and maintained
 In determining the time frame for your audit

program, you should consider organization size,
complexity of product and processes, health of the
QMS, customer, registrar and regulatory
requirements, etc. The most common time frame is
six months.
 Consider adjusting the audit frequency and perhaps

even the audit scope, of specific processes or group of
processes, when:
a) You experience internal or external

nonconformities.
b) Get customer complaints.
c) Have critical or high risk processes.
d) Have frequent or significant changes to
processes and product.
 During the audit Auditors should ensure that the

objectivity and impartiality of the audit is not
compromised. Auditors cannot audit their own work.
9.3 Management Review
9.3.1 General
The Top Management of the organization should
review the Organization’s QMS at planned intervals
to ensure its continuing suitable, adequacy,
effectiveness and it should be aligned with the
strategic direction of the organization.
9.3.1 General
9.3.2 Management review inputs
Plan and carry out management review
 considering status of actions from previous

management reviews,
 changes in external and internal issues relevant to

QMS,
 the adequacy of resources,
 opportunities for improvement and the effectiveness of

actions taken to address risks and opportunities as
explained in clause 6.1.
 The organization must also consider information on

quality performance and
 effectiveness including trends in non conformities and
corrective actions,

 customer satisfaction and feedback from relevant
interested parties,
 Monitoring and measurement results,
 Audit results,
 extent to which quality objectives have been met,
 process performance, conformity of product and

services,
 the performance of external providers

9.3.3 Management review outputs
Outputs from the management review must include

decisions and actions related to
a) opportunities for improvement,
b) any need for changes to QMS,
c) and resource needs.
The organization should retain documented information

as evidence of the results of management reviews
Checklist Questions
What is the frequency that top management reviews the
organization’s QMS? How is the QMS deemed suitable, adequate
and effective?
What kinds of information are reviewed in management reviews?
Do they include:
a) actions status of previous reviews;
b) changes to internal/external issues relevant to the QMS;
c) issues that affect strategy;
d) KPIs for nonconformities and corrective actions;
e) monitor and measurement of results;
f) audit results;
g) customer satisfaction;
h) issues concerning external providers;
i) issues concerning other relevant parties;
Checklist Questions
m) actions taken to address risks and opportunities and their

effectiveness;
n) new potential opportunities for continual improvement.
Show that management reviews include decisions and actions

relating to:
a) Continual improvement opportunities;
b) The need for changes to the QMS including resource needs.
Show what documented information you have as evidence of
management reviews.
 Though not required by the standard, there should be a

procedure for management review as it has specific
requirements for management review inputs, value-adding
review activities and outputs. The procedure should address
the frequency, schedule, quorum and agenda for review
meetings to be attended by top management.
 For the management review process itself to be effective,

top management must plan the review all agenda items with
some regularity and take timely action to change or improve
any part of it, including the quality policy and objectives.
 The Top Management can incorporate QMS agenda items

into regular monthly or quarterly operational meetings
 Management review input should preferably be in summary

form, showing QMS and operational performance measured
against the business and quality plans, customer and
regulatory objectives and goals.
 Review decisions and actions must relate to improving products

and processes or even creating new ones, providing more
resources or perhaps improving the efficiency of existing
resources, improving QMS controls, objectives, improving
overall QMS effectiveness and customer satisfaction
 Responsibilities and timelines should accompany these decisions and
actions.
 The performance of these actions must be followed up at subsequent
management review meetings.
 You must also identify what specific documents are needed for
effective planning, operation and control of this process . These
documents may include – a documented information, review on,
schedule, agenda and action forms etc., combined with unwritten
practices, procedures and methods.
 Management review records must include topics discussed, decisions,

responsibilities for corrective or improvement actions and related
timelines, provision of resources, and follow-up actions from previous
management reviews.
10 Improvement
10.1 General
The organization must determine and select opportunities

for improvement and implement any necessary actions to
meet customer requirements and enhance customer
satisfaction.
 These actions must include improving products and

services to meet requirements, as well as, address future
needs and expectations;
 correcting, preventing, or reducing undesired effects;
 improving the performance and effectiveness of the

quality management system.
10 Improvement
10.1 General
Examples of improvement can include correction,

corrective action, continual improvement,
breakthrough change, innovation, and reorganization
This is a new clause.
There is now a requirement for organizations to focus clearly

on customer satisfaction and
customer needs, not only that but to look for ways to
improve:
a) products and services, now and for the future;
b) fixing and controlling business issues to reduce things
going wrong;
c) improving the QMS.
10.2 – Non-conformity and corrective
action
10.2.1 When a nonconformity occurs, including any arising
from complaints, the organization must
a. react to the nonconformity and, as applicable take action
to control and correct it;
b. and deal with the consequences.
The organization must also evaluate the need for action to

eliminate the causes of the nonconformity so it does not
recur or occur elsewhere,
 by reviewing and analyzing the nonconformity,

 determining the causes of the nonconformity and
 determining if similar nonconformities exist, or could
potentially occur.
10.2 – Non-conformity and corrective
action
The organization must implement any action needed and
review the effectiveness of any corrective action taken;
It must update risks and opportunities determined

during planning,
if necessary and make changes to the quality

management system, if necessary.
The corrective actions must be appropriate to the effects

of the nonconformities encountered.
10.2.1 – Non-conformity and corrective
action
Example
Installations organizations
An installation may have been allocated for a one week

program but, due to supplier issues, this will start and finish
late. This may leave the site vulnerable and a temporary
solution may be required to protect the premises and restore
the customer’s confidence. Root cause may determine that
supplier relations need to be resolved and improved
communication between those parties.
10.2.1 – Non-conformity and corrective
action
Guarding organizations
Guarding organizations may identify during a site visit that
patrols have lapsed and the
newer staff have not clearly understood the requirement.
The non-conformance would highlight the root cause, e.g.
training and perhaps insufficient detail in the assignment
instructions, and then what has been done to rectify this and
monitor that it has not lapsed again after a period of time.
The risk to be client could have been theft, lack of confidence in
the service and damage to reputation.
10.2.2 Non-conformity and corrective
action
The organization must “retain” documented information as
evidence of
 the nature of the nonconformities and any subsequent
actions taken and
 results of any corrective action.
This is a new clause.

Keep records of all non-conformities, what you did to
resolve them, implement additional measures, etc.
No requirement for a corrective action procedure now.

10.2.2 Non-conformity and corrective
action
Example
Non-conformance has been identified during an
installation / customer visit. Make notes of what went
wrong, e.g. insufficient cable provision, additional needs to
be purchased, does this impact the length of the job, the
client impact, etc. and the cost / time?
Amend assignment instructions to reflect the change.
10.3 Continual Improvement
The organization must continually improve the suitability,
adequacy, and effectiveness of the quality management
system.
The organization must consider the results of analysis

and evaluation, and the outputs from management
review, to determine if there are needs or opportunities
that must be addressed as part of continual improvement
The organization must continually improve the suitability,

adequacy, and effectiveness of the quality management
system.
The organization must consider the results of analysis and

evaluation, and the outputs from management review, to
determine if there are needs or opportunities that must be
addressed as part of continual improvement
Essentially the data you use must be for improving the

business and identifying
underperformance
Example
Minutes of meetings would detail that actions have been taken

and that improvements have been made. For some
organizations, they may have charts and trend analysis in place
that highlights positive trends, e.g. staff retention has
improved, sales conversion has increased, customer complaints
have declined, profitability is growing.
Directors and senior management should be able to review

these top levels results and have a good understanding that
improvement is taking place and/or is planned.
The continual improvement process can be conducted by:
Significant breakthrough projects that either revise or improve

existing processes or lead to new processes. These are usually
done by cross-functional teams outside routine operations
(Business Process Re-engineering).
Small-step ongoing improvement activities conducted by

personnel within existing processes (Kaizen Events).
Use of the continual improvement tools includes:
 Audit Results – Results of product, process, and QMS

audits usually provide many opportunities to improve
QMS effectiveness and efficiency. Opportunities may
relate to communications, information systems,
processes, controls, use of resources, technology, etc.
The management representative must report these
opportunities to top management as included as part of
the management review agenda. They can also be
reported and reviewed at regular operational meetings,
etc.
Use of the continual improvement tools includes:
 Other Audits – Besides product, process, and QMS audits, you

might find it very productive to conduct financial, health and
safety, environmental, technology, product profitability, social
responsibility, information and communication systems audits.
 In using ‘result of analysis and evaluations’ as a tool for

continual improvement, use the things gone right and Things
Gone Wrong approach to classifying your data for decision-
making.
 Examples of situations which might lead to improvement
projects include: machine set-up, die change, machine
changeover times, cycle time, scrap, non value-added use of
floor space, variation in process parameters, less than 100%
first run capability, process averages not centered on target
values, testing requirements not justified by accumulated
results, waste of labor and materials, difficult manufacture,
assembly and installation of product, excessive handling and
storage, etc.

QMS

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

QMS

Uploaded by

Copyright:

Available Formats

BACKGROUND OF ISO

 ISO is an independent, non-governmental

 On 23 February 1947, ISO began operations.

 ISO from Greek means equal

Prepared By: Reza Seifollahy

 building on 25 years of success, ISO

Prepared by: Reza Seifollahy

Seven Quality Management

1. Customer Focus 1. Customer Focused Organization

3. Engagement of People 3. Involvement of People

4. Process Approach 4. Process Approach

5. Improvement 5. System Approach to Management

8. Mutually Beneficial Supplier Relationship

How is the Process Matured ?

Efficient - No Effective- Desired

Input Activity Output

Right Resources:- Desired

“ Shall ” “Such as”

Act Check Products and

Supplier 06/08/2023 External provider

Understanding Actions to Monitoring,

In normal language, this concept is also known as the

The “Context of Organization” clause has four sub-clauses :-

The organization should determine external and internal issues

The Organization should monitor and review the information

The organization must consider issues related to values, culture

The organization must consider issues related to arising

An organization’s internal context is the internal environment within

Political, economic, social, technological, legal and regulatory — Laws

The organization shall determine relevant interested parties

 Relevant interested parties to be considered are those that

 Monitor and review information related to interested parties

 The organization should monitor and review information

 There will be those external interested parties that impose

Additional required considerations for the QMS scope are products,

The scope of the organization’s quality management system

a) determine the inputs required and the outputs expected

d) determine the resources needed for these processes and

4.4.2 To the extent necessary, the organization must:

Top management must:

Top management must:

 the requirements set out in ISO 9001:2015 are met;

Top management shall demonstrate leadership and commitment

a) customer and applicable statutory and regulatory requirements

 knowing the customer’s expectations and delivering it;

Top management Must establish, implement and maintain a

The quality policy shall:

 Consistently meeting or exceeding our customer’s expectations

Top management shall ensure that the responsibilities and

a) ensuring that the quality management system conforms

c) reporting on the performance of the quality management

Responsibilities and authorities must be precisely defined

6.1.1 When planning for the quality management system, the

Actions taken to address risks and opportunities shall be

Avoiding risk, taking risk in order to pursue an opportunity,

Opportunities can lead to

The adoption of new practices, launching new products, opening

1. Determine the categories of risk from – strategic,

2. The risk management methodology must be

3. The methodology should include the following steps to:

Methods to identify risks

 Identify each potential risk;

 Rate the probability of early detection of the outcome should it

5.) As indicated earlier the purpose of risk management controls