International Organization for Standardization
Business needs and expectations have changed significantly since the last major revision of ISO 9001
in the year 2000. Examples of these changes are ever more demanding customers, the emergence of
new technologies, increasingly more complex supply chains and a much greater awareness of the
need for sustainable development initiatives.
The concept of the standard has not changed; it's applicable to any type of organization, regardless
of the size, type or its core business.
The structure has been changed to align with the common 10-clause high level structure developed
by ISO to ensure greater harmonization among its many different management system standards.
The new revision to ISO 14001 will also adopt this same structure, which is built around the PDCA
(Plan-Do-Check-Act) sequence. All ISO management system standards are now required to adopt this
structure. This will make it easier for organizations to address the requirements of more than one ISO
Management System Standard within a single, integrated system.
• The adoption of the high level structure as set out in Annex SL of ISO Directives Part 1
• An explicit requirement for risk-based thinking to support and improve the understanding and
application of the process approach
• Fewer prescriptive requirements
• More flexibility regarding documentation
• Improved applicability for services
• A requirement to define the boundaries of the QMS
• Increased emphasis on organizational context
• Increased leadership requirements
• Greater emphasis on achieving desired process results to improve customer satisfaction
Specific documented procedures are no longer mentioned; it is the responsibility of the organization
to maintain documented information to support the operation of its processes and retain the
documented information necessary to have confidence that the processes are being carried out as
planned. The extent of the documentation that is needed will depend on the business context.
A quality manual is no longer specifically required. The new standard requires the organization to
maintain documented information necessary for the effectiveness of the quality management
system (QMS). There are many ways to do this and a quality manual is just one. If it is convenient
and appropriate for an organization to continue to describe its quality management system in a
quality manual then that is perfectly acceptable.
The sequence of the new version of ISO 9001 is based on the Plan, Do, Check, Act cycle and so, in
order to evaluate quality management system performance, it makes sense for management review
to follow the measurement of the system performance.
Although the prescriptive title of a management representative has been deleted, it is up to top
management to ensure that the roles and responsibilities are assigned for reporting on the
performance of the QMS. Some organizations might find it convenient to maintain their current
structure, with a single person carrying out this role. Others might take advantage of the additional
flexibility to consider other structures depending on their organizational context.
ISO 9001:2008 already made it clear that the term product in the previous version of the standard
also includes service, so there is no impact in practical terms. The term product and service is now
used throughout the standard to reflect the far greater use of the standard outside of the
manufacturing sector, and to emphasize its applicability in the service industries.
The phrase risk-based thinking is used to describe the way in which ISO 9001:2015 addresses the
question of risk. The concept of risk has always been implicit in ISO 9001, by requiring the
organization to plan its processes and manage its business to avoid undesirable results. Organizations
have typically done this by putting greater emphasis on planning and controlling processes that have
the biggest impact on the quality of the products and services they provide. The way in which
organizations manage risk varies depending on their business context (e.g. the criticality of the
products and services being provided, complexity of the processes, and the potential consequences
of failure). Use of the phrase risk-based thinking is intended to make it clear that while an awareness
of risk is important, formal risk-management methodologies and risk assessment are not necessarily
appropriate for all business situations and organizations. For further information about risk-based
thinking (see Annex A).
ISO 9001:2015 requires the organization to address risks and opportunities, quality objectives and
planning of changes throughout the oganization. As new products, technologies, markets and
business opportunities arise, it is to be expected that organizations will want to take full advantage of
these opportunities. This has to done in a controlled manner, and be balanced against the potential
risks involved, which could lead to undesirable side-effects.
ISO 9001:2015 no longer refers to “exclusions” in relation to the applicability of its requirements to
the organization’s quality management system. However, an organization can determine the
applicability of requirements. All requirements in the new standard are intended to apply. The
organization can only decide that a requirement is not applicable if its decision will not affect its
ability or responsibility to ensure the conformity of products and services and the enhancement of
The process approach is a way of obtaining a desired result, by managing activities and related
resources as a process. Although the clause structure of ISO 9001:2015 follows the Plan-Do-Check-
Act sequence, the process approach is still the underlying concept for the QMS. For further guidance,
please refer to the Support Package module: Guidance on the Concept and Use of the Process
Approach for management systems.
- Less prescriptive, but with greater focus on achieving conforming products and services
- More user friendly for service and knowledge-based organizations
- Greater leadership engagement
- More structured planning for setting objectives
- Management review is aligned to organizational results
- The opportunity for more flexible documented information
- Addresses organizational risks and opportunities in a structured manner
- Addresses supply chain management more effectively
- Opportunity for an integrated management system that addresses other elements such as
environment, health & safety, business continuity, etc.
Questions relating to specific clauses in the standard
This is the combination of those internal and external factors that affect an organization's approach
to the way in which it provides products and services that are delivered to its customer.
External factors can include, for example, cultural, social, political, legal, regulatory, financial,
technological, economic, and competitive environment, at the international, national, regional or
Internal factors typically include the organization’s corporate culture, governance, organizational
structure, technologies, information systems, and decision-making processes (both formal and
The organization wi l l n e e d to determine the interested parties that are relevant to
the quality management system and the requirements of those interested parties, as
outlined in clause 4.2. This does not extend past the quality management system
requirements and the scope of this International Standard.
As stated in the scope, this International Standard is applicable where an organization
needs to demonstrate its ability to consistently provide products and services that meet
customer and applicable statutory and regulatory requirements, and aims to enhance
Organizational knowledge is knowledge specific to the organization; it is gained by experience. It is
information that is used and shared to achieve the organization’s objectives. Requirements regarding
organizational knowledge were introduced for the purpose of safeguarding the organization from
loss of knowledge and encouraging the organization to acquire new knowledge as its business
Documentation, documents and records are now collectively referred to as documented
information. Where that documented information might be subject to change (as in the case of
procedures, work instructions, etc), organizations are required to MAINTAIN the information up-todate;
where the information is not normally subject to change (for example records) the organization
is required to RETAIN that information.
This change reflects the fact that not all products, services or processes that an organization acquires
are necessarily purchased in the traditional sense. Some may be acquired from other parts of a
corporate entity, for example, as part of a shared pool of resources, products donated by
benefactors or services provided by volunteers.
Although there is no longer a standalone sub-clause, this requirement continues, and has been
incorporated into the sub-clause on control of production and service provision.
This means that based on customer agreements or other requirements, the organization may be
responsible for providing support for their product or service after delivery. This could include, for
example, technical support, routine maintenance, or in some cases recall.
ISO 9001:2008 used the term continual improvement to emphasize the fact that this is an ongoing
activity. However, it is important to recognize that there are a number of ways in which an
organization may improve. Small step continual improvement is only one of these. Others may
include breakthrough improvements, re-engineering initiatives or innovation. ISO 9001:2015
therefore uses the more general term improvement, of which continual improvement is one but not
the only component.