Featured Video
This Week in Quality Digest Live
Management Features
Roger Lehman
We all naturally and unthinkingly adopt a role in all our relationships
Steve Daum
Avoid these and amplify your QA efforts
Phanish Puranam
Real-life social experiment compares pay-for-performance vs. fixed salary outcomes
Mike Richman
Report from Hexagon Live 2017 and two great guests
Kelly Graves
Above all else, tell team members why they should follow you

More Features

Management News
If you want to understand a system, try and change it
How to engage, retain, and develop talent for maximum performance
Eastern Michigan University offers program in managing quality and continuous improvement
Dreamscape Foundation employees with disabilities will work as accessibility testers
Modernizing the website and digital offerings
Leadership is not about job titles—it’s about action and behavior
Three phases and challenges

More News

Timothy Woodcome


ISO 9001:2015—Three Steps to a Smooth Transition

How to eat an elephant

Published: Thursday, December 8, 2016 - 11:36

Sponsored Content

If your organization has yet to make the transition from ISO 9001:2008 to ISO 9001:2015, you’re not alone. It’s estimated that less than 20 percent of the more than one million organizations certified globally have made the transition to the latest version of the standard (as of late 2016). The September 2018 deadline continues to loom large, however, and your quality management system (QMS) isn’t going to transition itself. So where do you start? And once started, then what? Hopefully this article will help you “eat the elephant” that is the ISO 9001:2015 transition.

As with any successful endeavor, it’s good to start with an objective and a plan to achieve it. Clearly, the main objective is to successfully address the new and changed requirements within the standard and have them pass muster in your organization’s transition audit, but what does that entail? Following are three steps to a successful transition to ISO 9001:2015.

Step 1: Get the “Big Picture”

You can search the web for an endless stream of individual analysis of the new standard, and opinions on the merits and intents of the changes, but if you’re already working with an accredited certification body (CB), know that they’ve had to develop a plan (which was subsequently vetted by their accreditation body) to facilitate the transition. Thus, your CB likely have their own analysis and expectations for the transition. Therefore, cut to the chase; skip the chat rooms and talk to your CB. Chances are they have some sort of “Transition Guidance” ready-made for you.

This type of guidance will give you some background and any key policies that may affect your organization’s transition. For example:
• Transition deadline. This will certainly be no later than Sept. 14, 2018, but it actually may be earlier based on your CB’s policies.
• Transition audits. You likely can have your transition conducted as part of a regularly scheduled surveillance or recertification, but some CB’s may offer separate standalone transition audits. In either case, it should be determined what this audit will look and feel like—it may have some time added to address the changes, it may require certain preparation, and it certainly will cover specific aspects of the new standards.
• Existing certification. Presumably you will want to maintain your existing ISO 9001:2008 certification until your organization has successfully completed the transition—what will be required to do so? When does your current certification expire? What’s the best way to have a seamless transition?
• Overview of the standard. Ideally your CB will give you a glimpse of what to expect in the new standard (and what they might expect from you), from the new clause structure to the new requirements. The first taste of this may be at a high level, but look for more detail.

Once you have an idea of the process and potential effects based on this high-level guidance, you can start to fill in your plan. Target the audit at which you wish to have your transition, and work backwards from there to develop a plan. Be sure to communicate with your CB to ensure the expectations and availability for your transition audit in advance, and make sure your target date works within the deadlines, gives you enough time to address any potential nonconformances, doesn’t risk any lapse of coverage, etc.

Finally, work on how you’ll address the new structure; start thinking about some of the “marquee” changes such as risk and context.

Step 2: Read the book (or at least the Cliff Notes)

Plain and simple: Get the standard. How can you have a hope of addressing requirements you haven’t even read? It’s a short document; if you want more detail, consider getting the companion ISO 9000 document as well. This provides guidance on terms and fundamental concepts used in the new standard.

The standard can also be a bit vague, however; that’s again where you should leverage your relationship with your CB. Many have produced annotated versions of the key changes (for language involving the context of the organization, leadership, risks and opportunities, organizational knowledge, etc.) that distill the various changes down to the pertinent ones for transition, and in many cases offering interpretive guidance on the expected outcomes of these changes.

GAP analysis documents of this sort can cut through the chatter of minor wording changes and get straight to the changes that may need to be addressed within your organization’s QMS—sort of like the Cliff Notes you used to get through Moby Dick back in ninth grade.

Once you have your areas of focus, use the standard to understand the actual requirement within the context of the document as a whole, and determine what gap your organization has in meeting the new requirement. In some cases, you may find existing processes that address these requirements (e.g., business environment scans that could tie into context of the organization or apprenticeship programs that could serve as examples of organizational knowledge). Leverage these whenever possible. One of the objectives of ISO 9001:2015 is to incorporate an alignment with the business activities as a whole, so looking outside of the “quality corner” and spreading the responsibilities around actually helps support that intent.

Some new (or changed) requirements may need additional work to address, but again, use provided guidance so as to follow the intent and not overthink the requirement (or over-engineer the solution). While we’re at it, let’s talk about documentation (or documented information). The new standard does not require any specific documented procedures, however, based on the context of your organization, documented information in the form of procedures, forms, records, etc. may be beneficial for any new or changed requirements (even if temporarily as the organization adjusts to the changes). Certainly, having some objective evidence to review during a transition audit will help things go more smoothly.

Step 3: Implement and review

Now that you’ve digested the big picture and the substance of the new standard and developed your plan of attack, it’s time to implement whatever changes and improvements your QMS may need... and then review them. Consider this similar to the preparation you did for your initial audits (only easier). After working with the appropriate players throughout the organization to develop and implement changes, take the time to review for yourself before your transition audit. A month or two prior to your scheduled transition audit, conduct your own internal audit to the new requirements, then follow that up with a management review to go over the results and determine the effectiveness of the updated QMS. Again, a good rule of thumb here would be to give enough time to react to any internal audit findings or management review actions items prior to your transition audit.

CB’s may have expectations for internal preparations and reviews such as this, and some may even have tools to use. Consider the checklist transition tools they may have developed for your use; look for any transition checklists, transition audit plans, or transition requirements to leverage in your own internal audits.

Also look for any lessons learned that might help you avoid pitfalls in your journey. Here are a few for consideration:
• Don’t sweat the small stuff. Renumbering your documents is not required; you don’t necessarily have to eliminate all your documentation, nor your management representative, nor your quality manual. You have the flexibility to do so (either partly or completely) if it fits the context of your organization, but just because the new standard is silent on such things doesn’t prohibit you from keeping such approaches if they work for your organization.
• Context of the Organization (subclause 4.1). This can (and should) be addressed within management review as a minimum, but additional consideration may be adding support to this in whatever quality manual you do retain, or other planning components of your QMS. In short, the context of your organization should drive the approach your QMS (and all applicable processes) takes.
• Leadership (subclause 5.1). The bar has been raised a bit here, but not unreasonably. Expect auditors to ask for time with top management, see their active involvement in the QMS, and the applicable processes (e.g. objectives, resources, and management reviews).
• Organizational Knowledge (subclause 7.1.6). Have something for this; it a new requirement but not one that can be overlooked. Auditors will expect to see some approach to this, but realize it will be an ever-evolving process. Focus on getting it up and running without being overwhelmed by the potential; work on expanding and improving the process down the road.
• Risks and Opportunities­ (subclause 6.1). With so much talk about risk and risk-based thinking, it’s easy to forget the other half of the equation—opportunities. Don’t “risk” a transition finding by not considering the opportunity side of this requirement; you’ll be virtually guaranteed bonus points for speaking to opportunities in the QMS, as well as risks.
• And about those risks... Risk (and more specifically, risk-based thinking) is likely everyone’s No. 1 topic when discussing ISO 9001:2015—we all know that, but how will you demonstrate it? Is it simply by addressing subclause 6.1? Well that’s part of it, as would be the inclusion of it in Management Review (subclause 9.3.2.e), but it shouldn’t necessarily stop there. Also, this is not intended to solely consider product-focused risks via the failure mode and effects analysis (FMEA) process. Rather, incorporate risk into the language of any and all processes and departments (chances are those process owners already have). Look at every process with “risk-colored glasses”—in other words, understand that the actions to address identified risks will beget improvements, which again is synonymous with the overall intent of ISO 9001:2015.

If you follow a methodical and logical approach, a successful transition to ISO 9001:2015 with minimal risks can be managed. Remember to work with your CB and employ tools to help you achieve a successful transition during your three-step process.


About The Author

Timothy Woodcome’s picture

Timothy Woodcome

Timothy Woodcome, business unit director at the certification body, NQA, is responsible for business development and technical management aspects of the unit. As a certified management systems lead auditor, Woodcome has led and participated in hundreds of third-party audits for compliance and certification to international standards including ISO 9001, ISO 14001, ISO 27001, TL 9000, ESD S20.20, ISO 20000-1, ISO 22301 in the transportation, finance, manufacturing, service, and information and communications technology industries. Additionally, Woodcome serves on various industry groups charged with developing and overseeing international management system standards and oversight of third-party certification to such standards.


ISO 9001:2015

Great read with informative pointers on ISO 9001:2015...

Bad advice

Taking advice on upgrading a QMS from a registrar is like asking the guy who sold you your car's undercoat and extended warranty to fix your transmission. These are SALES reps and not vetted quality experts in any sense of the word.

Furthermore, the "chat rooms" that Mr. Woodcome wants you to avoid typically have sensible and practical advice, which sometimes points out the glaring problems exhibited by registrars such as NQA and others. The real reason he doesn't want you to read that information is that you might find out just how woefully unprepared the registrars are, and how horrible their advice is.

Finally, it's a gross conflict of interest to take ANY advice from the registrar that audits your company. Anyone paying attention to the Enron fallout knows this, of course, but the registrars hope you forget. They make far less from registration fees than they do from selling training and seminars, and thus their push for these services. But in the end your QMS will look like something designed by your registrar, and not something that reflects the particular requirements and needs of your company, its industry, and your customers.