Craig Cochran


ISO 9001:2015—An Introduction

Getting acquainted with the standard

Published: Thursday, December 10, 2015 - 12:51

ISO 9001 might be the most confusing document in business history. I first became aware of the standard in the late 1980s when my manager handed it to me and said, “See if you can figure this thing out. Our plant has to get certified.”

I took the document back to my desk and attempted to read it. The first attempt was a failure. On the second attempt, I got a little further. On the third attempt, I think I read the whole thing, but I still wasn’t sure what it said. All I could remember was “blah, blah, blah… quality system.” And we were supposed to get certified to this? Impossible.

We did get certified, of course. It was the first step in a long relationship with ISO 9001. With every subsequent experience, there were new discoveries and revelations, and it was common to hear employees say that they wished the standard was easier to understand. What lies at the heart of all this confusion? The crux of the problem is that ISO 9001 was written to apply to any kind of organization. When you write a document that’s applicable to everyone, you end up with something that’s not very well suited to anyone. Another problem is that ISO 9001 was written by committee. There were a lot of hands stirring the pot, so the resulting standard is more complex than it would be had it been the work of a single person.

The basics

Before we get too much further, let’s rewind with some basics. ISO 9001 is an international quality management system (QMS) standard. It presents fundamental management and quality assurance practices that can be applied by any organization. The requirements represent an excellent foundation of planning, control, and improvement for just about any enterprise. Without a QMS, organizations have little chance of sustaining any improvements or innovations they might realize. I believe that ISO 9001 is a basic model for managing any enterprise. It goes beyond what many people traditionally consider “quality.” In fact, I avoid using the word quality in relation to the standard anytime I can get away with it. ISO 9001 is a management system standard, period.

Because it’s generic, ISO 9001 is also quite flexible. In few places does it specify exactly what an organization must do. In most cases, the standard leaves a great deal of discretion to the organization in terms of how it will design its processes and procedures. This enables organizations to customize it to ensure individual success, instead of just blindly following a standard. The drawback, of course, is that the organization has to customize its approach to ISO 9001 compliance. I’ve had more than a few clients tell me, “I just wish ISO 9001 would come out and say exactly what we need to do.” Well, that’s not the way it works. The organization must figure out the best way to meet the requirements, and this is both liberating and challenging.

“Shall” is the operative word in ISO 9001. This word indicates a requirement wherever it appears. This can take a variety of forms, depending on the specificity of the requirement and the needs of the company. A “shall” can often be satisfied by communicating a requirement, developing a process, documenting a procedure, keeping a record, training personnel, inspecting a product, or any number of other controls. In many cases, ISO 9001 leaves it up to the organization to decide exactly how it will address each requirement. The “shalls” of ISO 9001 start in section 4 and continue through section 10. Materials outside of these sections, such as the introductory text at the beginning of the standard and sections 1–3, are for guidance and illustration purposes only. This material is not auditable, and an organization is not expected to interpret it as requirements.

History of ISO 9001

The present version of ISO 9001—ISO 9001:2015—is the fifth iteration of the standard. Here is a brief history of ISO 9001 through the years:
ISO 9001:1987. The first publication of ISO 9001. Truly a manufacturing standard and very heavily focused on documentation. The requirements were based on U.S. military standards used by government contractors since World War II.
ISO 9001:1994. A minor revision to the standard. Still very prescriptive and focused on manufacturing. Difficult for service providers to interpret and apply.
ISO 9001:2000. A significant revision of the standard with a focus on continuous improvement, customer satisfaction, leadership, and process management. An attempt to make the standard more applicable to service providers, and to make it more flexible in general.
ISO 9001:2008. A very minor revision with only slight changes in wording. No actual requirements were added, removed, or changed.
ISO 9001:2015. A significant revision to the standard and another step away from its manufacturing origins. Much more of a model for managing and improving an organization, with risk lying at the heart of the standard. An excellent framework for long-term success and customer satisfaction.

No one-size-fits-all approach

Until ISO 9001:2015, the standard had simply been a set of requirements. Organizations did their best to understand and implement them. The approach was similar to trying on clothes labeled one-size-fits-all. You might get lucky with a good fit, but more likely there would be a number of places where ISO 9001 simply didn’t feel right. ISO 9001:2015 is now a risk-based standard. The risks and opportunities that an organization identifies are drawn from each company’s unique circumstances. There’s nothing one-size-fits-all about this approach. You determine what’s most important to your success and build your QMS around these unique issues. The result is a management system that you can truly say is built for your business. Is the identification of risks and opportunities an important step in implementing ISO 9001:2015? Yes, possibly the most important step.

Planning is another key theme of ISO 9001:2015. This theme is embodied through a number of different sections and clauses in the standard. Clause 4.1 asks you to examine the internal and external issues that are key to your success. ISO 9001:2015 refers to these as the context of the organization. This is fundamental environmental scanning intended to answer the question, “Who are we and what does our competitive environment look like?” This is followed by clause 4.2, which asks you to identify your interested parties. You not only identify these entities, but you attempt to determine what their needs and expectations are. Clauses 4.1 and 4.2 constitute the raw material that is fed into your process for determining risks and opportunities.

ISO 9001:2015 emphasizes change management. Expected change must be carefully and deliberately planned, with all pieces in place ahead of time. For production changes that happen more in real time, the organization is required to evaluate the effect of the changes. These requirements are embodied in two different clauses of the standard: 6.3 and 8.5.6.

Organizational knowledge is an interesting new requirement. It asks the question, “What are we learning from our experiences?” Successful organizations seize every experience, whether good or bad, as an opportunity to build a storehouse of learning and knowledge. They must learn and build their knowledge or they won’t survive. ISO 9001:2015 asks you to establish a process for capturing this organizational knowledge. Once you capture it, you must maintain it and make it available to your personnel.

The role of top management has been expanded significantly. ISO 9001:2015 asks top management to demonstrate leadership on a number of important topics. These include taking accountability for the effectiveness of the QMS, promoting the process approach and risk-based thinking, and promoting improvement. These requirements serve to raise the stakes significantly for top management’s involvement within the scope of the QMS. The leader of the QMS is no longer a quality manager or quality director. The leader of the QMS is top management.

The concept of the process approach has been strengthened and reinforced. Process management has long been a mainstay of the QMS, but ISO 9001:2015 nudges it a bit further. The standard defines all the various components of a process (such as inputs, outputs, criteria and methods, resources, responsibilities and authorities, risks and opportunities, evaluation, and improvement) and requires that these processes be documented where necessary. Documentation that reflects this way of thinking is inherently simpler and easier to grasp, and it tends to be more inclusive of all the factors of success for each job, activity, or task.

One of the baffling changes within ISO 9001:2015 is the disappearance of the terms “document” and “record.” The very concept of a document and a record has been turned on its head, and the standard addresses them as if they’re the same. In reality, there are distinct differences between documents and records. Thankfully, ISO 9001:2015 gives us some code words to differentiate the terms. If the standard talks about maintaining documented information, it’s talking about a document: living information that is subject to change. If the standard talks about retaining documented information, it’s referring to a record: historical proof of having done something. The difference hinges on maintaining vs. retaining.

How it all fits together

Let’s take a quick look at ISO 9001:2015’s introduction and ten sections. This will be the only mention of the introduction and sections 1–3, as they are only in the standard for guidance purposes. You don’t have to implement them. Sections 4–10 (covered in much detail in the remainder of the book) include the “shalls” (requirements) of the standard.

0.1 General. Implementing a management system is a strategic decision, intended to drive the success of the organization. The process approach is a key theme of ISO 9001:2015, as is risk-based thinking.
0.2 Quality management principles. Seven principles are at the foundation of ISO 9001:2015: customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management.
0.3.1 Process approach—General. An organization is composed of linked activities—processes that transform inputs to outputs. The requirements of ISO 9001:2015 are organized as processes, with explicit connections from one process to the next.
0.3.2 Plan-Do-Check-Act cycle. The plan-do-check-act (PDCA) cycle is an improvement methodology that can be applied to any process.
0.3.3 Risk-based thinking. Risk-based thinking has been implicit in previous revisions of ISO 9001, but now it is an explicit requirement in ISO 9001:2015. Actions to address risks and opportunities are key drivers of the QMS.
0.4 Relationship with other management system standards. The structure of ISO 9001:2015 was modified to make it more compatible with other management system standards, such as ISO 14001. ISO 9001:2015 makes use of two guidance documents that are designed to aid users in the interpretation of the standard. These guidance documents are ISO 9000:2015 (“Quality management systems—Fundamentals and vocabulary”) and ISO 9004:2009 (“Managing for the sustained success of an organization”).

1. Scope
ISO 9001:2015 is intended to be used by organizations that desire to produce products and services that meet customer and applicable statutory and regulatory requirements, and that wish to enhance customer satisfaction through the use of a QMS. ISO 9001:2015 was written to apply to any organization, no matter what kind of product or services it produces, or what kind of processes it employs.

2. Normative references
ISO 9000:2015, the fundamentals and vocabulary standard, is the normative reference for ISO 9001:2015. In theory, this means that the definitions it provides may be used to clarify and reinforce requirements in ISO 9001:2015.

3. Terms and definitions
The guidance document ISO 9000:2015 provides the terms to be used in ISO 9001:2015.

4. Context of the organization
This section comprises foundational activities that influence the way the rest of the standard is applied in the organization. These activities include understanding the organization and its context, understanding the needs and expectations of interested parties, and determining the scope of the QMS and its processes. These are not only the first auditable sections of ISO 9001:2015, but they also represent the first sections that an organization would need to implement. A number of subsequent requirements rely on clauses 4.1 and 4.2 as inputs.

5. Leadership
Top management plays an integral role in ISO 9001:2015, and one could realistically say that the success of the QMS depends on their engagement and leadership. This section includes leadership and commitment; developing and communicating the quality policy; and roles, responsibilities, and authorities. The requirements for management review—another staple of top management involvement—can be found in clause 9.3.

6. Planning
This section builds on the requirements defined in section 4, “Context of the organization.” Much of section 6 uses section 4 as inputs. This section includes such key requirements as actions to address risks and opportunities, quality objectives and planning, and planning of changes.

7. Support
This section represents key activities that facilitate the core production processes. These requirements encompass resources that must be determined and provided, along with administrative activities. Specific requirements include people, infrastructure, environment for the operation of processes, monitoring and measuring resources (also known as calibration), organizational knowledge, competence, awareness, communication, and documented information (also known as document control and record control).

8. Operation
This is the longest section of ISO 9001:2015, and it represents the production requirements of the standard. Production, of course, can refer to the manufacturing of a product or the execution of a service. Requirements in section 8 include operation planning and control; requirements for products and services; design and development; control of externally provided processes, products, and services (also known as purchasing); production and service provision; release of products and services; and control of nonconforming outputs.

9. Performance evaluation
The essence of improvement is an organization’s ability to monitor, measure, analyze, and evaluate. This section addresses the processes that drive improvement within an organization, including customer satisfaction, analysis and evaluation, internal audit, and management review. Yes, the very next section of ISO 9001:2015 is titled “Improvement,” but from a practical standpoint, section 9 is where the action is.

10. Improvement
The requirements in this final section of ISO 9001:2015 are a fitting capstone for your QMS. They include improvement—general, nonconformity and corrective action, and continuous improvement. Strictly for the sake of continuity, section 10 could have easily been incorporated into section 9. Sections 9 and 10 really flow together as one integrated set of requirements.

Don’t be intimidated by ISO 9001:2015. It’s a model for success that can be utilized by any organization.

This article is excerpted from Craig Cochran’s new book, ISO 9001:2015 in Plain English (Paton Professional, 2015).


About The Author

Craig Cochran

Craig Cochran is a project manager with Georgia Tech’s Enterprise Innovation Institute. Cochran is the author of The Seven Lessons: Management Tools for Success; Problem Solving in Plain English; ISO 9001 in Plain English; Customer Satisfaction: Tools, Techniques, and Formulas for Success; The Continual Improvement Process: From Strategy to the Bottom Line; and Becoming a Customer-Focused Organization, all available from Paton Professional. His most recent book is ISO 9001:2015 in Plain English, also available from Paton Professional.



Deming has long been forgotten by ISO 9001, and the bulk of the text and management principles CONTRADICT his work. The ISO committee trots out his name only to give ISO 9001 an illusion of validity, and it's obscene. Deming is spinning in his grave at the notion that an international standard would promote concepts such as management by objective, management through command and control, and one-way control over suppliers. The invoking of Deming to promote ISO 9001 is akin to using dead celebrities to sell Coca Cola, without their permission. But there's not much Deming can do about it, since he's dead. It's ghoulish.

ISO 9001:2015 structure

Looks like the main body of the standard is structured on Plan-Do-Check-Act (aka PDCA). Pretty easy to grasp if you're already familiar with that concept.


Wonderful to see that Deming is not forgotten.