ISO 9001 FAQs
ISO 9001 2008 Revision – FAQs
|Statement of where and who can use the standard now includes statutory requirements as well as customer and regulatory and clarifies that these requirements are restricted to those applicable to the product|
|0.4||A comment has been added that the development of ISO 9001:2008 made due consideration to ISO 14001:2004|
|1.1 & 1.2||Statutory requirements have been added (as in 0.1) and Note 1 has been amended to include comments regarding purchased product as well as product from realization processes. Note 2 has been added explaining that statutory and regulatory requirements may be expressed as legal requirements|
|2||The reference to ISO 9000 now states the fact that is at version 2005|
|3||The explanation of who the ‘customer’, ‘organisation’ and ‘supplier’ are, has been removed|
|4.1||a) The word ‘identify’ has been replaced with ‘determine’The statement regarding outsourced processes has been slightly re-worded but the intent is the same. Note 2 has been added to reflect the fact that outsourced processes may be linked to clause 7.4 (purchasing) and Note 3 expands on the type of control that may be applied to outsourced processes in order to ensure control over them|
|4.2.1||The wording has been slightly re-modeled but the intent stays the same.Note 2 has been added to clarify that a single document may include the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document. e.g. you may combine the documented procedures for corrective and preventive action if you wish|
|4.2.3 f||Clarification that the external documents referred to are those needed for use in the QMS|
|4.2.4||This clause has been significantly reduced in length but the requirement remains unchanged|
|5.1 a||The word statutory has again been added|
|5.5.2||The requirement that the management representative needs to be a member of the organisation’s management has been added|
|6.2||Change in title but keeps same words (change in their order)Where the current version mentions ‘… affecting product quality’, it now states ‘… affecting conformity to product requirements’.6.2.2 b) now states that ‘where applicable’ training needs to be provided to achieve the ‘necessary competence’6.2.2 c) now requires that the achievement of competence has been ensured rather than checking the effectiveness of training|
|6.3||c) now includes information systems|
|6.4||A note has been added to clarify what work environment includes and gives some examples such as noise, temperature, humidity|
|7.1 c||The word measurement has been added|
|7.2.1||a) slightly re-wordedc) the word ‘related’ has changed to ‘applicable’d) the statement about additional requirements determined by the organization becomes “considered necessary” by the organizationA note has been added to explain what the phrase ‘post delivery activities’ may include i.e. warranty provisions, etc|
|7.3.1||A note has been added to explain that design review, verification and validation are separate activities though they may be performed separately or in any combination e.g. verification and validation may be performed together|
|7.3.2||‘These’ inputs becomes ‘the’ inputs (last paragraph)|
|7.3.3||The word ‘provided’ has been removed and the phrase ‘suitable for’ replaces ‘that enables’b) the word ‘for’ (service provision) has been removedA note has been added regarding the inclusion of ‘preservation of product’|
|7.5.3||An added requirement to clarify that inspection and test status must be identified ‘throughout product realisation’Slight re-wording of record requirement under traceability|
|7.5.4||Re-wording of the requirement to inform the customer if there is a problem and keep recordsThe phrase ‘and personal data’ has been added to the note about intellectual property|
|7.5.5||Re-wording of ‘conformity of’ to ‘in order to maintain conformity to requirements’‘Where appropriate, this’ has changed to ‘as applicable’|
|7.6||The word ‘devices’ in the title has been changed to ‘equipment’The reference to 7.1 has been removedc) ‘be identified to enable the’ has been changed to ‘have identification to enable their’
Note 1 has been amended to remove the reference to ISO 10012-2 and has been replaced by a Note 3 to explain about the verification and configuration management of computer software (where it is used to monitor and measure)
|8.2.1||A Note has been added to provide some ideas as to how customer satisfaction can be measured|
|8.2.2||The requirement for a documented procedure has been re-worded but remains unchangedA requirement for records of the audits and their results has been addedA requirement for management responsible for the area audited to ensure that ‘necessary corrections and corrective actions’ has been addedThe Note that makes reference to the fact that ISO 10011 has changed and now refers to ISO 19011|
|8.2.3||The phrase ‘to ensure conformity of the product’ has been removedA Note has been added to explain that the organization should consider the type of monitoring and measuring of processes and the extent to which they affect quality and the QMS|
|8.2.4||The requirement to ‘maintain evidence of conformity with acceptance criteria’ has moved but is still a requirementClarification of the fact that product release/service delivery is ‘to the customer’ has been added|
|8.3||The requirement for a documented procedure has been re-worded but remains unchangedThe phrase ‘where applicable’ has been added to the methods for dealing with nonconforming productThe requirement to deal with nonconforming product discovered after delivery has been moved to be bullet point d) but is unchangedThe records requirement has moved but is unchanged|
The ISO 9001:2008 as in ISO 9001:2000 is the quality management system requirements standard. This International Standard specifies requirements for a quality management system where an organization:
- needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements, and
- aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
ISO 9001:2008 does not contain any new requirements
They have recognized that ISO 9001:2008 introduces no new requirements. ISO 9001:2008 only introduces clarifications to the existing requirements of ISO 9001:2000 based on eight years of experience of implementing the standard world wide with about one million certificates issued in 170 countries to date. It also introduces changes intended to improve consistency with ISO14001:2004
The agreed implementation plan in relation to accredited certification is therefore the following:
- Accredited certification to the ISO 9001:2008 shall not be granted until the publication of ISO 9001:2008 as an International Standard.
- Certification of conformity to ISO 9001:2008 and/or national equivalents shall only be issued after official publication of ISO 9001:2008 (which should take place before the end of 2008) and after a routine surveillance or recertification audit against ISO 9001:2008.
Validity of certifications to ISO 9001:2000
- One year after publication of ISO 9001:2008 all accredited certifications issued (new certifications or recertifications) shall be to ISO 9001:2008.
- Twenty four months after publication by ISO of ISO 9001:2008, any existing certification issued to ISO 9001:2000 shall not be valid.
When the ISO 9001 standard was upgraded from the 1994 revision to the 2000 revision, the changes were significant and profound, not just in format but in content. The entire view of how the standard should be viewed and applied changed, as the concept of Process Approach, Continual Improvement, Data and Customer Satisfaction were greatly elevated. The 2008 revision of the standard proposes changes that are more based on the clarification of points already in the standard rather than the inclusion of new requirements.
ISO 9001 FAQs
o Many customers work with only ISO 9001 certified vendors as a minimum requirement.
o Having ISO 9001 will give you an edge in new markets.
o It will lead to the improvement of product & services quality.
o Work processes will be standardized.
In a nutshell, the organization seeking ISO 9001 certification has to implement all the requirements set forth in the ISO 9001 standard. The requirements not only include establishing policies, objectives and minor documentation but it also includes having an internal audit and a management review. Once the company feels they are ready, they will be audited by a Registrar- hired by the organization-who will make sure the company satisfies the requirements of the standard or has shortcomings that need to be addressed.
Speaking in detail, an organization must implement the requirements of the ISO 9001 standard which will result in the establishment of a quality management system or QMS. This QMS should contain the policies and other documentation required by the standard, such as Quality Policy, Corrective/Preventive Action procedures, etc. The QMS also has to be audited at least once internally – by trained company employees – or by a consultant. This Internal Audit is geared to identify gaps and compliance between the organization’s QMS and the ISO standard and the company’s own established procedures. The organization’s top management also has to conduct a “Management Review” among other things. At this point the company cannot receive a certificate yet. In order to received the actual certificate the organization must be audited by a ‘Certification Body’ commonly known as Registrars – who must have been accredited by the National Accreditation Body for the territory in question (eg: UKAS in the UK). This helps ensure that the Certification Bodies meet national and international standards for their services, and ensure consistency. Independence is important here: the assessor must be independent of consultancy and training.
Early on in the process, when the organization is certain and committed to obtaining ISO 9001 certification, is it necessary to begin the registrar selection and approval process. Once the organization has selected a registrar, they must work together to establish an attainable date to conduct the external audit. You should account that in such timeframe, you will have to address and adequately implement all requirements of the standard. In addition, most registrar like to see at least 3 months of data after your system has been successfully put in place, prior to their initial audit.
By certifying to this standard you are agreeing to have your company audit yearly or at a certain frequency, by a third-party entity, called Registrar, who will provide recognition of your company to the standard. This will further assure your customers and others, that you do comply with the said standard.
By far, your company will benefit the most by the process-approach way of thinking, by the continual improvement state of mind and the tremendous focus on internal and external customer satisfaction.
In the PDCA cycle, first, you plan or identify your core processes. Second, you do or implement those processes. Third, you check or establish how those processes will be measured. Fourth, you act based on the performance of the processes obtained through the measures, and make the necessary changes to improve them. When the cycle ends and starts again, you are basically engage in continual improvement.
- Quality Policy
- Quality Manual
- Processes and their interaction
- Six procedures:
- Control of documents
- Control of records
- Internal audits
- Control of nonconforming product
- Corrective action
- Preventive action
- Other procedures necessary to carry on the company processes
- Management reviews
- Education, training, skills and experience
- Evidence that processes and product or service meet requirements
- Review of customer requirements and any related actions
- Design and development including: inputs, reviews, verification, validation and changes
- Results of supplier evaluations
- Traceability where it is an industry requirement
- Notification to customer of damaged or lost property
- Internal audit
- Product testing results
- Nonconforming product and actions taken
- Corrective action
- Preventive action
- Records you need to provide evidence of following your processes.
- One completed Internal Audit cycle
- One Management Review cycle
Periodic audits are typically conducted every 6 months or every year – depending on the registrar and the contract signed with the organization. Periodic audits are normally lesser in days than the original certification audits.
A re-certification audit involves the auditing of all requirements of the standard and may be equal in length as the original certification audit.
Our President and Senior ISO 9001 and ISO 27001 consultant, Miriam Boudreaux, has over 10 years experience working in a traditional and hi-tech manufacturing industries. She held several positions in her companies, thus learning how the processes and departments interact. Miriam has been in the operations field during the recession of the early ’90s and the booming late ’90s, and lived through years of extensive cost cutting measures as well years of abundance and mega bonuses. During these years, she helped her companies maintain high productivity, reduce costs while obtaining ISO certifications to increase market exposure. Miriam actually used a similar Web-Based Management System which she now offers as part of her portfolio of products and services. Her extensive hands-on experience are what makes her company an invaluable partner and consultant.
An organization must implement the requirements of the ISO 9001 standard which will result in the establishment of a quality management system or QMS. This QMS should contain the policies and other documentation required by the standard, such as Quality Policy, Corrective/Preventive Action procedures, etc. The QMS also has to be audited at least once internally -by trained company employees- or by a consultant. This Internal Audit is geared to identify gaps and compliance between the organization’s QMS and the ISO standard and the company’s own established procedures. The organization’s top management also has to conduct a “Management Review” among other things. At this point the company cannot receive a certificate yet. In order to received the actual certificate the organization must be audited by a ‘Certification Body’ commonly known as Registrars – who must have been accredited by the National Accreditation Body for the territory in question (eg: UKAS in the UK). This helps ensure that the Certification Bodies meet national and international standards for their services, and ensure consistency. Independence is important here: the assessor must be independent of consultancy and training.
You should account that in development timeframe allotted, you will have to address and adequately implement all requirements of the standard. In addition, most registrar like to see at least 3 months of data after your system has been successfully put in place, prior to their initial audit.
When the registrar comes to the organization facility to conduct the audit, they will conduct a sample audit of all the processes identified in the organization’s scope of registration. After the audit is final, the organization is either “Recommended” to obtain the ISO 9001 certification or if major non-conformities were found, a follow-up audit would be necessary before the organization can be recommended. The organization can be recommended for certification even if there are non-conformities, so long they are “minor” and not “major” non-conformities.
After the registrar’s due diligence, i.e. reporting, documenting, etc., the company will receive a certificate declaring them ISO 9001 certified.
ISO (International Organization for Standardization) is the world’s largest developer and publisher of International Standards. ISO began operations on 23 February 1947.
ISO is a network of the national standards institutes of more than 150 countries, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. More than 100 of ISO’s members are from developing countries.
Every full member of ISO has the right to take part in the development of any standard which it judges to be important to its country’s economy. No matter what the size or strength of that economy, each participating member in ISO has one vote.
ISO standards are voluntary. As a non-governmental organization, ISO does not regulate or legislate. However, countries may decide to adopt ISO standards as regulations or refer to them in legislation. In addition, ISO standards may become a market requirement.
ISO has more than 16 500 International Standards in its current portfolio. ISO’s work programme ranges from standards for traditional activities, such as agriculture and construction, through mechanical engineering, manufacturing and distribution, to transport, medical devices, the environment, safety, information and communication technologies, and to standards for good practice and for services.
ISO launches the development of new standards in response to the sectors that express a clearly established need for them.
At the end of 2006, the ISO standards-development system comprised 3 041 technical bodies in the ISO system, including 193 ISO technical committees.
The costs of developing standards are mainly borne by the ISO members that manage the specific standards development projects and the business organizations that provide experts to participate in this work.
An average of eight ISO technical meetings takes place every working day somewhere in the world. An increasing amount of the work is carried out electronically, which saves time and costs. The time it takes to develop and publish an ISO standard is down from an average of 4.2 years in 2001 to 2.8 years in 2006.