Last reviewed 23 November 2015

ISO 9001:2015 on quality management systems has now been published by the International Standards Organisation. Alan Field looks at the changes that will soon be in place.

ISO 9001:2015 Quality Management Systems (the Standard) has not been significantly updated for 15 years — the current 2008 version of ISO 9001 only required some small, specific changes to requirements from the 2000 version. This means that there will need to be some management attention to what the Standard will entail, bearing in mind that full transition to the new requirements will need to be completed — by those who currently hold ISO 9001:2008 — within three years of the publication date of the Standard itself.

September 2018 may sound like a long time away but, as we will see, some organisations will need to do both planning and implementation work to achieve transition and its benefits, of which, potentially, there will be many.

What are the changes?

One thing that has not changed is that ISO 9001 is a process-based management system based on a Plan-Do-Check-Act (PDCA) cycle, sometimes referred to as the Deming Cycle (after its first proponent, the American management guru, W Edwards Deming).

Also, many of the clauses in the Standard will sound familiar from the 2008 version, eg design and development and management review, to mention just a few, although careful reading will show there are some changes among these.

However, the two biggest changes are:

  • the PDCA system needs to be risk based

  • the level of leadership involvement required to achieve ongoing certification to ISO 9001.

There are other smaller changes to the Standard, but understanding what these two areas require can assist organisations in planning how other more specific matters can be put into place.

Implementing these changes can also provide opportunities for improvement for the organisation — this can be a driver in itself and provides a focus away from just meeting the requirements of the new Standard.

What is risk?

The Standard follows the requirements of Annex SL, an International Standards Organisation (ISO) document which all assessable Standards — such as ISO 14001 and ISO 27001 — now follow. (Of course, not all ISO Standards can be subject to third party assessment.)

One of the tenets of Annex SL is that process based management systems should be directed by a “risk and opportunities” based approach. With this, the leadership of the organisation decides the key risks and opportunities to the management system concerned — in the case of ISO 9001:2015 this is still in respect of quality management systems (QMS).

Before we define risk, it is worth remembering that one significant change to the Standard is that the documented management system (now referred to as “documented information”) needs to support the risks and opportunities defined by the leadership team. This means that it is not only the quality objectives (as currently defined by ISO 9001:2008) that will need to be re-defined in terms of risk and opportunities. Rather, it seems, the whole of the documented information will need to support the risk based approach to process management. It is also interesting to speculate whether the third party assessment bodies will start to want to assess work instructions and procedures again, just as was required prior to the 2000 version of the Standard.

Risk is defined by ISO as “the effect of uncertainty”. This is a broad and simple definition of risk. It will probably be seen as an advantage by many organisations as it is not too prescriptive and can be defined to embrace both sector and specific organisational needs. Leadership teams can define the key risks to them and, like the current quality objectives, these can be reviewed and amended any time they wish.

The opportunities are the positive outcome of uncertainty, ie risk does not necessarily imply only negative outcomes. At this early stage, “opportunities” are probably going to be interpreted in ways such as unplanned, significant increases in the order book or broader changes in sector regulation — both scenarios putting pressure on an individual organisation’s processes and available resources to meet customer demands. In other words, how would the QMS respond to this?

The way that leadership teams define risk and opportunities will be influenced by many things. For some organisations it will be very straightforward; risk based management systems already exist. However, some leadership teams would not see quality and risk in the same way as they would see safety and risk or finance and risk. Some may even need consultancy advice in the way their particular organisation should align risk, opportunities and QMS.

One practical approach would be to look at the organisation’s risk register (if there is one) and then adapt or cull those that relate to the QMS. Typically, a corporate risk register may have many risks defined; however, for the purposes of the Standard, there should never be more risk and opportunities based objectives than can be readily monitored and measured. If anything, the new Standard will require an even wider appreciation of monitoring and measuring the QMS, eg there is a new requirement that the QMS understands the needs and expectations of interested parties.

Also, in the new Standard the requirement for preventive action contained in ISO 9001:2008 no longer exists — the risk based approach to management should take into account the potential for non-conformities that could arise and the leadership team needs to take this into account when defining risk based quality objectives.

The two key factors to consider are, first, that the risk defined must also include at least an element of opportunity (positive as well as negative risk) and, secondly, that the risks must not stray too far (if at all) from the QMS.

Leadership and commitment

ISO 9001:2008 talks about senior management, and the 2015 Standard requires “leadership and commitment”. One pointer to what this means is that there is no longer a requirement for a management representative (who is often the quality manager). This does not mean all quality managers will vanish — rather it indicates that senior management will be directly accountable for the QMS.

How this requirement will be assessed by the third party assessment bodies remains to be seen. We know that defining risk, opportunities and interested parties will fall within leadership responsibilities. Also, the management review meetings (already required by ISO 9001:2008) will become more dynamic in many organisations — simply because leadership has more involvement with setting policies, parameters and goals for the QMS.

The word leadership does not necessarily mean simply the most senior manager. This is why we have used the term “leadership team” throughout this article. In other words, leadership can comprise all or part of the senior management team. This spreads the strategic resources available, in particular to ensure the QMS is integrated into the organisation’s business processes.

This spread of strategic resource can also help ensure commitment to the QMS is achieved by all staff and contractors and, possibly, wider interested parties.


As with all new Standards, there will be a learning curve for third party assessment bodies as well as their clients and regulators. Also, the consultancy community will have slightly different views and approaches until something of an understanding is reached as to how concepts such as “risk”, “leadership” and “interested parties” are to be interpreted. Arguably, trying to achieve the minimum level of compliance to a Standard does not achieve the optimum level of benefit from the new Standard but, of course, in certain sectors — such as facilities management — the amount of implementation will be dictated by contractual requirements and budgetary limitations.

In short, organisations need to be looking at their policy and expectations of the Standard at an early opportunity, even if they should decide to delay assessment to a later date.