ISO 9001:2008


FAQs on ISO 9001:2008

This list of Frequently Asked Questions (FAQs) has been prepared by ISO/TC 176/SC 2 to support the publication of ISO 9001:2008 and the revision of ISO 9004. Input has been obtained from experts and users of the ISO 9000 standards, expressed during seminars and presentations around the world.

The list will be reviewed and updated on a regular basis to maintain its accuracy, and to include new questions where appropriate.  It is intended that this list will also provide a good source of information for new users of the standards.

1.    What is ISO?

The International Organization for Standardization (ISO) was established in 1947 and is (currently) an association of 163 members, which each represent their own country. ISO employs a system of Technical Committees, Sub-committees and Working Groups to develop International Standards. Besides the National Standards Bodies, ISO permits other international organizations that develop standards to participate in its work, by accepting them as Liaison members. ISO works in accordance with an agreed set of rules of procedure, the ISO/IEC Directives, which also include requirements on the presentation of standards.

2.    Who are the National Standards Bodies, and who represents my country at ISO?

Please see the relevant page on ISO Online that gives details, including contact information, of the National Standards Bodies.

3.    What are the ISO 9000 standards?

The ISO 9000 standards are a collection of formal International Standards, Technical Specifications, Technical Reports, Handbooks and web based documents on Quality Management. There are approximately 25 documents in the collection altogether, with new or revised documents being developed on an ongoing basis.

(It should be noted that many of the International Standards in the ISO 9000 family are numbered in the ISO 10000 range.)

4.    Who is responsible for developing the ISO 9000 standards?

ISO Technical Committee (TC) number 176 (ISO/TC 176), and its Sub-committees, are responsible for the development of the standards. The work is conducted on the basis of "consensus" among quality and industry experts nominated by the National Standards Bodies, representing a wide range of interested parties.

5.    Where can copies of the standards be obtained?

Copies of the standards may be purchased from your National Standards Body (see list with contact details), or from ISO Central Secretariat through the ISO Store or by contacting the Marketing and Communication department (sales@iso.org). Many National Standards Bodies have them available in local-language versions.

6.    Where can copies of the supporting ISO 9000 guidance notes or other documents be found?

Copies of the ISO 9000 Introduction and Support Package modules, as well as details of the Quality Management Principles, can be found at: www.iso.org/tc176/sc2

Copies of the ISO 9001 Auditing Practices Group guidance notes.  

Copies of the ISO/TC 176 sanctioned “Interpretations” of ISO 9001 can be found at: http://www.tc176.org/

7.    Where can information be obtained on the ISO 9000 standards?

There are a number of sources of information on the ISO 9000 quality management system standards, including ISO's web site (www.iso.org), which carries information on the standards. Your National Standards Body should be able to provide copies of the standards, and registrars/certification bodies will be able to provide guidance on registration arrangements.

8.    Why are the standards being revised?

ISO’s formal review process:

  • Requires continual review to keep standards up to date. Must be initiated within 3 years of publication of a standard.

User inputs from:

  • A global user questionnaire/survey
  • A market Justification Study
  • Suggestions arising from the interpretation process
  • Opportunities for increased compatibility with ISO 14001
  • The need for greater clarity, ease of use, and improved translation

Current trends:

  • Keeping up with recent developments in management system practices.

9.    Who is responsible for revising the standards?

The revision process is the responsibility of ISO Technical Committee no.176, Sub-committee no.2 (ISO/TC 176/SC 2) and is conducted on the basis of consensus among quality and industry experts nominated by ISO Member bodies, and representing all interested parties.

10.    When will the revised standards be available?

The revised quality management system standards (ISO 9000, 9001 and 9004) are scheduled as follows:

  • ISO 9000:2005 already published – no major changes expected for 2009
  • Current plan is for small changes to ISO 9001 (an “amendment”) to be published in November 2008.
  • More significant changes are planned for ISO 9004 (a “revision”) to be published in mid 2009.

11.    How much is the implementation of the new standard going to cost?

One of the goals of ISO/TC 176/SC 2 is to produce standards that will minimize any potential costs during a smooth implementation.  Any additional costs may be considered as a value-adding investment. A key factor in the development of ISO 9001:2008 was to limit the impact of changes on users.

12.    Where can I obtain information on the revised standards?

See the ISO Catalogue on ISO Online web site that carries general information on the revision program. Your National Standards Body will give you additional information and the certification/registration bodies will be able to provide guidance on transitional arrangements in due course.

13.    Where can my organization go if it needs additional clarification or interpretation of the ISO 9001:2008 standard?

The starting point for any individual request for an interpretation should be with the enquirer's National Standards Body. ISO Central Secretariat and ISO/TC 176/SC 2 cannot accept direct requests from individuals for interpretations of the ISO 9000 standards. ISO/TC 176 has a Working Group that only accepts formal requests for interpretations from the National Standards Bodies. The agreed interpretations can be found at http://www.tc176.org/.

14.    Will my organization need a full reassessment once the revised standards are available?

This is primarily an issue between your organization and your registration/certification body. ISO/TC 176 is working with the IAF (International Accreditation Forum) and ISO/CASCO (the ISO Policy Committee for Conformity Assessment) in order to provide relevant information in a timely manner. ISO/CASCO is responsible for the standards to which the Certification Bodies work (ISO/IEC 17021), and the Accreditation Bodies are responsible for monitoring and approving the performance of Certification Bodies within their geographical area.

It is expected that conformity to the new ISO 9001:2008 standard will be evaluated by certification bodies during regular surveillance visits and that full reassessment will only take place once current certificates expire. However, it should be noted that ISO and the IAF have agreed that all certificates to ISO 9001 should be upgraded to ISO 9001:2008 within 2 years of publication of the amended standard.

15.    Will the revised standards be available in my national language immediately after they are published by ISO?

The active participation of experts from around the world in the preparation of the new standards, and the broad distribution of the draft standards, will facilitate the timely translation of the International Standards.

Given the global importance of the quality management system standards, many National Standards Bodies are already working on the translation issue.  ISO itself will publish the new standards in English and French, but if national language translations of the standards are currently available from your National Standards Body, we expect that they will have the translation of the revised standards ready at the time of publication by ISO or very soon thereafter.

For further details contact your National Standards Body.

16.    Will my organization have to re-write all its documentation?

No. ISO 9001:2008 doesn’t introduce major changes to the requirements, when compared to ISO 9001:2000. However, to benefit from the changes, we suggest you get acquainted with the new version of the standard and the clarifications introduced. If, during your analysis of the clarifications you find there are differences from your current interpretation of ISO 9001:2000, then you should analyse the impact on your current documentation and make the necessary arrangements to update it. It is intended that the amendment of ISO 9001 will have minimal or no impacts on documentation.

17.    Will the revised standards address financial issues?

Financial issues are not addressed in ISO 9001:2008, which is a requirements standard.

The ISO 10014:2006 and ISO 9004:2000 (Guidelines for performance improvements) standards will emphasize the financial resources needed for the implementation and improvement of a quality management system.

18.    What are the benefits of the revised standards?

For ISO 9001:2008 the major benefits are:

  • Simple to use
  • Clear in language
  • Readily translatable and easily understandable
  • Compatibility with other management systems such as ISO 14001.

For ISO 9004:

  • Facilitates improvement in users’ quality management systems.
  • Provides guidance to an organization for the creation of a quality management system that:
    - creates value for its customers, via the products it provides
    - creates value for all other interested parties 
    - balances all interested-party viewpoints.
  • Provides guidance for managers on leading their organization towards sustained success.
  • Forward compatibility to allow organizations to build on existing quality management systems.

19.    What are the main changes in ISO 9001:2008?

ISO 9001:2008 has been developed in order to introduce clarifications to the existing requirements of ISO 9001:2000 and changes that are intended to improve compatibility with ISO 14001:2004. ISO 9001:2008 does not introduce additional requirements nor does it change the intent of the ISO 9001:2000 standard.

Certification to ISO 9001:2008 is not an “upgrade”, and organizations that are certified to ISO 9001:2000 should be afforded the same status as those who have already received a new certificate to ISO 9001:2008.

All changes between ISO 9001:2000 and ISO 9001:2008 are detailed in Annex B to ISO 9001:2008.

20.    What are the main benefits to be derived from implementing an ISO 9000 quality management system?

The ISO 9000 standards give organizations an opportunity to increase value to their activities and to improve their performance continually, by focusing on their major processes. The standards place great emphasis on making quality management systems closer to the processes of organizations and on continual improvement.  As a result, they direct users to the achievement of business results, including the satisfaction of customers and other interested parties.

The management of an organization should be able to view the adoption of the quality management system standards as a profitable business investment, not just as a required certification issue.

Among the perceived benefits of using the standards are:

  • The connection of quality management systems to organizational processes
  • The encouragement of a natural progression towards improved organizational performance, via: 
    - the use of the Quality Management Principles
    - the adoption of a "process approach"
    - emphasis of the role of top management
    - requirements for the establishment of measurable objectives at relevant functions and levels
    - being orientated toward "continual improvement" and "customer satisfaction", including the monitoring of information on "customer satisfaction" as a measure of system performance
    - measurement of the quality management system, processes, and product
    - consideration of statutory and regulatory requirements
    - attention to resource availability

21.    How will the implementation of the amended standard help my organization to improve its efficiency?

ISO 9001:2008 aims at guaranteeing the effectiveness (but not necessarily the efficiency) of the organization. For improved organizational efficiency, however, the best results can be obtained by using ISO 9004 in addition to ISO 9001:2008. The guiding quality management principles are intended to assist an organization in continual improvement, which should lead to efficiencies throughout the organization.

22.    What benefits are there to an organization implementing ISO 9004?

If a quality management system is appropriately implemented, utilizing the eight Quality Management Principles, and in accordance with ISO 9004, all of an organization's interested parties should benefit. For example:

Customers and users will benefit by receiving the products (see ISO 9000:2005, Fundamentals and vocabulary) that are:

  • Conforming to the requirements
  • Dependable and reliable
  • Available when needed
  • Maintainable

People in the organization will benefit by:

  • Better working conditions
  • Increased job satisfaction
  • Improved health and safety
  • Improved morale
  • Improved stability of employment

Owners and investors will benefit by:

  • Increased return on investment
  • Improved operational results
  • Increased market share
  • Increased profits

Suppliers and partners will benefit by:

  • Stability
  • Growth
  • Partnership and mutual understanding

Society will benefit by:

  • Fulfilment of legal and regulatory requirements
  • Improved health and safety
  • Reduced environmental impact
  • Increased security

23.    Are the standards compatible with national quality award criteria?

The standards are based on 8 Quality Management Principles, which are aligned with the philosophy and objectives of most quality award programs. 
These principles are:

  • Customer focus,
  • Leadership,
  • Involvement of people,
  • Process approach,
  • System approach to management,
  • Continual improvement,
  • Factual approach to decision making, and
  • Mutually beneficial supplier relationships.

ISO 9004 recommends that organizations perform self-assessments as part of their management of systems and processes, and includes an annex giving guidance on this approach. This is similar to many quality awards programmes.

24.    Why is the requirement for monitoring "customer satisfaction" included in ISO 9001?

"Customer satisfaction" is recognized as one of the driving criteria for any organization. In order to evaluate if a product meets customer needs and expectations, it is necessary to monitor the extent of customer satisfaction. Improvements can be made by taking action to address any identified issues and concerns.

25.    Can the standards improve "customer satisfaction"?

The quality management system details that are described in the standards are based on Quality Management Principles that include the "process approach" and "customer focus". The adoption of these principles should provide customers with a higher level of confidence that products will meet their needs and increase their satisfaction.

26.    What is meant by "continual improvement"?

Continual improvement is the process focused on continually increasing the effectiveness and/or efficiency of the organization to fulfil its policies and objectives. Continual improvement (where "continual" highlights that an improvement process requires progressive consolidation steps) responds to the growing needs and expectations of the customers and ensures a dynamic evolution of the quality management system.

27.    What is a process?

Any activity or operation, which receives inputs and converts them to outputs, can be considered as a process.  Almost all activities and operations involved in generating a product or providing a service are processes.

For organizations to function, they have to define and manage numerous inter-linked processes. Often the output from one process will directly form the input into the next process.  The systematic identification and management of the various processes employed within an organization, and particularly the interactions between such processes, may be referred to as the ‘process approach’ to management.

For further information, refer to the paper Guidance on the Concept and Use of the Process Approach, available from www.iso.org/tc176/sc2.

28.    What is the "process approach"?

The "process approach" is a way of obtaining a desired result, by managing activities and related resources as a process. The "process approach" is a key element of the ISO 9000 standards. For further guidance, please refer to the ISO 9000 Introduction and Support Package module: Guidance on the Concept and Use of the Process Approach for management systems.

29.    Can the "process approach" be applied to other management systems?

Yes. The "process approach" is a generic management principle, which can enhance an organization’s effectiveness and efficiency in achieving defined objectives.

30.    How can the PDCA cycle be used in the "process approach"?

The PDCA cycle is an established, logical, method that can be used to improve a process.

This requires:

  • (P) planning (what to do and how to do it),
  • (D) executing the plan (do what was planned),
  • (C) checking the results (did things happen according to plan) and
  • (A) act to improve the process (how to improve next time).

The PDCA cycle can be applied within an individual process, or across a group of processes.

31.    Can any organization apply the "process approach"?

Yes. Many organizations already apply a "process approach" without recognizing it. They could achieve additional benefits by understanding and controlling it.  

32.    Why should an organization apply the "process approach"?

By applying the "process approach" an organization should be able to obtain the following types of benefits:

  • The integration and alignment of its processes to enable the achievement of its planned results.
  • An ability to focus effort on process effectiveness and efficiency.
  • An increase in the confidence of customers and other interested parties as to the consistent performance of the organization.
  • Transparency of operations within the organization.
  • Lower costs and shorter cycle times through effective and efficient use of resources.
  • Improved, consistent and predictable results.
  • The identification of opportunities for focused and prioritized improvement initiatives.
  • The encouragement and involvement of people, and the clarification of their responsibilities.
  • The elimination of barriers between different functional units and the unification of their focus to the objectives of the organization.
  • Improved management of process interfaces.

33.    What is meant by the “sequence” of processes and their "interactions"?

The "sequence" of processes shows how the processes follow, or link, to each other to result in a final output.

For example, the output from one process may become the input of the next process or processes.

The "interactions" show how each process affects or influences one or more of the other processes. For example, the monitoring or controlling of a process may be established in a separate process.

34.    How can the processes in an organization be determined?

Identify the organization's intended outputs, and the processes needed for achieving them. These will need to include processes for Management, Resources, Realization and Measurement and Improvement.

  • Identify all process inputs and outputs, along with the suppliers and customers, who may be internal or external.
  • Identify the sequence and interactions of the processes.

35.    Should an organization define and document all its processes?

The main purpose of documentation is to enable the consistent and stable operation of an organization's processes.

Although statutory, standards' or customer requirements may require certain documentation, there is no defined “catalogue”, or list of processes that has to be documented in ISO 9001, apart from the 6 indicated ones.

The organization should determine which processes are to be documented on the basis of:  

  • The size of the organization and type of its activities,
  • The complexity of its processes and their interactions,
  • The criticality of the processes and
  • Availability of competent personnel.

A number of different methods can be used to document processes, such as graphical representations, written instructions, checklists, flow charts, visual media, or electronic methods.

36.    How much detail is required in process documentation?

The extent of detail is likely to depend upon factors such as:

  • the size of an organisation and its types of activities,
  • the complexity of its processes and their interactions, and
  • the competence (level of education, training, skills and experience) of its personnel.

37.     Is there a standard way of describing a process?

No, there is no standard way to describe a process. It depends on the culture, management style, staff literacy, personal attributes and their interactions.

A process may be described using a flow chart, block diagram, responsibility matrix, written procedures or pictures.

Process flowcharts or block diagrams can show how policies, objectives, influential factors, job functions, activities, material, equipment, resources, information, people and decision making interact and/or interrelate in a logical order.

38.    What should an organization do to adopt the "process approach"?

To adopt the "process approach" an organization should apply the following steps:

  • Identify the processes of the organization,
  • Plan the processes,
  • Implement and measure the processes,
  • Analyse the processes,
  • Improve the processes.

39.    What is a "process owner"?

A person who is given the responsibility and authority for managing a particular process is sometimes referred to as the "process owner".

It may be useful for an organization's Management to appoint individual "process owners" and to define their roles and responsibilities; these should include the responsibility for ensuring the implementation, maintenance and improvement of their specific process and its interactions.

It should be noted, however, that ISO 9001:2008 does not specifically require the appointment of "process owners".

40.    How can a process be measured?

There are various methods of measuring process controls and process performance, ranging from simple monitoring systems up to sophisticated statistically based systems (e.g. statistical process control, or SPC, systems). The selection and use of any particular method will be dependent on the nature and complexity of an organization's processes and products. The effectiveness of an individual process may be measured by the conformity of its output or product to customer requirements. Its efficiency may be measured from its use of resources. In all cases the measurement of the process determines if its (measurable) objectives have been achieved. Sometimes it only requires monitoring to confirm process operations.

Typical factors that are useful to consider when identifying measures of process control and process performance include:  

  • Conformity with requirements,
  • Customer satisfaction,
  • Supplier performance,
  • On time delivery,
  • Lead times,
  • Failure rates,
  • Waste,
  • Process costs.
  • Incident frequency

41.    What is the difference between a "process" and a "procedure"?

A "process" may be explained as a set of interacting or interrelated activities, which are employed to add value. A "procedure" is a method of describing the way (the "how") in which all or part of that process's activities shall/should be performed.

ISO 9000:2005 defines a procedure as a "specified way to carry out an activity or a process", which does not necessarily have to be documented.

42.    An organization has a well-established set of procedures. Can these procedures be used to help describe its processes?

Yes, if the procedures describe inputs and outputs, appropriate responsibilities, controls and resources needed to satisfy customer requirements.

43.    What documentation is required by ISO 9001?

ISO 9001:2008 refers specifically to only 6 documented procedures; however, other documentation (including more documented procedures not specifically mentioned in ISO 9001:2008) may be required by an organization, in order to manage the processes that are necessary for the effective operation of the quality management system. This will vary depending on the size of the organization, the kind of activities in which it is involved and their complexity. For further guidance, please also refer to the ISO 9000 Introduction and Support Package module "Guidance on the Documentation Requirements of ISO 9001:2008".

44.    Which standard are organizations registered/certified to?

Organizations have their quality management system registered/certified to ISO 9001:2008. The scope of registration/certification will need to reflect precisely and clearly the activities covered by the organization's quality management system; any exclusion to non-applicable requirements of the standard (permitted through ISO 9001 clause 1.2 "Application") will need to be documented and justified in the quality manual (see also the ISO/TC 176/SC2 ISO 9000 Introduction and Support Package module Guidance on ISO 9001:2008 clause 1.2 'Application').

45.    What does an organization need to do to comply with ISO 9001?

When initially starting to use ISO 9001, an organization should familiarize its personnel with the Quality Management Principles, analyze the standards (especially ISO 9000 and ISO 9004), and consider how their guidance and requirements may affect its activities and related processes. If it then wishes to proceed to registration/certification, it should perform a gap analysis against the requirements of ISO 9001 to determine where its current quality management system does not address the applicable ISO 9001:2008 requirements, before developing and implementing additional processes to ensure that compliance will be achieved.

46.    What will happen to the 2000 version of ISO 9001?

ISO 9001:2008 will supersede ISO 9001:2000. However, noting the IAF/ISO-CASCO/ISO TC176 agreement that accredited certification to the 2000 edition should remain possible for up to 2 years after the publication of ISO 9001:2008, copies of the 2000 edition will still be available on request from ISO and the national standards bodies during that period, and possibly for even longer.

47.    Can organizations remain certified/registered to the 2000 version?

Yes. Certification to ISO 9001:2008 is not an “upgrade”, and organizations that are certified to ISO 9001:2000 should be afforded the same status as those who have already received a new certificate to ISO 9001:2008. However, certificates to ISO 9001:2000 will only remain valid until 2 years after the publication of ISO 9001:2008. Contact your certification/registration body to get details on the certificates transition process.

48.    What will happen to the other standards and documents in the current (2000) ISO 9000 family?

The four primary standards of the current ISO 9000 family are the following:

  • ISO 9000:2005 already published – no major changes expected for 2009
  • ISO 9001:2000 to be superseded by ISO 9001:2008
  • More significant changes are planned for ISO 9004 with a planned publication date of late 2009.
  • ISO 19011:2002 is currently beginning the revision process, with a new version expected in 2011.

The other standards and documents will be reviewed and updated as necessary.

49.    How soon can my organization seek certification to ISO 9001:2008?

ISO 9001:2008 certificates can only be granted after its publication as an International Standard.

50.    Will I be able to certify/register my organization to ISO 9004:2009?

Since ISO 9004:2009 will be a guidance document, it is not intended to be used for third party certification purposes.

51.    My organization is thinking about developing a Quality Management System to ISO 9001.  Should we wait until the revised standards are published?

No, you should not delay the introduction of the quality management system in your organization. Like those who are currently in the process of being registered/certified, anything you do now to lay the foundation of a quality management system within your organization will be beneficial.

52.    My organization is applying for ISO 9001 certification in 2008. What should I do?

Organizations in the process of certification to ISO 9001:2000 are recommended to apply for certification to ISO 9001:2008 as soon as it is published. Up to its publication you can still apply for certification to ISO 9001:2000.

53.    Can an organization be certified/registered to ISO 9004?

ISO 9004 is a guidance standard, which is not intended to be used for third party registration/certification purposes. A key element of ISO 9004 is the ability to perform self-assessments. Third party quality management system certifications/registrations are performed to ISO 9001:2008.

54.    Is an organization's ISO 9001 certificate applicable to all of its products?

When an organization seeks to have its quality management system registered/certified to ISO 9001:2008, it is required to agree a "scope of certification" with its registrar/certification body. This will define the products to which the organization's quality management system is applicable, and against which it will be assessed. An organization is not obliged to include within its "scope of certification" all the products that it provides (note that the ISO 9000:2005 definition of "Product" includes "services"), but may be selective about those that are included. All applicable requirements of ISO 9001:2008 will need to be addressed by the organization's quality management system that covers those products that are included in the "scope of certification".

Customers should ensure that a potential supplier's "scope of certification" covers the products that they wish to order. Caveat Emptor!

55.    What can an organization do if it is not able to comply with all of the requirements of ISO 9001?

ISO 9001 allows for the exclusion of some of its requirements (via clause 1.2 “Application”), but only if it can be shown that these requirements are not applicable to the organization.

Exclusions are limited to the requirements given in Section 7 ("Product Realization"), where individual requirements may only be excluded if it can be shown that they do not affect the organization's ability to provide product that meets customer and applicable statutory or regulatory requirements. Justification for such exclusions is also required to be detailed within the organization's quality manual.

For example, if design activities are not required by an organization to demonstrate its capability to meet customer and applicable statutory/regulatory requirements, or if its product is provided on the basis of established design, then it may be able to exclude some of the "design" requirements but still be able to be registered/certified to ISO 9001:2008.

For further guidance, see the ISO 9000 Introduction and Support Package module: Guidance on ISO 9001:2008 clause 1.2 'Application'.

56.    How will a small organization be able to adapt the requirements of ISO 9001?  What flexibility will be allowed?

The requirements of the amended ISO 9001:2008 remain applicable to small, medium, and large organizations alike, and such organizations should acquaint themselves with the clarifications in ISO 9001:2008. ISO/TC 176 has published a handbook “ISO 9001 for Small Businesses – What to do?” giving specific advice to small businesses.

The requirements of ISO 9001 are applicable to small, medium, and large organizations alike. ISO 9001:2008 provides some flexibility, through clause 1.2 “Application”, on the exclusion of certain requirements for specific processes that may not be performed by the organization.

If, for example, the nature of your products does not require you to perform design activities, or if your product is provided on the basis of established design, you could discuss and justify the exclusion of these requirements with your certification/registration body (see also the ISO 9000 Introduction and Support Package module Guidance on ISO 9001:2008 clause 1.2 'Application'). However, individual organizations will still need to be able to demonstrate their capability to meet customer and applicable statutory or regulatory requirements for their products, and will need to consider this when determining the complexity of their quality management systems.

Further guidance for small businesses may be found in the ISO handbook: ISO 9001 for Small Businesses – What to do, Advice from ISO/TC 176

57.    What will happen to the ISO handbook “ISO 9001 for Small Businesses”?

It remains fully applicable. A project has been started to update the handbook to reflect the changes in ISO 9001:2008.

58.     What’s the relationship between the revised ISO 9001 and ISO 14001?

Compatibility with ISO 14001:2004 has been maintained and enhanced. “Compatibility” means that common elements of the standards can be implemented by organizations in a shared manner, in whole or in part, without unnecessary duplication or the imposition of conflicting requirements.

59.    Are there any guidelines covering joint implementation of ISO 9001 and ISO 14001?

The two standards are compatible. It is not expected that an ISO guideline will be prepared on this subject at the present time.  If the need for such a document arises, ISO will consider the request as a new project. However, both ISO 9001 and ISO 14001 include an annex to show the correspondence between the two standards.

60.    Is there a common guideline standard for auditing QMS and EMS according to ISO 9001 and 14001?

Yes, ISO 19011:2002 provides guidelines for quality and/or environmental management systems auditing. Note that a project to revise ISO 19011 was started in 2008, and is expected to be completed in 2011.

61.    How are the standards applicable to organizations that provide services?

The standards are applicable to all types of organizations, operating in all types of sectors, including service providers.

(Note: the definition of the term 'product' in ISO 9000:2005 also includes 'services'. ISO 9001:2008 and ISO 9004:2000 have been written to reflect this definition.)

62.    My organization provides services. Is the new ISO 9001:2008 applicable to us?

ISO 9001 is equally appropriate to all sectors, including service providers. The standard is applicable to all types of organizations.

63.    What do quality management practitioners (consultant, auditor, or trainer) need to know about the standards?

As a minimum, quality management practitioners should familiarize themselves with the requirements of ISO 9001:2008, and also with the content and philosophies of ISO 9000:2005, ISO 9004 and the Quality Management Principles.

Practitioners who are already familiar with ISO 9001:2000 should become aware of the clarifications introduced in ISO 9001:2008, and their implications, prior to conducting audits to that standard, or giving training and consultancy.

They should understand their client’s activities and processes, before providing appropriate interpretations of the requirements of the standards, to add value to the client's operations.

ISO/TC 176 has developed the standard ISO 10019 Guidelines for the selection of quality management system consultants and use of their services, which may be useful to refer to for further guidance.

64.    How should regulatory bodies use the standards?

Regulatory bodies should review their regulations currently in effect (or under development) and identify points where reference to the quality management system standards would be appropriate, before making recommendations to the legislative body.

65.    What do auditors need to know about the standards?

Auditors, whether external or internal, should be able to demonstrate their competence on the structure, content and terminology of the standards, and also on the underlying Quality Management Principles.

The standards require that auditors are able to understand the organization's activities and processes and appropriately audit against the requirements of ISO 9001 in relation to the organization's objectives. According to joint advice from the International Accreditation Forum (IAF), ISO's Policy Committee for Conformity Assessment (ISO-CASCO) and ISO TC 176, auditors should be able to demonstrate competency in:

  • The requirements of the ISO 9001:2008.
  • The concepts and terminology of the ISO 9000:2005.
  • The eight Quality Management Principles
  • A general understanding of ISO 9004
  • Familiarity with the auditing guidance standard ISO 19011.

ISO/TC 176, ISO/CASCO and the IAF have established an ISO 9001 Auditing Practices Group, which has issued a number of web based guidance notes to assist auditors (see www.iso.org/tc176/ISO9001AuditingPracticesGroup)

66.    How will ISO 9001:2008 relate to the needs of specific business sectors?

ISO 9001:2008 remains compatible with the existing management systems standards for specific business sectors like ISO/TS 16949, AS 9000/EN 9100 and TL 9000.

Users of a specific sector scheme are recommended to refer to the organization that is responsible for that sector scheme, e.g. for:

  • ISO/TS 16949 refer to the IATF,
  • TL 9000 refer to the QuEST Forum,
  • AS 9000/EN 9100 refer to the IAQG.

67.    My organisation fulfils the ISO 9001:2000 requirements. What do I need to do?

An organization whose QMS fulfils the requirements of ISO 9001:2000 should check that it is following the clarifications introduced in the amended standard ISO 9001:2008.

ISO 9001:2008 has been developed in order to introduce clarifications to the existing requirements of ISO 9001:2000. It does not introduce additional requirements nor does it change the intent of the ISO 9001:2000 standard.

68.    What is the impact of ISO 9001:2008 on certification?

Certification to ISO 9001:2008 is not an “upgrade”, and organizations that are certified to ISO 9001:2000 should be afforded the same status as those who have already received a new certificate to ISO 9001:2008.

ISO and the International Accreditation Forum (IAF) have agreed the following “Implementation Plan” with respect to accredited certification to ISO 9001:2008:

“Accredited certification to the ISO 9001:2008 shall not be granted until the publication of ISO 9001:2008 as an International Standard.

Certification of conformity to ISO 9001:2008 and/or national equivalents shall only be issued after official publication of ISO 9001:2008 (which should take place before the end of 2008) and after a routine surveillance or re-certification audit against ISO 9001:2008.

Validity of certifications to ISO 9001:2000

One year after publication of ISO 9001:2008 all accredited certifications issued (new certifications or re-certifications) shall be to ISO 9001:2008.

Twenty four months after publication by ISO of ISO 9001:2008, any existing certification issued to ISO 9001:2000 shall not be valid.”

69.    Is there any way I can participate in the development of standards?

Yes. If you are interested you should contact your National Standards Body for further details.

Information on ISO’s member National Standards Bodies can be found at: http://www.iso.org/iso/about/iso_members.htm

 

Introduction and support package:
Guidance on ISO 9001:2008 
Sub-clause 1.2 'Application'

Document: ISO/TC 176/SC 2/N 524R6
October 2008

1.    Introduction

ISO 9001:2008 has been developed in order to introduce clarifications to the existing requirements of ISO 9001:2000 and to improve compatibility with ISO 14001:2004. ISO 9001:2008 does not introduce additional requirements nor does it change the intent of the ISO 9001:2000 standard.

No new requirements were introduced in the ISO 9001:2008 edition but, in order to benefit from the clarifications of ISO 9001:2008, users of the former version will need to take into consideration whether the clarifications introduced have an impact on their current interpretation of ISO 9001:2000, as changes may be necessary to their QMS.

ISO 9001:2008 is intended to be generic and applicable to all organizations, regardless of type, size and product category.  It is recognized, however, that not all the requirements of this standard will necessarily be relevant to all organizations. Under certain circumstances, an organization may consider the exclusion of the application of some requirements of ISO 9001:2008 from its QMS. ISO 9001:2008 makes allowance for such situations, through sub-clause 1.2 Application.

This module of the ISO 9001:2008 Support Package has been developed by ISO/TC 176/SC 2 to provide users with information regarding the intent of ISO 9001:2008 sub-clause 1.2 Application, including some typical examples of its use in practical situations (see Annex A).

2.    The concept of exclusions

Sub-clause 1.2 Application of ISO 9001:2008 states:

“1.2 Application

All requirements of this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and product provided.

Where any requirement(s) of this International Standard cannot be applied due to the nature of an organization and its product, this can be considered for exclusion.

Where exclusions are made, claims of conformity to this International Standard are not acceptable unless these exclusions are limited to requirements within clause 7, and such exclusions do not affect the organization's ability, or responsibility, to provide product that meets customer and applicable statutory and regulatory requirements.”

Therefore, an organization should consider whether all the requirements of the standard are relevant to its activities, based on the nature of the organization itself, its products, and the processes it uses to meet customer, statutory and regulatory requirements. In addition, the organization should take into account any commitments it has made in its quality policy and objectives and how these could affect the need to undertake particular realization processes. All of these can affect the scope of the organization’s QMS.

3.    Justification for exclusion

If an organization identifies requirements of clause 7 of ISO 9001:2008 that cannot be applied to its activities, the organization can consider exclusion of these requirements, provided there is valid justification.

The exclusion of requirements of clause 7 of ISO 9001:2008 is only acceptable if “such exclusions do not affect the organization’s ability or responsibility to consistently provide product that meets customer and applicable statutory and regulatory requirements.”  The appropriateness of the exclusion depends on considerations of items such as:

  • Who is the customer?
  • What is the product?
  • What are the requirements (stated and not stated) related to the product?

In some cases the exclusion may not be justified depending on who is the customer, and what is the product.

It should be noted that ISO 9001:2008 sub-clause 1.2 Application can be applied to individual requirements or sub-clauses of clause 7 Product realization. For example, an organization may exclude part of (f) of sub-clause 7.5.1 Control of production and service provision, if the organization has no accountability for post-delivery activities.

Sub-clause 4.2.2 Quality manual of ISO 9001:2008 states:

“The organization shall establish and maintain a quality manual that includes

(a) the scope of the quality management system, including details of and justification for any exclusions (see 1.2),..…”

All exclusions need to be expressed in the quality manual (with valid justifications) and have to be consistent with the scope of the organization’s QMS. Any publicly available documents, promoting conformance to ISO 9001:2008, should clearly state the scope of the QMS in a way that will not mislead customers and end users. This should ensure that the necessary information is available for the user to determine which categories of product and product realization processes are included. In addition, the scope of the QMS should be explicit in stating the responsibility for product design and development and other principal realization processes such as manufacturing, sales and services.

When an organization is evaluating whether it can exclude requirements from its QMS, it should carefully evaluate the impact of such exclusions from the viewpoint of its customer. If there is an impact on the customer, the exclusion would not be justified, since ensuring the conformity of delivered products to customer requirements is a key element of ISO 9001:2008.

Also, organizations considering exclusions should recognize that customers often have no knowledge of the internal operations of the organization from whom they purchase products (and really do not care how or where organizations design, manufacture or support products). The customer looks at the organization as an entity and expects all elements of the organization (e.g. design, manufacturing, purchasing, repair) to work together to ensure the conformity of its products.

4.    Claims of conformity

The final paragraph of sub-clause 1.2 Application of ISO 9001:2008 states:

“Where exclusions are made, claims of conformity to this International Standard are not acceptable unless these exclusions are limited to requirements within clause 7, and such exclusions do not affect the organization's ability, or responsibility, to provide product that meets customer and applicable statutory and regulatory requirements.”

If an organization excludes requirements from its QMS which do not meet the criteria presented in sub-clause 1.2 Application, conformity to ISO 9001:2008 should not be claimed or implied.  Examples of situations where conformity to ISO 9001:2008 should not be claimed are:

  • Where requirements in clause 7 have been excluded because regulatory bodies do not demand compliance to them, but the requirements affect the organization’s ability to meet customer requirements.
  • Where an organization excludes a requirement in clause 7 based only on the justification that this had not been previously included in the organization’s QMS, without taking into consideration whether the clarifications introduced in ISO 9001:2008 have an impact on their current interpretation of ISO 9001:2000. If the organization’s former interpretation of ISO 9001:2000 is different from the clarifications provided in ISO 9001:2008 then changes may be necessary to its QMS.
  • Where an organization excludes a requirement on the basis that the activity has been outsourced (for further guidance see the ISO 9000 Introduction and Support Package module: N630 R3 - Guidance on Outsourced Processes).

ANNEX A

Given below are a number of examples designed to show the reasoning used to determine which requirements of ISO 9001:2008 are applicable to an organization.  It is stressed that these are only hypothetical examples and that in reality each organization’s particular circumstances will have to be analyzed carefully.

The standard allows for the exclusion of either individual requirements, or where applicable, the requirements from entire sub-clauses.  

In all examples, it is assumed that the exclusions mentioned do not affect the organization’s ability or responsibility, to provide product that fulfills customer and applicable statutory and regulatory requirements.

Example 1 – Customer property (intellectual property) controlled by a bank.

Situation:

A bank provides a variety of services to its customers (i.e. personal and company bank accounts), but chooses to implement a QMS only for its Internet banking services. For this service the bank has claimed conformity to ISO 9001:2008. The bank clearly states in its Quality Manual which services are covered by the QMS. The bank applies all the requirements of ISO 9001:2008 for the realization of its Internet banking services, with the exception of sub-clause 7.5.4 Customer property. The bank does not feel that it has possession of any customer property as part of its Internet banking services and has stated this in the justification for the exclusion of sub-clause 7.5.4 Customer property from its QMS.

Issue(s):

Can the bank exclude sub-clause 7.5.4 Customer property from its QMS and claim conformity to ISO 9001:2008?

Analysis and Conclusion:

The decision made by the bank to exclude sub-clause 7.5.4 Customer property was not justified because the bank does receive information from its customers such as personal and confidential data. ISO 9001, 7.5.4 Customer property requires an organization to exercise care with customer property while it is under the organization’s control or being used by the organization. In addition, the note of sub-clause 7.5.4 Customer property clearly indicates that “Customer property can include intellectual property and personal data”. In this situation, the bank’s customers provide important information in confidence when using the service, which constitutes “Customer property”. Therefore the bank has to address the requirements for customer property in its QMS.

Example 2 – Exclusion of design and development by a contract manufacturer

Situation:

XYZ Electronics is building a new factory to perform manufacturing of mobile phones, as a subcontractor.  It has only one customer and this customer maintains responsibility and authority for product design. XYZ Electronics is responsible for purchasing of all components and for performing the manufacturing activities. The customer provides XYZ with the manufacturing and parts specifications, and is also responsible for notifying XYZ of any design changes and providing the appropriate change information.

XYZ Electronics, in the development of its QMS, has excluded the requirements of ISO 9001:2008 sub-clause 7.3 Design and development. XYZ Electronics considers the customer specifications as a customer supplied product and therefore controls this according to ISO 9001:2008 sub-clause 7.5.4 Customer property.

Issue(s):

Can XYZ Electronics exclude sub-clause 7.3 Design and development from its QMS and claim conformity to ISO 9001:2008?

Analysis and Conclusion:

XYZ Electronics was justified in its decision to exclude sub-clause 7.3 Design and development from its QMS since it does not have any authority or accountability for design of the mobile phone product. Its customer provides the design.

Example 3 – Regulators permit the exclusion of design development

Situation:

KML designs and fabricates pressure vessels for electricity generating stations, in accordance with various mandatory pressure vessel regulations.

The regulatory authority has not yet revised its requirements to take ISO 9001:2008 into account, but has confirmed that it will continue not to require manufacturers’ QMSs to include design. On this basis KML decides to exclude sub-clause 7.3 Design and development from its QMS and to claim conformity to ISO 9001:2008.

Issue(s):

Can KML exclude sub-clause 7.3 Design and development from its QMS and claim conformity to ISO 9001:2008?

Analysis and Conclusions:

This situation deals with the issue of claiming conformity to ISO 9001:2008 with the exclusion of sub-clause 7.3 Design and development because the regulatory authority does not require the fabricator to include design and development in its QMS.

KML’s claims of conformity to ISO 9001:2008 are not justified, because design and development can impact the organization’s ability to conform to customer requirements. Therefore, KML should not exclude sub-clause 7.3 Design and development, even if the regulatory body allows such exclusions.

Example 4 – Outsourced design and development activities

Situation:

CDH Construction Ltd. provides engineering and construction services for various developers, but does not have in-house design capabilities. The company employs a project manager who is responsible for the management of design activities. These activities are outsourced to TPL Engineering Ltd, an engineering consulting company.

The activities of TPL Engineering Ltd. are managed through the application of the requirements of sub-clause 7.4 Purchasing. The project manager of CDH Construction Ltd. oversees the design activities and is involved in design review meetings and design verification and validation activities. In addition, the project manager is responsible for ensuring that the design activities are carried out in accordance with the requirements of ISO 9001:2008 sub-clause 7.3 Design and development. However, CDH Construction Ltd. has excluded sub-clause 7.3 Design and development from its QMS, since the design activities have been outsourced.

Issue(s):

Can CDH Construction Ltd. exclude sub-clause 7.3 Design and development from its QMS and claim conformity to ISO 9001:2008?

Analysis and Conclusion:

CDH Construction Ltd cannot exclude sub-clause 7.3 Design and development since it has the responsibility for the design and development.

Note: See also the ISO 9000 Introduction and Support Package module: N630 R3 - Guidance on Outsourced Processes

Example 5 – Traceability

Situation:

AKP Corp. is a company that manufactures electric motors for sale by licensed distributors. Traceability of the component parts of the product is not an internal or external requirement of this company. The organization has excluded the traceability requirement of sub-clause 7.5.3 Identification and traceability from its QMS, while claiming conformity to ISO 9001:2008.

Issue(s):

Can AKP Corp. exclude the traceability requirement of sub-clause 7.5.3 Identification and traceability from its QMS and claim conformity to ISO 9001:2008?

Analysis and conclusion:

The organization’s decision to exclude the requirements for traceability is justified. However this exclusion is not necessary, since ISO 9001:2008 only requires traceability when it “is a requirement”.

Example 6 – Design of services

Situation:

JWB is a consulting firm that performs internal audits for small organizations that have implemented quality management systems that conform to ISO 9001:2008. JWB developed its methodology and tools for performing customer’s internal audits based on the guidance of ISO 19011:2002. It delivers a customized service that has as its output a written internal audit report and all the supporting data from the audit. The organization wishes to exclude clause 7.3 Design and development with the justification that, as a service provider, it cannot have any design and development activities.

Issue(s):

Can JWB exclude sub-clause 7.3 Design and development from its QMS and claim conformity to ISO 9001:2008?

Analysis and conclusion:

The organization is not justified in the exclusion of sub-clause 7.3 Design and development since it has developed a customized service to meet its customer’s requirements, including the development of its methodology and tools for performing the audits and delivery of a written report.

Example 7 – Post delivery activities

Situation:

The ABC consultancy organization provides financial auditing services to large manufacturing organizations. The product delivered to its customers is an internal financial audit report. Contracts for internal financial audit services state that a contract is completed when ABC has issued, clarified and reviewed its report with the customer, and that the customer has finally signed off the report as being fully agreed; any activity beyond the sign-off would be subject to a supplementary contract. The consulting firm claims its QMS conforms to ISO 9001:2008 with the exclusion of post-delivery requirement (f) of sub-clause 7.5.1 Control of production and service provision.

Issue(s):

Can the ABC consultancy organization exclude the post-delivery requirement in bullet (f) of sub-clause 7.5.1 Control of production and service provision from its QMS and claim conformity to ISO 9001:2008?

Analysis and conclusion:

The relevant parts of Sub-clause 7.5.1 Control of production and service provision state:

“The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable …
f) the implementation of release, delivery and post-delivery activities.”

This is an example where the organization has chosen to exclude a single requirement of the Standard, contained within a sub-clause.

The organization is justified in its decision to exclude the post-delivery requirement in sub-clause 7.5.1(f) Control of production and service provision as all its contracts exclude any provision of follow up activities related to the delivered service.

Note also that sub-clause 7.5.1 only requires control of post-delivery activities “as applicable”, making a formal exclusion unnecessary. In addition, all the other requirements of bullet (f) for the "release" or "delivery" of product cannot be excluded.

Example 8 – Validation of processes

Situation:

A small garment manufacturer carries out cutting work on textiles that are delivered to an internal sewing department for the next phase of the process. The quality of the output of the cutting work can be checked after finalization of the work. It has implemented a QMS and claims conformity to ISO 9001:2008, with the exclusion of sub-clause 7.5.2 Validation of processes for production and service provision.

Issue(s):

Can the small garment manufacturer exclude sub-clause 7.5.2 Validation of processes for production and service provision from its QMS and claim conformity to ISO 9001:2008?

Analysis and conclusion:

The organization is justified in the exclusion of the requirements of sub-clause 7.5.2 Validation of processes for production and service provision since it can inspect the result of the cutting process to determine conformance or nonconformance to specification.

Example 9 – Monitoring and measuring devices

Situation:

A small training organization provides training to people who are not currently working and would like to upgrade their skills. The organization carries out practical skills training. In this process the participants practice the use of simple measuring equipment such as rulers, spirit levels and plumb lines. The organization’s product is the skills development, and not the crafted items produced by the participants. The training organization has implemented an ISO 9001:2000 QMS and claims conformity to the standard with the exclusion of sub-clause 7.6 Control of monitoring and measuring devices.

Issue(s):

Can the small training organization exclude sub-clause 7.6 Control of monitoring and measuring devices from its QMS and claim conformity to ISO 9001:2008?

Analysis and conclusion:

In this example the simple measuring devices that have been mentioned (rules, spirit levels and plumb lines) are a diversion and are not the correct items to be focusing on when considering the exclusion of sub-clause 7.6. Instead, it is the training that is the product being delivered and to which attention should be given. The organization should be controlling the monitoring and measuring devices that are needed to provide evidence of the conformity of the product (training/education) to requirements, e.g. tests and student satisfaction surveys, reports related to students finding jobs, etc. (In this instance, the necessary control may be demonstrated through verification or validation of the measuring and monitoring devices, e.g. through pilot testing of the survey questionnaires).

The organization may be able to justify the exclusion of those requirements in the sub-clause that specifically relate to the calibration of measuring equipment [in 7.6 bullets (a) to (e)], if it decides that the simple measuring equipment does not need to be calibrated. It may however be necessary for the organization to provide the students with training in checking the accuracy of their equipment (rules, spirit levels etc.), in which case even these requirements could not be excluded.

In conclusion, sub-clause 7.6 could not be excluded in its entirety, only in part.

Example 10. Complex Organization (Global TV)

10.1    Introduction

This example illustrates some of the key issues a multinational organization with multiple work centres faces when implementing ISO 9001:2008 throughout the entire organization.

Global TV (GTV) is an organization that designs, manufactures, sells, distributes and services televisions (TVs) worldwide. GTV sells its product to retail outlets, which in turn sell the TVs to end-user customers. Headquarters provides global support for quality management, all purchasing functions and sales and distribution contracts for its operations worldwide. GTV consists of a design centre, a sub-assembly plant, a manufacturing centre and a distribution centre, all of which are wholly owned by GTV.

GTV management has decided to implement ISO 9001:2008 in all its facilities worldwide, and expects all facilities of GTV to have their own quality management system (QMS). However, not all facilities are required to obtain certification.  In addition, all facilities have to comply with the contents of the corporate quality policy, which is “To provide customers of GTV with products and services that meet their needs and expectations, and to continually improve the QMS”.

NOTE:  

  1. For the purpose of simplifying the example for a complex organization, the number of centres and plants has been reduced to one of each (design centre, sub-assembly plant, manufacturing centre and distribution centre).
  2. ISO 9001:2008 allows for the exclusion of any requirement(s) within clause 7, where such exclusions do not affect the organization’s ability or responsibility  to consistently provide product that meets customer and applicable statutory and regulatory requirements.
  3. When applying clause 1.2 Application to a complex organization (Global TV) we have to take into consideration the organization’s customer.  Global TV’s ultimate customer is the end user who purchases the product from a retail distributor.  The customer of the individual centres and plants is the centre or plant that receives its product (i.e., the design centre’s customers are the sub-assembly plant and the manufacturing centre).

[Figure: GTV chart]

10.2    Manufacturing Centre (MC)

Situation:

MC receives orders from headquarters and delivers products to the distribution centre. It has established its QMS guided by, and in conformity with, the quality policy of GTV. All aspects of quality management required by ISO 9001:2008 are performed within the MC, with the sole exception of product design and development. The MC decided to exclude Sub-Clause 7.3 Design and development from the scope of its QMS since it performs no design activities. The MC does include a statement and justification in its quality manual that it is excluding the product design and development process and further indicates that a) its customer is Global TV headquarters who provide orders to the manufacturing plant, and b) Global TV headquarters is responsible for ensuring the Design Centre conforms to ISO 9001:2008.

Issue(s):

Can the MC exclude Sub-Clause 7.3 Design and development from its QMS and claim conformity with ISO 9001:2008?

Analysis and Conclusion:

The exclusion of Sub-Clause 7.3 Design and development is justified, since Global TV Headquarters (the customer) orders product to be manufactured in accordance with the design provided to the MC by the Design Centre. Global TV headquarters is responsible for ensuring that the Design Centre’s quality management system conforms to ISO 9001:2008 requirements. The manufacturing centre properly justified the exclusion by specifying that its customer is Global TV Headquarters. As such, any certificate of conformity for the GTV MC will reference the internal customer and will be of no direct value to the external customer of GTV, the end user customer who buys their TVs.

10.3    Global TV

Situation:

Global TV Headquarters distributes its products through retail outlets to the end user customer. The organization has implemented ISO 9001:2008 at its headquarters and has requested that all its facilities implement a quality management system conforming to ISO 9001:2008. To date the only facility that has not implemented a quality management system is the Design Centre. In its quality management system manual Global TV headquarters states that all of its facilities conform to ISO 9001:2008 and the organization has not taken any exceptions.

Issue(s):

Can Global TV claim conformity with ISO 9001:2008?

Analysis and Conclusion:

Global TV cannot justify its claim of conformity to ISO 9001:2008 since GTV is responsible for product design and development and its Design Centre has not implemented a quality management system that conforms to ISO 9001:2008.

10.4    Summary

Any complex organization (such as Global TV) has to be careful of its claim that its quality management system conforms to ISO 9001:2008. The organization has responsibility for all ISO 9001:2008 requirements that can affect the organization’s ability to provide products that meet its customer and statutory and regulatory requirements. Therefore, in order to claim conformity to ISO 9001:2008 at the corporate level, it has to ensure that all its relevant facilities are conforming to ISO 9001:2008. The organization’s individual facilities may exclude requirements within Clause 7 based on a justification making it clear that their customer is another division of the corporation, and not the end-user. The certificates of conformity referencing internal customers are of no direct value to the external customers of the organization.


Introduction and support package:
Guidance on the documentation requirements of ISO 9001:2008

Document: ISO/TC 176/SC 2/N525R2
October 2008

1.    Introduction

Two of the most important objectives in the revision of the ISO 9000 series of standards have been

  • to develop a simplified set of standards that will be equally applicable to small as well as medium and large organizations, and
  • for the amount and detail of documentation required to be more relevant to the desired results of the organization’s process activities.

ISO 9001:2008, Quality management systems – Requirements has achieved these objectives, and the purpose of this additional guidance is to explain the intent of the new standard with specific regard to documentation.

ISO 9001:2008 allows an organization flexibility in the way it chooses to document its quality management system (QMS). This enables each individual organization to develop the minimum amount of documentation needed in order to demonstrate the effective planning, operation and control of its processes and the implementation and continual improvement of the effectiveness of its QMS.

It is stressed that ISO 9001 requires (and always has required) a “Documented quality management system”, and not a “system of documents”.

2    What is a “document”? - Definitions and references

The following are some of the main objectives of an organization’s documentation, independent of whether or not it has implemented a formal QMS:

a)    Communication of Information

  • as a tool for information transmission and communication. The type and extent of the documentation will depend on the nature of the organization’s products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture.

b)    Evidence of conformity

  • provision of evidence that what was planned, has actually been done.

c)    Knowledge sharing

  • to disseminate and preserve the organization’s experiences. A typical example would be a technical specification, which can be used as a base for design and development of a new product.

A list of commonly used terms relating to documentation is presented in Annex A (taken from ISO 9000:2005). It must be stressed that, according to ISO 9001:2008 clause 4.2 Documentation requirements, documents may be in any form or type of medium, and the definition of “document” in ISO 9000:2005 clause 3.7.2 gives the following examples:

  • paper
  • magnetic
  • electronic or optical computer disc  
  • photograph
  • master sample

Users are also referred to ISO/TR 10013:2001, Guidelines for quality management systems documentation for further guidance.

3    ISO 9001:2008 Documentation Requirements

ISO 9001:2008 clause 4.1 General requirements requires an organization to “establish, document, implement, and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard”.

Clause 4.2.1 General explains that the quality management system documentation shall include:

  • documented statements of a quality policy and quality objectives;
  • a quality manual;
  • documented procedures required by this International Standard;
  • documents needed by the organization to ensure the effective planning, operation and control of its processes; and
  • records required by this International Standard.

The notes after Clause 4.2 make it clear that where the standard specifically requires a “documented procedure”, the procedure has to be established, documented, implemented and maintained. They also emphasize that the extent of the QMS documentation may differ from one organization to another due to:

  • the size of organization and type of activities;
  • the complexity of processes and their interactions, and
  • the competence of personnel.

All the documents that form part of the QMS have to be controlled in accordance with clause 4.2.3 of ISO 9001:2008, or, for the particular case of records, according to clause 4.2.4.

4    Guidance on Clause 4.2 of ISO 9001:2008

The following comments are intended to assist users of ISO 9001:2008 in understanding the intent of the general documentation requirements of the International Standard.

a)    Documented statements of a quality policy and objectives:

  • Requirements for the quality policy are defined in clause 5.3 of ISO 9001:2008. The documented quality policy has to be controlled according to the requirements of clause 4.2.3. 
    Note: Organizations that are revising their quality policy for the first time, or in order to meet the amended requirements in ISO 9001:2008, should pay particular attention to clause 4.2.3 (c), (d) and (g).
  • Requirements for quality objectives are defined in clause 5.4.1 of ISO 9001:2008. These documented quality objectives are also subject to the document control requirements of clause 4.2.3.

b)    Quality Manual:

  • Clause 4.2.2 of ISO 9001:2008 specifies the minimum content for a quality manual. The format and structure of the manual are a decision for each organization, and will depend on the organization’s size, culture and complexity. Some organizations may choose to use the quality manual for other purposes besides that of simply documenting the QMS.
  • A small organization may find it appropriate to include the description of its entire QMS within a single manual, including all the documented procedures required by the standard.
  • Large, multi-national organizations may need several manuals at the global, national or regional level, and a more complex hierarchy of documentation.
  • The quality manual is a document that has to be controlled in accordance with the requirements of clause 4.2.3.

c)    Documented procedures:

  • ISO 9001:2008 specifically requires the organization to have “documented procedures” for the following six activities:
    4.2.3 Control of documents
    4.2.4 Control of records
    8.2.2 Internal audit
    8.3 Control of nonconforming product
    8.5.2 Corrective action
    8.5.3 Preventive action
  • These documented procedures have to be controlled in accordance with the requirements of clause 4.2.3.
  • Some organizations may find it convenient to combine the procedure for several activities into a single documented procedure (for example, corrective action and preventive action). Others may choose to document a given activity by using more than one documented procedure (for example, internal audits). Both are acceptable.
  • Some organizations (particularly larger organizations, or those with more complex processes) may require additional documented procedures (particularly those relating to product realization processes) to implement an effective QMS.
  • Other organizations may require additional procedures, but the size and/or culture of the organization could enable these to be effectively implemented without necessarily being documented. However, in order to demonstrate compliance with ISO 9001:2008, the organization has to be able to provide objective evidence (not necessarily documented) that its QMS has been effectively implemented.

d)    Documents needed by the organization to ensure the effective planning, operation and control of its processes:

  • In order for an organization to demonstrate the effective implementation of its QMS, it may be necessary to develop documents other than documented procedures. However, the only documents specifically mentioned in ISO 9001:2008 are:
    - Quality policy (clause 4.2.1.a)
    - Quality objectives (clause 4.2.1.a)
    - Quality manual (clause 4.2.1.b)
  • There are several requirements of ISO 9001:2008 where an organization could add value to its QMS and demonstrate conformity by the preparation of other documents, even though the standard does not specifically require them. Examples may include:
    - Process maps, process flow charts and/or process descriptions
    - Organization charts
    - Specifications 
    - Work and/or test instructions 
    - Documents containing internal communications
    - Production schedules
    - Approved supplier lists
    - Test and inspection plans
    - Quality plans
  • All such documents have to be controlled in accordance with the requirements of clause 4.2.3 and/or 4.2.4, as applicable.

e)    Records:

  • Examples of records specifically required by ISO 9001:2008 are presented in Annex B.
  • Organizations are free to develop other records that may be needed to demonstrate conformity of their processes, products and quality management system.
  • Requirements for the control of records are different from those for other documents, and all records have to be controlled according to those of clause 4.2.4 of ISO 9001:2008.

5    Organizations preparing to implement a QMS

For organizations that are in the process of implementing a QMS, and wish to meet the requirements of ISO 9001:2008, the following comments may be useful.

  • For organizations that are in the process of implementing or have yet to implement a QMS, ISO 9001:2008 emphasizes a process approach. This includes: 
    - identifying the processes necessary for the effective implementation of the quality management system;
    - understanding the interactions between these processes;
    - documenting the processes to the extent necessary to assure their effective operation and control. (It may be appropriate to document the processes using process maps. It is emphasized, however, that documented process maps are not a requirement of ISO 9001:2008.)
  • These processes include the management, resource, product realization and measurement processes that are relevant to the effective operation of the QMS.
  • Analysis of the processes should be the driving force for defining the amount of documentation needed for the quality management system, taking into account the requirements of ISO 9001:2008. It should not be the documentation that drives the processes.

6    Organizations wishing to adapt an existing QMS

For organizations that currently have a QMS, the following comments are intended to assist in understanding the changes to documentation that may be required or facilitated by the transition to ISO 9001:2008.

  • An organization with an existing QMS should not need to rewrite all of its documentation in order to meet the requirements of ISO 9001:2008. This is particularly true if an organization has structured its QMS based on the way it effectively operates, using a process approach. In this case, the existing documentation may be adequate and can be simply referenced in the revised quality manual.
  • An organization that has not used a process approach in the past will need to pay particular attention to the definition of its processes, their sequence and interaction.
  • An organization may be able to carry out some simplification and/or consolidation of existing documents, in order to simplify its QMS.

7    Demonstrating conformity with ISO 9001:2008

For organizations wishing to demonstrate conformity with the requirements of ISO 9001:2008, for the purposes of certification/registration, contractual, or other reasons, it is important to remember the need to provide evidence of the effective implementation of the QMS.

  • Organizations may be able to demonstrate conformity without the need for extensive documentation.
  • To claim conformity with ISO 9001:2008, the organization has to be able to provide objective evidence of the effectiveness of its processes and its quality management system. Clause 3.8.1 of ISO 9000:2005 defines “objective evidence” as “data supporting the existence or verity of something” and notes that “objective evidence may be obtained through observation, measurement, test, or other means.”
  • Objective evidence does not necessarily depend on the existence of documented procedures, records or other documents, except where specifically mentioned in ISO 9001:2008. In some cases (for example, in clause 7.1(d) Planning of product realization, and clause 8.2.4 Monitoring and measurement of product), it is up to the organization to determine what records are necessary in order to provide this objective evidence.
  • Where the organization has no specific internal procedure for a particular activity, and this is not required by the standard (for example, clause 5.6 Management Review), it is acceptable for this activity to be conducted using as a basis the relevant clause of ISO 9001:2008. In these situations, both internal and external audits may use the text of ISO 9001:2008 for conformity assessment purposes.

Annex A

Terms and Definitions relating to Documents

The following terms and definitions are taken from ISO 9000:2005:

| Term | ISO 9000:2005 Clause | Definition |
|---|---|---|
| Document | 3.7.2 | information and its supporting medium |
| Procedure | 3.4.5 | specified way to carry out an activity or a process (Note: Procedures can be documented or not) |
| Quality Manual | 3.7.4 | document specifying the quality management system of an organization |
| Quality Plan | 3.7.5 | document specifying which procedures and associated resources shall be applied by whom and when to a specific project, product, process or contract |
| Record | 3.7.6 | document stating results achieved or providing evidence of activities performed |
| Specification | 3.7.3 | document stating requirements |

Annex B

Records required by ISO 9001:2008

| Clause | Record required |
|---|---|
| 5.6.1 | Management reviews |
| 6.2.2 e) | Education, training, skills and experience |
| 7.1 d) | Evidence that the realization processes and resulting product fulfil requirements |
| 7.2.2 | Results of the review of requirements related to the product and actions arising from the review |
| 7.3.2 | Design and development inputs relating to product requirements |
| 7.3.4 | Results of design and development reviews and any necessary actions |
| 7.3.5 | Results of design and development verification and any necessary actions |
| 7.3.6 | Results of design and development validation and any necessary actions |
| 7.3.7 | Results of the review of design and development changes and any necessary actions |
| 7.4.1 | Results of supplier evaluations and any necessary actions arising from the evaluations |
| 7.5.2 d) | As required by the organization to demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement |
| 7.5.3 | The unique identification of the product, where traceability is a requirement |
| 7.5.4 | Customer property that is lost, damaged or otherwise found to be unsuitable for use |
| 7.6 a) | Basis used for calibration or verification of measuring equipment where no international or national measurement standards exist |
| 7.6 | Validity of the previous measuring results when the measuring equipment is found not to conform to requirements |
| 7.6 | Results of calibration and verification of measuring equipment |
| 8.2.2 | Internal audit results and follow-up actions |
| 8.2.4 | Indication of the person(s) authorizing release of product |
| 8.3 | Nature of the product nonconformities and any subsequent actions taken, including concessions obtained |
| 8.5.2 e) | Results of corrective action |
| 8.5.3 d) | Results of preventive action |