ISO 9001 FAQs

ISO 9001:2008 has been revised and the new standard (ISO 9001:2015) was published in September 2015. Organizations that are currently registered to ISO 9001:2008 will have until the 14th September 2018 to transition to the 2015 standard. Here are some FAQs to help you as you begin to explore the standard changes.

You Mentioned New And Revised Areas In ISO 9001:2015; What Are These?

Annex SL is the single biggest change to the ISO 9001:2015 document. Our Gap Analysis Document provides more details on all of the expected changes as well as Annex SL.

The 2015 Version Of The Standard Does Not Contain A Requirement For There To Be A Management Rep?

NQA will still need a nominated contact for all matters related to certification and the organization of certification visits. NQA do not expect this to have much impact on our relationship with our clients.

Can You Give An Example Of Risk In Exporting Business?

Complete and accurately complete the export documentation. Full licences need to be in place.

Can Exchange Rate Fluctuation Also Be A Potential Risk Within The Export Business?

Yes, and generally, price fluctuations may also be a risk or an opportunity.

Do You Think ISO 9001:2015 Is The Most Complicated Version Of ISO 9001?

Not complicated, but professionally challenging. There is much more high level, professional judgement required.

Do All The Elements Of Management Review Have To Be Covered In One Meeting?

Yes, they can be covered in separate meetings. However, the requirement is to have a management review process, which may be a meeting or meetings, but could also take the form of other events or documentation. The requirement is to “…retain documented information as evidence of the results of management reviews.”

How Do You Document The Risks You're Looking For And The Results You Find?

There are various ways of doing this – e.g. a risk register and mitigation actions, identification of risk points on a process flow, recognizing that your procedures are carried out in a particular way to reduce risk – see question above too.

Can You Give Some Examples Of Incorporating Risk From A Paragraph In The Standard?

Examples of requirements that relate to risk include, for example: 8.4.2 Type and extent of control The organization shall ensure that externally provided processes, products and services do not adversely affect the organisation’s ability to consistently deliver conforming products and services to its customers. And 6.3 Planning of changes When the organisation determines the need for changes… shall consider the purpose of the changes and their potential consequences…

Are Risks Identified In A Process Also Inputs To That Process Or Are They Control Parameters?

Risks will influence the control parameters needed to reduce or mitigate that risk.

The New Version Expects Referring To Sources Of Inputs, Could You Explain What The Expectations Are?

The process requirements are in reality no different to the 2008 standard. The determination of inputs and outputs, and the importance of processes are enhanced and made more explicit in the 2015 standard.

Should We Use The Same Approach For ISO 14001 - Seems Sensible To Apply A Common Approach To Managing Other Risks

Agreed – the same approach can be used, although the specific risks may differ.

Do We Need To Identify Risks For Each Process And Show Them In That Process?

Yes you do need to identify your risks in some way. When you say “how” I assume this means document. If your processes are documented, it is useful to document the risks also.

Would You Suggest That All Processes Are Process Mapped As A Visual Document, As Well As Having Procedures That Support The Process?

It is not a requirement but it would be a very helpful thing to do.

Will Auditors Be Looking For More Robust Systems Than In The Past Since, There Are Fewer Requirements?

The only requirements that have reduced are the requirements for documented procedures. There are still very specific requirements for documented evidence, (records). Any management system, whether highly documented or not, needs to be robust to be effective.

Are The Differences Between "Retained And "Maintained" Documented Information?

You maintain elements of the system, e.g. infrastructure and retain documented evidence, i.e. records.

Any Tips On How You Engage Senior Management In More Risk Base Approach?

Approach the requirements of the system from a risk perspective, (using the vocabulary of risk, but not necessarily the word “risk”), and you will very likely get a positive response. The management review or internal audit process might be a good place to start.

What Are The Criteria For Differentiating Between Management Oriented Processes And Support Oriented Processes?

Management oriented processes relate directly to the overall system, e.g. management review. The support processes support the system, e.g. training and competence, document control, calibration.

Do You Have A Template Of The Regular Layout Of A Documented Business Risk Register And Should This Include External/Internal And Also Interested Parties?

NQA does not promote specific templates. It would certainly be helpful to include interested parties. The primary purpose of a risk register is to help the organization identify its own needs.

Do You Have To Re-Number Your QMS To Match The Standard Or Can You Use Your Existing QMS And Expand Sections To Cover The New Criteria?

You do not have to renumber your QMS. There is no requirement, and never was a requirement to number your documentation as per the standard. You may well find it necessary and useful to expand your documentation to address the additional 2015 requirements.

How Integrated Would You Expect A 9001 And 27001 System To Be E.G. Would You Expect A Joint Risk Identification Approach?

We do not expect anything, other than whatever approach you use makes sense and is effective for your needs. In this case, a joint risk assessment approach would appear to make sense.

Please Could You Give Example Of Leadership And How To Measure It Clause 5?

Visibility, inclusiveness and good communications. Employees should be aware of vision, mission, strategy, policy.

How Do I Find Out How Far We Are Through The Transition Process?

Our Assessors and Client Executives will be working closely with our clients to track your progression towards the new standard. You should speak to your Client Executive to establish exactly where you are in the transition process.

I Have An Integrated System Including ISO 14001 And OHSAS 18001, How Will The Changes To ISO 9001 And These Standards Affect My System And Transition?

The introduction of Annex SL will aid the integration process for ISO 9001, ISO 14001 and ISO 45001. You will need to think about transition dates and transition plans carefully though due to the different publication dates.