ISO 9001 can be a confusing Standard when you read it for the first time.
The language is formal, some requirements appear in more than one place and the Standard tells organizations what they need to achieve without always telling them how to do it.
This is intentional.
ISO 9001 needs to work for a small consultancy, a software company, a factory, a hospital and a major construction contractor.
It would be impossible for one Standard to prescribe the exact procedures, forms and controls that every organization should use.
Instead, ISO 9001 establishes a framework.
The organization then needs to decide how to apply that framework according to its activities, size, risks, customers and legal requirements.
In this guide, I will explain the main ISO 9001 requirements from Clauses 4 to 10 in plain English and provide practical examples of what they can mean inside a real business.
Revision update: ISO 9001:2015 remains the current published edition. It includes Amendment 1:2024 concerning climate action. A revised edition is expected to be published in September 2026. This guide explains the current published requirements and will be updated after the new edition is officially released.
How is ISO 9001 structured?
ISO 9001 contains ten main clauses.
Clauses 1 to 3 provide introductory information:
- Scope
- Normative references
- Terms and definitions
The requirements against which an organization is audited are mainly found in Clauses 4 to 10:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
These clauses follow a logical sequence.
The organization first needs to understand its business and establish the scope of its Quality Management System.
Management then needs to lead the system, plan how requirements will be met, provide the necessary resources, control operations, measure performance and improve when problems or opportunities are identified.
The structure can also be connected to the Plan-Do-Check-Act cycle:
- Plan: Clauses 4, 5, 6 and parts of Clause 7
- Do: Clauses 7 and 8
- Check: Clause 9
- Act: Clause 10
However, the clauses are connected and should not be treated as separate boxes.
A failure in one part of the system will normally affect several others.
For example, if an employee is not competent to complete a task, the issue may involve operational control under Clause 8. However, it may also point to failures in competence, planning, risk management, supervision and management oversight.
This is why a Quality Management System needs to be understood as a group of connected processes rather than a collection of isolated procedures.
Does every requirement apply?
ISO 9001 is intended to be applicable to all types of organizations.
However, there may be requirements within Clause 8 that do not apply because of the organization’s activities.
The most common example is design and development under Clause 8.3.
An organization that manufactures products entirely to customer-provided designs may determine that it has no design responsibility.
That decision needs to be justified.
The company cannot simply declare a requirement inapplicable because it is difficult, inconvenient or poorly controlled.
It also cannot remove a requirement if doing so would affect its ability to provide conforming products and services or improve customer satisfaction.
The applicability of requirements should be addressed when defining the scope of the QMS.
Clause 4: Context of the organization
Clause 4 is where the organization establishes the foundations of its Quality Management System.
Before writing procedures, setting objectives or preparing for certification, the company needs to understand:
- What it does
- Where it operates
- What can affect it
- Who has relevant requirements
- Which activities the QMS covers
- Which processes are needed
Clause 4.1: Understanding the organization and its context
The organization needs to determine the internal and external issues that can affect its ability to achieve the intended results of the QMS.
This does not necessarily require a particular document or analysis method.
Organizations commonly use:
- SWOT analysis
- PESTLE analysis
- Business plans
- Risk registers
- Management workshops
- Strategic reviews
- Market reports
- Lessons learned
External issues could include:
- Changes in legislation
- Economic conditions
- New technology
- Customer expectations
- Supply-chain disruption
- Competitor activity
- Skills shortages
- Environmental conditions
- Political changes
Internal issues could include:
- Company structure
- Available resources
- Employee competence
- Information systems
- Organizational culture
- Existing processes
- Previous performance
- Knowledge and experience
The company should not complete a SWOT analysis simply because an auditor expects to see one.
The real requirement is to understand the issues that can influence the QMS and monitor them as they change.
Climate change and Clause 4.1
ISO 9001:2015 Amendment 1:2024 added a requirement for the organization to determine whether climate change is a relevant issue.
This does not mean that every company needs a separate climate-change procedure.
The organization needs to consider whether climate change could affect the QMS and its intended results.
Depending on the organization, relevant issues might include:
- Extreme weather
- Material availability
- Changes in customer requirements
- New legislation
- Supply-chain disruption
- Temperature-sensitive processes
- Site access
- Infrastructure resilience
The conclusion could be that climate change is not currently a significant quality issue. What matters is that the organization has considered it rather than ignored it.
Clause 4.2: Interested parties
The organization needs to determine which interested parties are relevant to the QMS and what requirements from those parties need to be addressed.
Interested parties could include:
- Customers
- Employees
- Suppliers
- Subcontractors
- Regulators
- Certification bodies
- Owners or shareholders
- Insurers
- Local communities
- End users
Not every person or organization that has an interest in the business will automatically have a relevant QMS requirement.
The company needs to decide which needs and expectations could affect its ability to provide conforming products and services.
Examples include:
- Customer specifications
- Contract requirements
- Statutory obligations
- Delivery commitments
- Professional competence requirements
- Reporting obligations
- Product-safety requirements
- Record-retention periods
The 2024 amendment also added a note explaining that relevant interested parties may have climate-related requirements.
Clause 4.3: Scope of the QMS
The scope defines the boundaries and applicability of the Quality Management System.
It should consider:
- The organization’s context
- Relevant interested-party requirements
- Products and services
- Locations
- Activities
- Applicable requirements
A scope could cover the entire organization or particular operations and locations.
For example:
The provision of design, manufacture, installation and maintenance services from the company’s London and Manchester offices.
The wording should accurately describe what is covered.
Avoid misleading or overly vague scopes such as “quality construction services” or “all business operations” without further explanation.
The scope should be maintained as documented information and be available to interested parties.
Clause 4.4: QMS processes
The organization needs to establish, implement, maintain and continually improve the processes required for its QMS.
For each important process, the company should understand:
- Inputs
- Outputs
- Sequence and interaction
- Responsibilities
- Resources
- Risks and opportunities
- Controls
- Performance measures
- Required records
A process does not need to be documented as a complicated flowchart.
However, the organization should be able to explain how work moves from one activity to another and how the required result is achieved.
A typical business may have processes for:
- Sales
- Contract review
- Design
- Purchasing
- Production
- Service delivery
- Inspection
- Document control
- Training
- Internal audit
- Corrective action
The process approach is one of the most important elements of ISO 9001.
Departments do not operate independently.
The output from sales becomes an input to contract review. Contract requirements become inputs to design, purchasing and delivery. Inspection results become inputs to performance evaluation and improvement.
A good QMS controls these connections.
Clause 5: Leadership
Clause 5 makes top management accountable for the effectiveness of the Quality Management System.
Senior management can assign tasks, but it cannot delegate overall accountability for the QMS to the Quality Manager.
Clause 5.1: Leadership and commitment
Top management needs to demonstrate leadership by:
- Taking accountability for the QMS
- Making sure quality objectives are established
- Integrating QMS requirements into business processes
- Promoting the process approach
- Providing resources
- Communicating the importance of effective quality management
- Supporting people
- Promoting improvement
- Ensuring the system achieves its intended results
Leadership should be demonstrated through actions.
Approving a Quality Policy once a year is not enough.
Management commitment becomes visible when leaders:
- Review performance
- Provide competent people
- Challenge repeated problems
- Support corrective actions
- Make resources available
- Include quality in commercial and operational decisions
- Refuse to ignore requirements when the programme becomes difficult
The Standard also requires top management to maintain customer focus.
This means understanding customer and applicable legal requirements, addressing relevant risks and maintaining the focus on customer satisfaction.
Customer focus does not mean agreeing to every request.
It means reliably meeting agreed requirements and dealing properly with changes, concerns and complaints.
Clause 5.2: Quality Policy
Top management needs to establish a Quality Policy appropriate to the organization.
The policy should:
- Support the organization’s purpose and direction
- Provide a framework for quality objectives
- Include a commitment to meet applicable requirements
- Include a commitment to continual improvement
It should be maintained as documented information, communicated within the organization and available to relevant interested parties.
A Quality Policy should not be a generic page downloaded from the internet.
Employees do not necessarily need to repeat it word for word, but they should understand what it means for their roles.
Clause 5.3: Roles and responsibilities
Responsibilities and authorities need to be assigned and communicated.
People should understand:
- What they are responsible for
- What they can approve
- Who they report to
- When issues should be escalated
- Who monitors each process
- Who reports QMS performance to management
ISO 9001 does not require a person with the job title “Management Representative.”
It also does not require the company to employ a Quality Manager.
However, the responsibilities needed to operate and monitor the QMS must still be assigned.
Clause 6: Planning
Clause 6 requires the organization to consider risks, opportunities, objectives and changes.
Planning should prevent the QMS from becoming a reactive system that only responds after something has gone wrong.
Clause 6.1: Risks and opportunities
The organization needs to determine the risks and opportunities that should be addressed to:
- Give assurance that the QMS can achieve its intended results
- Increase desirable effects
- Prevent or reduce undesirable effects
- Achieve improvement
ISO 9001 does not require one particular risk-management method.
A small company may use process reviews, meeting actions and a simple risk register.
A larger or higher-risk organization may need formal assessments, scoring systems and dedicated controls.
Examples of quality risks include:
- Unclear customer requirements
- Supplier failure
- Employee turnover
- Equipment breakdown
- Incorrect information
- Inadequate competence
- Late delivery
- Poor change control
- Loss of organizational knowledge
Opportunities could include:
- Process automation
- Improved supplier relationships
- Better training
- Standardised templates
- New monitoring technology
- Simplified approval routes
- Improved customer communication
Actions should be proportionate to the potential effect.
Risk-based thinking should not become a paperwork exercise where every minor activity receives a complicated score.
Clause 6.2: Quality objectives
The organization needs to establish quality objectives at relevant levels and functions.
Objectives should be:
- Consistent with the Quality Policy
- Measurable
- Relevant to conformity and customer satisfaction
- Monitored
- Communicated
- Updated where appropriate
Examples include:
- Reduce customer complaints by 15%.
- Achieve 95% on-time delivery.
- Close 90% of corrective actions within 30 days.
- Reduce rejected products.
- Improve supplier performance.
- Complete the internal-audit programme.
- Improve the customer satisfaction score.
The company also needs to plan:
- What will be done
- What resources are required
- Who is responsible
- When the objective will be completed
- How the result will be evaluated
An objective such as “provide excellent quality” cannot be measured and is not particularly useful.
Clause 6.3: Planning changes
Changes to the QMS should be planned.
The organization needs to consider:
- The purpose of the change
- Potential consequences
- QMS integrity
- Resources
- Responsibilities and authorities
Relevant changes could include:
- New software
- Restructuring
- Opening another office
- Introducing a new product
- Changing an important supplier
- Outsourcing a process
- Revising an approval workflow
This requirement is intended to prevent improvements in one area from causing problems somewhere else.
Clause 7: Support
Clause 7 covers the resources and supporting controls needed for the QMS.
This includes people, infrastructure, competence, communication and documented information.
Clause 7.1: Resources
The organization needs to determine and provide the resources required to operate and improve the QMS.
People
Enough competent people need to be available to complete and control the work.
This does not mean that the company needs a large Quality Department.
It means that resource decisions should consider the work, its risks and the controls required.
Infrastructure
Infrastructure can include:
- Buildings
- Equipment
- Vehicles
- Software
- Communication systems
- Utilities
- Information technology
These resources should be suitable and maintained as necessary.
Environment for operating processes
The working environment may involve physical, social and psychological factors.
Depending on the organization, this could include:
- Temperature
- Lighting
- Cleanliness
- Noise
- Ergonomics
- Workplace behaviour
- Stress
- Employee wellbeing
The relevant controls depend on how the working environment affects products, services and processes.
Monitoring and measuring resources
Equipment used to verify conformity needs to be suitable.
Where measurement traceability is required, equipment may need to be:
- Calibrated or verified
- Identified
- Protected
- Stored appropriately
- Checked at defined intervals
If equipment is found to be unsuitable, the organization should assess whether previous measurements may have been affected.
Organizational knowledge
The company needs to identify and maintain the knowledge necessary to operate its processes.
Knowledge may come from:
- Experienced employees
- Procedures
- Standards
- Lessons learned
- Design information
- Customer feedback
- Previous projects
- Training
- Technical specialists
This requirement becomes particularly important when experienced employees leave the organization.
Clause 7.2: Competence
People whose work affects QMS performance need to be competent.
The organization should:
- Determine the required competence
- Confirm that people are competent
- Take action where gaps exist
- Evaluate the effectiveness of those actions
- Retain appropriate evidence
Competence can be based on education, training or experience.
Training attendance alone does not always demonstrate competence.
A person may complete a course and still require supervision, practical assessment or additional experience.
Clause 7.3: Awareness
People need to be aware of:
- The Quality Policy
- Relevant objectives
- Their contribution to the QMS
- Benefits of improved performance
- Consequences of not meeting requirements
Awareness should be relevant to the person’s work.
A warehouse employee does not need a detailed explanation of every ISO 9001 clause, but they should understand the controls that apply to receiving, identifying, storing and releasing materials.
Clause 7.4: Communication
The organization needs to determine:
- What will be communicated
- When
- With whom
- How
- Who communicates it
This applies to internal and external communication.
Examples include:
- Customer updates
- Supplier instructions
- Employee briefings
- Management reports
- Regulatory notifications
- Project meetings
- Changes to controlled documents
A procedure can be perfect, but the process may still fail if the right information does not reach the right person at the right time.
Clause 7.5: Documented information
ISO 9001 requires documented information specifically identified by the Standard, along with any other documentation the organization decides is necessary.
Documented information may include:
- Policies
- Procedures
- Process maps
- Forms
- Records
- Specifications
- Instructions
- Registers
- Reports
- Electronic data
Documents need to be appropriately:
- Identified
- Reviewed
- Approved
- Available
- Protected
- Controlled when changed
- Retained or disposed of
The organization must also control relevant external documents such as customer specifications, legislation and industry standards.
ISO 9001 does not require a procedure for every clause.
It also does not specifically require a Quality Manual.
The amount of documentation should reflect the size of the organization, complexity of its processes, competence of its people and risks involved.
Clause 8: Operation
Clause 8 covers the planning and control of the activities needed to provide products and services.
This is normally the largest and most operational part of the QMS.
Clause 8.1: Operational planning and control
The organization needs to plan, implement and control its operational processes.
This includes determining:
- Requirements
- Acceptance criteria
- Resources
- Controls
- Necessary records
Planned changes should be controlled and unintended changes reviewed.
Outsourced processes also need to be controlled.
Operational controls could include:
- Procedures
- Work instructions
- Checklists
- Inspection plans
- Approval stages
- Competence requirements
- Software controls
- Tests
- Reviews
The amount of control should be proportionate to the risk and complexity of the work.
Clause 8.2: Requirements for products and services
The organization needs to communicate with customers and understand their requirements.
This can include:
- Product or service information
- Enquiries and contracts
- Changes
- Complaints
- Customer property
- Contingency arrangements
Before accepting work, the organization should review whether it can meet the requirements.
The review should consider:
- Customer-stated requirements
- Requirements necessary for intended use
- Legal requirements
- Company requirements
- Differences from previous quotations or agreements
Changes to requirements should be controlled and communicated.
A problem discovered after delivery may have started with an incomplete contract review months earlier.
Clause 8.3: Design and development
Where design applies, the organization needs a controlled process covering:
- Planning
- Inputs
- Controls
- Outputs
- Changes
Design planning
The organization should consider stages, reviews, responsibilities, resources, interfaces and customer involvement.
Design inputs
Inputs may include:
- Functional requirements
- Performance requirements
- Legal requirements
- Standards
- Previous designs
- Potential consequences of failure
Inputs should be complete, clear and suitable.
Conflicting inputs need to be resolved.
Design controls
Design controls include review, verification and validation.
Although these activities can overlap, they are not exactly the same:
- Review: Is the design progressing correctly?
- Verification: Does the output meet the design inputs?
- Validation: Will the finished result perform as intended?
Design outputs
Outputs should be suitable for subsequent processes and include necessary acceptance criteria and characteristics.
Design changes
Changes should be identified, reviewed and controlled.
The organization should consider how a change affects connected components, completed work and customer requirements.
Clause 8.4: External providers
Externally provided products, services and processes need to be controlled.
This includes suppliers, subcontractors, consultants and outsourced processes.
The organization should determine:
- Selection criteria
- Evaluation methods
- Monitoring requirements
- Re-evaluation
- Necessary inspections
- Information that must be communicated
The level of control should reflect the potential effect of the external provider.
An approved-supplier list is not enough by itself.
The organization should monitor actual performance.
Clause 8.5: Production and service provision
Products and services should be provided under controlled conditions.
Depending on the organization, controls may include:
- Current specifications
- Work instructions
- Suitable equipment
- Competent people
- Inspections
- Monitoring
- Defined approval stages
- Error-prevention methods
- Release and delivery activities
Identification and traceability
Products, components, materials or records may need to be identified and traced.
Traceability requirements depend on the product, contract, law and associated risk.
Customer or supplier property
Property belonging to customers or external providers needs to be protected.
This may include:
- Materials
- Equipment
- Information
- Designs
- Personal data
- Intellectual property
- Premises
Loss, damage or unsuitability should be reported and recorded.
Preservation
Products and outputs should be preserved during production and delivery.
Preservation can include:
- Handling
- Packaging
- Storage
- Protection
- Transportation
- Contamination control
Post-delivery activities
The organization needs to consider activities required after delivery, such as:
- Warranties
- Maintenance
- Servicing
- Returns
- Recycling
- Legal obligations
- Customer support
Control of changes
Changes during production or service delivery should be reviewed and controlled.
Evidence of the review, the person authorizing the change and any necessary actions should be retained.
Clause 8.6: Release of products and services
The organization needs to verify that requirements have been met before products or services are released to the customer.
Release records should identify:
- Evidence of conformity
- The person authorizing release
Products should not be released until planned checks have been completed unless an appropriate authority—and where relevant the customer—approves otherwise.
Clause 8.7: Nonconforming outputs
Outputs that do not meet requirements need to be identified and controlled.
The organization may deal with nonconforming outputs by:
- Correcting them
- Preventing their use
- Segregating them
- Suspending delivery
- Informing the customer
- Obtaining an authorized concession
Corrected outputs should be verified again.
Records should describe:
- The nonconformity
- Actions taken
- Concessions obtained
- Who made the decision
This clause controls the immediate nonconforming output.
Corrective action under Clause 10 addresses why the problem occurred and whether action is required to prevent recurrence.
Clause 9: Performance evaluation
Clause 9 requires the organization to check whether the QMS is working.
It covers monitoring, measurement, customer satisfaction, internal audit and management review.
Clause 9.1: Monitoring and measurement
The organization needs to decide:
- What should be monitored
- How it will be measured
- When monitoring takes place
- When results are analysed
- How performance is evaluated
Useful measurements may include:
- On-time delivery
- Complaints
- Defects
- Rework
- Inspection results
- Supplier performance
- Process times
- Corrective-action closure
- Customer satisfaction
The company should not collect data simply because it is easy to produce.
The measurement needs to help management understand performance and make decisions.
Customer satisfaction
The organization needs to monitor how customers perceive whether their needs and expectations have been fulfilled.
Methods may include:
- Surveys
- Feedback
- Complaints
- Repeat orders
- Customer meetings
- Contract-performance reviews
- Lost-business analysis
A lack of formal complaints does not necessarily mean that customers are satisfied.
Analysis and evaluation
The collected information should be analysed to evaluate:
- Conformity
- Customer satisfaction
- QMS performance
- Planning effectiveness
- Risks and opportunities
- Supplier performance
- Need for improvement
Clause 9.2: Internal audit
The organization needs to carry out internal audits at planned intervals.
Audits should determine whether the QMS:
- Meets the organization’s own requirements
- Meets ISO 9001 requirements
- Is effectively implemented and maintained
The audit programme should consider:
- Process importance
- Changes
- Previous audit results
Auditors should be objective and impartial.
They should not normally audit their own work.
Audit findings need to be reported, and appropriate corrections and corrective actions should be completed without unnecessary delay.
An internal audit should not be treated as a rehearsal for the certification audit.
Its purpose is to help the organization understand whether its controls are effective.
Clause 9.3: Management review
Top management needs to review the QMS at planned intervals.
The review should consider information including:
- Previous actions
- Changes affecting the QMS
- Customer satisfaction
- Quality objectives
- Process performance
- Product and service conformity
- Nonconformities and corrective actions
- Monitoring results
- Audit results
- Supplier performance
- Resources
- Risks and opportunities
- Improvement opportunities
The review should result in decisions and actions relating to:
- Improvement
- QMS changes
- Resource needs
Management review does not have to be a single annual meeting.
Relevant reviews may take place through established management meetings, provided all necessary inputs and outputs are addressed and evidence is retained.
Clause 10: Improvement
Clause 10 requires the organization to identify and implement opportunities for improvement.
Improvement can involve:
- Correcting problems
- Preventing recurrence
- Improving products and services
- Reducing undesirable effects
- Improving QMS performance
Clause 10.2: Nonconformity and corrective action
When a nonconformity occurs, the organization needs to:
- Control and correct it.
- Deal with its consequences.
- Evaluate whether action is needed to prevent recurrence.
- Investigate the cause where appropriate.
- Check whether similar problems exist elsewhere.
- Implement corrective action.
- Review whether the action was effective.
- Update risks and the QMS where necessary.
Correction and corrective action are different.
If a defective component is replaced, that is a correction.
If the organization investigates why the wrong component was supplied and changes the purchasing and verification process, that is corrective action.
Not every minor problem requires a complicated root-cause analysis.
The response should be proportionate to the effects and risks of the nonconformity.
Records should provide evidence of:
- The nature of the problem
- Actions taken
- Results of corrective action
Clause 10.3: Continual improvement
The organization needs to continually improve the suitability, adequacy and effectiveness of its QMS.
Continual improvement does not mean that every process must improve every month.
It means that the organization should use information from:
- Audits
- Performance data
- Customer feedback
- Nonconformities
- Management review
- Risk assessments
- Lessons learned
to identify and implement appropriate improvements over time.
What documents are mandatory?
ISO 9001:2015 does not provide a simple list of mandatory procedures.
Instead, it requires specific documented information and any additional documentation needed for effective process control.
Typical documented information includes:
- QMS scope
- Quality Policy
- Quality objectives
- Evidence of competence
- Monitoring and calibration records
- Operational records
- Design records
- Supplier evaluation results
- Product-release evidence
- Nonconformity records
- Internal-audit results
- Management-review results
- Corrective-action records
Organizations may also decide to maintain:
- Quality Manual
- Procedures
- Process maps
- Responsibility matrix
- Risk register
- Approved-supplier register
- Document register
- Training matrix
- Inspection plans
- Forms and templates
The question should not be, “How many procedures do we need?”
The better question is, “What information do our people need to operate the process consistently, and what evidence do we need to demonstrate that requirements have been met?”
Common mistakes when interpreting ISO 9001
Some of the most common mistakes include:
- Creating one procedure for every clause
- Copying another company’s Quality Manual
- Treating every “shall” as a requirement for a separate document
- Making the Quality Manager responsible for the entire system
- Declaring difficult requirements inapplicable
- Creating risk registers that nobody uses
- Setting objectives that cannot be measured
- Treating training attendance as proof of competence
- Measuring activities without evaluating results
- Completing internal audits only before certification visits
- Closing problems without checking corrective-action effectiveness
- Keeping the QMS separate from normal business management
ISO 9001 should be built into the way the organization operates.
A separate “ISO system” that exists only for auditors will eventually become outdated and ineffective.
Practical ISO 9001 requirements checklist
Ask the following questions:
- Have we defined the QMS scope?
- Do we understand relevant internal and external issues?
- Have we considered whether climate change is relevant?
- Do we know which interested-party requirements matter?
- Have we identified our main processes?
- Are responsibilities clear?
- Is senior management actively involved?
- Do we have measurable quality objectives?
- Are risks and opportunities addressed?
- Are sufficient resources available?
- Are people competent?
- Is important organizational knowledge retained?
- Are documents controlled?
- Are customer requirements reviewed?
- Is design controlled where applicable?
- Are suppliers evaluated and monitored?
- Are operational activities properly controlled?
- Is release evidence retained?
- Are nonconforming outputs controlled?
- Is customer satisfaction monitored?
- Are internal audits effective?
- Does management review produce decisions?
- Are corrective actions checked for effectiveness?
- Can we demonstrate continual improvement?
If the answer to one of these questions is no, the next step is not automatically to write another procedure.
First understand why the requirement is not being achieved.
The solution could involve clearer responsibility, better communication, additional resources, improved competence, simpler documentation or stronger management involvement.
Final thoughts
Clauses 4 to 10 of ISO 9001 follow a practical management sequence.
Understand the business.
Provide leadership.
Plan what needs to happen.
Support the people doing the work.
Control operations.
Check performance.
Improve the system.
The difficulty is not understanding what each clause says individually.
The real challenge is connecting the requirements into a management system that reflects what the organization actually does.
A good QMS should make responsibilities clearer, processes more reliable and problems easier to identify and correct.
It should not exist simply to produce enough documents for an auditor.
At the end of the day, the objective is not to manage ISO 9001.
The objective is to manage the organization properly while using ISO 9001 as the framework.
Frequently asked questions
Which clauses of ISO 9001 are audited?
Certification audits assess applicable requirements in Clauses 4 to 10. Clauses 1 to 3 provide scope, references and definitions rather than auditable QMS requirements.
What are the seven main clauses of ISO 9001?
The seven main requirement clauses are Context, Leadership, Planning, Support, Operation, Performance Evaluation and Improvement.
Is Clause 8 the only clause that can be excluded?
ISO 9001 uses the concept of applicability rather than exclusions. Requirements may be determined not applicable only when that decision does not affect the organization’s ability or responsibility to provide conforming products and services. In practice, non-applicability most commonly concerns requirements within Clause 8, particularly design and development.
Does ISO 9001 require a Quality Manual?
No. ISO 9001:2015 does not specifically require a Quality Manual. Organizations may still use one when it provides a helpful overview of the QMS.
Does ISO 9001 require documented procedures?
The Standard requires particular documented information but does not prescribe a separate procedure for every process or clause. Organizations need to maintain the documentation necessary for their processes to operate effectively.
What is the most important ISO 9001 clause?
There is no single most important clause because the requirements work together. However, leadership is critical. A QMS is unlikely to remain effective without active management involvement.
What is the difference between Clause 8.7 and Clause 10.2?
Clause 8.7 controls the immediate nonconforming output. Clause 10.2 addresses the broader nonconformity, its cause and any action needed to prevent recurrence.
What changed with ISO 9001 Amendment 1:2024?
Organizations must determine whether climate change is a relevant issue under Clause 4.1. A note under Clause 4.2 also recognises that relevant interested parties may have climate-related requirements.
Is ISO 9001:2026 already published?
No. ISO 9001:2015 remains the current published edition. The revised edition is expected in September 2026.