ISO 9001 Requirements Explained: Clauses 4 to 10 in Plain English

ISO 9001 can be a confusing Standard when you read it for the first time.

The language is formal, some requirements appear in more than one place and the Standard tells organizations what they need to achieve without always telling them how to do it.

This is intentional.

ISO 9001 needs to work for a small consultancy, a software company, a factory, a hospital and a major construction contractor.

It would be impossible for one Standard to prescribe the exact procedures, forms and controls that every organization should use.

Instead, ISO 9001 establishes a framework.

The organization then needs to decide how to apply that framework according to its activities, size, risks, customers and legal requirements.

In this guide, I will explain the main ISO 9001 requirements from Clauses 4 to 10 in plain English and provide practical examples of what they can mean inside a real business.

Revision update: ISO 9001:2015 remains the current published edition. It includes Amendment 1:2024 concerning climate action. A revised edition is expected to be published in September 2026. This guide explains the current published requirements and will be updated after the new edition is officially released.

How is ISO 9001 structured?

ISO 9001 contains ten main clauses.

Clauses 1 to 3 provide introductory information:

  1. Scope
  2. Normative references
  3. Terms and definitions

The requirements against which an organization is audited are mainly found in Clauses 4 to 10:

  1. Context of the organization
  2. Leadership
  3. Planning
  4. Support
  5. Operation
  6. Performance evaluation
  7. Improvement

These clauses follow a logical sequence.

The organization first needs to understand its business and establish the scope of its Quality Management System.

Management then needs to lead the system, plan how requirements will be met, provide the necessary resources, control operations, measure performance and improve when problems or opportunities are identified.

PDCA Cycle

The structure can also be connected to the Plan-Do-Check-Act cycle:

  • Plan: Clauses 4, 5, 6 and parts of Clause 7
  • Do: Clauses 7 and 8
  • Check: Clause 9
  • Act: Clause 10

However, the clauses are connected and should not be treated as separate boxes.

A failure in one part of the system will normally affect several others.

For example, if an employee is not competent to complete a task, the issue may involve operational control under Clause 8. However, it may also point to failures in competence, planning, risk management, supervision and management oversight.

This is why a Quality Management System needs to be understood as a group of connected processes rather than a collection of isolated procedures.

Does every requirement apply?

ISO 9001 is intended to be applicable to all types of organizations.

However, there may be requirements within Clause 8 that do not apply because of the organization’s activities.

The most common example is design and development under Clause 8.3.

An organization that manufactures products entirely to customer-provided designs may determine that it has no design responsibility.

That decision needs to be justified.

The company cannot simply declare a requirement inapplicable because it is difficult, inconvenient or poorly controlled.

It also cannot remove a requirement if doing so would affect its ability to provide conforming products and services or improve customer satisfaction.

The applicability of requirements should be addressed when defining the scope of the QMS.

Clause 4: Context of the organization

Clause 4 is where the organization establishes the foundations of its Quality Management System.

Before writing procedures, setting objectives or preparing for certification, the company needs to understand:

  • What it does
  • Where it operates
  • What can affect it
  • Who has relevant requirements
  • Which activities the QMS covers
  • Which processes are needed

Clause 4.1: Understanding the organization and its context

The organization needs to determine the internal and external issues that can affect its ability to achieve the intended results of the QMS.

This does not necessarily require a particular document or analysis method.

Organizations commonly use:

  • SWOT analysis
  • PESTLE analysis
  • Business plans
  • Risk registers
  • Management workshops
  • Strategic reviews
  • Market reports
  • Lessons learned

External issues could include:

  • Changes in legislation
  • Economic conditions
  • New technology
  • Customer expectations
  • Supply-chain disruption
  • Competitor activity
  • Skills shortages
  • Environmental conditions
  • Political changes

Internal issues could include:

  • Company structure
  • Available resources
  • Employee competence
  • Information systems
  • Organizational culture
  • Existing processes
  • Previous performance
  • Knowledge and experience

The company should not complete a SWOT analysis simply because an auditor expects to see one.

The real requirement is to understand the issues that can influence the QMS and monitor them as they change.

Climate change and Clause 4.1

ISO 9001:2015 Amendment 1:2024 added a requirement for the organization to determine whether climate change is a relevant issue.

This does not mean that every company needs a separate climate-change procedure.

The organization needs to consider whether climate change could affect the QMS and its intended results.

Depending on the organization, relevant issues might include:

  • Extreme weather
  • Material availability
  • Changes in customer requirements
  • New legislation
  • Supply-chain disruption
  • Temperature-sensitive processes
  • Site access
  • Infrastructure resilience

The conclusion could be that climate change is not currently a significant quality issue. What matters is that the organization has considered it rather than ignored it.

Clause 4.2: Interested parties

The organization needs to determine which interested parties are relevant to the QMS and what requirements from those parties need to be addressed.

Interested parties could include:

  • Customers
  • Employees
  • Suppliers
  • Subcontractors
  • Regulators
  • Certification bodies
  • Owners or shareholders
  • Insurers
  • Local communities
  • End users

Not every person or organization that has an interest in the business will automatically have a relevant QMS requirement.

The company needs to decide which needs and expectations could affect its ability to provide conforming products and services.

Examples include:

  • Customer specifications
  • Contract requirements
  • Statutory obligations
  • Delivery commitments
  • Professional competence requirements
  • Reporting obligations
  • Product-safety requirements
  • Record-retention periods

The 2024 amendment also added a note explaining that relevant interested parties may have climate-related requirements.

Clause 4.3: Scope of the QMS

The scope defines the boundaries and applicability of the Quality Management System.

It should consider:

  • The organization’s context
  • Relevant interested-party requirements
  • Products and services
  • Locations
  • Activities
  • Applicable requirements

A scope could cover the entire organization or particular operations and locations.

For example:

The provision of design, manufacture, installation and maintenance services from the company’s London and Manchester offices.

The wording should accurately describe what is covered.

Avoid misleading or overly vague scopes such as “quality construction services” or “all business operations” without further explanation.

The scope should be maintained as documented information and be available to interested parties.

Clause 4.4: QMS processes

The organization needs to establish, implement, maintain and continually improve the processes required for its QMS.

For each important process, the company should understand:

  • Inputs
  • Outputs
  • Sequence and interaction
  • Responsibilities
  • Resources
  • Risks and opportunities
  • Controls
  • Performance measures
  • Required records

A process does not need to be documented as a complicated flowchart.

However, the organization should be able to explain how work moves from one activity to another and how the required result is achieved.

A typical business may have processes for:

  • Sales
  • Contract review
  • Design
  • Purchasing
  • Production
  • Service delivery
  • Inspection
  • Document control
  • Training
  • Internal audit
  • Corrective action

The process approach is one of the most important elements of ISO 9001.

Departments do not operate independently.

The output from sales becomes an input to contract review. Contract requirements become inputs to design, purchasing and delivery. Inspection results become inputs to performance evaluation and improvement.

A good QMS controls these connections.

Clause 5: Leadership

Clause 5 makes top management accountable for the effectiveness of the Quality Management System.

Senior management can assign tasks, but it cannot delegate overall accountability for the QMS to the Quality Manager.

Clause 5.1: Leadership and commitment

Top management needs to demonstrate leadership by:

  • Taking accountability for the QMS
  • Making sure quality objectives are established
  • Integrating QMS requirements into business processes
  • Promoting the process approach
  • Providing resources
  • Communicating the importance of effective quality management
  • Supporting people
  • Promoting improvement
  • Ensuring the system achieves its intended results

Leadership should be demonstrated through actions.

Approving a Quality Policy once a year is not enough.

Management commitment becomes visible when leaders:

  • Review performance
  • Provide competent people
  • Challenge repeated problems
  • Support corrective actions
  • Make resources available
  • Include quality in commercial and operational decisions
  • Refuse to ignore requirements when the programme becomes difficult

The Standard also requires top management to maintain customer focus.

This means understanding customer and applicable legal requirements, addressing relevant risks and maintaining the focus on customer satisfaction.

Customer focus does not mean agreeing to every request.

It means reliably meeting agreed requirements and dealing properly with changes, concerns and complaints.

Clause 5.2: Quality Policy

Top management needs to establish a Quality Policy appropriate to the organization.

The policy should:

  • Support the organization’s purpose and direction
  • Provide a framework for quality objectives
  • Include a commitment to meet applicable requirements
  • Include a commitment to continual improvement

It should be maintained as documented information, communicated within the organization and available to relevant interested parties.

A Quality Policy should not be a generic page downloaded from the internet.

Employees do not necessarily need to repeat it word for word, but they should understand what it means for their roles.

Clause 5.3: Roles and responsibilities

Responsibilities and authorities need to be assigned and communicated.

People should understand:

  • What they are responsible for
  • What they can approve
  • Who they report to
  • When issues should be escalated
  • Who monitors each process
  • Who reports QMS performance to management

ISO 9001 does not require a person with the job title “Management Representative.”

It also does not require the company to employ a Quality Manager.

However, the responsibilities needed to operate and monitor the QMS must still be assigned.

Clause 6: Planning

Clause 6 requires the organization to consider risks, opportunities, objectives and changes.

Planning should prevent the QMS from becoming a reactive system that only responds after something has gone wrong.

Clause 6.1: Risks and opportunities

The organization needs to determine the risks and opportunities that should be addressed to:

  • Give assurance that the QMS can achieve its intended results
  • Increase desirable effects
  • Prevent or reduce undesirable effects
  • Achieve improvement

ISO 9001 does not require one particular risk-management method.

A small company may use process reviews, meeting actions and a simple risk register.

A larger or higher-risk organization may need formal assessments, scoring systems and dedicated controls.

Examples of quality risks include:

  • Unclear customer requirements
  • Supplier failure
  • Employee turnover
  • Equipment breakdown
  • Incorrect information
  • Inadequate competence
  • Late delivery
  • Poor change control
  • Loss of organizational knowledge

Opportunities could include:

  • Process automation
  • Improved supplier relationships
  • Better training
  • Standardised templates
  • New monitoring technology
  • Simplified approval routes
  • Improved customer communication

Actions should be proportionate to the potential effect.

Risk-based thinking should not become a paperwork exercise where every minor activity receives a complicated score.

Clause 6.2: Quality objectives

The organization needs to establish quality objectives at relevant levels and functions.

Objectives should be:

  • Consistent with the Quality Policy
  • Measurable
  • Relevant to conformity and customer satisfaction
  • Monitored
  • Communicated
  • Updated where appropriate

Examples include:

  • Reduce customer complaints by 15%.
  • Achieve 95% on-time delivery.
  • Close 90% of corrective actions within 30 days.
  • Reduce rejected products.
  • Improve supplier performance.
  • Complete the internal-audit programme.
  • Improve the customer satisfaction score.

The company also needs to plan:

  • What will be done
  • What resources are required
  • Who is responsible
  • When the objective will be completed
  • How the result will be evaluated

An objective such as “provide excellent quality” cannot be measured and is not particularly useful.

Clause 6.3: Planning changes

Changes to the QMS should be planned.

The organization needs to consider:

  • The purpose of the change
  • Potential consequences
  • QMS integrity
  • Resources
  • Responsibilities and authorities

Relevant changes could include:

  • New software
  • Restructuring
  • Opening another office
  • Introducing a new product
  • Changing an important supplier
  • Outsourcing a process
  • Revising an approval workflow

This requirement is intended to prevent improvements in one area from causing problems somewhere else.

Clause 7: Support

Clause 7 covers the resources and supporting controls needed for the QMS.

This includes people, infrastructure, competence, communication and documented information.

Clause 7.1: Resources

The organization needs to determine and provide the resources required to operate and improve the QMS.

People

Enough competent people need to be available to complete and control the work.

This does not mean that the company needs a large Quality Department.

It means that resource decisions should consider the work, its risks and the controls required.

Infrastructure

Infrastructure can include:

  • Buildings
  • Equipment
  • Vehicles
  • Software
  • Communication systems
  • Utilities
  • Information technology

These resources should be suitable and maintained as necessary.

Environment for operating processes

The working environment may involve physical, social and psychological factors.

Depending on the organization, this could include:

  • Temperature
  • Lighting
  • Cleanliness
  • Noise
  • Ergonomics
  • Workplace behaviour
  • Stress
  • Employee wellbeing

The relevant controls depend on how the working environment affects products, services and processes.

Monitoring and measuring resources

Equipment used to verify conformity needs to be suitable.

Where measurement traceability is required, equipment may need to be:

  • Calibrated or verified
  • Identified
  • Protected
  • Stored appropriately
  • Checked at defined intervals

If equipment is found to be unsuitable, the organization should assess whether previous measurements may have been affected.

Organizational knowledge

The company needs to identify and maintain the knowledge necessary to operate its processes.

Knowledge may come from:

  • Experienced employees
  • Procedures
  • Standards
  • Lessons learned
  • Design information
  • Customer feedback
  • Previous projects
  • Training
  • Technical specialists

This requirement becomes particularly important when experienced employees leave the organization.

Clause 7.2: Competence

People whose work affects QMS performance need to be competent.

The organization should:

  • Determine the required competence
  • Confirm that people are competent
  • Take action where gaps exist
  • Evaluate the effectiveness of those actions
  • Retain appropriate evidence

Competence can be based on education, training or experience.

Training attendance alone does not always demonstrate competence.

A person may complete a course and still require supervision, practical assessment or additional experience.

Clause 7.3: Awareness

People need to be aware of:

  • The Quality Policy
  • Relevant objectives
  • Their contribution to the QMS
  • Benefits of improved performance
  • Consequences of not meeting requirements

Awareness should be relevant to the person’s work.

A warehouse employee does not need a detailed explanation of every ISO 9001 clause, but they should understand the controls that apply to receiving, identifying, storing and releasing materials.

Clause 7.4: Communication

The organization needs to determine:

  • What will be communicated
  • When
  • With whom
  • How
  • Who communicates it

This applies to internal and external communication.

Examples include:

  • Customer updates
  • Supplier instructions
  • Employee briefings
  • Management reports
  • Regulatory notifications
  • Project meetings
  • Changes to controlled documents

A procedure can be perfect, but the process may still fail if the right information does not reach the right person at the right time.

Clause 7.5: Documented information

ISO 9001 requires documented information specifically identified by the Standard, along with any other documentation the organization decides is necessary.

Documented information may include:

  • Policies
  • Procedures
  • Process maps
  • Forms
  • Records
  • Specifications
  • Instructions
  • Registers
  • Reports
  • Electronic data

Documents need to be appropriately:

  • Identified
  • Reviewed
  • Approved
  • Available
  • Protected
  • Controlled when changed
  • Retained or disposed of

The organization must also control relevant external documents such as customer specifications, legislation and industry standards.

ISO 9001 does not require a procedure for every clause.

It also does not specifically require a Quality Manual.

The amount of documentation should reflect the size of the organization, complexity of its processes, competence of its people and risks involved.

Clause 8: Operation

Clause 8 covers the planning and control of the activities needed to provide products and services.

This is normally the largest and most operational part of the QMS.

Clause 8.1: Operational planning and control

The organization needs to plan, implement and control its operational processes.

This includes determining:

  • Requirements
  • Acceptance criteria
  • Resources
  • Controls
  • Necessary records

Planned changes should be controlled and unintended changes reviewed.

Outsourced processes also need to be controlled.

Operational controls could include:

  • Procedures
  • Work instructions
  • Checklists
  • Inspection plans
  • Approval stages
  • Competence requirements
  • Software controls
  • Tests
  • Reviews

The amount of control should be proportionate to the risk and complexity of the work.

Clause 8.2: Requirements for products and services

The organization needs to communicate with customers and understand their requirements.

This can include:

  • Product or service information
  • Enquiries and contracts
  • Changes
  • Complaints
  • Customer property
  • Contingency arrangements

Before accepting work, the organization should review whether it can meet the requirements.

The review should consider:

  • Customer-stated requirements
  • Requirements necessary for intended use
  • Legal requirements
  • Company requirements
  • Differences from previous quotations or agreements

Changes to requirements should be controlled and communicated.

A problem discovered after delivery may have started with an incomplete contract review months earlier.

Clause 8.3: Design and development

Where design applies, the organization needs a controlled process covering:

  • Planning
  • Inputs
  • Controls
  • Outputs
  • Changes

Design planning

The organization should consider stages, reviews, responsibilities, resources, interfaces and customer involvement.

Design inputs

Inputs may include:

  • Functional requirements
  • Performance requirements
  • Legal requirements
  • Standards
  • Previous designs
  • Potential consequences of failure

Inputs should be complete, clear and suitable.

Conflicting inputs need to be resolved.

Design controls

Design controls include review, verification and validation.

Although these activities can overlap, they are not exactly the same:

  • Review: Is the design progressing correctly?
  • Verification: Does the output meet the design inputs?
  • Validation: Will the finished result perform as intended?

Design outputs

Outputs should be suitable for subsequent processes and include necessary acceptance criteria and characteristics.

Design changes

Changes should be identified, reviewed and controlled.

The organization should consider how a change affects connected components, completed work and customer requirements.

Clause 8.4: External providers

Externally provided products, services and processes need to be controlled.

This includes suppliers, subcontractors, consultants and outsourced processes.

The organization should determine:

  • Selection criteria
  • Evaluation methods
  • Monitoring requirements
  • Re-evaluation
  • Necessary inspections
  • Information that must be communicated

The level of control should reflect the potential effect of the external provider.

An approved-supplier list is not enough by itself.

The organization should monitor actual performance.

Clause 8.5: Production and service provision

Products and services should be provided under controlled conditions.

Depending on the organization, controls may include:

  • Current specifications
  • Work instructions
  • Suitable equipment
  • Competent people
  • Inspections
  • Monitoring
  • Defined approval stages
  • Error-prevention methods
  • Release and delivery activities

Identification and traceability

Products, components, materials or records may need to be identified and traced.

Traceability requirements depend on the product, contract, law and associated risk.

Customer or supplier property

Property belonging to customers or external providers needs to be protected.

This may include:

  • Materials
  • Equipment
  • Information
  • Designs
  • Personal data
  • Intellectual property
  • Premises

Loss, damage or unsuitability should be reported and recorded.

Preservation

Products and outputs should be preserved during production and delivery.

Preservation can include:

  • Handling
  • Packaging
  • Storage
  • Protection
  • Transportation
  • Contamination control

Post-delivery activities

The organization needs to consider activities required after delivery, such as:

  • Warranties
  • Maintenance
  • Servicing
  • Returns
  • Recycling
  • Legal obligations
  • Customer support

Control of changes

Changes during production or service delivery should be reviewed and controlled.

Evidence of the review, the person authorizing the change and any necessary actions should be retained.

Clause 8.6: Release of products and services

The organization needs to verify that requirements have been met before products or services are released to the customer.

Release records should identify:

  • Evidence of conformity
  • The person authorizing release

Products should not be released until planned checks have been completed unless an appropriate authority—and where relevant the customer—approves otherwise.

Clause 8.7: Nonconforming outputs

Outputs that do not meet requirements need to be identified and controlled.

The organization may deal with nonconforming outputs by:

  • Correcting them
  • Preventing their use
  • Segregating them
  • Suspending delivery
  • Informing the customer
  • Obtaining an authorized concession

Corrected outputs should be verified again.

Records should describe:

  • The nonconformity
  • Actions taken
  • Concessions obtained
  • Who made the decision

This clause controls the immediate nonconforming output.

Corrective action under Clause 10 addresses why the problem occurred and whether action is required to prevent recurrence.

Clause 9: Performance evaluation

Clause 9 requires the organization to check whether the QMS is working.

It covers monitoring, measurement, customer satisfaction, internal audit and management review.

Clause 9.1: Monitoring and measurement

The organization needs to decide:

  • What should be monitored
  • How it will be measured
  • When monitoring takes place
  • When results are analysed
  • How performance is evaluated

Useful measurements may include:

  • On-time delivery
  • Complaints
  • Defects
  • Rework
  • Inspection results
  • Supplier performance
  • Process times
  • Corrective-action closure
  • Customer satisfaction

The company should not collect data simply because it is easy to produce.

The measurement needs to help management understand performance and make decisions.

Customer satisfaction

The organization needs to monitor how customers perceive whether their needs and expectations have been fulfilled.

Methods may include:

  • Surveys
  • Feedback
  • Complaints
  • Repeat orders
  • Customer meetings
  • Contract-performance reviews
  • Lost-business analysis

A lack of formal complaints does not necessarily mean that customers are satisfied.

Analysis and evaluation

The collected information should be analysed to evaluate:

  • Conformity
  • Customer satisfaction
  • QMS performance
  • Planning effectiveness
  • Risks and opportunities
  • Supplier performance
  • Need for improvement

Clause 9.2: Internal audit

The organization needs to carry out internal audits at planned intervals.

Audits should determine whether the QMS:

  • Meets the organization’s own requirements
  • Meets ISO 9001 requirements
  • Is effectively implemented and maintained

The audit programme should consider:

  • Process importance
  • Changes
  • Previous audit results

Auditors should be objective and impartial.

They should not normally audit their own work.

Audit findings need to be reported, and appropriate corrections and corrective actions should be completed without unnecessary delay.

An internal audit should not be treated as a rehearsal for the certification audit.

Its purpose is to help the organization understand whether its controls are effective.

Clause 9.3: Management review

Top management needs to review the QMS at planned intervals.

The review should consider information including:

  • Previous actions
  • Changes affecting the QMS
  • Customer satisfaction
  • Quality objectives
  • Process performance
  • Product and service conformity
  • Nonconformities and corrective actions
  • Monitoring results
  • Audit results
  • Supplier performance
  • Resources
  • Risks and opportunities
  • Improvement opportunities

The review should result in decisions and actions relating to:

  • Improvement
  • QMS changes
  • Resource needs

Management review does not have to be a single annual meeting.

Relevant reviews may take place through established management meetings, provided all necessary inputs and outputs are addressed and evidence is retained.

Clause 10: Improvement

Clause 10 requires the organization to identify and implement opportunities for improvement.

Improvement can involve:

  • Correcting problems
  • Preventing recurrence
  • Improving products and services
  • Reducing undesirable effects
  • Improving QMS performance

Clause 10.2: Nonconformity and corrective action

When a nonconformity occurs, the organization needs to:

  1. Control and correct it.
  2. Deal with its consequences.
  3. Evaluate whether action is needed to prevent recurrence.
  4. Investigate the cause where appropriate.
  5. Check whether similar problems exist elsewhere.
  6. Implement corrective action.
  7. Review whether the action was effective.
  8. Update risks and the QMS where necessary.

Correction and corrective action are different.

If a defective component is replaced, that is a correction.

If the organization investigates why the wrong component was supplied and changes the purchasing and verification process, that is corrective action.

Not every minor problem requires a complicated root-cause analysis.

The response should be proportionate to the effects and risks of the nonconformity.

Records should provide evidence of:

  • The nature of the problem
  • Actions taken
  • Results of corrective action

Clause 10.3: Continual improvement

The organization needs to continually improve the suitability, adequacy and effectiveness of its QMS.

Continual improvement does not mean that every process must improve every month.

It means that the organization should use information from:

  • Audits
  • Performance data
  • Customer feedback
  • Nonconformities
  • Management review
  • Risk assessments
  • Lessons learned

to identify and implement appropriate improvements over time.

What documents are mandatory?

ISO 9001:2015 does not provide a simple list of mandatory procedures.

Instead, it requires specific documented information and any additional documentation needed for effective process control.

Typical documented information includes:

  • QMS scope
  • Quality Policy
  • Quality objectives
  • Evidence of competence
  • Monitoring and calibration records
  • Operational records
  • Design records
  • Supplier evaluation results
  • Product-release evidence
  • Nonconformity records
  • Internal-audit results
  • Management-review results
  • Corrective-action records

Organizations may also decide to maintain:

  • Quality Manual
  • Procedures
  • Process maps
  • Responsibility matrix
  • Risk register
  • Approved-supplier register
  • Document register
  • Training matrix
  • Inspection plans
  • Forms and templates

The question should not be, “How many procedures do we need?”

The better question is, “What information do our people need to operate the process consistently, and what evidence do we need to demonstrate that requirements have been met?”

Common mistakes when interpreting ISO 9001

Some of the most common mistakes include:

  • Creating one procedure for every clause
  • Copying another company’s Quality Manual
  • Treating every “shall” as a requirement for a separate document
  • Making the Quality Manager responsible for the entire system
  • Declaring difficult requirements inapplicable
  • Creating risk registers that nobody uses
  • Setting objectives that cannot be measured
  • Treating training attendance as proof of competence
  • Measuring activities without evaluating results
  • Completing internal audits only before certification visits
  • Closing problems without checking corrective-action effectiveness
  • Keeping the QMS separate from normal business management

ISO 9001 should be built into the way the organization operates.

A separate “ISO system” that exists only for auditors will eventually become outdated and ineffective.

Practical ISO 9001 requirements checklist

Ask the following questions:

  • Have we defined the QMS scope?
  • Do we understand relevant internal and external issues?
  • Have we considered whether climate change is relevant?
  • Do we know which interested-party requirements matter?
  • Have we identified our main processes?
  • Are responsibilities clear?
  • Is senior management actively involved?
  • Do we have measurable quality objectives?
  • Are risks and opportunities addressed?
  • Are sufficient resources available?
  • Are people competent?
  • Is important organizational knowledge retained?
  • Are documents controlled?
  • Are customer requirements reviewed?
  • Is design controlled where applicable?
  • Are suppliers evaluated and monitored?
  • Are operational activities properly controlled?
  • Is release evidence retained?
  • Are nonconforming outputs controlled?
  • Is customer satisfaction monitored?
  • Are internal audits effective?
  • Does management review produce decisions?
  • Are corrective actions checked for effectiveness?
  • Can we demonstrate continual improvement?

If the answer to one of these questions is no, the next step is not automatically to write another procedure.

First understand why the requirement is not being achieved.

The solution could involve clearer responsibility, better communication, additional resources, improved competence, simpler documentation or stronger management involvement.

Final thoughts

Clauses 4 to 10 of ISO 9001 follow a practical management sequence.

Understand the business.

Provide leadership.

Plan what needs to happen.

Support the people doing the work.

Control operations.

Check performance.

Improve the system.

The difficulty is not understanding what each clause says individually.

The real challenge is connecting the requirements into a management system that reflects what the organization actually does.

A good QMS should make responsibilities clearer, processes more reliable and problems easier to identify and correct.

It should not exist simply to produce enough documents for an auditor.

At the end of the day, the objective is not to manage ISO 9001.

The objective is to manage the organization properly while using ISO 9001 as the framework.

Frequently asked questions

Which clauses of ISO 9001 are audited?

Certification audits assess applicable requirements in Clauses 4 to 10. Clauses 1 to 3 provide scope, references and definitions rather than auditable QMS requirements.

What are the seven main clauses of ISO 9001?

The seven main requirement clauses are Context, Leadership, Planning, Support, Operation, Performance Evaluation and Improvement.

Is Clause 8 the only clause that can be excluded?

ISO 9001 uses the concept of applicability rather than exclusions. Requirements may be determined not applicable only when that decision does not affect the organization’s ability or responsibility to provide conforming products and services. In practice, non-applicability most commonly concerns requirements within Clause 8, particularly design and development.

Does ISO 9001 require a Quality Manual?

No. ISO 9001:2015 does not specifically require a Quality Manual. Organizations may still use one when it provides a helpful overview of the QMS.

Does ISO 9001 require documented procedures?

The Standard requires particular documented information but does not prescribe a separate procedure for every process or clause. Organizations need to maintain the documentation necessary for their processes to operate effectively.

What is the most important ISO 9001 clause?

There is no single most important clause because the requirements work together. However, leadership is critical. A QMS is unlikely to remain effective without active management involvement.

What is the difference between Clause 8.7 and Clause 10.2?

Clause 8.7 controls the immediate nonconforming output. Clause 10.2 addresses the broader nonconformity, its cause and any action needed to prevent recurrence.

What changed with ISO 9001 Amendment 1:2024?

Organizations must determine whether climate change is a relevant issue under Clause 4.1. A note under Clause 4.2 also recognises that relevant interested parties may have climate-related requirements.

Is ISO 9001:2026 already published?

No. ISO 9001:2015 remains the current published edition. The revised edition is expected in September 2026.

FREE EXCEL TEMPLATE

Plan Your Quality Control Inspections with Confidence

Download the editable Excel Inspection and Test Plan template for recording inspections, tests, acceptance criteria, responsibilities and quality records.

Need more than an ITP? The Construction Quality Pack includes 12 editable templates for managing inspections, audits, nonconformances, reporting and project quality records.

Leave a Comment