ISO 9001 in 25 steps
There’s quite a bit of sorcery surrounding ISO 9001 and it’s often consultants who perpetuate it. We aim to provide the simplest explanation of how to comply with ISO 9001, in as few words as possible (or in just 25 steps).
ISO 9001:2015 is 19 pages long and around 7000 words excluding the Foreword, Introduction and Annexes. This article aims to distil ISO 9001 into something smaller and easier to digest. Meeting these requirements should get an organisation through a certification audit. But please don’t hold us to that or use it as an excuse to not buy the standard. 😊
We have developed a set of instructions one tenth the size of the ISO standard. Just 25 steps to compliance. This article also provides some links to more resources for additional guidance material if required:
The 25 Steps
1. Understand what your organisation does, where it does it, and who for.
2. Understand who has an interest or stake in your organisation and what they expect from you and when.
3. Establish who does what in your organisation, what qualifications, competencies, and experience they need, and who reports to whom.
4. Write a policy to include Item 1, the general quality requirements you intend to meet, and your commitment to improving your management system. Include that you intend to look after your customers and how you intend to set and manage objectives.
5. Understand what risks and opportunities your organisation faces and prioritise them.
6. Establish objectives for the organisation. Where possible establish them around activities that reduce the significant risks and promote the progress of the significant opportunities (e.g. your business strategy and plans).
7. Where not covered by objectives, establish controls to address the other risks and opportunities in order of priority.
8. Understand what your processes are and determine what risks they present. All processes have a risk of failure, so understand what controls each process needs to ensure it doesn’t fail.
9. Controls must include activities to confirm requirements have been met (e.g. stakeholder requirements).
10. When you provide your customer with products or services, make sure you know what ‘good quality’ is. Establish processes so you know, and your customers acknowledge, you are delivering ‘good quality’.
11. Know what you need to undertake your work. Delivery will not be successful unless you know what requirements you need to meet and what you need in terms of materials, plant, equipment, resources, environment, infrastructure, etc. Provide what is needed, maintain it, and periodically review it to ensure it continues to serve its purpose.
12. Ensure your staff are competent to undertake their work and where they aren’t, provide supervision and training until they are.
13. Ensure your external providers who provide quality critical goods, services and processes know what your requirements are and meet them. Establish this before engaging them and then manage their performance against the requirements once engaged.
14. Understand your customer’s requirements (even things they might not say or know). Ensure the requirements and what you are providing are agreed in writing with the customer (especially if it changes). These records will prove invaluable in any disputes.
15. Make sure any design activity documents the requirements, is controlled, considers risks, and confirms that the output addresses the requirements. See the Design procedure resource for more information.
16. Make sure records exist to allow the tracing of critical quality information. When issues arise you will need this data to determine the causes and the true extent of the issue. Examples of critical information are material specifications, equipment used, certificates of conformity, purchasing records, people, external providers, dates, procedure versions, etc.
17. Where things go wrong, have a process for assessing them. The process must investigate the extent and cause(s) and immediately take action to prevent further things from going wrong. The process then must notify the necessary stakeholders, take action to fix the issue, confirm it was effective and prevent it (or anything similar elsewhere in the organisation) from happening again.
18. Monitor and measure what is important to:
    - the success of your products, services, and processes (focus on controls established under Items 8 and 9)
    - provide evidence of compliance (evidence must identify when and who provided the evidence)
    - the organisation (i.e. what the management system says you will monitor and measure)
19. Conduct internal audits using trained auditors against a program. The program must focus on the implementation of the controls established to manage the risks and opportunities.
20. Establish a process to identify risks and opportunities from the analysis of significant data obtained from Item 18.
21. Establish a process that plans and prioritises actions to be taken in response to feedback, defects, conformance issues, audit findings, and changes to risks or opportunities. The process must assign responsibility and timescales for the action.
22. Document all of the above (as a requirement in your system and as records providing proof of meeting requirements). Records must note who is responsible, the records produced, and any timings where critical. Include any external documents necessary for staff to do their work. Records must be trustworthy and found when needed. Make the Management System content available to staff and protect it from unauthorised amendment. Make sure staff can find information important to them and that it is obvious what is and isn’t current. Determine how long you need to keep historical documents and records and document this within your system.
23. Ensure staff understand how they contribute to quality and the organisation’s objectives.
24. Establish your management system as the backbone of the business. Important things tend to be put in writing. And these things tend to be records of activities or something which should be part of your management system.
25. Review the management system and Items 1-24 at least annually. Take action (Item 21) where the review identifies requirement changes or the system requires maintenance.