ISO 9001 in 25 steps
There’s quite a bit of sorcery surrounding ISO 9001 and it’s often consultants who proliferate that view, but we’re going to provide the simplest explanation of what you have to do to comply with ISO 9001 in as few words as possible.
ISO 9001:2015 is 19 pages long and around 7000 words excluding the Foreword, Introduction and Annexes. This article aims to distil ISO 9001 into something smaller and easier to digest which, if complied with, should still get an organisation through a certification audit (please don’t hold us to that or use this as an excuse not to own a copy of the standard 😊).
What we have developed is a set of instructions one tenth the size of the standard which has just 25 steps to compliance. It also provides some links to more resources for additional guidance material if required:
1. Understand what your organisation does, where it does it and who for.
2. Understand who has an interest or stake in your organisation and what they expect from you and when.
3. Establish who does what in your organisation, what qualifications, competences and experience they need and who reports to whom.
4. Write a policy to encompass item 1, the general quality requirements you intend to abide by, the fact that you intend to improve your system and how you intend to set and manage objectives.
5. Understand what risks and opportunities your organisation faces and prioritise them.
6. Establish objectives for the organisation and where possible establish them around activities which reduce the significant risks and promote the progress of significant opportunities (i.e. controls).
7. Where not covered by objectives, establish plans to address the other risks and opportunities.
8. Understand what your processes are and determine what risks they present. All processes have a risk of failure, so understand what controls each process needs to have in place to ensure it doesn’t fail.
9. Some of the process controls should include activities to satisfy those who have an interest or stake in your organisation.
10. Whether you provide products or services to your customer, make sure you know what constitutes ‘good quality’, establish processes so you know, and your customers confirm, you are delivering it.
11. Know what you need to undertake your work: materials, plant, equipment, resources, environment, infrastructure, etc. and any requirements these must meet. Provide what you need, maintain it and periodically review it to ensure it continues to be available.
12. Ensure your staff are competent to undertake their work and where they aren’t, provide supervision and training until they are.
13. Ensure your external providers providing quality critical goods, services and processes know what your quality requirements are and meet them. Establish this before engaging them and then manage their performance once engaged.
14. Understand your customer’s requirements (even things they might not say or know) and ensure those requirements and what you are providing are agreed between you in writing (even if it changes) so that it can’t be disputed.
15. Make sure any design activity adequately documents requirements, is controlled, considers risks and confirms that the output effectively addresses all the requirements (see Design procedure resource).
16. Make sure information exists to allow you to trace critical information for issues to determine their cause and the true extent of the issue (critical info. such as materials, equipment, people, external providers, dates, procedure versions, etc.).
17. Where things go wrong, have a process for assessing them which investigates the cause, immediately takes action to prevent further things going wrong, notifies the necessary stakeholders, takes action to fix the issue, confirms it was effective and prevents it (or anything similar) from happening again by addressing the cause throughout the organisation.
18. Monitor and measure what is important to:
   - the success of your products, services and processes (focus on controls established under 8. and 9.)
   - provide evidence of compliance
   - the organisation (i.e. what the management system says you will monitor and measure)
19. Conduct internal audits using trained auditors against a program focused on the implementation of the controls established to manage the risks and opportunities.
20. Where significant quantities of data are obtained through monitoring and measurement, analyse the data and establish methods to predict future risks or opportunities to be acted on.
21. Have a process which plans and prioritises actions to be taken in response to feedback, audits and new risks or opportunities. The process must assign responsibility and timescales for the action.
22. Document all of the above (as a requirement in your system and as records providing proof of meeting requirements), include any external documents necessary for staff to do their work, make it available to staff, protect it from unauthorised amendment, make sure staff can find the information that is important to them and that it is obvious what is and isn’t current. Determine how long you need to keep historical documents and records and document this within your system.
23. Ensure staff understand how they contribute to quality and the organisation’s objectives.
24. Ensure your system is being used, by establishing it as the backbone of your business. If it’s important, it should be written down. If it’s written down, it’s either part of your management system or a record of activities and must be trusted and found when needed.
25. Review the management system and items 1-24 at least annually and, if the review finds things have changed or failed to keep up with change, then take action in accordance with Item 21.