F103-12-QMS-2015 ISO 9001 2015 Checklist Guidance

ISO 9001:2015 Checklist/ Guidance Document
Clause #
Requirements
Context of the organization
4.1
Understanding the organization and its context
Has the organization identified the external and internal issues

that are relevant to its context and that affect its ability to
achieve the intended result(s) of its quality management system?
Does the organization continue to monitor and review those
issues to establish whether any changes to them will affect its
QMS or its purpose?
Yes
N
o
Objective evidence/ Remarks
Describe the process used by the organization to identify the internal and
external issues and monitoring process;
Notes:
The context of the organization (also known as its business or organizational environment) refers to the combination of internal and external factors and conditions that can
have an effect on an organization's approach to its products, services, investments and intended outcome of its QMS.
An organizations context may include:

Specific objectives & targets of the organization.
Needs and expectations of its customers and any other relevant interested parties e.g. Shareholders, employees, end used, suppliers, regulators etc.
Products and services it provides;
Complexity of organizational processes and their interaction.
Competence of personnel working within or on behalf of the organization.
The size and structure of the organization.
Auditors will need to understand the internal and external issues typically experienced in type of organisations and must be prepared and able to challenge an organisation if
they believe the organisations interpretation of their context is having deficiency or incorrect.
The standard does not ask for any specific requirement that these internal and external issues, or their monitoring and review, have to be documented by an organization, so
auditors cannot simply ask for a list of issues or records of reviews. However, the information may be obtained from different sources (refer examples below). The auditors
will also need a change in the audit approach and will have to more likely interview the senior management in relation to the organizations context and its strategic direction
and related issues.
An evidence of conformity needs to be obtained to assure that organisations are reviewing internal and external issues periodically.
Examples:
External context can include issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national,
regional or local.
Internal context can include issues related to values, culture, knowledge and performance of the organization.
Auditors can obtain information from sources including; Business plan or strategy, Information provided on the organizations website, Annual reports, Management meeting
minutes having these issues addressed etc.
Use of Process approach by organization to identify relevant internal and external issues right from sources of input to receiver of output covering both internal & external
context issues as above. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]
4.2
Understanding the needs and expectations of interested parties
F103-12-QMS-2015 Issue date: 08-OCT-2015

Clause #
Requirements
Yes
N
o
a) Has the organization determined the interested parties

that are relevant to its QMS, who can effect or potentially
effect on the organisations ability to consistently provide
products and services that meet customer and
applicable statutory and regulatory requirements and
which requirements are relevant to its QMS?
Describe the process used by the organization to fully identify the interested
parties;
b) Does the organization monitor and review the

information about these interested parties and their
relevant requirements?
Describe that how they monitor these interested parties and their relevant
requirements;
Notes:
An interested party is any person or organization that can affect, be affected by, or perceive themselves to be affected by the decisions or activities of the organization
implementing the QMS.
In order to determine whether an interested party, or its requirements, are relevant to their QMS, the organization must consider whether or not they have an effect on the
organizations ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or to enhance customer
satisfaction.
Each organisation will have its own set of relevant interested parties and these may change over time. Similarly, each interested party may also have its own set of
requirements, but all of these may not be relevant to an organizations QMS. For any difference in opinion with client organization regarding the relevant interest of the
interested parties, the Auditors should be well prepared to challenge it.
Auditors will have to ensure that the organisation has been through a process of initially identifying these interested parties/ groups and then to identify their requirements
that are relevant to the organisations QMS.
They will also need to ensure that this process is revisited periodically because the relevant requirements of the interested parties may change over time.
Again, as there are no specific requirements for documented information in the standard, the auditor need to use the same approach, as in clause 4.1, to obtain information
through several sources/ documents and interviews with senior management to obtain the objective evidences when there is no direct documentation provided by the client
for this purpose. Where the organization has determined that any interested party and/or its requirements are not relevant to QMS, then it does not have to take any action to
address them.
Examples:
Interested parties could include the organizations shareholders, employees, customers, end users, suppliers, regulators etc.
4.3
Requirement of Interested parties may include; Specs from raw materials manufacturers/ suppliers, Concerns on employee feedback forms, Contractual requirements from
Customers, Corporate policies & procedures, Legal requirements etc.
Determining the scope of the quality management system

Clause #
Requirements
N
o
The scope of the Quality management system sets its

boundaries, identifying what the requirements of the Quality
management system are applicable to, and to what they are not.
a) When defining the scope of QMS, has the organization
considered its context (e.g. the internal and external
issues it faces and the requirements of relevant
interested parties), and also products and/ or services it
intends to deliver?
Yes
b)
Is the scope made available and maintained as

documented information?
c)
Does the scope include any justification or instances

where specific elements of the standard cannot be
applied?
Does the scope include all consideration in point a) as well as geographical

locations;
Notes:
The scope of a management system may include the whole of the organization or specific functions, section of the organization, or one or more functions across a group of
organizations. Boundaries for the scope may even include specific geographic location(s), Processes, activities etc. Outsourced functions or processes are considered within
the organizations scope of Quality management system.
Although there is no longer any requirement that the scope of an organizations QMS must be documented in a Quality Manual (which is no longer required), it need be
available and maintained as documented information (ISO 9001:2015clause 7.5). The scope must include reference to the products and services covered by the QMS.
Where a requirement cannot be applied (e.g. the organization does not perform any design activity), the organization can determine that the requirement is not applicable.
However, this should not result in failure to achieve conformity of products and services or to meet the organizations aim to enhance customer satisfaction (Annex-A. A5)
If the organization has excluded any requirement, this must be clearly recorded and the organization must be able to justify the exclusion.
Auditors will need to verify that the organisations scope is documented, and evidence that it has been produced in consideration of organizations context and products and
services. If exclusions have been applied by the organisation, auditors must ensure that they are recorded and that the rationale for the exclusion is stated and justified.
4.4
Quality management system and its processes

a)
Has the organization adopted the process approach

while establishing, implementing, maintaining and
continually improving the effectiveness of its quality
management system?
b) Has the organization determined the processes needed

for the quality management system and their application
throughout the organization including;
Inputs required and the outputs expected,
Sequence and interaction of processes,
Is the process approach understood in the organization;
Ensure requirements in point b) has met and upload organizations processes to

demonstrate the Process approach is fully understood;

Clause #
Requirements
Yes
N
o
Measurements and related performance indicators,

Availability of resources needed,
Responsibilities and authorities assigned,
Risks and opportunities associated and planned and
implemented appropriate actions to address them,
Evaluation of processes, andImprovement opportunities
for the established processes and QMS.
c) Does the organisation maintain the documented
information necessary to support the operation of its
processes? Do they also retain documented information
that evidences thatprocesses are being carried out as
planned?
Objective evidence can be indicated on process audit notes F103-16 or the

organizations identified processes if point b) above implemented;
Notes:
ISO 9001:2015 includes specific requirements necessary for the adoption of a process approach when developing, implementing and improving the effectiveness of a quality
management system. This requires an organization to systematically define and manage processes and their interactions so as to achieve the intended results in
accordance with both the quality policy and strategic direction of the organization.
There needs to be evidence that these process requirements are included e.g. in the design, operation and on-going update of the organizations QMS. The organizations will
have to pay attention to use the performance indicators to control and monitor processes, and the risks and opportunities associated with them.
Although there is no longer any reference to Records (ISO 9001: 2008 clause 4.2.4), there is still a requirement to demonstrate evidence of compliance with QMS
requirements and processes (ISO 9001:2015 clause 7.5).
Auditor must note that there are explicit requirement for a process-based quality management system now. They should also note the additional new requirements regarding
use of performance indicators to control and monitor processes, and the requirement for processes to be assessed from a risk and opportunity perspective. In effect, auditors
will need to review how the organisation has designed its process-based management system.
Examples:
Existing operational procedures, work instructions and flow charts are valid examples of documented information and can be used to evidence that the requirement for
documented information to support the operation of processes is being met. If these are working well for the organisation then there is no need to replace them.
Use of Turtle diagram by the organization for identifying the Process related Inputs, Outputs, Resources used (Human & Infrastructure), Monitoring and measuring processes
and documentation.
Use of Process approach by organization to identify sources of input, input, activities, output, receiver of output, performance indicators to control and monitor processes, and
the risks and opportunities associated with them. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]
Leadership
5.1
Leadership and commitment
5.1.1
General

Clause #
Requirements
Yes
N
o
Has top management exhibited their leadership and

commitment towards its Quality Management system by:
Objective evidence must include an interview with Top management covering the elements of
points a) to h) to ensure thorough understanding and leadership at the highest level. If the
Top management is not involved, a non-conformance needs to be raised.
a) Taking accountability of QMS effectiveness?

b) ensuringQuality policy and Quality objectives are
established and, are consistent with its overall strategic
direction and the context in which the organization
operates?
c) ensuring that quality management system requirements
are integral to the organizations business processes
(i.e. Core to the purpose to Organizations existence)?
d) promoting the adoption of the process approach and
risk-based thinking& improvement?
e) ensuring resources required for the effective operation
of the quality management system are made available?
f)
communicating the importance conforming to the quality

management system requirements& its effectiveness?
g) ensuring that quality management system attain its

intended outcome?
h) involving, directing and providing support people& for
them to demonstrate leadership in their relevant
processes/ areas to contribute to theeffective operation
of the QMS?
Notes:
Top management need to emphasize the importance of conforming to the QMS requirements. Additionally, they mustalso ensure that the QMS is achieving its intended
results and continual improvement driven within the organization.
Auditors should look forevidences that top management has a hands-on approach to the management of their quality management system during interviews and auditing
other requirements e.g. Context of the organization, Quality policy, Quality objectives, Management review minutes, Resources etc.
Where top management have effectively delegated responsibility for the QMS down to the MR, then they will now have to demonstrate much more direct involvement in the
QMS with an exception where ISO 9001:2015 indicates that the Top Management is responsible for ensuring that a task is done, but otherwise the specified requirements
must be seen to be undertaken by top management directly. Auditors must understand which ISO 9001:2015 requirements top management can delegate and which they
cannot.
Auditors should ensure that they are well prepared to interview the top management in respect of theircommitment to their quality management systems. Auditing at this level
is likely to be a newexperience and challenging at same time. A good understanding of management related processes and language used by top management can be
helping tool to engage with management on range of issues.

Clause #
5.1.2
Requirements
Yes
N
o
Customer focus
Has top management taken the lead in demonstrating the
organizations commitment to its customers by ensuring:
Objective evidence must include an interview with Top management covering the elements of
points a) to c) to ensure thorough understanding and leadership at the highest level. Top
management is not involved, a non-conformance needs to be raised.
a) Customer and applicable statutory and regulatory

requirements are identified and met?
b) Determination and addressing the risks and
opportunities that can affect conformity of products and
services and its ability to enhance customer
satisfaction?
c) Remain focused on providing products and services that
meetcustomer, applicable statutory & regulatory
requirements and, on enhancing the customer
satisfaction?
Notes:
Auditors will need to seek evidence that top management are ensuring that any risks and opportunitieswith the potential to impact the organisations ability to supply products
and services that conformto customer requirements and applicable statutory or regulatory requirements, or that may affectcustomer satisfaction, are being identified and
addressed by the organisation.
Auditors should expectto find a focus on risks, but should note that opportunities must also be considered too.
The requirement is to maintain a customer focus, so it will not be a one-time exercise,but must be evidenced as on-going activity.
5.2
5.2.1
Quality policy
a) Has the Top management established, implemented &
maintained a Quality policy that is consistent with the
purpose and context of the organization and its strategic
direction?
b) provides a framework for the setting the quality

objectives?
c) includes commitments to satisfy any applicable
requirements and continually to improve their quality
management system?
Objective evidence must include an interview with Top management

covering the elements of points a) to c) to ensure thorough
understanding and leadership at the highest level. Top management is
not involved, a non-conformance needs to be raised.

Clause #
5.2.2
Requirements
Yes
N
o
Is the Quality policy;

a) available as documented information?
b) communicated, understood andapplied across the
organization and available to relevant interested
parties?
Interview with Top management down to different levels of the

organization to ensure the Quality policy is communicated,
understoodand implemented.How is it made available to interested
parties?
Notes:
ISO 9001:2015 now requires that an organizations quality policy is appropriate to both its purpose and context. This means that once the organization has determined its
context and the relevant requirements of its interested parties, Top management need to have a review its quality policy in light of that information.
They will have to continue to review the quality policy to ensure that any changes in its context, interested parties or their requirements is reflected in the Quality policy and
whether the organizations quality objectives are effected (6.2a).
The auditors will also have to check that how the Quality policy is made available to relevant interested parties, where it is appropriate to do so.
5.3
Organizational roles, responsibilities and authorities

Does top management of the organization ensures assignment,
communication & understanding of the necessary
responsibilities and authorities to individuals within the
organization?
Objective evidence must include an interview with Top management

through different levels covering the elements of points a) to d) to ensure
leadership and thorough understanding at the highest level.
Has top management assigned the responsibility and authority

for:
a) ensuring that the requirements of this International
Standard are conformed and QMS processes are
delivering their intended results?
b) reporting on the QMS performance and any
opportunities for improvement, especially to top
management?
c) ensuring the promotion of customer focus throughout the
organization?
Interview through different level in the organization to ensure

understanding the customer requirements;

Clause #
Requirements
Yes
N
o
d) ensuringwhenever changes to QMS is planned and

implemented, the integrity of the system is maintained?
Notes:
Auditors should note that there is no longer a requirement for appointment of Management Representative (MR), though the duties currently assigned to the MR under
ISO 9001:2008 must still be undertaken and can be assigned to different personnel.
Auditor must seek evidence that Organizations personnel have not only been advised of their QMS responsibilities& authorities, but also that they understand these in the
context of the overall purpose of the Quality management system.
Auditors must also seek evidence that top management have assigned responsibility and authority forpreserving the integrity of the organisations QMS during revisions or
updates.
6
6.1
6.1.1
Planning for the Quality Management system

Actions to address risks and opportunities
Has the organization considered their context when planning for

the Quality management system covering issues referred to in
4.1 and the requirements referred to in 4.2 and determined the
risks and opportunities that need to be addressed to:
What process did the organization used to identify the risks?
a) to provide assurance that the quality management

system can achieve its intended outcomes, enhance
desirable effects, to prevent or reduce undesired effects,
and to achieve improvement.
6.1.2
a) Has the organization planned actions to address these

risks and opportunities?
How the organization addressing those risks?
b) Has the organization integrate and implement the

actions into its quality management system processes
and evaluate the effectiveness of these actions?
c) Are the actions taken to address risks and opportunities
proportionate to the potential impact on the conformity
of products and services?
Auditor to verify the effectiveness of the identified actions by the

organization in addressing the risk;

Clause #
Requirements
Yes
N
o
Notes:
Risk is defined as the effect of uncertainty on an expected result. Risk is often characterized by reference to potential events and consequences as well as the
likelihood of occurrence.
Although risks and opportunities have to be determined and addressed, there is no requirement for a formal, documented risk management process. Auditors should seek
evidence that confirms that an organization has a methodology in place that enables them to effectively identify risks and opportunities in respect of the planning of their
quality management system.
The role of the auditorisnot to carry out their own determination of risks and opportunities, but to ensure that the organisation is applying their methodology consistently and
effectively.
All of the processes of a QMS do not represent the same level of risk in terms of the organizations ability to meet its objectives. Due to this reason, the consequences of
failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organizations. When deciding how to plan and control its
QMS, therefore, including its component processes and activities, the organization needs to consider both the type and level of risk associated with them.
Options to address risks and opportunities can include:

avoiding risk,
taking risk in order to pursue an opportunity,
eliminating the risk source,
changing the likelihood or consequences,
sharing the risk, or
retaining risk by informed decision.
Auditors should ensure that the organisation is taking a planned approach to addressing risks and realising opportunities, and that any actions taken have been recorded. For
those actions that have been completed, auditors should ensure that each actions effectiveness has subsequently been assessed. They should also ensure that the action
taken was proportionate to the risk or opportunity.
Examples:
SWOT analysis by the organization as part of their business strategy to identify the external risk and opportunities and action plan to address them.
Formal business risk assessment performed by the organization talking into consideration its context, associated risk and opportunities and mitigation plan.
Use of Process approach by organization to identify sources of input, input, activities, output, receiver of output, performance indicators to control and monitor processes, the
risks and opportunities associated with them and action plan to address them. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]
6.2
6.2.1
Quality objectives and planning to achieve them

Has the organization established quality objectives at relevant
functions, levels and processes? Are the Quality objectives;
Have the Quality objective been identified throughout the organization?
a) consistent with the organizations quality policy and be

relevant to the conformity of products and services, and
the enhancement of customer satisfaction?
What Quality objectives are established to enhance customer

satisfaction?
b) measurable, take into account applicable customer and

statutory and regulatory requirements, and be monitored
Objectives must be measureable and whats the process to monitor?

Clause #
Requirements
Yes
N
o
in order to determine whether they are being met?

c) communicated across the organization and be updated
as and when the need arises?
What process does the organization used to communicate the objectives

to process owners and update when needed?
d) maintained as documented information?

6.2.2
Has the organization carried out planning in order to determine;
a) the work required in order to realize its quality

objectives, the resources necessary to undertake this
work, who will be responsible for ensuring that the work
is done and when the work needs to be completed by?
What strategic action plans established to ensure achieving the Quality

objectives?
b) how it will evaluate the work done to determinewhether

it has led to the objective being realized?
What process has been used to evaluate that the objectives have been
met?
Notes:
ISO 9001:2015 now requires organizations to set quality objectives at functions, levels and processes that are relevant to conformity of product and the enhancement of
customer satisfaction. There will need to be evidence that the established quality objectives add value to the relevant functions, levels and processes within the organization.
Organizations are now required to determine what resources will be required to achieve quality objectives, who will be responsible for them, what will be done and when, as
well as how achievement of the objectives will be evaluated. In many cases, this will require organizations to undertake more detailed monitoring of objectives and targets
than they currently do.
Auditors should ensure that organizations are able to evidence that they are complying with these new requirements.
6.3
Planning of changes
Where the organization determines the need for change to the

quality management system (4.4), are changes carried out in a
planned and systematic manner?
Does the organization consider:
Does the organizationhave the management change process?

Clause #
Requirements
Yes
N
o
a) the purpose of the change and any of its potential

consequences (both positive & negative)?
The change identified include all potential risks and related actions;
b) the integrity of the quality management system may be

compromised (or indeed improved)?
How does the organizationmaintain the integrity of the QMS while

changes carried out within the organization?
c) the availability of resources to effect the change?
What resources the organization has put in place to control the

changes?
d) any changes required in responsibilities and authorities

to drive the change through?
Notes:
Clause 6.3 is an enhancement of ISO 9001:2008 clause 5.4.2b. When the organization determines there is a need to change the quality management system, clause 6.3 of
ISO 9001:2015 requires such changes to be carried out in a controlled manner by planning first and then logically enacted.
Auditors should ensure that the organization is able to evidence that it has taken into account the considerations of ISO 9001:2015 Clause 6.3, when planning and
implementing changes to its quality management system.
Clause #
7
7.1
7.1.1
Requirements
Yes
No
Support
Resources
General
a) Has the organization determined and provided the
resources necessary to establish, implement,
maintain and continual improve its quality
management system?
b) Has the organization considered both the

capabilities and constraints on its existing internal
resources and what need to be obtained from
What process the organization used to determine the internal resources as

well as external resources needed?

Clause #
Requirements
external providers?
Yes
No
Notes:
Organizations need to demonstrate that they have considered both internal and external resource requirements and capabilities e.g. training, software, appropriate work
instructions, competency skills, contract requirements, supply chain etc.
Auditors must now evidence that organizations have considered their need for external resources inaddition to their need for internal ones.
7.1.2
People
To ensure that the organization can consistently meet
customer and applicable statutory and regulatory
requirements, has the organization provided the persons
necessary for the effective operation of the quality
management system, including the processes needed?
What the process used to ensure that there is sufficient manpower?
Notes:
Essentially the same requirements as in ISO 9001: 2008, though the obligation to meet statutory and regulatory requirements is now explicit.
No change in the audit approach required here.
7.1.3
Infrastructure
Has the organization determined, provided and
maintained the infrastructure for the operation of its
processes to achieve conformity of products and
services?
What infrastructure determined by the organization? During the onsite audit

ensure that how the infrastructure been maintained?
Notes:
Essentially the same requirements as in ISO 9001: 2008, but it is made clear that Infrastructure can include:buildings and associated utilities;equipment including hardware
and software;transportation; and information and communication technology.
No change in the audit approach required here.
7.1.4
Environment for the operation of processes

Has the organization determined, provided and
maintained the environment necessary for the operation
of its processes and to achieve conformity of products
and services?
During the site tour, ensure that the environment determined by the
organization based on the product and service provided is verified.

Clause #
Requirements
Yes
No
Notes:
The key change here is that work environment now becomes environment necessary for the operation of processes reflecting an increased focus throughout the standard
on a process-based approach. Organizations to not only to determine what is a work environment suitable to ensure conformity of products and services, but also to provide
and maintain it.
Environment for the operation of processes can include physical, social, psychological, environmental and other factors (such as temperature, humidity, ergonomics and
cleanliness).
Organizations will need to demonstrate that it is applying this updated requirement to the processes it has determined are necessary for the effective operation of its QMS.
Auditors will need to audit the organizations process environment, not its work environment. As wellas physical factors, this now includes social and psychological factors too.
7.1.5
7.1.5.1
7.1.5.2
Monitoring and measuring resources

a) Where an organization uses monitoring or
measuring to demonstrate that its products and
services conform to requirements, has the
organization provided the necessary resources to
ensure that monitoring and measuring results are
valid?
Upgrade audit: The delta would be to determine resources to ensure

measuring results are valid.
b) Does the organization ensure that the resources

provided are suitable to the type of monitoring or
measurement being undertaken and maintained in
order to ensure they remain fit for purpose?
Upgrade audit: The delta would be that does the organization have expertise
to the type of monitoring & measurement being undertaken.
c) Does the organization retain appropriate

documented information that the monitoring and
measurement resources are fit for purpose?
No change from ISO 9001:2008 version.
In instances, where measurement traceability is a

statutory or regulatory requirement; a customer or relevant
interested party expectation; or considered by the
organization to be an essential part of providing
Initial audit: The complete requirements from the point a) to c) to be

established;
Initial audit: The complete requirements from the point b) to be established;
No change from ISO 9001:2008 version

Clause #
Requirements
confidence in the validity of measurement results.Are the
measuring equipment;
Yes
No
a) verified or calibrated against international or

national measurement standards at specific
intervals or prior to their use. If no such standards
exist, is the basis used for calibration or
verification retained as documented information?
b) identified in such a way that their calibration status
can be determined? They must also be protected
to prevent them being adjusted, damaged or
subjected to deterioration.
c) found to be defective during its planned
verification or calibration, or during its use,
previous results need to be revisited and
anynecessary corrective action implemented.
Notes:
Organizations will need to demonstrate that they retain documented information to evidence that not just monitoring and measuring equipment is fit for purpose, but that all
monitoring and measuring resources are.
Auditors should note that where measurement traceability is required, measuring equipments are subject to additional controls. If measurement traceability is not required then
auditors must satisfy themselves that themonitoring and measuring resources an organization has employed are suitable and fit for purpose,and that arrangements are in place
to ensure their continued fitness for purpose.
Auditors should also ensure that documented information is being maintained by the organization todemonstrate that monitoring and measuring resources are fit for purpose
in these instances.
7.1.6
Organizational knowledge
Does the organization take steps to capture and preserve

the knowledge necessary for the effective operation of its
processes and for ensuring the conformity of products
and services?
What processes does the organization used to determine the knowledge

necessary for ensuring conformity to products & services?

Clause #
Requirements
Is this knowledge maintained and made available to the
extent necessary?
Does the organization consider its current knowledge and
determine how to acquire or access the necessary
additional knowledge, when addressing changing needs
and trends?
Yes
No

How the knowledge is preserved?
When changes occur at the organization, what processes do they use to
determine the necessary additional knowledge?
Notes:
Organizational knowledge addresses the need to determine and maintain the knowledge obtained by the organization, including by its personnel, to ensure that it can achieve
conformity of products and services. The process for considering and controlling past, existing and additional knowledge needs to take account of the organizations context,
including its size and complexity, the risks and opportunities it needs to address, and the need for accessibility of knowledge.
The balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization, provided that conformity of
products and services can be achieved. Organizational knowledge can include information such as intellectual property and lessons learned.
To obtain the knowledge required, the organization can consider:

a) internal sources (e.g. learning from failures and successful projects, capturing undocumented knowledge and experience of topical experts within the organization);
b) external sources (e.g. standards, academia, conferences, gathering knowledge with customers or providers).
Organizations need to demonstrate that, if they are planning to make changes to their QMS, they re-assess the extent of their current organizational knowledge and take steps
to improve it if it is determined to be insufficient to accommodate the planned changes.
7.2
Competence
Has the organization;
What process does the organization used to determine competence?
a) determined the necessary competence of those

people working under its control that affects its
quality performance?
b) ensured that those people possesses the
necessary competence either on the basis of
appropriate education, training, or experience?
c) taken actions, where applicable, to acquire the
necessary competence, and evaluated the
effectiveness of the actions taken?
What actions are taken to address competency gaps?
d) retained appropriate documented information to

evidence of the competence of its people?
Notes:
Competence is defined as the ability to apply knowledge and skills to achieve intended results

Clause #
Requirements
Yes
No
Organizations are still required to take action to address any competency issues and subsequentlyto check that this action has been effective. Additionally, organizations are
still required to maintainevidence to demonstrate that people doing work under its control are competent. This evidenceneeds to be maintained as documented information. For
example, a clean driving license can be evidence of competence for a driver)
As these requirements apply to personnel under its control this will include any sub-contract/agency personnel, as well as anyone undertaking outsourced processes and
functions see reference to the need to communicate competence requirements to external providers in ISO 9001:2015 clause 8.4.3 (c).
7.3
Awareness
Are persons doing work under the organizations control

aware of:
the organizations quality policy, any quality objectives that
are relevant to them, how they are contributing to the
effectiveness of the QMS and what the implications are of
them not conforming to QMS requirements?
What processes have been established by the organization to make people,

working on behalf of organization, aware of the stated requirements?
Notes:
The important factor here is the addition of requirement to make people aware both of the organizations quality objectives as well as the consequences of non-conformance
with its QMS requirements.
Auditors should note that additional information as set out above must be communicated to these individuals both (internal and external).
7.4
Communication
Has the organization determined those QMS related

matters on which it wishes to communicate internally and
externally including;
a) on what it will communicate, when it will
communicate, withwhom it will communicate and
how it will communicate?
Has communication strategy been developed and implemented?
Notes:
ISO 9001:2015 now makes communication with persons outside the organization a specific requirement.
Auditors should ensure that organizations are identifying external communications as well as internal communications that need to take place in respect of the operation of its
quality management system. They should also ensure that the organization has determined what it needs to communicate, when it will communicate, with whom it will
communicate and how it will communicate.
7.5
7.5.1
Documented Information
General

Clause #
7.5.2
7.5.3
7.5.3.1
7.5.3.2
Requirements
Does the organizations quality management system
include:both documented information identified as
required in standard and documented information
identified by the organization as necessary for the
effective operation of its quality management system.
Yes
No

Creating and updating

a) When creating and updating documented
information, does the organization ensure that it
is appropriately identified and described (e.g. title,
date, author, reference number), in an
appropriate format (e.g. language, software
version, graphics) and on appropriate media (e.g.
paper, electronic)?
Requirements are more explicit, but changes are insignificant.
b) Does the documented information reviewed and

approved for suitability and adequacy?
Upgrade audit: No changes
Control of documented information

a) Is the documented information controlled in order
to ensure that it is available where needed and
that it is suitable for use?
Upgrade audit: No changes
b) Is it adequately protected against improperuse,

loss of integrity and loss of confidentiality?
What processes established by the organization to comply with point b)

requirements?
For the control of documented information, has the

organization addressed the following activities, as
applicable:
a) how it will distribute, access, retrieve and use
documentedinformation?
b) how it will store and preserve documented
information, and how it will controlany
changes to the documented information?
No change from ISO 9001:2008 version

Clause #
Requirements
Yes
No
c) its retention and disposalarrangements?
d) Has the organization identified any

documented information of external origin that
it considers necessary for the planning and
operation of the organizations
qualitymanagement system
Notes:
The terms documented procedure and record used in ISO 9001: 2008 have both been replaced throughout ISO 9001:2015 by the term documented information, which is
defined as information required to be controlled and maintained by an organization, as well as the medium on which it is contained. Documented information can be in any
format and media and from any source.
There is no longer a requirement to establish and maintain a Quality Manual (2008 clause 4.2.2) or for mandatory documented QMS procedures.
The extent of documented information required for a quality management system can differ from one organization to another. This can be due to:
a)
the size of organization and its type of activities, processes, products and services; b) the complexity of processes and their interactions; or c) the competence of persons.
The organization needs to determine the level of documented information necessary to control its QMS.
Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented
information.
Examples:
Operational procedures, work instructions, flow charts, process maps, etc. are all examples of documented information. Organizations do not have to remove their current
Quality Manual or documented procedures. If an organization wishes to retain these then they can do so.
Operation
8.1
Operational planning and control
Does the organization plan, implement and control those

processes that it has previously identified (clause 4.4) as
necessary in order for it to meet product or service
requirements and to implements the actions determined in
6.1 by;
Is the organizational process identified for Production or service in control and where not,
are appropriate action taken for those identified risks and opportunities?
a) determining the product and services

requirements;
This should include organizational internal requirements and external

customer requirements.
b) establishing criteria for the processes and for the

acceptance of products and services?
What criteria established for controlling the processes and the resulting
output?

Clause #
Requirements
c) determining resources needed to support each
process and implementing control of the
processes in accordance with the criteria?
d) retaining documented information to the extent
necessary to ensure that its processes are being
carried out as planned, and that the products and
services that are being produced conform to the
identified requirements and acceptance criteria?
Is the output of operational planning and control suitable
for the organization's operations?
Yes
No

Objective evidences for control of processes to demonstrate adequate
resources;
Objective evidence to demonstrate that processes are carried out as planned
and the output meets the requirements of acceptance criteria.
Objective evidence that KPIs/ measuring of the processes have been met
and/ or the action taken if they are not.
Does the organization control planned changes and

review the consequences of unintended changes, taking
action to mitigate any adverse effects, as necessary?
Does the organization ensure that outsourced processes
are controlled in accordance with clause 8.4?
Have the organization identified the controls to be applied to outsourced

processes?
Notes:
The term product realization has been withdrawn and replaced by operation, and the requirement for Planning of product realization has been replaced by Operational
planning and control.
The new control-focused requirements centre on ensuring that processes are implemented as planned, including actions to address risks and opportunities. This needs to be
evidenced by means of documented information.
ISO 9001:2015 introduces a requirement to establish the criteria for the processes and to implement controls in accordance with the criteria. The emphasis is on controlling
the processes and organizations need to demonstrate that they have planned and implemented the appropriate process criteria:
inputs, outputs, resources, controls, criteria, process measurement indicators, etc., plus
any actions required to address identified risks and opportunities.
Additional requirements are included in ISO 9001:2015 relating to the control and review of changes to process controls (including unintended changes). Auditors should also
gather and evaluate evidence related to it.

Clause #
8.2
8.2.1
Requirements
Yes
Determination of requirements for products and services
No
Customer communication
Has the organization established the processes for
communicating with customers on matter related to;
a) its products and services, enquiries, contracts or

order handling (including amendments?
b) obtaining customer views and perceptions,

including customer complaints?
c) the handling or treatment of customer property?
d) specific requirements for contingency actions,
when customer requirements are not met?
Notes:
These requirements are essentially the same as for ISO 9001:2008 sub-clause 7.2.3 Customer communication, but with the addition of new requirements to communicate in respect of
the handling or treatment of customer property and specific requirements for contingency actions where relevant. The requirement to obtain customer feedback has been amended to
obtain customer views and perceptions.
8.2.2
Determination of requirements related to products and services

Has the organization put in place a process to ensure that
requirements for the products and services it intends to
offer to customers have been defined? This includesany
applicable statutory and regulatory requirements (and
those considered necessary by the organisation).
No changes from the ISO 9001:2008 version.
Does the organization ensure that it has the ability to meet

the defined requirements and substantiate the claims for
the products and services it intends to supply?
Notes:
ISO 9001:2015 starts from the position that the organization has already determined the products and services it intends to offer to customers, taking into account customer

Clause #
Requirements
Yes
No
requirements.
Auditors should also evidence that the organization is able to substantiate any claims it is making for the products and services it offers e.g. Claims for mileage per litre of
petrol by the Car manufacturer, an ISO 9001 certified company catalogue/ website or in media claiming certification for full range of products against a limited scope of
certification etc.
8.2.3
8.2.3.1
Review of requirements related to products and services

Does the organization review, as applicable:
a) requirements relating to its products and services,
consideration of requirements set by the
customer, including ones relating to delivery and
post-delivery
b) consideration of any requirements not expressly
stated by the customer but that are known to be
necessary for the product or service to be suitable
for thecustomers intended use?
c) consideration of any statutory or regulatory
requirements relating to the product or service,
and any new or changed requirements that differ
from those previouslydetermined?
d) Is this review conducted prior to the organizations
commitment to supply products and services to
the customer and does it ensure that contract or
order requirements differing from those previously
defined are resolved?
e) Where the customer does not provide a
documented statement of their requirements, are
the customer requirements shall be confirmed by
the organization before acceptance?
8.2.3.2
Is documented information retained which describes the

results of the review, including any new or changed
No changes from the ISO 9001:2008 version.

Clause #
8.2.4
Requirements
requirements for the products and services?
Yes
No
Where requirements for products and services are

changed, does the organization ensure that relevant
documented information is amended and that relevant
personnel are made aware of the changed requirements?
Notes:
There is no substantive change to content, though there is recognition that when reviewing requirements relating to products or services, these requirements could now include
those arising from relevant interested parties not just from customers.
Auditors should ensure that requirements from relevant interested parties are considered as part of an organizations product and service requirement review process.
8.3
Design and development of products and services
8.3.1
General
Has the organization established, implemented and

maintained a design and development process that it is
adequate for subsequent production or service provision?
Notes:
ISO 9001:2015 now makes clear the circumstances when design and development is required; there is also a specific requirement for a design and development process to be in
place:
where the organisation has not established detailed requirements for products or services, or
where these have not been defined by the customer or other interested parties
Increased knowledge of the products and services, and methods of arriving at them, will be required by auditors in order to be able to verify whether the organizations QMS should or
should not include design and development.
8.3.2
Design and development planning

When determining the stages and controls to be applied to
its design and development process, does the
organization considered:
Does the organizations design process include the stages and evidences of a) through h)
as below?
Note: The organizations current product or service in the design phase should be the
objective evidence.

Clause #
Requirements
a) the nature, duration and complexity of the design
and development activities?
Yes
No
b) anyrequirements that specify particular process

stages must be included, for example design and
development reviews, verification & validation?
c) the responsibilities and authorities of those
involved in the design and development process?
d) the internal and external resource needed for the
design and development of products and
services?
e) the need to ensure that interfaces between
individuals and parties involved in the design and
development process are controlled?
f)
the need for involvement and control expected by

the customer and user groups in the design and
development process?
g) the requirements for subsequent provision of

products and services?
h) the necessary documented information to confirm

that design and development requirements have
been met?
Notes:
ISO 9001: 2015 is more explicit in terms of the elements that must be considered as part of the design planning process.
Auditors should ensure that organizations are able to evidence that they have taken into consideration the explicitly referenced considerations relating to the design and
development process set out above.
They should also ensure that the organization has retained documented information to confirm that its identified design and development requirements have been met.
8.3.3
Design and development inputs
Does the organization determine:

Clause #
Requirements
Yes No
as below?
objective evidence.
a) requirements essential for the specific type of
products and services being designed and
developed, including, as applicable, functional and
performance requirements?
b) applicable statutory and regulatory requirements?
c) anystandards or codes of practice that the
organization has committed to implement?
d) any resources needed, whether internal and
external for the design and development of
e) the potential consequences of failure due to the
nature of the products and services?
f)
Are inputs adequate for design and development

purposes, complete and unambiguous?
g) Are conflicts on design & development inputs

resolved?
h) Are the documented information maintained for

the design and development input?
Notes:
Auditors need to verify that the organization has addressed the specific new requirements set out in ISO 9001:2015, sub-clause: 8.3.3 specifically, those relating to resource
requirement and the consequences of design or development failure.
8.3.4
Design and development controls

Has the organization applied controls to its design and
Does the Organizations design process include the stages and evidences of a) through d)

Clause #
Requirements
development process to ensure that:
Yes No
as below?
Note: The Organizations current product or service in the design phase should be the
objective evidence.
a) the results from undertaking the design and
development process are clearly defined?
b) design and development reviews takes place as
per planned arrangements?
c) design and development outputs meets the input
requirements (verification)?
d) the resulting products and services are fit for their
intended use and specified application, where
known to the organization (Validation)?
Notes:
This is a new clause introduced by ISO9001:2015, which is basically a combination of the requirements in ISO 9001: 2008 relating to design review, verification and validation.
There is no change in the audit approach required. However, the requirement in ISO 9001: 2008 that, where practicable, validation should be completed prior to the delivery or
implementation of the product/service has been removed.
8.3.5
Design and development outputs

Does the organization ensure that design and
development outputs:
as below?
objective evidence.
a) meet the input requirements for design and

development and suitable for use in subsequent
processes?
b) As applicable, includes or reference any related
monitoring and measuring requirements, and
acceptance criteria?

Clause #
Requirements
c) Finally, does the organization ensure that the
products that are to be produced or the services
that are to be delivered are fit for their intended
purpose and are safe to use?
Yes
No
d) Does the organization retain the documented

information resulting from the design and
development process?
Notes:
The requirements are essentially unchanged, except that the requirement to include or reference monitoring and measuring requirements, where appropriate has been
added.
Auditors should note the additional requirement for documented information in respect of sub-clause 8.3.5. They should also note the need for design outputs to reference
monitoring and measuring requirements, as applicable.
8.3.6
Design and development changes
as below?
objective evidence.
a) Does the organization review, control and identify

changes made to design inputs and design
outputs during the design and development of
products and services or subsequently, to the
extent that there is no adverse impact on
conformity to requirements?
b) Is documented information on design and

development changes retained?
Notes:
The ISO 9001:2015 requirements are essentially the same, though there is no longer any reference for design and development changes having to be verified, validated and
approved before implementation (ISO 9001: 2008 clause 7.3.7).
No change in the audit approach would require.
8.4
8.4.1
Control of externally provided processes, products and services

General

Clause #
Requirements
Does the organization ensure that externally provided

processes, products and services meet the organizations
specified requirements?
Does the organization apply the specified requirements for
the control of externally provided products and services
when:
Yes
No
Has the organization identified risks and actions for the products and services
provided by the external providers?
Has the organization determined the requirements to demonstrate adequate controls over
external providers for a) through c) as below?
a) products and services from the external providers

for incorporation into the organizations own
b) products and services to be provided directly to
the customer by external providers on the
organizations behalf?
c) outsourced processes or part of a process from
an external provider?
Has the organization established and applied criteria that

allows it to evaluate and select external providers and,
that allows it to subsequently monitor their performance?
Criteria relating to the re-evaluation of external providers
also need to be established and implemented.
Does the organization retain appropriate documented

information for the results of external providers
evaluation, re-evaluation and monitoring of their
performance?
Does the organizations process include monitoring the performance of

external providers?
Notes:
The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided
products and services.
Auditors should note the new requirement for the organization to establish criteria to allow it additionally to monitor the performance of external providers. This must be
maintained as documented information.
They should also note the requirement for organization to provide a record of the results of their monitoring of the external providers performance as documented information.

Clause #
8.4.2
Requirements
Type and extent of control
Yes
No
In determining the type and extent of controls to be

applied to the external provision of processes, products
and services, does the organisation take into
consideration:
What processes are established by the organization to demonstrate control over

processes, products and services provided by the external provider for the points a)
through e) as below?
a) the externally provided processes are part of its

Quality management system?
b) the controls it intends to apply to both the external
provider and the resulting output?
c) the potential impact that the externally provided
processes, products or services could have on its
ability to supply conforming products and services
to its customers and meeting statutory and
regulatory requirements?
d) how effective it considers the controls that are
being applied by the provider are?
e) verification or other activities necessary to ensure
the externally provided processes, products and
services conforms to its customer requirements?
Notes:
ISO 9001:2015 now requires the organizations to control both, the external providers and the potential impact of the externally provided processes, products or services on the
organizations ability consistently to meet customer and applicable statutory and regulatory requirements.
There is a greater emphasis on the organizations need to satisfy itself that the controls applied by its external providers (to ensure that it meets the organizations
requirements) are adequate.
8.4.3
Information for external providers

Does the organization ensure that the requirements it
intends to communicate to the external provider are
reviewed for adequacy prior to their being communicated?

Clause #
Requirements
Does the organization communicate to external providers
applicable requirements for the following:
Yes
No
a) products or services to be provided or the

processes to beperformed by the external
provider on behalf of the organization?
b) approval or release of products and services,
methods, processes or equipment?
c) competence of personnel, including
necessary qualification they must possess?
d) their appropriate interactions with the
organization's quality management system?
e) details as to how the external providers
performance will be monitored and controlled
by theorganisation?
f)
New requirement as covered in section 8.4.1.
details of any verification or validation

activities that the organisation (or its
customer) intends to perform atthe external
providers premises?
Notes:
Essentially, these requirements are unchanged. However few requirements are expanded such as;
there is an acknowledgement that organizations may need to communicate not just the products or services they wish to receive, but also any processes they want the external
provider to undertake on their behalf.
The requirement for the organization to communicate, as applicable, the necessary qualification of personnel to cover the competency and qualification of personnel.
- The requirement for the organization to communicate any quality management system requirements, as applicable, to their (ie the external providers) interactions with the
organizations quality management system.
8.5
8.5.1
Production and service provision

Control of production and service provision
Has the organization implemented controlled conditions

Clause #
Requirements
for production and service provision, including delivery
and post-delivery activities?
Do those controlled conditions include, as applicable:
a) documented information that defines the

characteristics of the products and services is
available?
b) documented information that defines the activities

to be performed and the results to be achieved is
available?
Yes
No
c) suitable monitoring and measuring resources are

made available?
d) monitoring and measurement takes place at
appropriate stages in the production process to
ensure that both the processes themselves and
the process outputs meet the organizations
acceptance criteria
e) the process environment and infrastructure are
suitable?
f)
personnel are competent and, where necessary,

appropriately qualified?
g) for processes where the results cannot be verified

by subsequent monitoring or measurement, the
process itself is initially validated and then
periodically re-evaluated?
h) products and services release, delivery and postdelivery activities are implemented?
Notes:
This clause is essentially the amalgamation of clause 7.5.1 and 7.5.2 of ISO 9001:2008 with few modifications as below;

Clause #
Requirements
Yes
No
The reference to work instructions has been replaced by a reference to documented information that defines the activities to be performed and the results to be achieved.
The results to be achieved is an important addition. These may not appear in existing documentation describing the activities to be performed or in records generated from
them.
There is now an explicit requirement to ensure monitoring and measurement activities are undertaken at appropriate points. This is in order to verify processes are being
controlled and that process outputs, products and services are meeting their acceptance criteria.
Reference is made to monitoring and measuring resources as opposed to monitoring and measuring equipment, reflecting the fact that monitoring may be being carried out
by humans.
The qualification of personnel has modified to the competency and, where applicable, required qualification of persons emphasizing competency over qualification
8.5.2
Identification and traceability

Where necessary to ensure conformity of products and
services, does the organization use suitable means to
identify process outputs?
Does the organization able to identify the status of
process outputs in respect of any monitoringand
measurement requirements it has set, at all stages of
production or service provision?
Where traceability is a requirement, does the organization

control the unique identification of the process outputs and
retain any documented information necessary to maintain
traceability?
Notes:
These requirements are essentially the same as ISO 9001: 2008 clause 7.5.3, but the emphasis now is on process outputs rather than products.
Process outputs are the results of any activities which are ready for delivery to the organizations customer or to an internal customer (e.g. receiver of the inputs to the next
process). They can include products, services, intermediate parts, components, etc.
8.5.3
Property belonging to customers or external providers

Does the organization take care of property that has been
supplied to it forincorporation into its products or services
by customers or by external providers?
Objective evidence for the property belonging to customer or external

providers;

Clause #
Requirements
Does the organization ensure that any such property is
identified, verified, protectedand safeguarded?
Yes
No
If the property is lost or damaged, or found unsuitable for

use, has the organization made ensure that this isreported
back to the customer or external provider including
retaining documented information?
Notes:
These requirements are essentially the same as those in ISO 9001: 2008 (clause 7.5.4), but the definition of customer property has been widened to specify that it can include
material, components, tools and equipment, customer premises, intellectual property and personal data.
The evidence is required to confirm that the controls appearing in ISO 9001:2008 relating to customer property have been extended to cover property from external providers.
8.5.4
Preservation
Does the organization ensure preservation of process
outputs during production and service provision, to the
extent necessary to maintain conformity to requirements?
Notes:
These requirements are essentially the same as those in ISO 9001: 2008 (clause 7.5.5), but again the emphasis now is on process outputs rather than product.
8.5.5
Post-delivery activities
Does the organization fulfil requirements for post-delivery
activities related to its products and services?
When making this decision, does the organisation

consider:
a) the risks associated with the particular product or
service, the nature of the product or service, how
the product or service will be used andwhat the
product or services intended lifetime is.
b) any post-delivery activities also needs to take into
account customer feedback and any applicable
The processes established by the organization to address the post-delivery activities and
associated risk identified based on the nature product or service;

Clause #
Requirements
statutory or legal requirements?
Yes
No
Notes:
This clause expands the ISO 9001: 2008 requirement that post-delivery activities are carried out under controlled conditions clause 7.5.1 (f) and now also requires the
organization to consider a list of issues as above when determining what post-delivery activities are required.
Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services and supplementary services such as recycling or
final disposal.
8.5.6
Control of changes
Does the organization control any unplanned changes that

are considered essential in orderto ensure that products
or services continue to meet their specified requirements?
The processes established to address any sudden changes and related

objective evidence;
Does the organization retain documented information

describing the results of thereview of the changes, the
person(s) authorizing the changes and any necessary
actions?
Notes:
These are new specific requirements (though they are implicit in ISO 9001: 2008 clauses 7.5.1 & 2).
Organizations need to demonstrate that where it has to make unplanned changes to its processes in order to ensure its products or services conform to specified requirements,
these changes must be made in a controlled manner.
8.6
Auditors should evidence that the organisation has controlled unplanned changes in accordance withthe requirements set out above
Release of products and services
a) Does the organization carry out predetermined
verification at appropriate stages in the
production/delivery process in order to verify that
products and services meet agreed acceptance
criteria?
b) Does the release of Products or services not
normally proceed to the customer until all of the
planned tests and checks have been satisfactorily

Clause #
Requirements
completed, unless otherwise approved by a
relevant authority and where applicable,
permission for early release must also be
obtained from the customer?
Yes
No
c) Does documented information retained provide

evidence of conformity to acceptance criteria and
traceability to the person(s) authorizing release of
products and services for delivery to the
customer?
Notes:
These requirements are essentially the same as those in ISO 9001: 2008.
8.7
8.7.1
Control of nonconforming outputs

Does the organization identified process outputs, products
or services that do not conform to their intended
requirements? Controls need to be established and
implemented to ensure that these nonconforming
process outputs, products or services are not delivered to
the customer or used unintentionally.
Where nonconforming process outputs, products or
services are identified, does the organization take
corrective action proportionate, reflecting both the nature
of the nonconformity and its ability to impact the
organizations intended product or service?
Is this also applied to nonconforming products and
services detected after delivery of the products or during
the provision of the service?
Does the organization deal with nonconforming process

outputs, products or services in one or more of the
following ways:
by correcting the fault;
The processes established to deal with non-conforming product/ or service

and clients notified, where appropriate;

Clause #
Requirements
Yes
No
8.7.2
by segregation, containment, return or suspension

of provision of product and services;
by informing the customer;
by obtaining authorization for acceptance under a
concession.
Does the organization retain documented information of
on nonconforming description, actions taken, any
concessions obtained and on the person or authority that
made the decision regarding dealing with the
nonconformity?
Notes:
These requirements are essentially the same as those in ISO 9001: 2008 (clause 8.3), but once again, process outputs are a key focus of the requirements, though the
options available when non-conformities are identified are more explicitly detailed; in particular, the need to take corrective action.
Documented procedure is no longer required, but documented information relating to non-conformities now has to include details of the person(s), who authorized the action
taken to deal with it.
9
9.1
9.1.1
Performance evaluation
Monitoring, measurement, analysis and evaluation
General
Has the organization determined;
a) what it needs to monitor andmeasure?
b) the requirement for methods to ensurevalid results
also extends to the organisations analysis and
evaluation activities?
c) when monitoring and measurement should be
carried out and atwhat stage the results of
monitoring and measurement should be analysed
and evaluated?
Objective evidence of evaluating of the results of monitoring and

measurement and analysis;

Clause #
Requirements
Has the organizations subsequently ensured that
monitoring and measurement takes placein accordance
with the requirements the organization has set itself?
Yes
No
Has the organization ensured that wheremonitoring and

measurement takes place, documented information is
retained to evidencethe results?
Notes:
The auditors should confirm that the organization identify the what how and when of the monitoring and measurement, along with when the results should be evaluated.
Auditors should note the additional requirement for organizations to evidence evaluation of the results of monitoring and measurement, not just their analysis.
They should also note a new requirement to monitor the performance and effectiveness of the organizations quality management system.
9.1.2
Customer satisfaction
Does the organization monitor the degree to which
customers believe their requirements for products and
services have been met?
Have the methods for obtaining, monitoring and reviewing
this information been determined?
What methods determined by the organization to monitor & review customer

perception;
Notes:
Organizations now need to demonstrate that they have sought out information relating to how customers view the organization itself as well as its products and services. They
also must have a defined methodology identifying both how they will obtain, monitor and review this information.
Information related to customer views can include customer satisfaction or opinion surveys, customer data on delivered products or services quality, market-share analysis,
compliments, warranty claims and dealer reports, etc.
9.1.3
Analysis and evaluation

Does the organization analyze and evaluate appropriate
data and informationthat it has obtained either internally or
externally for a variety of pre-defined purposes?
Is the output of analysis and evaluation used to:

Clause #
Requirements
demonstrate that the organizations products and

services conform to requirements;
to assess and enhance customer satisfaction;
to ensure the performance and effectiveness of
the quality management system;
to demonstrate that planning has
beensuccessfully implemented;
the effectiveness of actions pertaining to risk and
opportunities;
assess the performance of external providers;
improvements needed in the organizations QMS.
Yes
No

Objective evidence of analysis of data carried out and the effectiveness of
actions related to identified risk & opportunities;
Notes:
Although these requirements are similar to those in ISO 9001: 2008 (clause 8.4) there are now explicit requirements relating to how the analysis and evaluation data must be
used. Organizations now need to demonstrate evaluation as well as analysis of data (from measurement, monitoring or other sources);
There has to be evidence of interpretation of the data analysis they carry out including effectiveness of actions pertaining to risk & opportunities identified.
Auditors should note that organisations now need to evidence both analysis and evaluation of data and information. It is not sufficient just to carry out an analysis without
interpreting the results. They should ensure that organisations are able to evidence through analysis and evaluation thatplanning has been effective.
9.2
9.2.1
Internal audit
Does the organization carry out internal audits at planned
intervals in order to determine whether the quality
management system;
a) conforms to both the organizations own
requirements and the requirements of ISO 9001?
b) is being effectively implemented and maintained?
9.2.2
Does the organization:

a) When planning, establishing and implementing an
audit programme including frequency, methods,
responsibilities, planning requirements and
reporting, does the organization consider the
importance of the processes concerned, changes
within the organization, and the results of previous
audits?

Clause #
Requirements
Yes
No
b) have a defined scope and its own audit criteria

each audit?
c) ensure audits and auditors be impartial and
objective of the process audited?
d) ensure that the findings from audits fed back to
the relevant management with any required
corrections or corrective actions being taken in a
timely manner?
e) retain documented information to provide

evidence that the audit programme has been
implemented and the results of audits?
Notes:
Organizations are not necessarily required to have a documented internal audit procedure, however auditors must be able to access documented information confirming the
implementation of anaudit programme by the organization including evidences related to results of audits.
While reviewing the internal audit programme of the organization, auditors should ensure thatconsiderations are given to the importance of the processes concerned,
changes within the organization, and the results of previous audits .

9.3
Management review
9.3.1
Does reviews of the quality management system

undertaken by top management at planned intervals in
order to ensure the quality management systems
continuing suitability, adequacy and effectiveness?
9.3.2
Is the management review planned and carried out taking

into consideration;
a) thereview of actions decided during previous
management reviews?
b) thechanges to context (internal/ external issues)
of the organization that are relevant to its QMS?
c) information on the performance and QMS

effectiveness, including trends and indicators for;
feedback from Customer and relevant interested
parties,
achievements related to the Quality objectives,

Clause #
Requirements
Yes
No
process performance and conformity of products

and services,
non-conformities and related corrective actions,
results of monitoring and measurement, and
external providers performance.
d) adequacy of resources required for maintaining an

effective QMS?
e) process performance and conformity of products
and services?
f)
9.3.3
reviewing the effectiveness of actions

implemented to address risks and opportunities?
g) new potential opportunities for continual

improvement?
Does the outputs of the management review include
decisions and actions related to:
a) improvement opportunities?
b) any need for changes to the quality management
system, including resources needed?
Does the organization retain documented information as
evidence of the results of management reviews?
Note:
Organizations are now required to retain documented information as evidence of the results of the management reviews (rather than records of management review as stated
in 9001:2008)
Auditors should expect to evidence the same outputs from management reviews as at present. However, they should note that the results of management reviews can now be
held in any format that the organization chooses.
10
Improvement
10.1
General
Does the organization decide and choose improvement

opportunities and take necessary actions that will better
What processes are planned and implemented by the organization to improve

Clause #
Requirements
enable the organization to meet customer requirements
and enhance their customers satisfaction?
Yes
No

the Quality performance and effectiveness of QMS?
Does this include, as appropriate:

a) improving process output to fulfill the
requirements and to address future requirements?
b) correction, prevention and reduction of unwanted
results?
c) improvement of performance and QMS
effectiveness?
Note:
This is a new section which emphasises the general need to improve processes, products and services, as well as the performance of QMS overall, in order to meet customer
current and future requirements and enhance customer satisfaction.
The associated note reminds that Improvement can be effected reactively (e.g. corrective action), incrementally (e.g. continual improvement), by step change (e.g.
breakthrough), creatively (e.g. innovation) or by re-organisation (e.g. transformation).
Auditors should note that there is no longer a requirement to audit preventive action as a separate entity.
10.2
10.2.1
Nonconformity and corrective action

When a nonconformity is identified including complaints,
does the organization:
a) take whatever action is necessary to control and
correct the nonconformity, and to deal with any
resultant consequences
b) consider whether any further action is required to
eliminate the causes of the nonconformities to
avoid their re-occurrence or occurrence
elsewhere, by review of nonconformity, cause
analysis, and determine if similar nonconformity
exist or may occur in future?
c) implement any actions identified as needed,
review theireffectiveness and make changes to
the quality management system if required?

Clause #
Yes
No
Does the evidences of nature of nonconformity and any

subsequent action taken, and corrective action results are
retained as documented information by the organization?
Note:
Requirements
Are the corrective actions appropriate to the effects of the
nonconformities encountered?
Auditors should evidence that, where nonconformities have been identified by an organization, an investigation has been conducted to determine whether other similar
nonconformities actually do or potentially could exist.This covers some of the requirements previously included under Preventive Action.
They should also evidence that where nonconformity has occurred, the organization has considered whether it needs to make changes to the wider quality management
system to prevent a re-occurrence.
10.3
Continual Improvement
Does the organization work continually to improve its
quality management system in terms of suitability,
adequacy and effectiveness?
Does the organization consider the outputs of analysis
and evaluation, and from management review, to confirm
if there are areas of underperformance or opportunities
that need to be addressed to ensure continual
improvement?
Note:
Organizations now need to demonstrate that they are using the outputs from their analysis and evaluation processes to identify areas of unsatisfactory performance and
opportunities for improvement.
Auditors should evidence that organizations are using the outputs from their analysis, evaluation and management review processes to identify improvement opportunities and
quality management system performance.
Legend:
Symbol
Description
Documented information to be either maintained (document) or retained (record)

Delta for additional requirements with the existing once
New clause/ requirements introduced in ISO 9001:2015 version

F103-12-QMS-2015 ISO 9001 2015 Checklist Guidance

Uploaded by

Copyright:

Available Formats

F103-12-QMS-2015 ISO 9001 2015 Checklist Guidance

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

F103-12-QMS-2015 ISO 9001 2015 Checklist Guidance

Uploaded by

Copyright:

Available Formats

ISO 9001:2015 Checklist/ Guidance Document

Context of the organization

Understanding the organization and its context

Has the organization identified the external and internal issues

Objective evidence/ Remarks

An organizations context may include:

Understanding the needs and expectations of interested parties

F103-12-QMS-2015 Issue date: 08-OCT-2015

ISO 9001:2015 Checklist/ Guidance Document

Objective evidence/ Remarks

a) Has the organization determined the interested parties

b) Does the organization monitor and review the

Determining the scope of the quality management system

F103-12-QMS-2015 Issue date: 08-OCT-2015

ISO 9001:2015 Checklist/ Guidance Document

Objective evidence/ Remarks

The scope of the Quality management system sets its

Is the scope made available and maintained as

Does the scope include any justification or instances

Does the scope include all consideration in point a) as well as geographical

Quality management system and its processes

Has the organization adopted the process approach

b) Has the organization determined the processes needed

F103-12-QMS-2015 Issue date: 08-OCT-2015

Is the process approach understood in the organization;

Ensure requirements in point b) has met and upload organizations processes to

ISO 9001:2015 Checklist/ Guidance Document

Objective evidence/ Remarks

Measurements and related performance indicators,

Objective evidence can be indicated on process audit notes F103-16 or the

Leadership and commitment

F103-12-QMS-2015 Issue date: 08-OCT-2015

ISO 9001:2015 Checklist/ Guidance Document

Objective evidence/ Remarks

Has top management exhibited their leadership and

a) Taking accountability of QMS effectiveness?

communicating the importance conforming to the quality

g) ensuring that quality management system attain its

F103-12-QMS-2015 Issue date: 08-OCT-2015

ISO 9001:2015 Checklist/ Guidance Document

Objective evidence/ Remarks

a) Customer and applicable statutory and regulatory

b) provides a framework for the setting the quality

F103-12-QMS-2015 Issue date: 08-OCT-2015

Objective evidence must include an interview with Top management

ISO 9001:2015 Checklist/ Guidance Document

Objective evidence/ Remarks

Is the Quality policy;

Interview with Top management down to different levels of the

Organizational roles, responsibilities and authorities

Objective evidence must include an interview with Top management

Has top management assigned the responsibility and authority

F103-12-QMS-2015 Issue date: 08-OCT-2015

Interview through different level in the organization to ensure

ISO 9001:2015 Checklist/ Guidance Document

Objective evidence/ Remarks

d) ensuringwhenever changes to QMS is planned and

Planning for the Quality Management system