The ultimate plan involves:

1. Understanding how the ISO 9001 model should operate within your organization
2. Planning the quality management system so as to achieve your quality objectives
3. Documenting the quality management system
4. Implementing the quality management system
5. Auditing the performance of the quality management system
6. Reviewing the performance of the quality management system

For organizations that are in the process of implementing or have yet to implement a QMS, ISO 9001:2008 emphasizes a process approach. This includes:

1. Identifying the processes necessary for the effective implementation of the quality management system
2. Understanding the interactions between these processes
3. Documenting the processes to the extent necessary to assure their effective operation and control. (It may be appropriate to document the processes using process maps.

It is emphasized, however, that documented process maps are not a requirement of ISO 9001:2008.)  These processes include the management, resource, product realization and measurement processes that are relevant to the effective operation of the QMS.

Analysis of the processes should be the driving force for defining the amount of documentation needed for the quality management system, taking into account the requirements of ISO 9001:2008. It should not be the documentation that drives the processes.

For organizations that currently have a QMS, the following is intended to assist in understanding the changes to documentation that may be required or facilitated by the transition to ISO 9001:2008. An organization with an existing QMS should not need to rewrite all of its documentation in order to meet the requirements of ISO 9001:2008.

This is particularly true if an organization has structured its QMS based on the way it effectively operates, using a process approach. In this case, the existing documentation may be adequate and can be simply referenced in the revised quality manual.

An organization that has not used a process approach in the past will need to pay particular attention to the definition of its processes, their sequence and interaction. An organization may be able to carry out some simplification and/or consolidation of existing documents, in order to simplify its QMS.

For organizations wishing to demonstrate conformity with the requirements of ISO 9001:2008, for the purposes of certification/registration, contractual, or other reasons, it is important to remember the need to provide evidence of the effective implementation of the QMS. Organizations may be able to demonstrate conformity without the need for extensive documentation.

To claim conformity with ISO 9001:2008, the organization has to be able to provide objective evidence of the effectiveness of its processes and its quality management system. Clause 3.8.1 of ISO 9000:2005 defines “objective evidence” as “data supporting the existence or variety of something” and notes that “objective evidence may be obtained through observation, measurement, test, or other means.” Objective evidence does not necessarily depend on the existence of documented procedures, records or other documents, except where specifically mentioned in ISO 9001:2008.

In some cases, (for example, in clause 7.1(d) Planning of product realization, and clause 8.2.4 Monitoring and measurement of product), it is up to the organization to determine what records are necessary in order to provide this objective evidence.

Where the organization has no specific internal procedure for a particular activity, and this is not required by the standard, (for example, clause 5.6 Management Review), it is acceptable for this activity to be conducted using as a basis the relevant clause of ISO 9001:2008. In these situations, both internal and external audits may use the text of ISO 9001:2008 for conformity assessment purposes.

Read more on the ISO 9001 implementation guidance at http://iso9001malaysia.wordpress.com/2010/04/05/iso-9001-implementation-guide/.

Certifying your quality management system means having an accredited Certification Body or Registrar verify that your quality management system is in conformance with the requirements of ISO 9001:2008.

Proof of this independent verification is presented in a form of a certificate, thus an “ISO 9001 Certificate”.  However, there is a bit of confusion with regards to the related terms.  In the context of ISO 9001:2008, “certification” refers to the issuing of written assurance (the certificate) by an independent external body that it has audited a management system and verified that it conforms to the requirements specified in the standard, while “registration” means that the auditing body then records the certification in its client register.  Therefore, the organization’s management system has been both certified and registered.

The difference between the two terms is not significant and both are acceptable for general use. “Certification” is the term most widely used worldwide, although registration is often preferred in North America, and the two are used interchangeably.  On the contrary, using “accreditation” as an interchangeable alternative for certification or registration is a mistake, because it means something different.

Accreditation refers to the formal recognition by a specialized body – an accreditation body – that a certification body is competent to carry out ISO 9001 certification in specified business sectors.

In any audit, your organization must provide evidence of the effective implementation of the QMS.  Clause 3.8.1 of ISO 9000:2005 defines “objective evidence” as “data supporting the existence or variety of something” and notes that “objective evidence may be obtained through observation, measurement, test, or other means.”  

Objective evidence does not necessarily depend on the existence of documented procedures, records or other documents, except where specifically mentioned in ISO 9001:2008.  In some cases, (for example, in clause 7.1(d) Planning of product realization, and clause 8.2.4 Monitoring and measurement of product), it is up to the organization to determine what records are necessary in order to provide this objective evidence.

Before you go for the ISO 9001 certification by an independent Certification Body, you must be able to demonstrate that you have already established, documented, implemented, maintained and improved your quality management system as per the ISO 9001 standard. 

Quality records must have been generated for at least 3 to 6 months before you go for that certification process.   You have to appoint an ISO 9001 Registrar to certify your QMS.  Self-declaration of conformance is possible but it is without merit.  The best practice approach is to have an independent auditor to verify your QMS conformance to ISO 9001 requirements.  You may choose to certify your QMS if,

• it is a contractual or regulatory requirement;
• it is a market requirement or to meet customer preferences; or
• it increases internal and external values.

Normally, the audit process comprises of two stages.  Stage 1 represents the documentation audit.  Here, the auditors will assess for adequacy of your QMS based on your documentation.  The objective is to assess if you QMS is in conformance to ISO 9001 requirements.  If there is any deficiency, you will be asked to review the documented quality management system.

Stage 2 is the physical audit.  The auditors will interview relevant personnel, make observations of your process performance and inspect your records in order to verify that you have implemented what you planned to do.  If they find any nonconformances, don’t panic.  Make corrective actions and re-audit.  You will be given ample time to make the corrective actions- the time frame is negotiable with the auditors.

Audit methodologies include interviews with relevant personnel at all levels, inspection of records and processes, and observations of work activities and the work environment.  Ensure that everyone is aware of the role they play within the quality management system, quality records are in order and the procedures are observed.  Remember, an audit’s purpose is to verify your quality management system’s conformance to specified requirements and its effectiveness in achieving its objectives.

Besides the financial aspect of selecting your Registrar/Certification Body, here are the vital criteria:

1. Establish whether the certification body has auditors with experience in the organization’s sector of activity;
2. Establish whether the certification body implements, or is migrating to ISO/IEC 17021:2006, Conformity assessment – Requirements for bodies providing audit and certification of management systems ;
3. Another point to clarify is whether or not the certification body has been accredited and, if so, by whom.

Accreditation, in simple terms, means that a certification body has been officially approved as competent to carry out certification in specified business sectors by a national accreditation body.

Does your organization need to to get certified?  The answer is no.  The ISO 9001 standard does not require your organization to certify its Quality Management System.   But if you do certify your QMS, then it is only a voluntary effort to meet national and global best practices, with regard to product quality management.

It is crucial that the QMS that you establish and implement demonstrate these principles in action.  One key to better understanding of the requirements of ISO 9001 is to understand these underlying principles, and in the operation of the quality management system, these principles must be adhered to, without fail:

1. Customer focus ~ Organizations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.
2. Leadership ~ Leaders establish unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization’s objectives.
3. Involvement of people ~ People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization’s benefit.
4. Process approach ~ A desired result is achieved more efficiently when activities and related resources are managed as a process.
5. Systems approach to management ~ Identifying, understanding and managing interrelated processes as a system contributes to the organization’s effectiveness and efficiency in achieving its objectives.
6. Continual improvement ~ Continual improvement of the organization’s overall performance should be a permanent objective of the organization.
7. Factual approach to decision making ~ Effective decisions are based on the analysis of data and information.
8. Mutually beneficial supplier relationships ~ An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value.

The ISO 9001 standard specifies a quality management system model that universally applicable to any kinds of organizations.  The focus is on meeting customer requirements and enhancing customer satisfaction levels.  These objectives must be specific and measureable.  So, if you have an organization (no matter how small), have a product (includes both tangible and intangible) and have customers, then you ought to be implementing this standard.

Preparation of ISO 9001:2008

The ISO 9001 international standard was prepared by ISO’s technical committee, aptly called ISO TC/176 , Quality Management and Quality Assurance, Subcommittee SC 2, Quality systems.

The latest revision of ISO 9001 was officially published on November 14th, 2008. The ISO 9001:2008 version cancels the previous version of ISO 9001:2000. The reasons for the revision are to clarify certain points within the text and enhance its compatibility with ISO 14001:2004.

Process Approach

The ISO 9001 advocates and promotes the use of the process approach in the planning, implementation an improvement of a quality management system, where the Plan-Do-Check-Act method serves as the methodology for the application of this approach.

Integrated Management System

ISO 9001 enables the integration of a quality management system model with other management system models. ISO 9001 could be integrated with ISO 14001 since they are highly compatible. And since OHSAS 18001 takes after ISO 14001 model, it can also be integrated into ISO 9001 quality management system model. Integrated systems induce managent efficiency.

Scope of ISO 9001

The scope or purpose of ISO 9001 is to enable an organization to demonstrate its ability to consistently provide products that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.

ISO 9001 is intended to be generic and applicable to all kinds of organization, regardless of types, sizes or products.

Terms and definitions

The terminology and definitions which are used within the standard are derived from ISO 9000:2005.

Within the context of ISO 9001, the term “product” may also represent intangible services.

General Requirements of the Quality Management System

ISO 9001 requires that an organization to establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with its (ISO 9001) requirements. In order to do this, the organization shall/must

1. determine the processes needed for the quality management system and their application throughout the organization,
2. determine the sequence and interaction of these processes,
3. determine the criteria and methods to ensure the effective operation and control of these processes,
4. ensure the availability of resources and information to support the operation and monitoring of these processes,
5. monitor, measure and analyze these processes,
6. implement necessary actions to achieve planned results and continual improvement of these processes.

Outsourced processes within the quality management system must be adequately controlled and defined.

The processes within the quality management system must relate to management activities (Clause 5), resource management (Clause 6), product realization and measurement (Clause 7), analysis and improvement (Clause 8).

Documentation requirements

ISO 9001 requires the quality management system to be documented, which includes:

1. A documented quality policy
2. Documented quality objectives
3. A documented quality manual
4. Six specifically defined documented procedures
5. Documents that ensure the effective planning, operation, and control of processes such as process documents/SOPs/quality plans, procedures/work instructions , forms, etc.
6. Records (filled and filed forms that can occur at any tier level).

Quality Manual

The organization shall/must establish and maintain a quality manual that includes

1. the scope of the quality management system, including details of and justification for any exclusions
2. the documented procedures that have been established or reference to them,
3. a description of the interaction of the processes within the quality management system.

Control of Documents

All documents that are used within the quality management system must be adequately controlled. A documented procedure shall/must be established to define this control, in terms of:

1. approval for adequacy prior to issue,
2. review, update and re-approval,
3. identification of changes and current revision status,
4. availability at points of use,
5. legibility and identifiability
6. identification and control of external documents,
7. prevention of unintended use of obsolete documents, and their identification if retained for any purpose.

Control of Records

Records that are generated from the operation of the quality management system shall/must be controlled. Records are documents that provide evidence of conformance and effectiveness of the quality management system. A documented procedure shall/must be established to defined the controls for their

1. identification,Bulleted List
2. storage,
3. protection,
4. retrieval,
5. retention, and
6. disposition.

All records shall/must remain legible, readily identifiable and retrievable.

1. Systemic, and
2. Process.

The first output of your Quality Management System (QMS) planning should be the Quality Manual.  This is where you describe the QMS in its entirety. It is a top-level document so it does not have to go into much detail, unless a certain process is not covered by a documented procedure.  Where a process is not covered by a procedure, make a precise description of it in the Quality Manual.

All associated procedures and records must be referenced within the manual, wherever appropriate.  This will ensure that the reader will be able to paint an adequate mental picture of your QMS and retrieve the related documentation effectively.

The Quality Management System is controlled by these documents:

1. Quality Manual
2. Quality Policy
3. Quality Objectives Register
4. Control of Documents Procedure
5. Control of Records Procedure
6. Internal Audit Procedure
7. Control of Nonconforming Product Procedure
8. Corrective Action Procedure
9. Preventive Action Procedure
10. plus all related forms and formats

These documents define the QMS at the very top-level. This is why these documents are required by the ISO 9001 standard. They are universal in nature and are applicable to all kinds of organizations.

The Management Representative or his representative should be the author and controller of these documents, while the CEO or Managing Director should be the one approving them for implementation.  I call these documents “System-level Documents”.  At this level, the four levels of documentation applies:

1. Level 1 – Manual, policies, objectives
2. Level 2 – Procedures
3. Level 3 – Work Instructions (these are sub-procedures within the procedures, if any)
4. Level 4 – Forms, formats, etc. (these are documents designed to provide evidence of performance or implementation of processes and they become quality records once implemented/filled up)

Apart from the system-level documents, a lower level of documents are probably be necessary.  I call these documents the “Process-level documents”.

The structure is similar.  There could be manuals, procedures, work instructions and forms/formats. The only difference is the mileage they cover.  Process-level documents only apply to the respective process areas.

For example, the Purchasing Department might want to establish a manual to cover its processes and followed by specific procedures and forms.  Process-level documents should be authored and controlled by the Department Manager and the approval should be done by the Management Representative.

This way the responsibility is trickled down the hierarchy, thereby placing the relevant scope of responsibility where it should be, wouldn’t you think?

First and formost, you need to understand the Plan-Do-Check-Act concept.  This concept is applied at the QMS (systemic) and the process levels.   Always apply this concept when preparing your audit checklist.  And also, always audit a process.  Never audit a clause from the ISO 9001 standard. This is called process auditing.

Secondly, the QMR or the QMS Committee (whichever is convenient or relevant) must come up with questions derived from the ISO 9001 standard – for every clause, where appropriate.  To do this, just re-phrase the requirements into questions.  You may need to develop several questions for a single requirement – you decide what’s best for your organization because you know best! Then you need to review the questions to see if they are adequate and effective in extracting the necessary information out of the auditees (remember, the three audit methodologies: Interview; Inspection; Observation)

Thirdly, add and/or modify those questions to suit the process that is to be audited.  For example, you are going to audit the Purchasing/Procurement Department and you’re sitting down with the Audit Team trying to come up with relevant questions.

Note 1: As an Audit Team Leader/Lead Auditor, you need to do this with your Audit Team so that everyone is aware of the audit objectives or what to look for.

Note 2: Audit Checklists serve as guidelines only. You must be able to introduce and/or modify a particular question in order to meet the objectives of your audits.

Modify the audit questions so that they are relevant to the Purchasing process only. Further additions or modifications to the Audit Checklist may happen during the actual audit. If this happens, just make sure you record everything in your Audit Notes.

Note 1: You may need to review/refer to the specific documentation related to that process in order to do this effectively.

The main objective in auditing any process is to extract adequate information and evidence in order to verify that the process is conformant to the ISO 9001 requirements and that, it is effective in achieving its objectives. As an auditor, you need to be able to investigate, assess and verify the conformity and effectiveness of a given process, in terms of its planning, implementation, monitoring & measurement and improvement. As a Lead Auditor, preparing your Audit Team for the actual audit is crucial in ensuring success of the audit excercise.  There is no better way to do that than by developing the audit questions with them.

In conclusion, the steps are:

1. Develop audit questions from the ISO 9001 standard (Previously prepared by QMR)
2. Review related documents of the process that is to be audited (To be done by the Audit Team)
3. Modify/Add/Delete/Rephrase the questions to suit the process that is to be audited (To be done by the Audit Team, under the direction of the Lead Auditor)

ISO 9001:2008 has been developed in order to introduce clarifications to the existing requirements of ISO 9001:2000 and to improve compatibility with ISO 14001:2004.

ISO 9001:2008 does not introduce additional requirements nor does it change the intent of the ISO 9001:2000 standard. Certification to ISO 9001:2008 is not an “upgrade”, and organizations that are certified to ISO 9001:2000 should be afforded the same status as those who have already received a new certificate to ISO 9001:2008.

No new requirements were introduced in this edition but, in order to benefit from the clarifications of ISO 9001:2008, users of the former version will need to take into consideration whether the clarifications introduced have an impact on their current interpretation of ISO 9001:2000, as changes may be necessary to their QMS.

In order to assist organizations to have a full understanding of the new ISO 9001:2008, it may be useful to have an insight on the revision process, how this revision reflects the inputs received from users of the standard, and the consideration given to benefits and impacts during its development.

Prior to the commencement of a revision (or amendment) to a management system standard, ISO/Guide 72:2001, Guidelines for the justification and development of management system standards recommends that a “Justification Study” is prepared to present a case for the proposed project and that it outlines details of the data and inputs used to support its arguments.

In relation to the development of ISO 9001:2008 user needs were identified from the following:

1. the results of a formal “Systematic Review” on ISO 9001:2000 that was performed by the members of ISO/TC 176/SC2 during 2003-2004
2. feedback from the ISO/TC 176/Working Group on “Interpretations”
3. the results of an extensive worldwide “User Feedback Survey on ISO 9001 and ISO 9004” by ISO/TC 176/SC 2/WG 18 and similar national surveys.

The Justification Study identified the need for an amendment, provided that the impact on users would be limited and that changes would only be introduced when there were clear benefits to users. The key focuses of the ISO 9001:2008 amendment were to enhance the clarity of ISO 9001:2000 and to enhance its compatibility with ISO 14001:2004.

A tool for assessing the impacts versus benefits for proposed changes was created to assist the drafters of the amendment in deciding which changes should be included, and to assist in the verification of drafts against the identified user needs. The following decision making principles were applied:

1. No changes with high impact would be incorporated into the standard;
2. Changes with medium impact would only be incorporated when they provided a correspondingly medium or highbenefit to users of the standard;
3. Even where a change was low impact, it had to be justified by the benefits it delivered to users, before being incorporated.

The changes incorporated in this ISO 9001:2008 edition were classified in terms of impact into the following categories:

1. No changes or minimum changes on user documents, including records
2. No changes or minimum changes to existing processes of the organization
3. No additional training required or minimal training required
4. No effects on current certifications

The benefits identified for the ISO 9001:2008 edition fall into the following categories:

1. Provides clarity
2. Increases compatibility with ISO 14001
3. Maintains consistency with ISO 9000 family of standards.
4. Improves translatability.

The ultimate conclusion from the latest revision of the ISO 9001 standard:

No new requirements were introduced in this edition but, in order to benefit from the clarifications of ISO9001:2008, users of the former version will need to take into consideration whether the clarifications introduced have an impact on their current interpretation of ISO 9001:2000, as changes may be necessary to their QMS.

No new requirements were introduced in this edition but, in order to benefit from the clarifications of ISO 9001:2008,users of the former version will need to take into consideration whether the clarifications introduced have an impact ontheir current interpretation of ISO 9001:2000, as changes may be necessary to their QMS.

It is applicable to all organizations needing to conduct intemal or external audits of quality, environmental management systems, etc. or to manage an audit programme.

Auditing is characterized by reliance on a number of principles. These make the audit an effective and reliable tool in support of management policies and controls, providing information on which an organization can act to improve its performance. Adherence to these principles is a prerequisite for providing audit conclusions that are relevant and sufficient and for enabling auditors working independently from one another to reach similar conclusions in similar circumstances.

The following principles relate to auditors

• Ethical conduct: the foundation of professionalism
• Trust, integrity, confidentiality and discretion are essential to auditing.
• Fair presentation: the obligation to report truthfully and accurately

Audit findings, audit conclusions and audit reports reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee are reported.

Due professional care: the application of diligence and judgement in auditing
Auditors exercise care in accordance with the importance of the task they perform and the confidence placed in them by audit clients and other interested parties. Having the necessary competence is an important factor. Further principles relate to the audit, which is by definition independent and systematic

Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
Auditors are independent of the activity being audited and are free from bias and conflict of interest. Auditors maintain an objective state of mind throughout the audit process to ensure that the audit findings and conclusions will be based only on the audit evidence.

Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.
Audit evidence is verifiable. It is based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. The appropriate use of sampling is closely related to the confidence that can be placed in the audit conclusions.

An audit programme may include one or more audits, depending upon the size, nature and complexity of the organization to be audited. These audits may have a variety of objectives and may also include joint or combined audits.  An audit programme also includes all activities necessary for planning and organizing the types and number of audits, and for providing resources to conduct them effectively and efficiently within the specified time frames. An organization may establish more than one audit programme.  The organization’s top management should grant the authority for managing the audit programme.

Those assigned the responsibility for managing the audit programme should

• establish, implement, monitor, review and improve the audit programme, and
• identify the necessary resources and ensure they are provided.

Audit programme procedures should address the following:

• planning and scheduling audits;
• assuring the competence of auditors and audit team leaders;
• selecting appropriate audit teams and assigning their roles and responsibilities;
• conducting audits;
• conducting audit follow-up, if applicable;
• maintaining audit programme records;
• monitoring the performance and effectiveness of the audit programme;
• reporting to top management on the overall achievements of the audit programme.

The implementation of an audit programme should address the following:

• communicating the audit programme to relevant parties;
• coordinating and scheduling audits and other activities relevant to the audit programme;
• establishing and maintaining a process for the evaluation of the auditors and their continual professional development;
• ensuring the selection of audit teams;
• providing necessary resources to the audit teams;
• ensuring the conduct of audits according to the audit programme;
• ensuring the control of records of the audit activities;
• ensuring review and approval of audit reports, and ensuring their distribution to the audit client and other specified parties;
• ensuring audit follow-up, if applicable.

Records should be retained and suitably safeguarded. Records should be maintained to demonstrate the implementation of the audit programme and should include the following:

• records related to individual audits, such as audit plans, audit reports, nonconformity reports, corrective and preventive action reports, and audit follow-up reports, if applicable;
• results of audit programme review;
• records related to audit personnel covering subjects such as auditor competence and performance evaluation, audit team selection, and maintenance and improvement of competence.

The implementation of the audit programme should be monitored and, at appropriate intervals, reviewed to assess whether its objectives have been met and to identify opportunities for improvement. The results should be reported to top management. Performance indicators should be used to monitor characteristics such as  the ability of the audit teams to implement the audit plan, conformity with audit programmes and schedules, and feedback from audit clients, auditees and auditors.

The audit programme review should consider results and trends from monitoring, conformity with procedures, evolving needs and expectations of interested parties, audit programme records, altemative or new auditing practices, and consistency in performance between audit teams in similar situations.  Results of audit programme reviews can lead to corrective and preventive actions and the improvement of the audit programme.

Those assigned the responsibility for managing the audit programme should appoint the audit team leader for the specific audit.  Where a joint audit is conducted, it is important to reach agreement among the auditing organizations before the audit commences on the specific responsibilities of each organization, particularly with regard to the authority of the team leader appointed for the audit.

Within the overall objectives of an audit programme, an individual audit should be based on documented objectives, scope and criteria. The audit objectives define what is to be accomplished by the audit and may include the following:
determination of the extent of conformity of the auditee’s management system, or parts of it, with audit criteria;
evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements;

• evaluatation of the effectiveness of the management system in meeting its specified objectives;
• identification of areas for potential improvement of the management system.
• The audit scope describes the extent and boundaries of the audit, such as physical locations, organizational units, activities and processes to be audited, as well as the time period covered by the audit.

The audit criteria are used as a reference against which conformity is determined and may include applicable policies, procedures, standards, laws and regulations, management system requirements, contractual requirements or industry/business sector codes of conduct.

The audit objectives should be defined by the audit client. The audit scope and criteria should be defined between the audit client and the audit team leader in accordance with audit programme procedures. Any changes to the audit objectives, scope or criteria should be agreed to by the same parties.

Where a combined audit is to be conducted, it is important that the audit team leader ensures that the audit objectives, scope and criteria are appropriate to the nature of the combined audit.

The feasibility of the audit should be determined, taking into consideration such factors as the availability of sufficient and appropriate information for planning the audit, adequate cooperation from the auditee, and  adequate time and resources.  Where the audit is not feasible, an altemative should be proposed to the audit client, in consultation with the auditee.

When the audit has been declared feasible, an audit team should be selected, taking into account the competence needed to achieve the objectives of the audit. If there is only one auditor, the auditor should perform all applicable duties of an audit team leader. Clause 7 contains guidance on determining the competence needed and describes processes for evaluating auditors.  In deciding the size and composition of the audit team, consideration should be given to the following:

• audit objectives, scope, criteria and estimated duration of the audit;
• whether the audit is a combined or joint audit;
• the overall competence of the audit team needed to achieve the objectives of the audit;
• statutory, regulatory, contractual and accreditation/certifcation requirements, as applicable;
• the need to ensure the independence of the audit team from the activities to be audited and to avoid conflict of interest;
• the ability of the audit team members to interact effectively with the auditee and to work together;
• the language of the audit, and an understanding of the auditee’s particular social and cultural characteristics; these issues may be addressed either by the auditor’s own skills or through the support of a technical expert.

The process of assuring the overall competence of the audit team should include identification of the knowledge and skills needed to achieve the objectives of the audit and selection of the audit team members such that all of the necessary knowledge and skills are present in the audit team.  If not fully covered by the auditors in the audit team, the necessary knowledge and skills may be satisfied by including technical experts. Technical experts should operate under the direction of an auditor.

Auditors-in-training may be included in the audit team, but should not audit without direction or guidance.
Both the audit client and the auditee can request the replacement of particular audit team members on reasonable grounds based on the principles of auditing described in clause 4.

Examples of reasonable grounds include conflict of interest situations (such as an audit team member having been a former employee of the auditee or having provided consultancy services to the auditee) and previous unethical behaviour. Such grounds should be communicated to the audit team leader and to those assigned responsibility for managing the audit programme, who should resolve the issue with the audit client and auditee before making any decisions on replacing audit team members.

The initial contact for the audit with the auditee may be informal or formal, but should be made by those assigned responsibility for managing the audit programme or the audit team leader. The purpose of the initial contact is

• to establish communication channels with the auditee’s representative,
• to confirm the authority to conduct the audit,
• to provide information on the proposed timing and audit team composition,
• to request access to relevant documents, including records,
• to determine applicable site safety rules,
• to make arrangements for the audit, and
• to agree on the attendance of observers and the need for guides for the audit team.

Prior to the on-site audit activities the auditee’s documentation should be reviewed to determine the conformity of the system, as documented, with audit criteria. The documentation may include relevant management system documents and records, and previous audit reports. The review should take into account the size, nature and complexity of the organization, and the objectives and scope of the audit. In some situations, this review may be deferred until the on-site activities commence, if this is not detrimental to the effectiveness of the conduct of the audit.

In other situations, a preliminary site visit may be conducted to obtain a suitable overview of available information.  If the documentation is found to be inadequate, the audit team leader should inform the audit client, those assigned responsibility for managing the audit programme, and the auditee. A decision should be made as to whether the audit should be continued or suspended until documentation concerns are resolved.

The audit team leader should prepare an audit plan to provide the basis for the agreement among the audit client, audit team and the auditee regarding the conduct of the audit. The plan should facilitate scheduling and coordination of the audit activities. The amount of detail provided in the audit plan should reflect the scope and complexity of the audit. The details may differ, for example, between initial and subsequent audits and also between internal and external audits.

The audit plan should be sufficiently flexible to permit changes, such as changes in the audit scope, which can become necessary as the on-site audit activities progress. The audit plan should cover

• the audit objectives;
• the audit criteria and any reference documents;
• the audit scope, including identification of the organizational and functional units and processes to be audited;
• the dates and places where the on-site audit activities are to be conducted;
• the expected time and duration of on-site audit activities, including meetings with the auditee’s management and audit team meetings;
• the roles and responsibilities of the audit team members and accompanying persons;
• the allocation of appropriate resources to critical areas of the audit.
• identification of the auditee’s representative for the audit;
• the working and reporting language of the audit where this is different from the language of the auditor and/or the auditee;
• the audit report topics;
• logistic arrangements (travel, on-site facilities, etc.);
• matters related to confidentiality;
• any audit follow-up actions.

The plan should be reviewed and accepted by the audit client, and presented to the auditee, before the on-site audit activities begin. Any objections by the auditee should be resolved between the audit team leader, the auditee and the audit client. Any revised audit plan should be agreed among the parties concemed before continuing the audit.

The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, functions, sites, areas or activities. Such assignments should take into account the need for the independence and competence of auditors and the effective use of resources, as well as different roles and responsibilities of auditors, auditors-in-training and technical experts. Changes to the work assignments may be made as the audit progresses to ensure the achievement of the audit objectives.

The audit team members should review the information relevant to their audit assignments and prepare work documents as necessary for reference and for recording audit proceedings. Such work documents may include checklists and audit sampling plans and forms for recording information, such as supporting evidence, audit findings and records of meetings.  The use of checklists and forms should not restrict the extent of audit activities, which can change as a result of information collected during the audit.

Work documents, including records resulting from their use, should be retained at least until audit completion.  Those documents involving confidential or proprietary information should be suitably safeguarded at all times by the audit team members.

An opening meeting should be held with the auditee’s management or, where appropriate, those responsible for the functions or processes to be audited. The purpose of an opening meeting is
a) to confirm the audit plan,
b) to provide a short summary of how the audit activities will be undertaken,
c) to confirm communication channels, and
d) to provide an opportunity for the auditee to ask questions

In many instances, for example internal audits in a small organization, the opening meeting may simply consist of communicating that an audit is being conducted and explaining the nature of the audit.  For other audit situations, the meeting should be formal and records of the attendance should be kept.

The meeting should be chaired by the audit team leader, and the following items should be considered, as appropriate:

• introduction of the participants, including an outline of their roles;
• confirmation of the audit objectives, scope and criteria;
• confirmation of the audit timetable and other relevant arrangements with the auditee, such as the date and time for the closing meeting, any interim meetings between the audit team and the auditee’s management, and any late changes;
• methods and procedures to be used to conduct the audit, including advising the auditee that the audit evidence will only be based on a sample of the information available and that therefore there is an element of uncertainty in auditing;
• confirmation of formal communication channels between the audit team and the auditee;
• confirmation of the language to be used dunng the audit;
• confirmation that, during the audit, the auditee will be kept informed of audit progress;
• confirmation that the resources and facilities needed by the audit team are available;
• confirmation of matters relating to confidentiality;
• confirmation of relevant work safety, emergency and security procedures for the audit team;
• confirmation of the availability, roles and identities of any guides;
• the method of reporting, including any grading of nonconformities;
• information about conditions under which the audit may be terminated;
• any information about any appeal system on the conduct or conclusions of the audit.

Depending upon the scope and complexity of the audit, it can be necessary to make formal arrangements for communication within the audit team and with the auditee during the audit. The audit team should confer periodically to exchange information, assess audit progress, and to reassign work between the audit team members as needed.

During the audit. the audit team leader should periodically communicate the progress of the audit and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk (e.g. safety, environmental or quality) should be reported without delay to the auditee and, as appropriate, to the audit client. Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the audit client and auditee.

Where the available audit evidence indicates that the audit objectives are unattainable, the audit team leader should report the reasons to the audit client and the auditee to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope, or termination of the audit.  Any need for changes to the audit scope which can become apparent as on-site auditing activities progress should be reviewed with and approved by the audit client and, as appropriate, the auditee.

Guides and observers may accompany the audit team but are not a part of it. They should not influence or interfere with the conduct of the audit.  When guides are appointed by the auditee, they should assist the audit team and act on the request of the audit team leader.

Their responsibilities may include the following:

• establishing contacts and timing for interviews;
• arranging visits to specific parts of the site or organization;
• ensuring that rules concerning site safety and security procedures are known and respected by the audit team members;
• witnessing the audit on behalf of the auditee;
• providing clarification or assisting in collecting information

During the audit, information relevant to the audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes, should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded.

The audit evidence is based on samples of the available information. Therefore there is an element of uncertainty in auditing, and those acting upon the audit conclusions should be aware of this uncertainty.

The sources of information chosen may vary according to the scope and complexity of the audit and may include the following:

• interviews with employees and other persons;
• observations of activities and the surrounding work environment and conditions;
• documents, such as policy, objectives, plans, procedures, standards, instructions, licences and permits, specifications, drawings, contracts and orders; records, such as inspection records, minutes of meetlngs, audlt reports, records of monitoring programmes and the results of measurements; data summaries, analyses and performance indicators; information on the auditee’s sampling programmes and on procedures for the control of sampling and measurement processes; reports from other sources, for example, customer feedback, other relevant information from external parties and supplier ratings; computerized databases and web sites.

Interviews are one of the important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed. However, the auditor should consider the following:

• interviews should be held with persons from appropriate levels and functions performing activities or tasks within the scope of the audit;
• interviews should be conducted during the normal working hours and, where practical, at the normal workplace of the person being interviewed;
• every attempt should be made to put the person being interviewed at ease prior to and during the interview;
• the reason for the interview and any note taking should be explained;
• interviews can be initiated by asking the persons to describe their work;
• questions that bias the answers (i.e. leading questions) should be avoided;
• the results from the interview should be summarized and reviewed with the interviewed person;
• the interviewed persons should be thanked for their participation and cooperation.

Audit evidence should be evaluated against the audit criteria to generate the audit findings. Audit findings can indicate either conformity or nonconformity with audit criteria. When specified by the audit objectives, audit findings can identify an opportunity for improvement.  The audit team should meet as needed to review the audit findings at appropriate stages during the audit.

Conformity with audit criteria should be summarized to indicate locations, functions or processes that were audited.  If included in the audit plan, individual audit findings of conformity and their supporting evidence should also be recorded.  Nonconformities and their supporting audit evidence should be recorded.

Nonconformities may be graded. They should be reviewed with the auditee to obtain acknowledgement that the audit evidence is accurate, and that the nonconformities are understood. Every attempt should be made to resolve any diverging opinions concerning the audit evidence and/or findings, and unresolved points should be recorded.

The audit team should confer prior to the closing meeting

• to review the audit findings, and any other appropriate information collected during the audit, against the audit objectives,
• to agree on the audit conclusions, taking into account the uncertainty inherent in the audit process,
• to prepare recommendations. if specified by the audit objectives, and
• to discuss audit follow-up, if included in the audit plan.

Audit conclusions can address issues such as

• the extent of conformity of the management system with the audit criteria,
• the effective implementation, maintenance and improvement of the management system, and
• the capability of the management review process to ensure the continuing suitability, adequacy, effectiveness and improvement of the management system.

If specified by the audit objectives, audit conclusions can lead to recommendations regarding improvements business relationships, certification/registration or future auditing activities.

A closing meeting, chaired by the audit team leader, should be held to present the audit findings and conclusions in such a manner that they are understood and acknowledged by the auditee, and to agree, if appropriate, on the timeframe for the auditee to present a corrective and preventive action plan.

Participants in the closing meeting should include the auditee, and may also include the audit client and other parties. If necessary, the audit team leader should advise the auditee of situations encountered during the audit that may decrease the reliance that can be placed on the audit conclusions.

In many instances, for example intemal audits in a small organization, the closing meeting may consist of just communicating the audit findings and conclusions.  For other audit situations, the meeting should be formal and minutes, including records of attendance, should be kept.  Any diverging opinions regarding the audit findings andlor conclusions between the audit team and the auditee should be discussed and if possible resolved. If not resolved, all opinions should be recorded.

If specified by the audit objectives, recommendations for improvements should be presented. It should be emphasized that recommendations are not binding.

The audit team leader should be responsible for the preparation and contents of the audit report.  The audit report should provide a complete, accurate, concise and clear record of the audit, and should include

• the audit objectives;
• the audit scope, particularly identification of the organizational and functional units or processes audited and the time period covered;
• identification of the audit client;
• identification of audit team leader and members;
• the dates and places where the on-site audit activities were conducted;
• the audit criteria;
• the audit findings;
• the audit conclusions;
• the audit plan;
• a list of auditee representatives;
• a summary of the audit process, including the uncertainty and/or any obstacles encountered that could decrease the reliability of the audit conclusions;
• confirmation that the audit objectives have been accomplished within the audit scope in accordance with the audit plan;
• any areas not covered, although within the audit scope;
• any unresolved diverging opinions between the audit team and the auditee;
• recommendations for improvement, if specified in the audit objectives;
• agreed follow-up action plans, if any;
• a statement of the confidential nature of the contents;
• the distribution list for the audit report.

The audit report should be issued within the agreed time period. If this is not possible, the reasons for the delay should be communicated to the audit client and a new issue date should be agreed.  The audit report should be dated, reviewed and approved in accordance with audit programme procedures .

The approved audit report should then be distributed to recipients designated by the audit client.  The audit report is the property of the audit client. The audit team members and all report recipients should respect and maintain the confidentiality of the report.

The audit is completed when all activities described in the audit plan have been carried out and the approved audit report has been distributed.  Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with audit programme procedures and applicable statutory, regulatory and contractual requirements.

Unless required by law, the audit team and those responsible for managing the audit programme should not disclose the contents of documents, any other information obtained during the audit, or the audit report, to any other party without the explicit approval of the audit client and, where appropriate, the approval of the auditee. If disclosure of the contents of an audit document is required, the audit client and auditee should be informed as soon as possible.

The conclusions of the audit may indicate the need for corrective, preventive or improvement actions, as applicable. Such actions are usually decided and undertaken by the auditee within an agreed timeframe and are not considered to be part of the audit. The auditee should keep the audit client informed of the status of these actions. The completion and effectiveness of corrective action should be verified. This verification may be part of a subsequent audit.  The audit programme may specify follow-up by members of the audit team, which adds value by using their expertise. In such cases, care should be taken to maintain independence in subsequent audit activities.

Confidence and reliance in the audit process depends on the competence of those conducting the audit. This competence is based on the demonstration of the personal attributes and the ability to apply the audit knowledge and skills gained through the education, work experience, auditor training and audit experience.

Auditors should possess personal attributes to enable them to act in accordance with the principles of auditing.  An auditor should be:

• ethical – fair, truthful, sincere, honest and discreet;
• open-minded – willing to consider alternative ideas or points of view;
• diplomatic – tactful in dealing with people;
• observant – actively aware of physical surroundings and activities;
• perceptive – instinctively aware of and able to understand situations;
• versatile – adjusts readily to different situations;
• tenacious – persistent, focused on achieving objectives;
• decisive – reaches timely conclusions based on logical reasoning and analysis; and
• self-reliant – acts and functions independently while interacting effectively with others

Auditors should have knowledge and skills in the following areas:

1. Audit principles, procedures and techniques: to enable the auditor to apply those appropriate to different audits and ensure that audits are conducted in a consistent and systematic manner. An auditor should be able

• to apply audit principles, procedures and techniques,
• to plan and organize the work effectively,
• to conduct the audit within the agreed time schedule,
• to prioritize and focus on matters of significance,
• to collect information through effective interviewing, listening, observing and reviewing documents, records and data,
• to understand the appropriateness and consequences of using sampling techniques for auditing,
• to verify the accuracy of collected information,
• to confirm the sufficiency and appropriateness of audit evidence to support audit findings and conclusions,
• to assess those factors that can affect the reliability of the audit findings and conclusions,
• to use work documents to record audit activities,
• to prepare audit reports,
• to maintain the confidentiality and security of information, and
• to communicate effectively, either through personal linguistic skills or through an interpreter.

1. Management system and reference documents: to enable the auditor to comprehend the scope of the audit and apply audit criteria. Knowledge and skills in this area should cover

• the application of management systems to different organizations,
• interaction between the components of the management system,
• quality or environmental management system standards, applicable procedures or other management system documents used as audit criteria,
• recognizing differences between and priority of the reference documents,
• application of the reference documents to different audit situations, and
• information systems and technology for, authorization, security, distribution and control of documents, data and records.

1. Organizational situations: to enable the auditor to comprehend the organization’s operational context.  Knowledge and skills in this area should cover

• organizational size, structure, functions and relationships,
• general business processes and related terminology, and
• cultural and social customs of the auditee.

1. Applicable laws, regulations and other requirements relevant to the discipline: to enable the auditor to work within, and be aware of, the requirements that apply to the organization being audited. Knowledge and skills in this area should cover

• local, regional and national codes, laws and regulations,
• contracts and agreements,
• international treaties and conventions, and
• other requirements to which the organization subscribes.

1. Audit team leaders should have additional knowledge and skills in audit leadership to facilitate the efficient and effective conduct of the audit. An audit team leader should be able

• to plan the audit and make effective use of resources during the audit,
• to represent the audit team in communications with the audit client and auditee,
• to organize and direct audit team members,
• to provide direction and guidance to auditors-in-training,
• to lead the audit team to reach the audit conclusions,
• to prevent and resolve conflicts, and
• to prepare and complete the audit report.

Quality management system auditors should have knowledge and skills in quality-related methods and techniques in order to enable the auditor to examine quality management systems and to generate appropriate audit findings and conclusions.

Knowledge and skills in this area should cover quality terminology, quality management principles and their application, and quality management tools and their application (for example statistical process control, failure mode and effect analysis, etc., and processes and products, including services: to enable the auditor to comprehend the technological context in which the audit is being conducted. Knowledge and skills in this area should cover sector-specific terminology, technical characteristics of processes and products, including services, and sector-specific processes and practices.

Auditors should have the following education, work experience, auditor training and audit experience.

• They should have completed an education sufficient to acquire the knowledge and skills of auditing
• They should have work experience that contributes to the development of the knowledge and skills.  This work experience should be in a technical, managerial or professional position involvingthe exercise of judgment, problem solving, and communication with other managerial or professional personnel, peers, customers and/or other interested parties. Part of the work experience should be in a position where the activities undertaken contribute to the development of knowledge and skills in the quality management field for quality management system auditors, and the environmental management field for environmental management system auditors.
• They should have completed auditor training that contributes to the development of the knowledge and skills.  This training may be provided by the person’s own organization or by an external organization.
• They should have audit experience. This experience should have been gained under the direction and guidance of an auditor who is competent as an audit team leader in the same discipline.

NOTE:

The extent of direction and guidance needed during an audit is at the discretion of those assigned the responsibility for managing the audit programme and the audit team leader. The provision of direction and guidance does not imply constant supervision and does not require someone to be assigned solely to the task.

An audit team leader should have acquired additional audit experience to develop the knowledge and skills.  This additional experience should have been gained while acting in the role of an audit team leader under the direction and guidance of another auditor who is competent as an audit team leader.

Quality management system or environmental management system auditors who wish to become auditors in the second discipline should have the training and work experience needed to acquire the knowledge and skills for the second discipline, and should have conducted audits covering the management system in the second discipline under the direction and guidance of an auditor who is competent as an audit team leader in the second discipline.

An audit team leader in one discipline should meet the above recommendations to become an audit team leader in the second discipline.

A new edition of ISO 9001, the quality management system standard, has been introduced in November 2008.  This will be the fourth edition of the standard, first published in 1987.   Revisions were later made in 1994 and 2000.

In terms of changes, ISO 9001:2008 represents fine-tuning, rather than the thorough overhaul that took place for its update in 2000.

ISO 9001:2008 clarifies the requirements that have been in place since 2000, based on user experience over the last eight years.  It includes changes that are intended to improve further compatibility with ISO 14001:2004 Environmental management systems standards.

The new edition has the same numerical system as the current version of ISO 9001:2000.  The changes that have been made are minor representing clarifications and modifications.

The following are the revisions that were made to the ISO 9001:2000 version:

Clause 4.1

The new standard makes it clear that an outsourced process is still part of your QMS.  While the responsibility for a process may have been outsourced, your organization is, nevertheless, still responsible for ensuring that it meets all customer, regulatory, and statutory requirements.  In essence, the the revised clause requires to you define the type, nature, and extent of controls that are effective in ensuring planned quality levels.

Clause 4.2.1

The new standard has expanded the definition of documentation to include all QMS process records.  Part 4.2.1 makes it clear that a single document may contain several procedures or several documents may be used to describe a single procedure. While this has always been an option, the new standard makes this possibility explicit.   And the new standard requires you to identify and control the distribution of only those external documents that you need in order to be able to plan and operate your QMS.  In other words, only relevant external QMS documents need to be controlled, not all of them.

Clause 5.5.2

It is a requirement now that the management representative must be a member of the organization’s own management. Outsiders may no longer perform this important function.

Clause 6.2.1

All QMS personnel must be competent in any within the QMS which may directly or indirectly affect the organization’s ability or willingness to meet product requirements.  Personnel competence must be assured.

Clause 6.3

ISO 9001:2008 has now added information systems to the previous list of support services. Both old and new standards expect you to provide the infrastructure (including information systems) that your organization needs in order to ensure that product requirements are being met.

Clause 6.4

ISO 9001:2008 says that the term work environment now refers to working conditions.  These working conditions include physical and environmental conditions, as well as things like noise, temperature, humidity, lighting, and weather.  All of these conditions need to be managed in order to help ensure that product requirements are being met.

Clause 7.2.1

According to ISO 9001:2008, post delivery requirements include things like warranty provisions, contractual obligations (such as maintenance), and supplementary services (such as recycling and final disposal).

Clause 7.3

Both old and new standards expect organizations to plan and perform product design and development review, verification, and validation activities (Part 7.3.1).   While each of these three activities serves a different purpose, ISO 9001:2008 makes it clear that these three activities can be carried out and recorded separately or in any combination as long as it makes sense for the product and the organization.

Clause 7.3.3

Part 7.3.3 of ISO 9001:2000 wants you to make sure that the design and development process generates information (outputs) that your purchasing, production, and service provision processes need to have.  ISO 9001:2008 now also says that design and development outputs could include information that explains how products can be preserved during production and service provision.

Clause 7.6

While ISO 9001:2008, Part 7.6, refers to the need to control monitoring and measuring equipment, the old standard talked about controlling devices. Since the term device can refer to almost anything from a literary contrivance to a machine, its meaning wasn’t exactly clear. The new ISO 9001 standard has removed this ambiguity by using the term equipment.  Both the old and the new standard wants you to confirm that monitoring and measuring software is capable of doing the job you want it to do. In addition to this requirement, the new standard suggests (in a note) that configuration management and well established verification methods can be used to ensure the ongoing suitability of monitoring and measuring software.  However, this is not a requirement, just a statement that explains how the ongoing suitability of software can be maintained.

Clause 8.2.1

Both old and new standards want you to monitor and measure customer satisfaction (perceptions). A new note to ISO 9001:2008, Part 8.2.1, explains that there are many ways to monitor and measure customer satisfaction. You could use customer satisfaction and opinion surveys. And you could collect product quality data (post delivery), track warranty claims, examine dealer reports, study customer compliments and criticisms, and analyze lost business opportunities.

Clause 8.2.2

Both old and new standards refer to the need to establish a procedure to define how internal audits should be planned, performed, reported, and recorded (Part 8.2.2). However, the old standard did not explicitly state that audit records must actually be maintained. This oversight has now been corrected. ISO 9001:2008 now explicitly says that you must maintain a record of your internal audit activities and results.

Clause 8.2.3

Both old and new standards expect you to monitor and measure your QMS processes. A new note to ISO 9001:2008, Part 8.2.3, wants you to consider the impact each process has on the overall effectiveness of your QMS and the impact it has on your ability to meet product requirements, when you’re making decisions about what kinds of process monitoring and measurement methods should be used.

Clause 8.2.4

According to ISO 9001:2000, Part 8.2.4, you must make sure that product monitoring and measuring records indicate who was responsible for authorizing the release of products. However, the old standard did not specify who must be on the receiving end.  This has now been clarified.  ISO 9001 2008 now makes it clear that records must now indicate who releases products for delivery to customers.

1. Communication of Information
2. Evidence of conformity
3. Knowledge sharing

The following terms and definitions are taken from ISO 9000:2005:

1. A document is information and its supporting medium
2. A procedure is a specified way to carry out an activity or a process (Note: Procedures can be documented or not)
3. A Quality Manual is a document specifying the quality management system of an organization
4. A Quality Plan is a document specifying which procedures and associated resources shall be applied by whom and when to a specific project, product, process or contract
5. A record is a document stating results achieved or providing evidence of activities performed
6. A specification is a document stating requirements

The extent and magnitude of an organization’s documentation may depend on the size and type of its activities; the complexity of its processes and their interactions, and the competence of its personnel.  And its documentation could be in the of

1. paper
2. magnetic
3. electronic or optical computer disc
4. photograph
5. master sample

ISO 9001:2008 clause 4.1 General requirements requires an organization to “establish, document, implement, and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard”.

Clause 4.2.1 General of the ISO 9001:2008 standard explains that the quality management system documentation shall include:

1. documented statements of a quality policy and quality objectives;
2. a quality manual;
3. documented procedures required by this International Standard;
4. documents needed by the organization to ensure the effective planning, operation and control of its processes, and
5. records required by this International Standard.

All of the documents that form part of the QMS have to be controlled in accordance with clause 4.2.3 of ISO 9001:2008, or, for the particular case of records, according to clause 4.2.4.

The following comments are intended to assist users of ISO 9001:2008 in understanding the intent of the general documentation requirements of the International Standard:

• Documented statements of a quality policy and objectives

Requirements for the quality policy are defined in clause 5.3 of ISO 9001:2008. The documented quality policy has to be controlled according to the requirements of clause 4.2.3.

Note: Organizations that are revising their quality policy for the first time, or in order to meet the amended requirements in ISO 9001:2008, should pay particular attention to clause 4.2.3 (c), (d) and (g).  Requirements for quality objectives are defined in clause 5.4.1 of ISO 9001:2008. These documented quality objectives are also subject to the document control requirements of clause 4.2.3.

• Quality Manual

Clause 4.2.2 of ISO 9001:2008 specifies the minimum content for a quality manual. The format and structure of the manual is a decision for each organization, and will depend on the organization’s size, culture and complexity.
A small organization may find it appropriate to include the description of its entire QMS within a single manual, including all the documented procedures required by the standard.

Large, multi-national organizations may need several manuals at the global, national or regional level, and a more complex hierarchy of documentation.  The quality manual is a document that has to be controlled in accordance with the requirements of clause 4.2.3.

• Documented procedures

These documented procedures have to be controlled in accordance with the requirements of clause 4.2.3

• 4.2.3 Control of documents
• 4.2.4 Control of records
• 8.2.2 Internal audit
• 8.3 Control of nonconforming product
• 8.5.2 Corrective action
• 8.5.3 Preventive action

Some organizations may find it convenient to combine the procedure for several activities into a single documented procedure (for example, corrective action and preventive action). Others may choose to document a given activity by using more than one documented procedure (for example, internal audits). Both are acceptable.

Some organizations (particularly larger organizations, or those with more complex processes) may require additional documented procedures (particularly those relating to product realization processes) to implement an effective QMS.
Other organizations may require additional procedures, but the size and/or culture of the organization could enable these to be effectively implemented without necessarily being documented. However, in order to demonstrate compliance with ISO 9001:2008, the organization has to be able to provide objective evidence (not necessarily documented) that its QMS has been effectively implemented.

Documents needed by the organization to ensure the effective planning, operation and control of its processes
In order for an organization to demonstrate the effective implementation of its QMS, it may be necessary to develop documents other than documented procedures.  However, the only documents specifically mentioned in ISO 9001:2008 are:

1. Quality policy (clause 4.2.1.a)
2. Quality objectives (clause 4.2.1.a)
3. Quality manual (clause 4.2.1.b)

There are several requirements of ISO 9001:2008 where an organization could add value to its QMS and demonstrate conformity by the preparation of other documents, even though the standard does not specifically require them. Examples may include:

1. Process maps, process flow charts and/or process descriptions
2. Organization charts
3. Specifications
4. Work and/or test instructions
5. Documents containing internal communications
6. Production schedules
7. Approved supplier lists
8. Test and inspection plans
9. Quality plans

All such documents have to be controlled in accordance with the requirements of clause 4.2.3 and/or 4.2.4, as applicable.

Records

Requirements for the control of records are different from those for other documents, and all records have to be controlled according to those of clause 4.2.4 of ISO 9001:2008.

Records required by ISO 9001:2008 are (where applicable):

1. Management reviews
2. Education, training, skills and experience
3. Evidence that the realization processes and resulting product fulfil requirements
4. Design and development inputs relating to product requirements
5. Results of design and development reviews and any necessary actions
6. Results of design and development verification and any necessary actions
7. Results of the review of requirements related to the product and actions arising from the review
8. Results of the review of design and development changes and any necessary actions
9. Results of supplier evaluations and any necessary actions arising from the evaluations
10. Results of design and development validation and any necessary actions
11. The unique identification of the product, where traceability is a requirement
12. Customer property that is lost, damaged or otherwise found to be unsuitable for use
13. As required by the organization to demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or
14. measurement
15. Validity of the previous measuring results when the measuring equipment is found not to conform to requirements
16. Results of calibration and verification of measuring equipment
17. Internal audit results and follow-up actions
18. Indication of the person(s) authorizing release of product.
19. Basis used for calibration or verification of measuring equipment where no international or national measurement standards exist
20. Nature of the product nonconformities and any subsequent actions taken, including concessions obtained
21. Results of corrective action
22. Results of preventive action