Documente Academic
Documente Profesional
Documente Cultură
b) Does the organization monitor and review the Describe that how they monitor these interested parties and their relevant
information about these interested parties and their requirements;
relevant requirements?
Notes:
An ‘interested party’ is any person or organization that can affect, be affected by, or perceive themselves to be affected by the decisions or activities of the organization
implementing the QMS.
In order to determine whether an interested party, or its requirements, are relevant to their QMS, the organization must consider whether or not they have an effect on the
organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or to enhance customer
satisfaction.
Each organisation will have its own set of relevant interested parties and these may change over time. Similarly, each interested party may also have its own set of
requirements, but all of these may not be relevant to an organization’s QMS. For any difference in opinion with client organization regarding the relevant interest of the
interested parties, the Auditors should be well prepared to challenge it.
Auditors will have to ensure that the organisation has been through a process of initially identifying these interested parties/ groups and then to identify their requirements
that are relevant to the organisation’s QMS.
They will also need to ensure that this process is revisited periodically because the relevant requirements of the interested parties may change over time.
Again, as there are no specific requirements for documented information in the standard, the auditor need to use the same approach, as in clause 4.1, to obtain information
through several sources/ documents and interviews with senior management to obtain the objective evidences when there is no direct documentation provided by the client
for this purpose. Where the organization has determined that any interested party and/or its requirements are not relevant to QMS, then it does not have to take any action to
address them.
Examples:
Interested parties could include the organization’s shareholders, employees, customers, end users, suppliers, regulators etc.
Requirement of Interested parties may include; Specs from raw materials manufacturers/ suppliers, Concerns on employee feedback forms, Contractual requirements from
Customers, Corporate policies & procedures, Legal requirements etc.
Examples:
Existing operational procedures, work instructions and flow charts are valid examples of documented information and can be used to evidence that the requirement for
documented information to support the operation of processes is being met. If these are working well for the organisation then there is no need to replace them.
Use of Turtle diagram by the organization for identifying the Process related Inputs, Outputs, Resources used (Human & Infrastructure), Monitoring and measuring processes
and documentation.
Use of Process approach by organization to identify sources of input, input, activities, output, receiver of output, performance indicators to control and monitor processes, and
the risks and opportunities associated with them. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]
5 Leadership
5.1 Leadership and commitment
5.1.1 General
Notes:
ISO 9001:2015 now requires that an organization’s quality policy is appropriate to both its purpose and context. This means that once the organization has determined its
context and the relevant requirements of its interested parties, Top management need to have a review its quality policy in light of that information.
They will have to continue to review the quality policy to ensure that any changes in its context, interested parties or their requirements is reflected in the Quality policy and
whether the organization’s quality objectives are effected (6.2a).
The auditors will also have to check that how the Quality policy is made available to relevant interested parties, where it is appropriate to do so.
6.1.2 a) Has the organization planned actions to address these How the organization addressing those risks?
risks and opportunities?
c) Are the actions taken to address risks and opportunities Auditor to verify the effectiveness of the identified actions by the
proportionate to the potential impact on the conformity organization in addressing the risk;
of products and services?
6.2.1 Has the organization established quality objectives at relevant Have the Quality objective been identified throughout the organization?
functions, levels and processes? Are the Quality objectives;
Δ
a) consistent with the organization’s quality policy and be What Quality objectives are established to enhance customer
relevant to the conformity of products and services, and satisfaction?
the enhancement of customer satisfaction?
b) measurable, take into account applicable customer and Objectives must be measureable and what’s the process to monitor?
statutory and regulatory requirements, and be monitored
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document
Notes:
ISO 9001:2015 now requires organizations to set quality objectives at functions, levels and processes that are relevant to conformity of product and the enhancement of
customer satisfaction. There will need to be evidence that the established quality objectives add value to the relevant functions, levels and processes within the organization.
Organizations are now required to determine what resources will be required to achieve quality objectives, who will be responsible for them, what will be done and when, as
well as how achievement of the objectives will be evaluated. In many cases, this will require organizations to undertake more detailed monitoring of objectives and targets
than they currently do.
Auditors should ensure that organizations are able to evidence that they are complying with these new requirements.
c) the availability of resources to effect the change? What resources the organization has put in place to control the
changes?
7.1 Resources
7.1.1 General
Δ b) Has the organization considered both the What process the organization used to determine the internal resources as
capabilities and constraints on its existing internal well as external resources needed?
resources and what need to be obtained from
Notes:
Organizations need to demonstrate that they have considered both internal and external resource requirements and capabilities e.g. training, software, appropriate work
instructions, competency skills, contract requirements, supply chain etc.
Auditors must now evidence that organizations have considered their need for external resources inaddition to their need for internal ones.
7.1.2 People
To ensure that the organization can consistently meet What the process used to ensure that there is sufficient manpower?
customer and applicable statutory and regulatory
Δ requirements, has the organization provided the persons
necessary for the effective operation of the quality
management system, including the processes needed?
Notes:
Essentially the same requirements as in ISO 9001: 2008, though the obligation to meet statutory and regulatory requirements is now explicit.
No change in the audit approach required here.
7.1.3 Infrastructure
Has the organization determined, provided and What infrastructure determined by the organization? During the onsite audit
maintained the infrastructure for the operation of its ensure that how the infrastructure been maintained?
processes to achieve conformity of products and
services?
Notes:
Essentially the same requirements as in ISO 9001: 2008, but it is made clear that ‘Infrastructure’ can include:buildings and associated utilities;equipment including hardware
and software;transportation; and information and communication technology.
No change in the audit approach required here.
Has the organization determined, provided and During the site tour, ensure that the environment determined by the
maintained the environment necessary for the operation organization based on the product and service provided is verified.
Δ of its processes and to achieve conformity of products
and services?
7.1.5.1 a) Where an organization uses monitoring or Upgrade audit: The delta would be to determine resources to ensure
measuring to demonstrate that its products and measuring results are valid.
services conform to requirements, has the
organization provided the necessary resources to Initial audit: The complete requirements from the point a) to c) to be
Δ ensure that monitoring and measuring results are established;
valid?
b) Does the organization ensure that the resources Upgrade audit: The delta would be that does the organization have expertise
provided are suitable to the type of monitoring or to the type of monitoring & measurement being undertaken.
measurement being undertaken and maintained in
order to ensure they remain fit for purpose? Initial audit: The complete requirements from the point b) to be established;
Δ
c) Does the organization retain appropriate No change from ISO 9001:2008 version.
documented information that the monitoring and
measurement resources are fit for purpose?
Notes:
Organizations will need to demonstrate that they retain documented information to evidence that not just monitoring and measuring equipment is fit for purpose, but that all
monitoring and measuring ‘resources’ are.
Auditors should note that where measurement traceability is required, measuring equipments are subject to additional controls. If measurement traceability is not required then
auditors must satisfy themselves that themonitoring and measuring resources an organization has employed are suitable and fit for purpose,and that arrangements are in place
to ensure their continued fitness for purpose.
Auditors should also ensure that documented information is being maintained by the organization todemonstrate that monitoring and measuring resources are fit for purpose
in these instances.
Does the organization consider its current knowledge and When changes occur at the organization, what processes do they use to
determine how to acquire or access the necessary determine the necessary additional knowledge?
additional knowledge, when addressing changing needs
and trends?
Notes:
‘Organizational knowledge’ addresses the need to determine and maintain the knowledge obtained by the organization, including by its personnel, to ensure that it can achieve
conformity of products and services. The process for considering and controlling past, existing and additional knowledge needs to take account of the organization’s context,
including its size and complexity, the risks and opportunities it needs to address, and the need for accessibility of knowledge.
The balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization, provided that conformity of
products and services can be achieved. Organizational knowledge can include information such as intellectual property and lessons learned.
To obtain the knowledge required, the organization can consider:
a) internal sources (e.g. learning from failures and successful projects, capturing undocumented knowledge and experience of topical experts within the organization);
b) external sources (e.g. standards, academia, conferences, gathering knowledge with customers or providers).
Organizations need to demonstrate that, if they are planning to make changes to their QMS, they re-assess the extent of their current organizational knowledge and take steps
to improve it if it is determined to be insufficient to accommodate the planned changes.
7.2 Competence
Has the organization; What process does the organization used to determine competence?
the organization’s quality policy, any quality objectives that What processes have been established by the organization to make people,
are relevant to them, how they are contributing to the working on behalf of organization, aware of the stated requirements?
effectiveness of the QMS and what the implications are of
them not conforming to QMS requirements?
Notes:
The important factor here is the addition of requirement to make people aware both of the organization’s quality objectives as well as the consequences of non-conformance
with its QMS requirements.
Auditors should note that additional information as set out above must be communicated to these individuals both (internal and external).
7.4 Communication
7.5.1 General
a) When creating and updating documented Requirements are more explicit, but changes are insignificant.
information, does the organization ensure that it
is appropriately identified and described (e.g. title,
Δ date, author, reference number), in an
appropriate format (e.g. language, software
version, graphics) and on appropriate media (e.g.
paper, electronic)?
Does the organization plan, implement and control those Is the organizational process identified for Production or service in control and where not,
processes that it has previously identified (clause 4.4) as are appropriate action taken for those identified risks and opportunities?
Δ necessary in order for it to meet product or service
requirements and to implements the actions determined in
6.1 by;
a) determining the product and services This should include organizational internal requirements and external
requirements; customer requirements.
b) establishing criteria for the processes and for the What criteria established for controlling the processes and the resulting
acceptance of products and services? output?
d) retaining documented information to the extent Objective evidence to demonstrate that processes are carried out as planned
necessary to ensure that its processes are being and the output meets the requirements of acceptance criteria.
carried out as planned, and that the products and
services that are being produced conform to the
identified requirements and acceptance criteria?
Is the output of operational planning and control suitable Objective evidence that KPIs/ measuring of the processes have been met
for the organization's operations? and/ or the action taken if they are not.
Does the organization ensure that outsourced processes Have the organization identified the controls to be applied to outsourced
are controlled in accordance with clause 8.4? processes?
Notes:
The term “product realization” has been withdrawn and replaced by “operation”, and the requirement for “Planning of product realization” has been replaced by “Operational
planning and control”.
The new control-focused requirements centre on ensuring that processes are implemented as planned, including actions to address risks and opportunities. This needs to be
evidenced by means of documented information.
ISO 9001:2015 introduces a requirement to establish the ‘criteria for the processes’ and to implement controls ‘in accordance with the criteria’. The emphasis is on controlling
the processes and organizations need to demonstrate that they have planned and implemented the appropriate process criteria:
- inputs, outputs, resources, controls, criteria, process measurement indicators, etc., plus
Additional requirements are included in ISO 9001:2015 relating to the control and review of changes to process controls (including unintended changes). Auditors should also
gather and evaluate evidence related to it.
Notes:
These requirements are essentially the same as for ISO 9001:2008 sub-clause 7.2.3 “Customer communication”, but with the addition of new requirements to communicate in respect of
the handling or treatment of customer property and specific requirements for contingency actions where relevant. The requirement to obtain “customer feedback” has been amended to
obtain “customer views and perceptions”.
Has the organization put in place a process to ensure that No changes from the ISO 9001:2008 version.
requirements for the products and services it intends to
offer to customers have been defined? This includesany
applicable statutory and regulatory requirements (and
those considered necessary by the organisation).
Notes:
ISO 9001:2015 starts from the position that the organization has already determined the products and services it intends to offer to customers, taking into account customer
a) requirements relating to its products and services, No changes from the ISO 9001:2008 version.
consideration of requirements set by the
customer, including ones relating to delivery and
post-delivery
Notes:
There is no substantive change to content, though there is recognition that when reviewing requirements relating to products or services, these requirements could now include
those arising from relevant interested parties – not just from customers.
Auditors should ensure that requirements from relevant interested parties are considered as part of an organization’s product and service requirement review process.
8.3.1 General
Notes:
ISO 9001:2015 now makes clear the circumstances when ‘design and development’ is required; there is also a specific requirement for a design and development process to be in
place:
where the organisation has not established detailed requirements for products or services, or
where these have not been defined by the customer or other interested parties
Increased knowledge of the products and services, and methods of arriving at them, will be required by auditors in order to be able to verify whether the organization’s QMS should or
should not include design and development.
When determining the stages and controls to be applied to Does the organization’s design process include the stages and evidences of a) through h)
its design and development process, does the as below?
Δ organization considered:
Note: The organization’s current product or service in the design phase should be the
objective evidence.
Notes:
ISO 9001: 2015 is more explicit in terms of the elements that must be considered as part of the design planning process.
Auditors should ensure that organizations are able to evidence that they have taken into consideration the explicitly referenced considerations relating to the design and
development process set out above.
They should also ensure that the organization has retained documented information to confirm that its identified design and development requirements have been met.
Δ Does the organization determine: Does the organization’s design process include the stages and evidences of a) through h)
Note: The organization’s current product or service in the design phase should be the
objective evidence.
Notes:
Auditors need to verify that the organization has addressed the specific new requirements set out in ISO 9001:2015, sub-clause: 8.3.3 – specifically, those relating to ‘resource
requirement and the consequences of design or development failure’.
Δ Has the organization applied controls to its design and Does the Organization’s design process include the stages and evidences of a) through d)
Note: The Organization’s current product or service in the design phase should be the
objective evidence.
Notes:
This is a new clause introduced by ISO9001:2015, which is basically a combination of the requirements in ISO 9001: 2008 relating to design review, verification and validation.
There is no change in the audit approach required. However, the requirement in ISO 9001: 2008 that, where practicable, validation should be completed prior to the delivery or
implementation of the product/service has been removed.
Does the organization ensure that design and Does the organization’s design process include the stages and evidences of a) through h)
development outputs: as below?
Note: The organization’s current product or service in the design phase should be the
objective evidence.
Notes:
The requirements are essentially unchanged, except that the requirement to “include or reference monitoring and measuring requirements, where appropriate” has been
added.
Auditors should note the additional requirement for documented information in respect of sub-clause 8.3.5. They should also note the need for design outputs to reference
monitoring and measuring requirements, as applicable.
8.3.6 Design and development changes Does the organization’s design process include the stages and evidences of a) through h)
as below?
Note: The organization’s current product or service in the design phase should be the
objective evidence.
Notes:
The ISO 9001:2015 requirements are essentially the same, though there is no longer any reference for design and development changes having to be ‘verified’, ‘validated and
approved before implementation’ (ISO 9001: 2008 clause 7.3.7).
No change in the audit approach would require.
8.4.1 General
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document
Does the organization ensure that externally provided Has the organization identified risks and actions for the products and services
processes, products and services meet the organization’s provided by the external providers?
specified requirements?
Has the organization established and applied criteria that No change from ISO 9001:2008 version.
allows it to evaluate and select external providers and,
that allows it to subsequently monitor their performance?
Criteria relating to the re-evaluation of external providers
also need to be established and implemented.
Does the organization retain appropriate documented Does the organization’s process include monitoring the performance of
information for the results of external provider’s external providers?
evaluation, re-evaluation and monitoring of their
performance?
Notes:
The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided
products and services.
Auditors should note the new requirement for the organization to establish criteria to allow it additionally to monitor the performance of external providers. This must be
maintained as documented information.
They should also note the requirement for organization to provide a record of the results of their monitoring of the external provider’s performance as documented information.
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document
In determining the type and extent of controls to be What processes are established by the organization to demonstrate control over
applied to the external provision of processes, products processes, products and services provided by the external provider for the points a)
Δ and services, does the organisation take into through e) as below?
consideration:
Notes:
ISO 9001:2015 now requires the organizations to control both, “the external providers and the potential impact of the externally provided processes, products or services on the
organization’s ability consistently to meet customer and applicable statutory and regulatory requirements”.
There is a greater emphasis on the organization’s need to satisfy itself that the controls applied by its external providers (to ensure that it meets the organization’s
requirements) are adequate.
e) details as to how the external provider’s New requirement as covered in section 8.4.1.
performance will be monitored and controlled
by theorganisation?
Notes:
Essentially, these requirements are unchanged. However few requirements are expanded such as;
- there is an acknowledgement that organizations may need to communicate not just the products or services they wish to receive, but also any processes they want the external
provider to undertake on their behalf.
- The requirement for the organization to communicate, as applicable, the necessary qualification of personnel to cover the competency and qualification of personnel.
- The requirement for the organization to communicate any “quality management system requirements”, as applicable, to “their (ie the external provider’s) interactions with the
organization’s quality management system”.
Notes:
This clause is essentially the amalgamation of clause 7.5.1 and 7.5.2 of ISO 9001:2008 with few modifications as below;
Notes:
These requirements are essentially the same as ISO 9001: 2008 clause 7.5.3, but the emphasis now is on ‘process outputs’ rather than products.
Process outputs are the results of any activities which are ready for delivery to the organization’s customer or to an internal customer (e.g. receiver of the inputs to the next
process). They can include products, services, intermediate parts, components, etc.
Does the organization take care of property that has been Objective evidence for the property belonging to customer or external
supplied to it forincorporation into its products or services providers;
by customers or by external providers?
Notes:
These requirements are essentially the same as those in ISO 9001: 2008 (clause 7.5.4), but the definition of customer property has been widened to specify that it can include
material, components, tools and equipment, customer premises, intellectual property and personal data.
The evidence is required to confirm that the controls appearing in ISO 9001:2008 relating to customer property have been extended to cover property from external providers.
8.5.4 Preservation
Notes:
These requirements are essentially the same as those in ISO 9001: 2008 (clause 7.5.5), but again the emphasis now is on ‘process outputs’ rather than product.
When making this decision, does the organisation The processes established by the organization to address the post-delivery activities and
Δ consider: associated risk identified based on the nature product or service;
Notes:
This clause expands the ISO 9001: 2008 requirement that post-delivery activities are carried out under ‘controlled conditions’ – clause 7.5.1 (f) – and now also requires the
organization to consider a list of issues as above when determining what post-delivery activities are required.
‘Post-delivery activities’ can include actions under warranty provisions, contractual obligations such as maintenance services and supplementary services such as recycling or
final disposal.
Notes:
These are new specific requirements (though they are implicit in ISO 9001: 2008 clauses 7.5.1 & 2).
Organizations need to demonstrate that where it has to make unplanned changes to its processes in order to ensure its products or services conform to specified requirements,
these changes must be made in a controlled manner.
Auditors should evidence that the organisation has controlled unplanned changes in accordance withthe requirements set out above
Notes:
These requirements are essentially the same as those in ISO 9001: 2008.
Δ Does the organization deal with nonconforming process The processes established to deal with non-conforming product/ or service
outputs, products or services in one or more of the and clients notified, where appropriate;
following ways:
by correcting the fault;
Notes:
These requirements are essentially the same as those in ISO 9001: 2008 (clause 8.3), but once again, ‘process outputs’ are a key focus of the requirements, though the
options available when non-conformities are identified are more explicitly detailed; in particular, the need to take ‘corrective’ action.
Documented procedure is no longer required, but documented information relating to non-conformities now has to include details of the person(s), who authorized the action
taken to deal with it.
9 Performance evaluation
9.1.1 General
Has the organization determined; Objective evidence of evaluating of the results of monitoring and
Δ measurement and analysis;
Notes:
The auditors should confirm that the organization identify the ‘what’ ‘how’ and ‘when’ of the monitoring and measurement, along with when the results should be evaluated.
Auditors should note the additional requirement for organizations to evidence evaluation of the results of monitoring and measurement, not just their analysis.
They should also note a new requirement to monitor the performance and effectiveness of the organization’s quality management system.
Have the methods for obtaining, monitoring and reviewing What methods determined by the organization to monitor & review customer
this information been determined? perception;
Notes:
Organizations now need to demonstrate that they have sought out information relating to how customers view the organization itself as well as its products and services. They
also must have a defined methodology identifying both how they will obtain, monitor and review this information.
Information related to customer views can include customer satisfaction or opinion surveys, customer data on delivered products or services quality, market-share analysis,
compliments, warranty claims and dealer reports, etc.
a) improvement opportunities?
Note:
Organizations are now required to retain documented information as evidence of the results of the management reviews (rather than records of management review as stated
in 9001:2008)
Auditors should expect to evidence the same outputs from management reviews as at present. However, they should note that the results of management reviews can now be
held in any format that the organization chooses.
10 Improvement
10.1 General
Does the organization decide and choose improvement What processes are planned and implemented by the organization to improve
opportunities and take necessary actions that will better
Note:
Auditors should evidence that, where nonconformities have been identified by an organization, an investigation has been conducted to determine whether other similar
nonconformities actually do or potentially could exist.This covers some of the requirements previously included under Preventive Action.
They should also evidence that where nonconformity has occurred, the organization has considered whether it needs to make changes to the wider quality management
system to prevent a re-occurrence.
Note:
Organizations now need to demonstrate that they are using the outputs from their analysis and evaluation processes to identify areas of unsatisfactory performance and
opportunities for improvement.
Auditors should evidence that organizations are using the outputs from their analysis, evaluation and management review processes to identify improvement opportunities and
quality management system performance.
Legend:
Symbol Description