ISO 9001:2015 – Dealing with Deadlines – Part 3

We have seen that ISO 9001 has changed significantly with this 2015 revision. With the addition of context, interested-party expectations, and risk-based thinking, one would think ISO 9001:2015 has changed the most, but actually, ISO 14001 has changed in the most dramatic fashion, requiring companies to rethink their EMS. I add EMS back in at this point for those of you who have or are considering an Environmental System or are thinking about “Planting Seeds” as I have recommended.



One of the key changes in ISO 14001 is the concept of “strategic environmental management,” where the organization is asked to give more importance to environmental management in the strategic planning process. This idea is further expanded by calling for increased participation of the organization in the EMS.

This, along with life cycle thinking, protection of the environment, and environmental performance, has fundamentally changed the Standard. Organizations should give themselves a chance to rethink their management system.

Culture can be described as: ‘The way things are done around here.’ However, this culture will have to be reviewed and revised, if necessary, as a consequence of the adoption of Annex SL as the basis for ISO 14001:2015. This includes the behaviors of everyone connected with the environmental system, and in particular, of those operating at the most senior level within an organization.

The 2015 edition has been revised to meet the needs of today’s business world. Every organization is different, so the steps needed to adjust your management system are likely to be unique to your situation. However, here are some tips that will help you get started on the journey.

Tip 1 – Familiarize yourself with the new document(s). While some things have indeed changed, many remain the same. A correlation matrix is available from ISO/TC 176/SC 2, which will help you identify if parts of the standard have been moved to other sections.

Tip 2 – Identify any organizational gaps which need to be addressed to meet the new requirements.

Tip 3 – Develop an implementation plan.

Tip 4 – Provide appropriate training and awareness for all parties that have an impact on the effectiveness of the organization.

Tip 5 – Update your existing quality management system to meet the revised requirements.

Tip 6 – If you are certified to an ISO Standard, talk to your certification body about transitioning to the new version.

The next steps

It’s important to create an implementation leader and a steering committee for this important transition. When creating the leader and team, management should stress that both management systems are for the organization’s benefit overall, and not for a specific department. The steering and leadership teams, championed by top management, ensure the completion of the processes shown below.

Discuss and plan the approach to management system changes. The strategy must be determined before a gap analysis can be conducted. Key strategies include:

  • Implementing a strategy for addressing risk
  • Considering proactive preventive processes for risk during the product-realization processes
  • Determining how top management can be pulled into the planning and implementation of the QMS and EMS
  • Integrating QMS and EMS processes into the same process approach (as required by clause 5.1.1 in the HLS)
  • Integrating social responsibility, including “protecting the environment,” into the EMS

Following this strategic planning process, the next steps are:

  • Conduct a gap analysis to analyze where the organization is in relationship to the overall plan and strategy, including ISO 9001:2015 and ISO 14001:2015 management systems.
  • Create an implementation plan with a steering committee and process owners.
  • Develop the key strategies and initiatives.
  • Document the (new) processes and procedures.
  • Implement the new system.
  • Conduct internal audits.
  • Conduct a management review.
  • Conduct third-party audits.

To efficiently implement the changes required by ISO 9001:2015 and ISO 14001:2015, and to do so with a value-added focus, organizations must begin the process now. As the surveillance audit and final deadlines draw near, organizations should avoid waiting until the last minute to begin this process. Otherwise they will find themselves forced to focus only on conformance to the standards (at a minimum), rather than building true value into their management systems.

As usual, sincere hopes that you find our posts informative. TKG

ISO 9001:2015 – Dealing with Deadlines – Part 2

In Part 1 we discussed not putting off until tomorrow what we can do today. We introduced the concepts of Risk-Based Thinking and the Process Approach as they relate to an integrated business system. And we re-addressed some additional requirements that, I believe, will be on the horizon sometime in the future.

Now in Part 2 we’ll get into the details…

Key Changes to ISO 9001:2015

High level changes to all management system standards – The most significant changes in the 2015 Standard are in Clauses 4, 5 and 6, i.e. Context of the organization, Leadership and Planning, but there are many others throughout the Standard.

The Standard is rewritten according to the HLS (High Level Structure) – The ISO 9001:2015 standard has been restructured: chapter and sub-chapter titles, as well as the order of clauses and paragraphs, were completely revised.

Overall, this restructuring does not affect the Standard’s content or requirements. When examining the text in detail, however, the structure has changed to comply with new composition guidelines and topic sequences.

This change reflects a strategic choice that will gradually be applied to all ISO management system standards. Initiated on ISO 55001 (Asset Management System), the new structure is consistent with Appendix SL to the ISO Directives, Part I.

With this new common structure, ISO aims to help businesses and organizations more easily integrate all or parts of their various management systems and ultimately achieve a truly unified management system.

This consistent common structure makes it easier for companies to include components of other standards that it deems relevant: parts of the environmental standard ISO 14001:2015, the asset management standard ISO 55001 and even the future ISO 45001 standard on occupational health and safety management.


This is a new concept and relates to the external factors and conditions that could affect an organization and its ability to provide products and services to customer requirements. Examples could include governance, regulation, sector, stakeholders and shareholders to name but a few.

Importance given to the context surrounding the certified organization and to its stakeholders – Two new clauses (4.1 and 4.2) require greater consideration of the context surrounding the organization. They require a context analysis, as well as the identification of stakeholders and an understanding of their expectations.

A standard purposely open to the service industry – The context in which organizations evolve has changed and the revision of the standard takes into account the evolutions in the way organizations do their business or activities. Originally drawn up for manufacturing and industrial sectors, ISO 9001 has been a victim of its own success, and many organizations from other areas have made it their own.

The ISO 9001:2015 revision has taken these changes into consideration. Its choice of vocabulary and level of abstraction simplify implementation in all industries, including services.

Tip: The context will influence the type and complexity of management system needed.


There are enhanced requirements for top management to demonstrate leadership and commitment directly with the QMS.

Leadership – The commitment to quality through strong and visible leadership is strengthened:

  • The idea of a “management representative” disappears completely.
  • The quality policy and stated goals must be deeply in keeping with the strategic orientations.
  • QMS requirements must be merged into business processes.

Tip: Top management is expected to be “hands on” and to ensure that the quality policy and quality objectives are consistent with the overall strategy and context.


Planning is a new term introduced to the high level structure, with a requirement to address risks and opportunities and to carefully plan changes within the quality management system.

Risk management becomes a foundation of the standard – Each major revision of the Standard introduces a concept that allows certified companies to reach a new level of maturity.

Risk management based on a “risk-based thinking” approach has become fundamental in the 2015 revision: risk identification, qualification and management. Quality results from proper management of these risks, which go beyond the strict scope of the product or service delivered. Quality cannot exist unless the organization can provide its client a conforming product or service over the long term.

Risk has its counterpart: opportunity. The ISO 9001:2015 standard also embraces this concept of positive uncertainty.

Of course, risk is an additional concept that in no way supersedes the concept already present in the standard. Risk is incorporated into the fundamentals and rounds out these notions. As such, the process approach and PDCA remain two essential pillars.

Managing risk also means working towards continuous improvement. Corrective action corresponds to an unidentified, wrongly qualified or mismanaged risk; preventive action addresses a risk of possible but un-occurred noncompliance.

Tip: Risks and opportunities, for example, could relate to the use of electronic systems within the management system. Introducing such systems would require change and transition arrangements, which should be planned within the management system.


This new section builds upon the 2008 requirements for competence and awareness (now extended to include persons under the organization’s control, not just employees) and communication.

Tip: With the increasing use of outsourced providers, this requirement reminds organizations that this resource must be managed effectively just as internal providers are managed.

Human Factors – ISO 9004:2008 section 6.6 Work environment advises: The work environment should encourage productivity, creativity and well-being for the people who are working in or visiting the organization’s premises (e.g. customers, suppliers, and partners). At the same time, the environment complies with applicable statutory and regulatory requirements and addresses applicable standards (such as those for environmental and occupational health and safety management). See previous post “The Touchy-Feely Employee” for more on this.

Knowledge is a resource like any other – In its 2015 revision, ISO 9001 is once again adapting to its times. Knowledge has become key to successful projects and business development. The new standard considers knowledge like any other resource to be managed:

  • Identify the knowledge necessary to carry out the activity in compliance with the QMS and to achieve the defined objectives.
  • Knowledge must be maintained, protected and made available where necessary.
  • Anticipate changes in knowledge needs and manage the risk of failing to acquire knowledge in due time.

This is my take on the Key Changes and, with them, the importance of care and planning. But do not minimize the lesser changes, especially those due to omission, i.e. 9.2 Internal Audit – the concept that auditors must not audit their own work is no longer included (see ISO 19011:2011) – or Management Representative and Quality Manual. Duties and documented information are still required.

Next time, Environmental Management – ISO 14001 in Part 3.

ISO 9001:2015 – Dealing with Deadlines – Part 1

The deadline for ISO 9001:2015 registration seems far off in the distance. But we only have about 20 months left to get registered to the new revision, and some related timelines are fast approaching. This post will attempt to address the steps necessary to achieve transition while maintaining your sanity (and that of your consultant, should you choose to use one). The bottom line is: don’t wait until the last minute. And, since all other management systems are based upon ISO 9001:2015, this post applies to all registered management systems.

Transition strategies for ISO 9001

Some organizations have already passed their surveillance audits since the Standard’s publication in September of 2015, but most audits have yet to take place. Many organizations will begin their re-certification cycle around the middle of 2017. This doesn’t leave a lot of time for updating management systems to comply with new requirements if you are planning on transitioning this go around.

There are several strategic changes to ISO 9001:2015. One of them, seen by many as the most important, is risk-based thinking which allows organizations to think beyond measuring risk and become proactive in preventing it. Risk-based thinking addresses multiple ISO 9001:2015 requirements, including but not limited to: planning of products and processes, changes, both planned and unplanned as well as positive and negative impacts to the customer and other interested parties.

Now, I am not aware of any successful organization that is devoid of risk consideration, and I presume these same entities actively pursue opportunities, but I would bet that many small ‘Mom and Pop Shops’ only have limited risk management competencies.

There are always concerns with the product realization processes—project risk, design risk, manufacturing process risk, and shop floor control. Those of you who are familiar with other disciplines (Automotive, Medical, Aerospace) or just have a basic knowledge of risk avoidance may be familiar with FMEA (Failure Mode Effects Analysis). You can be sure that your auditor is and may be expecting to see how you have embraced this tool. But don’t make the mistake of FMEA(ing) everything – you won’t be compliant! FMEA only addresses negative risk, is for the most part too subjective, and will make your heads hurt.

Risk is seen as both a positive (opportunity) and a negative (loss) so it takes more than “one way to skin a cat” to fully realize this addition. ISO 31010 Risk Management – Risk assessment techniques, describes 30 or so of the most popular tools and how to use them. I highly recommend buying a copy to keep in your arsenal. It may be worth its weight in ‘Get Out of Jail Free’ cards.

With ISO 9001:2015, organizations will also be required to rethink their process approach. In previous revisions, ISO 9001 only required procedures (which were defined as processes, although not very well) and did not use any language similar to ISO 9001’s process approach. Clause 4.4 now specifically uses the word “process.” This, along with the requirement that top management integrate quality management system (QMS) requirements into the organization’s business processes (per clause 5.1.1 c), means that companies must integrate these systems’ requirements into one process approach. This is an important element of the 2015 revision that’s not getting enough attention.

Although not presently a requirement, I predict that other important opportunities should be considered by organizations transitioning to ISO 9001:2015. I believe integrating concepts (planting the seeds, if you will) for “protecting the environment” (ISO 14001) and social responsibility/sustainability (ISO 26000) into their QMS would be a wise move. This is especially important with the new IATF 16949:2016 standard that requires a code of conduct for ethics in environmental and social responsibility. Additionally, many organizations have sustainability standards and are being required by their customers to create social responsibility-related initiatives. This is an organization’s chance to integrate all their requirements and standards into one system. I also believe that requirements for Occupational Health & Safety ISO 45001 and Information Security ISO 27001 & 2 will eventually creep into the mix, but that’s farther down the road – maybe the 2022 or 2030 revisions.

We’ll continue with the specifics in Part 2.

An IOP by Any Other Name – Part 3

OK, so here we are. We have asked and answered a question in Part 1. We have looked at why the question came about in Part 2. Now we’ll look at (at least) one approach for dealing with the requirement.

Do you remember that I said there was an NCR written to the IOP in the AS9100 Registration Audit? Well, that was because there was no dotted line around Continual Improvement as a Management R&A Process (MRP). We argued that Continual Improvement was a result and not a process, but the auditor challenged back that because it was a stand-alone with no relationship to MRP, the organization had misrepresented its processes and actually had five, not four, processes as claimed. The interim correction was to place the dotted line around it, thereby including it in the MRP, and Corrective Action was to re-draw the IOP and reposition Continual Improvement as a Measurement, Analysis and Improvement sub-process.

Figure 5, in its present form, is simple and elegant and is ‘father to the man’ (Figure 1) in Part 1. You will note that each of the four processes includes a finite number of sub-processes that may include related sub-sub-processes (yes, I meant to say that) but does not muddy the presentation by including everything. It also clearly depicts the four Key Process Indicators (KPIs), which are themselves determined by a combination of sub-processes.

You will note that there are two major divisions: COPs (Customer Oriented Processes), or the Realization Process (old clause 7, now 8), and MOPs (Management Oriented Processes), the support processes (everything else), broken into neat little packages that identify a concept without including every element. This aids internal auditing – you can focus on either Realization or QMS, which then facilitates identification of status and importance (remember that one?).

Within each of the 4 processes are the sub-processes and this shows how the pieces relate to the whole.

Continual Improvement, as mentioned earlier is included in the Management R&A Process but is not really a sub-process. It is more a planned result and is included to demonstrate commitment to improvement. (This was the only thing that might have, and did give rise to question and trying to explain it away by saying it’s an expectation that planned results will be achieved didn’t work.) Move along – these are not the droids you’re looking for… Correction took care of the problem and corrective action repositioned it where it rightfully belongs.

Now, as you move toward transition, process definition and sequence become more important and as we are reminded, as auditors, all you have is the IOP. If you ‘nail’ this one, everything else falls into place. You might also want to document Tuttle Diagrams for each “process” to describe inputs, outputs and how planned results are achieved because that will be the next question. The easier you make it for the auditor, the smoother the audit will go.

So how do we do that? Well, Mr. Philip Crosby (Remember him from the Quality Gurus?) makes it very easy. Basically, just recreate the diagram below (copy and paste from our website or Google it until you find a workable version) and connect the dots.

The process model worksheet is a simple yet powerful tool for defining new processes and for analyzing an existing process to make it zero defect. It is very useful even to explain a process. The steps are as follows:

1. Name the process

2. Scope the process by defining the starting activity and the ending activity

3. Identify the outputs, customers and output requirements

4. Identify the inputs, suppliers and input requirements

5. Define the controlling inputs

Once this much is clarified, the work/process under consideration can be well understood, so that it can be proofed to perfection.

Once you’ve defined your processes and sub-processes, mapped out their interaction, and identified inputs and outputs, you can decide which processes (and sub-processes) are most important – KEY – and it becomes very easy to determine what you will measure to find out how effective your system actually is.

I hope this post series has been helpful.

An IOP by Any Other Name – Part 2

In Part 1 we answered a question, now we look at the why of the question.

Our author, just as so many before him, is struggling with a basic flaw in the system; that being a general acceptance (on the part of the auditors and not entirely their fault) of incomplete IOPs over the years and the rebounding that resulted from it.

The following is a good example.

Up until ISO 9001:2000, the 20 elements, most if not all of which required procedures, were considered (interpreted) as ‘the processes,’ the planned result of which was supposed to be a quality product.

You probably noticed I didn’t add ‘service.’ That’s because it was a manufacturing standard. And up until now, everything revolved around product quality and its consistency because (as previously discussed) the Standard was based upon military purchasing requirements and everybody – auditor and auditee – was on board with that.

The 2000 revision introduced the Process Approach and in 4.2.2(c) required that, “a description of the interaction between the processes of the quality management system” be included in the quality manual.

So what we saw (Figure 2) was a good representation of what transpired from the time the phone rang with an RFQ to the time product went out the door. And all was well with the world.

This model was easy for the auditor to follow and verify so they were happy and if the auditor was happy, the organization was happy and they paid the Registrar (CB), so they were happy and the Registrar paid the ANAB, RAB in those days (AB) who paid the IAF, so everyone got paid and everybody was happy and it went along this way for the next eight years.

I believe, although I am not 100% certain, that I mentioned at some point there is a mandatory revision process the Standard must go through, and so it did. In 2008 came the next iteration which, by most accounts, is nothing more than a re-packaging of the 2000 revision. ISO (in essence a publishing house, profiting from the sale of the Standards) needed to find a way to market its ‘latest and greatest’ offering and did so by pointing out that the 2000 revision, ‘rich in new concepts,’ had largely been misunderstood, so the 2008 version was everybody’s last, best chance to get it right – Ka Ching!

Guess what? Most, including the auditors, CBs and ABs didn’t get the message – Again! Figure 2 above, or something like it, depicting an incomplete interaction of processes (IOP) persisted. In some cases, the addition of a ‘rogue’ measurement and analysis, (i.e. Internal Audit) management or resource process found its way into the mix but it wasn’t until sometime later on that full understanding of intent evolved. And, with the introduction of ALL the elements, most IOPs continued as a hodgepodge of jumbled elements (Figure 3) that more closely resembled progression of a bacterial infection than what the organization was actually doing.

There were some solid attempts at creativity (as seen in Figure 4) but for the most part organizations limped along as best they could and the auditors were letting it happen.

For most it remained business as usual with every element included in the IOP and NCRs written for a single omission, hence my brother’s question.

For others it was ‘The Awakening,’ a realization that the Standard was a business model and I’ll share that revelation with you in Part 3.

An IOP by Any Other Name – Part 1

Yours truly recently received a question from one of our many followers, a brother auditor, who writes;

“I blew off… today so that I could conduct an internal audit for a repeat customer. One of their big changes is that they changed their IOP around. My question to you is; does an IOP have to specifically reference the internal audit & calibration processes? Or is reference to the analysis of data and MR sufficient enough? Their IOP last year referenced internal audits, but the new revision doesn’t. I think it should be referenced, but maybe I’m wrong.”

I answered back, “Excellent question! And, I’m impressed that you ask because it shows a level of maturity.” The level of maturity, in this case, is he’s starting to get it. He recognizes that it is the organization’s responsibility, not the auditor’s, to define the processes and their interaction. It is the auditor’s responsibility to assess the organization’s compliance with the Standard and demonstrate that they are following documented activities to achieve planned results.

As I penned (typed) these words, it occurred to me that there may be others out there who are uncertain as to the requirements and I decided to share my response.

I went on to say, “I’ve attached a sample Interaction of Processes (IOP) and the following explanation. Caution – should you adopt my model – you will need to be prepared to defend it. Also note that I developed it for a specific client’s AS9100 audit, so in your case, it most likely will be challenged. And, I wouldn’t suggest this as a better way. It’s just another way.”

“Go back to your AS9100 training and think about PEAR (process effectiveness assessment report). The answer to your question lies somewhere between client opinion, your opinion, the interfaces between processes and sub-processes and supporting documentation. If everything hangs together, they’re good, if not, well, Houston, We Have a Problem.”

“Here’s my spin on it…


As you look at my graphic, (Figure 1) you will see, in the middle, the Realization Process (not processes) and surrounding the Realization Process are the Supporting Management Processes each with multiple sub-processes.

My goal was to distill the processes down and keep it as simple as possible so they could then argue, to a greater or lesser degree, what they do and how they go about doing it – verbally rather than graphically – connecting the dots. That way they had a lot more flexibility and their response could be tailored to fit the conversation at hand.”

“So they successfully argued that the organization had a total of 4 processes (we don’t count process development – bottom left-hand corner, which is more of a place holder and to balance the diagram – Note: this is not Design & Development, which is actually a Realization sub-process.)”

“The Realization Process (that thing which the company does) needs to be clear and match up with what they are actually doing, and theirs [addressing the author’s, client’s IOP] appears to be – although it’s muddy and convoluted which happens when you throw every element into the mix. I would have liked to see what they are measuring, and this is why I listed KPIs in my IOP model, but it’s not a requirement. And (I presume) there will be greater latitude given as auditors become more comfortable with 2015.”

This approach minimized the impact of PEAR (the auditor had only four to write, which made him very happy) and with only one ‘low score’ which had been previously, well documented, CAPA and Management Review, they passed the Registration audit with six minor findings (one of which was written against the IOP. Corrective Action was a slight revision as seen in Figure 1.)

More to come and the why of the question in Part 2.

Internal audit

If you are like most people with a quality system, you have procedures; one of which is concerned with Internal Audits. The standard states:

9.2.1 – The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1. the organization’s own requirements for its quality management system;
2. the requirements of this International Standard;
b) is effectively implemented and maintained, and,

9.2.2 – The organization shall:
a) plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation of the audit program and the audit results.

If you are like most people with Internal Audit procedures, you have carefully word-smithed the verbiage to address all the “shalls,” individually, just in case. And, if you are like most people who have addressed all the points, you most likely have a sentence in your procedure that addresses the requirement, “Auditors shall not audit their own work,” which was passed down to us from time immemorial.

I understand what ISO was trying to communicate with this requirement and I also understand, in some cases, it is absolutely impossible for a small organization to meet the letter of the law. It is also regrettable that most Auditors looked upon this requirement as ‘Etched in Stone’ and woe unto you, poor quality guy, whose senior management wouldn’t spring for a team of trained in-house auditors or for a 3rd party audit of the processes you manage.

Yep – The MR Audit came into being for no other reason but to give you ulcers and a new line item in your annual budget! For the auditor it was just too easy to say, “Who audits you?” and wait as you stutter the name of an amorphic entity obviously made up of Day-Glow Ectoplasm, the name of whom (if you have been really creative) may be on some sort of training record to prove competence, but whose handwriting is remarkably ‘similar’ to yours.

This is not exactly what ISO had in mind.

From the very beginning, ISO had presented us with a ‘Best in Class’ set of practices, their business model, if you will, to address the various issues organizations face, that if done so ‘properly,’ would lead to improvements in efficiency and effectiveness of performance processes.

The purpose of not auditing your own work was to prevent ‘cheating.’ Best Practices are transparent. Best Practices hold you accountable. So the point was to promote truth in disclosure. Internal Auditing is intended to be a process which honestly looks at the systems and assesses them fairly in order to make a recommendation as to the level of compliance with a particular requirement and if found to be not compliant, to make the necessary changes to bring about compliance. So, what’s a QA guy to do? You do the best you can. You audit fairly and honestly. You document weaknesses and initiate corrective actions regardless of who the process owner is. In short, you do your job!

The good news is with the advent of the revision to ISO 19011 (in 2011) and ISO 9001 (which has omitted that critical line, “Auditors shall not audit their own work”) and then provided ‘a way out’ with the inclusion of the guidance note: NOTE See ISO 19011 for guidance, all is now well with the world. Did you stay with me? Do you understand what this means? Have you read ISO 19011:2011 – Guidelines for auditing management systems?

It means we can ‘legally’ audit our own work (if we have to) because ISO 19011:2011 Section 4(e) states, “For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity.”

Audit and be happy… and I suggest that, if you are like most people who have an Internal Audit procedure which addresses ALL the requirements of the International Standard you might want to make a small change to that verbiage with something like: “The MR ensures that auditors are independent of the area audited, wherever possible*.”

*See ISO 19011:2011 Section 4(e).


Organizational Knowledge is Now Part of the Mix

ISO has now introduced the term “knowledge.” Since knowledge was not addressed previously, the complexity of this subject and our approach to it are brand new. ISO 9001:2015 defines requirements for the handling of organizational knowledge in the following four phases, which are analogous to the PDCA cycle:

7.1.6 Organizational knowledge:

1. The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services.
2. This knowledge shall be maintained and be made available to the extent necessary.
3. When addressing changing needs and trends, the organization shall consider its current knowledge, and,
4. Determine how to acquire or access any necessary additional knowledge and required updates.

NOTE 1 Organizational knowledge is knowledge specific to the organization; it is generally gained by experience. It is information that is used and shared to achieve the organization’s objectives.

NOTE 2 Organizational knowledge can be based on:

a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services);
b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers).

By introducing the term “knowledge,” ISO is trying to raise organizational awareness of the management and linking of know-how in order to position them for the future.


Knowledge is a very subjective term with individual definitions, so each organization must define it for themselves. Depending on the scope and context of the organization, their definition for knowledge can be completely different. A large-scale car manufacturer, for example, might define other target areas than a small law firm or Human Services provider.

These new requirements are not for the purpose of establishing administrative information or document management, but to ensure a controlled process for handling organizational knowledge in conformity with the quality management framework conditions.

Organizational knowledge: The two types

Knowledge Management best practices address both:

a) Explicit Knowledge – a type of knowledge that is formalized and codified, and is sometimes referred to as know-what, and
b) Tacit Knowledge – a type of knowledge that resides within an employee, sometimes referred to as know-how.

Organizational knowledge: The four phases

The four phases that define the requirements for obtaining and processing organizational knowledge include the many process points that provide purpose for the organization. It is a good idea to establish knowledge and competence objectives up front – something (I would think) that has already been accomplished in most firms.

In phase 1, the organization should determine knowledge of customer expectations and requirements and the specific production / service-provision processes. Afterwards, they can plan how they can achieve the identified goals and objectives by means of learning, on the job training, certificate programs, etc.

In phase 2, the organization should determine specific methods to share knowledge in-house and to maintain this knowledge. Encouraging employees to pass on their experience from completed projects or failures to their colleagues as in “lessons learned” is a good start. Employees leaving the company (or refusing to share their experience and know-how) represent a major risk of loss of knowledge. Organizations wishing to mitigate these risks should collect and maintain the knowledge and know-how when it is available.

In phase 3 the organization should evaluate new knowledge, such as that communicated in a training session, interview with an employee on the status of knowledge, where appropriate, and identify opportunities for improvement. Another challenge involves monitoring changes in market trends or in technology and analyzing the extent to which they can influence the knowledge that the organization needs.

In phase four, the organization should identify opportunities for improvement in specific areas where targeted measures could be taken. Depending on circumstances, the organization might improve the processes for collection, storage and safeguarding organizational knowledge. It might also be a good idea at this time to re-validate critical knowledge or to improve the protection of existing know-how. In addition to continued training, the organization can use external sources including newsletters, industry magazines, strategic partnerships, etc. to expand their knowledge.

The Touchy-Feely Employee – Introduction of Human Factors

On December 13th the much-awaited 2000 revision was released and the world changed forever! How significant the changes were, however, has taken some time to fully realize. In a previous post we talked about the presence of Risk in the Standards – where it appeared and where it didn’t. Yes, 2000 was a big year… inclusion of so much but conspicuously devoid of risk (but that was then, this is now.)

Changes from 1994 to 2000

The text was reworded for easier adaptation to a wider range of organizations. Some definitions were changed. The standard had shifted from product to process-oriented thinking including a process model based on the Plan-Do-Check-Act cycle, which outlined the product and/or service cycle and the management control cycle.

The 20-element format was replaced. The text of the standard was now organized into four major processes:

  • Section 5. Management Responsibility
  • Section 6. Resource Management
  • Section 7. Product Realization
  • Section 8. Measurement, Analysis, and Improvement

Management Responsibility

  • Top management had to provide evidence of its commitment to the development and improvement of the quality management system.
  • The evidence needed to include communicating to the organization the importance of meeting customer needs, as well as regulatory and legal requirements.
  • The quality objectives were now measurable, had to be consistent with the quality policy and had to include a commitment to continual improvement.
  • Quality planning had to include continual improvement of the quality management system.
  • Top management had to ensure that customer needs and expectations were determined, converted into requirements, and fulfilled with the aim of achieving customer satisfaction.
  • Top management had to ensure communication of quality management system processes and of process effectiveness took place at all levels and functions of the organization.

Resource Management

  • The organization had to identify, provide and maintain the facilities it needed to achieve conformity of product, including: workspace and associated facilities; equipment, hardware and software; and supporting services.
  • The organization had to identify and manage the work environment with consideration of the human and physical factors needed to achieve conformity of product.

Product Realization

  • The organization had to determine customer requirements including: product requirements not specified by the customer but necessary for intended product use; and obligation related to the product, including regulatory and legal requirements.
  • The organization had to identify and implement arrangements for customer communications relating to: inquiries, order handling, or contracts (including amendments); customer feedback (including complaints).

Measurement, Analysis and Improvement

  • The organization had to collect and analyze appropriate data to determine the suitability and effectiveness of the quality management system and to identify potential improvements. Data had to be generated by measuring and monitoring quality system implementation and/or maintenance activities.
  • The organization had to analyze collected data to provide information on customer satisfaction and/or dissatisfaction and conformance to customer requirements. These methods had to confirm the continuing ability of each process to satisfy its intended purpose.
  • At appropriate stages of the product realization process, the organization had to measure and monitor the characteristics of the product to verify that requirements are met.
  • The organization had to plan and manage the processes necessary for the continuous improvement of the quality management system. The organization had to facilitate the continuous improvement of the quality management system through the use of the quality policies, objectives, audit results, data analyses, corrective and preventive actions, and management review.
  • The organization had to monitor information on customer feedback – satisfaction and/or dissatisfaction as one of the measurements of quality management system performance. The methodologies for obtaining and using this information had to be determined.

Human Factors was not expressly called out in ISO 9001:2000 Element 6.4 Work environment, which only required, “The organization shall determine and manage the work environment needed to achieve conformity to product requirements.” ISO 9004 screamed it out…

ISO 9004:2000 6.4 Work environment

Management should ensure that the work environment has a positive influence on motivation, satisfaction and performance of people in order to enhance the performance of the organization. Creation of a suitable work environment, as a combination of human and physical factors, should include consideration of:

  • Creative work methods and opportunities for greater involvement to realize the potential of people in the organization,
  • Safety rules and guidance and the use of protective equipment,
  • ergonomics,
  • workplace location,
  • social interaction,
  • facilities for people in the organization,
  • heat, humidity, light, airflow, and
  • hygiene, cleanliness, noise, vibration and pollution.

The 2008 revision of ISO 9001 continued with the same language but did add the guidance note below:

NOTE The term “work environment” relates to those conditions under which work is performed including physical, environmental and other factors (such as noise, temperature, humidity, lighting or weather).

This note then becomes the bridge between ISO 9004 (Guidance document) and ISO 9001 (Requirements) and, although the term Human Factor is not specifically defined, it is categorized among ‘other’ factors such as health & safety and environmental.

Finally, the 2009 revision of ISO 9004 took the subject to a whole new level with:

ISO 9004:2009 (current revision) 6.6 Work environment

The organization should provide and manage a suitable work environment to achieve and maintain the sustained success of the organization and the competitiveness of its products. A suitable work environment, as a combination of human and physical factors, should include consideration of:

  • creative work methods and opportunities for greater involvement to realize the potential of people in the organization,
  • safety rules and guidance and the use of protective equipment,
  • ergonomics,
  • psychological factors, including workload and stress,
  • workplace location,
  • facilities for people in the organization,
  • maximization of efficiency and minimization of waste,
  • heat, humidity, light, airflow, and
  • hygiene, cleanliness, noise, vibration and pollution.

The work environment should encourage productivity, creativity and well-being for the people who are working in or visiting the organization’s premises (e.g. customers, suppliers, and partners). At the same time, the organization should ensure that its work environment complies with applicable statutory and regulatory requirements and addresses applicable standards (such as those for environmental and occupational health and safety management).

How do you suppose an auditor is going to assess an ‘emotionally protective’ environment? Truth… They’re not! They’re going to keep auditing the way they have done so since 2000, going merrily along ignoring the fact that it’s there. So what about now? The concept is now codified in ISO 9001 in this latest 2015 revision:

ISO 9001:2015 7.1.4 Environment for the operation of processes

The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services.

NOTE A suitable environment can be a combination of human and physical factors, such as:

a) social (e.g. non-discriminatory, calm, non-confrontational);
b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).

These factors can differ substantially depending on the products and services provided.

And now the fun starts…

Change Management and ISO 9001:2015

To be compliant, ISO 9001:2015 requires the organization to identify and implement any changes to the quality management system, its processes or its outputs (products or services) in a planned manner.

The following clauses of ISO 9001:2015 focus on change management:

1. Clause 4.4.1 g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;

2. Clause 5.3 e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

3. Clause 6.3 Planning of changes: When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4).

The organization shall consider:

a) the purpose of the changes and their potential consequences;
b) the integrity of the quality management system;
c) the availability of resources;
d) the allocation or reallocation of responsibilities and authorities.

4. Clause Control of Documented information c): control of changes (e.g. version control)

5. Clause 8.1 Operational planning and control: The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

6. Clause 8.2.1 b) Communication with customers shall include: handling inquiries, contracts or orders, including changes;

7. Clause 8.2.4 Changes to requirements for products and services: The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.

8. Clause 8.3.6 Design and development changes: The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements. The organization shall retain documented information on:

a) design and development changes;
b) the results of reviews;
c) the authorization of the changes;
d) the actions taken to prevent adverse impacts.

9. Clause 8.5.6 Control of changes: The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements. The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.

10. Clause 9.2.2 a) The organization shall plan, establish, implement and maintain an audit program including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

11. Clause 9.3.2 b) (Management Review inputs) The management review shall be planned and carried out taking into consideration: changes in external and internal issues that are relevant to the quality management system;

12. Clause 9.3.3 b) the outputs of Management review shall include decisions and actions related to: any need for changes to the Quality Management System.

13. Clause 10 NOTE Examples of improvement can include correction, corrective action, continual improvement, breakthrough change, innovation and re-organization.

14. Clause 10.2.1 f) when a nonconformity occurs, including any arising from complaints, the organization shall: make changes to the quality management system, if necessary.

The three stages of Controlled Change Management:


Change management starts with identifying the change requirement. The following are some of the changes that generally take place in an organization:

1. Change in the scope of the Quality Management system

2. Policy change

3. Product change (technology improvement, raw material change, change in customer requirement etc.)

4. Process change (Quality Improvements and Productivity increase)

5. Procedure change (equipment changes, new equipment, Raw material changes etc.)

6. Change in Employees (new positions, New recruitments, resignations, Long leave etc.)

7. Change in Management (Mergers, take-overs etc.)

8. Changes in Requirements (customer requirements, Legal requirements, QMS requirements etc.)

The change control process is as follows:



Simple Change Management Plan as per clause 6.3 of ISO 9001:2015:


(This template may be used as input to Management review, as required by Clause 9.3.2)