top of page


Over 400 Articles To Help Elevate Your Compliance

ISO 9001:2015 – More Than Re-writing Procedures

ISO 9001:2015

Every company currently certified for ISO 9001 will need to re-certify at some point in time. This is an opportunity to go beyond just re-writing procedures and introduce new behaviours and practices to generate better quality outcomes.

In this blog, I will discuss four new behaviours introduced in 2015 that companies still struggle with today.

Key Drivers of ISO 9001:2015

The changes introduced in 2015 in many ways were a response to the low adoption of the process approach when it was originally introduced in 1990. At that time the standard was very prescriptive which, although not intended, created the conditions that favoured a check box approach to quality. It was common for companies to become certified without seeing any real improvement in the quality of their products or services.

This was not the case for all companies as many did in fact improve their quality processes by adopting the standard. However, the original goals were still largely unmet and legitimacy of the standard itself was at risk.

The 2015 version addressed those issues along with other needed improvements by promoting a more holistic approach with less prescription but with broader scope. The following changes are key examples of the direction the standard has taken:

  • Risked Based Thinking over Reactive Practices

  • Process Based Approach over Disparate Activities

  • Outcomes over Check-Box Compliance

  • Continuous Improvement over Audit-Fix cycle

More Than Rewriting Procedures

Having a standard that is now performance-based leaves flexibility for each company to determine the "how" part to best achieve the intended outcomes. This means that a prescriptive check-box strategy to compliance is no longer the best or preferred option. Additionally, this will rule out a cookie cutter approach and a one-size fits all mentality.

The specific methods and level of rigor that will be needed will depend on the maturity of other processes and practices within the organization. These will be different for every company.

The International Accreditation Forum (IAF) Guidelines for ISO 9001:2015 makes the following statement:

"[iso9001] promotes the need to demonstrate system effectiveness and the application of risk-based thinking through the process approach. This may result in the need for a variation of auditing techniques, therefore witnessed assessments may be necessary as part of the transition program."

Making risk-based thinking part of a quality program is not only a matter of writing a procedure that says you will conduct risk assessments every two years. While this may be a place to start, embedding risk-based thinking requires a change in mindset along with the introduction of new skills and tools.

While risk is inherent in every organization it manifests itself more whenever changes are introduced. Therefore, the way in which a company manages changes should provide significant evidence on how well risked-based thinking is embedded throughout the organization.

Even More than Process and Risk-Based Thinking

While adopting the process approach and risked-based thinking are essential to achieving re-certification, another perhaps even more important change is the focus on outcomes instead of on prescriptive compliance.

Defining, measuring and providing evidence that outcomes are being achieved is what drives an effective quality program. Also, outcomes are defined through the eyes of the customer and not by what a company believes is good quality.

This is precisely the difference between verification and validation required in the Pharma and Medical device industry. While you can verify that a product meets: quality, safety, and regulatory standards, it may not function well for the intended use for the product. As an example, it is possible to have a pacemaker that was designed per spec but still fails to keep your heart pumping. This failure results from confusing quality output over quality outcomes.

The adoption of continuous improvement is also required by ISO 9001:2015 along with almost every other compliance regulation and guideline. Many of which have adopted the same Plan-Do-Check-Act vocabulary.

Continuous improvement, however, means more than just re-framing activity under the letters PDCA as many are tempted to do. Instead, continuous improvement involves a more profound change from being reactive to being proactive. Planning once a year for improvements while good is not the type of continuous improvement that is expected.

Evidence of this change will be seen by how companies resource this approach. Many companies today seldom fund improvement activity of any kind and instead wait for things to break before they are fixed. Without a finding from an audit some companies will not invest in changes no matter how good they might be.

Waiting for failure has not worked for servicing equipment and as many now realize doesn't work for processes either. No longer can companies wait until complaints arrive, or until non-conformance is measured to create improvement actions. Improvement (done safely and in a compliant manner) now needs to be a routine occurrence and not an exception. This is not an easy mindset to change. However, LEAN has much to teach us about how to do continuous improvement well as many who have adopted it will tell.

Better Outcomes

Companies that want to move beyond basic compliance by embracing a proactive mindset focused more on customers, systems, risk management, and continuous improvement will be rewarded in the marketplace.

For others, who believe that a simple re-writing of procedures is all that is necessary, they will find their work will not deliver the promised benefits.


Related Posts

See All


The Book

Learn more about our upcoming book coming soon.

bottom of page