Written by John Flynn, Principal Security Consultant at Conosco
Do you want to improve operational efficiency and streamline processes? Maybe you want to differentiate your organisation from the competition? Or perhaps you want to demonstrate your commitment to quality management?
Whatever the reason, there are multiple benefits of implementing the ISO 9001:2015 standard into your business. According to a study by BSI, 66% of respondents saw an improvement in their products and services and 54% said they gained a competitive edge.
As businesses increasingly seek out ISO accredited partners and suppliers, we’ve created a step-by-step ISO 9001 checklist that will help you on your journey.
But first, what is ISO 9001:2015?
ISO 9001 is the internationally recognised standard for Quality Management Systems. The main goal of the standard is to monitor and measure performance across your business so that you can continuously improve processes and capabilities to deliver quality products or services. Recently revised in 2015, the standard also emphasises a risk-based approach, encouraging businesses to analyse the impact and potential threat to quality when making changes.
Used by over a million organisations worldwide, ISO 9001 is attainable by any company regardless of size or sector and can be adapted to any business model.
Why do businesses choose to become ISO 9001 Certified?
ISO 9001 improves overall business performance and creates a culture that facilitates sustainable development initiatives.
Certified businesses have proven their commitment to delivering excellence, by showing that they are quality focussed, reliable and safe to do business with. This can bring long-term success and financial gain as customer satisfaction improves and confidence is built in the brand. It can also open up new opportunities in global markets that may otherwise have been unattainable.
It also helps businesses to:
- Improve operational efficiency
- Manage risks and create a secure, structured environment
- Save money through improved efficiency and productivity
- Stand out from competitors
- Achieve greater employee satisfaction and engagement
- Win and retain new business
- Define employee roles and responsibilities
- Identify deficiencies in products and services
- Reduce waste, rejected work and customer complaints
10 Clauses of ISO 9001
Before we delve into the checklist, it is prudent to understand the 10 clauses of ISO 9001.
The 10 clauses were added to the current 2015 revision of the standard. Under each clause, there are 56 sub-clauses that lay out the requirements that businesses must implement within their own Quality Management System. Seven of the clauses are mandatory (4 to 10) whilst the first three provide general information.
- Scope – Encourages businesses to implement processes and systems to achieve consistent quality of output.
- Normative References – Gives a deeper understanding of the ISO 9000:2015 terminology.
- Terms and Definitions – Defines the QMS fundamentals and vocabulary.
- Context of the Organisation – Businesses must provide a high-level overview of the requirements of the Quality Management System and show an understanding of the context of the organisation. This may include presenting documented information such as business plans and strategies, annual reports, process maps and analysis work etc. The clause also requires the business to take a critical look at whether processes are understood throughout the organisation and whether the Quality Management System achieves its intended outcome.
- Leadership – The organisation must show that it is committed to delivering quality services and is customer focussed. They must demonstrate that they have the resources and leadership to govern processes and establish a quality policy.
- Planning – Businesses must identify the quality objectives, risks and opportunities and outline how they plan to achieve any changes that need to be made.
- Support – To implement a successful Quality Management System organisations must have the right people, resources, infrastructure, tooling, operational environment, skills, knowledge, training and processes in place. They must ensure all documented information is maintained and communicated to the business.
- Operation – Clause 8 covers operational planning and control. It requires businesses to take a critical look at their products and services, identifying, reviewing and changing operations to make production and service provision more efficient. This clause also requires a deeper analysis of external processes, such as suppliers and contractors.
- Performance Evaluation – Businesses must measure the performance of their QMS operations and activities to evaluate whether they are meeting objectives. They may measure and record this data using client satisfaction surveys, internal audits and management reviews.
- Improvement – Businesses must continually improve their QMS and take corrective action when needed.
12 Step Checklist for achieving ISO 9001
So, you’ve decided to take the leap and start on your journey towards ISO 9001 certification. Where do you begin?
Below we’ve outlined a checklist of 12 key steps that will give you the greatest chance of success.
Step 1: Leadership buy-in
Step 2: Perform a Gap Analysis
Step 3: The scope
Step 4: Implement the QMS and create the QMS Manual
Step 5: Internally communicate
Step 6: Create an audit plan
Step 7: Identify roles and responsibilities
Step 8: Refine the QMS and implement system changes
Step 9: Internally audit
Step 10: Apply for Stage 1 Audit
Step 11: The external audit
Step 12: Congratulations you’ve passed! Now what?
Step 1: Leadership buy-in
Embarking on ISO 9001 certification is not something you should take lightly. It requires the dedication of your entire organisation and a strong leadership team who will be accountable for the implementation and continued success of the Quality Management System.
The main sponsor of your ISO 9001 project will be governed by the size of your business but should ultimately fall to the most senior person. In many instances, it is the CEO that sets the direction for quality and will therefore champion the project, working closely with other stakeholders such as:
- Head of Quality (Strategy)
- Senior Management Team
- Heads of Department
- Internal Audit Team
- All owners of process
Resourcing is key to the accomplishment of ISO 9001, without the right team, tooling, infrastructure, budget and allocated time businesses may struggle to meet the requirements of the standard. However, having the full support of the leadership team up front, will not only ensure that your commitment to quality is led top-down, but will also make it easier to implement change or ask for additional resource when needed.
Once you have leadership buy-in the next stage is to identify the roles and responsibilities of the project team. This should be documented in an implementation plan and announced to the organisation. Keeping all employees abreast of the ISO 9001 certification process is vital as they are equally responsible for following the Quality Management System. It will also ensure that they are receptive to any changes and ready to adopt new processes.
In step 1 you should be asking the following questions:
- Why do we want to achieve ISO 9001 certification?
- How will ISO 9001 impact our business?
- What is the budget for the project?
- What resources do we have available, and will we need additional third-party support?
- Who are the ISO 9001 champions responsible for the project completion?
Step 2: Perform a Gap Analysis (GA)
Step 2 of the ISO 9001 checklist aligns with Clause 4 (see above) – Context of the Organisation. A Gap Analysis will enable your business to formally identify the gaps in your current QMS and the remediation work required to comply with the standard.
It will form a key milestone in your project plan and help you come up with a scope of works (see step 3). It can be performed by your internal team, although in our experience organisations will often outsource the Gap Analysis to a professional consultant that has a deeper understanding of what auditors are looking for. A third party provider is also more likely to have an open mind and provide a clear, non-bias report.
The Gap Analysis will cover questions like:
- Has the business identified core processes and defined how they are operated and controlled?
- Can you measure the success of core processes?
- Are processes regularly reviewed?
- Where using third parties that could affect the quality of your products and services have you put controls in place?
- Are management committed to the system and are they involved in management reviews?
- Has management defined the activities that are critical to meeting customer requirements?
- Are you meeting agreed SLAs?
- Have all staff that can affect quality been sufficiently trained?
- Is infrastructure and tooling suitable for meeting customer and regulatory standards?
Another factor to consider when performing the Gap Analysis is a risk assessment. Auditors will take a risk-based approach when reviewing processes, asking questions like:
- What could go wrong?
- What is the likelihood of it going wrong?
- What is the impact if it goes wrong?
These may seem basic, but key elements of risk are often missed by businesses and can cause unforeseen issues that impact quality further down the line.
Step 3: The scope
At this stage, you will need to formulate a scope of works based on the recommendations from the Gap Analysis.
The scope needs to be specific and should include:
- All actions, tasks and activities to remediate gaps
- Set out timeframes for changes to be implemented
- Include financials (where infrastructure/resourcing changes are needed)
- Outline roles and responsibilities
- Layout objectives and set measurables
Step 4: Implement the QMS and create the QMS Manual
When we talk about a Quality Management System, we are referring to all of the mandatory policies, procedures and processes that a business must enforce to ensure they deliver quality products and services and improve business performance.
The QMS is then presented in the form of multiple documents, registers, and manuals. Creating your QMS policy is a lengthy task as it must address all of the regulatory requirements of ISO 9001. It will be used by every employee, from management to administration, and therefore needs to provide clear, workable instructions that define expectations, responsibilities, and actions. Policies for control and maintenance of the document will also need to be created along with rules for continual improvement.
Step 5: Internally communicate
Once you’ve done the hard work crafting your QMS Policy you need to distribute it to the wider business. This will require strong, well-thought-out communication and the full commitment of your leadership team. Not only will they be responsible for enforcing policies, but they will need to lead by example and instil the QMS into the business culture.
Furthermore, employees will need to be re-trained on updated processes and new starters should be given your QMS Policy as part of their onboarding. Provided everyone is following the rules your products and services should be of a consistently high standard.
Step 6: Create registers and an audit plan
Your system has been implemented and your employees are comfortable following your documented procedures – it’s time to start an audit plan. Schedule internal audits which cover all departments in your business and take corrective action where needed. A robust audit plan is key to measuring the success of your QMS and identifying shortcomings.
During the audit planning phase you will also need to begin collating evidence in the form of records, customer satisfaction results and employee interviews, to demonstrate that you have been running your systems effectively several months prior to the external audit.
Step 7: Identify roles and responsibilities
Every process will consist of people that review and approve certain elements. Identifying and documenting these roles is essential as it ensures accountability and consistently high-quality output.
These are some of the roles you will need to identify:
- Policy/Process Author – This is the person responsible for documenting the process. They must be notified of any changes so that they can update the policy and ensure the wider business is aware.
- Reviewer – There may be several ‘Reviewers’ within any given process. These people are responsible for performing quality checks at specified intervals.
- Approver – The Approver will give final sign-off once they feel the product/service/activity has been completed to a high standard. They will be held accountable if the customer is unsatisfied.
Depending on the process you may need to allocate roles and responsibilities across different departments and areas of the business. Strong communication and a collaborative culture will ensure your systems operate seamlessly.
Step 8: Refine the QMS and implement any system changes
After several weeks of undertaking internal reviews, you’ll no doubt have uncovered areas that need refinement. Spend 2-3 months prior to your external audit, ironing out any issues and implementing changes. Follow this up with regular Management Reviews to ensure changes are having a positive effect and meeting your quality goals.
Step 9: Internally audit
Before you commit to the external audit, which will be conducted by an independent certification body, run a final internal audit. This will allow you to assess conformity, evaluate efficiency and identify opportunities for further improvement. See it as a dry run that will help you prepare for the real thing.
Select a group of internal auditors who are trained in auditing (or work alongside a third party like Conosco). They will be responsible for determining whether your ISO 9001 QMS is effective.
Step 10: Apply for the Stage 1 Audit
You’ve made it through the strategising, analysing, implementation and internal auditing, now you’re ready to book your external audit. It can take several weeks to complete the application and get a date for the assessment so it is wise to book in advance.
As soon as you have a date, communicate it to the rest of the business and put a reminder in everyone’s diary.
Step 11: The external audit
The auditor will be looking for evidence that your business is complying with the QMS. Encourage staff to be open and honest and ensure that they are prepared. The auditor is not trying to catch you out, they understand that employees do not have the answer to every question, instead, they will want you to demonstrate how you find the answers and information requested.
Other tips to help the audit go smoothly include:
- Prepare the office by ensuring workspaces are tidy and that there are no uncontrolled documents on desks or in common areas
- Make sure documents are available when needed
- Have a copy of the QMS manual ready for the auditor on arrival
- Give them a private space in which to work on their documentation
- Assign someone to go with the auditor and introduce them to the relevant people
Step 12: Congratulations you’ve passed! Now what?
Now the hard work begins!
You’ve achieved ISO 9001 certification, of course, you’ll want to plaster it all over your website and shout about it to your customers.
BUT, the work doesn’t stop there. To remain ISO 9001 certified businesses must continually review, monitor, measure, evaluate, identify and act on risks to improve procedures. You must continue to perform management reviews and internal audits and ensure the QMS is adequately resourced.
An external certification body will assess your QMS annually and will only renew your certification if it continues to meet the regulatory standards.
Round-Up
ISO 9001 is the only standard (of its kind) that requires organisations to align their processes and procedures with their broader business strategy. Whether you are looking to scale your business, introduce new product lines or install new infrastructure, your QMS will be the foundation on which your goals can be successfully achieved, ensuring there is minimal disruption to quality or risk to the business.
Although it may seem daunting, the financial, operational and cultural benefits are numerous. By following our ISO 9001 checklist and becoming certified your employees, stakeholders and suppliers will be empowered to deliver the highest quality products and services.
How can Conosco help?
Conosco can help you with all the documented procedures, policies, registers, processes and templates, these include:
- QMS Policy Register and Document List
- Document Control Policy (including classification and categorisation of data and retention periods)
- Change Requests
- Risk Register
- Risk Identification Process and Treatment
- Risk Appetite (scoring risk process)
- Risk Evaluation of Suppliers (register of suppliers and analysis of suppliers)
- Training Matrix (including attendance stats and evaluation reporting)
- SWOT Analysis Reporting tool
- Opportunities for Improvement Register
- Control of Equipment Register
- Pestle Analysis
- Calibration Logs
- Inspection Logs (goods in and goods out)
- Software Registers and Logs
- Performance Logs
- Legal and Compliance Register
- 9001 Performance Dashboards
- Audit Schedule
- Audit Policies
- Corrective Action Plan
- Root Cause Analysis
- Management Review Agenda’s and Minutes
- Monitoring Customer Satisfaction
- Supplier Audit Questionnaires
- Audit Report
- Audit Findings CAP Report
- Audit Agendas (requirements criteria of audit)
- Customer Satisfaction Results
- Project Plans Template
As a BSI partner, our experienced auditors are also qualified to certify your business meaning we’ve got you covered from start to finish.
Get in touch with our team to find out more.