+ Sidebar

Auditing the Tapestry of ISO 9001:2015 Requirements

Many new requirements in ISO…

Many new requirements in ISO 9001:2015 challenge auditors to look beyond typically prescribed audit evidence and explore the interconnected nature of an organization’s quality management system (QMS) processes. In addition, these new ISO 9001:2015 requirements can be considered from multiple levels of an organization. Figure 1 shows that there are five levels an organization can directly control.


The ISO 9001:2015 requirements can be viewed from this business ladder structure relative to defining and auditing the QMS activities. The business itself weaves the horizontal layers in a kind of tapestry. As an example, let’s consider ISO 9001:2015 requirement section 4.1 Understanding the organization and its context, which requires organizations to “Determine external and internal issues relevant to its purpose and its strategic direction.”

At the system level, this requirement can be considered from the standpoint of initially defining the QMS and its activities. For example, in defining the scope of an organization’s QMS, consideration is given to such external and internal issues, (illustrated in ISO 9001:2015 section 4.1). The external issues could include markets served and products and services offered. From an internal perspective, the organization’s technical competencies, available equipment, and location, etc., affect the definition of the organization’s QMS scope. Auditors look to the scope of an organization’s QMS to determine what technical expertise is required in auditing that organization’s QMS, as well as in anticipating the types of processes that would be included.

ISO 9001:2015 requirements can also be viewed from a strategic perspective, where the influence changes to the QMS at the system level. Looking at the “Context of the Organization” requirement again, the organization’s leadership would consider external and internal issues when formulating its business plan, whether this is long term (more than five) or near term (one to three years).

Certainly, changes in external and internal issues (refer to ISO 9001:2015 subsection 9.3.2, Management Review Inputs), could shape an organization’s strategic direction going forward. For instance, if new technology alternatives are quickly absorbing market share, the organization would need to consider whether to adopt such new technology or identify an alternative business strategy that may in turn change the scope of the organization’s QMS. Likewise, organizations faced with an aging work force internally need to consider succession planning and retention of organizational knowledge (refer to ISO 9001:2015 subsection 7.1.6) as part of their strategic direction. Auditors will find evidence of consideration for these changing external and internal issues in strategic/business planning discussions, management review results, and even annual reports for publicly traded companies.

For the Planning level of the business ladder, specific customer requirements may also drive external and internal issues that affect the organization’s QMS. If a customer were to request a new product that require the organization to perform extensive development activity, feasibility and risk consideration would highlight potential internal issues. This could include limitations in existing resources (refer to ISO 9001:2015 subsection 7.1.1) and external issues, such as availability of technology and employee competency to support the organization’s development process. Thus, connections between context of the organization, (which is discussed in ISO 9001:2015 section 4.1), actions to address risks and opportunities, (ISO 9001:2015 section 6.1), and operational planning and control (ISO 9001:2015 section 8.1), are recognized. Audit evidence at this level may include results from gathering customer and other project requirements and review of these requirements relative to the organization’s capabilities.

Considering external and internal issues from the process level of the business ladder, organizations encounter daily issues in their ability to consistently control their processes needed for producing products and/or delivering services (refer to ISO 9001:2015 subsection 8.5.1). Daily internal issues could include  attendance of the work force—especially during cold and flu season, unexpected equipment breakdowns, or even a workplace fire or other disaster. External issues that affect an organization’s operations could include availability of material/inputs, especially if there is a supply shortage or disruptions in utility services such as electricity.  Auditors can look for evidence of how organizations identify these issues,  (ISO 9001:2015 section 6.1), communicate them (ISO 9001:2015 section 7.4), and act upon them (ISO 9001:2015 subsection 8.5.1).This evidence might be found in production schedules, daily operations meetings, or shift changeover activities.

Finally, external and internal issues can exist at the the product level of the business ladder, as well. For example, external issues could include near-term changes in customer demand affecting operating schedules and inventory levels. Recalls or other field events of competitors could also affect the sales of an organization’s product. Internal issues at the product level could include processing errors that generate a large quantity of nonconforming outputs (ISO 9001:2015 section 8.7), or inventory inaccuracies that affect availability of product for shipment to customers. These events are excellent triggers for selecting appropriate audit samples to evaluate the effectiveness of an organization’s QMS in consistently fulfilling customer requirements.

To adequately define and audit an organization’s QMS, the application of each ISO 9001:2015 requirement at these different business ladder levels should be considered. In doing so, the interaction of ISO 9001:2015’s requirements—and therefore an organization’s QMS processes—becomes apparent.

In addition, each of these processes along the business ladder that address ISO 9001:2015 requirements should also be viewed from the Plan-Do-Check-Act perspective. This is the “wrap” that holds the tapestry of the organization’s business ladder together.

Rather than viewing ISO 9001:2015’s requirements linearly or only relative to one level of the business, auditors can assist organizations in recognizing the tapestry these requirements weave for defining, implementing, maintaining, and improving their QMS which optimally should function at all levels of the business.

Challenge: Select any ISO 9001:2015 requirement. Identify what processes in your organization’s QMS relate to that requirement at each of the business ladder levels. Also consider what audit evidence would be available in these processes to support the selected ISO 9001:2015 requirement. Remember  audit evidence can be tangible, observation, or statement of fact. Share your ideas in the comments below.

The post Auditing the Tapestry of ISO 9001:2015 Requirements appeared first on The Auditor.