Everything you need to know about the ISO 9000 series

What is the ISO?

The ISO, or International Organization for Standardization, is a non-governmental organisation that sets proprietary, industrial, and commercial standards, with a membership comprising 166 national standards organisations. The organisation’s name – ISO – is not an acronym, but in fact originates from the ancient Greek word ísos, meaning equal or equivalent. This name was chosen by its founders to ensure that the organisation did not have differing acronyms in each language. 

What is the ISO 9000 series?

The ISO 9000 series deals with quality management and is aimed at organisations looking to improve the quality of their products and services and ensure they consistently meet customer expectations. The ISO 9000 series is founded on 7 quality management principles, which are designed to aid performance improvement.

7 Quality Management Principles of ISO 9000 Series

The seven principles of ISO 9000 are:

  1. Customer focus: Meeting customer requirements contributes to sustained success
  2. Leadership: Leaders must create a unified purpose to help achieve goals
  3. Engagement of people: Competent and engaged staff help create and deliver value
  4. Process approach: Activities, procedures, and processes should be viewed as an integrated system
  5. Improvement: Successful organisations have a continuous focus on improvement
  6. Evidence-based decision making: Decisions should be based on analysis and evaluation of data
  7. Relationship management: Relationships with interested parties (such as suppliers) should be managed for the long term

What is ISO 9001? 

ISO 9001 sets out the criteria for a quality management system (QMS). A QMS is a set of procedures and policies which help organisations meet their goals. This is achieved by building a system around the quality management principles set out above. 

ISO 9001 is the only standard in the 9000 series which can be certified to, with over a million certified organisations worldwide. However, whilst an independent body can be enlisted to certify that an organisation meets the standard, that isn’t a requirement. There are many organisations which adhere to the standard without seeking certification.

What are the advantages of ISO 9001? 

ISO 9001 is suitable for any organisation, regardless of its size or activities. ISO 9001 helps ensure that customers get consistent, good quality products and services which can, in turn, bring many benefits to an organisation, including:

  • Increased productivity, leading to lower overall costs 
  • Repeat business, due to improved customer experience 
  • Enhanced reputation by gaining ISO 9001 certification 

Are there any downsides of ISO 9001? 

Detractors of ISO 9001 say that it is an outdated standard. This criticism is based on the fact that as it was first published in the 1980s, it is not based on the way people currently do business. A response to that critique is that while it’s true that ISO 9001 is not a new standard, it is updated regularly. The ISO website states, “Like all ISO standards, ISO 9001 undergoes a systematic review every five years to decide whether it is still valid or needs updating.” The latest version was produced in 2015 and the result of a recent review found, “that no revision was needed and the latest version… still provides as much value to those implementing the standard as it did when it was last updated”.

An additional perceived downside to ISO 9001 is the administrative burden and additional documents that need to be produced. But those worried about this can be assured that whilst there are items which must be documented, these are actually quite limited in number. 

Finally, there may be those who consider that ‘quality’ and ‘management’ are simply not things that can be standardised. It is argued that it is not possible to create rigid criteria for a quality management system for all types of organisations. However, the ISO 9001 standard itself states that: “all the requirements of this International Standard are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides”. It is thus apparent that the standard is intentionally generic in places, to enable organisations to build their own QMS within the ISO 9001 framework, rather than being overly prescriptive as to how this is accomplished. Furthermore, whilst the standard may be somewhat generic, there are a range of standards based on ISO 9001 which have been adapted to specific sectors. These include quality management systems for local government, petroleum and gas industries and software engineering.

ISO 9001: What is contained in the standard?

ISO 9001 is intended to bridge the gap between customer requirements and customer satisfaction. This is achieved by implementing a QMS which follows the ‘Plan Do Check Act’ cycle (PDCA):

  • Plan: establish objectives and processes 
  • Do: implement what was planned 
  • Check: monitor results against planned activities 
  • Act: take any required action to improve performance

The standard is made up of 10 clauses, which provide the criteria for establishing a quality management system. These clauses deal with matters such as ensuring: 

  • Objectives are established at relevant levels within the organisation;  
  • Customer requirements are defined and met; and 
  • Customer satisfaction is monitored. 

How to obtain certification 

As mentioned above, there is no obligation for organisations to obtain certification. If an organisation does wish to do so, it must first find a certification body, as ISO doesn’t perform certification. It is also important to ensure that the certification body is accredited, with independent confirmation of its competence. Once an organisation chooses a certification body, there are three broad steps to certification:  

  1. Prepare: put a documented quality management system in place, ensuring it complies with the standard. Some certification bodies will assist with this process. 
  2. Assess: the certification body will usually undertake an initial review of the QMS documents before visiting the site to ensure the system is operating as intended. The body is also likely to provide the organisation with an opportunity to remedy any failings. 
  3. Certify: provided the organisation’s QMS meets the ISO 9001 criteria, a certificate will be issued. 

Once an organisation is certified, it must review its certificate annually, and ensure that it is renewed every 3 years.  

It may display its certificate both on its physical premises and its website. When labelling a product or system as certified to an ISO standard, an organisation should avoid saying “ISO certified”, but instead specify “ISO 9001:2015 certified”.

How can VinciWorks help? 

Omnitrack is VinciWorks’ data collection and reporting tool which can help with all your compliance needs. Whether they have built their own workflows, or are using one of our templates, our clients rely on Omnitrack for a wide range of uses, from anti-bribery to GDPR compliance. As with these other use cases, Omnitrack can assist with ISO 9001 compliance, with benefits including: 

  1. Automatic reminders: ensure your quality management system is periodically reviewed and updated once implemented 
  2. Produce documentation: certain documents need to be retained and updated, to comply with ISO 9001. Reports can be generated directly from Omnitrack, based on answers to specific questions in the workflow. 
  3. Customisable: as mentioned above, ISO 9001 is deliberately generic, so that its principles can be applied to organisations of any size and in any industry. The flexibility of the Omnitrack platform means that any organisation can ensure the workflow questions are suited to its needs. 

Omnitrack can help you whether you are looking to undertake an internal audit prior to assessment by a certification body or simply wish to implement the ISO 9001 standard without certification.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.