
1. Context of the organization


 Understanding the organization and its context: 

o How has your organization determined the external and internal
issues affecting its purpose and strategic direction? How do these
affect your QMS’s ability to achieve its intended result?

o How do you monitor and review the information about these
external and internal issues?

 Understanding the needs and expectations of interested parties:

o How have you determined which interested parties are relevant to
your QMS? How have you determined which relevant
requirements those parties must meet? How have you determined
their potential impact?

o How do you monitor and review the information about interested
parties and their relevant requirements?

 Determining the scope of the quality management system

o How have you used the boundaries and applicability of the QMS
to establish the scope for your ISO 9001 audit?

o Have you considered these factors when determining the scope of
the organization? How?

 The external and internal issues

 The requirements of relevant interested parties


 The products and services of the organization 

o Have you determined how to apply ISO 9001 within the scope,
and done so? How?  

o Have you deemed any ISO 9001 requirements not applicable to
your QMS? How did you make that determination? Your auditor
will want to see documentation, and evidence that the quality of
your products and services is not affected.

o Where is the scope available? Where is it maintained as
documented information? (The auditor will want to see this
documentation.) Does it state which products and services the
QMS covers? Does it justify your determination that certain ISO
9001 requirements needn’t be applied to your QMS?

 Quality management system and its processes

o How was your QMS established? Your auditor will want to see
how you implemented it, and how you maintain and improve it. 

o How were your QMS’s processes determined, and how do they
interact?

 What are the inputs and outputs? 

 What is their sequence and interaction? 

 What are the criteria, methods, measurement, and other
performance indicators needed to operate and control these
processes?

 What resources are needed, and how are these made
available?

 How are responsibilities and authorities assigned for those
processes?

o How are risks and opportunities considered, and what plans and
actions address them?

o What methods do you use to monitor, measure and evaluate
processes? How do you make changes where needed to achieve
your goals?

o How do you find ways to improve your QMS and its processes?

o Which documented information exists to support your QMS
processes? How do you preserve this information? Your auditor
will want to see it.

o How do you know that the processes are being carried out as
planned?

      2. Leadership
 Leadership and commitment for the quality management system

o Your auditor will want evidence that your top management
demonstrates leadership and commitment regarding the QMS. Do
they accept accountability for the QMS’s effectiveness?

o How did you establish the quality policy and objectives for your
QMS? How are these compatible with the strategic direction and
the organizational context?

o How do you communicate your quality policy within your
organization? Your auditor will want to see those
communications.

o How have you integrated the requirements of the QMS into your
business processes?

o How does your leadership educate staff about the QMS
approach?

o How do you ensure that necessary resources are available for the
QMS?

o How do you communicate the importance of effective quality
management?

o How do you communicate the importance of conforming to the
QMS requirements?

o How do you ensure that the QMS achieves its intended results?

o How do you engage, direct, and support people to contribute to
the effectiveness of the QMS?

o How do you promote continual improvement?

o How do you support other relevant management roles to
demonstrate leadership in their areas of responsibility?
 Customer focus

o The auditor will want to see how top management demonstrates
leadership and commitment to customer focus, and ensures that
your business meets statutory and regulatory requirements.

o How do you determine the risks and opportunities that can affect
how your products and services conform to these requirements?

o How do you work to enhance customer satisfaction?

o How do you stay focused on consistently providing products and
services that satisfy your customers and meet statutory and
regulatory requirements?

o How do you maintain customer satisfaction?

 Quality policy

o How does top management establish, review, and maintain a
quality policy? How does doing so conform to your enterprise’s
purpose and context?

o Does your quality policy provide a framework for setting and
reviewing quality objectives?

o Does it contain a commitment to satisfy ISO 9001 requirements?

o Does it include a commitment to continual improvement of the
QMS?

o Where is the quality policy available as documented information?
How is it communicated? Your auditor will want to see evidence
that this policy is understood and applied throughout your
organization.

o How have you made your quality policy available to others?

 Organizational role, responsibility, and authorities

o How does top management ensure that responsibilities and
authority for relevant roles are assigned, communicated, and
understood organization-wide?

o How does top management assign the responsibility and authority
for:

 Ensuring that the QMS conforms to the 9001 standard?

 Ensuring that processes deliver their intended outputs?

o How are the performance of the QMS, opportunities for
improvement, and the need for change or innovation reported to
top management?

o How does a focus on the customer get promoted within the
organization?

o When your organization makes changes to its QMS, how does it
maintain the QMS’s integrity?

      3. Planning for the quality management system
 Actions to address risks and opportunities
o How do you consider internal and external issues when planning
for the QMS?

o How do you determine and address risks and opportunities so
that the QMS can do the following:

 achieve its intended results

 Prevent or reduce undesired effects

 Achieve continual improvement

o How do you plan actions to address risks and opportunities?

o How do you integrate actions implemented into your QMS
processes?

o How do you evaluate the effectiveness of the actions?

o How do you address the potential impact of risks and
opportunities on the conformity of your products and services?
These might include avoiding the risk, taking the risk to pursue an
opportunity, eliminating the risk source, changing the likelihood of
consequences, sharing the risk, or retaining the risk by informed
decision.

o Product design skills

o How do you determine that the personnel responsible for product
design are competent enough to achieve design requirements?

o How do you determine which skills are required in applicable tools
and techniques?
o How do you identify those applicable tools and techniques?

o Quality objectives and planning to achieve them

 Where are the quality objectives kept, and do they apply at all relevant
functions, levels, and processes?

 Are they consistent with the quality policy?

 Are they measurable?

 Do they consider applicable requirements?

 Are they relevant to the conformity of products and services? Do they
enhance customer satisfaction?

 Are they monitored? How? How often?

 How do you communicate the objectives?

 How do you update them?

 Where is the documented information on the quality objectives? (The
auditor will want to see it.)

 How does your organization determine what will be done, with what
resources, and how results will be evaluated for quality objectives?

 Planning of changes

o How are changes to the QMS planned systematically?


o Demonstrate the purpose and potential consequences of
changes.

o Demonstrate the integrity of the QMS.

o Demonstrate how resources are made available for changes to
the QMS.

o Demonstrate how you allocate responsibility and authority for
changes.

     4. Support
 Resources

o Demonstrate how you determine resources for the establishment,
implementation, maintenance, and improvement of the QMS.

o Show how you consider the capabilities of, and constraints on,
internal resources.

o Show how you consider the needs of external providers.

 People

o How do you provide the people necessary to consistently meet
customer, statutory, and regulatory requirements for the QMS,
including the necessary processes?

 Infrastructure
o How do you determine, provide, and maintain, the infrastructure
for the operation of processes to achieve product and service
conformity?

 Environment for the operation of processes

o How do you determine, provide, and maintain the environment for
the operation of processes to achieve product and service
conformity?

 Monitoring and measuring resources

 How do you determine the resources needed to ensure
valid and reliable monitoring and measuring results, where
used?

o How do you ensure that provided resources are suitable for the
specific monitoring and measurement activities, and are
maintained to ensure that they fit their purpose?

o Show the documented information providing evidence of fitness
for the purpose of monitoring and measurement resources.

o Show how measurement instruments are verified or calibrated at
specified intervals according to national or international
measurement standards. If there are no standards, show the
documented information used as the basis for calibration or
verification.

o Show how measurement instruments are identified to determine
their calibration status.
o Show how those instruments are safeguarded from being
adjusted.

o Show how they are safeguarded from damage and deterioration.

o How do you determine the validity of previous measurements if
you find an instrument to be defective during verification or
calibration? What actions can you take?

 Organizational knowledge

o How do you determine the knowledge necessary for the operation
of processes?

o How do you determine the knowledge necessary to achieve
conformity of products and services?

o How do you maintain this knowledge, and how do you make it
available to the extent necessary?

o How do you consider current knowledge, and how do you acquire
additional knowledge when addressing changing needs and
trends?

Organizational knowledge can include information such as intellectual
property and lessons learned. To obtain the knowledge required, the
organization can consider internal sources (such as learning from failures and
successful projects, capturing undocumented knowledge, and listening to
topical experts within the organization), and external sources (including
standards, academia, conferences, and gathering knowledge with customers
or providers).

 Competence
o Show how you determine the necessary competence of people
working under your control that affects quality performance.

o How do you determine competence on the basis of appropriate
education, training, or experience?

o How do you take actions to acquire necessary competence, and
how do you evaluate the effectiveness of those actions?

o Show documented information of competence

 Awareness

o How are people aware of:

 Your quality policy?

 Relevant quality objectives?

 Their contribution to the effectiveness of the QMS?

 The benefits of improved performance?

 The implications of not conforming with the QMS
requirements?

o Communication

o How do you determine internal and external communications
relevant to the QMS?
o How do you determine the dissemination of those
communications: What is communicated? When? With whom?
How?

o Documented information

o What documented information do you have as required by this
standard?

o What documented information do you have that’s necessary for
the effectiveness of your QMS?

o Show that your documented information contains

 Identification

 Description

 Media format

o Show how the documented information is reviewed and approved
for suitability and adequacy.

o Show how you control documented information.

o Show how you make the information available and suitable for
use.

o Explain how you protect your documented information.

o When controlling documented information, how do you address:

 Distribution
 Access

 Retrieval

 Use

 Storage and preservation

 Legibility

 Control of changes

 Retention and disposition

o How do you identify and control documented information of
external origin that you have determined as necessary for the
QMS?

     5. Operation
 Operational planning and control

o How do you plan, implement, and control the processes you have
to follow to meet requirements for providing products and
services?

o How do you determine the requirements for your products and
services?

o How do you determine the processes and acceptance for your
products and services?

o How do you determine resources for operations?


o How do you implement process control? Be prepared to show
documented information showing that the processes have been
carried out as planned, and to demonstrate that your products and
services conform. 

o How have you determined that the output from the planning
process is suitable for your operations?

o How do you control planned changes? How do you review the
consequences of unintended changes? What action is taken to
mitigate any adverse effects?

o How do you control outsourced processes?

 Determination of requirements for products and services: Customer
communication

o What are your processes for communicating with customers?
How do you communicate information related to the following?

 Products

 Services

 Enquiries

 Contracts

 Order handling

 Customer views, perceptions, and complaints

 Handling or treatment of customer property


 Specific requirements for contingency actions

o Determining the requirements related to products and
services

o What is your process to determine the requirements for products
and services offered to potential customers? How do you
establish, implement, and maintain this process?

o How do you define product and service requirements, including
statutory and regulatory requirements?

o How do you ensure that you can meet the defined requirements
and substantiate any claims for your products and services?

o Review of requirements related to products and services

o How do you review the following?

 Customer requirements for delivery and post-delivery

 Requirements necessary for customers’ specified or
intended use

 Additional statutory and regulatory requirements applicable
to products and services

 Any other contract or order requirements

o You will need to show the auditor documented evidence that you
conduct these reviews before supplying products and services to
your customers. 
o How do you resolve contract or order requirements that differ from
those previously defined?

o How do you confirm customer requirements where the customer
does not provide a documented statement?

o Be prepared to show the auditor documented information that
describes results of the review, including any new or changed
requirements.

o Be prepared to show documented information about changes to
products and services. How do you ensure that relevant
personnel know about these changes?

o Design and development of products and services

o How do you establish, implement, and maintain a design and
development process, if detailed requirements of your products
and services are not already established or defined by the
customer or other parties?

o Design and development planning

o When determining the stages and controls for design and
development, be prepared to show the auditor how you consider
the following:

 The nature, duration, and complexity of these activities

 Requirements that specify process stages, including
reviews

 Required verification and validation


 Responsibilities and authorities

 How interfaces are controlled between individuals and
parties

 The need for involvement of customer and user groups

o Be prepared to provide evidence confirming that design and
development requirements have been met.

o Design and development inputs

o Be prepared to show how you determine which requirements are
essential for the type of products and services you are designing
and developing, including:

 Functional and performance requirements

 Statutory and regulatory requirements

 Standards or codes of practice where there is a
commitment to implement

 Internal and external resources needed for the design and
development of products and services

 Potential consequences of failure

 Level of control expected of the design and development
process by customers and other relevant parties
o How do you determine that inputs are adequate, complete, and
unambiguous for design and development? How do you resolve
conflicts among inputs?

o Design and development controls

o How do controls that are applied to the design and development
process ensure that:

 Results to be achieved by design and development
activities are clearly defined?

 Design and development reviews are conducted as
planned?

 Outputs meet the input requirements by verification?

 Validation is conducted to ensure that the resulting products
and services are capable of meeting the requirements for
the specified application or intended use (when known)?

o Design and development outputs

o How do you ensure that design and development outputs

 Meet the input requirements for design and development?

 Are adequate for the subsequent processes for the
provision of products and services?

 Include or reference monitoring and measuring
requirements, and acceptance criteria, when applicable?
 Ensure that products to be produced, or services to be
provided, are fit for their intended purpose and their safe
and proper use?

o Be prepared to show the documented information that results
from the design and development process.

o Design and development changes

o How do you review, control and identify changes made to the
design inputs and outputs during design and development of
products and services, while ensuring that these changes don’t
affect their conformity to requirements?

o Be prepared to show documented information for design and
development changes.

o Control of externally provided products and services

o How do you ensure that externally provided processes, products,
and services conform to specified requirements?

o Be prepared to show how you apply specified requirements for
the control of externally provided products and services when:

 Products and services are provided by external providers
for incorporation into your own products and services

 You provide products and services directly to customers by
external providers on your behalf
 A process or part-process is provided by an external
provider as a result of a decision to outsource a process or
function

o Be prepared to show how you establish and apply criteria for
evaluating, selecting, performance monitoring, and re-evaluating
external providers.

o How do you assess third parties’ ability to provide processes,
products, and services in accordance with specified
requirements?

o What documented information do you have of evaluation results,
performance monitoring, and re-evaluation of external providers?

o Type and extent of control of external provision

o How do you determine which controls to apply to the external
provision of processes, products and services, considering

 Possible effects of the externally provided processes,
products, and services on your ability to consistently meet
customer, statutory and regulatory requirements?

 The perceived effectiveness of the controls applied by the
external provider?

o What verification or other activities do you have to ensure that
externally provided processes, products, and services do not
adversely affect your ability to consistently deliver quality products
and services to your customers?
o When processes or functions have been outsourced to external
providers, how do you consider the quality controls for their

 Products and services incorporated into your organization’s
products and services?

 Products and services provided directly to your customers?

o How do you define the controls to be applied to the external
provider and to the resulting process output?

o Information for external providers

o Show how you communicate to third parties your requirements
for:

 Products and services they are providing or processes they
are performing on behalf of your organization

 Approval or release of products and services, methods,
processes or equipment

 Competence of personnel, including necessary
qualifications

 Their interactions with your organization’s quality
management system

 Your organization’s control and monitoring of their
performance

 Verification activities that your organization or customer
intends to perform at the third party’s premises.
o Before you communicate with external providers, how do you
ensure that the requirements you specify are adequate? 

o Production and service provision

o What controlled conditions do you have for production and
service, including delivery and post-delivery activities?

o Be prepared to show evidence of controlled conditions for:

 The availability of documented information defining the
characteristics of the products and services

 The availability of documented information defining the
activities to be performed and the results to be achieved

 Monitoring and measurement of your products and services
at appropriate stages to verify that criteria have been met
for process and process-output controls and acceptance

 The use and control of suitable infrastructure and process
environment

 The availability and use of suitable monitoring and
measuring resources

 The competence and, where applicable, required
qualification of personnel

 The validation, and periodic revalidation, that you can
achieve desired results using any process for production
and service provision where the resulting output cannot be
verified by subsequent monitoring or measurement
 Products and services release, delivery and post-delivery
activities

o Identification and traceability

o How do you identify process outputs to ensure conformity of
products and services?

o How do you identify the status of process outputs?

o How do you control the unique identification of process outputs,
where applicable?

o What documented information do you retain?

o Property belonging to customers or external providers

o What care do you provide for your customer’s or external
provider’s property while it’s under your control? Customer
property can include material, components, tools and equipment,
customer premises, intellectual property, and personal data.

o How do you identify, verify, protect, and safeguard property that is
provided for use with or incorporation into your products or
services?

o How do you report to the customer or external provider if their
property is incorrectly used, lost, or damaged, or found to be
unsuitable for use?

o Preservation 
o How do you ensure that your process outputs get preserved
during production and while you are providing services, so that
your products and services conform to requirements?
Preservation includes identification, handling, packaging, storage,
transmission or transportation, and protection.

o Post-delivery activities

o How do you meet requirements for post-delivery activities
associated with your products and services?

o When determining the extent of post-delivery activities required
for your products and services, how do you determine

 Risk?

 Nature, use, and intended lifetime?

 Customer feedback?

 Statutory and regulatory requirements?

o Control of changes

o How do you review and control unplanned changes to ensure
your processes, products, and services continue to conform with
specified requirements?

o What documented information can you show describing the
results of reviews of changes, the personnel authorizing change,
and any necessary actions?

o Release of products and services


o Be prepared to show documented evidence that you have
implemented planned arrangements at appropriate stages to
verify that your products and services are meeting your
requirements.

o Be prepared to show documented evidence that you hold the
release of your products and services until the planned
arrangements for verification of their conformity have been
satisfactorily completed, unless approved by a relevant authority
or the customer. Your documentation should also show that these
approvals are coming from the person authorizing these products’
and services’ release.

o Control of non-conforming process outputs, products and
services

o How do you identify and control process outputs, products, and
services that do not conform to requirements, and prevent their
being used or delivered?

o What appropriate corrective actions does your organization take
concerning nonconforming products and services? How do you
take into account the nature of the nonconformity and its effects
on the conformity of products and services?

o What do you do when nonconformities are discovered after a
product or service has already been delivered?

o When you find nonconforming process outputs, products, or
services, how do you
 Correct the problem?

 Segregate, contain, return, or suspend provision of
nonconforming products and services?

 Inform the customer?

 Obtain authorization for use as-is?

 Release, continue or re-provision the products and
services?

 Accept the nonconformities under concession?

o How do you verify conformance where process outputs, products
and services are corrected following nonconformance?

o What documented information do you keep regarding any actions
taken to address nonconformities, including any concessions
obtained and the person or authority who dealt with the issue? Be
prepared to show these documents.

     6. Performance Evaluation
 Monitoring, measurement, analysis, and evaluation

o How do you determine the following?

 What needs to be monitored and measured

 Methods for monitoring, measurement, analysis, and
evaluation to ensure valid results
 When to perform monitoring and measuring

 When results should be analyzed and evaluated

o Be prepared to provide documented information showing that you
have monitored and measured the performance of products and
services according to your determined requirements.

o How do you evaluate the quality performance and the
effectiveness of your QMS?

o Customer satisfaction

o How do you monitor customers’ perceptions of the degree to
which your requirements for quality have been met?

o How do you find out what customers think of your products and
services?

o How do you use this information?

o Analysis and evaluation

o How do you analyze and evaluate data and information arising
from monitoring, measurement, and other sources?

o How do you use analysis and evaluation results to

 Demonstrate that your products and services meet
requirements?

 Assess and enhance customer satisfaction?

 Ensure conformity and effectiveness of the QMS?

 Demonstrate that you have produced goods and provided
services according to your plans?

 Assess how well your process works?

 Assess the performance of your third-party providers?

 Determine the need or opportunities for improvements
within the QMS?

 Be prepared to show where and how you use the results of
your analyses and evaluations to inform management
review

o Internal audit

o Are you conducting internal audits at planned intervals? Do these
audits determine whether your QMS conforms to the requirements
of ISO 9001 and to the other requirements established by the
International Organization for Standardization?

o Do your records demonstrate whether your QMS is effectively
implemented and maintained?

o Be prepared to provide evidence that your audit programs
consider the quality objectives, importance of the processes,
customer feedback, changes affecting the organization, and the
results of previous audits.

o Where are the audit criteria and scope for each audit?
o Be prepared to show how your selection of auditors and the
conduct of audits are objective and impartial, and that auditors
don’t audit their own work.

o How are audit results reported to relevant management?

o Can you demonstrate that, in the event of negative findings, your
organization takes necessary corrective actions without undue
delay?

o Can you show documented information about the audit program
and the audit results?

o Management review

o How often does top management review your QMS? Under what
circumstances does it deem the QMS suitable, adequate, and
effective?

o What kinds of information do management reviews consider?
These must include

 The status of actions taken in response to previous reviews

 Changes to internal/external issues relevant to your QMS

 Issues that affect your organizational strategy

 Key performance indicators (KPIs) for nonconformities and
corrective actions

 Monitoring and measurement of results


 Audit results

 Customer satisfaction

 Issues concerning external providers

 Issues concerning other relevant parties

 Adequacy of resources and effectiveness of the QMS

 The performance of your processes

 The conformity of your products and services

 The actions you’ve taken to address risks and opportunities
and their effectiveness

 New potential opportunities for continual improvement

o Show that management reviews include decisions and actions
regarding

 Continual improvement opportunities

 The need for changes to the QMS including resource needs

o Be prepared to show your documented information as evidence of
management reviews.

     7. Improvement
 General
o How do you determine and select opportunities for improvement? 

o What actions have you taken to meet customer requirements and
enhance customer satisfaction?

o Be prepared to show how you have

 Improved processes to prevent nonconformities

 Improved products and services to meet known and
predicted requirements

 Improved QMS results

o Nonconformity and corrective action

o When nonconformities occur, how do you

 React

 Take action to control and correct them

 Deal with the consequences

 Evaluate what you need to do to ensure that the problem
does not recur or occur elsewhere

 Review the nonconformity

 Determine the cause of the nonconformity

 Determine whether similar nonconformities exist or could
occur
 Make sure the proper actions take place

 Review the effectiveness of corrective actions

 Make necessary changes to the QMS

o Be prepared to provide evidence that corrective actions were
appropriate

o Be prepared to provide evidence of 

 The nature of all nonconformities and your responses

 The results of corrective actions

o Continual improvement

o Demonstrate that you continually improve the suitability,
adequacy, and effectiveness of your QMS.

o Demonstrate that, as part of continual improvement, you use
analysis and evaluation results and the results from management
reviews to find areas of underperformance and opportunities that
need addressing.

o What tools and methodologies do you use to investigate the
causes of underperformance and to support continual
improvement?

‘Be Prepared’ Is a Must 


This comprehensive ISO 9001:2015 checklist will help you satisfy your auditor
that your process for producing products and providing services meets
customer and regulatory requirements.  

Remember: The ISO 9001 standard doesn’t govern the development of
products or delivery of services per se, but rather the processes for
establishing and maintaining those products’ and services’ performance.

When your enterprise can prove that it follows the ISO 9001 requirements, it
will receive ISO 9001 certification — a must for doing business in today’s
competitive environment.

Get Help if You Need It

There is no way to self-assess for the ISO 9001 standard. A qualified
professional must audit your organization’s compliance. Nor can you rest on
your laurels once you achieve certification: you’ll need to recertify every
several years.

As you can see from this checklist, ISO 9001 is a lengthy, complicated
standard. Most companies use a governance, risk, and compliance (GRC)
solution to help them comply.

Some of the world’s leading enterprises use ZenGRC for their risk
management and compliance needs.

They like Zen’s user-friendly, color-coded dashboards telling them in real time
where they’re in compliance, where they fall short, and how to fill gaps.

They like how Zen tracks and manages workflows, and our ZenConnect
plug-in’s ability to integrate our solution with any other business solution
they use. They appreciate Zen’s vendor risk management features, the
unlimited self-audits it conducts for them, and the “single source of truth”
repository where all compliance and risk management documentation is
stored for easy retrieval come audit time.
