ISO 9001:2015 TRANSITION GUIDE

Instructions For Use

This document is intended to help organisations to manage the transition between ISO 9001:2008 and ISO 9001:2015, or, it can be used to
assist an organisation looking to implement a quality management system from the start.

It is not the standard – you will also need a copy of the standard because the information given under the column significant requirements, has
been paraphrased, not copied. ISO 9001:2015 is a copyrighted document and as such cannot be reproduced in full.

The suggested actions column is designed to help an organisation to decide what they need to do with their existing system in order to bring it in
line with the 2015 version of the standard. Not knowing what your existing system looks like, makes it difficult to be specific but I hope there will
be a few ideas that may help you.

www.cpatraining.co.uk

ISO 9001:2015 Transition Guide V2 Copyright CPA Page 1 of 12

 ISO 9001:2008 Cross Reference
ISO
and the significant Suggested Actions
9001:2015 Comments
requirements from the 2015
Clause
standard

4.1
You will need to write this
Understanding down somewhere (the
the organisation New requirement quality manual is an option)
What do you do as an organisation? Do you
and its context so that others can read it
manufacture products, are you a service
Identify internal and external issues and understand a bit about
organisation, etc. What are the key factors that
that are relevant to your ability to you and your business.
impact on you as a business? Is it customers,
achieve intended results – include Your strengths and
new product development, legislation,
future monitoring of these issues weaknesses. In fact, it is a
overseas influence, cost of raw materials?
good idea to do a SWOT
analysis or something
similar.

4.2
New requirement
As above, you need to
Understanding You need to identify which organisations, personalise this and
Identify interested parties that are
the needs and groups of people, regulatory bodies, etc. affect document it. Don’t forget,
relevant to and/or support the
expectations of what you do. This could include employees, things change so you will
strategic direction of your
interested customers, neighbouring businesses, and need to do this more than
organisation – include future
parties society in general. once – why not at
monitoring of these parties
management review?

4.3
4.2.2
The scope can be important
Determining the This is not new to 9001:2015 but it has been as it tells others what
The scope of the QMS must be
scope of the formalised. Clearly, 4.1 & 4.2 will have an activities you are certificated
defined – taking into account 4.1 &
quality effect on the scope. It is quite likely that the for.
4.2 above.
management existing scope you have will remain unchanged If there are any clauses not
system but it is an opportunity to revisit it and amend if included in the system, you
The scope is to be available and
required. must explain why they are
any exclusions justified
not applicable.

ISO 9001:2015 Transition Guide V2 Page 2 of 12

 ISO 9001:2008 Cross Reference
ISO
and the significant
9001:2015
requirements from the 2015
Clause
standard
4.4 4.2
Quality The quality management system
management must be built around the processes
system and its of your organisation. The inputs and
processes outputs, sequence and interaction
are to be defined.
These processes must be
monitored and measured and
documented to the extent
necessary to support their
operation.
There must be documented
information available to provide
confidence that the processes are
being carried out as planned.
5.1
5.1, 5.2 & New requirement
Leadership and
commitment
Top management still required to
demonstrate their commitment to
the QMS, their focus on customer
satisfaction and now also their
ability to lead quality initiatives
ISO 9001:2015 Transition Guide V2
Suggested Actions
Comments
ISO 9001:2015 does not
Your QMS should be constructed around the require a documented
processes of your organisation – it always quality manual or
should have been, it makes more sense to do documented procedures.
so rather than slavishly following the clause However, it does require
numbers of the standard as many have done you to ‘provide confidence
previously. that processes are being
Get together with a few key people in the carried out as planned’.
organisation and sketch out a simple flowchart Ultimately, it will be your
which depicts the key stages of the business decision as to whether you
e.g. sales followed by design, then purchasing, keep the manual and
etc. procedures but you can
Then decide how you will control each of the expect more probing
processes identified. The most common questions from an auditor if
method used is to have documented they are not there as s/he
procedures, although these are no longer will need to seek other
mandated by ISO 9001. assurances regarding the
control of your processes.
You can expect the auditor
to want to talk to top
The new element here is leadership. Top
management more than
management must demonstrate that they are
was previously the case.
‘on board’ and involved in leading the activities
S/he will want to hear from
required by the standard such as attending
top management their views
management review, dealing with quality
on quality and why the
issues at a senior level, supporting the quality
policy says what it does and
manager when required.
how that translates into day
to day actions.
Page 3 of 12
 ISO 9001:2008 Cross Reference
ISO
and the significant Suggested Actions
9001:2015 Comments
requirements from the 2015
Clause
standard

5.2
These changes shouldn’t
5.3
Quality policy cause much of a problem
This requirement is very similar to the previous but it raises the question “do
Policy to be appropriate to the
version except that it requires the policy to we know the strategic
purpose and context of the
support the ‘strategic direction’ of the direction of the
organisation and to support the
company. It also requires the policy to be organisation?” If there is a
strategic direction of the company. It
communicated and understood internally and business plan, however
must also be communicated
available to external parties as required. simple, it could be
demonstrated that it
supports the quality policy.

5.3
5.5
Job descriptions are still not
Organisational mandatory but they an
Top management to define roles, No significant differences here, the
roles, example of how roles and
responsibilities and authorities – requirement for a specific management
responsibilities responsibilities could be
specifically the responsibilities for representative has gone but the activities that
and authorities defined. As are procedures
maintaining the QMS were required of him/her are still there.
which allocate specific tasks
to nominated people.

6.1 It may be that the

introduction of a risk register
New Requirement
Actions to This is one of the big changes in the standard. could help – identify the
address risks It brings in the concept of risk and risks (remember the SWOT
When developing the QMS, risks to
and opportunities. It does not state that risk analysis from earlier?) and
not achieving objectives must be
opportunities assessments need to be conducted – this may record each identified risk.
identified and plans put into place
or may not help. It is hard to conceive that You can then decide how to
accordingly – i.e. what problems or
businesses do not consider risk e.g. taking on manage the risk e.g. reduce
mistakes might occur, what impact
a new type of work or buying a new piece of it, accept it and identify who
could they have and how can they
equipment. The difference is that there should is ultimately responsible for
be avoided. To include actions
be some evidence of this risk management these risks. Don’t forget to
required following changes
process. analyse the risks ready for
management review later.

ISO 9001:2015 Transition Guide V2 Page 4 of 12

 ISO 9001:2008 Cross Reference
ISO
and the significant Suggested Actions
9001:2015 Comments
requirements from the 2015
Clause
standard

6.2

Quality To be of use, objectives

objectives and 5.4.1
planning to
achieve them
Quality objectives are needed to
support the policy which is aligned
with the strategic direction of the
organisation.
There must be a plan in place for
how objectives will be achieved
really need to be SMART
(look it up on the web).
This is little different than before but the
They need to complement
worthiness of the objectives may be
the quality policy and they
challenged more. It is unlikely that objectives
need to be evaluated and
such as ‘retain certification to ISO 9001’ will be
amended as necessary.
acceptable.
See here for more
There also must be a plan to achieve the
information
objectives.
http://www.cpatraining.co.uk
/files/download/80

6.3 5.4.2
There is no real change here, just apply the
Planning of When changes occur, they must be No comment
risk management concept to any changes that
changes planned and consideration given to
are planned in order to better manage the
the potential consequences of those
changes.
changes

7.1.1/7.1.2 6.1
The only change here is the addition of People
Resources Resource needs to be determined No comment
as a resource.
and provided, including people

7.1.3 – 7.1.4 6.3, 6.4

Resources The infrastructure and environment

(Infrastructure determined, provided and A slight change in wording but no change to No comment
and maintained to ensure that they the requirements
Environment) support the operation of the
processes

ISO 9001:2015 Transition Guide V2 Page 5 of 12

 ISO 9001:2008 Cross Reference
ISO
and the significant Suggested Actions
9001:2015 Comments
requirements from the 2015
Clause
standard

7.1.5 7.6
This is what was previously under control of
Monitoring and Any measuring equipment used to
monitoring and measuring equipment – or
measuring determine conformity with
calibration as we often know it. No significant
resources requirements to be calibrated. No comment
changes again, just measurement traceability
Where applicable, measurements to
has been separated out, suggesting that it may
be traceable to International of
not always be necessary.
National standards

7.1.6 New Requirement This is a completely new requirement and it A responsibility matrix
relates to how the organisation would deal with would help – list the roles
Organisational Establish the knowledge needed to the loss of key resources (people). It could tie on 1 axis and the people on
knowledge operate the processes in order to in with ‘succession planning’ and also the other. This should help
achieve requirements and satisfy ‘business continuity’ planning. Access to identify where you have
customers – consider succession suitable resource could come from external cover and where you do
planning sources e.g. temporary workers. not.

7.2 A robust but simple

6.2
Competence
Ensure that competence needs are
identified and that people
performing tasks are competent
A small change in that they have dropped the mechanism should be
word ‘training’ and simply state that people developed and implemented
must be competent to do the work they are to ensure that people are
assigned. able to fulfil the duties
Good records of what competencies people expected of them.
have achieved are essential, especially if there Competence can be judged
are no documented procedures or work by another competent
instructions. person.

7.3 6.2.2 This can be easily achieved

Awareness Ensure that people are aware of the
quality policy and objectives and of
the implications of conforming/not
conforming with the quality
management system
via ‘toolbox talks’ or
briefings for existing staff
This is not strictly new but it has been included and via inductions for new
as a separate topic, which makes it more staff. Don’t forget to ‘top it
obvious. up’ from time to time –
people forget.

ISO 9001:2015 Transition Guide V2 Page 6 of 12

 ISO 9001:2008 Cross Reference
ISO
and the significant Suggested Actions
9001:2015 Comments
requirements from the 2015
Clause
standard

7.4 5.5.3 All that should be required

This has been expanded slightly, not only does is a strategy for
Communication Develop and implement a strategy it require internal communications, but also communications to pull
for both internal and external external communication with ‘relevant’ parties together all the meetings
communications e.g. customers, regulatory bodies, certification that are held and also keep
bodies, etc. evidence in one form or
another.
7.5 You will already have
4.2.3, 4.2.4 procedures for records and
There has long been confusion between
Documented documents because they
records and documents so the answer has
information Existing requirement to control were mandatory under the
been to put them in the same clause and call
documents and records has now 2008 version. Make a brief
them ‘documented information’ – there is very
been integrated into 1 clause check on them but it most
little different, though there is a bit of guidance
likely that you will have
to good practice when creating documents.
nothing to do on this one.

8.1 7.1 Most of what is needed will

Section 8 contains what was section 7 in 2008 already be in place apart
Operational Risks to achieving product/service – it follows a very similar path. Starting with the from formalising the
planning and conformance must be considered need to plan how production or service delivery consideration of risks – see
control as part of your planning of will be controlled but also including some 6.1 for discussion on a risk
operations element of consideration of risks which may register
prevent successful completion.

8.2 7.2 Apart from the inclusion of

risk management, there
This clause relates to finding out what the
Determination Organisation to have a process in should be no need for any
customer wants and evaluating our ability to
of requirements place to ensure that it can significant change in order
achieve their requirements. The sequence of
for products communicate with customers, to continue meeting the
the sub-clauses has changed but the content is
and services establish what their requirements requirements of this clause.
very similar. They include maintaining good
are and verify whether their needs
communications with customers, establishing
can be met.
the customer’s requirements, reviewing our
Risks to achieving product/service
ability to meet those requirements and
conformance must be considered
managing any changes to the requirements,
when determining and reviewing
especially once an order has been placed.
your customer requirements.

ISO 9001:2015 Transition Guide V2 Page 7 of 12

 ISO 9001:2008 Cross Reference
ISO
and the significant
9001:2015
requirements from the 2015
Clause
standard
8.3
Design and 7.3
development of
products and The design process must consider
services the risk and complexity of product or
service to be provided. Establish a
design plan and obtain the design
inputs, produce the outputs, review
to ensure the outputs meet the
inputs and verify that it meets
requirements. If required, validate
the design before use and control
any changes that may be made.
8.4 7.4
Control of Previously called purchasing and
externally depending on the criticality of what
provided is being outsourced, there is a
products and requirement to evaluate the
services capability of providers of products
and services. Adequate information
to be sent to the supplier and
products/services verified as
meeting requirements when
received
ISO 9001:2015 Transition Guide V2
Suggested Actions
Comments
Possibly the clause which causes more There should be very little to
concern than most others. The structure of the do for those who already
clause has been re-modelled a little but the have design procedures in
concepts are the same. First plan how the place. Those who have
design will evolve, take the inputs and produce previously claimed not to be
a draft design, including what methods will be involved in design when
used to control the design. The design outputs really they are, will need to
e.g. drawings/specifications/BOM’s can then get a system developed and
be reviewed and verified as being suitable (or implemented sooner rather
not, in which case it goes around the loop than later.
again). From there, the design can be verified
by tests or calculations or the use of models
and simulation for example. Consideration
should be given to validating the design in the
‘real world’ e.g. running a full scale
implementation and also consider how
changes to designs will be managed.
As long as you have a
decent purchasing process
in place now, you won’t
have to change much in
your system. You don’t
Once again, there has been a slight re-
have to send out
ordering of the clauses but in truth, there are
questionnaires to all of your
few changes to be found here. Once again,
suppliers – use ‘risk’ as the
risk should rear its head. Is it a critical product
driving factor i.e. high risk
or service?
products or services will
benefit from greater controls
Page 8 of 12
 ISO 9001:2008 Cross Reference
ISO
and the significant Suggested Actions
9001:2015 Comments
requirements from the 2015
Clause
standard

8.5.1 7.5
Make sure that you have methods of working
which give confidence that the product or
Control of Little change in this section. It No changes should be
service will be correct. This might include work
production and includes ensuring that operations necessary to meet this
instructions or job cards etc., providing
service are carried out ‘under controlled clause.
additional information on how to carry out a
provision conditions’ and where the outcomes
task. This should dovetail well with your
cannot be inspected or tested fully,
system for ensuring people are competent too.
the processes and equipment and
people need to be validated.
Identification and traceability are both
unchanged – traceability is only required where
8.5.2 Other sub-clauses include the No changes should be
it is a stated requirement – typically this might
identification of items at all stages necessary to meet this
be a legal requirement as in food production or
and if applicable, batch traceability. clause.
a customer requirement.

Anything you get from your customers or

8.5.3 The control of property belonging to
suppliers which belongs to them e.g. the
the customer or other body.
customer might supply you with a plastic mould
No changes should be
tool to be used to make some products for
necessary to meet this
them. You are required to verify this is correct
clause.
and if anything happens to it e.g. you damage
it, you need to report it to the customer.
8.5.4 Preservation - Maintaining the As with most of these
Preservation of product is the same as
condition of items with specific requirements, they will vary
previously.
needs e.g. temperature, handling, for each type of
etc. organisation but will most
This is new and refers to the need to ensure
likely already be in the
that any services required after delivery must
8.5.5 The provision of post-delivery system.
also be controlled. This might include warranty
activities such as warranty provision
services or maintenance provision.
8.5.6 New requirement Make sure that your
processing systems
Control of changes is a new clause but is quite
Control of changes – ensuring that if properly include how
straight forward in that it calls for the
processes are changed for any changes will be managed
organisation to manage any changes to the
reason, they will be authorised and with the minimum disruption
production/delivery of service process.
checked to verify that requirements to supply of product or
are still being met service

ISO 9001:2015 Transition Guide V2 Page 9 of 12

 ISO 9001:2008 Cross Reference
ISO
and the significant
9001:2015
requirements from the 2015
Clause
standard
8.6 8.2.4
Release of As a final check, there must be
products and planned arrangements for product
services release and who is authorised to do
so. This should be linked to risk
identification i.e. based upon likely
consequences if failures do occur
8.7 8.3
Control of Segregation and containment are
nonconforming now options for addressing
outputs nonconforming outputs and there is
more detail regarding the records to
be kept regarding nonconformities
9.1 8.1, 8.2.1, 8.4
Monitoring, Requirement to review and analyse
measurement, feedback from customers,
analysis and nonconformities and other sources
evaluation of information to determine how well
the QMS is working.
There should be some linkage
between risk identification to what
needs to be measured and
monitored and then evidence that
this data is not just being collected
but also evaluated.
ISO 9001:2015 Transition Guide V2
Suggested Actions
Comments
Ultimately, someone has to
This is not new but there appears to be a
take the responsibility for
greater emphasis on the control required to
saying that the products
make sure that only good products are shipped
and/or services are ready to
and only the correct services are delivered.
go.
Your existing NC system
Slight changes in the wording but still requires
should work fine with the
detailed control over the handling of products
new standard – but only if
or services that don’t meet the specification
you use it! Perhaps start by
laid down for them. There is more detail
documenting some of the
required when it comes to completing the
larger problems you have
documentation following discovery of a
and then spread out to the
nonconformity but it is still the same concept.
rest of the system.
This clause is a step forward from the old 8.2.1
as it now tells us that we must monitor and Don’t make it too
measure specific things, not just say that we complicated but do take
will do them. The information gathered can be advantage of the data that a
analysed and used as inputs to the well functioning system can
management review. produce. Don’t do it just for
the sake of it – this can
As previously, use risk as a tool to assist when really help your business to
deciding what your organisation needs to run better.
improve on – all companies are different.
Page 10 of 12
 ISO 9001:2008 Cross Reference
ISO
and the significant
9001:2015
requirements from the 2015
Clause
standard
9.2 8.2.2, 8.2.3
Internal audit Almost no change in the
requirement to conduct internal
audits. Schedule of audits to
consider the risks involved and
there needs to be evidence
recorded of what was seen during
audits
9.3 5.6
Management Still requires a management review
review to be performed but there is a more
comprehensive list of topics to be
discussed now – linked to risk and
to internal and external issues (4.1
& 4.2)
10.1
Improvement -
General
8.5.1
Still a requirement to seek
improvements but there is more
information regarding what should
be considered for improvement e.g.
products, processes, systems.
ISO 9001:2015 Transition Guide V2
Suggested Actions
Comments
Keep on conducting internal audits on your Why not consider an auditor
system – record what you see – including the refresher course for your
evidence you collect. Develop a programme for internal auditors? If audits
the audits based on risk factors – not just must be done, get
alphabetically or numerically. something out of them.
A good management review process is vital if
Re-visit your agenda, the
your QMS is to be effective. We now need to
new standard requires more
see the involvement of senior management
topics to be included. Make
more than ever before (see Leadership) and
sure senior management
make sure that you produce outputs from the
are present and produce
reviews or it is simply a ‘talking shop’.
outpts.
The key tools for helping
improvements to take place
include setting meaningful
objectives, performing
internal audits with an eye
Improvements will rarely happen of their own on effectiveness as well as
accord, they need to be managed. It is a good compliance, dealing well
idea to have a strategy for how improvements with complaints and
can happen – it does not have to have a nonconformities and using
documented procedure but feel free if you wish management reviews to
to do so, highlight where changes
can be made for the
improvement of products,
services, processes and
systems.
Page 11 of 12
 ISO 9001:2008 Cross Reference
ISO
and the significant Suggested Actions
9001:2015 Comments
requirements from the 2015
Clause
standard

10.2 8.5.2

Nonconformity Nonconformity has been moved into Your existing procedure

and corrective the same clause as corrective
action action because they are strongly
linked together.
There is more detail regarding the
methods used to ensure actions
taken are effective in removing the
root causes of nonconformities
No great changes here but there is more detail
regarding the differences between correction
and corrective action. The clause details the
stages in dealing with an NC, through to its
conclusion and once again, risk is part of the
process.
should be a good start point
for this but is likely that most
organisations will need to
enhance it a little in order to
satisfy the added elements
of the clause.

10.3 8.5.1
No real changes here but it does refer to other As long as you are
Continual Whilst the wording has changed, monitoring and measuring activities which can participating in improvement
improvement the requirement to seek continual be used to generate data and this can be programmes there should
improvement remains analysed to determine how well or not be little or nothing else to
processes are working. add.

ISO 9001:2015 Transition Guide V2 Page 12 of 12