ISO 9001 Lead Auditor en v.9.0 - Day 1


© Professional Evaluation and Certification Board, 2022. All rights reserved.

Version 9.0
Document number: QMSLAD1V9.0
Documents provided to participants are strictly reserved for training purposes. No part of these documents may
be published, distributed, posted on the internet or an intranet, extracted, or reproduced in any form or by any
means, electronic or mechanical, including photocopying, without prior written permission from PECB.

Licensed to Yone Smith James (yonesmithjames@yahoo.com)


©Copyrighted material PECB®. Single user license only, copying and networking prohibited. Downloaded: 2024-06-10
Day 1: Introduction to the quality management system (QMS) and ISO 9001
Section 1: Training course objectives and structure
Section 2: Overview of ISO, management systems, and ISO 9000 family
Section 3: Certification process
Section 4: Fundamental concepts and principles of quality management
Section 5: ISO 9001 requirements for a QMS – Clauses 4 to 10
Day 2: Audit principles and the preparation for and initiation of an audit
Section 6: Fundamental audit concepts and principles
Section 7: The impact of trends and technology in auditing
Section 8: Evidence-based auditing
Section 9: Risk-based auditing
Section 10: Initiation of the audit process
Section 11: Stage 1 audit
Day 3: On-site audit activities
Section 12: Preparing for stage 2 audit
Section 13: Stage 2 audit
Section 14: Communication during the audit
Section 15: Audit procedures
Section 16: Creating audit test plans

Day 4: Closing of the audit
Section 17: Drafting audit findings and nonconformity reports
Section 18: Audit documentation and quality review
Section 19: Closing of the audit
Section 20: Evaluation of action plans by the auditor
Section 21: Beyond the initial audit
Section 22: Managing an internal audit program
Section 23: Closing of the training course
Day 5: Certification exam
In order to optimize the learning experience, PECB recommends scheduling two short breaks (15 minutes) and a
lunch break (one hour) per training day. The timing of the breaks can be adjusted accordingly.

Other references cited in this training course:
ISO/TS 9002:2016, Quality management systems — Guidelines for the application of ISO 9001:2015
ISO 31000:2018, Risk management — Guidelines
ISO/IEC 17024:2012, Conformity assessment — General requirements for bodies operating certification of
persons
ISO/IEC 17065:2012, Conformity assessment — Requirements for bodies certifying products, processes
and services
ISO/IEC 27006:2015, Information technology — Security techniques — Requirements for bodies providing
audit and certification of information security management systems
ISO/IEC Directives, Part 1: 2019, Procedures for the technical work

Other acronyms used throughout this training course:
AICPA: American Institute of Certified Public Accountants
ANAB: The ANSI National Accreditation Board
ANSI: American National Standards Institute
ASCII: American Standard Code for Information Interchange
BELAC: Belgian Accreditation Body
BS: British Standard
BSI: British Standards Institute
CAATs: Computer Assisted Audit Techniques
COFRAC: Comité Français d’Accréditation
DAkkS: Deutsche Akkreditierungsstelle
DNV: Det Norske Veritas
EA: European co-operation for Accreditation
ENAC: Entidad Nacional de Acreditación
GAAS: Generally Accepted Auditing Standards
HLS: High-Level Structure
IAF: International Accreditation Forum
IAS: International Accreditation Service

IFAC: International Federation of Accountants
IIA: Institute of Internal Auditors
MS: Management System
MSS: Management System Standard
NCR: Nonconformity Report
NGO: Non-governmental Organization
OECD: Organisation for Economic Co-operation and Development
PIMS: Privacy Information Management System
SAS: Swiss Accreditation Services
SQL: Structured Query Language
TC: Technical Committee
TQM: Total Quality Management

Note on Terminology Used
The terminology used throughout this training course is based on the following standards: ISO 19011:2018,
ISO/IEC 17021-1:2015, and ISO 9001:2015.
In this training course, we have strived to bring together the best practices from several international standards.
Practitioners of this field sometimes use different terminology or can use the same or similar terminology to mean
different things.
The meaning of a word or specific term depends on the context. Therefore, please pay attention to the context in
which terms are used, along with their standard reference.
For example:
“Documented information” is the term that has replaced the terms documents and records in the revised
management system standards which are based on the high-level structure (HLS) of the Annex L format. This
term is defined as “information required to be controlled and maintained by an organization and the medium on
which it is contained.”
Therefore, according to ISO
(https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/documented_information.pdf), documented
information can refer to:
1. Documented information that should be maintained (e.g., policies, procedures)
2. Documented information that should be retained (e.g., records)
In particular instances throughout this training course, we may speak of records without referring to them as
“documented information.” The presentation of the ISO clauses is an example of such an approach:
ISO 19011, clause 5.5.7 Managing and maintaining audit programme records
The individual(s) managing the audit programme should ensure that audit records are generated, managed and
maintained to demonstrate the implementation of the audit programme. Processes should be established to
ensure that any information security and confidentiality needs associated with the audit records are addressed.

This section presents the objectives of the training course and its structure, including the examination and
certification process and the importance of being a certified auditor.

To break the ice, trainer(s) and participants introduce themselves by stating their:
Name
Current position
Knowledge and experience regarding quality management
Knowledge and experience regarding ISO 9001 and other related standards (ISO 9000, ISO 9004, ISO
10004, ISO 10005, etc.)
Knowledge and experience regarding auditing practices
Training course expectations

PECB helps professionals show commitment and competence by providing them with valuable education,
evaluation, and certification against internationally recognized standards.
Our principal objectives and activities are:
1. Establishing the minimum requirements necessary to certify professionals
2. Reviewing and verifying the qualifications of applicants for eligibility to be considered for the certification
evaluation
3. Developing and maintaining reliable, valid, and current certification evaluations
4. Granting certificates to qualified candidates, maintaining records, and publishing a directory of the holders
of valid certificates
5. Establishing requirements for the periodic renewal of certification and determining compliance with those
requirements
6. Ascertaining that our clients meet ethical standards in their professional practice
7. Representing its members, where appropriate, in matters of common interest

All should be aware of the exit doors in the facility in case any emergency arises.
All should agree on the training course schedule. All should arrive on time.
All should set their smartphones on silent or vibrate mode (if you need to take a call, please do so outside
the classroom).
Recording devices are prohibited because they restrict free discussions.
All sessions are designed to encourage participants to interact and take the most out of the training course.
Customer Service
To ensure customer satisfaction and continual improvement, PECB Customer Service has established a support
ticket system for handling complaints.
In case of inconvenience, we invite you to discuss the situation with the trainer first. If necessary, do not hesitate
to contact the head of the training organization where you are registered. In all cases, we remain at your disposal
to arbitrate any dispute that may arise between you and the training organization.
To send comments, questions, or complaints, please open a support ticket on the PECB website, at the PECB
Help Center (https://pecb.com/help).
In case of dissatisfaction with the training (trainer, training room, equipment, etc.), the examination, or the
certification processes, please open a ticket under the “Make a complaint” category on the PECB Help Center
(https://pecb.com/help).
If you have suggestions for improving PECB’s training course materials, we are willing to read and evaluate your
feedback. You can do so directly from our KATE application or you can open a ticket directed to the Training
Development Department on the PECB Help Center (https://pecb.com/help).

This training course is intended to help participants strengthen their knowledge and skills which will help them in
auditing a quality management system. From an educational perspective, competence consists of the following
three elements:
1. Knowledge
2. Skill
3. Behavior (attitude)
Several exercises will allow participants to strengthen their personal skills which are necessary to conduct audit
activities, such as decision-making, teamwork, presentation, and report-writing skills. The case study and
discussions simulate real-life situations.
Important note: The PECB Certified ISO 9001 Lead Auditor training course is intended for both internal
and external auditors. The necessary competencies of auditors and the audit techniques used are common to
all types of audits. The characteristics of the different types of audits will be explained during this training course.
Internal audits will be discussed in a dedicated section of Day 4.
The objective of this training course is to help participants acquire knowledge on audit techniques, not acquire
expertise in quality management. However, basic knowledge of quality management concepts is necessary for
the successful completion of this training course.
If participants wish to obtain in-depth knowledge on the implementation and the management of a QMS, we
recommend that they take the PECB Certified ISO 9001 Lead Implementer training course.

To successfully complete this training course, two factors are crucial:
Trainer instructions
Participant involvement
Interaction by means of questions and suggestions is highly encouraged. Participants can best contribute to the
training course by partaking in exercises, case studies, and discussions. Participants are also advised to take
personal notes.
Quizzes, in particular, are important since they help participants prepare for the certification exam.
Remember: This training course is yours; you are the main contributor to its success.
In addition to the training course materials, PECB also offers free content to help trainees get additional
information and stay updated. Such free materials include:
Articles
Whitepapers
InfoKits
Magazine
Webinars

ISO 19011 provides guidance on auditing management systems, including the principles of auditing, managing
an audit program, and conducting management system audits, as well as guidance on the evaluation of
competence of individuals involved in the audit process. It applies to all organizations that wish to conduct
internal and external audits.
Source: https://www.iso.org
International Federation of Accountants (IFAC) is a global organization for accounting. It operates in more
than 130 countries with over 175 members and associates to protect public interest by encouraging the use of the
best practices in accounting. Standards developed by the IFAC provide guidance in the following fields: audit,
insurance, control, and services related to quality, training, ethics, and accounting.
Source: https://www.ifac.org/
The Institute of Internal Auditors (IIA) is a global organization that advocates, educates, and connects internal
auditors worldwide. It also develops international guidance almost exclusively for internal audits. This guidance is
based on careful analysis, consultations, and the fundamental principles concerning the performance of internal
audit services by members of the IIA.
Source: https://na.theiia.org/
Generally Accepted Auditing Standards (GAAS) are auditing standards developed by the AICPA (American
Institute of Certified Public Accountants), including general standards, standards by activity sector, and report
standards with interpretations.
Source: https://www.aicpa.org/

The purpose of the certification exam is to evaluate whether candidates have grasped the audit concepts and
techniques so that they are able to plan and manage an audit program and lead a team of auditors.
The PECB Examination Committee ensures that the exam questions are adequate and based on professional
practice.
All competency domains are covered in the exam. To read a detailed description of each competency domain,
please visit the PECB website.

Individuals who do not meet all the prerequisites for certification cannot claim to be PECB ISO 9001 Lead
Auditor-certified.
A less experienced candidate can apply for and obtain the “PECB Certified ISO 9001 Auditor” credential or
“PECB Certified ISO 9001 Provisional Auditor” credential.
PECB certifications are valid for three years. In order to maintain and renew a certification, PECB certified
professionals must comply with certain requirements.
The certification process, including its maintenance and renewal, will be explained in detail on the last day of this
training course.

After passing the exam, candidates have a maximum period of three years to apply for the respective credential.

Important note:
Only a certification body accredited under ISO/IEC 17024 ensures international recognition. It is important to
validate the status of a certification body with the associated accreditation authority such as UKAS, IAS, or ANSI.
For further information regarding the accreditation of PECB, please visit: https://pecb.com/en/affiliations.

Certification is a formal recognition of your professional competence to perform job-related responsibilities.
An internationally recognized certification can help you maximize your career potential and reach your
professional goals.
Research shows that certified auditors earn considerably higher salaries than noncertified auditors.

This section introduces the International Organization for Standardization (ISO) and provides a detailed
explanation of management systems as well as a definition of a quality management system. It provides a
summary on the development of ISO 9001 and elaborates on the ISO 9000 family of standards and other
standards related to quality management. In addition, the benefits that organizations can obtain by implementing
a QMS based on ISO 9001 are also discussed. Lastly, an explanation of the common misconceptions about ISO
9001 is also provided.

ISO applies the following principles when developing international standards:
1. ISO standards respond to a need in the market.
ISO only develops standards for which a market demand exists, as a response to formal requests from industry
sectors or stakeholders (e.g., consumer groups). Typically, the request for a standard is communicated to
national members who then contact ISO.
2. ISO standards are based on global expert opinion.
ISO standards are developed by various technical committees (TCs) with experts from all over the world. These
experts negotiate all aspects of the standard, including its scope, key definitions, and content.
3. ISO standards are developed through a multi-stakeholder process.
The technical committees consist of experts from relevant industries, but also from consumer associations,
academia, NGOs, and governments.
4. ISO standards are based on consensus.
The development of ISO standards is based on a consensus approach, and comments from all stakeholders are
taken into account. All ISO country members, regardless of the size or strength of the economy, are on the same
footing in terms of their influence in standard development.
For more information, please visit: https://www.iso.org.

ISO/IEC Directives (Part 1), clause 3.4 (cont’d)
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning and
operation.
Note 3 to entry: The scope of a management system can include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
Organizations implement management systems to improve their operations and enhance their business
performance, while also increasing customer satisfaction. An organization may have several management
systems in place, such as a quality management system, information security management system, business
continuity management system, etc.
Note: What is implemented must be controlled and measured, and what is controlled and measured must
be managed. The “Performance evaluation” clause is an essential component of any management system
because without the evaluation of the effectiveness of processes and controls in place, it is impossible to check if
the organization has reached its objectives.

ISO publications range from traditional activities, such as agriculture and construction, to the most recent
developments in information technologies, such as the digital coding of audiovisual signals for multimedia
applications.
ISO 9000 and ISO 14000 families of standards are among the best known. ISO 9001 has become an
international reference with regard to quality. ISO 14001, on the other hand, helps organizations enhance their
environmental performance. Both standards are generic and applicable to any organization, regardless of size or
complexity of processes.
For detailed information on each standard, please visit https://pecb.com or https://www.iso.org.
If you would like to purchase any of the standards, PECB offers discounted prices to all trainees that purchase
them via PECB Store.

As organizations manage several management systems simultaneously, it is recommended to implement an
integrated management system (IMS). An IMS is a management system which integrates all the components of
a business into a coherent system so as to enable the achievement of its purpose and mission. The table on the
slide presents the requirements that are common to all management systems which allow for integration.
There are several good reasons for integration, including to:
Harmonize and optimize practices
Formalize informal systems
Reduce duplication and therefore costs
Reduce risks and increase profitability
Shift focus toward achieving business goals
Create and maintain consistency
Improve communication

1979
The first quality assurance standard was published by the British Standards Institute (BSI) in 1979. This
standard was developed for the electronics industry and was named BS 9000.
BS 5750 was created to avoid the problems that the British munition industry was experiencing during
World War II.
This standard was developed to address the issues in the munition industry because there were many
cases of bomb explosions during assembly. Factories were required to document all their manufacturing
processes and prove that they had a recordkeeping procedure in place and that the procedure was being
followed.
1987
In 1987, ISO published the first edition of ISO 9000 based on BS 5750. The new ISO standard kept the
same structure as BS 5750, with three “models” for quality assurance, and they are selected based on the
organization’s scope of activities.
ISO 9001:1987 was aimed at organizations involved in the creation of new products. The standard set the
model for quality assurance in design, development, production, installation, and servicing.
ISO 9002:1987 was similar to ISO 9001, but did not include the creation of new products.
ISO 9003:1987 was used only as a guideline to inspect the finished products without taking into
consideration the production process.
1994
ISO 9000:1994 did not only focus on finished products but also on quality assurance via preventive actions.
Similar to the old version, the new version required evidence of compliance with documented procedures.

2000
The ISO 9001:2000 version was a combination of ISO 9001, ISO 9002, and ISO 9003. The new version
introduced the concept of “process management,” focusing on monitoring and optimizing all activities of an
organization rather than only inspecting the final product.
In order for the quality objectives to be aligned with the business objectives, ISO 9001:2000 required
involvement of the top management.
Another thing that was added in the new version of the standard was the numerical measurement of the
effectiveness of the business activities. In addition, continual improvement process and tracking customer
satisfaction were evident in ISO 9001:2000.
2008
A revision of ISO 9001:2000 was published in 2008. No changes were made to the numbering system, which
made the new version very similar to the old one. However, some requirements were added and
some others were modified.
Taking into consideration that organizations need a specific period of time to transition to the new version,
they were given that amount of time as with the release of previous versions.
2015
ISO published the new version, ISO 9001:2015.
The new version had a different structure, as part of ISO’s work of unifying all Management System
Standards (MSS).
The new version of the standard provides specific requirements for the process approach in adopting ISO
9001.
The preventive action procedure has been replaced by the risk-based approach, which requires that
organizations address risks but does not determine the assessment methodology.
Changes were also made to the quality management principles, new clauses were added, and the old
ones were modified.

Standards of each category that are derived from ISO 9001 will be explained in the following slides.

ISO 9000, clause 1 Scope
This International Standard describes the fundamental concepts and principles of quality management which are
universally applicable to the following:
organizations seeking sustained success through the implementation of a quality management system;
customers seeking confidence in an organization’s ability to consistently provide products and services
conforming to their requirements;
organizations seeking confidence in their supply chain that product and service requirements will be met;
organizations and interested parties seeking to improve communication through a common understanding
of the vocabulary used in quality management;
organizations performing conformity assessments against the requirements of ISO 9001;
providers of training, assessment or advice in quality management;
developers of related standards.
This International Standard specifies the terms and definitions that apply to all quality management and quality
management system standards developed by ISO/TC 176.

ISO 9001, clause 1 Scope
This International Standard specifies requirements for a quality management system when an organization:
a. needs to demonstrate its ability to consistently provide products and services that meet customer and
applicable statutory and regulatory requirements, and
b. aims to enhance customer satisfaction through the effective application of the system, including processes
for improvement of the system and the assurance of conformity to customer and applicable statutory and
regulatory requirements.
All the requirements of this International Standard are generic and are intended to be applicable to any
organization, regardless of its type or size, or the products and services it provides.
NOTE 1 In this International Standard, the terms “product” or “service” only apply to products and services
intended for, or required by, a customer.
NOTE 2 Statutory and regulatory requirements can be expressed as legal requirements.

ISO/TS 9002, clause 1 Scope
This document provides guidance on the intent of the requirements in ISO 9001:2015, with examples of possible
steps an organization can take to meet the requirements. It does not add to, subtract from, or in any way modify
those requirements.
This document does not prescribe mandatory approaches to implementation, or provide any preferred method of
interpretation.

ISO 9004, clause 1 Scope
This document gives guidelines for enhancing an organization’s ability to achieve sustained success. This
guidance is consistent with the quality management principles given in ISO 9000:2015.
This document provides a self-assessment tool to review the extent to which the organization has adopted the
concepts in this document.
This document is applicable to any organization, regardless of its size, type and activity.

ISO has a range of other standards for QMS that are based on ISO 9001 and adapted to specific sectors and
industries, such as:
ISO 13485 specifies requirements for a quality management system where an organization needs to
demonstrate its ability to provide medical devices and related services that consistently meet customer and
applicable regulatory requirements.
ISO/TS 54001 specifies requirements for a quality management system when an organization needs to
demonstrate its ability to consistently provide products and services that meet customer and applicable
statutory and regulatory requirements, and aims to enhance customer satisfaction through the effective
application of the system, including processes for improvement of the system and the assurance of
conformity to customer and applicable statutory and regulatory requirements.
ISO 18091 specifies requirements for a quality management system when an organization needs to
demonstrate its ability to consistently provide products and services that meet customer and applicable
statutory and regulatory requirements, and aims to enhance customer satisfaction through the effective
application of the system, including processes for improvement of the system and the assurance of
conformity to customer and applicable statutory and regulatory requirements.
ISO/TS 22163 specifies requirements for a quality management system when an organization needs to
demonstrate its ability to consistently provide products and services that meet customer and applicable
statutory and regulatory requirements, and aims to enhance customer satisfaction through the effective
application of the system, including processes for improvement of the system and the assurance of
conformity to customer and applicable statutory and regulatory requirements.
ISO 29001 defines quality management system requirements for product and service supply organizations
to the petroleum, petrochemical and natural gas industries.
ISO/IEC/IEEE 90003 provides guidance for organizations in the application of ISO 9001 to the acquisition,
supply, development, operation and maintenance of computer software and related support services. It
does not add to or otherwise change the requirements of ISO 9001.
Source: https://www.iso.org.

ISO 9001, clause 0.1 General
The adoption of a quality management system is a strategic decision for an organization that can help to improve
its overall performance and provide a sound basis for sustainable development initiatives.
The potential benefits to an organization of implementing a quality management system based on this International
Standard are:
a. the ability to consistently provide products and services that meet customer and applicable statutory and
regulatory requirements;
b. facilitating opportunities to enhance customer satisfaction;
c. addressing risks and opportunities associated with its context and objectives;
d. the ability to demonstrate conformity to specified quality management system requirements.

1. ISO 9001 is designed for the way organizations worked in the 1990s: ISO 9001 has been around for
many years, but it is regularly updated to remain relevant to the ever-evolving business environment.
Updates have been made based on feedback, industry trends, and worldwide demand changes. The latest
version of the standard focuses on stakeholders and the wider context of an organization in order to fulfill
the needs and requirements of the modern business environment. Therefore, ISO 9001 is designed to be used
by different types of organizations.
2. Implementing and maintaining a QMS based on ISO 9001 is a complex task: At first glance, ISO 9001
might seem a bit complicated. However, the ideas behind the standard are actually quite simple. The
quality management principles presented in the standard are the foundation of a QMS. In addition, there
are a lot of support and information-based documents available from ISO members, groups of experts, or
the ISO website itself.
3. ISO 9001 is mainly applicable to large organizations: ISO 9001 is designed to be generic and flexible,
and can be used by any organization, regardless of size or type. Even though small organizations might
not have staff or a separate department dedicated to quality, they can still benefit from the implementation
of a QMS. In addition, Technical Committee ISO/TC 176 has published a document “ISO 9001:2015 for
Small Enterprises. What to do?” providing tips for small organizations interested in implementing a QMS
based on ISO 9001.

4. A QMS based on ISO 9001 incurs significant costs: The implementation of a QMS based on ISO 9001 does
incur costs, but these do not have to be beyond what the organization is able or willing to invest. Organizations
are subject to extra costs when they apply for a third-party audit in order to get certified against the standard,
which is not compulsory. The price of the audit and certification can vary depending on the certification body, the
size and type of the organization, the maturity of the QMS, etc. However, getting the QMS certified usually yields
a return on investment, as the organization benefits from the recognition of an independent third party.
In addition, there are organizations that decide to hire consultants (such as PECB Certified ISO 9001 Lead
Implementer) to implement a QMS based on ISO 9001. However, this is not mandatory as a lot of helpful advice
can be found in free publications of ISO. In general, the implementation of a QMS does incur an investment cost
but, if implemented and integrated properly, the investment has the potential to provide benefits that far outweigh
the expenses.
5. ISO 9001 is aimed at manufacturers that produce tangible goods: ISO 9001 is applicable to all types of
organizations, regardless of whether they provide products or services. Service providers, such as banks,
government applications, and educational institutions, can derive value from the implementation of a QMS based on
ISO 9001. ISO 9001:2015 is tailored to be even more accessible to organizations outside the manufacturing
sector, for example, through the language used in the standard which constantly emphasizes the “products and
services” of the organization.
6. A QMS based on ISO 9001 burdens organizations with extensive documentation requirements: Although
the saying “document what you do and do what you document” might be seen as reasonable at first glance, it
has led to a path that was more problematic than useful as many organizations have interpreted ISO 9001 as a
document that lays out the requirements for a system that “requires the documentation of everything.” This has
proven to be impractical, ineffective, and often impossible.
Since the initial publication, every updated edition of ISO 9001 has slowly decreased the requirements for
documentation, and the latest edition, ISO 9001:2015, allows for a greater flexibility in this regard. While the
newest edition of the standard does require a degree of documentation (most often identified through
requirements for maintaining and retaining documented information), it also states that the extent of
documentation should be reasonable so as to support the operation of the processes and to have confidence that
processes are being carried out as planned. What is reasonable can be determined by the organization itself.

Quality circle: This program refers to a group of employees from the same work area (generally 6-12
volunteers) that meet regularly to identify and analyze the causes of work-related problems, and employ
advanced problem-solving techniques to provide solutions. Typical objectives of a quality circle include quality
improvement, productivity enhancement, and employee involvement.
Total quality management (TQM): This approach aims at ensuring continual success by satisfying the needs of
customers. The TQM effort is based on the principle that each employee must be committed to maintaining high
standards of work, thus improving the organization’s products, services, and processes.
Six sigma: This method provides the tools and techniques that aim to identify and eliminate the causes of
defects (errors) and minimize variability in manufacturing and business processes in order to increase the quality
of process outputs. The term “six sigma quality” indicates that a process is well controlled.
Lean: This process focuses on eliminating non-value-added waste in a process with the goal of reducing process
cycle times, improving on-time delivery performance, and reducing costs. The main objective of this process is to
increase the value for customers by using a value creation process with zero waste.
Kaizen: This systematic approach aims to combine employees of all levels to work together to create a powerful
engine for business improvement. Implementation of the Kaizen approach leads to a successful continual
improvement culture and to enhanced progression of quality, productivity, and labor-management relations.
Just-in-time: This production strategy aims to facilitate production in high quantity using minimal inventories and
eliminating waste in production. According to this method, materials are ordered only when needed and as
needed in the production process. In order for this method to be effective, it is important that the demand for
goods and services is calculated in advance.

1. Which statement regarding management systems is correct?
A. All organizations have some form of a management system
B. An organization is considered to have a management system only when such a system is well
defined and documented
C. Once an organization establishes a management system, the management system cannot change
2. What is a quality management system?
A. The feedback of customers that organizations receive regarding the quality of their products or
services
B. Part of a management system with regard to quality
C. Activities which specifically ensure compliance with applicable laws and regulations
3. What does ISO 9000 provide?
A. Guidance for achieving sustained success, with reference to the quality management principles
B. Guidance on the application of ISO 9001
C. Fundamental concepts and principles of quality management systems
4. There are several sector-specific standards related to ISO 9001. What is special about these types
of standards?
A. These standards are based on quality management, but they only provide requirements that are
relevant for the sector which they are aimed at
B. These standards contain all the requirements of ISO 9001 but also add sector-specific requirements
C. Organizations cannot obtain certification against these standards

5. What is a common misconception about ISO 9001?
A. Organizations cannot obtain a certification against ISO 9001
B. ISO 9001 is applicable only to the organizations that provide services
C. ISO 9001 is mainly applicable to large organizations

This section presents the steps of obtaining a certification, describes briefly the main parties involved in the
certification scheme, and provides information on the accreditation and certification bodies, respectively.

Note:
Continual improvement refers to the ongoing process that an organization undergoes in order to improve
their procedures, processes, and products or services.
Surveillance audit refers to the activity that is performed once a year (sometimes more, based on the
organization’s needs) to ensure that their management system is in conformity to the respective
management system standard.

As displayed on the slide, the following parties are involved in the certification scheme:
Accreditation bodies are organizations responsible for the assessment and accreditation of certification
bodies
Management system certification bodies are organizations which perform audits on their clients’
management systems and grant certifications
Personnel certification bodies are organizations which certify individuals (not only auditors but also
trainers, implementers, etc.)
Auditees are organizations whose management system is subject to audit
Important note: The accreditation and certification activities are not performed by ISO but by specialized and
independent accreditation and certification bodies. The mission of ISO is to develop international standards, not
to verify whether ISO standards are implemented in accordance with the requirements defined in those
standards.

ISO/IEC 17011 provides general requirements for accreditation bodies in assessing and accrediting certification
bodies. Compliance with the requirements of ISO/IEC 17011 proves that the accreditation bodies are competent
and reliable in offering accreditation services.
Commonly, there is only one accreditation authority in each country. However, in the United States, there are
several accreditation bodies: IAS and ANAB.
The International Accreditation Service (IAS) accredits certification programs for persons, products, and
management systems according to ISO/IEC 17024, ISO/IEC 17065, and ISO/IEC 17021-1.
The ANSI National Accreditation Board (ANAB) supervises the certification bodies accredited against
ISO/IEC 17021-1.
Accreditation authority groups:
European co-operation for Accreditation (EA) is the European network of accreditation organizations based in
Europe. The members include UKAS, COFRAC, DAkkS, ENAC, etc.
Source: https://european-accreditation.org
International Accreditation Forum (IAF) is the international association of accreditation organizations for
systems in management, product, services, individuals, and other programs. The objective of IAF is to ensure
that the member organizations only certify competent organizations and establish agreements of mutual
recognition among its members.
Source: https://www.iaf.nu

The following is a list of accreditation authorities for several countries (see the complete list on the IAF website:
https://www.iaf.nu):
Argentina: Organismo Argentino de Acreditación (OAA), www.oaa.org.ar
Australia and New Zealand: Joint Accreditation System of Australia and New Zealand (JAS-ANZ), www.jas-anz.org
Austria: Federal Ministry of Economy, Family and Youth (BMWFJ), www.en.bmdw.gv.at
Belgium: Belgian Accreditation Body (BELAC), www.belac.fgov.be
Brazil: General Coordination for Accreditation (CGCRE), www.inmetro.gov.br
Canada: Standards Council of Canada (SCC), www.scc.ca
Chile: Instituto Nacional de Normalizacion (INN), www.inn.cl
China: China National Accreditation Service for Conformity Assessment (CNAS),
https://www.cnas.org.cn/english/index.shtml
Egypt: Egyptian Accreditation Council (EGAC), www.egac.gov.eg
Finland: Finnish Accreditation Service (FINAS), www.finas.fi
France: Comité Français d’Accréditation (COFRAC), www.cofrac.fr
Germany: Deutsche Akkreditierungsstelle GmbH (DAkkS), www.dakks.de
Hong Kong, China: Hong Kong Accreditation Service (HKAS), www.itc.gov.hk/hkas
India: National Accreditation Board for Certification Bodies (NABCB), www.qcin.org
Iran: National Accreditation Center of Iran (NACI), http://www.naci.isiri.org
Ireland: Irish National Accreditation Board (INAB), www.inab.ie
Japan: International Accreditation Japan (IAJapan), www.jab.or.jp
Korea: Korea Accreditation System (KAS), www.iaf.nu/articles/IAF_MEM_Korea_Republic_of_/86
Malaysia: Standards Malaysia (DSM), www.jsm.gov.my
Mexico: Mexican Accreditation Entity (EMA), www.ema.org.mx
Netherlands: Dutch Accreditation Council (Raad Voor Accreditatie) (RvA), www.rva.nl
Norway: Norwegian Accreditation (NA), www.akkreditert.no
Pakistan: Pakistan National Accreditation Council (PNAC), www.pnac.org.pk
Philippines: Philippine Accreditation Office (PAB), www.dti.gov.ph
Portugal: Portuguese Institute for Accreditation (IPAC), www.ipac.pt
Romania: Romanian Accreditation Association (RENAR), www.renar.ro
Russian Federation: Scientific Technical Center on Industrial Safety (STC-IS), www.oaontc.ru/en/
Singapore: Singapore Accreditation Council (SAC), www.sac-accreditation.gov.sg
Slovenia: Slovenska Akreditacija (SA), www.slo-akreditacija.si
South Africa: South African National Accreditation System (SANAS), www.sanas.co.za
Spain: Entidad Nacional de Acreditacion (ENAC), www.enac.es
Sweden: Swedish Board for Accreditation and Conformity Assessment (SWEDAC), www.swedac.se/?lang=en
Switzerland: State Secretariat for Economic Affairs, Swiss Accreditation Service (SAS), www.sas.ch
Thailand: National Standardization Council of Thailand (NSC), www.tisi.go.th
Tunisia: Tunisian Accreditation Council (TUNAC), www.tunac.tn
Turkey: Turkish Accreditation Agency (TURKAK), www.turkak.org.tr
United Arab Emirates: Emirates International Accreditation Center (EIAC), www.eiac.gov.ae
United Kingdom: United Kingdom Accreditation Service (UKAS), www.ukas.com
United States: ANSI-ASQ National Accreditation Board (ANAB), www.anab.org
United States: American National Standards Institute (ANSI), www.ansi.org
United States: International Accreditation Services (IAS), www.iasonline.org
Uruguay: Organismo Uruguayo de Acreditacion (OUA)
Vietnam: Bureau of Accreditation (BoA), www.boa.gov.vn/en

ISO/IEC 17021-1, Introduction
Certification of a management system provides independent demonstration that the management system of the
organization:
a. conforms to specified requirements;
b. is capable of consistently achieving its stated policy and objectives;
c. is effectively implemented.
ISO/IEC 17024, Introduction
This International Standard has been developed with the objective of achieving and promoting a globally accepted
benchmark for organizations operating certification of persons. Certification for persons is one means of providing
assurance that the certified person meets the requirements of the certification scheme.
In either case, this International Standard can serve as the basis for the recognition of the certification bodies for
persons and the certification schemes under which persons are certified, in order to facilitate their acceptance at
the national and international levels.
ISO/IEC 17065, Introduction
The overall aim of certifying products, processes or services is to give confidence to all interested parties that a
product, process or service fulfils specified requirements.
Parties that have an interest in certification include, but are not limited to:
a. the clients of the certification bodies;
b. the customers of the organizations whose products, processes or services are certified;
c. governmental authorities;
d. non-governmental organizations; and
e. consumers and other members of the public.

Apart from the aforementioned requirements, ISO/IEC 17021-1 acknowledges the fact that varying competences
are needed for auditing different management systems. This acknowledgment is reflected in the fact that ISO has
developed a series of parts of the main ISO/IEC 17021 standard that deal with auditor competence for different
types of management systems.
The following standards specify competence requirements for auditing and certification in the following areas:
ISO/IEC 17021-2: Environmental management systems
ISO/IEC 17021-3: Quality management systems
ISO/IEC TS 17021-4: Event sustainability management systems
ISO/IEC TS 17021-5: Asset management systems
ISO/IEC TS 17021-6: Business continuity management systems
ISO/IEC TS 17021-7: Road traffic safety management systems
ISO/IEC TS 17021-8: Management systems for sustainable development in communities
ISO/IEC TS 17021-9: Anti-bribery management systems
ISO/IEC TS 17021-10: Occupational health and safety management systems
ISO/IEC TS 17021-11: Facility management systems
ISO/IEC TS 17021-12: Collaborative business relationship management systems

1. When is an organization subject to a surveillance audit?
A. Once the stage 2 audit is completed
B. Once the audit follow-up is completed
C. After the organization obtains the certification, usually after a year
2. Which of the following statements is correct?
A. Certification bodies are accredited by accreditation bodies
B. Certification bodies assess and certify accreditation bodies
C. Certification bodies are hired by accreditation bodies
3. Who certifies management systems?
A. Auditees
B. Accreditation bodies
C. Certification bodies
4. Compass is a market research company which provides its customers with insights on market
trends and demands. Compass is currently undergoing an ISO 9001 certification audit. What is
Compass in this case?
A. An auditee
B. An accreditation body
C. A certification body

This section gives an introduction to quality management, including the main definitions, principles, methods and
techniques, determinants of product and service quality, and consequences of poor quality. It also discusses the
process approach, the PDCA cycle, and risk-based thinking.

Early signs of quality tools can be traced back to the construction of the Great Pyramid of Giza, for which
scientists claimed that workers must have used special tools in order to ensure its quality. Later on, Ancient
Greece and the Roman Empire also developed their own systems for quality management. The focus on
quality management increased even more during the Industrial Revolution. However, significant paradigm shifts
for the development and improvement of quality management systems occurred after the end of the 19th century,
which introduced the first quality management process, the Quality Inspection Paradigm.
Quality inspection (1900-1940): This paradigm emerged during the time of flow production. It gave emphasis to
the quality of the final product during the delivery process. The main objective of organizations during this time
was to provide a high-quality final product in order to avoid receiving any complaints or requests for compensation
from customers. To do this, organizations controlled and examined final products and removed defective
products. In addition, during this period, new philosophies started to be introduced, such as Taylorism in the
1900s, which aimed at achieving more productivity without having to hire more employees.
Quality control (1940s): This paradigm surfaced as a result of a necessity to minimize the loss of defective
products after the quality inspection process. During this period, the focus was not only on the outcome of the
final product, but also on its manufacturing process. Hence, instead of focusing on fixing the errors at the end,
manufacturers tried to find the root causes of those errors and tried to eliminate them. Strategies, such as “Five-
times-Why,” were created in order to identify and address errors. Furthermore, Walter Shewhart’s idea of using
statistics to control the process of production and analyze and address the root causes of error is considered to
have contributed vastly to the development of quality management. Lastly, 1946 was the pivotal year in the
history of quality management due to the establishment of the American Society for Quality, the International
Organization for Standardization, and the Japanese Union for Scientist and Engineering.

Quality assurance (1960-1980): In comparison to the previous paradigms, this one did not only focus on the
quality of the final product or its manufacturing process, but it also put emphasis on the identification and
prevention of potential errors and issues that might have surfaced during the production process. A special focus
was given to the early stages of production that made an impact on the products’ quality, cost, and time of
production. Important innovations in the 60s for quality management include Joseph Juran’s publication of the
book Quality Control Handbook, the invention of the Deming Wheel, and Dr. Ishikawa’s quality tools, which are
used to this day.
Quality management (1990s): This paradigm emerged due to the formation of more complex partnerships that
raised the need for the creation of standard rules in order to ensure credence and reliance between partners.
During this time, ISO 9000 was released, which provided organizations with fundamental requisites for quality
management. Due to these developments, partners and customers expected organizations to be certified from
certification bodies in order to prove compliance to those requirements. Another significant development was the
introduction of Six Sigma, a method used to enhance improvement and customer satisfaction and decrease
defects. A pivotal advantage that this paradigm had in comparison to previous ones was the creation of
internationally recognized and accepted standards that ensured reciprocal reliance between partners and
customers.
Total quality management (TQM) (2000s): For the last paradigm shift, because of the widespread application
of standards in various disciplines, a special emphasis was given to quality management, not because of the
market pressure but because of a shared purpose and desire for offering high-quality products. Hence, fields
such as education or health care applied standards’ requirements for quality management systems for the sake
of advancement and not competition. In addition, the well-being of employees was of interest to organizations
due to their inclusion in the total quality management, which consisted of a cycle comprising the top
management, employees, customers, etc.
The current situation: Nowadays, ISO 9001, Six Sigma, and Lean manufacturing are the most utilized quality
management systems by organizations in various disciplines. However, with the evolution of the modern society
and the advancement of technology, quality management systems have changed drastically in the 21st century.
Christensen writes in his book, The Innovator’s Dilemma, that technology has impacted and transformed not only
an organization’s products and services but also its financial, marketing, and managerial processes. As such,
organizations do not have to focus only on the quality of the product, but on its marketing as well. In addition, the
reputation of the organization now impacts the sales for a product regardless of its quality. Hence, in order for
organizations to build and retain a good reputation, they have to consider social responsibility, such as
environmental issues, employee policy, and work sustainably. Another challenge for organizations is the difficulty
of achieving customer satisfaction with the products they sell, due to the increased diversity of customers.
Sources:
Christensen, Clayton M. The innovator’s dilemma. New York, NY: Harper Business, 2011.
Hellman, Pasi, and Yang Liu. “Development of quality management systems: How have disruptive technological
innovations in quality management affected organizations?” Department of Production 17, no. 1 (2013): 104–119.
Accessed August 25, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-133479.
Weckenmann, Albert, Goekhan Akkasoglu, and Teresa Werner. “Quality management — history and trends.”
The TQM Journal 27, no. 3 (2015): 281–293. Accessed August 25, 2021. http://dx.doi.org/10.1108/TQM-11-2013-0125.

Deming: The famous quote “quality is everyone’s responsibility” was introduced by W. Edwards Deming.
He was an American engineer, physicist, and statistician and is considered to be the father of quality
management. He shared his knowledge on statistical quality control with influential businesses and
corporations by advising, consulting, teaching, and writing books. Deming is praised for his role in the
recovery of Japan’s industry after WW2. His philosophy holds the top management accountable for quality
control. Deming’s promotion of the PDCA (Plan, Do, Check, Act) cycle and his 14 points on quality
management have built a strong foundation for the overall development of quality management. Deming
stated that, by improving quality through statistical process control, productivity will be increased and costs
reduced.
Juran: Joseph Juran wrote the Quality Control Handbook which may have been the first book on quality
management. Juran was an American engineer and consultant whose work was focused on quality
management. He is also known for his influence on the Japanese Industrial Revolution along with Deming.
Juran also put emphasis on the role of the top management in quality control. He is widely known for his
Quality Trilogy which highlights the importance of planning, controlling, and improving quality
management. In addition to this, Juran noticed that the Pareto Principle (the 80/20 Rule) also applies to
defects — 20% of the defects cause 80% of the problems in an organization. Thus, when focusing on the
defects, great results will be achieved with minimal effort. Juran received many awards for his work.
Taguchi: Genichi Taguchi was a famous Japanese statistician and engineer who contributed to the field of
quality management. His method is focused on improving the quality of input in the organization’s
processes and reducing overall costs. According to Taguchi, a process design is more important than the
operational processes for good quality management. This way, the need for mass inspection in the
organization would be reduced by controlling the quality of the process design. According to Taguchi,
customer satisfaction was important and that is why he defined quality as “the loss imparted to society
from the time a product is shipped to customer.” Taguchi wrote several books on quality management and
was awarded for his work.

Feigenbaum: Former president and CEO of General Systems Co., Armand V. Feigenbaum dealt with
quality management and quality control in an international scope. His most famous work is Total Quality
Control, where he put emphasis on developing, controlling, and improving quality management in all
functions of a company. According to Feigenbaum, “to ensure effectiveness, control must start with the
design of the product and end only when the product has been placed in the hands of a customer who
remains satisfied.”
Ishikawa: The company-wide quality control (CWQC) is attributed to Kaoru Ishikawa, a Japanese
engineer and author. CWQC suggests the inclusion of all functions and members of the company in quality
control and an integrated process control. This strategy indicates that processes, products, and services of
an organization should be continuously improved. Ishikawa is also known for The Fishbone Diagram,
which shows the causes of an error, thus helping to identify the source of problems in manufacturing.
Even though Ishikawa focused on practical issues throughout his career, he always followed a larger
philosophical framework.
Crosby: Crosby was a businessman with experience in quality management and is known for quoting the
phrases “zero defects” and “getting it right first time.” According to him, mistakes may happen while
working; however, each company should have a system that does not allow mistakes to happen. Crosby
highlights the importance of establishing a corporate culture to focus on doing things the right way the first
time. This theory ensures greater efficiency and reduces costs. The Quality College that he founded has
trained over 60,000 managers.
Shainin: The Shainin System (SS) has facilitated problem solving in companies for many years. This
system was developed by Dorian Shainin, an American engineer, consultant, and professor who worked
with more than 900 organizations. This system is based on the principle that there is a main cause of
defects in the output which needs to be fixed in order to eliminate waste. Shainin’s philosophy was “do not
let engineers do the guessing, let the parts do the talking.” He wrote books and articles, won many awards,
and contributed greatly to the field of quality management.
Masing: Walter Masing was a famous German physicist, entrepreneur, and professor who dealt with
quality management in Germany. He was a founder of the International Academy for Quality (IAQ) and the
European Organization for Quality (EOQ). In order to satisfy his customers’ needs, Masing created a
quality assurance system from the knowledge he gained from trainings and autodidactic learning. Masing
is famous for writing and editing The Masing Quality Management Handbook, which was one of the
most famous books for quality management in the German language.
For more information, please visit: Honorary Members | ASQ
Source: Beckford, John. Quality: A Critical Introduction. London: Routledge, 2016.

If a product fulfills the customer’s expectations, the customer will be pleased and consider that the product is of
acceptable quality. In contrast, if the customer’s expectations are not fulfilled, then the customer will consider that
the product is of low quality.
Quality needs are determined in terms of different parameters and characteristics and may vary from one product
to the other. Examples:
For a mechanical or an electronic product, quality can be determined by the product’s performance,
reliability, safety, and appearance.
For a pharmaceutical product, parameters such as physical and chemical characteristics, medicinal effect,
side effects, toxicity, and taste can be used to determine whether the medicine fulfills quality requirements,
i.e., whether or not the medicine is of acceptable quality.
For a food product, the quality will be determined by the taste, nutritional properties, texture, packaging,
and so on.
Source: Sower, Victor E. Essentials of Quality: with Cases and Experiential Exercises. Hoboken, NJ: Wiley,
2011.

Source: Goetsch, David L., and Stanley Davis. Quality Management for Organizational Excellence: Introduction
to Total Quality. Pearson, 2014.

ISO 9001, clause 0.2 Quality management principles (cont’d)
This International Standard is based on the quality management principles described in ISO 9000. The
descriptions include a statement of each principle, a rationale of why the principle is important for the organization,
some examples of benefits associated with the principle and examples of typical actions to improve the
organization’s performance when applying the principle.
The statements provided on each principle below are taken from clause 2.3 Quality management principles of
ISO 9000.
1. Customer focus: The primary focus of quality management is to meet customer requirements and to strive to
exceed customer expectations.
Implications:
Understanding customer needs and expectations
Meeting customer requirements
Communicating the customer needs and expectations throughout the organization
Measuring customer satisfaction
Understanding and managing customer relationships
2. Leadership: Leaders at all levels establish unity of purpose and direction and create conditions in which people
are engaged in achieving the organization’s quality objectives.
Implications:
Establishing and promoting leaders as a positive example at all levels of the organization
Establishing and communicating a clear vision of the organization
Providing the necessary resources for the QMS
Promoting open and honest communication
Setting quality objectives aligned with the organization’s mission
Building trust and eliminating fear

3. Engagement of people: Competent, empowered and engaged people at all levels throughout the organization
are essential to enhance the organization’s capability to create and deliver value.
Implications:
Feeling personally and emotionally connected to the organization
Understanding the importance of contribution and role in the organization
Feeling a close attachment to the values, ethics, and norms of the organization
Actively seeking opportunities to enhance competence, knowledge, and experience
4. Process approach: Consistent and predictable results are achieved more effectively and efficiently when
activities are understood and managed as interrelated processes that function as a coherent system.
Implications:
Having clear responsibility, authority, and accountability for the results
Understanding the resources, information, and competences necessary to improve key activities of the
organization
Assessing risks, consequences, and impacts before taking any action
Defining the activities necessary to obtain the desired results
5. Improvement: Successful organizations have an ongoing focus on improvement.
Implications:
Employing a consistent organization-wide approach to continual improvement of the organization’s
performance
Providing employees with appropriate training in the methods and tools to achieve continual improvement
Making continual improvement of products, processes, and systems an objective for every individual in the
organization
Establishing goals to track continual improvement
Recognizing and acknowledging improvements
6. Evidence-based decision making: Decisions based on the analysis and evaluation of data and information
are more likely to produce desired results.
Implications:
Ensuring that data and information are sufficiently accurate and reliable
Collecting data and information relevant to the product, service, or process
Analyzing data and information using valid methods
Making decisions and taking actions based on factual analysis, balanced with experience and intuition
7. Relationship management: For sustained success, organizations manage their relationships with relevant
interested parties, such as providers.
Implications:
Identifying and understanding interested parties on which the organization’s success depends
Establishing relationships that balance short-term gains with long-term considerations
Creating clear and open communication channels
Establishing joint development and improvement activities
Sharing information and future plans
Source: Hoyle, David. ISO 9000 Quality Systems Handbook Increasing the Quality of an Organization’s Outputs.
New York: Routledge, 2018.

ISO 9001, clause 0.3.1 General
Understanding and managing interrelated processes as a system contributes to the organization’s effectiveness
and efficiency in achieving its intended results. This approach enables the organization to control the
interrelationships and interdependencies among the processes of the system, so that the overall performance of
the organization can be enhanced.
The process approach involves the systematic definition and management of processes, and their interactions, so
as to achieve the intended results in accordance with the quality policy and strategic direction of the organization.
Management of the processes and the system as a whole can be achieved using the PDCA cycle with an overall
focus on risk-based thinking aimed at taking advantage of opportunities and preventing undesirable results.
ISO 9000, clause 3.4.1 Process
Note 1 to entry: Whether the “intended result” of a process is called output, product or service depends on the
context of the reference.
Note 2 to entry: Inputs to a process are generally the outputs of other processes and outputs of a process are
generally the inputs to other processes.
Note 3 to entry: Two or more interrelated and interacting processes in series can also be referred to as a process.
Note 4 to entry: Processes in an organization are generally planned and carried out under controlled conditions to
add value.
Note 5 to entry: A process where the conformity of the resulting output cannot be readily or economically validated
is frequently referred to as a “special process”.

ISO 9001, clause 0.3.1 General
The application of the process approach in a quality management system enables:
a. understanding and consistency in meeting requirements;
b. the consideration of processes in terms of added value;
c. the achievement of effective process performance;
d. improvement of processes based on evaluation of data and information.
Any activity, or set of activities, that uses resources to transform inputs into outputs can be considered as a
process. The output is the intended result by the organization which can also serve as an input of other
processes. Inputs and outputs can be tangible or intangible, e.g., a physical object and a mobile app,
respectively.

The figure presented on the slide illustrates the grouping of clauses 4 to 10 in relation to the PDCA cycle.
ISO 9001, clause 0.3.2 Plan-Do-Check-Act cycle
The PDCA cycle can be applied to all processes and to the quality management system as a whole.
The PDCA cycle can be briefly described as follows:
Plan: establish the objectives of the system and its processes, and the resources needed to deliver results
in accordance with customers’ requirements and the organization’s policies, and identify and address risks
and opportunities;
Do: implement what was planned;
Check: monitor and (where applicable) measure processes and the resulting products and services against
policies, objectives, requirements and planned activities, and report the results;
Act: take actions to improve performance, as necessary.

Plan: Recognize an opportunity and plan the changes
Failures, losses, near-misses, and nonconformities are recognized as opportunities for improvement.
Do: Test the changes
The organization tests, preferably in a smaller scale, the changes that need to be made. A smaller scale allows
the organization to assess the effectiveness of the intended actions while causing minimal disruption to the rest
of the organization.
Check: Review the test, analyze the results, and identify the learning opportunities
At this stage, the organization analyzes the result of the testing and decides whether the results are satisfactory.
If the changes are considered satisfactory, the organization continues with the next stage, but if the organization
chooses to try other changes with the hopes of finding better solutions, then the organization moves back and
forth between Do and Check stages.
Act: Take action based on what was learned in the previous step
At this stage, the organization implements the changes, records the lessons learned, and communicates them to
the relevant stakeholders.
It is noteworthy that the PDCA is not a process with a beginning and an end; it is rather a loop. The cycle restarts
as more opportunities are identified.

ISO 9001, clause 0.3.3 Risk-based thinking (cont’d)
Opportunities can arise as a result of a situation favourable to achieving an intended result, for example, a set of
circumstances that allow the organization to attract customers, develop new products and services, reduce waste
or improve productivity. Actions to address opportunities can also include consideration of associated risks. Risk
is the effect of uncertainty and any such uncertainty can have positive or negative effects. A positive deviation
arising from a risk can provide an opportunity, but not all positive effects of risk result in opportunities.

Source: ISO/TC 176/SC2. “Risk-based Thinking in ISO 9001:2015.”

ISO 31000, clause 3.1 Risk (cont’d)
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address,
create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their
likelihood.
Source: Marsden, Eric. “The ISO 31000 standard on risk management.” Risk Engineering.

1. Who is responsible for establishing unity of purpose and direction and creating the conditions under
which the organization’s quality objectives are achieved?
A. Leaders at all levels
B. The chief executive officer
C. Quality manager(s)
2. Which of the following is a determinant of product quality?
A. Security
B. Durability
C. Assurance
3. Which quality management principle requires organizations to manage their activities as
interrelated processes that function as a coherent system?
A. Evidence-based decision making
B. Process approach
C. Relationship management
4. According to ISO 31000, what is the definition of risk?
A. The effect of uncertainty on objectives
B. A negative deviation from what was expected
C. A non-fulfillment of a requirement
5. How should organizations apply risk-based thinking with regard to the QMS?
A. Only during the design stage of the QMS
B. Only during the implementation process of the QMS
C. Throughout the design and use of the QMS

This section provides an overview of the ISO 9001 requirements for a QMS.

This clause requires organizations to:
Understand the external and internal issues that are relevant to their purpose and strategic direction and
that can affect, either positively or negatively, their ability to achieve the objectives of the QMS
Take into account the needs, expectations, and requirements of relevant interested parties
Determine the boundaries and applicability of the QMS so that the intended results are achieved
Determine the processes needed for their QMS in accordance with the requirements of ISO 9001

ISO 9001, clause 4.1 Understanding the organization and its context (cont’d)
The organization shall monitor and review information about these external and internal issues.
NOTE 1 Issues can include positive and negative factors or conditions for consideration.
NOTE 2 Understanding the external context can be facilitated by considering issues arising from legal,
technological, competitive, market, cultural, social and economic environments, whether international, national,
regional or local.
NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture,
knowledge and performance of the organization.

Identifying and analyzing interested parties can be challenging due to many issues that may arise, including
conceptual ones, such as dealing with cultural or procedural differences:
How to approach the interested parties and how to manage them in the long term?
How to balance the different opinions and needs of interested parties?
How to categorize the interested parties when there are no clear boundaries between them, when multiple
groups of interested parties exist, or when there is an obvious strong coalition between some of the groups?

ISO 9001, clause 4.3 Determining the scope of the quality management system (cont’d)
The organization shall apply all the requirements of this International Standard if they are applicable within the
determined scope of its quality management system.
The scope of the organization’s quality management system shall be available and be maintained as documented
information. The scope shall state the types of products and services covered, and provide justification for any
requirement of this International Standard that the organization determines is not applicable to the scope of its
quality management system.
Conformity to this International Standard may only be claimed if the requirements determined as not being
applicable do not affect the organization’s ability or responsibility to ensure the conformity of its products and
services and the enhancement of customer satisfaction.
A clear definition of the scope is an important factor for the successful implementation of the QMS as it makes it
easier to:
Determine the main quality risks that the organization is facing
Determine the geographical or organizational boundaries, or both, to which the QMS will apply
Encourage the support of the interested parties for the implementation project
Justify added value to the interested parties

ISO 9001, clause 4.4.1 (cont’d)
The organization shall determine the processes needed for the quality management system and their application
throughout the organization, and shall:
a. determine the inputs required and the outputs expected from these processes;
b. determine the sequence and interaction of these processes;
c. determine and apply the criteria and methods (including monitoring, measurements and related
performance indicators) needed to ensure the effective operation and control of these processes;
d. determine the resources needed for these processes and ensure their availability;
e. assign the responsibilities and authorities for these processes;
f. address the risks and opportunities as determined in accordance with the requirements of 6.1;
g. evaluate these processes and implement any changes needed to ensure that these processes achieve their
intended results;
h. improve the processes and the quality management system.

This clause requires organizations’ top management to:
Demonstrate leadership and commitment through the active promotion, communication, and monitoring of
the QMS
Establish a quality policy based on the quality principles, which is consistent with the strategic direction of
the organization
Assign roles and responsibilities to the relevant persons in the QMS, in order to achieve the intended
results

ISO 9001, clause 5.1.1 General (cont’d)
NOTE Reference to “business” in this International Standard can be interpreted broadly to mean those activities
that are core to the purposes of the organization’s existence, whether the organization is public, private, for profit
or not for profit.
ISO 9001, clause 5.1.2 Customer focus
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a. customer and applicable statutory and regulatory requirements are determined, understood and
consistently met;
b. the risks and opportunities that can affect conformity of products and services and the ability to enhance
customer satisfaction are determined and addressed;
c. the focus on enhancing customer satisfaction is maintained.

ISO 9001, clause 5.2.1 Establishing the quality policy
Top management shall establish, implement and maintain a quality policy that:
a. is appropriate to the purpose and context of the organization and supports its strategic direction;
b. provides a framework for setting quality objectives;
c. includes a commitment to satisfy applicable requirements;
d. includes a commitment to continual improvement of the quality management system.
ISO 9001, clause 5.2.2 Communicating the quality policy
The quality policy shall:
a. be available and be maintained as documented information;
b. be communicated, understood and applied within the organization;
c. be available to relevant interested parties, as appropriate.

Top management should demonstrate commitment to implement the QMS. It should define the structure,
hierarchy, and lines of reporting. In addition (perhaps, through the assistance of the HR function), it should ensure
that duties, responsibilities, and authority of all personnel are defined and communicated.
Some of the methods that the top management can use to define and document the roles, responsibilities, and
authorities include organizational charts, job descriptions, procedures, and work instructions. These should be
communicated throughout the organization as appropriate. There are many ways to accomplish this, e.g.,
through orientation packages, appointment postings, sign-off on job descriptions, training on procedures, and
work instructions.
The organization structure and lines of reporting, responsibility, and authority of managerial functions and
departments may be established by top management, whereas the responsibilities and authorities for the rest of
the organization may be established by the HR function working with various process owners. This would depend
on the size, complexity, and culture of the organization.
Source: Abuhav, Itay. ISO 9001 2015 — A Complete Guide to Quality Management Systems. Boca Raton:
Chapman and Hall/CRC, 2017.

This clause requires organizations to:
Determine the risks and opportunities and plan actions to address them, implement the actions, and
analyze and evaluate the effectiveness of the actions taken
Establish QMS objectives and plan appropriate actions to achieve them
Determine the need for QMS changes and ensure that any proposed changes are planned, introduced, and
implemented in a controlled manner

The risk management process consists of scope, context, criteria, risk assessment, risk treatment, risk
communication and consultation, risk recording and reporting, and risk monitoring and review.
The risk management process should be iterative for risk assessment and risk treatment activities. If the risk
assessment activities have provided sufficient evidence that the determined actions will bring risk exposure to an
acceptable level, the next step is to implement risk treatment options. However, if there is insufficient evidence to
determine the risk level, and if the risk treatment process appears to be unacceptable, an iteration of risk
assessment will be conducted on some or all the items of the application domain. If the risk treatment option is
not satisfactory, but the scope, context, criteria and risk assessment are correct, a new iteration of risk treatment
will be conducted. Otherwise, a new iteration of scope, context, criteria will also have to be applied.
The effectiveness of risk treatment may depend partially on the accuracy of risk assessment. It is possible that
risk treatment may not directly lead to an acceptable level of residual risk. If that is the case, a new iteration of
risk assessment should be undertaken.
Risk communication to the organization’s interested parties is an ongoing activity, as is risk monitoring.

ISO 9001, clause 6.1.2 (cont’d)
NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity,
eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed
decision.
NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets,
addressing new customers, building partnerships, using new technology and other desirable and viable
possibilities to address the organization’s or its customers’ needs.

ISO 9001, clause 6.2.1 (cont’d)
The organization shall maintain documented information on the quality objectives.
ISO 9001, clause 6.2.2
When planning how to achieve its quality objectives, the organization shall determine:
a. what will be done;
b. what resources will be required;
c. who will be responsible;
d. when it will be completed;
e. how the results will be evaluated.
The objectives of the QMS are the expression of the organization’s intent to treat the identified risks and ensure
that the QMS requirements are aligned with organizational needs. Initially, it is necessary to establish the
objectives of the QMS in consultation and collaboration with interested parties.
Source: Abuhav, Itay. ISO 9001 2015 — A Complete Guide to Quality Management Systems. Boca Raton:
Chapman and Hall/CRC, 2017.

ISO 9001, clause 6.3 Planning of changes
When the organization determines the need for changes to the quality management system, the changes shall be
carried out in a planned manner.
The organization shall consider:
a. the purpose of the changes and their potential consequences;
b. the integrity of the quality management system;
c. the availability of resources;
d. the allocation or reallocation of responsibilities and authorities.
Possible types of changes
• Changes in the input or output of the process
• Environmental changes
• Economic changes
• Organizational changes
• Design changes
• Changes in the documented information
• Changes required from the interested parties
• Changes required as a result of the performed corrective actions
• Changes resulting from nonconformities
• Changes resulting from adjustments of the business strategy
Source: Abuhav, Itay. ISO 9001 2015 — A Complete Guide to Quality Management Systems. Boca Raton:
Chapman and Hall/CRC, 2017.

This clause requires organizations to:
• Provide the necessary resources for implementing, maintaining, and continually improving the QMS
• Determine the required competence for the jobs and activities in the organization and whether employees
  are competent for the activities they are performing
• Raise employee awareness on the important aspects of the QMS, such as the quality policy, objectives,
  their contribution in regard to the effectiveness of the QMS, and the implications of not complying with the
  QMS requirements
• Establish internal and external communications relevant to the QMS
• Include the documented information required by ISO 9001, and the documented information that is
  necessary for the QMS to be effective

ISO 9001, clause 7.1.2 People
The organization shall determine and provide the persons necessary for the effective implementation of its quality
management system and for the operation and control of its processes.
ISO 9001, clause 7.1.3 Infrastructure
The organization shall determine, provide and maintain the infrastructure necessary for the operation of its
processes and to achieve conformity of products and services.
NOTE Infrastructure can include:
a. buildings and associated utilities;
b. equipment, including hardware and software;
c. transportation resources;
d. information and communication technology.
ISO 9001, clause 7.1.4 Environment for the operation of processes
The organization shall determine, provide and maintain the environment necessary for the operation of its
processes and to achieve conformity of products and services.
NOTE A suitable environment can be a combination of human and physical factors, such as:
a. social (e.g. non-discriminatory, calm, non-confrontational);
b. psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
c. physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).
These factors can differ substantially depending on the products and services provided.

ISO 9001, clause 7.1.5.2 Measurement traceability
When measurement traceability is a requirement, or is considered by the organization to be an essential part of
providing confidence in the validity of measurement results, measuring equipment shall be:
a. calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards
traceable to international or national measurement standards; when no such standards exist, the basis
used for calibration or verification shall be retained as documented information;
b. identified in order to determine their status;
c. safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and
subsequent measurement results.
The organization shall determine if the validity of previous measurement results has been adversely affected when
measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary.

ISO 9001, clause 7.1.6 Organizational knowledge (cont’d)
NOTE 1 Organizational knowledge is knowledge specific to the organization; it is generally gained by experience.
It is information that is used and shared to achieve the organization’s objectives.
NOTE 2 Organizational knowledge can be based on:
a. internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from
failures and successful projects; capturing and sharing undocumented knowledge and experience; the
results of improvements in processes, products and services);
b. external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external
providers).

ISO 9001, clause 7.2 Competence (cont’d)
NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the
reassignment of currently employed persons; or the hiring or contracting of competent persons.

Organizations should raise their employees’ awareness on the importance of quality management and
commitment to the QMS. This will make it easier for employees to embrace the QMS and contribute to its
effectiveness.
Note: An employee who is neither aware nor trained represents a potential risk to the organization.
ISO/TS 9002, clause 7.3 Awareness
The organization can create awareness in many ways, such as:
a. clarifying what is expected (e.g. visual tools such as pictures of acceptable and unacceptable products and
services);
b. communicating clear requirements for products and services;
c. designing processes to clearly segregate nonconforming outputs;
d. communicating clearly how to handle complaints and the internal escalation steps in the case of
nonconforming outputs.

ISO/TS 9002, clause 7.4 Communication
The organization should determine on what it needs to communicate. This might be different for internal and
external parties. For example, the organization could communicate about the status of the quality management
system with persons of the organization, but communicate with external providers about new terms and conditions
on purchase orders.
The organization should determine those relevant internal and external parties with whom they need to
communicate, to ensure the effective operation of the quality management system. This can include relevant
persons within the organization at all levels and relevant interested parties (such as customers, external providers
used to source products and services, or regulatory bodies).
Different communication methods are often required for different situations. More formal communication, such as
reports, specifications, invoices or service level agreements, might be required for external relevant interested
parties. For internal communication, methods such as daily contact, regular department meetings, briefing
sessions, email or an intranet may be used. More formal methods such as written reports or job specifications
could also be required for internal communication, depending on the nature of the information and how critical the
issues are that need to be communicated.
The organization should also determine who will communicate. This will depend on the nature of the
communication and with whom the organization is communicating. For example, top management might
communicate with persons of the organization while the owner of the purchasing process might communicate with
external providers.

The principles of an efficient communication strategy are:
• Transparency: Properly communicate the processes, procedures, methods, data sources, and
  assumptions to all interested parties, taking into account the confidentiality of information
• Appropriateness: Provide relevant information to interested parties using formats, language, and media
  that meet their interests and needs, enabling them to fully participate
• Credibility: Communicate in an honest and fair manner and provide information that is truthful, accurate,
  and substantive; develop information and data using recognized and reproducible methods and indicators
• Responsiveness: Respond to the queries and concerns of interested parties in a full and timely manner;
  make interested parties aware of how their queries and concerns have been addressed
• Clarity: Ensure that communication approaches and language are understandable to interested parties in
  order to avoid ambiguity

ISO 9001, clause 7.5.1 General (cont’d)
NOTE The extent of documented information for a quality management system can differ from one organization to
another due to:
• the size of organization and its type of activities, processes, products and services;
• the complexity of processes and their interactions;
• the competence of persons.
ISO 9001, clause 7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure appropriate:
a. identification and description (e.g. a title, date, author, or reference number);
b. format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c. review and approval for suitability and adequacy.

ISO 9001, clause 7.5.3.1
Documented information required by the quality management system and by this International Standard shall be
controlled to ensure:
a. it is available and suitable for use, where and when it is needed;
b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
ISO 9001, clause 7.5.3.2
For the control of documented information, the organization shall address the following activities, as applicable:
a. distribution, access, retrieval and use;
b. storage and preservation, including preservation of legibility;
c. control of changes (e.g. version control);
d. retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and
operation of the quality management system shall be identified as appropriate, and be controlled.
Documented information retained as evidence of conformity shall be protected from unintended alterations.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information.

Exercise 1: Support
List at least three pieces of evidence that you as an auditor would collect in order to evaluate an organization’s
conformity to clause 7 Support of ISO 9001.

Duration of the exercise: 10 minutes


Comments: 10 minutes

This clause requires organizations to:
• Implement and control the processes needed for the provision of its products and services, and outsourced
  processes
• Communicate with its customers in order to determine their requirements regarding their products and
  services
• Implement a design and development process so that the products and services meet requirements
• Control the externally provided processes, products, and services
• Ensure products and services meet all applicable requirements before being delivered to customers
• Prevent the delivery or use of nonconforming outputs

ISO 9001, clause 8.1 Operational planning and control (cont’d)
The output of this planning shall be suitable for the organization’s operations.
The organization shall control planned changes and review the consequences of unintended changes, taking
action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are controlled.

ISO/TS 9002, clause 8.2.1 Customer communication
The intent of this subclause is to ensure there is clear communication between the organization and its customer
when determining requirements for the products and services to be provided.
ISO 9001, clause 8.2.2 Determining the requirements for products and services
When determining the requirements for the products and services to be offered to customers, the organization
shall ensure that:
a. the requirements for the products and services are defined, including:
1. any applicable statutory and regulatory requirements;
2. those considered necessary by the organization;
b. the organization can meet the claims for the products and services it offers.

ISO 9001, clause 8.2.3.1 (cont’d)
The organization shall ensure that contract or order requirements differing from those previously defined are
resolved.
The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does
not provide a documented statement of their requirements.
NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review
can cover relevant product information, such as catalogues.
ISO 9001, clause 8.2.3.2
The organization shall retain documented information, as applicable:
a. on the results of the review;
b. on any new requirements for the products and services.
ISO 9001, clause 8.2.4 Changes to requirements for products and services
The organization shall ensure that relevant documented information is amended, and that relevant persons are
made aware of the changed requirements, when the requirements for products and services are changed.

Design and development planning is crucial to the product’s final performance and profitability. Steps to be
carried out to ensure adequate design include control of:
1. The design and development stages (clear division of responsibilities, time frames, necessary resources,
reviews, outcomes, and a specific checklist for respective products)
2. The review, verification, and validation that are appropriate for each design and development stage (This
step is necessary to minimize errors. Whether parts of or final manufacturing production are bought or
even outsourced at times, the organization should review, verify, and validate what goes further for
production and what parts are sent back or not accepted at all.)
3. The responsibilities and authorities for design and development (The organization should clearly assign the
responsibilities for each stage and appoint specific people to carry out reviews and validations and
manage interfaces between groups involved in product design and development.)

ISO 9001, clause 8.3.3 Design and development inputs (cont’d)
Inputs shall be adequate for design and development purposes, complete and unambiguous.
Conflicting design and development inputs shall be resolved.
The organization shall retain documented information on design and development inputs.

ISO 9001, clause 8.3.4 Design and development controls (cont’d)
NOTE Design and development reviews, verification and validation have distinct purposes. They can be
conducted separately or in any combination, as is suitable for the products and services of the organization.

ISO 9001, clause 8.4.1 General (cont’d)
The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and
re-evaluation of external providers, based on their ability to provide processes or products and services in
accordance with requirements. The organization shall retain documented information of these activities and any
necessary actions arising from the evaluations.
ISO 9001, clause 8.4.2 Type and extent of control
The organization shall ensure that externally provided processes, products and services do not adversely affect
the organization’s ability to consistently deliver conforming products and services to its customers.
The organization shall:
a. ensure that externally provided processes remain within the control of its quality management system;
b. define both the controls that it intends to apply to an external provider and those it intends to apply to the
resulting output;
c. take into consideration:
1. the potential impact of the externally provided processes, products and services on the organization’s
ability to consistently meet customer and applicable statutory and regulatory requirements;
2. the effectiveness of the controls applied by the external provider;
d. determine the verification, or other activities, necessary to ensure that the externally provided processes,
products and services meet requirements.

ISO 9001, clause 8.4.3 Information for external providers (cont’d)
The organization shall communicate to external providers its requirements for:
a. the processes, products and services to be provided;
b. the approval of:
1. products and services;
2. methods, processes and equipment;
3. the release of products and services;
c. competence, including any required qualification of persons;
d. the external providers’ interactions with the organization;
e. control and monitoring of the external providers’ performance to be applied by the organization;
f. verification or validation activities that the organization, or its customer, intends to perform at the external
providers’ premises.

ISO 9001, clause 8.5.1 Control of production and service provision
The organization shall implement production and service provision under controlled conditions.
Controlled conditions shall include, as applicable:
a. the availability of documented information that defines:
1. the characteristics of the products to be produced, the services to be provided, or the activities to be
performed;
2. the results to be achieved;
b. the availability and use of suitable monitoring and measuring resources;
c. the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for
control of processes or outputs, and acceptance criteria for products and services, have been met;
d. the use of suitable infrastructure and environment for the operation of processes;
e. the appointment of competent persons, including any required qualification;
f. the validation, and periodic revalidation, of the ability to achieve planned results of the processes for
production and service provision, where the resulting output cannot be verified by subsequent monitoring or
measurement;
g. the implementation of actions to prevent human error;
h. the implementation of release, delivery and post-delivery activities.

ISO 9001, clause 8.5.4 Preservation
The organization shall preserve the outputs during production and service provision, to the extent necessary to
ensure conformity to requirements.
NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission
or transportation, and protection.
ISO 9001, clause 8.5.5 Post-delivery activities
The organization shall meet requirements for post-delivery activities associated with the products and services.
In determining the extent of post-delivery activities that are required, the organization shall consider:
a. statutory and regulatory requirements;
b. the potential undesired consequences associated with its products and services;
c. the nature, use and intended lifetime of its products and services;
d. customer requirements;
e. customer feedback.
NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such as
maintenance services, and supplementary services such as recycling or final disposal.
ISO 9001, clause 8.5.6 Control of changes
The organization shall review and control changes for production or service provision, to the extent necessary to
ensure continuing conformity with requirements.
The organization shall retain documented information describing the results of the review of changes, the
person(s) authorizing the change, and any necessary actions arising from the review.

ISO 9001, clause 8.7.2
The organization shall retain documented information that:
a. describes the nonconformity;
b. describes the actions taken;
c. describes any concessions obtained;
d. identifies the authority deciding the action in respect of the nonconformity.
ISO/TS 9002, clause 8.7.2
Examples of documented information can include:
• databases with information about nonconforming outputs;
• completed forms that are retained with the product;
• the production system that keeps information about the provision of the products and services;
• mobile application.

The organization’s documented procedure for nonconforming outputs should include controls and responsibilities to
identify and contain the nonconformity, keep records of its nature and other details, notify the appropriate
personnel and customers, where appropriate, evaluate what disposition action needs to be taken, carry out timely
disposition, and so on.
Products and services with no identification, or whose quality status is not known, should be treated as
nonconforming outputs and controlled by the procedure specified above.
If a nonconforming product or service has been released, without a customer concession, organizations should
take appropriate actions to reduce the immediate and consequential effect of the nonconformity.
Depending upon the seriousness and scope of the nonconformity, organizations might consider taking action to
eliminate the nonconformity as well as corrective action to eliminate the root causes of the nonconformity. While
there is no requirement to notify the customer (unless contractually required), it might be appropriate in specific
circumstances to notify the customer and resolve the situation to your customer’s satisfaction.
Source: Abuhav, Itay. ISO 9001 2015 — A Complete Guide to Quality Management Systems. Boca Raton:
Chapman and Hall/CRC, 2017.

This clause requires organizations to conduct:
• Monitoring, measurement, analysis, and evaluation in order to evaluate the effectiveness of the QMS
• Internal audits to evaluate whether the QMS conforms to the requirements of the organization and of the
  standard
• Management reviews

When planning what to monitor and measure, the organization should review the quality objectives established in
clause 6.2 Quality objectives and planning to achieve them and all the performance indicators established for each
of the QMS processes and activities. The organization should be careful not to set unrealistic objectives, as this
may cause more frustration than positive results.
The following parameters are commonly subject to monitoring and measurement:
1. The extent to which the quality policy and objectives are met
2. The critical processes and functions of the QMS
3. Applicable legal and regulatory requirements
ISO 9001, clause 9.1.1 General
The organization shall determine:
a. what needs to be monitored and measured;
b. the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;
c. when the monitoring and measuring shall be performed;
d. when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall evaluate the performance and the effectiveness of the quality management system.
The organization shall retain appropriate documented information as evidence of the results.

ISO 9001, clause 9.1.3 Analysis and evaluation
The organization shall analyse and evaluate appropriate data and information arising from monitoring and
measurement.
The results of analysis shall be used to evaluate:
a. conformity of products and services;
b. the degree of customer satisfaction;
c. the performance and effectiveness of the quality management system;
d. if planning has been implemented effectively;
e. the effectiveness of actions taken to address risks and opportunities;
f. the performance of external providers;
g. the need for improvements to the quality management system.
NOTE Methods to analyse data can include statistical techniques.

The objective of internal audits is to assess the extent to which an organization has fulfilled the requirements of
the standard. Conducting internal audits regularly allows for the continual assessment of the effectiveness of the
QMS and the identification of opportunities for improvement.
The organization must establish an internal audit program to determine if the QMS has achieved the defined
objectives, continues to conform to the requirements of the standard, as well as to other internal, legal, regulatory,
and contractual requirements, and is kept up to date in an efficient manner.
Note: The implementation and management of an internal audit program will be explained on Day 4.

There is no specific requirement regarding the frequency of management review meetings, but the most
common practice is to hold a meeting each quarter. An annual meeting may be insufficient to prevent or resolve
issues in a timely manner.

This clause requires organizations to:
• Continually improve the suitability, adequacy, and effectiveness of their QMS
• Manage nonconformities and implement corrective actions appropriately, and retain documented
  information in order to provide evidence that the corrective actions have been completed as required

ISO 9001, clause 10.2.1 (cont’d)
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
ISO 9001, clause 10.2.2
The organization shall retain documented information as evidence of:
a. the nature of the nonconformities and any subsequent actions taken;
b. the results of any corrective action.

A corrective action is an action taken to eliminate the root causes of a nonconformity or of any other undesirable
existing event and prevent its recurrence. Thus, a corrective action is a term that includes the reaction to a
problem, to gaps in reaching objectives, to nonconformities, etc.
The corrective action process should include the following steps:
1. Identification and documentation of the nonconformity: The persons responsible define and document
the nonconformity and analyze its impacts on the organization.
2. Analysis of the root causes: The persons responsible determine the source of the nonconformity and
analyze the root causes.
3. Evaluation of solutions: The persons responsible develop a list of possible corrective actions and
evaluate different action plans. At this stage, if the problem is significant or if the likelihood of recurrence
is high, temporary corrective actions can be taken.
4. Selection of solutions: The persons responsible select one or more corrective actions to correct the
situation and determine the improvement objectives. The selected solution must correct the problem and
should also be able to avoid its recurrence.
5. Implementation of corrective actions: The persons responsible implement the corrective action plan
that was approved and document all the actions described in the plan.
6. Follow-up on corrective actions: The persons responsible check whether the new corrective processes
are in place and effective. The follow-up is usually performed by the person responsible for the project and
the audit department.
7. Review of corrective actions: The persons responsible periodically evaluate whether the objectives are
being accomplished based on the defined corrective actions and whether those actions remain effective
over time.

Exercise 2: Evaluation of conformity to ISO 9001 requirements
List at least two actions for each of the clauses below that you as an auditor would take to verify if the
organization meets their requirements.
Example: Clause 9.3.2 Management review inputs
Check if management reviews are conducted at planned intervals
Check if the adequacy of resources was considered in management review meetings
1. Clause 9.2 Internal audit
2. Clause 8.5.3 Property belonging to customers or external providers
3. Clause 8.6 Release of products and services
4. Clause 8.7 Control of nonconforming outputs
5. Clause 9.1.2 Customer satisfaction
Duration of the exercise: 20 minutes
Comments: 25 minutes

1. What must an organization do if a requirement of ISO 9001 is not applicable to the scope of their
QMS?
A. Change the scope of the QMS
B. Provide a justification
C. Make the necessary changes to ensure the applicability of the requirement
2. A company recently hired a content writer. As part of the onboarding program, the new employee
is required to attend a workshop about plagiarism. They learn about the specific requirements of
the content development strategy and about the potential legal consequences if a text is plagiarized. In
this case, which specific requirement of clause 7.3 Awareness of ISO 9001 is the company
fulfilling?
A. Raising awareness about the implications of not conforming to QMS requirements
B. Raising awareness about the quality policy
C. Raising awareness about the quality objectives
3. A new internet service provider is entering the market and is preparing a marketing campaign to
attract customers. In the campaign, they want to mention that their download speed can go up to
150 Mbps. One technician pointed out that it is very unlikely that they will be able to offer internet
with that speed during the first two years. In addition, the technician claimed that it would be more
realistic to advertise it as 75 Mbps. However, the management decided to go ahead with the claim
of 150 Mbps, ignoring the suggestion of the technician. Are the actions of the organization in
accordance with the requirements of ISO 9001?
A. Yes, considering that ISO 9001 does not address matters related to marketing, the organization is
free to make any claim
B. No, the organization must ensure that the claims for the products and services they offer can be met
C. Yes, when making claims about services, a certain degree of ambiguity is self-evident and
customers are implicitly aware of this fact

4. According to clause 8.2.4 of ISO 9001, what must an organization do when a change to the requirements
for a product and service occurs?
A. Ensure that only the employees of the organization are made aware of the change
B. Review the whole QMS as soon as possible
C. Ensure that relevant persons are made aware of the changed requirements
5. When the QMS was established two years ago, the top management decided to conduct management
reviews on a monthly basis. However, in the past six management reviews, the top management did not
have much to discuss about the QMS, as the QMS was operating smoothly. In addition, the feedback of
customers indicated a high degree of satisfaction. To save time, one of the managers suggested
changing this arrangement and conducting management reviews only when there was something significant
to discuss. Is this suggestion in accordance with the requirements of ISO 9001?
A. Yes, the top management of an organization can decide to conduct management reviews on an ad-hoc
basis
B. No, because ISO 9001 requires organizations to conduct management reviews on a monthly basis, as they
are a key factor in ensuring the effectiveness of the QMS and the quality of products and services
C. No, management reviews must be conducted at planned intervals; however, the top management can
change their frequency

D-Hill is a renowned American manufacturer of electronic, engineering, and tech components. They
manufacture parts for automobiles, solar power systems, and communications-electronics.
Even though D-Hill’s business has been steady, they have recently received several customer complaints. While
trying to address these concerns, the company noticed some other internal issues as well. Some documents
related to the production process were misplaced and some of them were lost. Ben, the production manager of
D-Hill, claimed that due to the increased workload and other priorities, he was not aware of this issue.
Following these issues, the top management of D-Hill decided to implement a quality management system
(QMS) based on ISO 9001 to enhance customer satisfaction and operate efficiently. They appointed Lisa, the
executive coordinator of D-Hill, as the quality manager and assigned her the responsibility of developing a quality
policy. Once the policy was developed, the top management reviewed and approved it and required Lisa to
communicate it to the Production Department.
In addition, the top management asked Ben to implement monitoring and measuring activities at appropriate
stages in order to verify whether the criteria for control of processes or outputs and acceptance criteria for
products and services are being met.
Moreover, the top management assigned the responsibility of managing the documented information related to
the QMS implementation to a recently hired and inexperienced employee of the Administration Department. Lisa
did not agree with the top management’s decision and suggested assigning this responsibility to a more
experienced employee. However, the top management decided to stick to their decision and claimed that they
would personally be involved in the documentation management.
Based on the scenario above, answer the following questions:

1. The top management asked Lisa to develop the quality policy. Is this compliant with ISO
9001?
A. Yes, the top management can assign the responsibility to develop the quality policy to any relevant
employee
B. No, only the top management should develop the quality policy
C. Yes, ISO 9001 explicitly states that the quality manager is responsible for developing the quality
policy
2. The top management decided to communicate the quality policy only to the Production
Department. Is this acceptable?
A. Yes, because only the Production Department must address the complaints received from
customers
B. No, because only the production manager must have access to the quality policy
C. No, because the quality policy must be communicated to all personnel of the organization
and made available to relevant interested parties
3. A requirement of which clause of ISO 9001 is Ben addressing in the scenario?
A. Clause 8.5.1 Control of production and service provision
B. Clause 8.3.6 Design and development controls
C. Clause 8.5.2 Identification and traceability
4. The top management assigned the responsibility of managing documented information related to
the QMS implementation to an inexperienced employee. Is this acceptable?
A. No, the top management must ensure that competent persons are doing the work that affects the
effectiveness of the QMS
B. Yes, because the employee will gain the necessary competence while performing the work
C. No, this responsibility falls only on the quality manager
5. D-Hill decided to implement a QMS to enhance customer satisfaction and operate efficiently. What
does this indicate?
A. D-Hill has identified the requirements for products and services
B. D-Hill has determined the QMS scope
C. D-Hill has established their main quality objectives
