FR

Clause by clause explanation of

ISO 9001:2015 WHITE PAPER
Prepared by:
Mohamed Mostafa Magd
ISO Consultant
WhatsApp: +966563773923 Copyright © Ltd. All rights reserved.
Email: [email protected]
Table of Contents

Executive Summary ................................................................................................................................ 3

Introduction ........................................................................................................................................... 3
1. Process approach ................................................................................................................................ 4
2. Plan-Do-Check-Act cycle ..................................................................................................................... 5
3. Terms and definitions ......................................................................................................................... 6
4. Context of the organization ................................................................................................................ 7
5. Leadership .......................................................................................................................................... 9
6. Planning ............................................................................................................................................ 10
7. Support ............................................................................................................................................. 11
8. Operation ......................................................................................................................................... 13
9. Performance evaluation ................................................................................................................... 17
10. Improvements ................................................................................................................................ 19
Conclusion ............................................................................................................................................ 20

Copyright © 2017 Advisera Expert Solutions Ltd. All rights reserved. 2

Executive Summary
Striving toward quality and customer satisfaction is the mission of every modern company. ISO 9001
provides a framework on how to achieve this, and the first step in the implementation is to really
understand what the standard requires. This white paper is designed to help top management and
employees in organizations that decided to establish and maintain an ISO 9001:2015-based Quality
Management System and clear up any misconceptions regarding the standard requirements.

In this document you will find each clause of ISO 9001 explained in plain English in order to facilitate
understanding of the standard, in the same order and number of the clauses as ISO 9001:2015,

Introduction
Management systems are often seen as a difficult administrative burden that has marginal contribution
to a business. This could be because some people think that ISO 9001 separates them from the way they
do their “business” and limits their management system to simple checklists and work instructions. By
sticking to these beliefs, organizations are missing significant chances to improve their business.

How can this standard be used to help daily operations of a company?

In this white paper you’ll find the explanation of each clause of the ISO 9001:2015 standard in plain
English, so that you’ll be able to use those requirements to improve your processes. You’ll notice that the
numbers of the subtitles are the same as the clauses in the standard.

Mohamed Mostafa Magd – ISO Consultant 3

1. Process approach
The process approach is the key to an effective Quality Management System. It basically means that every
operation of the company must be observed as a process, meaning you should identify all inputs,
necessary resources, documents, activities, and outputs from each operation. Once you set up your
system based on the processes, you will be able to monitor and measure your processes, their
effectiveness, and efficiency and improve them, which is the reason why it is emphasized at the beginning
of the implementation, before going into any other details regarding the standard requirements.

In simple terms, the process approach represents the concept of observing all operations in the company
as processes. This includes breaking the company down into its processes, and determining their
sequence, interaction, inputs, and outputs; as well as identifying the processes in the company, which
processes can start before other processes are finished, resources and information needed to start the
process, and what results we expect from the process.

The best way to start implementing the process approach is to create a process map that will include all
processes in your company and their interconnections. For example, the delivery process cannot be done
before the production and sales process, and the production cannot be done before the purchasing of
raw materials. Once you create this global process map and identify all the processes and their
interrelations, you can start defining your processes in terms of what are necessary inputs, what controls
need to be applied, and what are the outputs of the process. But this will be done throughout the
implementation; it doesn’t have to be done at once.

Mohamed Mostafa Magd – ISO Consultant 4

2. Plan-Do-Check-Act cycle
The core of this standard, and many other management system standards, is the so-called Plan-Do-Check-
Act (PDCA) cycle, which says that, in order to have an effective management system. The first step in the
cycle is planning, which includes defining objectives, policies, procedures, and processes, including
measuring aimed to show whether the processes are delivering the expected results. The next step is the
Do phase, which represents the realization of the planned arrangements, applying policies and
procedures, performing processes, and producing records. After the Do phase comes the Check phase,
where the results of the Do phase are analyzed to determine performance and effectiveness of the
activities and actions that were taken during the Do phase, which includes analyzing, monitoring, and
measuring results, audits, and management reviews. As the final stage of the cycle, the Act phase is where
the organization needs to take actions according to the results of the Act phase in order to achieve
continual improvement. The PDCA cycle should be an ongoing cycle that drives the organization towards
continual improvement.

Quality Management System

Organization
and its
Support
context and
(4) Operation Customer
(7,8) satisfaction
Plan Do

Customer
requirements
Planning Performance
Leadership
(6) Evaluation
(5)
(9)

Act Check Products and

Needs and services
expectations Improvement
(10)
of interested
parties
(4)

Mohamed Mostafa Magd – ISO Consultant 5

3. Terms and definitions
All terms and definitions related to ISO 9001:2015 can be found in the standard. Unfortunately, ISO
9001:2015 does not provide any definitions for the terms used, and it is very important to get an
understanding of the terms before the company starts implementing the requirements of the standard.
Here are some of the most important terms and definitions.

Top management – An individual or group of individuals who coordinate and control an organization at
the highest level. In cases when the scope of the management system covers just part of an organization,
then top management refers to the individuals who direct and control that part of the organization.

Organization – A person or group of people who has their own functions with responsibilities, authorities,
and relationships to achieve the objectives.

Context of the organization – A combination of internal and external factors that can have an effect on
purpose, objectives, performance, and sustainability of the organization. Internal factors include values,
culture, knowledge, and performance of the organization. External factors include legal, technological,
competitive, market, cultural, social, and economic environment.

Interested party (stakeholder) – A person or organization that is involved in or perceives itself to be

affected by activities and actions taken by the organization. Interested parties can be customers,
suppliers, contractors, local community, government, etc.

Process – A sequence of activities that use inputs to deliver an intended result. For example, the
production process has several steps that must be conducted in the appropriate sequence; inputs in this
process are raw materials, product specifications, and work instructions, while the outputs are the
product, quality check report, etc.

Procedure – A defined way to execute an activity or a process. Procedures can be documented or not.

Quality – Quality is the difference between a customer’s expectations and the customer’s perception of
the product or service that he received – the higher the difference, the better perceived quality.

Nonconformity – The failure to meet a requirement.

Risk – Risk is the “effect of uncertainty on objectives,” and an effect is a positive or negative deviation
from what is expected. For example, the company plans to deliver its products to the customers, but there
is a risk of product nonconformity due to a poorly controlled production process.

Effectiveness – The level of success in achieving or producing a desired result. For example, the
production process is effective if it is able to produce the products.

Mohamed Mostafa Magd – ISO Consultant 6

Documented information – Information required to be controlled and maintained by an organization,
and the medium on which it is contained. For example, the documented policies, procedures, work
instructions, and records represent documented information.

4. Context of the organization

4.1 Understanding organization and its context

This clause brings new requirements compared to the 2008 version of the standard, and requires the
organization to determine all internal and external issues that may be relevant to the achievement of the
objectives of the QMS itself. This includes all elements that are, and may be capable of, affecting these
objectives and outcomes in the future.

4.2 Understanding needs and expectations of interested

parties
Due to the effect that interested parties may have on the organization in terms of quality of products and
services, customer satisfaction, and statutory and regulatory requirements, the standard requires the
organization to determine interested parties relevant to the QMS and their needs and expectations.

4.3. Determining the scope of Quality Management System

Determining the scope of the QMS is one of the main milestones in the implementation. The scope must
be examined and defined considering the internal and external issues, interested parties and their needs
and expectations, as well as legal and regulatory compliance obligations.

Additional required considerations for the QMS scope are products, services, and organizational size,
nature and complexity. The scope and justified exclusions must be kept as documented information.

Mohamed Mostafa Magd – ISO Consultant 7

4.4. Quality Management System and its processes
The organization needs to establish, implement, maintain, and continually improve its QMS, including the
processes needed and their interactions, in accordance with the requirements of the standard.

This is where the process approach comes into action. The organization will need to determine inputs and
outputs of the processes, sequence and interaction of the processes, resources needed, and
responsibilities, and ensure the effectiveness of the processes.

In addition, the organization will have to maintain necessary documented information to support the
operation of the processes and keep records to evidence that the processes were carried out as planned.

Mohamed Mostafa Magd – ISO Consultant 8

5. Leadership

5.1 Leadership and commitment

QMS implementation is your strategic decision that demonstrates your commitment to development and
application of the QMS and continual improvement of its effectiveness. This commitment must be
demonstrated through informing the organization about the importance of fulfilling customer
requirements, compliance with legal and other requirements, establishing a Quality Policy and objectives,
conducting management reviews, and providing needed resources.

5.2 Policy
The Quality Policy is a high-level document containing statements about the general direction of the
organization, and its commitment to quality and customer satisfaction. It provides a framework for quality
objectives. Meeting compliance and regulatory factors is obviously a key element. Finally, and vitally, the
policy must provide a commitment to the continual improvement of the QMS and its results. Critically,
the Quality Policy must be maintained as documented information, be communicated within the
organization, and be available to all interested parties.

5.3 Organizational roles, responsibilities and authorities

Responsibilities and authorities must be precisely defined and communicated to all hierarchical levels of
the organization. In specific situations (seasonal fluctuation of labor force, emergency situations, etc.), it
is necessary to precisely document and communicate authorities, and especially the responsibilities of
temporarily employed workers.

Mohamed Mostafa Magd – ISO Consultant 9

6. Planning

6.1 Actions to address risks and opportunities

When planning the QMS, the organization will have to consider context of the organization (section 4.1)
and the needs and expectations of interested parties (section 4.2) in order to determine risks and
opportunities that need to be addressed.

The purpose of addressing risks and opportunities is to ensure that the QMS will achieve the intended
results, enhance desirable effects, and achieve improvements. The actions have to be planned and
implemented in the QMS, and later evaluated for their effectiveness.

6.2 Quality objectives and planning to achieve them

The standard requires top-level management to establish quality objectives for appropriate functions and
departments in the organization (HR, production, purchase, etc.).

Quality objectives must be measurable, quantitative, and timed. They must be in line with the Quality
Policy so it can be determined whether objectives are met, and if not, what should be done.

6.3 Planning changes

When the organization determines the need for changes to the QMS, the changes should be carried out
in a planned manner. This includes considering their purpose and consequences, the integrity of the QMS,
availability of resources, and allocation of responsibilities and authorities.

Mohamed Mostafa Magd – ISO Consultant 10

7. Support

7.1 Resources
The standard requires the organization to determine and provide resources for the establishment,
implementation, maintenance, and continual improvement of the QMS, taking into account the
capabilities and constraints of existing internal resources and the need to obtain additional resources
from external providers.

Resources to be obtained include people, infrastructure, environment for operation of the processes,
monitoring and measuring resources, and organizational knowledge.

7.2 Competence
The organization needs to determine the necessary competence of its employees, and ensure those
employees are competent on the basis of appropriate education, training, and experience. This means
that the organization will need to have a process for determining the necessary competence and achieving
it through trainings and other means.

7.3 Awareness
Awareness is closely related to competence in the standard. Employees must be made aware of the
Quality Policy and its contents, any current and future impacts that may affect their tasks, what their
personal performance means to the QMS and its objectives, including the positives or improved
performance, and what the implications of poor performance may be to the QMS.

Mohamed Mostafa Magd – ISO Consultant 11

7.4 Communication
Processes for internal and external communication need to be established within the QMS. The key
elements that need to be decided and actioned are what needs to be communicated, when it needs to
be communicated, how it should be done, who needs to receive the communication, and who will
communicate. It should be noted here that any communication outputs should be consistent with related
information and content generated by the QMS for the sake of consistency.

7.5 Documented information

QMS documentation is comprised not only of the documents and records required explicitly by the
standard, but also of the documents and records the organization finds necessary to execute its activities
and processes. The volume of the documentation is affected by many factors: it will depend on the size
of the organization and the complexity of its processes, products, and services; the organization’s
compliance obligations; and by the competence of the employees.

The standard requires that documented information created or updated in the scope of the QMS must
be properly identified and described, also considering its content presentation, and media used. All
documented information must go under proper review and approval procedures to ensure it is fit for its
intended purpose.

For proper control of documented information, the organization must consider the provision of processes
regarding the distribution, retention, access, usage, retrieval, preservation and storage, control, and
disposition of such information.

It should also be noted that there must be controls in place to prevent the unintentional use of obsolete
information.

Mohamed Mostafa Magd – ISO Consultant 12

8. Operation

8.1 Operational planning and control

In order to meet the requirements for delivery of products and services, the organization needs to plan,
implement, and control its processes. The first step is to determine the requirements for products and
services, meaning what features the product or service will have. Then, the organization needs to define
how processes will be performed and what criteria the product or service needs to meet to be accepted
for release. Finally, the organization needs to determine the resources needed for the processes and the
records needed to demonstrate that the processes were carried out as planned.

8.2 Requirements for products and services

Requirements for products and services are closely related to communication with customers. This
communication must include information related to the products or services, handling inquiries, contracts
or orders, customer feedback, handling and controlling customer property and, if needed, establishing
specific requirements for contingency actions.

Before offering the product or service to the customer, the organization needs to ensure that the
requirements for the products and services are defined, and that the organization is able to deliver such
products or services. Requirements for products and services include any applicable legislation and the
requirements that the organization considers to be necessary.

After receiving the order, the organization must, prior to delivery, review the requirements related to the
product and keep records about the review. If the customer changes its requirements, these also must
be reviewed and recorded. In case of changes, the organization must ensure that all documented
information is amended and all relevant persons are aware of the changes.

8.3 Design and development of products and services

This clause refers to design and development management, from the initial idea to final acceptance of
the product. ISO 9000 explains that the terms “design” and “development” are often used as synonyms,
and sometimes define different phases of overall design and development. This means that design can’t
be used apart from development, and that they represent one single process.

Mohamed Mostafa Magd – ISO Consultant 13

During design and development planning, all its phases must be defined with appropriate activities of
reviewing, verification, and validation for each phase. Considering that ISO 9001 refers to design and
development of product (not design and development of processes), design and development inputs
relate to product requirements that include:

 Functional requirements and product performance requirements

 Legal and regulatory requirements for product
 Information from previous similar projects
 Other requirements relevant to design and development, usually customer requirements,
market information, package, etc.

Design and development outputs must be in a form suitable for verification related to input elements,
and must be approved before acceptance. They can be in the form of a drawing, engineering
documentation, plans, etc.

The organization also needs to define design and development review activities. The purpose of these
activities is to determine whether the design and development process goes in the intended direction.
The review can be done in appropriate phases or at the end of project. The review identifies problems
during design and development and suggests actions to resolve them; it can include other interested
parties. The design and development review must be documented.

Also, the company needs to identify, review, and control changes during the design and development of
products and services. Documented information should be kept regarding the changes, results of reviews,
authorization of the change, and actions taken to prevent adverse effects.

8.4 Control of externally provided processes, products and

services
This robust title of the clause refers to purchasing. The purchasing includes products and services you
acquire from suppliers and outsourced processes. The organization needs to establish and document
criteria for suppliers selection, which includes how crucial the purchased product or service is to the
quality of your product. Results of the supplier evaluation must be kept.

In order to ensure that externally provided processes, products, and services do not have an adverse
effect on the conformance of the organization’s products and services, the organization needs to establish
controls including verification and other activities. As part of the controls, the organization needs to
communicate to external providers its requirements for:

Mohamed Mostafa Magd – ISO Consultant 14

  the processes, products, and services to be provided
 the approval of methods, processes, and equipment
 competence
 verification or validation activities that the organization intends to perform

8.5 Production and service provision

The production and services provision process needs to be performed under controlled conditions that
will ensure that the product or service delivered is compliant with initial requirements. This includes a
sufficient level of documentation, like procedures, work instructions and records, monitoring and
measurement equipment, appropriate infrastructure, etc.

The organization must use suitable means to identify outputs when it is necessary to ensure products and
services conformance. When the traceability is a requirement, the organization needs to control the
unique identification of outputs and retain documented information necessary to enable traceability.

In cases when the organization uses property belonging to a customer or external provider, it is required
to identify, verify, protect, and safeguard this property. When the property of the customer or external
provider is lost or damaged, the organization will have to report to the owner and retain documented
information on what has occurred.

The decision on the extent of post-delivery activities will be affected by the following:

 Statutory and regulatory requirements

 Potential undesired consequences related to products and services
 Lifetime, use, and the nature of the products and services
 Customer requirements and feedback.

In case of changes in the production and service provision process, the organization must review and
control the changes in order to ensure continuing conformity with the requirements.

8.6 Release of products and services

Release of the products and services shouldn’t be performed until the organization ensures that the
products and services are conforming to the requirements. Demonstrating the conformance can be done

Mohamed Mostafa Magd – ISO Consultant 15

by documenting evidence of the conformance, which includes criteria for the acceptance and information
about the person who authorized release of the product or service.

8.7 Control of nonconforming outputs

Nonconforming outputs must be prevented from unintended use or delivery, so the organization must
identify and control nonconforming outputs that emerge from any phase of production or service
delivery. Depending on the nature of the nonconformity, the organization can take one or more of the
following actions:

 correction
 segregation, containment, return, or suspension of provision of products and services
 informing the customer
 obtaining authorization for acceptance under concession

Conformity to the requirements must be verified when the nonconforming output is corrected. The
organization also needs to keep documented information that describes the nonconformity, the action
taken, concessions obtained, and the authority deciding the action with respect to the nonconformity.

Mohamed Mostafa Magd – ISO Consultant 16

9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

This requirement should not be equated with the requirement for managing equipment for monitoring
and measuring from clause 7.1.5 of the standard. This is about a wider aspect of monitoring and
measuring. Information derived from monitoring, measurement, and analysis represents inputs in the
process of improvement and management review.

The organization needs to determine what needs to be monitored and measured, how, and when, as well
as when the results will be analyzed.

It is required to measure your own performance as a supplier in order to get information about users’
observations, and the extent to which you fulfilled their requirements. Monitoring customer satisfaction
levels must be a constant activity in order to determine trends, and because opinions about your
performance can change. Information about customer satisfaction can be collected via phone, interview
or questionnaire, direct contact with the user on the field, etc.

Once the monitoring and measuring is performed and the results are gathered, the organization needs to
analyze the results in order to evaluate conformity of products and services, degree of customer
satisfaction, performance of the QMS, effectiveness of actions taken to address risks and opportunities,
performance of external providers, and need for improvements to the QMS.

9.2 Internal audit

The goal of an internal audit is not to determine nonconformity; its goal is to check whether your QMS:

a) complies with the requirements of ISO 9001 and the requirements of your organization
b) is effectively implemented and maintained

At the end of the audit, you will get audit results by evaluating the data you collected during the audit.
Audit results can be manifested as: praise, recommendations for improvements, and nonconformities
(major and minor). Verification of actions taken may be needed, and in that case, the next step is a follow-
up audit.

Mohamed Mostafa Magd – ISO Consultant 17

9.3 Management review
At least once a year, the top-level management must review the QMS in order to determine its:

 Appropriateness – does it serve its purpose and satisfy the needs of the organization?
 Adequacy – does the QMS conform to standard requirements?
 Applicability – are activities performed according to procedures?
 Effectiveness – does it accomplish the planned results?

This review must evaluate possibilities for improvement and needs for changing the QMS, Quality Policy,
and objectives. Considering the inputs for the management review, such as the results of the previous
management reviews, changes in the context, customer satisfaction survey results, performance of the
QMS and suppliers, etc., the top management must make decisions regarding opportunities for
improvement, need for changes in the QMS, and resources needed for the upcoming period.

Mohamed Mostafa Magd – ISO Consultant 18

10. Improvements

10.1 General
Based on the results of the management review, the organization must make decisions and take actions
that will drive it towards continual improvement. Those actions can be in the form of corrective actions,
trainings, reorganization, innovation, and so on.

10.2 Nonconformity and corrective action

Any nonconformity needs to be reacted upon by taking actions to control it and deal with the
consequences. Once identified, a nonconformity should trigger a corrective action in order to remove the
cause of the nonconformity and prevent its recurrence.

The effectiveness of actions taken must be evaluated and documented, along with the originally reported
information about the nonconformity / corrective action and the results achieved.

10.3 Continual improvement

Continual improvement is a key aspect of the QMS, to achieve and maintain the Quality Management
System’s suitability, adequacy, and effectiveness regarding the organizations’ objectives.

Mohamed Mostafa Magd – ISO Consultant 19

Conclusion
ISO 9001:2015 provides organizations with guidance as to the quality of their products and services, with
the ultimate goal of achieving customer satisfaction. Delivering all of the clauses of the standard and truly
understanding them can benefit your organization, and drive your company on the road of continual
improvement. Certification and compliance can bring reputational, motivational, and financial benefits to
your organization through improved efficiency, quality of products and services, and avoiding
nonconformities and customer complaints, along with improvements in your supply chain. All of these
elements are closely related to your organization’s ability to deliver satisfaction to your customers, and
fulfill the expectations and wishes of your stakeholders. Having all this in mind, can your organization
afford not to have ISO 9001:2015?
Australia: +61 3 4000 0020

FR
h

Thank you!
Mohamed Mostafa
ISO Consultant