Management system guidance

How to set-up your quality management system

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.

Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.

Twelve-step implementation plan

Begin implementing ISO 9001:2015

Twelve-step implementation plan

When planning to implement ISO 9001, begin with the assumption that your business's processes and operations already comply with most of what ISO 9001 requires!

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) cycle to manage your organization’s implementation and integration of quality management system requirements into your business's processes and operations.

The following methodology provides an effective, twelve-step plan to implementing and verifing the successful integration of ISO 9001 using the process outlined below:

Twelve-step implementation plan Process approach
Step 1 Assign resources and budget Plan – Identify system deficiencies and develop a plan. Identify the processes and clauses needed for the QMS. Identify the processes that comprise your management system and determine which processes are responsible for meeting which requirements, and any gaps.
Step 2 – Adopt the standards
Step 3 – Gap analysis and action plan
Step 4 – Management review Do – Implement changes and promote awareness. Developing and documenting processes and procedures that are currently being followed is a critical component of a QMS. Focus on developing and implementing processes and procedures that capture core QMS activities.
Step 5 – Begin closing the gaps
Step 6 – Select and train internal auditors
Step 7 – Management review Check – Ensure the changes are implemented. Perform an elemental internal audit of selected functions and areas using the audit programme and the audit checklists. Ensure that the auditors do not audit their own functions or processes.
Step 8 – Begin internal auditing
Step 9 – Implement corrective actions
Step 10 – Management review Act – Take action to address the audit findings. The process owners should implement the corrective actions to address the audit findings. Documented corrective actions are verified by the Certification Body for final approval.
Step 11 – Certification Body audit
Step 12 – Verification and certification
 

Implementing ISO 9001 in twelve easy steps

Step 1 – Assign resources and budget

Top management must ensure that the resources and finances exist to support the implementation of the quality management system are available. The first critical step in the development and implementation of any management system is the formal endorsement and commitment of Top management.

The proposed development and implementation of the quality management system should be formally documented, approved and include the proposed implementation strategy, a broad timeline and an estimated budget.

The appointment of a professional Quality Manager or 'Management Representative' is a key factor successful quality management system implementation. It is strongly recommended that a full-time member of staff is appointed at a senior level; it is beneficial for the implementation process if they have knowledge of your business.

Step 2 – Adopt the standards

Purchase and read copies of ISO 9000:2015 and ISO 9001:2015. Read them both and make yourself familiar with their language, concepts and requirements. Although they are both written in a dense, formal language, the clause titles in ISO 9001:2015 are fairly self-explanatory.

Identify the processes and clauses needed for the quality management system. Identify the processes that comprise your management system and determine which processes are responsible for meeting which requirements. Identify the processes that comprise your management system and determine which processes are responsible for meeting which requirements.

We suggest using a process matrix to map out the standard's clause numbers against your business's processes and functional departments. Work-out which processes and departments are responsible for maintaining conformance to each requirement. Where two or more processes or departments are responsible for conforming to a requirement, this denotes an interaction between those processes.

There are two main types of process that you should focus on. Key processes are steps that you go through to give the customer what they want, e.g. from order acceptance to design through to delivery while support processes are those processes that do not contribute directly to what the customer wants but do help the key processes to achieve it. Support processes include human resources, training and facilities maintenance, etc.

A good way to do this is to think about how workflows through your organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in. For now, ignore the standard, in fact put it in a draw and forget it exists. Instead focus on your key processes and how the departments interface with each other.

Once you have defined the processes and interfaces; go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organization’s processes, think about each process and department and assign try to define those processes around the current organizational model and not around the requirements of the standard.

Establish the quality management system Implementation Team who will undertake the gap analysis in Step 3. An introductory training session for all staff involved in the quality management system should be organized, starting with the quality management system Implementation Team and Top management.

Provide an overview of the ISO 9001:2015 requirements to key personnel, including those taking part in the quality management system Implementation Team. A basic CQI and IRCA Certified 1-day introductory ISO training course helps to ensure the successful implementation by providing sound understanding of the principles and practices pertaining to ISO 9001.

Ideally, this course should be provided by a registered training organization with expertise in this area. If a staff member has to conduct the training session, they must have a sound and demonstrated background in the subject matter combined with, wherever possible, formal training skills. Involve employees in developing and improving the quality management system through awareness sessions, flow-charting, team reviews and experience feedback.

Awareness training should be given to all employees about the new elements of the quality management system and how it might affect their work. Employees should be made of the quality policy and its objectives. After training, employees should be comfortable with using the revised quality management system and will demonstrate their knowledge by being able to locate and use the documented information that relates to their work. Employees should know:

  1. Types of documented information that applies to their work;
  2. Which forms to use, how to complete and process them;
  3. Know the quality policy and how quality objectives relate to their work;
  4. How to report non-conformances and issues for corrective action;
  5. Understand the context of the organization;
  6. Understand the risk and opportunities that affect their work.

Step 3 – Gap analysis and action plan

The unique knowledge obtained about the status your existing quality management system will be the key driver of the subsequent implementation approach. Armed with this knowledge, it allows you to establish accurate budgets, resources, timelines and expectations which are proportional to the state of your current management system when directly compared to the requirements of the new standard.

Your organization may already have in place an compliant quality management system or you might be running an uncertified system. If this is the case, you will want to determine how closely your system conforms to the requirements of ISO 9001:2015.

A gap analysis is a technique to clearly identify which clauses of ISO 9001 are currently not being fully addressed (or not addressed at all) and to develop remedial actions. The gap analysis should be conducted by members of the quality management system Implementation Team. The gap analysis should be conducted with small groups of staff, including the owner of each process or department.

Review all existing management system practices, controls and documentation using the requirements of ISO 9001:2015 as the criteria. Try to understand each business process in context of each of the requirements of the standards by comparing different activities and processes with what the standards requires.

The results of a gap analysis exercise will help to determine the differences, or gaps, between your existing management system and the new requirements. Prepare the results and draft the gap analysis action plan detailing the tasks/actions, deliverables, owners and timeframes. Submit to the Management Representative for approval before proceeding.

Step 4 – Management review

Undertake the 1st management review and select a Certification Body. It is important that a member of Top management chairs the management review meetings. The meetings will provide useful insight into the organization’s processes and enable the management team to respond accordingly.

It is imperative that the Top management fully understand and appreciate the requirements under clause 9.3 and subclauses 9.3.2 and 9.3.3 of ISO 9001:2015. Top management should perform a review of the gap analysis results, identify areas of weakness, prioritize the gaps observed and authorise corrective action as required. Approve the resulting gap analysis action plan.

Review and document your organization's vision; consistent with its mission, to identify the strategic directions and interested party requirements consistent to its context. Ensure that any risks and opportunities arising are captured using the risk and opportunity register.

At the reviewing meeting, discuss the requirements of ISO 9001 Clause 7.1 and Clause 8.1 and the quality management system, and consider:

  1. The capabilities of existing internal resources;
  2. The constraints on existing internal resources;
  3. What needs to be obtained from external providers.

Focus on developing and implementing processes and procedures that capture the core quality activities. Review the quality policy to determine whether it is appropriate to the context of the organization and its purpose. Staff must know the quality policy and how the objectives relate to their work. Set objectives per function and identify measurable performance indicators to enable the tracking of their status. Ensure the quality objectives are consistent with the quality policy.

Step 5 – Begin closing the gaps

Once you have identified the gaps in the system and have a committed implementation team, it is now possible to develop an achievable and manageable gap mplementation plan that identifies the necessary resources needed to fill the gaps. The gap implementation plan should focus on the results of the gap analysis by prioritizing the correction of noncompliant processes.

Commence work on rectifying identified gaps. The outcomes of the gap analysis and actions resulting from the first Management Review Meeting set the priority for rectifying the identified gaps. It is important to monitor progress and to document the actions and results; using the gap analysis action plan, as these will need to be considered at the next Management Review Meeting.

Ensure that the gap implementation plan has clear milestones and is supported by Top Management. Implementation planning is about controlling the development process. The organization must ensure that all related activities take place under controlled conditions. The implementation plan is a culmination of events that transfer the requirements of ISO 9001:2015 into quality management system.

A good plan is often the key to any successful project and without a plan; projects tend to run indefinitely and without showing measurable progress. By having a plan, you have specific deadlines to meet.

You can show progress as you meet the deadlines and take action if you are not meeting deadlines. If the implementation team is not expected to meet deadlines, other tasks will take precedence, the project will drag on and lose momentum. The implementation team must be watching the timeline and milestones while coordinating and implementing the plan.

Step 6 – Select and train internal auditors

Select external training providers and begin internal auditor training. Top Management and the Management Representative to meet and discuss the requirements for internal auditing. Plan to provide training to the internal auditors on how to audit a QMS. Based on education and experience internal auditors should undertake and a CQI and IRCA Certified ISO 9001:2015 Internal Quality Management Systems (QMS) Auditor training course online or in person, from an external provider.

Step 7 – Management review

Undertake the 2nd management review and amend the quality manual template. Members of Top Management should assist the Management Representative in drafting the quality management system manual and updating its scope based on the review from Step 4. If your existing quality manual fits your business and your customers require it, keep it!

Top management to perform a review of the current gap analysis action plan results, identify areas of weakness, prioritize any issues observed and authorise corrective action as required.

Step 8 – Begin internal auditing

Begin internal auditing (ISO 9001:2015 Clause 9.2). Perform an elemental internal audit of selected functions and areas using the audit programme and the audit checklists. Ensure that the auditors do not audit their own functions or processes.

During the implementation phase, you should carry out one or two system audits covering all of the requirements that are relevant to your quality management system. All staff should be provided with adequate resources and lead time to prepare for the audit and to implement any subsequent corrective actions.

Prepare the narrative for each section of the internal audit report and copy and paste the trend tables and charts to summarize your findings. Ensure the audit report is reviewed and approved. Submit the audit report to Top management for review and action.

Top management should ensure that corrective action is undertaken on any adverse audit findings without delay. Make any necessary changes to the quality management system and the documentation information.

Certification bodies will wish to see at least three months of records. The new system will likely generate numerous corrective actions; if they are not investigated and completed, your quality management system will not be ready for a registration audit.

Once the quality management system is complete and everyone is following the new system, you should conduct an audit of each key process. Begin by selecting a key process and identifying the inputs needed by the process and the outputs that are generated by the process.

Once the questions from the checklist are answered, you will be able to quickly identify and summarize the process by determining its performance level against the requirements of the standard or customer specifications. Consider these points:

  1. Is the process planned?
  2. Is there is an appropriate review to verify output?
  3. Is there confirmation that the output meets the input requirements?
  4. Is the process is verified for effectiveness? (measured)
  5. Is there validation to ensure that the process meets intended results?
  6. Is there continuity between the various processes in the organization?
  7. Is the task done consistently on a person-to-person basis
  8. Is the task done consistently on a day-to-day basis?
  9. Do the interfaces between the departments operate smoothly?
  10. Are corrective actions being used adequately in this process?
  11. Does product information flow freely?
  12. How are changes controlled?

Ensure that the results of the internal audits are reported to Top management and that appropriate action is taken to correct nonconformities.

Step 9 – Implement corrective actions

Implement the corrective actions from the previous step. The Management Representative should assist the process owners in determining root-causes and finding solutions through workshops and training on 5-Whys analysis, Fishbone Diagrams, or 8 Dimensions (8D) analysis techniques deemed appropriate.

The process owners should implement the corrective actions to address the audit findings. The documented corrective actions must be submitted to the Management Representative for approval.

Once you have implemented the new key requirements and have dealt with any corrective actions, it is suggested that businesses conduct at least one other internal (element) audit as per the defined milestones that were established by the implementation plan.

Step 10 – Management review

Undertake the 3rd management review. Top management to perform a review of the current gap analysis action plan results, identify areas of weakness, prioritize any issues observed and authorise corrective action as required.

  1. Quality objective and their performance indicators;
  2. Verification of completed corrective actions;
  3. Results of internal audits and their analysis;
  4. Results of the core QMS processes and procedures developed and implemented.

Once you have implemented the new key requirements and have dealt with any corrective actions from the previous steps, it is suggested that the Management Representative should carry out at least one other internal (element-based) audit in readiness for the Certification Body’s audit.

Top management should ensure that corrective action is undertaken on any adverse management review findings. Make any necessary changes to the quality management system and the documentation information.

Step 11 – Certification Body audit

Certification Body audit and address audit findings. The organization should liaise with the certification body to establish dates for the audit that suit all concerned. All staff should be provided with adequate lead time to prepare for the certification audit. All documentation that may be needed during the audit should be easily accessible.

Top management should ensure that corrective action is undertaken on any adverse audit findings without delay. Make any necessary changes to the quality management system and the documentation information. The Management Representative should address the issues raised by the Certification Body to ensure a successful re-audit.

Step 12 – Verification and certification

Certification Body to verify and close-out audit findings. The documented corrective actions are verified by the Certification Body for final approval for certification to ISO 9001:2015. It is imperative that the achievement of certification of compliance to ISO 9001:2015 is appropriately recognized by Top management and celebrated by all staff. Certification of compliance provides an excellent baseline on which to measure ongoing improvement of the organization.

Clause 10.3 of ISO 9001:2015 requires organizations to ‘continually improve the effectiveness of the quality management system and its process’. Most auditors would expect you to revise the quality system documentation and processes as the quality management system matures or when a new process is implemented.

Processes can always be made more efficient and effective, even when they are producing conforming products. The aim of a continual improvement program is to increase the odds of satisfying customers by identifying areas that need improvement. It requires the organization to plan improvement systems and to take into account many other activities that can be used in the improvement process. Typically, these will be the results from the data analysis.

You will be required to ensure that you continually improve the degree to which your products and services meet customer requirements and to measure effectiveness of your processes. To this end the continual improvement principle implies that you should adopt the attitude that improvement is always possible and that organizations should develop the skills and tools necessary to drive improvement.

The PDCA cycle is a perfect way of introducing continual improvement to your organization’s activities. Each step to improvement can be defined by four sub steps, Plan, Do, Check and Act:

Plan Establish a timetable for internal audits and management reviews. Establish the objectives and processes necessary to deliver results in accordance with customer requirements and your organization’s policy. To improve the operation by finding what is going wrong (customer complaints, internal complaints, rework etc.) and come up with ideas for solving the problem.
Do Implement changes designed to solve the problems on a small scale first to see the effect. This minimizes disruption to routine activity while testing whether the changes will work or not.
Check Monitor and measure processes and product against policies, objectives and requirements and report the results. Also check on key activities to ensure that the quality of the output is conforming and not influenced by the changes.
Act Monitor and measure processes and product against policies, objectives and requirements and report the results. Also check on key activities to ensure that the quality of the output is conforming and not influenced by the changes.
 

Also act to involve other people, departments or suppliers affected by the changes and whose co-operation is needed to implement them on a larger scale. Make sure that changes are documented properly according to the documentation requirements.

All management reviews must be documented. Observations, conclusions, and recommendations for further necessary action from the review must be recorded. If any corrective action must be taken, top management should follow up to ensure that the action was effectively implemented.

The purpose and final outcome of the management review should be continual improvement of the QMS. As your organization’s QMS increases in its effectiveness and efficiency, your environmental performance will likewise increase.

Here's what ISO 9001:2015 is really all about: defining a policy, creating a plan devising with relevant objectives. You then implement the system according to the plan. You then begin auditing, monitoring and measuring performance against the plan and reacting to your findings. Bi-annual management reviews are insufficient in frequency to be able react to any issues effectively.

Performance metrics should be monitored with varying frequencies, some hourly, some daily, some weekly and some monthly. Management cannot wait for six months to respond, if they do, it will be too late. Every time management convenes to review and react to performance, it is considered as a management review. Whether they are reviewing an individual's performance, departmental programmes and projects, etc., this should be considered as valid management review.

More on ISO 9001:2015

 

More information on PDCA

Planning

ISO 9001:2015 ISO 14001:2015 ISO 45001:2018
4.1 Organizational Context 4.1 Organizational Context 4.1 Organizational Context
4.2 Relevant Interested Parties 4.2 Relevant Interested Parties 4.2 Relevant Interested Parties
4.3 Management System Scope 4.3 Management System Scope 4.3 Management System Scope
4.4 QMS Processes 4.4 EMS Processes 4.4 OH&S Management System
 
ISO 9001:2015 ISO 14001:2015 ISO 45001:2018
5.1 Leadership & Commitment 5.1 Leadership & Commitment 5.1 Leadership & Commitment
5.2 Quality Policy 5.2 Environmental Policy 5.2 OH&S Policy
5.3 Roles, Responsibilities/Authorities 5.3 Roles, Responsibilities/Authorities 5.3 Roles, Responsibilities/Authorities
    5.4 Consultation & Participation
 
ISO 9001:2015 ISO 14001:2015 ISO 45001:2018
6.1.1 Address Risks & Opportunities 6.1.1 Address Risks & Opportunities 6.1.1 Address Risks & Opportunities
6.2.1 Quality Objectives 6.1.2 Environmental Aspects 6.1.2 Hazard Identifcation
6.2.2 Planning to Achieve Objectives 6.1.3 Compliance Obligations 6.1.3 Legal & Other Requirements
6.3 Planning for Change 6.1.4 Planning Action 6.1.4 Planning Action
  6.2.1 Environmental Objectives 6.2.1 OH&S Objectives
  6.2.2 Planning to Achieve Objectives 6.2.2 Planning to Achieve Objectives
 

Doing

ISO 9001:2015 ISO 14001:2015 ISO 45001:2018
7.1.1 Resources - General
7.1 Resources 7.1 Resources
7.1.2 People 7.2 Competence 7.2 Competence
7.1.3 Infrastructure
7.3 Awareness 7.3 Awareness
7.1.4 Operational Environment 7.4.1 Communcation - General 7.4.1 Communcation - General
7.1.5 Monitoring & Measuring 7.4.2 Internal Communcation 7.4.2 Internal Communcation
7.1.6 Organizational Knowledge 7.4.3 External Communcation 7.4.3 External Communcation
7.2 Competence 7.5 Documented Information 7.5 Documented Information
7.3 Awareness    
7.4 Communcation    
7.5 Documented Information    
 
ISO 9001:2015 ISO 14001:2015 ISO 45001:2018
8.1 Operational Planning & Control
8.1 Operational Planning & Control 8.1.1 General
8.2.1 Customer Communication 8.2 Emergency Preparedness 8.1.2 Eliminating Hazards
8.2.2 Determining Requirements
  8.1.3 Management of Change
8.2.3 Reviewing Requirements   8.1.4 Outsourcing
8.2.4 Changes in Requirements
  8.2 Emergency Preparedness
8.3.1 Design Development - General    
8.3.2 Design Development - Planning
   
8.3.3 Design Development - Inputs    
8.3.4 Design Development - Controls    
8.3.5 Design Development - Outputs    
8.3.6 Design Development - Changes    
8.4.1 External Processes - General    
8.4.2 Purchasing Controls    
8.4.3 Purchasing Information    
8.5.1 Production & Service Provision    
8.5.2 Identification & Traceability    
8.5.3 3rd Party Property    
8.5.4 Preservation    
8.5.5 Post-delivery Activities    
8.5.6 Control of Changes    
8.6 Release of Products & Services    
8.7 Nonconforming Outputs    
 

Checking

ISO 9001:2015 ISO 14001:2015 ISO 45001:2018
9.1.1 Performance Evaluation 9.1.1 Performance Evaluation 9.1.1 Performance Evaluation
9.1.2 Customer Satisfaction 9.1.2 Evaluation of Compliance 9.1.2 Evaluation of Compliance
9.1.3 Analysis & Evaluation 9.2 Internal Audit 9.2 Internal Audit
9.2 Internal Audit 9.3 Management Review 9.3 Management Review
9.3 Management Review    
 

Acting

ISO 9001:2015 ISO 14001:2015 ISO 45001:2018
10.1 Improvement - General 10.1 Improvement - General 10.1 Improvement - General
10.2 Nonconformity & Corrective Action 10.2 Nonconformity & Corrective Action 10.2 Incident, Nonconformity & Corrective Action
10.3 Continual Improvement 10.3 Continual Improvement 10.3 Continual Improvement
 

How to apply the latest quality management principles

The latest and current quality management principles (QMPs), stated in ISO 9000:2015, are intended to provide the foundation by which any organization can continually improve its performance.

You can learn to apply the latest quality management principles in the context of your business's own particular operations by reviewing and documenting its activities in the context of each quality management principle.

Want to know more?

SSL certification

A certificate guarantees the information your internet browser is receiving now originates from the expected domain - https://www.iso9001help.co.uk. It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.

Free PDCA guidance

ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.