Introduction: ISO 9001 Quality Management Systems
ISO 9001 is the world's most widely adopted management system standard, with over one million certified organisations across more than 170 countries. Published by the International Organization for Standardization (ISO), it defines the requirements for a Quality Management System (QMS) that an organisation can implement to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and to enhance customer satisfaction through effective application of the system. The current edition, ISO 9001:2015, remains in force and is structured on the High-Level Structure (Annex SL) that harmonises it with other ISO management system standards such as ISO 14001 (environment), ISO 27001 (information security) and ISO 45001 (occupational health and safety).
For CyberSigma clients, ISO 9001 is frequently the foundational management-system certification that opens the door to tenders, government contracts and enterprise supply chains, and that demonstrates process discipline underpinning downstream certifications. This guide provides an auditor-grade walkthrough of every clause and requirement, a master assessment checklist mapped to typical evidence, a phased implementation approach, and mappings to adjacent frameworks. It reflects the perspective of a certification-body lead auditor and a management-system consultant.
What is ISO 9001
ISO 9001 specifies requirements for a quality management system where an organisation needs to demonstrate its ability to consistently provide products and services that meet customer, statutory and regulatory requirements, and aims to enhance customer satisfaction. It is a requirements standard (the '9001' in the ISO 9000 family), meaning it is auditable and certifiable, unlike ISO 9000 (vocabulary and fundamentals) or ISO 9004 (guidance for sustained success), which are guidance documents and not certifiable.
The standard is built on seven quality management principles: customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management. It embeds the Plan-Do-Check-Act (PDCA) cycle and risk-based thinking throughout its clause structure, moving away from the prescriptive documented-procedure model of earlier editions toward a flexible, outcome-focused model. ISO 9001:2015 deliberately reduced mandatory documented procedures, replacing the older 'documents' and 'records' terminology with the unified concept of 'documented information'.
Certification is granted by an accredited certification body (registrar) following a two-stage initial audit, and is maintained through annual surveillance audits over a three-year cycle, culminating in a recertification audit. Accreditation of the certification body (for example by NABCB in India, UKAS in the UK, or ANAB in the US, all IAF signatories) gives the certificate international recognition.
The seven quality management principles
| Principle | What it means in practice |
|---|---|
| QMP1 Customer focus | Meeting and exceeding customer requirements to sustain success; understanding current and future customer needs. |
| QMP2 Leadership | Unity of purpose and direction; leaders create conditions in which people are engaged in achieving quality objectives. |
| QMP3 Engagement of people | Competent, empowered and engaged people at all levels enhance capability to create and deliver value. |
| QMP4 Process approach | Consistent and predictable results are achieved when activities are managed as interrelated processes forming a coherent system. |
| QMP5 Improvement | Ongoing focus on improvement is essential to maintain performance and react to changing conditions. |
| QMP6 Evidence-based decision making | Decisions based on analysis and evaluation of data and information are more likely to produce desired results. |
| QMP7 Relationship management | Managing relationships with interested parties such as suppliers optimises impact on performance. |
Who must comply with ISO 9001
ISO 9001 certification is voluntary in the sense that no single global law mandates it, but it is functionally mandatory for many organisations because customers, regulators and tender authorities require it. It is deliberately generic and applicable to any organisation regardless of type, size or product/service category.
| Organisation / driver | Why ISO 9001 applies |
|---|---|
| Manufacturers and product companies | Customer and OEM supply-chain requirements; prerequisite to sector schemes such as IATF 16949 (automotive) and AS9100 (aerospace). |
| IT / software / SaaS providers | Frequently required in RFPs and enterprise vendor onboarding as evidence of process maturity. |
| Government / public-sector suppliers | Many tenders (India GeM, EU public procurement, UK frameworks) award marks for or mandate ISO 9001 certification. |
| Healthcare, medical devices | Foundation for ISO 13485 (medical devices QMS); demanded by hospital and distributor supply chains. |
| Construction and engineering EPC firms | Commonly a prequalification criterion for large infrastructure and EPC contracts. |
| Professional and managed services | Consulting, BPO, logistics and facilities firms use it to demonstrate service consistency. |
| Exporters | Overseas buyers and importers often stipulate ISO 9001 to satisfy their own supplier assurance. |
| Any organisation seeking process discipline | Voluntary adoption to reduce defects, rework and customer complaints and to enable growth. |
Structure of ISO 9001:2015 (clauses and requirements)
ISO 9001:2015 follows the Annex SL High-Level Structure of ten clauses. Clauses 1 to 3 (Scope, Normative references, Terms and definitions) are introductory and non-auditable. The auditable requirements sit in Clauses 4 to 10, which map onto the PDCA cycle as shown below.
| Clause | Title | PDCA phase / focus |
|---|---|---|
| 4 | Context of the organisation | Plan — understand the organisation, interested parties, QMS scope and processes |
| 5 | Leadership | Plan — top management commitment, policy, roles and customer focus |
| 6 | Planning | Plan — risks and opportunities, quality objectives, planning of changes |
| 7 | Support | Do — resources, competence, awareness, communication, documented information |
| 8 | Operation | Do — operational planning, requirements, design, external providers, production, release, nonconforming output |
| 9 | Performance evaluation | Check — monitoring, measurement, analysis, internal audit, management review |
| 10 | Improvement | Act — nonconformity and corrective action, continual improvement |
Master assessment checklist
This is the core of the guide. Each auditable clause (4 to 10) is expanded below into its sub-clauses, with the specific matters an auditor verifies and the typical objective evidence that demonstrates conformity. Use this as a gap-analysis and internal-audit workbook, walking each row against your QMS. No requirement area has been omitted.
Clause 4 — Context of the organisation
| What to verify | Typical evidence |
|---|---|
| 4.1 External and internal issues relevant to purpose and strategic direction are determined and monitored | Context analysis, PESTLE/SWOT records, business plan, strategy review minutes |
| 4.2 Interested parties relevant to the QMS and their relevant requirements are determined and monitored | Interested-party register, stakeholder-requirements matrix, review evidence |
| 4.3 QMS scope is determined considering context, interested parties and products/services, and is documented | Documented scope statement with justified exclusions/non-applicability |
| 4.4 QMS processes, their sequence, interaction, inputs, outputs, criteria, resources, risks and owners are established | Process map / turtle diagrams, process register, KPIs, RACI, documented information |
Clause 5 — Leadership
| What to verify | Typical evidence |
|---|---|
| 5.1.1 Top management demonstrates leadership and commitment to the QMS and its effectiveness | Management review minutes, resource decisions, communication of importance, objectives sign-off |
| 5.1.2 Customer focus is ensured — customer, statutory, regulatory requirements and risks addressed, satisfaction focus maintained | Customer requirement reviews, satisfaction data, risk records |
| 5.2.1 Quality policy is established, appropriate to purpose and context, and supports strategic direction | Signed quality policy document |
| 5.2.2 Quality policy is communicated, understood, applied and available to interested parties | Induction records, notice boards/intranet, awareness interviews |
| 5.3 Roles, responsibilities and authorities are assigned, communicated and understood | Org chart, job descriptions, RACI matrix, appointment letters |
Clause 6 — Planning
| What to verify | Typical evidence |
|---|---|
| 6.1.1/6.1.2 Risks and opportunities from context (4.1) and interested parties (4.2) are determined and actions planned, integrated and evaluated | Risk and opportunity register, risk-treatment plan, effectiveness review |
| 6.2.1 Quality objectives are established at relevant functions/levels, measurable, monitored, communicated and updated | Objectives register, SMART objectives, dashboards |
| 6.2.2 Planning for objectives defines what, resources, responsibility, timeframe and evaluation of results | Objective action plans with owners and target dates |
| 6.3 Changes to the QMS are planned in a controlled manner considering purpose, integrity, resources and responsibilities | Change management records, change-impact assessments |
Clause 7 — Support
| What to verify | Typical evidence |
|---|---|
| 7.1.1 General resources needed for the QMS are determined and provided | Budget, resource plans, capacity records |
| 7.1.2 People necessary for effective QMS operation are provided | Staffing plans, org structure, competency coverage |
| 7.1.3 Infrastructure (buildings, equipment, hardware/software, transport, ICT) is provided and maintained | Asset register, maintenance schedules, facility records |
| 7.1.4 Environment for operation of processes is determined and managed (social, psychological, physical) | Workplace/environment controls, ergonomics, cleanroom logs where relevant |
| 7.1.5 Monitoring and measuring resources are suitable, and measurement traceability maintained where required (calibration) | Calibration certificates, equipment register, verification records, out-of-calibration procedure |
| 7.1.6 Organisational knowledge is determined, maintained and made available; changes anticipated | Lessons-learned logs, knowledge base, SME documentation |
| 7.2 Competence is determined, ensured through education/training/experience, and effectiveness of actions evaluated | Competency matrix, training records, certificates, evaluation of training |
| 7.3 Awareness of policy, objectives, own contribution and consequences of nonconformity is ensured | Awareness training, toolbox talks, interview evidence |
| 7.4 Internal and external communication relevant to the QMS is determined (what, when, whom, how, who) | Communication plan/matrix, meeting cadence, notices |
| 7.5.1/7.5.2 Documented information required by the standard and by the organisation exists, is properly identified, formatted, reviewed and approved | Document register, controlled templates, approval records |
| 7.5.3 Documented information is controlled — available, protected, distributed, stored, retained and disposed; external documents controlled | Document control procedure, version control, access controls, retention schedule |
Clause 8 — Operation
| What to verify | Typical evidence |
|---|---|
| 8.1 Operational processes are planned and controlled — criteria, resources, controlled changes and outsourced processes | Production/service plans, work instructions, control plans |
| 8.2.1 Customer communication covers product info, enquiries/orders/changes, feedback/complaints, property handling and contingency | Enquiry logs, complaint records, order-confirmation process |
| 8.2.2 Requirements for products/services are determined including statutory/regulatory and organisation's own claims | Requirement specifications, regulatory register |
| 8.2.3/8.2.4 Requirements are reviewed before commitment; ability to meet confirmed; changes managed and documented | Contract review records, quotations, order-acceptance records, amendment logs |
| 8.3 Design and development is planned and controlled — inputs, controls, outputs and changes (where applicable) | Design plans, DFMEA, design reviews, verification/validation, change records |
| 8.4.1 External providers are evaluated, selected, monitored and re-evaluated against criteria | Approved-supplier list, evaluation scorecards, audit reports |
| 8.4.2 Type and extent of control over external providers ensures conformity | Purchase controls, incoming inspection, SLA monitoring |
| 8.4.3 Information for external providers is adequate before communication (requirements, approval, competence, control, verification) | Purchase orders with specifications, supplier requirement documents |
| 8.5.1 Production and service provision is controlled — documented info, monitoring, infrastructure, competent people, validation, release/delivery/post-delivery | Work instructions, process monitoring, inspection records |
| 8.5.2 Outputs are identified and traceable throughout production/service provision where required | Batch/lot traceability, serial numbers, labelling |
| 8.5.3 Property belonging to customers or external providers is identified, verified, protected and safeguarded | Customer-property register, incident reports |
| 8.5.4 Outputs are preserved during production and delivery (handling, contamination, packaging, storage) | Storage conditions, packaging specs, FIFO/shelf-life controls |
| 8.5.5 Post-delivery activities meet requirements (warranty, maintenance, recycling/disposal) | Warranty records, service contracts, feedback |
| 8.5.6 Changes to production/service provision are reviewed and controlled to ensure continuing conformity | Change control records, authorisation logs |
| 8.6 Release of products/services is verified against acceptance criteria before release; traceable to authorising person | Inspection/test records, release authorisation, dispatch approval |
| 8.7 Nonconforming outputs are identified, controlled, corrected/segregated/returned, and actions documented | Nonconformance reports (NCRs), concession/deviation records, disposition logs |
Clause 9 — Performance evaluation
| What to verify | Typical evidence |
|---|---|
| 9.1.1 What, how and when to monitor and measure is determined; results evaluated; QMS performance/effectiveness assessed | Monitoring plan, KPI dashboards, measurement records |
| 9.1.2 Customer satisfaction / customer perception is monitored, with methods to obtain and use the information | Satisfaction surveys, NPS, complaint analysis, review data |
| 9.1.3 Data and information from monitoring is analysed and evaluated (conformity, satisfaction, QMS performance, suppliers, risks) | Trend analysis, statistical reports, management-review inputs |
| 9.2.1/9.2.2 Internal audits are conducted at planned intervals per a programme that considers process importance and previous results; results reported to relevant management; corrections and corrective actions taken without undue delay | Audit programme, audit plans, checklists, audit reports, auditor competence and independence records |
| 9.3.1/9.3.2 Management review is conducted at planned intervals with all required inputs (status of actions, changes, performance, feedback, audits, suppliers, resources, risks, improvement) | Management review agenda and minutes with all input topics |
| 9.3.3 Management review outputs include decisions on improvement, QMS changes and resource needs | Documented decisions and actions with owners |
Clause 10 — Improvement
| What to verify | Typical evidence |
|---|---|
| 10.1 Opportunities for improvement are determined and selected to meet requirements and enhance customer satisfaction | Improvement register, kaizen/project records, objective updates |
| 10.2.1 Nonconformities (including from complaints) are reacted to, controlled, corrected, consequences dealt with; root cause evaluated; corrective action taken; effectiveness reviewed; QMS updated | CAPA records, root-cause analysis, effectiveness verification |
| 10.2.2 Documented information on nature of nonconformities, actions taken and results is retained | Corrective-action logs, NCR closure records |
| 10.3 Continual improvement of suitability, adequacy and effectiveness of the QMS is pursued using analysis, review outputs | Trend of KPIs, improvement projects, management review outputs |
Scoping the QMS
Scope definition under Clause 4.3 is the single most consequential decision in an ISO 9001 project because it determines what is audited and what appears on the certificate. A poorly bounded scope either overstates coverage (creating audit findings) or understates it (limiting commercial value).
- Define boundaries by products/services, sites/locations, and organisational units that will be covered by the certificate.
- Consider the external and internal issues (4.1) and interested-party requirements (4.2) when setting boundaries.
- State the scope in a clear, customer-facing sentence, for example: 'Design, development and delivery of managed cybersecurity and cloud services.'
- Justify any requirement determined as not applicable (typically parts of Clause 8, such as 8.3 Design where the organisation does no design).
- For multi-site organisations, decide between a single certificate with sampling of sites or separate certificates; align with the certification body's IAF multi-site sampling rules.
- Ensure outsourced processes remain within scope for control purposes even though they are performed externally (Clause 8.4).
- Avoid excluding functions merely to reduce audit effort — customers scrutinise scope wording closely.
Implementation approach
CyberSigma delivers ISO 9001 through a structured, phased programme, typically spanning three to six months for a small-to-medium organisation depending on maturity, size and number of sites. Each phase produces defined deliverables that become the audit evidence base.
Phase 1 — Initiation and gap analysis
- Activities: appoint a management representative/QMS lead and steering group; secure top-management commitment; conduct awareness briefing; perform a clause-by-clause gap analysis against Clauses 4 to 10; define preliminary scope.
- Deliverables: gap-analysis report with prioritised findings, project charter and plan, preliminary scope statement, RACI.
Phase 2 — Context, leadership and planning
- Activities: document context (4.1), interested parties (4.2) and scope (4.3); build the process map (4.4); draft quality policy and objectives; establish risk-and-opportunity register (6.1); assign roles and authorities (5.3).
- Deliverables: context analysis, interested-party register, quality policy, quality objectives, risk register, process map, QMS scope document.
Phase 3 — Documentation and process design
- Activities: develop documented information — QMS manual (optional but useful), procedures, work instructions, forms and templates; establish document control (7.5); define competence matrix and communication plan.
- Deliverables: controlled document set, document register, competency matrix, communication matrix, calibration/maintenance schedules.
Phase 4 — Implementation and operation
- Activities: roll out processes across operations (Clause 8); train staff and raise awareness (7.2/7.3); begin generating records — contract reviews, supplier evaluations, inspection and release records, NCRs.
- Deliverables: operational records, supplier evaluations, training records, initial performance data.
Phase 5 — Internal audit and management review
- Activities: train internal auditors; execute a full internal-audit cycle covering all clauses and processes (9.2); raise and close corrective actions (10.2); conduct the first management review (9.3).
- Deliverables: internal-audit programme and reports, corrective-action records, management-review minutes with decisions.
Phase 6 — Certification audit
- Activities: select an accredited certification body; undergo Stage 1 (readiness/documentation review) and Stage 2 (implementation audit); close any nonconformities within the agreed timeframe.
- Deliverables: Stage 1 report and readiness confirmation, Stage 2 audit report, corrective-action closure evidence, ISO 9001:2015 certificate.
Maturity and capability model
ISO 9001 itself is a pass/fail conformity standard, not a maturity model, but ISO 9004 and process-maturity frameworks provide a useful capability lens. CyberSigma uses the following five-level model to assess QMS maturity beyond mere certification conformity, drawing on ISO 9004 self-assessment guidance.
| Level | Maturity stage | Characteristics |
|---|---|---|
| 1 | Initial / ad hoc | Processes undocumented and reactive; quality dependent on individuals; frequent firefighting and customer complaints. |
| 2 | Managed / basic | Core procedures documented to satisfy the standard; records generated but improvement is minimal; audits find recurring issues. |
| 3 | Defined / consistent | Process approach embedded; risk-based thinking applied; objectives tracked; corrective action effective; certification comfortably maintained. |
| 4 | Predictable / measured | Data-driven decision making; statistical monitoring; strong supplier management; proactive risk and opportunity handling; low nonconformity rates. |
| 5 | Optimising / excellence | Continual improvement culture; benchmarking; innovation; sustained success per ISO 9004; QMS drives strategy and customer loyalty. |
Assessment and audit approach
- Define audit scope and objectives, referencing the QMS scope (4.3) and the clauses/processes to be examined.
- Prepare an audit programme and per-audit plan (9.2), scheduling coverage of all processes over the audit cycle based on importance and prior results.
- Assemble a competent, objective and impartial audit team (auditors must not audit their own work).
- Conduct Stage 1 (documentation and readiness review) to confirm the QMS is designed and documented before the implementation audit.
- Conduct the opening meeting, confirming scope, criteria, logistics and safety.
- Gather objective evidence through interviews, observation of processes, and examination of documented information, following audit trails from policy to records.
- Evaluate evidence against ISO 9001:2015 requirements and the organisation's own documented information; record conformities and nonconformities.
- Classify findings as major nonconformity, minor nonconformity, or opportunity for improvement/observation.
- Hold the closing meeting to present findings, agree timelines for corrective action, and confirm the certification recommendation.
- Issue the audit report; verify corrective actions and root-cause analysis for any nonconformities before certification or continuation.
- Maintain the certificate through annual surveillance audits and a full recertification audit every three years.
Evidence request list
The following categorised evidence set is what CyberSigma requests during a gap analysis or what a certification body will sample during audit.
- Context and planning: context analysis, SWOT/PESTLE, interested-party register, QMS scope statement, process map, risk and opportunity register.
- Leadership: quality policy, quality objectives with plans, organisation chart, roles/responsibilities/authorities matrix, management commitment evidence.
- Support — resources: resource plans, infrastructure/asset register, maintenance schedules, calibration certificates and equipment list, work-environment controls.
- Support — people and knowledge: competency matrix, training plans and records, awareness evidence, organisational knowledge base.
- Support — documented information: document register, controlled procedures and work instructions, version control and retention schedule, external-document control.
- Operation — customer and requirements: enquiry and contract-review records, order confirmations, complaint and feedback logs, requirement/regulatory specifications.
- Operation — design (if applicable): design plans, inputs, reviews, verification and validation, design change records.
- Operation — suppliers: approved-supplier list, evaluation and re-evaluation scorecards, purchase orders, incoming inspection records.
- Operation — production/service: work instructions, process-monitoring and inspection records, traceability records, preservation and delivery records, release authorisations.
- Operation — nonconformity: nonconformance reports, concession/deviation records, disposition logs.
- Performance evaluation: KPI dashboards, customer satisfaction data, data-analysis reports, internal-audit programme and reports, management-review minutes.
- Improvement: corrective-action (CAPA) records, root-cause analyses, improvement register and project records.
Roles and responsibilities
| Role | QMS responsibilities |
|---|---|
| Top management / CEO | Accountable for QMS effectiveness (Clause 5); sets policy and direction; provides resources; chairs management review; drives customer focus. |
| Management representative / QMS lead | Coordinates QMS implementation and maintenance; ensures processes deliver intended outputs; reports on performance; liaises with the certification body. (The role is no longer mandated by the 2015 edition, but it is widely retained.) |
| Process owners | Own and operate assigned QMS processes; monitor process KPIs; ensure conformity and improvement within their process. |
| Quality manager / QA team | Manages document control, internal-audit programme, corrective actions and calibration; analyses quality data. |
| Internal auditors | Conduct impartial internal audits (9.2); report findings objectively; must not audit their own work. |
| Line managers and supervisors | Ensure competence, awareness and adherence to procedures within their teams; manage nonconforming output at source. |
| All employees | Follow documented procedures; report nonconformities and improvement ideas; understand their contribution to quality. |
| Certification body (external) | Conducts Stage 1/Stage 2 and surveillance audits; issues and maintains the accredited certificate. |
KPIs to track
- Customer satisfaction score / Net Promoter Score (NPS) and trend.
- Number and severity of customer complaints per period, and complaint resolution time.
- On-time delivery (OTD) percentage against commitments.
- First-pass yield / defect rate / rework and scrap rate.
- Nonconformity count (internal and external) and recurrence rate.
- Corrective-action closure rate and average time to close.
- Internal-audit completion against programme, and findings by clause.
- Quality objective achievement rate against targets.
- Supplier performance: on-time and quality acceptance rate, supplier NCRs.
- Cost of poor quality (COPQ) as a percentage of revenue.
- Training completion and competency-coverage percentage.
- Calibration compliance and equipment out-of-calibration incidents.
Readiness checklist
- QMS scope (4.3) is documented with justified non-applicability determinations.
- Context (4.1) and interested-party requirements (4.2) are analysed and reviewed.
- Process map (4.4) defines sequence, interaction, inputs, outputs and owners.
- Top management has approved and communicated the quality policy (5.2).
- Roles, responsibilities and authorities are assigned and understood (5.3).
- Risk and opportunity register (6.1) exists with treatment actions.
- Measurable quality objectives (6.2) are set with action plans.
- Competency matrix and training records (7.2) are current.
- Document control (7.5) is operating with version control and retention.
- Supplier evaluation and monitoring (8.4) records are in place.
- Product/service release and inspection records (8.6) are generated.
- Nonconforming output (8.7) is controlled and documented.
- A full internal-audit cycle (9.2) covering all clauses is complete.
- At least one management review (9.3) with all inputs and documented outputs is held.
- Corrective actions (10.2) show root-cause analysis and effectiveness verification.
- An accredited certification body is selected and Stage 1 is scheduled.
Common gaps
- Scope statement copied generically without justifying non-applicability or reflecting actual operations.
- Context (4.1) and interested-party (4.2) analysis done once at implementation and never reviewed, becoming stale.
- Risk-based thinking (6.1) reduced to a token risk register with no linkage to processes, objectives or actions.
- Quality objectives (6.2) that are not measurable or not cascaded to relevant functions and levels.
- Corrective action (10.2) that fixes the symptom (correction) without genuine root-cause analysis or effectiveness verification.
- Internal audits (9.2) treated as a documentation tick-box, conducted by auditors lacking independence or competence.
- Management review (9.3) missing mandatory inputs (for example supplier performance, risk status, or resource adequacy).
- Calibration/measurement traceability (7.1.5) gaps — expired calibration or no out-of-calibration impact assessment.
- Supplier evaluation (8.4) that lists approved suppliers but never re-evaluates or monitors performance.
- Documented information (7.5) uncontrolled — obsolete versions in use, no retention schedule, external documents uncontrolled.
- Competence (7.2) asserted without objective evidence or evaluation of training effectiveness.
- Change management (6.3 / 8.5.6) not applied — changes made informally without impact assessment or authorisation.
ISO 9001 mapped to other frameworks
Because ISO 9001:2015 uses the Annex SL High-Level Structure, its clauses align closely with other management-system standards, enabling integrated management systems (IMS) and shared audits.
| ISO 9001:2015 clause / theme | Corresponding requirement in other frameworks |
|---|---|
| Clause 4 Context and interested parties | ISO 27001:2022 Cl.4; ISO 14001 Cl.4; ISO 45001 Cl.4 (identical Annex SL structure) |
| Clause 5 Leadership and policy | ISO 27001 Cl.5; ISO 14001 Cl.5; ISO 45001 Cl.5; NIST CSF 2.0 GOVERN function |
| Clause 6 Planning / risk and objectives | ISO 27001 Cl.6 and risk treatment; ISO 14001 Cl.6; NIST CSF IDENTIFY |
| Clause 7 Support / competence / documented information | ISO 27001 Cl.7; ISO 14001 Cl.7; ISO 45001 Cl.7 |
| Clause 8 Operation | ISO 27001 Cl.8 and Annex A controls; IATF 16949 (automotive sector-specific); AS9100 (aerospace); ISO 13485 (medical devices) |
| Clause 9 Performance evaluation / internal audit / management review | ISO 27001 Cl.9; ISO 14001 Cl.9; ISO 45001 Cl.9 |
| Clause 10 Improvement / nonconformity / corrective action | ISO 27001 Cl.10; ISO 14001 Cl.10; ISO 45001 Cl.10 |
| Process approach and PDCA | CMMI process maturity; Lean/Six Sigma DMAIC; ITIL continual service improvement |
| Customer focus and satisfaction | ISO 10002 (complaints handling); ISO 10004 (satisfaction monitoring) |
Need help with ISO 9001?
CERT-In empanelled and PCI QSA senior auditors can take you from reading about ISO 9001 to being compliant, with a scoped, guided programme.
