QMS Auditor/Lead Auditor

Pre-Course Notes

Improving performance,
reducing risk

Contents (page)

Introduction
Section A - The ISO 9000 Series of Documents
Section B - ISO Terms and Definitions
Section C - Quality Management Principles
  The Seven Quality Management Principles
  ISO 9001 requirements to the quality management principles
Section D - Context of the organization ... 10
  Risk-based approach ... 16
  The process-approach ... 21
Section E - ISO 9001 Structure and Contents ... 26
  ISO 9001 Model of a process-based quality management system ... 27
  Pre-course preparation ... 30
Section F - Introduction to Auditing ... 31
  Audit terms and definitions ... 31
  Audit types and purpose ... 32
  Certification and accreditation ... 33
Section G - Verification of Pre-Course Work ... 34
Section H - Defining Personal Course Objectives ... 37
Appendix - Guide to ISO 9001 Requirements ... 39

Note:
The following spelling is used throughout for consistency with the ISO 9000 series of
documents: Organization.

QMS Auditor/Lead Auditor

Version 4 - Revision 0.0


Precourse Notes.docx
LRQA Training 2015

Page 1 of 62

Introduction
Welcome to the Quality Management Systems Auditor/Lead Auditor training course.
Thank you for choosing LRQA.
We have designed the course to give you the knowledge and skills to perform audits of
management systems against ISO 9001 effectively and with confidence.
It meets the requirements of the International Register of Certificated Auditors (IRCA),
www.irca.org.
Complete the course successfully and you will satisfy the formal training requirements
for IRCA certification to all grades of a Quality Management System auditor.
Course hours

- The course duration is 40 hours over 4 days.
- 100% attendance is required.
- You will be asked to complete evening work each day, which will take approximately
  1 hour.

Delegate assessment

We will fully explain at the start of the course the assessment criteria and
performance standards you need to achieve.
We will give you written feedback each day, and guidance on any improvements
needed.
You will complete a two hour written examination at the end of the course.

What is this pre-course work for?

You must have some understanding of quality management principles and concepts
and knowledge of ISO 9001 requirements before starting the course. You may find
the Appendix useful to help your understanding of ISO 9001.
We are giving you this information in advance so we can make the course practical
and activity-based. This will help you to learn and make the course enjoyable.
This pack is part of your course notes.

How long will it take?

Plan on taking approximately two hours in total to complete it.

What happens if I do not complete this pre-course work before the course starts?

You will have missed a valuable opportunity to start building your knowledge.
You will almost certainly find it difficult to participate in some of the course exercises
and you will need to complete it in your own time in addition to your evening work.
You may well reduce your chance of successfully completing the course.

Am I expected to remember all of the information in this pack?

No, the course is not a test of memory but it will test your understanding. To be
successful you will need to apply this information during the course and show
during the exam that you understand the concepts covered in this pack. The exam
questions could relate to any aspect of this pre-course information, any aspects
covered on the course, and any requirements of ISO 9001.

During the exam you will be able to refer to a clean copy of ISO 9001 (i.e. one that
has not been annotated in any way). If appropriate you can also use a paper-based
bilingual dictionary. These are the only items permitted for reference.

Important

Please complete Section G Verification of pre-course work and Section H Defining
Personal Course Objectives. This is very important. It will help you prepare for the
course.

Please be sure you bring the completed pack and your personal copy of ISO 9001
with you when you attend the course.

Please complete your personal course objectives at the end of the pack. We will ask
you to present these at the start of the course.

Section A - ISO 9000 Series of Documents

The ISO 9000 Series of Documents


Purpose
This section contains information on the ISO 9000 series of documents.
The ISO 9000 series of documents comprise:

ISO 9000 - Quality management systems - Fundamentals and vocabulary


ISO 9000 explains the fundamentals of quality management. It defines terms used in
ISO 9001 and ISO 9004.

ISO 9001 - Quality management systems - Requirements


ISO 9001 specifies requirements for a quality management system that aims to
enhance customer satisfaction by meeting customer and applicable statutory and
regulatory requirements. It can be used for internal application by organizations, for
certification and for contractual purposes.
ISO 9001 is an auditable standard. The others are not.

ISO 9004 - Managing for the sustained success of an organization - A quality
management approach
ISO 9004 is a guide for organizations that wish to achieve sustained success using a
quality management approach. ISO 9004 provides a wider focus on quality
management than ISO 9001, addressing the needs of a wide range of stakeholders
and giving guidance for the systematic and continual improvement of the
organization's overall performance. As a guidance document, ISO 9004 is not
auditable for certification, but it does promote self-assessment by organizations to
identify opportunities for improvements and/or innovations.

ISO 9001 and ISO 9004 are designed to complement each other, but can also be used
independently.
Most standards require periodic revision. Several factors combine to render a standard
out of date: technological evolution, new methods and materials, new quality and safety
requirements. To take account of these factors, ISO has established the general rule that
all ISO standards should be reviewed at intervals of not more than five years.

Section B - ISO Terms and Definitions

ISO Terms and Definitions


Purpose
This section introduces some essential quality terms and definitions. These will help you
interpret and audit ISO 9001 requirements. You may want to refer back to these
definitions as you read through the other sections of this pack.

Definitions
The following terms and definitions are quoted from ISO 9000 Quality management
systems - Fundamentals and vocabulary.

To help your understanding, we have grouped related terms together and separated
groups using this bullet symbol.
Quality
Degree to which a set of inherent characteristics of an object fulfils requirements.
System
Set of interrelated or interacting elements.
Management system
Set of interrelated or interacting elements of an organization to establish policies and
objectives and processes to achieve those objectives.
Quality management system
Part of a management system with regard to quality.

Process
Set of interrelated or interacting activities that use inputs to deliver an intended result.
Product
Output of an organization that can be produced without any transaction taking place
between the organization and the customer.
Procedure
Specified way to carry out an activity or a process.

Requirement
Need or expectation that is stated, generally implied or obligatory.
Nonconformity
Non-fulfilment of a requirement.
Correction
Action to eliminate a detected nonconformity, for example rework.
Corrective action
Action to eliminate the cause of a nonconformity and to prevent recurrence.

Context of an organization
Combination of internal and external issues that can have an effect on an organization's
approach to developing and achieving its objectives.
Interested party (stakeholder)
Person or organization that can affect, be affected by, or perceive itself to be affected
by a decision or activity.

Risk
Effect of uncertainty.

Section C - ISO 9000 Quality Management Principles


Quality Management Principles
Purpose
ISO 9000 introduces seven Quality Management Principles that can be used to lead an
organization towards improvement. ISO 9001 includes requirements that can be traced
back to these principles.
By reading this section and working through an example of how requirements of ISO
9001 can be linked back to the principles you will help to develop your understanding of
ISO 9001 and the underlying purpose of specific requirements.

The Seven Quality Management Principles


The seven quality management principles given in ISO 9000 are:
QMP 1 Customer Focus
a) Statement
The primary focus of quality management is to meet customer requirements and to
strive to exceed customer expectations.
b) Rationale
Sustained success is achieved when an organization attracts and retains the confidence
of customers and other relevant interested parties. Every aspect of customer interaction
provides an opportunity to create more value for the customer. Understanding current
and future needs of customers and other interested parties contributes to sustained
success of an organization.
QMP 2 Leadership
a) Statement
Leaders at all levels establish unity of purpose and direction and create conditions
in which people are engaged in achieving the organization's quality objectives.
b) Rationale
Creation of unity of purpose and the direction and engagement of people enable an
organization to align its strategies, policies, processes and resources to achieve its
objectives.
QMP 3 Engagement of People
a) Statement
Competent, empowered and engaged people at all levels throughout the organization are
essential to enhance the organization's capability to create and deliver value.
b) Rationale
In order to manage an organization effectively and efficiently, it is important to respect
and involve all people at all levels. Recognition, empowerment and enhancement of
competence facilitate the engagement of people in achieving the organization's quality
objectives.
QMP 4 Process Approach
a) Statement
Consistent and predictable results are achieved more effectively and efficiently when
activities are understood and managed as interrelated processes that function as a
coherent system.
b) Rationale
The quality management system consists of interrelated processes. Understanding how
results are produced by this system enables an organization to optimize the system and
its performance.
QMP 5 Improvement
a) Statement
Successful organizations have an ongoing focus on improvement.
b) Rationale
Improvement is essential for an organization to maintain current levels of performance,
to react to changes in its internal and external conditions and to create new
opportunities.
QMP 6 Evidence-based Decision Making
a) Statement
Decisions based on the analysis and evaluation of data and information are more likely
to produce desired results.
b) Rationale
Decision making can be a complex process, and it always involves some uncertainty. It
often involves multiple types and sources of inputs, as well as their interpretation,
which can be subjective. It is important to understand cause and effect relationships
and potential unintended consequences. Facts, evidence and data analysis lead to
greater objectivity and confidence in decisions made.
QMP 7 Relationship Management
a) Statement
For sustained success, organizations manage their relationships with relevant interested
parties, such as providers.
b) Rationale
Relevant interested parties influence the performance of an organization. Sustained
success is more likely to be achieved when the organization manages relationships
with all of its interested parties to optimize their impact on its performance. Relationship
management with its provider and partner networks is of particular importance.

(Reproduced from ISO 9000)

ISO 9001 requirements to the quality management principles
For each quality management principle, supporting evidence can be found in ISO 9001.
An example of this is shown below.
Use this example to start to familiarise yourself with ISO 9001.

Principle: Process-approach

ISO 9001 requirements that support the principle:
4.4.1 "The organization shall determine the processes needed for the quality
management system and their application throughout the organization, and shall:
a) determine the inputs required and the outputs expected;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods needed to ensure the effective
operation and control of these processes;"

Now refer to ISO 9001. Read what it says in the sections listed below and see how
these requirements support the process-approach principle.
4.4.1 a to h
8.1
9.1.1
9.1.3

Complete the Quality Management Principle and ISO 9001 cross reference section
that is part of the Verification of pre-course work section.

Section D - Context, Risk and Process Approach


Context of the organization
This section gives an explanation of the following subjects:
Context of the organization.
Risk-based approach.
Process approach.

Purpose
ISO 9001 introduces the concept of context of the organization to determine the
business environment of an organization. The concept of promoting the process-approach
was explicit, and the concept of the risk-based approach implicit, in the previous edition
of this International Standard. These three elements are the basic inputs for a quality
management system.
Determining the context of the organization is a new requirement of ISO 9001:2015.
The context of an organization is referred to as the "Combination of internal and external
issues that can have an effect on an organization's approach to developing and
achieving its objectives."
Why is context important?
Because each organization is unique.
The intended purpose of a quality management system is to enable an organization to
consistently meet customer, statutory and regulatory requirements applicable to the
products and services it provides. Therefore a quality management system should be
designed and implemented to meet the specific needs of the organization, its
customers, its products and services and the business environment in which it operates
and the risks associated with that environment. This approach was promoted in ISO
9001:2008.
ISO 9001:2015 expands the concept of the organizational environment referenced in
ISO 9001:2008 to include not only the business environment, but also internal factors,
such as organizational culture, and external factors, such as socio-economic conditions
under which it operates. Moreover, ISO 9001:2015 moves from simply promoting such
an approach to introducing new and auditable requirements on context of the
organization.

Context of the organization ISO 9001:2015 Section 4
Section 4 dedicates itself to the organizational context.
This section is divided into four sub-clauses:
4.1 - Understanding the organization and its context.
4.2 - Understanding the needs and expectations of interested parties.
4.3 - Determining the scope of the quality management system.
4.4 - Quality management system and its processes.
The latter two of these find counterparts in section 4.1 General of the current
standard, but the former two are new requirements. They require an organization to
think about the issues that can affect it as well as the parties that have an interest in it,
including how to gather these parties' relevant requirements.
Understanding the organization and its context
ISO 9001:2015 requires organizations to identify, monitor and review internal and
external issues that are relevant to its purpose and strategic direction, and that have the
ability to impact the quality management system's intended results.
An issue is an important topic or problem. An organization's consideration of issues is
therefore not confined to a consideration of problems only. It includes issues that could
have a positive effect. This is why the standard in clause 6.1 (planning the QMS)
requires the organization to plan actions to address risks and opportunities.
Examples of issues include:

- Political, legal and regulatory, financial, economic, technological, competitive and
  natural environment.
- Organization's policies, objectives and strategies to achieve them.
- Drivers and trends that have an impact on the organization and its objectives.
- Relationships with, and perceptions and values of, external interested parties.
- Relationships with, and perceptions and values of, members of the organization.
- Capabilities and resources.
- Contractual relationships.

Issues are likely to change over time, some more slowly than others. Hence the
requirement is to monitor and review internal and external issues.

Issues identified should be tested for relevance: are they relevant to the organization's
purpose and strategic direction, and do they have the ability to impact the quality
management system's intended results?

Understanding the needs and expectations of interested parties
ISO 9001:2015 requires organizations to go through a process initially to identify these
groups and then to identify their requirements that are relevant to the organization's
quality management system.
Relevant interested parties are groups or individuals who have the ability to impact (or
potentially impact, or be impacted by) the organization's ability to consistently supply
products and services that meet customer and applicable statutory and regulatory
requirements. Examples of relevant interested parties are:

- Customers, consumers - past, present and future (potential).
- Sister/group companies.
- Suppliers, partners, agents, contractors - past, present and future (potential).
- Regulatory authorities, Boards.

Relevant requirements are likely to be documented, for example in contracts, regulations
and service level agreements. However, relevant requirements may also be a need or
expectation that is generally implied.
The following diagram illustrates the interaction between clause 4.1 and clause 4.2.

[Diagram: Meeting the requirements of Clauses 4.1 and 4.2]


It is very likely that the internal and external issues and the relevant interested parties
and their relevant needs will be known to the organization. However, this information
may not necessarily be held in ways that will readily demonstrate conformance. Where
information is already held it may currently sit outside of what the organization thinks of
as being part of the management system. For example, much of the information on
internal and external issues may be held in business plans, strategy documents and
annual reports. Or it may not be documented at all and there is no requirement in ISO
9001:2015 for this information to be retained as documented information. It is more
likely that the needs of interested parties will be documented, for example in contracts,
regulations and service level agreements.
The starting point for organizations will be to review what they do currently.
Determining the scope of the quality management system
There is a counterpart to this requirement in ISO 9001:2008 clause 4.1. ISO 9001:2015
has some additional requirements that aim to clarify ISO 9001:2008.
ISO 9001:2015 requires: "The organization shall determine the boundaries and
applicability of the quality management system to establish its scope. When
determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in 4.2;
c) the products and services of the organization referred to in 4.3."
It's important not to confuse the scope of the management system with the scope of a
certification audit.
The scope of the management system will need to include activities, processes etc. that
are of relevance to the organization but performed by other organizations, including
other parts of the same organization that do not come under the control of top
management, for example a central procurement function. These entities would be
classed as external to the organization. If there is a dependency on or interface to that
activity, then it's likely it should be included within the scope of the management
system. Issues associated with entities external to the organization should be identified
in accordance with clause 4.1, and the relevant needs and expectations of the entities
identified in accordance with clause 4.2. For example, consider a case where the
organization uses a third party to host a website for taking customer orders. The
third-party organization itself is outside the scope of the management system; however,
the website and the customer activity of using the website ought to be included within
the scope of the management system.
Quality management system and its processes
Clause 4.4 states: "The organization shall establish, implement, maintain and continually
improve a quality management system, including the processes needed and their
interactions, in accordance with the requirements of this International Standard."
Comparing this with ISO 9001:2008 clause 4.1 shows the two are very similar, although
ISO 9001:2015 introduces some more specific requirements relating to determination of
process requirements.
The diagram below illustrates the interaction between the sub-clauses of clause 4 (i.e.
4.1, 4.2, 4.3 and 4.4).

As with ISO 9001:2008 where clause 4.1 follows the continual improvement cycle
(PDCA) and sets out general (high-level) requirements for the quality management
system, which are then developed in more detail in subsequent clauses, so it is with ISO
9001:2015. The significant new requirements throughout ISO 9001:2015 often have
their origins in clauses 4.1 and 4.2, in particular requirements to consider internal and
external issues and the associated risks and opportunities.
Planning for the quality management system - Clause 6
ISO 9001:2015 requires that "When planning for the quality management system, the
organization shall consider the issues referred to in 4.1 and the requirements of
interested parties referred to in 4.2 and determine the risks and opportunities that need
to be addressed."
The following slide illustrates the relationship between clause 4 Context of the
organization and clause 6 Planning for the quality management system.

[Diagram: PDCA cycle (Plan, Do, Check, Act). Determine the scope of your QMS
considering external issues, internal issues, interested parties and their requirements,
purpose and strategic direction; determine risks, opportunities and the QMS and its
processes, controlled by the Plan-Do-Check-Act cycle.]

Summary
Section 4 Context of the organization requires the organization to:

- Determine external issues and internal issues that are relevant to its purpose and
  strategic direction.
- Determine the interested parties that are relevant to the QMS.
- Determine the requirements of these interested parties that are relevant to the QMS.
- Monitor and review (all of the above).

These issues and requirements shall be considered when planning the quality
management system. The interrelating clauses of ISO 9001:2015 are 6.1 (actions to
address risks and opportunities) and 8.1 (Operational planning and control).
Typically actions to address risks and opportunities and actions needed to address the
needs of relevant interested parties will feature in the quality management system as
quality objectives and process criteria.

Risk-based approach
Risk-based thinking is essential for achieving an effective quality management system.
The concept of risk-based thinking has been implicit in previous editions of this
International Standard including, for example, carrying out preventive action to
eliminate potential nonconformities, analyzing any nonconformities that do occur, and
taking action to prevent recurrence that is appropriate for the effects of the
nonconformity.
What does the term risk mean?
ISO 9000:2015 defines risk as "effect of uncertainty".

- An effect is a deviation from the expected, positive or negative.
- Risk is often characterised by reference to potential events.
- Risk is often expressed in terms of a combination of the consequences of an event
  (including changes in circumstances) and the associated likelihood.
- The term risk is sometimes used when there is only the possibility of negative
  consequences.

However, risk is generally interpreted as being about negative things, whilst those
uncertainties that could bring additional benefits if they were to occur are known as
opportunities.
ISO 9001:2015 refers to "risks and opportunities", so for general understanding it's
reasonable to think of risk as negative and opportunity as positive.
For example, an organization may have identified changes in currency exchange rates as
an external issue that could lead to the risk of increasing the costs of materials and
components. The same issue could similarly open up opportunities to sell more
products in certain overseas markets.
As well as identifying and addressing negative threats, it is equally important to seek
and maximise opportunities, in order to optimise achievement of objectives. Some
opportunities come from removing threats, for example removing the threats that come
from being dependent upon a sole supplier could, through increased supplier
competition, create opportunity for reducing the cost of bought in items. Others are
pure opportunities unrelated to threats, which would produce real additional benefits if
they could be captured proactively and exploited.
Options to address risks and opportunities can include:

- Avoiding risk.
- Taking risk in order to pursue an opportunity.
- Eliminating the risk source.
- Changing the likelihood or consequences.
- Sharing the risk.
- Retaining risk by informed decision.

Organizational and operational risks and opportunities
Some organizations may choose to consider risks and opportunities as organizational or
operational; where organizational are those that impact upon competitive advantage
and operational are those that impact upon customer satisfaction. When treated this
way, organizational risks and opportunities may often be addressed through quality
objectives and specific improvement projects, for example implementing new
technology. Operational risks and opportunities may be addressed through process
management, for example delivery performance. Some may find this approach useful
although there is no requirement for this within ISO 9001:2015.
Risk-based thinking
ISO 9001:2015 has adopted the phrase "risk-based thinking", referring in the
Introduction, section 0.3.3, to:
"Risk-based thinking is essential for achieving an effective quality management
system. The concept of risk-based thinking has been implicit in previous editions of
ISO 9001 including, for example, carrying out preventive action to eliminate
potential nonconformities, analyzing any nonconformities that do occur, and taking
action to prevent recurrence that is appropriate for the effects of the nonconformity.
To conform to the requirements of ISO 9001:2015, an organization needs to plan
and implement actions to address risks and opportunities. Addressing both risks and
opportunities establishes a basis for increasing the effectiveness of the quality
management system, achieving improved results and preventing negative effects."
(Source: ISO 9001:2015)
So, put simply, high-risk processes need more rigorous and formal control than low risk
processes.
Although risks and opportunities have to be determined and addressed, there is no
requirement for formal risk management or a documented risk management process.
ISO 31000 provides guidelines on risk management which can be appropriate in certain
organizational contexts.
ISO 9001:2015 - Risk-based approach
Quoting from Annex A of ISO 9001:2015:

"One of the key purposes of a quality management system is to act as a preventive
tool. Consequently, this International Standard does not have a separate clause or
sub-clause on preventive action. The concept of preventive action is expressed
through the use of risk-based thinking in formulating quality management system
requirements."
(Source: ISO 9001:2015)

What does ISO 9001:2015 require in practice?
The slide below illustrates the requirements and references the applicable clauses of ISO
9001:2015.

- Determine external and internal issues (4.1).
- Determine relevant interested parties and their requirements (4.2).
- Consider the issues and requirements and determine the risks and
  opportunities that need to be addressed (6.1.1).
- Plan actions to address these risks and opportunities and integrate and
  implement the actions into the QMS processes (6.1.2) (8.1).
- Plan how to evaluate the effectiveness of these actions (6.1.2).
- Evaluate performance (9.1).
- Review information, including trends and indicators on the
  effectiveness of actions taken to address risks and opportunities (9.3).

The purpose of a quality management system is to achieve conformity and customer
satisfaction.
ISO 9001:2015 uses risk-based thinking to achieve this in the following way:

- Clause 4 (Context): the organization is required to determine the issues and
  requirements which may affect this.
- Clause 6 (Planning): the organization is required to take action to identify risks and
  opportunities.
- Clause 8 (Operation): the organization is required to implement actions to address
  risks and opportunities and integrate the actions into the QMS processes.
- Clause 9 (Performance evaluation): the organization is required to evaluate the
  effectiveness of actions taken to address the risks and opportunities.
- Clause 10 (Improvement): the organization is required to improve by responding to
  any underperformance and changes in risk.

Whilst the requirements appear to be clear, organizations are asking "how do we
demonstrate conformity - do we need a documented risk management process and
records?"
There is no specific requirement for organizations to maintain or retain documented
information relating to clause 6.1 "Actions to address risks and opportunities".



Organizations may choose to do so and this will be influenced by the size and nature of
the organization. Many organizations already maintain a risks and opportunities
register.
Depending upon the context of the organization, other requirements such as statutory
and regulatory requirements and customer requirements may require them to maintain
documented risk assessment procedures, adopt formal risk management processes and
maintain records of risk assessments and actions taken. Typically organizations in the
food, pharmaceutical, aerospace, automotive, energy-oil and gas sectors, construction,
legal and financial services, medical and health, and other similar risk sectors have
adopted these practices and will use appropriate risk tools and techniques, for example:

- HACCP - Hazard Analysis and Critical Control Point.
- HAZOP - Hazard and Operability Analysis.
- FMEA - Failure Modes and Effects Analysis.
- FTA - Fault Tree Analysis.

The organization is required to plan, implement and control the processes needed to
meet requirements and to implement the actions determined in clause 6.1, including by:

- Establishing criteria for processes.
- Implementing control of the processes in accordance with the criteria.
- Maintaining documented information to the extent necessary to support the
  operation of processes and retaining documented information to the extent
  necessary to have confidence that the processes are being carried out as planned.

Following planning and implementation of actions to address risks and opportunities the
requirement is to evaluate the effectiveness of the actions taken. An organization may
do this by monitoring and measurement activities, as set out in clause 9.1 Monitoring,
measurement, analysis and evaluation. Here there is a requirement to retain appropriate
documented information as evidence of the results of monitoring and measurement
activities. Information on quality performance is an input to management review of
the effectiveness of the actions taken to address risks and opportunities.



Applying the risk-based approach

[Figure: the risk-based approach cycle - Identify issues and requirements; Consider the
issues and requirements and determine risks and opportunities that need to be
addressed; Plan actions to address risks and opportunities and plan how to evaluate the
effectiveness of these actions; Monitor and review.]

ISO 9001:2015 requirements follow a structured approach as shown above.


Identify issues and requirements - refer back to Session 5 and Session 6.
Consider the issues and determine risks and opportunities that need to be
addressed - not all issues and requirements will necessarily lead to risks and
opportunities. As discussed earlier, the relevance and dynamic nature of issues need to
be taken into account. Those issues that are deemed relevant should be evaluated.
Plan actions to address the risks and opportunities - ISO 9001:2015 states:
"Actions taken to address risks and opportunities shall be proportionate to the potential
impact on the conformity of products and services."
It's important to focus on the potential impact of risks and opportunities on the
conformity of products and services. That said, the potential impact on customer
satisfaction, quality policy and objectives and the strategic direction of the organization
also needs to be taken into account.
In practice it is likely that actions to address operational risks and opportunities will be
embedded into operational process activities, for example enhanced process controls.
Actions to address organizational risks and opportunities are likely to be enacted
through quality improvement activities, including quality objectives. In addition to
planning the actions to address risks and opportunities there is the requirement to plan
how to evaluate the effectiveness of these actions. Again this will typically fall within
process monitoring and measurement activities and/or measurement of results relating
to the achievement of quality objectives.



The process-approach
Understanding processes
The Process-improvement model

[Figure: the Plan-Do-Check-Act cycle - Plan, Do, Check, Act.]

This is the Plan-Do-Check-Act improvement cycle. You may hear it called the PDCA
cycle or the Deming cycle. You can apply it to all processes and you can use it to plan
and implement process change.

- Plan - Plan the improvement and plan how you will know if it has worked.
- Do - Do what you planned to do and measure it as planned.
- Check - Check the results against expectations.
- Act - Act to maintain the improvement, address any shortfall and learn from
  experience.

ISO 9001 aims to bring about continual improvement through the Plan-Do-Check-Act
cycle, which is embedded into ISO 9001 requirements.

The Process model


ISO 9000:2015 defines a process as a "set of interrelated or interacting activities that use
inputs to deliver an intended result".
The ISO 9000 series of documents makes frequent reference to processes and
process-based quality management systems. It will be useful if you understand the
relevant ISO terms, what is meant by a process and how any process can be represented
by a simple model. We will use this process model during the course.



Process
Set of interrelated or interacting activities that use inputs to deliver an intended result.
Intended result
Intended result of a process can be called output, product or service depending on the
context or reference.
Product
Output of an organization that can be produced without any transaction between the
organization and the customer.
Procedure
Specified way to carry out an activity or a process.
Service
Output of an organization with at least one activity necessarily performed between the
organization and the customer.
You can describe a business or organization as a collection of processes. Processes use
resources to transform the inputs into the outputs. People and equipment are examples
of resources.
The purpose of a quality management system based on ISO 9001 is to ensure the
product of the organization meets customer, statutory and regulatory requirements, and
the organization's own requirements. Using the PDCA approach, ISO 9001 requires
processes to be designed, monitored and improved so they consistently deliver a
product that meets these requirements.
When the way in which an activity or process is carried out can affect the product's
ability to meet requirements, a procedure (a specified way to carry out the process) is
needed. The procedure may be implemented by training the process operator or by
automating the process.
It is useful to be able to represent a process by a simple diagram. The Process model
shown below is one recognised way of doing this and it will be used in the course.



The Process model shown below is one recognised way of illustrating a process by a
simple diagram.

ISO 9001:2015 clause 4.4.1 requirements


ISO 9001:2008 promoted the adoption of a process-approach. However, the extent to
which the process-approach has in practice been adopted by organizations is reported
to be variable. ISO 9001:2015 both clarifies the intent of the ISO 9001:2008
process-approach requirements and expands them. Clause 4.4.1 specifies requirements
for the QMS and its processes.
Monitoring, measurement and evaluation of processes
ISO 9001:2015 clarifies the ISO 9001:2008 requirements for monitoring and
measurement of processes. To fully understand clause 4.4.1 and the monitoring and
measurement requirements you first need to understand some of the terminology.
Process terms
- The organization shall establish, maintain, implement and continually improve a
  QMS, including processes ...
- ... shall determine the processes needed ...
- ... determine and apply the criteria and methods (including monitoring, measurements,
  and related performance indicators) ...
- ... evaluate these processes ...



These are the terms used in setting out the process-approach and associated monitoring
and measurement requirements. Some of these terms, for example the term
measurement, are defined in ISO 9000:2015. Others are not, for example the term
evaluation, and we need to refer to an appropriate dictionary.
In summary the requirements for monitoring, measurement, as appropriate, and
evaluation of processes are:
Clause      Requirement
4.4.1 c)    Determine and apply the criteria and methods (including monitoring,
            measurements and related performance indicators) needed to ensure
            the effective operation and control of these processes.
4.4.1 g)    Evaluate these processes and implement any changes needed to ensure
            that these processes achieve their intended results.
8.5.1 c)    Implementation of monitoring and measurement activities at
            appropriate stages to verify that criteria for control of processes or
            outputs, and acceptance criteria for products and services, have been
            met.
9.1.3 e)    Analyse and evaluate appropriate data and information arising from
            monitoring and measurement. The results of analysis shall be used for
            evaluation purposes.
9.3.2 c)    Management review shall take into consideration information on the
            performance and effectiveness of the quality management system,
            including trends in:
            3) process performance and conformity of products and services;
            5) monitoring and measurement results.

The sequence above shows the PDCA cycle being applied through process monitoring
and measurement; leading to identification of process improvement opportunities as an
output of the review process.
ISO 9001:2015 clause 4.4 requirements
Organizations will need to demonstrate conformance with the requirements specified in
clause 4.4.1 of ISO 9001:2015; requirements 4.4.1 a) through to 4.4.1 h).
How an organization approaches demonstrating conformance and the extent to which
the organization uses documented information for this purpose will of course be up to
the organization, taking into consideration the context of the organization and the
needs of interested parties. One way would be to use a process template to provide a
documented overview of each process.



Process conformity and effectiveness

Conformity - fulfillment of a requirement.

The term conformity is used when discussing ISO management system standards, in
preference to the term compliant, which is used when discussing statutory and
regulatory standards.

Effectiveness - extent to which planned activities are realized and planned results
achieved.

A process is conforming when carried out in accordance with planned arrangements:
the planned inputs, resources and controls have been used to produce the planned
output. But a conforming process is not automatically an effective process. For
example, the planned output may not meet the requirements of the customer.
Checking a process has been carried out in accordance with planned arrangements is a
conformance audit. Checking the results of a process meet requirements is an
effectiveness audit. Auditors must consider the purpose of a process to determine its
effectiveness.
For example, consider a purchasing process. The purpose of a purchasing process is to
have the right product, in the right quantities, at the right time, in the right place, to the
right specification and at the right price. An effective purchasing process will achieve
these results. So for example, the procedure for purchasing should take account of how
much lead time suppliers need. If specified lead times are too short it is possible to have
a conforming, but ineffective purchasing process. This could result in late delivery.


Section E - ISO 9001 Structure and Contents

ISO 9001 Structure and Contents


Purpose
Read this section and start to familiarise yourself with ISO 9001. It will help you during
the course, the exam and later as an auditor, if you can navigate your way around ISO
9001 requirements quickly and accurately.

Quality management systems


ISO 9000 defines a quality management system as a management system to direct and
control an organization with regard to quality.
A management system should provide a framework that supports an organization in
determining policy and objectives, and in managing the interrelating elements effectively
to ensure those objectives are achieved. In the case of a quality management system,
the policy and objectives would focus on fulfilling the requirements and expectations of
customers.
The Plan, Do, Check, Act cycle you looked at in section D is probably the simplest
framework for a management system. ISO 9001 uses this framework as its underlying
structure; specific auditable requirements have been established to support
organizations in the effective application of this underlying framework.
ISO 9001 specifies requirements for a quality management system that aims to enhance
customer satisfaction by meeting customer and applicable statutory and regulatory
requirements, and continual improvement of the system. It can be used for internal
application by organizations, for certification and for contractual purposes.
Other quality management system models are available, including:

- The Malcolm Baldrige National Quality Award.
- The European Foundation for Quality Management Excellence Awards.
- Customer Service Excellence Standard.
- ISO 9004 Managing for the sustained success of an organization.

Applying a quality management system framework can help an organization meet the
current and future needs of its customers in an effective and efficient way, and ensure
that products and services consistently meet customer and regulatory requirements.
The achievement of certification to a standard by an independent body, or an award
against a recognised framework, provides public recognition that an organization meets
those standards, and can be a useful marketing tool.


ISO 9001 Model of a process-based quality management system


ISO 9001 includes the diagram below. It illustrates in simple terms how a business
works following the principles of ISO 9001 and it provides a framework around which
ISO 9001 is structured.

The diagram illustrates the relationship between customers and the supplying
organization. On the left-hand side we have customer requirements. In the middle we
have the organization supplying the customer. On the right-hand side we have the
customers' perception as to whether the organization has met their requirements and,
of course, the products and/or services delivered.
The numbers refer to the clauses in the standard:
4. Context of the organization (Plan)
Purpose: Clauses 4.1 and 4.2 help organizations to identify the variables that could
impact on their ability to carry out their operational activities and achieve their goals.
Using this information, organizations can prepare for a range of eventualities.
Clauses 4.3 and 4.4 ensure that organizations have all of the processes in place they
need for their management system to work effectively, given the unique characteristics
of their business.


5. Leadership (Plan)
People do what their managers pay attention to. If meeting customer and regulatory
requirements, enhancing customer satisfaction and improvement of systems and
processes are important to top management, these will be the things they pay attention
to, and so will get done. Section 5 describes specific requirements for how top
management make their commitment to, and prioritising of, the customer and the
quality management system, and how they support these commitments in a practical
sense.
6. Planning (Plan)
This section is all about transforming ideas and words into tangible goals and actions, to
ensure that things get done, and making sure that changes are implemented in a
managed and coordinated way.
7. Support (Plan, Do, Check, Act)
The purpose of this section is to make sure that all the processes, and the people
operating them, that are needed for the management system have the resources and
support they need to operate properly, including the tools and equipment, competent
people and up-to-date information.
8. Operation (Do)
This section covers the processes through which your organization provides products
and services for your customers. It's likely that most of what you do as an organization
is covered by the requirements in this section. Its purpose is to ensure that your
operational activities are planned and controlled systematically, so they work properly
and enable you to deliver products and services that meet customers' needs and
expectations.
9. Performance evaluation (Check)
To ensure that all the processes in the management system are delivering their intended
results, and that the processes interact effectively in the overall system.
10. Improvement (Act)
The purpose of this section is to close the loop, making sure that improvements
identified in section 9 are implemented, which can be both reactive and proactive, and
that improvement objectives are fed back into plans (section 6).


Pre-course preparation
Exercises

Before attending the course you are required to have knowledge of the requirements of
ISO 9001.
Depending on your previous knowledge and experience, you may find it useful to
complete the following activities before the course, to consolidate your existing
knowledge and understanding:
1. Read through the guide to ISO 9001 requirements that is in the appendix to this
document.
2. Select some of the sections from the guide, maybe those that you are less familiar
with and find out what processes and procedures your own organization uses to
address these requirements. Now compare these with the requirements as they are
detailed in ISO 9001.
3. Review some of the internal and external audit reports for your organization, and
compare their findings with the relevant sections of ISO 9001.
4. Look at your organization's quality policy, quality objectives and documented
information, and compare their contents with the relevant ISO 9001 requirements.
5. If available, look at the inputs and outputs from your organization's management
review. How do they meet the requirements of 9.3.2 and 9.3.3? What is your
organization seeking to improve?


Section F Introduction to Auditing

Introduction to Auditing
Purpose
This section introduces some basic concepts of auditing. It contains essential
information, which you should know and understand before attending the course.
Read this section carefully. You will have an opportunity during the course to clarify any
points with the trainer.

Audit terms and definitions


The following terms and definitions are quoted from ISO 19011 Guidelines for quality
and/or environmental management systems auditing, which is referred to in ISO 9001.

ISO 19011 is a guidance document, not a set of requirements.

Audit
Systematic, independent and documented process for obtaining audit evidence and
evaluating it objectively to determine the extent to which audit criteria are fulfilled.
Audit evidence
Records, statements of fact or other information, which are relevant to the audit criteria
and verifiable.
Audit criteria
Set of policies, procedures or requirements used as a reference against which objective
evidence is compared.

Auditor
Person who conducts an audit.
Audit team
One or more auditors conducting an audit, supported, if needed, by technical experts.
Note: one auditor of the audit team is appointed as the audit team leader.
Technical expert
Person who provides specific knowledge or expertise to the audit team.
Audit client
Organization or person requesting an audit.
Auditee
Organization being audited.


Audit programme
Set of one or more audits planned for a specific time frame and directed towards a
specific purpose.
Audit plan
Description of the activities and arrangements for an audit.
Audit scope
Extent and boundaries of an audit.

Audit types and purpose


Audits are done for a variety of reasons, for example to check a process is carried out in
accordance with the planned arrangements.
Quality management system audits may be used to:
- Verify conformance to planned arrangements.
- Identify opportunities for improvement.
- Assess the effectiveness of quality management systems.
- Assist with selection and monitoring of suppliers.
- Verify compliance with contractual requirements.
- Determine conformity with ISO 9001 requirements.
First, second and third party audits
These terms describe the relationship the auditor has with the organization being
audited.

- First party or internal audit is the term used when the auditor works for the
  organization being audited. First party audits are used for internal purposes. The
  person managing the audit programme will decide the scope of the audit.

- Second party or supplier audit is the term used when the auditor works for the
  client buying from the auditee. Second party audits are used to help select and
  monitor suppliers. The audit client will decide the scope of the audit.

- Third party or independent audit is the term used when the auditor works for an
  independent auditing organization, for example those carrying out certification
  audits. The auditee organization may include all of its products within the audit, or
  it may want to limit the audit to a selected range. The independent audit body will
  audit all applicable parts of the organization's quality management system and
  evaluate conformance with all applicable requirements of ISO 9001.
Note: determining conformity with ISO 9001 or another recognised standard is the
primary purpose of a third party audit.


Certification and accreditation


At some stage you will almost certainly need to explain the terms certification and
accreditation to people who do not understand them.
In overview the system works like this:
- Accreditation bodies, for example the United Kingdom Accreditation Service (UKAS),
  audit and award accreditation to:
- Certification bodies, for example LRQA, who audit and award certification to:
- Organizations.
Accreditation bodies audit certification bodies against the requirements of ISO 17021
Conformity assessment - Requirements for bodies providing audit and certification of
management systems.
Accredited certification bodies will generally follow the guidelines contained in ISO
19011 Guidelines for auditing management systems.
ISO 19011 is a guidance document whereas ISO 17021 is an auditable document. And
where ISO 17021 only applies to certification bodies, ISO 19011 is also referenced by
many organizations operating first party (internal) or second party (supplier) audit
systems.
There is no statutory requirement for certification bodies to be accredited, but the
credibility of certification can be greatly undermined if they are not. Using an accredited
certification body gives stakeholders the assurance that:

- Certification auditors are competent and have relevant industry experience;
- They conduct rigorous, evidence-based audits and their recommendations are
  validated;
- Certified organizations have systems and processes that enable them to consistently
  meet the requirements of their customers, and of ISO 9001;
- Certified organizations are audited regularly to ensure that they continue to conform
  to requirements, and certification will be withdrawn if they do not.


Section G Verification of Pre-course Work

Verification of Pre-Course Work


The purpose of this section is to check your understanding of the information given in
this pre-course work.
1. Match the definition to the term and write the letter of the correct definition against
the term. There are two definitions for which there is no term listed.

No.   TERM                  Def.
1.    Management system.    ___
2.    Procedure.            ___
3.    Corrective action.    ___
4.    Nonconformity.        ___
5.    Process.              ___

DEFINITIONS
a) Specified way to carry out an activity or a process.
b) Action to eliminate a detected nonconformity.
c) Set of interrelated or interacting activities that use inputs to deliver an intended
   result.
d) Set of interrelated or interacting elements of an organization to establish policies
   and objectives and processes to achieve those objectives.
e) Set of interrelated or interacting elements.
f) Non-fulfilment of a requirement.
g) Effect of uncertainty.

2. In the space below, describe the difference between correction and corrective action
and give an example of each.

3. Which of the following are guidance documents?


a) ISO 9000
b) ISO 19011
c) ISO 9004
d) None of the above
e) All of the above

4. Complete this cross-reference guide by identifying five specific requirements in ISO
9001 that support each of the quality management principles listed below.

Quality Management Principle    ISO 9001 requirements that support the principle
Customer focus                  ___
Leadership                      ___
Engagement of people            ___
Improvement                     ___
Evidence-based decision making  ___


5. With reference to this pre-course work and ISO 9001, who has overall responsibility
for the organization's quality policy and quality objectives?

6. With reference to this pre-course work and ISO 9001, describe in the space below
the purpose of Management review.


Section H Personal Course Objectives

Defining Personal Course Objectives


Purpose
Each delegate will have their own reason for coming on the course. For example you
may be an internal auditor (first party audits) who wants now to audit against ISO 9001.
Or you may be coming on the course as part of your personal development. It will help
you and the trainer if, before you arrive, you think about and plan what you want to get
from the course. We have designed this section to help you with this. It forms a bridge
between the pre-course pack and the course itself.
In thinking about your objectives for the course you also want to consider:

- What you need to do to meet the IRCA requirements for Auditors. You may find it
  beneficial to visit the IRCA website for more details of the requirements for
  becoming an IRCA certificated auditor: www.irca.org
- Your familiarity with ISO 9001 and quality management systems.
- Any other expectations which you or your employer have from the course.

Please now write your personal objectives using the form on the next page and bring it
with you to the course.


Personal Course Objectives


Name:
Company:
Course Name: QMS Auditor/Lead Auditor

My current auditing experience is: (please give a brief description of your auditing
experience including the type of audits you have completed or been involved in).

My future auditing role will be: (please give a brief description of how you see
your role as an auditor developing in the future and include also the type of audits
you expect to be involved in).

My objectives for the course are: (please list between three and five specific
things that you want to be able to do as a result of completing the course).

Do you intend to apply to become an IRCA certificated auditor or lead auditor?
Yes / No / Don't know

Please take a copy of this page and bring it with you to the course. You will be asked to
discuss and present your course objectives to your group and LRQA trainer.


Appendix: Guide to ISO 9001 Requirements

Guide to ISO 9001 Requirements


Introduction
This document provides a layperson's guide to the requirements of ISO 9001. It is
intended to help you understand the purpose of the requirements and explain what the
requirements mean, using everyday language.
Caution!
ISO 9001 specifies requirements for quality management systems. It does not prescribe
how these requirements are to be met. Rather, it encourages organizations to carefully
design their management system and processes to reflect the unique characteristics and
needs of the organization, and the environment in which it operates.
If your organization's quality management system has been certified as conforming to
the requirements of ISO 9001, it has found a way of meeting the requirements that suits
its business needs. But what suits one organization may not suit another. For example,
where one organization chooses to have many documented procedures, another may
choose to rely on other means to ensure the effective planning, operation and control of
its processes.
Also your organization may have additional requirements that it needs to conform to,
such as customer or regulatory requirements that may prescribe ways of working, which
ISO 9001 does not.
Using this guide
Remember that this document gives guidance to help you interpret and understand the
requirements. Always refer to the specific text in ISO 9001 for the definitive version of
the requirement.
For each requirement we have given an indication of its purpose, i.e., what it is trying to
achieve. We have also provided a summary of the requirements and where needed,
some further guidance; usually examples or explanations of the requirements.


1 Scope
This section describes the overall purpose of ISO 9001, which can be thought of as a
tool to help organizations to:

Consistently provide products and services that meet customer and regulatory
requirements.
Enhance customer satisfaction.
Improve the quality management system.

2 Normative references
Some of the terms used in ISO 9001 are defined in a document called ISO 9000. This
document also describes the quality management principles that underpin ISO 9001
requirements, so this is a useful document to refer to.

3 Terms and definitions
These are defined in ISO 9000.
Auditable requirements
Sections 4 to 10 of ISO 9001 contain the auditable requirements. These are what
auditors and certification bodies will audit against. Organizations who have gained
certification to ISO 9001 will have demonstrated that they meet the requirements in
sections 4 to 10.

4 Context of the organization
All organizations are unique and all operate in a changing and often complex external
environment. The purpose of section 4 is to help each organization design a management
system that is suitable for achieving its purpose and strategic direction, given the unique
characteristics of the organization, its stakeholders and the external environment in
which it operates.
This section supports the Plan phase of the Plan-Do-Check-Act cycle.

4.1 Understanding the organization and its context
Purpose: To identify the variables that could impact on the organization's ability to
achieve its purpose and strategy and the goals of the quality management system (see
1 Scope above). Using this information, organizations can prepare for a range of
eventualities.
Requirements
Firstly, organizations need to be clear about their purpose and strategic direction;
this would include the products and services they offer, the markets they serve and
their approach or business model for how they will operate.
Then they can determine the external and internal issues that could affect, positively
or negatively, achievement of the organization's strategy and goals.
Having identified issues that might be relevant, the organization needs to monitor
and review these, i.e., keep an eye on them so that they have early warning of
changes that they need to react to and plan for.


Guidance
We often use the term issue in a negative context, focussing on problems. But in this
context an issue can be seen as an important topic or characteristic, which might have
positive or negative implications for the organization.
External issues might include political, financial, economic, social, technological,
legal/regulatory and environmental.
Internal issues would include the size, structure and locations of the organization, its
values and culture, how it performs, its internal resources, including the competence
and demographics of the workforce, the nature of plant and equipment, IT resources
etc.
Issues are likely to change over time, some more slowly than others. Hence the
requirement is to monitor and review internal and external issues.
Issues identified should be tested for relevance: are they relevant to the organization's
purpose and strategic direction, and could they impact the quality management system's
intended results?

4.2 Understanding the needs and expectations of interested parties
Purpose: To ensure that the quality management system is designed to take account of
the needs of individuals or groups who could impact upon or be impacted by the quality
management system.
Requirements
Identify individuals and groups who could impact upon or be impacted by the
organization's ability to consistently provide products and services that meet
customer and regulatory requirements.
Determine what they might need or expect that is relevant to the organization and
its quality management system.
Keep track of (monitor) information about these parties and their interest in, or what
they need and expect from, the organization.
Guidance
Examples of relevant interested parties are:
Customers and consumers: past, present and future (potential).
Employees.
Sister/group companies.
Suppliers, partners, agents and contractors: past, present and future (potential).
Regulatory authorities.
Competitors.
Neighbours and interest groups.
Relevant requirements may be documented, for example in contracts, regulations and
service level agreements. However, a relevant requirement may also be a need or
expectation that is generally implied rather than explicit.
The potential impact of interested parties is likely to change over time, hence the need
to monitor and review. For example, a business that wishes to build an extension to its
warehouse to support its strategy for growth may find that, at this point in time, its
neighbours become a critical interested party with the potential to significantly impact its
strategic direction by supporting or objecting to planning applications.


4.3 Determining the scope of the quality management system
Purpose: To make sure that the extent and boundaries of the management system are
clear and that it includes all the processes and activities needed to provide the products
and services required, whilst reflecting the internal and external issues and needs of
interested parties.
Requirements
Produce and maintain a documented statement of the scope of the management
system, including the products and services covered by the quality management
system.
Include details of any products, services or ISO 9001 requirements that are not
covered and the reasons for this.
Guidance
The scope should include any activities that are outsourced to another organization,
including activities outsourced to other independent parts of your own organization.
For example, if your organization has an arrangement whereby another organization
carries out design activities on your behalf, the responsibility for ensuring that the design
process is controlled will rest with your organization and so this would be included in
the scope of your management system.
If the quality management system does not cover all the products and services your
organization delivers, an explanation of their exclusion from the scope should be
included.
Similarly, if your organization cannot apply a requirement of the standard because it is
not relevant to your organization, the reason for this should also be included. In
practice this would be limited to operational activities, e.g. an organization that cannot
apply the design and development requirements of 8.3 because there is no design
activity involved in what it does.

4.4 Quality management system and its processes
Purpose: To ensure that organizations design a system that includes all of the processes
they need for the quality management system to work effectively, given the unique
characteristics of their organization.
Requirements
Firstly, determine all the processes that need to be covered by the quality
management system.
Determine the inputs and outputs for each process, and how the processes fit
together (their sequence and interaction).
Decide what the effective operation of each process would look like and how to
control and check the process to make sure it's working as planned.
Make sure the resources needed to operate each process are known and available
and that the roles of people involved in the process are clear, including their
authority to make decisions.
Identify any risks and opportunities that apply to the process and make sure these
are addressed (e.g., through the process controls).
Evaluate processes to see if they are operating as planned and achieving the results
expected and make relevant changes and improvements.


Decide what documented information, if any, needs to be maintained to support the
operation of the process (e.g. process maps, procedures, work instructions,
checklists, specifications, drawings etc.) and what records need to be maintained to
be confident that the process was carried out as planned.

Guidance
A process is something that happens; all activities are processes or parts of processes. A
well designed process will deliver its intended results and fit snugly with the other
processes in the system. This requirement encourages organizations to consciously and
deliberately design and manage processes so that collectively they achieve the purpose,
strategy and results the organization desires.
Processes needed for the quality management system would include:
Operational processes needed to produce products and services for customers.
Support processes to facilitate operational processes.
Externally-facing processes that connect the management system with the wider
world (e.g. interfaces with customers, suppliers, regulators and other interested
parties).
Other processes needed to fulfil ISO 9001 requirements, including processes to
determine external and internal issues and interested parties, processes to monitor
and review issues and interested parties, management review etc.

5 Leadership
People do what their managers pay attention to. If meeting customer and regulatory
requirements, enhancing customer satisfaction and improvement of systems and
processes are important to top management and seen to be so, these will be the things
people pay attention to and so will get done. Section 5 describes specific requirements
for how top management communicate their commitment to the customer and the
quality management system and how they support these commitments in a practical
sense.
This section supports the Plan phase of the Plan-Do-Check-Act cycle.

5.1.1 General
Purpose: To get top management to show leadership for the quality management
system.
Requirements
This section assigns some specific responsibilities that top management must personally
carry out, i.e. that cannot be delegated. These include:
Taking accountability for the effectiveness of the quality management system, in
other words, the buck stops here and top management are expected to take full
ownership for the quality management system.
Promoting risk-based thinking, the process approach and improvement.
Communicating the importance of adhering to quality management system
requirements.
Engaging and directing others to contribute to the effectiveness of the quality
management system and supporting them to do so.
Supporting other leaders and managers in the organization to show leadership in
relation to the quality management system.

There are some further requirements for which top management have overall
responsibility and accountability, but where the use of the word "ensure" means that
they can delegate or involve others in these areas. These include:
Ensuring that quality is an integral part of the business, supporting the business
strategy; that quality policy, objectives and processes are aligned with the business
strategy and context and are fully integrated into business management systems and
operational processes.
Making sure that the resources needed for the quality management system to
achieve its intended results are available, including people, premises, plant,
equipment, IT etc.
Making sure the system achieves the intended results and taking action if it does
not.
Guidance
Top management is defined as the "person or group of people who directs and controls
an organization at the highest level" (ISO 9000). If the scope of the quality management
system covers only part of an organization, then top management refers to those who
direct and control that part of the organization.
In practice, top management need to be hands-on and show tangible leadership for
quality as an integral part of their business strategy. They need to involve themselves in
the Plan-Do-Check-Act cycle, planning the goals and intended results, implementing
and resourcing the plan, checking, monitoring and measuring and reviewing
performance and taking decisions and acting on the performance data to ensure the
quality management system achieves its intended results.

5.1.2 Customer focus
Purpose: For top management to show leadership with regard to customers,
demonstrating that customers are at the heart of the organization and that meeting
their needs and enhancing their satisfaction is essential.
Requirements
Top management to make sure that there are mechanisms and processes in place to:
Find out what customers need and consistently meet those needs.
Find out what regulations apply to products and services and consistently meet those
requirements.
Identify what could get in the way of producing products and services that meet
customers' needs, or of enhancing their satisfaction (i.e., risks), and manage or minimise
these; take opportunities to improve conformity of products and services and
enhance customer satisfaction.
Guidance
Whilst top management can delegate tasks relating to customer focus, they remain
accountable for meeting customer and regulatory requirements and for ensuring that
the drive and desire to improve customer satisfaction is constant.


5.2 Policy
Purpose: For top management to communicate their intent in relation to quality and to
give focus and direction for the organization and what it should achieve.
Requirements
Top management should:
Establish and document a quality policy that:
Reflects the organization's strategy and context and provides long term direction.
Includes top management's commitment to meet customer and regulatory
requirements and to continual improvement.
Is a high-level document from which specific objectives can be derived.
Communicate the policy throughout the organization and to other interested parties
if needed.
Ensure there is a way of checking that people understand what the policy means and
that the policy has been effectively applied.

5.3 Organizational roles, responsibilities and authorities
Purpose: To ensure that responsibility for all the things that need to happen in the
management system is assigned to people, that everyone knows what they need to do
and what others need to do, and that authority for taking action and decisions is assigned
to individuals and groups as appropriate.
Requirements
Top management need to decide who does what, including their authority for making
decisions and taking action. They need to communicate this and make sure people
understand their own and others' roles, responsibilities and authorities.
In particular top management needs to allocate responsibility and authority for:
Making sure that the requirements of ISO 9001 are met.
Making sure that processes do what they are supposed to do and deliver the
required outputs.
Reporting to top management and others on how well the quality management
system is performing and what needs to be improved.
Championing the customer by making sure that customer focus is maintained
throughout the organization.
Making sure the quality management system is not adversely affected when changes
are made, so the impacts of changes on other parts of the system are managed.
Guidance
Although top management can delegate responsibilities as indicated, this does not
absolve them of their overall responsibility and accountability for the quality
management system.


6 Planning
This section is all about transforming ideas and words into tangible goals and actions, to
ensure that things get done and to make sure that changes are implemented in a
managed and coordinated way.
This section supports the Plan phase of the Plan-Do-Check-Act cycle.

6.1 Actions to address risks and opportunities
Purpose: To understand how the variables identified (see section 4) could impact the
organization and the quality management system, positively or negatively, and to
manage these potential impacts.
Requirements
Monitor and review external and internal issues and the requirements of interested
parties (see section 4).
Work out what negative impacts (risks) or positive impacts (opportunities) these
issues could present to the organization.
Decide which risks and opportunities the organization needs to take action upon in
order to:
Make sure the quality management system achieves its intended results.
Maximise positive impacts and minimise negative impacts.
Achieve improvement.
Decide what action to take, according to the significance of the risk or opportunity.
Plan how to integrate and implement actions into the organization's business
processes and the quality management system.
Plan how you will check that the actions taken have worked.
Guidance
This section of the standard encourages organizations to take a proactive approach to
anticipating what could happen and being ready for it, so that there are fewer surprises
for which the organization is unprepared. Risk is defined in ISO 9000 as the "effect of
uncertainty". This uncertainty could give rise to negative consequences, or could open
up opportunities for the organization. Sometimes the same issue can give rise to
negative and positive impacts at the same time, and organizations should consider both.
The organization needs to decide which risks are worth taking action on and the action
taken should depend upon the significance of the issue and its potential impact on the
organization.
Integrating actions into the quality management system might involve changing or
enhancing existing processes (e.g. by adding additional checks and control points) or
defining new processes.


6.2 Quality objectives and planning to achieve them
Purpose: To translate the high-level quality policy into specific actions and deliverables.
Requirements
Measurable quality objectives should be set that support the quality policy. These
should be documented and cascaded throughout the organization, covering the
functions, levels and processes needed to ensure that the higher level objective can be
achieved. Departments, process owners and individuals that contribute to the
achievement of objectives need to have a clear understanding of what is required of
them.
The objectives need to:
Cover applicable requirements, e.g. of the organization and other stakeholders,
including the requirement to consistently provide products and services that meet
customer and regulatory requirements.
Enhance customer satisfaction including improvement objectives that will achieve
this.
Be communicated, monitored and updated as necessary.
For each objective there needs to be a plan covering what actions are needed, who will
do them, when, what resources are needed and how it will be evaluated.
Guidance
There should be transparency from the policy and high-level objectives right through
the organization to the detailed process measures and the checking, monitoring and
measurement activity that happens on a day-to-day basis. It should be possible to take
a high-level objective and trace it down into the detailed measures, and vice versa, i.e. to
take a specific measure and trace it up to see how it contributes to the high-level
objective and subsequently to the quality policy.
The policy includes commitment to improvement and objectives need to be consistent
with the quality policy and so should include specific, measurable improvement
objectives.
Whilst there is a requirement for the objectives to be documented, there is no
requirement for plans to achieve them to be documented, provided that they are clearly
understood by all those involved.

6.3 Planning of changes
Purpose: To implement changes in a controlled and systematic manner and with
minimum adverse impacts.
Requirements
Decide what changes are needed and why.
Assess the impact and possible consequences of the change:
On people, including roles and responsibilities.
On the processes that make up the quality management system.
Decide what resources are needed to make the change and what resource is
available.
Plan and manage the change.


7 Support
The purpose of this section is to make sure that all the processes needed for the
management system, and the people operating those processes, have the resources and
support they need to operate properly, from tools and equipment to competent people
and up-to-date information.
This section supports all phases of the Plan-Do-Check-Act cycle.

7.1 Resources
Purpose: To make sure all the resources are in place for the processes to operate
effectively and deliver the results needed.
Requirements
The organization needs to work out what resources are needed, including to maintain
and improve the quality management system and whether those resources already exist
internally, or if they need to be obtained from outside.
They then need to provide the resources required, including:
People.
Infrastructure (buildings, utilities, plant and equipment, IT, etc.).
Environment in which processes can operate. This could include physical factors
needed to ensure conformity of product and service, such as heat, light, cleanliness
etc. and human factors such as the social and psychological environment needed for
people to perform their roles.
Organizational knowledge and learning, including intellectual property and lessons
learned that can be shared across the organization.
Guidance
The environment for the operation of processes could include processes that are
conducted off-site, such as at a customer's premises.
Organizational knowledge includes what the organization needs to know today,
including lessons learned from previous experience. It is important when implementing
changes or forward planning to identify what additional knowledge the organization
will need and how it will obtain this.

7.1.5 Monitoring and measuring resources
Purpose: To make sure that products and services conform to requirements. This is a
subset of resources and could include people, infrastructure and environment.
Requirements
The organization needs to decide how it will verify that products and services conform
to requirements. Where this is done by monitoring or measuring, the organization
needs to:
Determine what resources are needed to make sure that monitoring and measuring
activities provide results that are accurate and can be trusted.
Make sure the resources are suitable for the task (e.g. capable of measuring the
parameters and criteria defined, e.g. in product specifications).
Provide the resources.
Maintain the resources so they are fit for purpose.
Keep records to show that resources are fit for purpose.

Sometimes it is necessary to be certain, and to be able to prove, that the measurements
made using measuring equipment are accurate, in which case the equipment should be:
Calibrated or verified against known standards at specified intervals.
Identified to provide a link to the calibration status.
Protected to make sure it remains capable of accurate measurement.
If calibration reveals a problem, the organization needs to plan how it will handle any
products that may have been measured using inaccurate equipment.
Guidance
This section most commonly applies to measurement equipment that is used to measure
the physical properties of product. But it could also include making sure that where
conformity of product or service is judged by a person, that that person is competent to
make that decision.

7.2 Competence
Purpose: To make sure people can do their jobs properly and achieve the results
needed.
Requirements
Identify what competencies are required for people doing work for which the
organization is responsible (including employees, suppliers of outsourced processes,
sub-contractors, agency staff etc.).
Make sure that people are competent and have the training, education and
experience required.
Where there are competence gaps, take action to acquire the competence and
check that the actions worked.
Keep records of competence.

7.3 Awareness
Purpose: If people are clear about what's expected, they are more likely to do it.
Requirements
To make sure that people doing work for the organization know about the quality policy
and objectives and their role in making sure the quality management system is effective,
including the need for improvement and the implications of not conforming to the
quality management system.

7.4 Communication
Purpose: To make sure people know what they need to know.
Requirements
Decide what needs to be communicated, inside and outside the organization, who will
communicate, when, how and to whom.


7.5 Documented information
Purpose: To give people the information they need to work effectively, ensuring that
processes are carried out as intended and the quality management system is effective.
Requirements
Decide what documented information is required, including that from sources
outside of the organization. In addition to the documented information mandated
by ISO 9001 the organization needs to decide what other information it thinks needs
to be documented.
Choose a format and media that is appropriate for its purpose and audience.
Title or label the documented information clearly.
Review and approve new or updated documented information before issue to make
sure it will achieve its purpose and is suitable for the audience.
Make sure it's distributed, or available and accessible, to the people who need to use
it.
Protect documented information from damage, from access by those who should not see
it and from unintended alterations; make sure it is only used as intended.
Control changes, e.g. through some form of version control.
Make sure documented information is appropriately stored, for as long as needed
and is then disposed of in a controlled way.
Guidance
Documented information is defined as "information required to be controlled and
maintained by an organization and the medium on which it is contained". A document
can be in any medium capable of storing information, including paper, electronic
documents, photographs, software etc.
ISO 9001 requires organizations to document and maintain the quality policy and
objectives and requires certain other documented information to be retained as records.
Beyond that, it is up to each organization to decide what is appropriate: they need to
have sufficient documented information to support people and help them do the right
things, but not so much that it becomes confusing.
Documented information can typically include process maps, procedures, work
instructions, specifications, databases, computer code, drawings, contracts, records,
meeting minutes, emails, checklists etc.


8 Operation
This section covers the processes through which organizations provide products and
services for their customers. It's likely that most of what your organization does is
covered by the requirements in this section. Its purpose is to ensure that operational
activities are planned and controlled systematically, so they work properly and enable
organizations to deliver products and services that meet customers' needs and
expectations.
This section supports the Do phase of the Plan-Do-Check-Act cycle.

8.1 Operational planning and control
Purpose: To make sure the planning and control of operational processes is effective
and consistent with high-level planning (see section 6).
Requirements
Many of the requirements in this section repeat or reiterate those covered in other
sections, such as section 4.4. Additional requirements in this section include:
The need to be clear about the requirements for products and services and the
criteria for their acceptance, i.e., how we know if the requirements are achieved.
The need to maintain and / or retain documented information to show that products
and services conform to requirements.
The need to produce planning outputs as necessary. These might include things
such as: project plans, production schedules, method statements, quality plans, work
instructions, process documentation, control plans, verification or inspection and test
plans, depending on the product or service and needs of the organization.
The need to review the consequences of unintended changes and take action to
mitigate any adverse effects.
The need to control outsourced processes as well as internal processes.
Guidance
For an organization that offers bespoke products or services, the outputs of the
planning process may be customer specific, e.g. a quality plan or project plan describing
how that particular contract will be fulfilled. Where an organization has standard
products or services, the output of the planning process may be more general, such as
schedules and work instructions.
Whilst there is no specific requirement for the output of the planning to be
documented, in most cases some documented information is likely to be needed.

8.2 Requirements for products and services
Purpose: For the organization to be clear about what the customer wants and know
that they can meet their needs.
Requirements:
There are three elements to this section:
8.2.1 Customer communication
The organization needs to ensure that processes for communicating with customers are
effective, for the end-to-end relationship, from providing information about the
products and services available, handling enquiries, contracts and changes, through to
obtaining their feedback at the end of the process and handling of complaints and
contingency actions that may be needed. This also covers arrangements for handling
customers' property.

8.2.2 Determining the requirements related to products and services
The organization needs to be clear about the specifications of its products and services
and be able to prove that they fulfil the claims made, e.g. in advertising and marketing
information. Products and services also need to meet relevant regulatory requirements.
8.2.3 Reviewing requirements related to products and services
Before making a commitment to provide products or services, the organization needs to
review to ensure that it is clear about what is being requested and that it is able to fulfil
all of the requirements, both stated and implied, including delivery and post-delivery
activities. The organization needs to resolve any differences between the order
requirements and those previously expressed, for example in a quotation or contract.
Appropriate records of the review should be kept and any changes communicated.
Guidance
If organizations are to achieve customer satisfaction, they need to properly understand
what it is the customer wants. This section of ISO 9001 typically applies to enquiry,
quotation, contract and sales activities and may include advertising information,
marketing activity and a range of customer-contracting processes, from telephone and
internet sales to complex tender processes.

8.3 Design and development of products and services


Purpose: To ensure products are designed effectively and that they work.
Overview
Organizations design products and services to meet customer specific needs or the
needs of the market. Design is fundamental to achieving customer satisfaction. Design
must include customer and applicable statutory and regulatory requirements for the
product from the start. ISO 9001 mandates requirements to ensure design is carried out
as a series of logical steps, including periodic reviews of the design to ensure
requirements are identified and carried forward into the final product. The ISO 9001
requirements for design incorporate the Plan-Do-Check-Act cycle.
Requirements
There are five elements to this section.
8.3.2 Design and development planning
The design process should start with planning. The detail of what's included in the plan
will depend upon the nature, duration and complexity of the specific design, but it
should include:
The stages of the design and development process, including reviews.
Who is involved, their roles and how they need to interact during the design process
(this could include customers and users) and who makes decisions.
The resources needed.
How the design will be tested.
The controls needed to make sure the needs of customers and other interested
parties are met and that the product or service can be produced, e.g. that the design
fits within the organization's capability to make or deliver it.
The documented information needed.


8.3.3 Design and development inputs


Before the design can progress, the organization needs to identify all the things the
design needs to achieve. This should be captured as documented information that
provides a complete, clear and unambiguous description of requirements. These need to
include:
What needs to be designed, what it needs to be able to do (function) and how it
needs to perform.
Any regulatory requirements, standards, codes or practice etc.
Lessons learned from similar products.
The potential consequences if the product or service fails (in order that the design
can seek to avoid or mitigate these).
Guidance
Although it's not a specified requirement in this section, the design input requirements
would need to be consistent with the needs and expectations of customers and other
interested parties. The examination of potential consequences links back to risks and
opportunities discussed in section 6.
8.3.4 Design and development controls
Design activity needs to progress in a controlled way, following the plan. Specific checks
need to be made including:
Reviews, to ensure the design stays on track and that it will meet all the
requirements.
Verification: answers the question "in theory, could this design work?" by making
sure all of the input requirements have been addressed in the design outputs. This is
usually a theoretical process that takes place before any prototyping of the design.
For example, if you were designing a drinking glass you might compare the drawings
and materials specification with the inputs to make sure it will hold the right amount
of liquid and that it will be dishwasher safe.
Validation: answers the question "does this design work in practice?" This would
involve producing the product or service and testing whether it performs as needed.
It could include building prototypes, destructive testing, sample batches, piloting of
services, user testing etc.
Records of these checks, and any actions needed to address any problems, need to be
retained as documented information.
8.3.5 Design and development outputs
The output of the design process will be used to make the product or deliver the service,
and needs to contain all the information needed to do this, consistently. The output
needs to:
Be documented.
Address all the input requirements.
Specify the acceptance criteria and how they are to be measured / monitored.
Specify the features and characteristics of the product or service that are needed for
it to work properly and achieve its purpose, safely.


8.3.6 Design and development changes


Changes to the design might be made during or after the design and development
activity. Either way, changes need to be clearly identified, reviewed and controlled to
make sure conformity to requirements is maintained.
Organizations need to retain documented information of the changes, the results of
reviews, who has authorised the design changes and what action is needed.
Guidance
You can argue that in order to review and control changes, a process similar to the
original design process would be needed, i.e. the changes should be verified against the
design inputs and validated to ensure that the revised design will work as intended. If
the design change is intended to correct a problem, organizations may also need to
identify what action is needed to ensure that existing products conform, for example a
product recall for products that might not be safe, or a service pack for a software
programme.

8.4 Control of externally provided processes, products and services


Purpose: To give confidence that processes, products / materials or services from
outside sources are fit for purpose.
Requirements
There are three elements to this section.
8.4.1 General
When externally sourced items or services are incorporated into, or used to provide your
products or services, the organization needs to work out what controls are needed, and
apply them, to make sure they conform to requirements.
This includes situations where suppliers provide products or services directly to your
customers and applies where organizations operate processes on your behalf.
Organizations need to decide and apply criteria to:
Evaluate and select external providers.
Monitor their performance.
Re-evaluate providers.
They should keep records of the criteria, the evaluations and actions arising.
Guidance
"Externally provided" includes anything that comes from outside the organization. This
could include materials and services purchased from suppliers, components
manufactured to your design by a subcontractor and material or components supplied
by customers for incorporation into their products or services. It would also include
outsourced activities, where another organization or other part of your own
organization such as a sister, parent or subsidiary company operates processes on your
behalf, such as an IT helpdesk, central purchasing or design function.
In some instances the organization may be required to use a specific provider, e.g.
because it is a corporate policy or a customer requirement. In such instances the
organization will need to show that it is able to control the process and have effective
arrangements for communicating with and resolving any problems with that provider, to
ensure that requirements are met.


8.4.2 Type and extent of control


The organization should take a risk-based approach to controlling external providers,
based on the potential impacts of the products and services they are providing and how
effective the providers' own controls are.
The organization needs to:
Define controls to be applied to the external provider and also the product or service
itself.
Decide how to verify that the products or services conform to requirements, e.g.
through monitoring, inspection etc.
8.4.3 Information for external providers
Organizations need to communicate requirements clearly to external providers including:
The products and services to be provided and any related approval requirements, or
specific requirements for the competence and qualification of people involved.
How the organization and provider will communicate and interact.
How the organization will monitor and control the external provider's performance.
Any verification activities the organization intends to carry out at the provider's site.

8.5 Production and service provision


Requirements
There are six elements in this section.
8.5.1 Control of production and service provision
Purpose: To make sure that the operational processes are controlled and effective and
result in products and services that meet requirements.
Requirements
Organizations need to make sure they control operational processes and many of the
controls to be considered here duplicate requirements identified elsewhere, for example
from section 4.4, processes, and section 7, resources and documented information.
Some requirements are specified here in more detail than elsewhere, for example:
The need to monitor and measure to verify that processes are controlled and that
acceptance criteria for products and services have been met.
The need to validate processes where the output of the process cannot be fully
inspected.
The need to take actions to prevent human error.
The need to control arrangements for releasing products/services and what happens
after, including delivery and beyond.
Guidance
This section supports risk-based thinking and links particularly to 6.1.2.b, integrating
actions to address risks and opportunities into the quality management system
processes. Put simply, greater risks generally warrant tighter controls. This also applies
to the likelihood of human error, which should not just be accepted as being inevitable.
Taking a risk-based approach, organizations should identify circumstances in which
humans are likely to make errors; where the consequences of this would have a
significant impact on the organization's ability to consistently provide product and
service that meets customer and regulatory requirements, additional controls may be
needed to prevent mistakes.

8.5.2 Identification and traceability


Purpose: To make sure we know what's what and can link and match things as
needed.
Requirements:
Identify product in an appropriate way, making it clear throughout the production
process what checks have been made and what the results were. Where traceability is
required, a method for uniquely identifying materials and product, and for keeping
records, is needed.
8.5.3 Property belonging to customers or external providers
Purpose: To know if we are using other people's property and to look after it.
Requirements
Many processes rely on materials or information that comes from customers and other
external providers. These could include materials, components, data, intellectual
property such as designs, tools, software etc. For example, an organization that
manufactures and installs signs may be attaching the sign to their customer's building.
Similarly a financial institution or legal service may use confidential information and
personal data supplied by the customer. In all of these cases the organization needs to
exercise a duty of care with respect to customers' and others' property, which includes
identifying and protecting it and reporting back to the owner if there are any problems.
8.5.4 Preservation
Purpose: To look after the product or service and make sure it is not lost, damaged or
harmed.
Requirements:
Take appropriate steps to look after process outputs to make sure they meet
requirements, through all stages of the operational processes.
8.5.5 Post-delivery activities
Purpose: To make sure organizations meet their obligations after the product or service
is delivered.
Requirements
The organization needs to determine and meet requirements for post-delivery activities.
These can include contracted services, such as maintenance or help desks, handling of
problems customers experience with the product, such as warranty claims, and end of
product life services such as recycling. The degree to which post-delivery activities are
needed depends upon customers' needs and expectations, the nature of the product or
service and associated risks, and any regulatory requirements.
8.5.6 Control of changes
Purpose: To ensure that changes are made in a controlled way and ensure conformity
of products and services.
Requirements
Where things change that affect the provision of products and services, the organization
needs to review the change, keeping records of the review, the results of the review,
who has authorised the change and what actions are needed.


8.6 Release of products and services


Purpose: To make sure the product or service meets requirements before it is delivered
to the customer.
Requirements
Check the product or service at stages of its production to make sure it meets the
requirements, as you have planned (see 8.5.1).
If for any reason the plan has not been adhered to, or the product or service is not
exactly as specified, any release would need to be approved by someone with
appropriate authority, who may be the customer.
Keep records that show that the product or service met the acceptance criteria and
link to the person who authorised its release.

8.7 Control of nonconforming outputs


Purpose: To make sure that where a problem is detected, the organization rectifies the
problem before it affects the customer.
Requirements:
When problems are identified the organization needs to act to ensure that the
nonconforming output cannot be used. In the case of nonconforming products or
services, the organization needs to make sure these are not delivered to the
customer, unless the problem is corrected or the customer is told of the nature of
the problem and agrees to a concession. If problems are identified during or after
delivery the organization must take appropriate action, which could include
suspension of the service or recall of product.
Documented information should be retained describing what the nonconformity
was, what action was taken, who authorised the action and giving details of any
concessions obtained.
Guidance
An output is defined as the result of a process. This could be a physical output, such
as a component or a product, or it could be an intangible output such as information or
data. Nonconforming outputs could be detected at any stage of the operational process;
for example, if a delivery company noticed that a batch of address labels did not
include the customers' post codes, they would need to take action to make sure this
batch of labels could not be used and would need to print a correct batch.


9 Performance evaluation
This section is intended to ensure that all the processes in the management system are
delivering their intended results and that the processes interact effectively in the overall
system.
This section supports the Check phase of the Plan-Do-Check-Act cycle.

9.1 Monitoring, measurement, analysis and evaluation


Purpose: To find out whether the organization is getting the results it wants and to
provide information that supports fact-based decision making.
Requirements
The organization needs to evaluate if the quality management system is effective, i.e., if
it is achieving the goals and results intended.
Firstly the organization needs to decide what to monitor and measure, how and
when. This needs to include the monitoring of customers' perceptions to find out if
they consider their needs and expectations have been met.
Then it needs to decide what it's going to do with the results of the monitoring and
measuring, including how and when it will analyse and evaluate the data.
The analysed data should enable the organization to know how well it is performing
in relation to:
Providing products and services that conform to requirements.
Satisfying customers.
Whether the quality management system is achieving its intended results.
Whether planning has been effective.
How successful actions to address risks and opportunities have been.
The performance of external providers.
What needs to be improved.
Guidance
This is the Check part of the Plan-Do-Check-Act cycle, so it's important that the checks
reflect the original plan and provide a transparent trail between policy, objectives and
specific measures (see the guidance note in section 6.2).
This section applies where any reference is made in ISO 9001 to evaluating effectiveness
(e.g., 6.1.2, evaluate the effectiveness of actions to address risks and opportunities, or
7.2.d, evaluate the effectiveness of actions to address competence gaps).


9.2 Internal Audit


Purpose: To monitor the quality management system to see if it is being applied as
intended and if it is working, with a view to identifying improvements.
Requirements
Develop an audit programme (schedule) outlining what processes are to be audited,
when, by whom and how. Carry out the audits defined on the programme.
For each audit, clearly identify:
The processes to be audited (scope).
The requirements against which the processes are to be audited (criteria). Specific
requirements will vary for each audit, but will include:
The organization's own requirements, which might also cover regulatory
and customer requirements.
The requirements of ISO 9001.
Who will do the audit (making sure they are not biased and can be objective
about the process they will audit).
Plan and conduct individual audits, to determine conformance against the criteria
and the effectiveness of the processes.
Report the audit to relevant management.
Take action to correct any problems identified and take corrective action to make
sure they can't happen again.
Record the results of audits as documented information.
Keep the audit programme up to date (maintain it) and ensure records are available
to show that the audit programme has been implemented.
Guidance
ISO 9001 encourages a risk-based approach to audits and the schedule should be based
on a combination of factors including:
Quality objectives: what is the organization trying to achieve?
The importance (risk) of processes: what could be the consequences if it went
wrong?
Customer feedback: what's important to them?
Changes impacting the organization.
Results of previous audits.
Information available from other monitoring and measurement activities to indicate
how well the process is performing.


9.3 Management Review


Purpose: Management review is a key driver of the quality management system,
connecting the Plan-Do-Check-Act cycle. This is where top management turn checks
into actions, and support fact-based decision making.
Requirements
Top management periodically reviews the quality management system to make sure it's
achieving the results intended and supporting the organization's strategic direction.
The review should consider:
Progress and results on actions from previous reviews.
Changes in the external and internal issues and feedback from interested parties
(identified in section 4).
Information from data collected and analysed (see 9.1), including opportunities to
improve.
Performance against objectives.
Audit results and other information about process performance.
What problems (nonconformities) have happened and how successful corrective
actions have been in addressing the problems and stopping them happening again.
Adequacy of resources.
Having reviewed the information from the system top management needs to make
decisions (with associated actions) about:
What to improve.
What to change.
Resources needed.
Organizations should keep records of management reviews.
Guidance
This is an important leadership activity that top management are personally responsible
for, and so supports the leadership requirements of section 5.
As well as considering the overall results of the system, top managers should also
consider whether the tools, methods, approaches, resources etc. used are appropriate
(suitable) for the organization and what it's trying to achieve and whether there is
enough of them (i.e., are they adequate or sufficient?).
The frequency of the review is to be determined by the organization, but the focus
should be on having sufficient information, with trends over time, to allow leaders to
stand back from the day to day detail and allow them to take a broad and holistic view
of how well all the components of the system are performing, including how well
processes are interacting.


10 Improvement
The purpose of this section is to close the loop, making sure that improvements
identified in section 9 are implemented, which can be both reactive and proactive, and
that improvement objectives are fed back into plans (section 6).
This section supports the Act phase of the Plan-Do-Check-Act cycle.

10.1 General
Purpose: To drive improvement.
Requirements
Identify what needs to be improved in order to better meet customer needs and
enhance their satisfaction, including:
Current or future improvements to products and services.
Resolving existing problems and preventing others.
Improving processes and the overall quality management system so that it works
better.
Guidance
All the information from section 9 would feed into the identification of what needs to
be improved, particularly through the management review process.

10.2 Nonconformity and corrective action


Purpose: To resolve problems and stop them happening again.
Requirements
A nonconformity arises when an organization doesn't meet a requirement, including
where a customer has made a complaint. When a nonconformity is detected the
organization needs to:
Address the issue and its possible consequences.
Review and analyse the nonconformity to work out what caused it and whether
other similar problems could happen.
Decide what action is needed to stop it happening again or elsewhere, in
proportion to the problem and associated risks.
Implement actions, including making changes to the quality management system if
necessary and check if they have worked.
Update information about risks and opportunities from the information learned in
dealing with the nonconformity.
Retain documented information about the nonconformity, actions taken and the
results of the actions taken.


10.3 Continual Improvement


Purpose: To make sure that improvement is a recurring, systematic activity.
Requirements
To routinely examine the results of data analysis, evaluation and management review to
identify how to make the system more suitable, how to improve any inadequacies and
make the overall system more effective in achieving the required results.
Guidance
This section reiterates the linkage in the Plan-Do-Check-Act cycle, ensuring that
information is fed into management review, and that top management regularly review
the information and identify improvements (section 9) that are fed into the overall
selection of improvements (section 10) and that these are then planned for (section 6).
