ISO 9001 - Quality management

The first edition of ISO 9001 was published in 1987 and at that time it was based on the requirements of a British standard (BS 5750).

Since its first publication ISO 9001 has been revised four times – in 1994, 2000, 2008 and, most recently, in 2015. Revising standards is a normal process, meant to keep them relevant to changes in technology, the business environment and international trade.

ISO 9001 is in fact part of a family of standards that also includes ISO 9000 (the standard that defines the vocabulary, principles and fundamentals of quality management), ISO 9004 (applicable to organizations that want to use quality management in the pursuit of sustainable success), ISO 19011 (a guide for auditing management systems) and ISO/TS 9002 (published in 2016 as guidelines for the implementation of a quality management system). Starting from the requirements of ISO 9001, other standards have been developed to define quality management requirements for specific industries. Some examples are ISO/TS 16949 (today IATF 16949, for the automotive industry); ISO 13485 (for the manufacture, storage, distribution, installation and service of medical devices); AS 9100 (specific to the aerospace industry) and ISO/TS 29001 (for the oil and gas sector).

RIGCERT is accredited for the certification of quality management systems according to ISO 9001:2015. Our accreditation certificate is available here.

ISO 9001 includes a series of requirements that an organization has to fulfil in order to have a functional quality management system (QMS) and obtain certification. Below we explain the requirements of ISO 9001:2015, but it’s important to highlight that, although the requirements are generic, they have to be understood and applied to the specifics of each organization, its context, products and services. The requirements of ISO 9001:2015 are grouped into 7 major chapters: context of the organization, leadership, planning, support, operation, performance evaluation and improvement.


The organization is required to identify internal and external issues relevant to its purpose and strategic direction. Examples of internal issues can be: the structure and governance of the organization, resources and capabilities, organizational culture, existing contractual relations, etc., while external issues can be related to the political and economic situation, financial markets, availability of key resources and workforce, etc. Interested parties and their relevant needs and expectations are to be determined. Some examples of interested parties are: customers, suppliers, employees, the community, partners, final users of products and services, etc. ISO 9001 asks the organization to define the scope of its QMS – the activities and locations included in the management system and, if any, the requirements of the standard that, given the specifics of the organization’s activities, are not considered applicable (e.g. requirement 8.3 Design and development – in case no design and development activities are performed). The processes in the organization as well as their sequence and interaction have to be identified (a process transforms input elements into outputs, and outputs from one process can become input elements of the next – e.g. outputs from the purchasing process (i.e. products and services purchased) are inputs into the manufacturing or service provision process). Defining the context of the organization is meant to ensure that the organization is aware of the external and internal realities of its environment, of the interested parties and their requirements, and takes those elements into consideration in its operations.


Senior management is required to support the QMS and demonstrate its commitment to continual improvement and to meeting customer requirements. Top management should define and communicate inside the organization a quality policy, which represents in fact the visible proof of its commitment to the QMS. Top management shall also define roles, responsibilities and authorities for personnel, including roles and responsibilities for the administration and improvement of the quality management system. In order to have a functional QMS and get benefits from its implementation, the involvement and support of top management are key.


The organization is required to identify and treat relevant risks and opportunities in order to give assurance that its QMS achieves the intended results. ISO 9001:2015 does not prescribe a specific approach to the identification of risks and opportunities, nor does it require a formal risk assessment. Still, the organization has to demonstrate that it uses risk-based thinking and that there are actions meant to address risks and opportunities. Obviously those actions have to be proportionate to the potential impact on the conformity of products and services. The organization is required to establish quality objectives and to plan and act for their achievement.


The resources needed for the implementation of the QMS and for the operation and control of processes shall be available. The organization must provide and maintain the needed infrastructure (buildings, utilities, equipment, software, IT&C, etc.), depending of course on its activities, products and services. The environment for the operation of processes (including here physical factors like temperature, humidity, hygiene, light, etc.; psychological factors, e.g. stress reduction and burnout prevention; and social factors like a non-discriminatory and non-confrontational attitude) shall be available. Obviously the environment for the operation of processes varies depending on the specifics of the organization and its activities. The organization has to identify, provide and maintain the appropriate measuring and monitoring resources needed to verify the conformity of its products and services. As needed, such equipment shall be calibrated/verified according to specifications. The organization shall have access to the relevant knowledge needed to operate its processes and to achieve conformity of its products and services. Sources for obtaining this knowledge differ according to the specifics of every organization (experience, intellectual property, industry standards and academia are just a few examples). ISO 9001 requires that the organization identifies the needed competence for persons doing work under its control and ensures that those persons are competent. Whenever appropriate, the organization should act to ensure people acquire the needed competence using different methods (training being the most popular, but mentoring or re-assigning responsibilities are other options). Personnel shall be aware of the quality policy and objectives, of their contribution to the effectiveness of the QMS, as well as of the implications of not conforming to requirements. Effective communication processes (internal and external) shall be in place.
The quality management system shall be supported by documented information. The extent of the documentation differs depending on the structure and size of the organization and on its activities, products and services. Documented information of the QMS shall be controlled.


ISO 9001:2015 requires the organization to plan, implement and control the processes needed for the provision of products and services to its customers. Outsourced processes (subcontracting) that have an impact on the conformity of products and services shall also be controlled. Proper communication with customers shall be in place with regard to: providing information relating to products and services; handling enquiries, contracts and orders, including changes; obtaining customer feedback, including customer complaints; handling or controlling customer property; and establishing requirements for contingency actions when required, depending on the specifics of products and services. The organization shall ensure that the requirements for the products and services it intends to place on the market are established and that it can meet the claims made for the products and services offered. It is required that, before committing to supply products and services to a customer, the organization performs a review that confirms it has the capability to provide the respective products and services as required. In case the organization performs design and development activities, this process needs to be appropriately controlled to ensure its results are adequate. Specific controls are required for design and development, including planning, identification of input elements, verification, validation and the control of changes. The organization is required to ensure that processes, products and services purchased from external providers conform to requirements. ISO 9001:2015 requires the organization to define and apply criteria for the evaluation/re-evaluation, monitoring and selection of suppliers and to implement controls for products and services obtained from external providers, taking into consideration the potential impact on the organization’s own products and services. The organization must use suitable means to identify products and services in order to ensure traceability.
Property of customers or external providers (including here both tangible and intangible property) that is under the control of the organization shall be adequately protected. The standard requires that, depending of course on the specifics of its products and services, the organization provides adequate preservation conditions (including here aspects like identification, handling, packaging, contamination control and transport). Post-delivery activities shall be planned and performed as required (depending on the products and services, post-delivery activities may refer to warranties, legal and contractual obligations, maintenance services, recycling or final disposal, etc.). ISO 9001 requires that, prior to the release of its products and services, the organization performs all needed verifications to ensure requirements have been fulfilled. When nonconforming outputs (products and services) are identified, the organization shall take appropriate actions based on the nature and effect of the nonconformities. Such actions include: correction, segregation, containment, return or suspension of provision, informing the customer, etc.


ISO 9001:2015 requires the organization to evaluate the performance and effectiveness of its QMS. Information on customer satisfaction shall be obtained and reviewed. The methods for obtaining customer satisfaction information are at the choice of the organization. At planned intervals the organization shall perform internal audits of the quality management system to ensure it conforms to the requirements of ISO 9001:2015 and is implemented and maintained. Senior management is required to review the QMS periodically to ensure it continues to be adequate, effective and in line with the strategic direction of the organization.


The organization has to identify opportunities for improvement and act to improve its products and services in order to enhance customer satisfaction. Whenever nonconformities are identified (including complaints), the organization has to act by applying corrections and corrective actions.

Those are, in short, the requirements of ISO 9001:2015. As mentioned at the beginning, the requirements have to be understood and adapted in relation to the specifics of the organization and of its products and services.

Being applicable to any kind of organization, ISO 9001 has been adopted by more than 1.000.000 organizations around the world as shown by the ISO Survey of 2017. The standard can be implemented and certified in state institutions, private companies or not for profit organizations.

ISO 9001 can be implemented and certified individually or integrated with other management system standards (most common choices being ISO 14001, ISO 45001/ OHSAS 18001 or ISO/IEC 27001).

If you are interested in certification please contact us at
If you want to understand the requirements of this standard and how they can be implemented and audited you can check out our online course on this page.


Frequently asked questions

It is a set of elements (policies, processes and procedures) used by an organization to fulfil its objectives and perform its tasks. A management system can address a single discipline (e.g. a quality management system or an information security management system) or several disciplines at the same time, in what is referred to as an integrated management system. It is the organization’s choice what type of management system it implements and certifies.

For every discipline there are specific standards that define the requirements for a management system (e.g. ISO 9001, ISO 14001 or ISO/IEC 27001). An organization wishing to obtain certification of its management system has to demonstrate during an initial certification audit that it fulfils the requirements of the specific standards used as the reference for certification.

Regardless of the discipline, all management systems generally require organizations to define roles, responsibilities and authorities for personnel, document policies, establish objectives and actions to achieve them, demonstrate operation in controlled conditions, monitor, measure, analyze and evaluate performance, and act to continually improve the system.

A management system can be implemented by the organization using internal resources or with the help of external consultants. The management system needs to be maintained and continually improved.

To be useful, a management system should become an integral part of the organization’s activities and not a set of requirements separated from operational routine.

The support from top management is vital for the success of a management system in the organization.

Certification is an attestation from a third party (usually called a registrar or certification body) that the management system implemented by an organization fulfils the requirements of the applicable standard(s).

So, in fact, it is not the organization that is the subject of certification but its management system.

The certification process begins with the application sent by the organization looking to obtain certification. It has to be a written application, and it is useful to the certification body for understanding what is required and for planning the resources needed to provide the certification services.

A contract for the certification is signed.

The certification audit is performed to evaluate how the requirements of the standard(s)/reference documents are implemented. The audit team is made up of one or several members, and the audit duration depends on a series of factors like the standards for certification involved, the size of the organization, its activities, locations, etc.

In case the conclusions of the audit are positive and there are no other elements that may affect the certification, the certification body issues the conformity certificate(s).

The document General rules for the certification of management systems contains detailed information about how the certification process works and what the requirements for obtaining and maintaining certifications are.

Management system certifications are valid for 3 years, on the condition that successful yearly surveillance audits are performed (in the first and second year after certification). Surveillance audits are meant to evaluate whether the certified management system continues to respect the applicable requirements.

The certification program is the document that specifies the planning of surveillance audits, and it is communicated to the organization at the certification date.

In the third year the recertification audit takes place and the organization enters another 3-year certification cycle under similar conditions to the previous one.

In case surveillance audits are not performed as scheduled, the certification may be suspended. During suspension the certification is temporarily invalid. If the situation is not corrected during suspension, the certification is withdrawn.

Appeals refer to decisions of RIGCERT with regard to a certain certification (e.g. not granting, suspending, withdrawing, etc.), while complaints may refer to a series of aspects like: the personnel working on behalf of RIGCERT, the activities of organizations certified by RIGCERT, the activities of third parties connected to RIGCERT, etc.

Appeals and complaints should be sent at and are treated confidentially.

RIGCERT personnel involved in the review and decision regarding a certain appeal or complaint have not been involved in the case being reviewed.

The review can include actions like performing special audits and requesting information from the parties involved, and it is concluded with a formal decision communicated to the appellant and/or complainant.

Detailed information on the appeals and complaints handling process is available in the document General rules for the certification of management systems.
