A Beginner’s Guide to ISO 9001

By Scott Dawson
February 1, 2014

A Beginner’s Guide to ISO 9001 – 2023 Update

What’s Involved in ISO 9001 Certification?

The achievement of an ISO 9001 certification is a milestone in demonstrating to your customers that you have implemented a reliable system of producing and delivering your products and services. The focus of this “system” is twofold: providing consistent products and services, and continual improvement in your processes leading to better results. Common questions and concerns are the focus of this article with the goal of clearing up common misconceptions about implementing ISO 9001 and achieving certification.

ISO 9001 – What is it?

The International Organization for Standardization in Geneva, Switzerland publishes thousands of international standards to help companies throughout the world more efficiently do business with one another. The ISO 9001 standard is focused on defining minimum business practices for the production and delivery of a company’s products and services through the implementation of a formal “quality management system”, or QMS. An ISO QMS is made up of certain processes, documentation, and other formal practices that control internal company operations to ensure customer requirements are consistently met.

Each nation participating in ISO administers formal certifications to companies that can demonstrate compliance with the ISO 9001 requirements. The certification is achieved through a formal quality system audit conducted by a professional auditing firm commonly called a Registrar (other names for these auditing firms are used in various countries). Once a company successfully passes the audit, it is “registered” as a “certified” company.

How is ISO 9001 Certification Achieved?

There are basically four steps to get certified:


The starting point for a company pursuing ISO certification is the planning and preparation of the required processes and documentation specified in the ISO 9001 standards. While these requirements are comprehensive in scope, meaning they apply to most areas of your business, they are also very general in their descriptions, meaning they can be adapted to any type of business. Because of this non-specific language, the ISO standard is extremely flexible and may be implemented in a variety of ways to suit your specific way of doing business.


The starting point for any ISO implementation is to identify and define your key business processes; that is, how you produce and deliver your products and services to your customers. For each process, measurable performance measures and objectives (called “quality objectives”) must be developed and implemented to serve as the basis for continual improvement.

In addition to defined processes and objectives, certain formal documents must be developed and implemented to provide “control” of your processes. 

The first is a quality manual that defines policies your company follows based on the ISO requirements. Additionally, six administrative procedures must be documented and implemented which include:

  • Control of Documents
  • Control of Records
  • Internal Auditing
  • Control of Nonconforming Products
  • Corrective Action
  • Preventive Action

Beyond these basic six procedures, your company must determine any additional procedures, work instructions, forms, or other formal documents needed to effectively implement your QMS. In prior editions of ISO 9001 (prior to 2000), there were numerous “required” procedures. More recent versions of the standard have reduced the focus on required documentation and increased focus on control and improvement of your key business processes.

Once your processes and documents are developed and implemented, train your employees.

To complete this implementation step, many companies seek the assistance of a professional consulting firm such as Core Business Solutions. We provide several products and services designed to simplify ISO implementation and make it achievable for any business. Options provided range from do-it-yourself documentation and “Certification Kits” to more hands-on consulting packages.

Once your QMS is implemented, it is required that you maintain your system for a minimum of 60 – 90 days before your certification. This “waiting period” is necessary to generate sufficient records of your QMS to be auditable. Newly developed processes and documents cannot be demonstrated effectively without some auditable history for the auditor to review. This timeframe should be factored into your overall project plan for certification.


During the Review Stage, you will conduct your internal audit and management review. Once these are completed, your QMS is considered implemented and your company is “ISO Compliant”, though not yet certified.


Who Grants ISO 9001 Certification?

The ISO 9001 certification is granted by a third-party auditing firm called a Registrar which specializes in quality system auditing. There is a wide variety of Registrars located in every ISO participating country. Some firms have offices internationally; others have a more regional focus. The selection of your Registrar is one of the more important decisions you will make to ensure the best alignment with your type of business, your location(s), and the overall cost of maintaining the certification.

The initial certification audit is conducted in two parts. The Stage 1 audit is a general review of your QMS documentation to ensure you have addressed all of the requirements of the standard. Depending upon the size of your business, this can be conducted in a one to two-day visit to your facility or virtually via phone. Any discrepancies noted during the Stage 1 audit will be documented in a formal report and must be corrected before the Stage 2 audit.

The main part of the ISO audit is the Stage 2 audit, which is always conducted onsite at your location(s) and focuses on the implementation and effectiveness of your QMS. During this audit, which can take from 1 day (for very small companies) to several days, the auditor(s) will tour your company, speak to managers and employees, and review documentation and records (along with any Stage 1 discrepancies) to ensure that your system is fully implemented. If any nonconformance is found, it will be documented in a formal report for correction.

Following the Stage 2 audit, you are generally given thirty (30) days to submit corrective action plans for all audit non-conformances. Once corrective actions are received, your certification is complete and your certificate is issued.

To maintain the certification, you will participate in an annual surveillance audit from your Registrar where they confirm that you are maintaining your QMS. Every third year, a more comprehensive re-certification audit is conducted, similar to the initial certification audit.

How Can You Get the Most from Your ISO Investment?

One of the most common misconceptions of the ISO 9001 certification is that it is mostly an exercise in putting documents together to show an auditor in order to get the certification. Those of us who have worked with ISO for several years remember earlier versions of the ISO standard that required inordinate documentation with little focus on actual results. Many business owners and managers considered this merely a basic overhead expense to the business with no measurable benefit.

Improvements to Business Processes

More recent revisions of the standard have restructured the requirements to focus more on the improvement of business processes and have less focus on putting documents in place for the benefit of an auditor. This new approach has had a significant impact on the results achieved by certified companies as seen by customers, shareholders, top management, and employees. This new “Process Approach” is a practical way to align improvement efforts throughout the company with real customer and business needs.

Through working with hundreds of companies each year in achieving ISO 9001 certification since 2000, our consultants have developed three basic rules for implementing ISO to achieve meaningful, measurable results from the investment.


Basic Rules for Implementing ISO:


The most common “mistake” we’ve seen companies make in implementing ISO for the first time is to make it too complicated. This results in procedures no one looks at, records no one needs, and training that does not impact the job. This usually happens because the implementers of the system, not understanding what the auditors will look for during the audit, take a “better to be safe than sorry” approach. All this does is (inadvertently) raise the ongoing cost of the ISO certification without adding value to the business.

Instead, a conscious effort should be made to keep the number of documents to a minimum and focus on implementing those specifically needed by the business or required by the standard.


The second rule for implementation is to stay focused on driving genuine improvement in the company’s processes in order to improve performance for the customers and the business. This means that everything that is implemented should be scrutinized to be sure it is aligned with your company’s ways of operation and the needs of your customers. Because of the general language in the ISO standard, companies can specifically tailor their QMS to meet their unique needs while still complying with the intention of the certification.

The general rule of thumb is to work with a specific requirement until you can see how it benefits your company and fits with the management approach of your organization.


The third rule is based on an understanding that the worst reason to implement something is merely to show it to an auditor. If an ISO requirement is being discussed during your implementation and a comment is made such as “I have no idea why we are implementing this but we have to do it to please the auditor”, then return to rules one and two above. While you certainly need to develop a system that meets the ISO requirements, every requirement is flexible to be implemented in a way to suit your company – and to add measurable value to it. Be sure to review your ISO processes and documentation with an eye on keeping it simple and adding business value. If you do so, your auditor will certainly be satisfied.

ISO 9001 Certification is Achievable

ISO 9001 certification is achievable for any company of any size. It can be done with internal staff resources or with the help of an external consultant. If relying on internal resources, the assignment of a strong project manager and the availability of team members to work on processes and documentation is vital. The use of commercially available templates and training can greatly shorten the time to certification. It is also key to follow the 3 rules above to keep your ISO QMS focused on your specific business needs.

ISO 9001 Consulting Help

You may also want to consider the use of a professional consulting firm to assist with or lead your project. Various consulting firms provide different levels of support, ranging from full-service consulting engagements to do-it-yourself coaching programs and share-the-work approaches that utilize internal resources for much of the hands-on implementation work. This third option is a great way to get the benefit of external assistance and keep the overall cost of the project at a more manageable level. All three consulting options are available from Core Business Solutions.