Faced with the need to complete ISO 9001 certification, owners and managers of small businesses need to know what it will take to prepare for, and pass, the certification audit. Generally, this is not because they want to take shortcuts or “just get by” the auditor. It’s a practical matter of fitting a project such as ISO into very busy schedules. What is the straightest path to certification?
Before we answer, let’s briefly touch on what ISO certification is and what it isn’t. ISO 9001 is a quality management system, or QMS. In other words:
While the focus is on improving of company processes, the QMS is a process itself. When a company is certified, it means that an effective QMS (that is, a process for continual improvement) is in place and has been successfully demonstrated to an auditor.
ISO 9001 is not a quick fix nor does it require that every problem you face is solved. It is an ongoing process of improvement that requires planning and dedication over time. During an initial certification audit, the Registrar will not expect perfection. Instead, evidence that shows a QMS that works will pass the audit. I’ve often said that certification is the starting line not the finish line for continual improvement.
So, our focus for certification should be on setting up the quality management system and showing that it works. For many small businesses looking into ISO 9001, this is somewhat of a surprise because of past experiences or misunderstandings about the ISO process. Let’s break it down into three basic steps.
Step 1: Define the Quality Management System
The starting point for ISO 9001 certification is to define how the company appropriately applies the ISO 9001 requirements. As we have mentioned in a previous blog, there are specific documents that must be prepared in order to define your company’s QMS. These straightforward documents explain how ISO is used in your business in terms your managers and employees can understand and adhere to in the course of their jobs.
All ISO 9001 certified companies have the following documents in place:
Quality Manual – Describes the overall QMS and how the company applies the ISO 9001 requirements. Typically about 20 – 25 pages for a small company.
Control of Documents Procedure – Explains the process for developing, approving, revising and maintaining company documentation.
Control of Records Procedure – Defines policies for storing and maintaining company records.
Control of Nonconformances Procedure – Lays out how products and or services that are found to not meet requirements (“nonconforming”) are identified, controlled and corrected.
Corrective Action Procedure – Explains how problems are investigated and resolved by making necessary changes in company processes.
Preventive Action Procedure – Walks through how potential problems are identified and resolved so they are avoided.
Internal Audit Procedure – Defines the company’s own audit process (separate from the certification audit conducted by the 3rd party auditor) that helps identify weaknesses or gaps in the QMS so they can be corrected.
These seven documents define the company’s quality management system. By preparing this documentation, company management must think through how best to implement the ISO requirements to fit their business.
In some cases, additional documents may be prepared beyond those required to further define how the process will work. Added documentation is at the discretion of management and should only be developed if there is a need for further clarification of certain company processes. Often, additional documentation should be considered after the QMS is implemented as part of your continual improvement efforts.
Step 2: Implement the Quality Management System
As the QMS documents are developed, they must be implemented. Implementation essentially means that the requirements are communicated and followed. ISO 9001 certification affects all employees and everyone must learn what is expected. For some processes, changes to how things done would be expected. Everyone must support the effort.
In order to oversee the implementation and maintenance of the QMS, top management must provide direction, support and oversight through a formal management review. As one of the requirements of ISO 9001 certification, management review is a regular meeting led by the senior executives of the company. This allows management to monitor how well the QMS is working, track performance issues that need to be addressed and determine needed changes to be made. The management review, often set up as a monthly meeting, is what supports the implementation of the QMS and makes it work. Top management must consider this time commitment and plan to fit into their schedules both before and following certification.
Step 3: Verify the Quality Management System
The final step to prepare for ISO 9001 certification is to conduct a full internal audit in order to verify that the QMS is in place and is effective. The internal audit is a tool of top management to help evaluate how well the QMS is implemented and working.
The internal audit is different than the Registrar’s certification audit because it is conducted by company internal auditors on behalf of management. Internal auditors may be trained company employees or a subcontractor, such as a qualified consultant. Part of management’s responsibility is to decide the best resources to use for internal auditing.
The internal audit is often more thorough than the Registrar’s audit because management may want specific processes or problems to be reviewed carefully. The agenda for the internal audit is flexible and should be reviewed by management during management review. The results of internal audits are presented during management review to ensure proper corrections are made.
You’re Now Ready for the Certification Audit
In summary, there are three basic steps to prepare for ISO 9001 certification:
- Define the QMS by preparing required documentation
- Implement the QMS by establishing the management review
- Verify the QMS by completing the internal audit
For most small companies, it takes 3-4 months to complete these steps effectively so they can be demonstrated during the certification audit. Most initial certification audits require follow up actions to correct minor issues found by the Registrar. But a successful certification audit is one where the QMS is in place and can be demonstrated. It does not require everything to be perfect. After all, ISO also requires continual improvement. That means, there will always be something to be improved. That’s the point, after all.–Scott Dawson, President of Core Business Solutions, Inc.