Last September, seven years after the previous version, the new ISO 9001:2015 was published. Within three years (by September 2018), it will completely replace the "old" 2008 standard.
Since we believe it is beneficial to start understanding the effects of the standard's revision on your organization as soon as possible and to work on the new text to allow enough time to implement the required changes to the Quality System, let’s take a look at the key updates introduced by this important revision.
First, the 2015 version once again emphasizes the process approach, which, although already present in previous editions, has unfortunately been adopted by only a few organizations—many of which still operate based on functions rather than processes. While this is not a radical change, the concept of "process approach" has evolved from a general mention in section 0.2 of the ISO 9001:2008 introduction to the ten requirements outlined in section 4.4.2 of the new standard.
Another major focus is on what might initially appear to be a mere simplification of document management but, in reality, represents a clear stance on what the new standard refers to as "documented information."
All previous documents, procedures, and records will now fall under the broader term "documented information," which includes:
- The statement of the quality system’s purpose;
- Documentation related to process activities and their control;
- The quality policy;
- Records of production processes or service delivery;
- Quality objectives;
- Evidence of staff competencies;
- Monitoring and measurement records;
- Review of contractual requirements;
- Records related to design and development;
- All aspects of traceability;
- Control of modifications;
- Product/service release records;
- Management of tools and equipment;
- Internal audits;
- Management reviews;
- Non-conformities and corrective actions.
The final major change involves the identification and management of risks and opportunities within the organization’s daily operations, which is now mandatory to obtain or maintain ISO 9001 certification.
Rather than a full-fledged risk management system (as outlined in ISO 31000 or ISO 14971), the new standard promotes a concept known as risk-based thinking. This does not require a formalized risk management process but rather a structured awareness that risks and opportunities are inherent in every organization. Recognizing and managing them is essential for satisfying customers and ensuring long-term success.
This is perhaps the most impactful change, as it requires companies to adopt a completely different strategic approach. While some forward-thinking organizations already saw this as logical, many still separate strategy, policy, and daily operations from quality management, treating it as merely a certification requirement rather than a powerful managerial tool.
Conducting a serious analysis of risks and opportunities means moving away from a one-size-fits-all approach based on a long list of standard requirements. Instead, it encourages a more mature methodology where each company evaluates its specific risks and opportunities to design a management system that truly meets its needs.
To effectively apply this new approach, it is essential to understand the organization’s context—including the needs and expectations of stakeholders—and to monitor it systematically. This is the only way to continuously improve the system and achieve the agreed objectives, which is why this aspect is also considered a key innovation.