FAQ
In short, ISO 9001 is a voluntary Quality Management System (QMS) standard that helps organizations ensure they are meeting customer requirements. Note that the key word in the title is "Management." The intent of the 9001 standard is to implement systems that Management can use to better run the business.
Many companies have portions of these best practices in place currently or they wouldn't be able to stay in business. However, the standard offers a more structured approach for processes such as how customer requirements are reviewed and met; how products or services are actually produced and delivered; how employees are hired and considered to be competent; how documents are controlled to ensure they are current; how management itself periodically reviews the processes they have implemented; and how data is used in decision making. In fact, the 23 page standard provides guidance in all areas of the business. Its process approach to organizational improvement can be applied to any business - no matter the industry or size.
ISO 9000 indicates the overall series of the Quality Management System standards. ISO 9001 is the number of the actual standard to which a company achieves certification. Both terms are often used synonymously to refer to the certification. The year of the current revision of the standard appears in the title, such as ISO 9001.
Prior to the 2000 revision of the ISO standard, there were also ISO 9002 for companies who didn't design any products, and ISO 9003 for companies who just did distribution. ISO 9002 and 9003 have been discontinued. Now, there is just the one standard, and if certain sections don't apply, organizations can take an "exclusion" for those sections. ISO 9004 is a guidance document that helps explain the requirements of the 9001 standard. ISO 9000 itself is also a supporting document related to fundamentals and vocabulary.
The International Organization for Standardization decided not to use an acronym for their organization, because it would be different in different languages. Instead, they used the word "ISO," which is derived from the Greek word "isos" meaning "equal." The standards act as an equalizer for companies doing business across global boundaries.
Apart from the Quality Management System standards, there are many other standards that are maintained by the International Organization for Standardization located in Geneva, Switzerland, and their 158 member countries.
Apart from the obvious benefit of opening up market opportunities where ISO 9001 certification is a requirement, the biggest benefits stem from having a structure to improve your processes. Because the standard is really based on best practices for organizations, it provides management with the tools to objectively decide where things are working well, and where to best apply resources to make things run more smoothly. So - ideally, ISO 9000 helps your management team maximize the effectiveness of your business, thereby enhancing growth and reducing cost. From your customers' perspective, it gives them confidence that you have an organization that can consistently meet their needs.
Absolutely. We've worked with companies of one or two people who decided to get ISO certified. The processes that you'll put in place would have the same intent as a much larger company; it's just that the implementation will be simpler. We work with organizations to assist them in balancing the appropriate level of documentation with what's necessary to meet requirements.
In fact often times the process of achieving ISO 9001 is much simpler with smaller companies due to the lack of complexities in process as well as simple and straight forward business processes.
The answer depends on a number of factors. There are costs to implement, cost related to the Registrar and costs to maintain. In terms of costs to implement, if you choose a full do-it-yourself approach, the only real costs will be in the time for resources dedicated to the implementation process and in time spent writing documents and training your staff. If you have little experience with ISO 9001, or have limited internal resources, you might choose to get some outside professional help.
Costs of registration are dependent on the size of your organization as well. Registrars establish day-rates which are dictated by the total number of personnel within the company, so typical company of less than 5 people are allotted 1 day. Most registrars charge a certain rate per day to be on-site at your facility. Currently the rate is around $1,100 - $1,500 per day per auditor. Smaller companies could expect one auditor on site for 2-3 days; larger companies may require several auditors for an extended site visit. There are also processing fees for the audit report and certificate.
To maintain your certification, the Registrar must return at least annually to audit a portion of your system.
Those costs will be less than the original visit, since the time spent will be shorter. Once every three years, the Registrar returns to audit your entire system.
The ISO 9000 standards are general enough to apply to any industry. We have clients in industries ranging from manufacturing to government and defense contractors; from education to call center operations to software development and they can all apply the standard to their business model.
The ISO standard can be purchased in various languages through the International Organization for Standardization website. In America, the standard (officially, "ANSI/ISO/ASQ Q9001-2008: Quality Management Systems Requirements") can be purchased through the American Society for Quality website. The Standards Council of Canada also has the standard available for purchase on their website.
An amendment to the ISO 9001 standard was released in November 2008. The changes primarily clarify wording, and don't add any new requirements. However, certified companies will need to review their documentation in light of the changes, and revise accordingly. If you are currently certified, you will have two years to transition to these modified requirements. If you aren't certified yet, you will have to understand the intent of the requirements, implement systems that comply with the amendment, and then be audited to the new standard. In either case, you will have to purchase a copy of the ISO 9001:2008 standard which can be found at the International Organization for Standardization website or through the American Society for Quality site in the U.S.
If the products are manufactured in a segregated area or separate building, then you may be able to limit the scope of the certification to those products. Generally it is not possible to do so if these products are built using the same manufacturing process as other products.
That being said, the work to implement ISO 9001 for these two products is probably nearly equivalent with certifying the entire facility so it might be more trouble than it's worth to try to keep everything separate.
Exclusions to ISO 9001 can be taken to requirements in section 7.0 that are not part of the company's operations. It's not related to the size of the company but the type of business you are in.
Incidentally, what IS critical in a micro-business like your's is to keep the documentation simple. We regularly work with companies as small as a 1-man shop to get ISO certified. It's important to tailor the documentation approach to not make your system overly cumbersome that only raises the ongoing costs of certification and often results in more audit findings.
The ISO standard offers best practices that can be used to implement a quality system in any organization. Many organizations who attempt to implement improvement efforts find the efforts can be disjointed without a structure such as ISO 9001. ISO provides a way to focus the management team on what they need to do to successfully implement change in ways that satisfy customers.
Yes. Your Quality System is based on the requirements of the ISO Standard, and so you need to ensure that you have a copy of the most current version to show evidence that you fully understand those requirements. Most Registrars do ask to see that you have a copy available and that it is controlled appropriately as an external document in your Document Control.
Many companies choose get ISO certified by their own, so having a consultant is not a requirement.
We do believe that having access to a consultant's knowledge and expertise can be very helpful as you try to sort out how to apply ISO in your business. One of the key factors in implementation of the ISO 9001 requirements is how and to what degree do we implement the requirements into our existing business processes, also the management of resources to support those business processes. Using a qualified consultant can save your company tremendous time and resources.
And if you have an urgent need to attain certification and limited resources, using a consultant is often the most practical approach.
Of course this depends upon several factors such as: how large your organization is; how complex your processes are; what procedures you may have in place already, etc. For a smaller company (less than 100 employees) an implementation can take 4-8 months; for a larger company (more than 100 employees) the process can take 12-18 months. The process also depends on the time and resources your company can apply to implementation.
One note about the timeframe - once you have met the requirements, there is some time needed for your systems to mature and to produce records that show evidence the systems are working. Most registrars prefer to see 2-3 months worth of records after you've implemented everything. That time needs to be figured in your overall timeline upfront, especially if you have to meet a deadline for registration. How many documents will I need?
Many people are hesitant to begin the certification process, because they incorrectly believe that they will need mounds of paperwork to comply. In fact, the ISO standard only requires a quality manual and six written procedures: Control of Documents, Control of Records, Internal Auditing, Control of Nonconforming Product, Corrective Action, and Preventive Action. Beyond those requirements, it's really up to you how much additional documentation you need to plan, operate and control your business effectively. Some companies find the need to add extra controls they didn't have previously; some use the process to delete older documents that are redundant or not worthwhile to maintain.
You can certainly be ISO certified in as little as 4 months. It requires focused attention on your part and often the help from an experienced outside consulting resource. At Paradigm Consulting we are quite experienced in this area and work diligently with our clients to achieve is a realistic time-frame.
The best way to start is to gain an understanding of the requirements and the process.
Call our office at any time to answer any questions you might have in terms of implementation of requirements and achieving certification success.
We can be reached at 905-764-0749.
A gap analysis is a process used to assess your organization's readiness for ISO 9000. The analysis can be done to review what you currently have in place versus the requirements of the ISO standard. Any differences are the "gaps" that need to be addressed. This process can be conducted by internal staff or can be done by an external consulting firm and should occur in the beginning stage of your implementation.
There needs to be an individual appointed by top management who is responsible for ensuring compliance with the ISO standards and internal procedures. This individual, the Management Representative, usually drives the initial implementation and certification project. After implementation, the Management Rep. has some specific duties relative to the Quality Management System as outlined in the ISO standard. This person needs to have some broad authority to drive change and to relate customer requirements, so the Management Rep. needs to be respected in the organization.
Internal auditors are people internal to your business - your employees or a sub-contractor - who are trained to audit your company's quality management system. In many organizations, auditors are drawn from their full time jobs periodically (usually annually) to perform "audit duties" on a part-time basis. One stipulation is that auditors are not allowed to audit the areas where they work in their full-time capacity. Even in small companies, this can be accomplished by having at least two auditors assigned. The smallest of companies might consider sharing resources within another local ISO certified company or hiring outside help.
The documentation needed to get any organization certified (be it logistics, or manufacturing, or service) is really the same. There is a quality manual needed, which is a policy level document that shows how you address all the ISO requirements.
There are six procedure level documents required: Control of Documents; Control of Records; Internal Audit; Control of Non-conforming Product; Corrective Action; and Preventive Action.
And then there are other documents that you deem necessary to run your business. The need for these documents is really your call in terms of what you need in place to control and operate your organization.
If there are sections of the ISO standard that aren't applicable - for example, if you don't design products or services - you can write an "exclusion" in your quality manual to exempt you from that section.
We provide several packages that can get you started with the quality manual, procedures and other helpful tools. They can all be modified to suit your company.
Verification is an evaluation of your final design results to ensure that they meet specified requirements for the product that were developed before the design effort began. Validation is an evaluation of your product's capability to meet the needs of your customer's application or use. In other words, verification asks, "Does our design meet the requirements?" and validation asks, "Does our designed product work for what the customer needs?"
An interesting question. In our view, an ISO-based QMS is a system of processes that are established and managed by the top management of the company. Employee "compliance" with procedures and processes is achieved with a balance between good process design and employee involvement. Both are necessary and, in our opinion, both are the responsibility of management.
A good process design is one that is easier to do "right" than to do "wrong" so that employees will more often do the "right" thing and errors are immediately made visible to the employee so that a quick correction can be made. If a process is hard to do right, or easy to do wrong, it will be done wrong sometimes simply due to human error, in spite of best effort by employees and management.
Employee involvement is achieved by the creation of a company culture that encourages identification and removal of obstacles in the process. If "real world" obstacles are hidden or ignored, it violates the rule for good process design mentioned above. Most often, obstacles are hidden or ignored because management has not made it "safe" to report problems.
That being said, there are times when an occasional employee will not want to participate and support the change. I've often said that these are the easiest problems management can solve because the appropriate action is clear.
In summary, I guess I'd more support your latter suggestion over the former one.
Metrics are critical because they provide a way to gauge the effectiveness of the processes that have been implemented. More importantly, measures tell an organization how well they are doing in meeting the elements of their quality policy. Most organizations measure several high level objectives related to speed, delivery, quality, reliability, customer satisfaction, etc. Ideally, departmental measures are then designed to support the organization's measures. For example, on-time performance can be measured not only for the business as a whole, but within each department or even at individual work areas. It's really about alignment and focus for going forward as much as knowing where the organization is currently.
As with anything worthwhile, there is some ongoing effort required to maintain ISO 9000 so that it returns real value to your organization. It is possible to implement ISO only to satisfy the auditors and to "check the certification box". But, in many cases only an extra half-step of effort is required to make the certification really pay for itself with increased quality and efficiency. Certainly there are some resources needed to maintain the processes you implement. However, most companies feel this cost is offset by the business benefits realized in terms of more efficient processes.
The ISO 9001 process does impact every employee in a certified company. Generally, the continual improvement of your company processes and procedures involves employees in helping to make changes to the ways in which work gets done, thereby making things work more smoothly. This emphasis on continual improvement is the primary purpose of the ISO certification.
The ISO 9001 standard requires that you define your processes, the sequence, and the interaction between them. Many companies develop flow charts to meet this requirement. In fact, some Registrars prefer to see a flow chart as evidence that you understand the key processes of the business. It's also a way to explain the business processes to new employees.
While it is technically possible to attain certification that quickly, it would imply a very simple process and a very small company. Most organizations take four to six months to attain certification. Also, in order to achieve any business value through the certification process, it should take some thought and planning, which takes a bit longer.
There are several factors that dictate how much time to dedicate to the Quality System. Factors such as size of the organization, complexity of the process, manual administrative systems verses automated or electronic systems (ex: Document Control) all have a role in determining if there is a need for a full-time person. Of course, during the set-up of the Quality Management System there is more of a time commitment than after you are certified. For most small companies, it is a part time role.
First, your organization has to understand the requirements of the standard and implement processes and procedures that meet those requirements. Once you have implemented the requirements you contract an outside party (sometimes known as a "third party"), called a Registrar, to come to your organization and conduct an audit. If they find you have successfully complied with the ISO standard, they will issue a certificate to your company.
When there are areas of your quality system that don't comply with the ISO standard, the Registrar may choose to write what's called a "nonconformance." It's a document that details the discrepancy and the area of the Standard to which it applies. These "findings" need to be addressed by your organization in the form of a Corrective Action plan. Periodically (once or twice a year depending on the schedule you set up) the Registrar will return to audit portions of your quality system. When they return they will ensure that their previous findings have been addressed. Typically, every three years they return for a full system audit.
Obviously, it's best to fully utilize the systems you put in place as part of how you operate the business. Not only will you realize many more benefits from your efforts, but also the Registrar's audit will become second nature and not a big "housekeeping event" where you rush to get things updated before the audit.
The terms are used in different countries to mean the same thing - so there is no real difference. Both terms indicate that your company's Quality Management System (QMS) is being recognized by a Registrar for meeting requirements of the written ISO 9001 standard.
The process doesn't quite work that way. We are a consulting firm, and we are not able to certify companies. We focus on helping you to prepare for the Registrar's certification audit. Conversely, Registrars, who do certify companies, are not allowed to consult. That objectivity on the Registrar's part is necessary for them to fairly evaluate organizations. However, we can help you find a Registrar that suits your business needs and knows your industry.
Many companies choose to implement the requirements of the ISO standard, and not undergo the certification process. That's fine for providing some confidence to their customers that they can meet necessary requirements. What they are missing is the benefit of having an outside party view their company and offer ways to improve their management systems. Having another party conduct a scheduled look at the organization can also make your company more accountable than if it were on its own. You'll also gain the extra credential to show your customers.
There are a number of Registrars who can certify your company's Quality Management System. There are several key factors that you should review as you enter the selection process. The Registrar should be accredited by a body that has international credibility, such as the ANAB (ANSI-ASQ National Accreditation Board) in America or the SCC (Standards Council of Canada) in Canada. This gives your certification more credibility. You should also choose a Registrar that has experience in your particular industry or sector. Certainly the Registrar is there to look for compliance, but they should also highlight areas to improve. This is easier to accomplish if the Registrar has a context for understanding your business. Of course cost should be a factor, though not always the most important when looking at ongoing services they can provide. One thing to remember up-front is that you are the customer. Since ISO 9001 is a voluntary standard, you have the right to choose whichever Registrar best suits your requirements. Most Registrars encourage calls to them with the issues mentioned above and are glad to quote a specific engagement for you. Part of the service we provide at 9000World is to find the best Registrar to fit your requirements.
You can certainly challenge findings from the Registrar, within a professional context. Perhaps the auditor didn't fully understand the background related to an answer given or didn't have all the information available when they made the assessment. Certainly, anything they find should not come as a surprise to you. If you are the Management Representative or even an internal auditor, it's in your best interest to accompany the Registrar's auditor throughout your facility. That way, you can learn through them, and help clarify any terms that may not be clear between them and your employees. Through that process, you can also be apprised of discrepancies the auditor is finding. They auditor should also be showing you where those discrepancies are found in the ISO standard. If you do find yourself at odds with the auditor at the end of the audit, the Registrar should have an appeal process in place that you could pursue. Again, you are the customer. If you find the auditor isn't a good fit for your organization, it's your prerogative to ask the Registrar to change auditors or even more drastically to change Registrars altogether.
No. The certification is for a company's quality management system. So - individuals can't be certified, though they can have their company's systems certified. Individuals can become a Certified Lead Auditor through appropriate training and subsequent auditing, but a person cannot be "certified to ISO 9001."
No. The certification is for a company's quality management system. So - products can't be certified, though you can have your company's systems certified, and give credibility to the processes that produced the product.
The certification is typically "site specific," meaning that in corporations, each location would be certified individually. Companies can tie together locations under one certificate if they have the same quality system process and same quality manual in place. Usually, each site gets audited to ensure they are complying with the standard and their internal procedures. For companies who want to certify a portion of their business (Engineering Services for example) the process can be done relative to that one department. Most companies see the benefits of applying the standard to all departments, however, and choose to get the entire site certified.
Many companies have discrepancies in the area of document control, especially during their initial audit. Findings include problems with inconsistent or missing documentation or documents that are not current. It's vital to have not only good documentation, but also a document control process in place that addresses these issues along with ensuring access for your employees.
Other common "findings" stem from issues with Corrective Action processes, Training, and Internal Auditing. We have several articles that discuss these issues and several solutions that can help you avoid these problems.
When an auditor from a registrar finds a discrepancy between the ISO standard and the company procedure or process, or between the company procedure and the actual implementation, they write their "finding" in the form of a nonconformance. Often, the auditor will make a distinction between a "major" and "minor" nonconformance - major being much more serious.
A major nonconformance typically indicates that the management system has not been implemented properly. For example, if you tried to get certified without an internal audit program.
A minor finding/nonconformance is usually indicative of an incident being discrepant instead of a system-wide problem. For example, if you had a problem with one internal audit file. If there are multiple instances of the same (or similar) minor nonconformance, the auditor may choose to tag the finding as major, since this indicates that the process itself has not been effectively implemented.
With a major finding, certification will not be granted until after the discrepancy is handled and possibly re-audited. With minor nonconformances, registrars will usually issue a "conditional approval" which means that you can respond to the finding with a plan and still get certified. Registrars vary as to what findings they define as major and minor and their actions vary as well. It is best to ask them to articulate the distinction upfront as you enter into an agreement with them.
What it really depends upon is the size of your company and the complexity of your process. For a smaller company, (less than 100 employees) most Registrars will be on site for 1 - 2 days. For larger companies Registrars can spend a week or bring in several auditors. Typically, they charge $1,100-$1,500 per man day plus travel plus some processing fees. So - for smaller companies you are looking at $3,000-$5,000. If larger, the cost could be $10,000-$20,000.
The Registration cost is one piece of the total cost. The cost to implement, whether you use in-house resources or bring in help, adds to the picture. There are also ongoing costs for the Registrar to conduct an annual 'surveillance audit' on a portion of your Quality Management System.
Part of the service we provide to clients is to get quotes from several Registrars local to you that we can help you assess. Of course, we also help with the documentation of your system, through tools we have available on our www.9000world.com site or through an on-site engagement.
The ISO 9001 document provides the standard for Quality Management Systems. The ISO 9004 document contains not only the ISO 9001 standard requirements, but also guidelines for performance improvements. While it's not a requirement of registration to have both documents, it's certainly helpful to obtain the ISO 9004 document to get guidance for implementing each section.
The governing body for the ISO standard itself is the International Organization for Standardization in Geneva. In terms of accrediting Registrars, the body in the US is ANAB (ANSI-ASQ National Accreditation Board.) Other countries have other bodies that certify their Registrars.
Typically all divisions of a company operate under one single certification. In this case, the divisions all share a common quality management system and a single quality manual and commons administrative procedures would be implemented. In addition, each division may have their own individual procedures for their own processes.
In some cases, it is possible to certify a single division of a company, if that division provides its own products or services to customers.
The ISO 9001 certification applies to a business, not a specific process such as handling of a specific part number. The focus of the certification is the company's "quality management system" that includes everything from how your management planning is done, acceptance of contracts and orders, fulfilling orders and customer support.
During a formal ISO audit, findings by an auditor are commonly categorized as either a "nonconformance" or an "observation". A nonconformance, whether major or minor, is a clear discrepancy between a requirement (ISO 9001 standard or company procedure) and company practice (work methods, records, etc.). Nonconformances always require formal corrective action to resolve.
An observation can be noted by an auditor for less significant issues, potential nonconformances and improvement suggestions. While generally no formal action is required in response to audit observations, many Registrar auditors will document observations that will likely become nonconformances in future audits unless addressed. Therefore, you should carefully review all audit observations to see if you can avoid a larger problem in the future by addressing a small problem now.
No outside party can "guarantee" your certification. However, with proper focus on your part, and our assistance, we won't let you go through the certification process without being ready. For the clients we have worked with directly - either through on-site consulting or phone coaching, we maintain 100% success rate for first-time certifications.
A Registrar is a private firm (not associated with the government) that you contract to conduct your audit. They provide an objective "third-party" review of your system. They are also audited to an ISO standard by independent organizations. In the US, the ANAB (ANSI-ASQ National Accreditation Board) independently ensures the quality of the Registrars processes. So - for US Registrars, you should ensure they are accredited by this body or by other country's oversight bodies outside the US.
Consultants focus on helping you to prepare for the Registrar's certification audit. Conversely, Registrars, who do certify companies, are not allowed to consult. That objectivity on the Registrar's part is necessary for them to fairly evaluate organizations. However, we can help you find a Registrar that suits your business needs and knows your industry.
A pre-assessment is an optional step in the process where the Registrar visits your company and reviews your processes and procedures "off-the-record". While it does give you an opportunity to see the areas that the particular auditor may focus on, it is definitely not required. Working with any reliable consultant gives you the same level of objective review of your process as a Registrar pre-assessment.
