What a wild ride it’s been updating the IQPS Internal Auditor Training Course to ISO 9001:2015! I wanted to take some time to contemplate the various opinions out there as we all learn about ISO 9001:2015 together. I have been listening to clients and experts, reading a few books and attending training classes to absorb all the information I possibly could—considering my heavy business travel schedule. All of these classes that tell you about interested parties and risk assessments are great until you have to sit down and define a management system on paper.
- Where do you start?
- Do you even need a quality manual?
- What do you do with the procedures?
Well, I’ve just finished my first ISO 9001:2015 manual and have decided on my approach. First, if your current quality policy manual repeats the standard, throw it away! I can’t tell you how many quality manuals I have read that are just a repeat of the standard. Everybody already knows the standard. My quality manuals have always combined some policy but primarily documented procedures.
Since I already audit ISO 27001 for information security, ISO 14001 for environmental systems and OHSAS 18001 (soon to be ISO 45001) for health and safety systems, all of these systems have one theme in common: identifying and putting controls in place to mitigate risk. These risks include losing information, spilling a drum of oil or avoiding an injury. Now ISO 9001:2015 expects us to mitigate business risks such as losing a sole supplier.
When I looked at all three risk standards, I decided that ISO 27001 was the best fit. After all, ISO 27001:2013 was the first standard to be converted to the Annex SL format. When I first read context of the organization in ISO 9001:2015 and attended my second training class the light came on. They were really talking about the scope document in ISO 27001, which is where the quality manual went!
When I read about contractors in ISO 9001:2015, I see relationships on how ISO 14001 requires you to treat contractors, i.e., those working on your behalf. I also see similarities in statements about communications in ISO 14001 for internal and external communication processes. So for those of you who have organizations certified to ISO 14001 standard, I would incorporate some of this language into your scope document.
For those of you just looking for an ISO 9001:2015 update, I have separated this discussion out from my Internal Auditor Training Course into its own course, called ISO 9001: 2015. I think having audited ISO 27001, 14001 and OHSAS 18001 has given me some brilliant insights and I look forward to sharing them with you!