Six pitfalls to avoid in your ISO 9001 2015 migration project

Without ISO 9001 Transition Training or the services of a competent ISO 9001 Consultant, these are the most likely mistakes you'll make...

As we’re now more than half way through the three-year ISO 9001:2015 Transition Period (it ends September 2018) many Management Representatives (and their advisers and consultants) will be concerned about the changes needed to comply with the revised Standards and keen to avoid significant error.  But which are the errors to avoid?  We think there are six main pitfalls to be avoided in implementing ISO 9001 2015...

  1. Continuing to audit procedures only.
  2. Limiting treatment of risk-based thinking to clause 4.4.1.
  3. Not recognising the importance of the word ‘determine’.
  4. Insufficient records to demonstrate maintenance of the QMS.
  5. Ignoring the need for what was called Preventive Action.
  6. Failure to adequately address the identification of processes and their interrelationship.

We’ll consider each in turn.  But note – the list is not prioritised and you need to avoid all of these pitfalls…

1. Continuing to audit procedures only

Many audit programme managers and their Certification Bodies (CBs) have for many years accepted audit schedules that listed procedures alone.  This was never fully adequate as, for example, Section 5, Management, in the 2008 Standard was rarely included in a procedure and so not audited as part of the internal audit programme.  The situation has changed significantly with the revised Standard. Examine Sections 4, Context of the Organization (COTO), and 5, Leadership, in particular.  There are many requirements here that are unlikely to be mentioned in a Procedure, Work Instruction and the like.

Our Advice: Revise your Internal Audit Programme and, in addition to auditing Procedures, plan to audit other requirements using other methods.  Include interviews with top management to ensure that Leadership requirements are being met and introduce a Checklist to confirm that specific requirements in COTO and elsewhere are being complied with.  A significant effort will likely be needed to get this right.

2. Limiting treatment of risk-based thinking to clause 4.4.1

Risk requirements occur in every Section of the Standard from Section 4 through Section 10. We have previously covered this in the article ‘ISO 9001:2015 and Risk-based Thinking - some practical advice’.

Our Advice: Review your Quality Manual (and don’t be tempted not to have a Quality Manual) to ensure that every instance relating to risk mentioned in the article is addressed adequately. And emphasise to top management that they will be quizzed about risk, and its application to your organization, as part of their interviews with CB Auditors.

We go further: we suggest you apply risk management methods focused on satisfying your customers.  That’s right, a fully documented risk management system.  This was covered in our article ‘The answer to RBT in ISO 9001 2015 is Risk Management’.

3. Not recognising the importance of the word ‘determine’

The word ‘determine’, or a variant, appears 40 times in the auditable parts of the Standard.  Take for example a statement like ‘The organization shall determine the boundaries and applicability of the quality management system to establish its scope’.  What exactly is required to demonstrate compliance with the requirement?  It is not unreasonable to claim compliance by simply telling a CB Auditor that you have determined the boundaries etc. and proceed to tell him/her what the boundaries and scope are.  However, if you limit yourself to offering interview evidence only to demonstrate compliance with all or most of the 40 instances of ‘determine’, the CB Auditor will not be able to provide a positive audit conclusion (a recommendation for registration to the revised Standard) due to insufficient objective evidence of compliance.  Interview evidence is the weakest form of evidence and is acceptable only when better evidence is not possible.

Our Advice: Treat every instance of ‘determine’ as a requirement for some form of documented evidence – a document or record of some kind.  Alternatively, you can demonstrate an activity or show a physical asset. Only when it is not possible to do otherwise should you offer interview evidence alone.

4. Insufficient records to demonstrate maintenance of the QMS

CB Auditors will need sufficient ‘retained documentation’ as evidence of the Quality Management System (QMS) being implemented and maintained as per the requirements of ISO 9001:2015.  At a minimum you will need three months of records; consult your CB to determine what minimum they will apply – it does vary from one CB to another.   The time taken to generate records will largely determine how long it will take to complete your ISO 9001 2015 migration.

Our Advice: In addition to having at least three months of records of your QMS operating in conformance with ISO 9001:2015, make sure that you have…

  1. Completed a full cycle of internal audits against the requirements of ISO 9001:2015 (necessary as evidence of having fully implemented the QMS), and
  2. Recorded a Management Review of the QMS operating under ISO 9001:2015 requirements.

5. Ignoring the need for what was called Preventive Action

A lot has been written about Preventive Action having been removed from the Standard and, while the phrase ‘preventive action’ is not used, the circumstance that usually led to it in the past remains. To explain, preventive action is about addressing the causes of potential non-conformances.  And previously, as an extension of Corrective Action, the question was asked: ‘where else in our processes could this non-conformance arise?’  In other words, where could the cause of the non-conformance we are dealing with, or something similar, cause another non-conformance.

Clause 10.2.1 b) states: ‘evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by…’ (our bold).  Note those three words carefully – they call for the equivalent of Preventive Action.

Our Advice: If you have a typical Non-Conformance Report (NCR) form for your QMS that meets the requirements of the 2008 Standard, you will have a section for Corrective Action and another for Preventive Action.  Don’t delete the latter; instead just change the title from ‘Preventive Action’ to ‘Other Actions’ and use it to prevent other potential non-conformances from occurring.

6. Failure to adequately address the identification of processes and their interrelationship.

We have seen situations where a single SIPOC Diagram was presented in a Quality Manual as evidence of the application of the Process Approach.  This will no longer be accepted by CB Auditors.  The revised Standard has expanded requirements regarding the Process Approach. In future, expect Major Noncompliances where a cursory approach is adopted.

Our Advice: Prepare a fully-featured Process Flowchart to include operating processes, quality management processes and support processes (HR, Finance and similar).  Ensure that the flowchart is consistent with the Context of the Organization and with the physical reality and customer requirements.  Make sure that the key Processes are identified, that is, the ones that, if they fail, will have most adverse effect on customer satisfaction.  These key Processes will require detailed Procedures, Work Instructions and the like, to adequately control them.


We don’t suggest that these are the only pitfalls on the migration path to ISO 9001:2015 Certification. But they are the ones most likely to cause difficulties.

We hope you’ve found this article useful and we wish you every success in your transition to the revised Standard.

Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in manufacturing industry John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems. 'Our objective is to be a world-class provider of e-training using the best proven technology so to satisfy and, hopefully, delight all of our Learners. Great commercial success and professional esteem will surely follow.'