ISO9001:2000 Frequently Asked Questions

In short, ISO 9001 is a voluntary Quality Management System standard that helps organizations ensure they are meeting customer requirements. Note that the key word in the title is "Management." The intent of the 9001 standard is to implement systems that Management can use to better run the business.

Many companies have portions of these best practices in place currently or they wouldn't be able to stay in business. However, the standard offers a more structured approach for processes such as how customer requirements are reviewed and met; how products or services are actually produced and delivered; how employees are hired and considered to be competent; how documents are controlled to ensure they are current; how management itself periodically reviews the processes they have implemented; and how data is used in decision making. In fact, the 23 page standard provides guidance in all areas of the business. Its process approach to organizational improvement can be applied to any business - no matter the industry or size.

ISO 9000 indicates the overall series of the Quality Management System standards. ISO 9001 is the number of the actual standard to which a company achieves certification. Both terms are often used synonymously to refer to the certification. The year of the current revision of the standard appears in the title, such as ISO9001:2000.

Prior to the 2000 revision of the ISO standard, there were also ISO 9002 for companies who didn't design any products, and ISO 9003 for companies who just did distribution. ISO 9002 and 9003 have been discontinued. Now, there is just the one standard, and if certain sections don't apply, organizations can take an "exclusion" for those sections. ISO 9004 is a guidance document that helps explain the requirements of the 9001 standard. ISO 9000 itself is also a supporting document related to fundamentals and vocabulary.

The International Organization for Standardization decided not to use an acronym for their organization, because it would be different in different languages. Instead, they used the word "ISO," which is derived from the Greek word "isos" meaning "equal." The standards act as an equalizer for companies doing business across global boundaries.

Apart from the Quality Management System standards, there are many other standards that are maintained by the International Organization for Standardization located in Geneva, Switzerland, and their 158 member countries.

Apart from the obvious benefit of opening up market opportunities where ISO 9001 certification is a requirement, the biggest benefits stem from having a structure to improve your processes. Because the standard is really based on best practices for organizations, it provides management with the tools to objectively decide where things are working well, and where to best apply resources to make things run more smoothly. So - ideally, ISO 9000 helps your management team maximize the effectiveness of your business, thereby enhancing growth and reducing cost. From your customers' perspective, it gives them confidence that you have an organization that can consistently meet their needs.

Absolutely. We've worked with companies of one or two people who decided to get certified. The processes that you'll put in place would have the same intent as a much larger company; it's just that the implementation will be simpler. We work with organizations to assist them in balancing the appropriate level of documentation with what's necessary to meet requirements.

The answer depends on a number of factors. There are costs to implement, cost related to the Registrar and costs to maintain. In terms of costs to implement, if you choose a full do-it-yourself approach, the only real costs will be in the time for resources dedicated to the implementation process and in time spent writing documents and training your staff. If you have little experience with ISO 9000, or have limited internal resources, you might choose to get some outside professional help.

Costs of registration are dependent on the size of your organization as well. Most registrars charge a certain rate per day to be on-site at your facility. Currently the rate is around $1,100 - $1,500 per day per auditor. Smaller companies could expect one auditor on site for 2-3 days; larger companies may require several auditors for an extended site visit. There are also processing fees for the audit report and certificate.

To maintain your certification, the Registrar must return at least annually to audit a portion of your system. Those costs will be less than the original visit, since the time spent will be shorter. Once every three years, the Registrar returns to audit your entire system.

The ISO 9000 standards are general enough to apply to any industry. We have clients in industries ranging from manufacturing to education to call center operations to software development and they can all apply the standard to their business model.

The ISO standard can be purchased in various languages through the International Organization for Standardization website. In America, the standard (officially, "ANSI/ISO/ASQ Q9001-2000: Quality Management Systems Requirements") can be purchased through the American Society for Quality website. The Standards Council of Canada also has the standard available for purchase on their website.

There is an amendment (not revision) to the standard now scheduled to be out in October, 2008. This amendment mostly clarifies wording in the standard and doesn't attempt to change the intent of how the standard should be implemented. If you are in process of implementing the requirements now, there shouldn't be any significant changes for you to worry about.

If the products are manufactured in a segregated area or separate building, then you may be able to limit the scope of the certification to those products. Generally it is not possible to do so if these products are built using the same manufacturing process as other products.

That being said, the work to implement ISO 9001:2000 for these two products is probably nearly equivalent with certifying the entire facility so it might be more trouble than it's worth to try to keep everything separate.

Exclusions to ISO 9001:2000 can be taken to requirements in section 7.0 that are not part of the company's operations. It's not related to the size of the company but the type of business you are in.

Incidentally, what IS critical in a micro-business like your's is to keep the documentation simple. We regularly work with companies as small as a 1-man shop to get ISO certified. It's important to tailor the documentation approach to not make your system overly cumbersome that only raises the ongoing costs of certification and often results in more audit findings.

The ISO standard offers best practices that can be used to implement a quality system in any organization. Many organizations who attempt to implement improvement efforts find the efforts can be disjointed without a structure such as ISO 9001. ISO provides a way to focus the management team on what they need to do to successfully implement change in ways that satisfy customers.

Of course this depends upon several factors such as: how large your organization is; how complex your processes are; what procedures you may have in place already, etc. For a smaller company (less than 100 employees) an implementation can take 4-8 months; for a larger company (more than 100 employees) the process can take 12-18 months. The process also depends on the time and resources your company can apply to implementation.

One note about the timeframe - once you have met the requirements, there is some time needed for your systems to mature and to produce records that show evidence the systems are working. Most registrars prefer to see 2-3 months worth of records after you've implemented everything. That time needs to be figured in your overall timeline upfront, especially if you have to meet a deadline for registration.

Many people are hesitant to begin the certification process, because they incorrectly believe that they will need mounds of paperwork to comply. In fact, the ISO standard only requires a quality manual and six written procedures: Control of Documents, Control of Records, Internal Auditing, Control of Nonconforming Product, Corrective Action, and Preventive Action. Beyond those requirements, it's really up to you how much additional documentation you need to plan, operate and control your business effectively. Some companies find the need to add extra controls they didn't have previously; some use the process to delete older documents that are redundant or not worthwhile to maintain.

You can certainly be ISO certified in as little as 4 months. It requires focused attention on your part and often the help from an experienced outside consulting resource. Another option to speed up your ISO project would be to utilize a template-based documentation package like we provide on the 9000World website.

The best way to start is to gain an understanding of the requirements and the process. One place to start is the free training videos here on 9000 World The first, entitled "Introduction to ISO 9000," provides an overview of what ISO 9000 entails. Next, the video entitled, "ISO Project Planning," walks you through the steps to implement a Quality Management System and the certification process. 9000World also provides free access to articles that help you gain specific insight into processes and terminology that may be confusing as you get started.

A gap analysis is a process used to assess your organization's readiness for ISO 9000. The analysis can be done to review what you currently have in place versus the requirements of the ISO standard. Any differences are the "gaps" that need to be addressed. This process can be conducted by internal staff or can be done by an external consulting firm and should occur in the beginning stage of your implementation.

There needs to be an individual appointed by top management who is responsible for ensuring compliance with the ISO standards and internal procedures. This individual, the Management Representative, usually drives the initial implementation and certification project. After implementation, the Management Rep. has some specific duties relative to the Quality Management System as outlined in the ISO standard. This person needs to have some broad authority to drive change and to relate customer requirements, so the Management Rep. needs to be respected in the organization.

Internal auditors are people internal to your business - your employees or a sub-contractor - who are trained to audit your company's quality management system. In many organizations, auditors are drawn from their full time jobs periodically (usually annually) to perform "audit duties" on a part-time basis. One stipulation is that auditors are not allowed to audit the areas where they work in their full-time capacity. Even in small companies, this can be accomplished by having at least two auditors assigned. The smallest of companies might consider sharing resources within another local ISO certified company or hiring outside help.

The documentation needed to get any organization certified (be it logistics, or manufacturing, or service) is really the same. There is a quality manual needed, which is a policy level document that shows how you address all the ISO requirements.

There are six procedure level documents required: Control of Documents; Control of Records; Internal Audit; Control of Non-conforming Product; Corrective Action; and Preventive Action.

And then there are other documents that you deem necessary to run your business. The need for these documents is really your call in terms of what you need in place to control and operate your organization.

If there are sections of the ISO standard that aren't applicable - for example, if you don't design products or services - you can write an "exclusion" in your quality manual to exempt you from that section.

We provide several packages that can get you started with the quality manual, procedures and other helpful tools. They can all be modified to suit your company.

Verification is an evaluation of your final design results to ensure that they meet specified requirements for the product that were developed before the design effort began. Validation is an evaluation of your product's capability to meet the needs of your customer's application or use. In other words, verification asks, "Does our design meet the requirements?" and validation asks, "Does our designed product work for what the customer needs?"

An interesting question. In our view, an ISO-based QMS is a system of processes that are established and managed by the top management of the company. Employee "compliance" with procedures and processes is achieved with a balance between good process design and employee involvement. Both are necessary and, in our opinion, both are the responsibility of management.

A good process design is one that is easier to do "right" than to do "wrong" so that employees will more often do the "right" thing and errors are immediately made visible to the employee so that a quick correction can be made. If a process is hard to do right, or easy to do wrong, it will be done wrong sometimes simply due to human error, in spite of best effort by employees and management.

Employee involvement is achieved by the creation of a company culture that encourages identification and removal of obstacles in the process. If "real world" obstacles are hidden or ignored, it violates the rule for good process design mentioned above. Most often, obstacles are hidden or ignored because management has not made it "safe" to report problems.

That being said, there are times when an occasional employee will not want to participate and support the change. I've often said that these are the easiest problems management can solve because the appropriate action is clear.

I summary, I guess I'd more support your latter suggestion over the former one.

Metrics are critical because they provide a way to gauge the effectiveness of the processes that have been implemented. More importantly, measures tell an organization how well they are doing in meeting the elements of their quality policy. Most organizations measure several high level objectives related to speed, delivery, quality, reliability, customer satisfaction, etc. Ideally, departmental measures are then designed to support the organization's measures. For example, on-time performance can be measured not only for the business as a whole, but within each department or even at individual work areas. It's really about alignment and focus for going forward as much as knowing where the organization is currently.

First, your organization has to understand the requirements of the standard and implement processes and procedures that meet those requirements. Once you have implemented the requirements you contract an outside party (sometimes known as a "third party"), called a Registrar, to come to your organization and conduct an audit. If they find you have successfully complied with the ISO standard, they will issue a certificate to your company.

When there are areas of your quality system that don't comply with the ISO standard, the Registrar may choose to write what's called a "nonconformance." It's a document that details the discrepancy and the area of the Standard to which it applies. These "findings" need to be addressed by your organization in the form of a Corrective Action plan. Periodically (once or twice a year depending on the schedule you set up) the Registrar will return to audit portions of your quality system. When they return they will ensure that their previous findings have been addressed. Typically, every three years they return for a full system audit.

Obviously, it's best to fully utilize the systems you put in place as part of how you operate the business. Not only will you realize many more benefits from your efforts, but also the Registrar's audit will become second nature and not a big "housekeeping event" where you rush to get things updated before the audit.

The terms are used in different countries to mean the same thing - so there is no real difference. Both terms indicate that your company's Quality Management System (QMS) is being recognized by a Registrar for meeting requirements of the written ISO 9001 standard.

The process doesn't quite work that way. We are a consulting firm, and we are not able to certify companies. We focus on helping you to prepare for the Registrar's certification audit. Conversely, Registrars, who do certify companies, are not allowed to consult. That objectivity on the Registrar's part is necessary for them to fairly evaluate organizations. However, we can help you find a Registrar that suits your business needs and knows your industry.

Many companies choose to implement the requirements of the ISO standard, and not undergo the certification process. That's fine for providing some confidence to their customers that they can meet necessary requirements. What they are missing is the benefit of having an outside party view their company and offer ways to improve their management systems. Having another party conduct a scheduled look at the organization can also make your company more accountable than if it were on its own. You'll also gain the extra credential to show your customers.

There are a number of Registrars who can certify your company's Quality Management System. There are several key factors that you should review as you enter the selection process. The Registrar should be accredited by a body that has international credibility, such as the ANAB (ANSI-ASQ National Accreditation Board) in America or the SCC (Standards Council of Canada) in Canada. This gives your certification more credibility. You should also choose a Registrar that has experience in your particular industry or sector. Certainly the Registrar is there to look for compliance, but they should also highlight areas to improve. This is easier to accomplish if the Registrar has a context for understanding your business. Of course cost should be a factor, though not always the most important when looking at ongoing services they can provide. One thing to remember up-front is that you are the customer. Since ISO 9001 is a voluntary standard, you have the right to choose whichever Registrar best suits your requirements. Most Registrars encourage calls to them with the issues mentioned above and are glad to quote a specific engagement for you. Part of the service we provide at 9000World is to find the best Registrar to fit your requirements.

You can certainly challenge findings from the Registrar, within a professional context. Perhaps the auditor didn't fully understand the background related to an answer given or didn't have all the information available when they made the assessment. Certainly, anything they find should not come as a surprise to you. If you are the Management Representative or even an internal auditor, it's in your best interest to accompany the Registrar's auditor throughout your facility. That way, you can learn through them, and help clarify any terms that may not be clear between them and your employees. Through that process, you can also be apprised of discrepancies the auditor is finding. They auditor should also be showing you where those discrepancies are found in the ISO standard. If you do find yourself at odds with the auditor at the end of the audit, the Registrar should have an appeal process in place that you could pursue. Again, you are the customer. If you find the auditor isn't a good fit for your organization, it's your prerogative to ask the Registrar to change auditors or even more drastically to change Registrars altogether.

No. The certification is for a company's quality management system. So - individuals can't be certified, though they can have their company's systems certified. Individuals can become a Certified Lead Auditor through appropriate training and subsequent auditing, but a person cannot be "certified to ISO 9001."

No. The certification is for a company's quality management system. So - products can't be certified, though you can have your company's systems certified, and give credibility to the processes that produced the product.

The certification is typically "site specific," meaning that in corporations, each location would be certified individually. Companies can tie together locations under one certificate if they have the same quality system process and same quality manual in place. Usually, each site gets audited to ensure they are complying with the standard and their internal procedures. For companies who want to certify a portion of their business (Engineering Services for example) the process can be done relative to that one department. Most companies see the benefits of applying the standard to all departments, however, and choose to get the entire site certified.

Many companies have discrepancies in the area of document control, especially during their initial audit. Findings include problems with inconsistent or missing documentation or documents that are not current. It's vital to have not only good documentation, but also a document control process in place that addresses these issues along with ensuring access for your employees.

Other common "findings" stem from issues with Corrective Action processes, Training, and Internal Auditing. We have several articles that discuss these issues and several solutions that can help you avoid these problems.

When an auditor from a registrar finds a discrepancy between the ISO standard and the company procedure or process, or between the company procedure and the actual implementation, they write their "finding" in the form of a nonconformance. Often, the auditor will make a distinction between a "major" and "minor" nonconformance - major being much more serious.

A major nonconformance typically indicates that the management system has not been implemented properly. For example, if you tried to get certified without an internal audit program.

A minor finding/nonconformance is usually indicative of an incident being discrepant instead of a system-wide problem. For example, if you had a problem with one internal audit file. If there are multiple instances of the same (or similar) minor nonconformance, the auditor may choose to tag the finding as major, since this indicates that the process itself has not been effectively implemented.

With a major finding, certification will not be granted until after the discrepancy is handled and possibly re-audited. With minor nonconformances, registrars will usually issue a "conditional approval" which means that you can respond to the finding with a plan and still get certified. Registrars vary as to what findings they define as major and minor and their actions vary as well. It is best to ask them to articulate the distinction upfront as you enter into an agreement with them.

What it really depends upon is the size of your company and the complexity of your process. For a smaller company, (less than 100 employees) most Registrars will be on site for 1 - 2 days. For larger companies Registrars can spend a week or bring in several auditors. Typically, they charge $1,100-$1,500 per man day plus travel plus some processing fees. So - for smaller companies you are looking at $3,000-$5,000. If larger, the cost could be $10,000-$20,000.

The Registration cost is one piece of the total cost. The cost to implement, whether you use in-house resources or bring in help, adds to the picture. There are also ongoing costs for the Registrar to conduct an annual 'surveillance audit' on a portion of your Quality Management System.

Part of the service we provide to clients is to get quotes from several Registrars local to you that we can help you assess. Of course, we also help with the documentation of your system, through tools we have available on our www.9000world.com site or through an on-site engagement.

The ISO 9001:2000 document provides the standard for Quality Management Systems. The ISO 9004:2000 document contains not only the ISO 9001:2000 standard requirements, but also guidelines for performance improvements. While it's not a requirement of registration to have both documents, it's certainly helpful to obtain the ISO 9004:2000 document to get guidance for implementing each section.

The governing body for the ISO standard itself is the International Organization for Standardization in Geneva. In terms of accrediting Registrars, the body in the US is ANAB (ANSI-ASQ National Accreditation Board.) Other countries have other bodies that certify their Registrars.