It is a system that is used to manage quality. ISO (the International Organization for Standardization) definition is 'the management system to direct and control an organization with regard to quality'.

Think of it as the system a particular business uses to design, develop or make products. If you make or manufacture widgets, it's the system you use to make them. If you sell or distribute products that other companies make, it's the system you use to buy & sell them. Or if you are a service business, then it's the system you use to develop and deliver your services.

Your business quality system comprises your policies, processes, procedures, people, tools and equipment or other resources: all that is involved in producing your products or services, from planning them in the first place, through creation or design (if that applies), through development and finally delivery to your customers. But a quality management system goes beyond just 'producing product' to include how you manage yourself, making sure your people are competent, that you have the right equipment, tools or whatever else you need right through to checking your results, making sure what you planned to happen in fact did happen, and doing something sensible about that if not.

All the various elements work together (or should do!) to accomplish goods or services of consistent quality that meet their specifications.

Do you have a business now? Have you been in business for a year or more? Are you still in business? Still have customers buying from you? If you answer yes to these questions, you already have a quality system. It may not be an 'ISO 9001 quality system' yet, but you do have a quality management system. And you probably already have some kind of QA, perhaps also some QC.

What is ISO 9001?

ISO 9001 is an international Standard. It represents an international consensus on good management practices for quality. The aim is to ensure that your organisation can deliver the products or services that meet the quality requirements of your clients, time and time again. These agreed good practices have been distilled into a set of standardized requirements for a quality management system, no matter what your organization does, what its size, or whether it's in the private or public sector.

ISO 9001 is the most widely known and internationally accepted model for a quality management system, used by organisations across the globe for some highly effective quality systems. At the end of 2005 over 800,000 businesses were certified to it.

ISO 9001 is a generic Standard. (as is ISO 140001 for environmental management). Most other ISO Standards are specific. A generic Standard can be applied to any organisation in any industry or field in any country, regardless of the type of product or service, or the size of the organisation.

The Standard expects and encourages the use of Deming's PDCA circle: Deming PDCA cycle

First you Plan, then you Do - work the plan.

You Check (review, audit etc) the results you got, and so on.

The more you follow this virtuous quality circle, the better your system becomes.

What is a Standard?

It is a published document that sets out specifications (and sometimes procedures) intended to ensure that a something is fit for purpose and consistently performs in the way it was intended, whether a material, product, method or service.

Standards establish a common language which defines quality and establishes safety criteria. They ensure quality and consistency. Some simple examples include:

Traffic light colours: globally, red = stop, amber = caution and green = go
Conformity in sizes of screws and threads: a nut made in Melbourne Australia, fits a bolt made in Shanghai China
Containers - freight moves worldwide using standardised containers and handling technology.

Key principles of ISO 9001

The Standard is based on these 8 key principles:

Customer focus
Leadership
Involvement of people
A process approach
A systems approach to management
Continual improvement
A factual approach to decision making
Mutually beneficial supplier relationships.

What's in the Standard?

The Standard itself consists of a set of specific requirements.

The requirements aren't impossible, arcane or even strange. Really, they are just sheer good practice, and sound business sense. Requirements are set out in these groups:

General requirements - requirements that apply throughout; including requirements to identify your processes, have and control your documentation and manage records
Management responsibility - requirements for the 'decision-makers'
Resource management - covering people, environment and infrastructure
Product realization - requirements for core business activities

See ISO 9001 in a Nutshell for a summary of the requirements in the Standard.

Each requirement is numbered: there are 28 in 4 groups - more if you count all the sub clauses & details in the content.

An important point: The requirements specify what must be done, but not how.

The requirements are generic. And because it can be applied to all kinds of businesses & organisations, you need skill and experience to apply it intelligently and effectively in your particular organisation and environment.

Which makes sense if you think about it, because you can't - or shouldn't! - just try to apply a 'one size fits all' approach to, say: a security firm, a property development company, an automotive parts manufacturer, a food-producing business, a nonprofit professional organisation, police stations, the Australian ATO, the USA's Federal Aviation Association or companies that develop, service or install software.

An ISO 9001 system must be both documented and auditable - that is, able to be audited.

On the down side, the Standard was written by a committee, and has the inherent weaknesses of multiple authorship. And the language it uses isn't always immediately accessible: it can be difficult to understand.

Why do ISO 9001?

That's a very important question. You should have at least one good reason to do it. And just 'having the certificate' alone is definitely not a good reason - it's one of the most common mistakes.

Some of the most frequent reasons given: greater client assurance, because it's the most widely known quality system model, it's internationally accepted, or to get benefits such as increased sales, improved processes, improved communication at all levels, greater business control, greater internal consistency and discipline, and reduced costs through doing things faster, better or cheaper and/or reducing errors or customer complaints. >>More about the benefits of ISO certification.

Should everyone 'do ISO'? Not necessarily, but using it as a model for your quality system can benefit almost any organisation.

If you decide to apply for certification, then there is a cost involved, although too often people only focus on the 'cost of quality'.

Try turning that thinking around to consider the cost of not having quality. What's the real cost of business lost through failures in services or products? The cost of dissatisfied customers? Of repeating the same mistakes, duplicating work. Or of inefficient processes, when it's cheaper and more effective to do things once and get them right the first time (not the second, third or even fourth).

If you really can't achieve any extra satisfaction for your customers (eg, a welfare organisation with a 'captive market') then certification may not be valuable for you. If you're not sure, ask a certifier or consultant; any reputable one should be able to advise.

Can I do ISO 9001 myself?

Getting ISO 9001 certification does take time, effort and resources. You must know what the Standard says, identify your gaps, and work out how to fill them. You'll also need to know how to interpret the Standard and apply it to your business.

Do expect it to take you some time and effort to figure out what's involved, to perhaps take longer than using a consultant, and thus also to involve cost. A potential solution is using a good DIY kit.

What's a certifier or registrar?

A company with the authority to issue certificates is called a certifier or registrar. They supply the external auditors. Only companies who are accredited can award certificates, provided of course they agree you meet all the requirements at their audit.

Certifiers award the certificates: think of them as a bit like an examiner. They test (audit) your system, and if it meets requirements, give you the certificate. But they don't coach you, help prepare you, or tell you how to 'pass'. In fact they can't, because this would be a conflict of interest. But good certifiers will adopt a 'business partner' approach, not a dictatorial or inspector-like attitude.

How does it happen? You choose a certifier: & sign up with them, agree on the particular Standard (eg, ISO 9001) and the scope, pay the fees, and arrange a date for audit.

Are all certifiers the same? No. Contrary to widespread belief, they're not government bodies but are private companies: service providers. They all assess you against the same Standard, but of course there are differences. Choose the one you think will suit your business best.

What do consultants do?

Consultants help and advise. We assess your system against the requirements, do a gap analysis to establish your current position, advise, coach you through the process and how to meet the various requirements, and prepare you for audit. We do not certify (accredit) you.

A good consultant can be very valuable. We can speed up the process, make it easier and more efficient, so you save time and money. We make sure you avoid the most common mistakes. A good consultant will help you get a system that suits you, not just a certificate.

But ultimately only you can decide if it's worth it, because it's your company, your time and your money. Do take care selecting: How to choose a consultant.

QA, QC and QM

Many people think terms like QC, QA and so forth are all the same. They aren't.

Quality control or QC is where things began. At its simplest, QC is product-focussed - checking your final product to make sure that it is OK (conforms to requirements), or rejecting it as non-complying if it doesn't.

The next development was QA or quality assurance. This moves beyond the end-product further 'up the line' to find and fix faults earlier in the process, and is aimed at providing confidence that requirements are, or have been, met. Note that QA includes QC at its core, but it also looks at support processes (such as training, document control, audits) to try to prevent non-conformance occurring in the first place or stop it happening again if it does.

Finally, Quality Management extends beyond both of the former to embrace the business management system as a whole. Hence, a quality management system.

Get more information

List of FAQs published by ISO, from experts & users
Join my email newsletter list. Find out more.

Do you have a question or problem with ISO 9001?

Email me the problem or query and I'll post an answer in my newsletter or on the website. But please read what's published here first.
Note: we do not respond to anonymous queries or free email addresses.

Top 10 Mistakes with ISO 9001

What are the top 10 mistakes? learn the secrets of ISO 9001 from our exclusive free report.

4 Quotes on quality

4 Quotes on improvement

Quality that is simple, practical and flexible

ISO9001 FAQs (frequently asked questions) with answers

What is... ?

How to... ?

Who does what?

Other questions

What is a quality system?