Small businesses know the importance of trust. Your business has the quality customers are looking for. But how will potential customers know that? Big corporations can signal their trustworthiness with a recognizable brand. But what about smaller companies?
That’s where ISO 9001 certification comes in. ISO 9001 can build trust, in any business of any size. It tells the world you meet international quality standards. Customers won’t need to take your word for it. They can see your certificate.
ISO 9001 helps you create a continually improving Quality Management System (QMS) with a focus on customer satisfaction. By following the requirements of ISO 9001, you refine your processes, set goals, and achieve success. Consequently, when potential customers see an ISO 9001 certificate, they see a business that takes quality seriously.
At CertFast, we provide ISO 9001 auditing tailored to small business. We exist to make certification possible for businesses like yours. We want to help you achieve certification and start displaying your badge of quality to the world.
But before that process begins, you need to understand the ISO 9001 standard and implement its requirements. That can seem like a daunting task—but don’t worry. In this article, we’ll give you a complete tour of the ISO 9001 standard: the basic knowledge you need to get started on your ISO 9001 journey. And when you’re ready for a hassle-free audit focused on the needs of a small business, CertFast will be there to help.
Let’s start with the basics:
What is ISO 9001 Certification?
ISO 9001 is an international quality management system standard. Does it already sound complicated? Let’s break that idea down into its individual parts:
International
ISO 9001 is a global standard. It is published by the International Organization for Standardization (“ISO” for short, and yes, we know the letters don’t match). Standard bodies from over 160 countries participate in ISO, crafting standards that set international benchmarks in areas like quality, health and safety, environmental protection, and more.
What does this mean for you? When you follow an ISO standard—like ISO 9001—you’re meeting globally recognized best practices. An ISO certification proves to customers that your business meets world-class standards. If you ask us, that beats a Google review.
Currently, over a million companies worldwide have certified to ISO 9001.
Quality Management
The ISO 9001 standard focuses specifically on quality management. This concept can apply to any business in any industry, whether you create a product or provide a service. It doesn’t matter what your business does; every customer or client in every industry wants quality. In addition, they want the product they order or the service they hire to meet its promised standards.
When a company meets or exceeds those standards, customer satisfaction grows—and so does that company’s reputation. Conversely, when a company fails to meet those standards, customer satisfaction plummets.
So how do you ensure consistent, improving quality? That’s where the “system” part of Quality Management System comes in.
System
By following ISO 9001, you create a QMS: a quality management system. You’re not just putting in effort and hoping for the best. You’re defining processes, setting goals, and tracking results. When you follow a QMS, efficiency increases. You can clearly see your growth—and you can also see areas for improvement.
With a QMS in place, failures aren’t a cause for panic. Instead, they’re an opportunity to grow. You know you have a system in place to address the root cause of problems and turn them into improvement.
Your system will be made up of processes and documentation. This includes your quality policy, procedures, work instructions, and records. When you consistently follow the processes of your QMS, you can achieve your objectives and continually improve.
To make this system work, it will involve everyone in your organization. Particularly, the driving force must come from company leadership.
What ISO 9001 Can Do for You
Here’s a brief summary of the benefits ISO 9001 can bring to a small business:
• Greater customer satisfaction
• Improved efficiency
• International recognition
• More customer trust
• Bolstered bottom line
Who Issues the ISO 9001 Certificate?
Once you have implemented the requirements, you will need to undergo a third-party audit to receive your ISO 9001 certificate. This is an essential step. As you meet ISO requirements, current customers will see your improving quality even before you receive certification. But to prove your quality to new customers, you will need an ISO 9001 certificate vouched for by a neutral third party.
To make that happen, you can reach out to a registrar like CertFast. Make sure to work with a registrar that has achieved ISO 9001 certification for itself. You want to work with auditors who practice what they preach.
If you’re a small business, you will also want to choose an auditor who understands the needs and constraints that come with that context. Many registrars focus specifically on large businesses, making it hard for smaller companies to break into their auditing schedule and find an understanding auditor.
The Requirements of ISO 9001
Now let’s open the standard and see what ISO 9001 actually requires. ISO 9001 divides its requirements into the following sections:
• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement
You might notice that ISO 9001 has ten sections, but we’ve only listed seven. That’s because the first three clauses do not actually contain requirements. They simply lay out introductory information for the standard.
These seven sections are what make up an ISO 9001 QMS. Their ordering is not incidental. These requirements follow the PDCA cycle: Plan, Do, Check, Act.
You will follow this cycle throughout the entire ISO 9001 process. It involves making plans, doing what you planned, checking your results, and acting on your findings—and then doing it all again. The PDCA cycle makes continual improvement possible.
Before jumping into the requirements, let’s take a look at the introductory portion of the standard. The concepts therein will prove essential to your understanding of ISO 9001.
Understanding the Process Approach
To understand the power of ISO 9001, you need to understand the process approach.
ISO 9001 defines the process approach in the following way:
“… the systematic definition and management of processes, and their interactions, so as to achieve the intended results in accordance with the quality policy and strategic direction of the organization. Management of the processes and the system as a whole can be achieved using the PDCA cycle (see 0.3.2) with an overall focus on risk-based thinking (see 0.3.3) aimed at taking advantage of opportunities and preventing undesirable results.” (0.3.1)
Your organization is made up of processes. These processes interlock, working together to output the product or service you provide. When your individual processes perform well, your overall business performs well.
The process approach helps you see those processes and how they work together. It also helps you break down those processes into manageable parts, revealing the critical checkpoints where you can apply controls to ensure quality.
What are those “manageable parts?”
Every process has six basic elements
• Source of Inputs. What “feeds” the process at hand? Is it another process, or perhaps a policy?
For example: On a product assembly line, the “source of input” might be an external materials provider. Or it could be a previous process that creates the parts needed for assembly.
• Inputs. Inputs can be anything required to produce a product or service. These can be physical materials, products of other processes, or even intangible things like information.
In our assembly line example, the “inputs” would be the raw materials or parts coming into the assembly line. But if we were talking about a performance evaluation process, the input might be information, such as employee performance records.
• Activities. This broadly refers to the actions performed during a process.
In our assembly line example, the “activities” would be the actions taken to turn the parts and raw materials into an assembled product.
• Outputs. What does this process produce?
In our assembly line example, the “output” is obviously the assembled product. But every process has an output. A quality assurance process might have the “output” of a written performance report.
• Receivers of Outputs. Where do the outputs of this process go?
This connects the individual process to the rest of your business. Do the outputs of this process go to another process within your business—the way assembly line outputs might feed into a quality assurance process? Or do the outputs of this process go directly to the customer?
Key Points:
• A process transforms inputs (such as materials, information, or parts) into a useful output (such as a product or report) that must meet specific requirements.
• Processes often feed each other. The outputs of one process can become the inputs of another process, creating a series of interlocking processes working together to create the products or services you provide.
• Every process must have a process owner. This person is responsible for keeping track of the process performance and KPIs. The process owner takes charge of that specific process to make sure it continually improves. When every process owner ensures the improvement of her own processes, the whole system works better.
Understanding Operational Risk Management
ISO 9001 lays out one more essential concept before getting into the requirements: Risk-based thinking.
When you follow ISO 9001, risk-based thinking drives your decisions. Keep in mind: Not all risk is negative. You will need to think in terms of risks and rewards. By focusing on risk, you become proactive. You’ll be prepared to face negative risks and take advantage of opportunities.
But it’s not enough to consider your risks. You need to manage them.
ISO 9001 says the following about operational risk management:
“To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.” (0.3.3)
To receive ISO 9001 certification, you will need to display a formal, documented risk management process. But this process doesn’t only help you earn a certificate. It also prepares your business for the future.
Key Points:
• When it comes to identifying risks, everyone plays a role. Risk could come from any part of the process.
• By employing a formal risk management system, you can create better plans and see more improvement over time.
• You will need to perform risk management for all your operational activities. These include product requirements reviews, contract negotiations, operations management, design and development, purchasing, and work transfers.
Context of the Organization
ISO 9001 can fit any business. To make it fit your organization, you need to understand your context. This is a formal step of the process.
When it comes to context, ISO 9001 requires the following:
“The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system. “The organization shall monitor and review information about these external and internal issues.” (4.1)
You can start by looking at what influences your organization, both internally and externally. The standard requires you to make note of any party that might have a stake in your company—not just customers and clients, but employees, local governments, and regulatory bodies. All these influences connect and intertwine to form your context: the background against which you make decisions.
When you build a QMS based on your specific context, you can see the real benefits of ISO 9001. This process helps you focus efforts on your specific needs and goals.
While considering context, you must also define the scope of your QMS. To which parts of your company will the QMS apply? Or, to put it another way: Which parts of your company will be audited and receive ISO 9001 certification?
Key Points:
• When determining your context, you will need to consider both internal and external factors.
• Internal factors might include your company goals, culture, products, or size.
• External factors might include industry trends, technologies, regulations, requirements, and economic shifts.
• You also must define what ISO calls “interested parties”—those stakeholders who influence your business. These interested parties bring their own expectations and requirements to the table, which you will need to address.
• Employees bring the requirements of labor laws and safety.
• Customers and partners bring the requirements of contracts and expectations of quality service.
• Owners and shareholders bring legal requirements and performance expectations.
• Government authorities bring the requirements of legal regulations.
• Certification bodies bring the requirements of standards like ISO 9001.
Remember: This is all about your context. These influences and requirements will look different for every organization.
Leadership in ISO 9001
ISO 9001 dedicates an entire section to company leadership. Leadership sits at the center of ISO 9001. Your auditor will expect to see company leadership as the driving force of your ISO 9001 project. The requirements of ISO 9001 must come from the top down, creating a culture of quality and improvement at every level of your organization.
The standard says the following about leadership:
“Top management shall demonstrate leadership and commitment with respect to the quality management system… Top management shall demonstrate leadership and commitment with respect to customer focus…” (5.1.1, 5.1.2)
How do you demonstrate leadership and commitment to the QMS? ISO 9001 helps you accomplish this through a handful of requirements. To start: Leaders must hold regular management review meetings. Here, company leaders assess the direction and performance of the organization. It’s the job of leadership to set priorities and communicate those priorities at all levels.
Key Points:
• Leadership must craft a Quality Policy. This document is central to your QMS. It states your organization’s commitment to quality and serves as the starting point for all quality objectives.
• Speaking of quality objectives: It’s the job of leadership to set quality objectives and KPIs for every process. This allows you to measure your performance against objective standards, which in turn enables you to push toward improvement.
• You must determine the needed roles and responsibilities throughout your organization, including the authority that must come with those roles. Leadership will need to delegate tasks to competent team members.
• Top management must perform regular management review meetings to assess processes and documents, making sure the system remains effective.
• Lastly, leadership provides the necessary resources for your QMS. These resources include employees, equipment, infrastructure, and environment.
Planning in ISO 9001
In the planning section of ISO 9001, you get to exercise your risk-based thinking muscles. Previous sections directed you to identify the risks you face. Here, you make specific plans to address those risks. You will also set quality objectives you can objectively measure.
Here’s what the standard has to say about planning:
“When planning for the quality management system, the organization shall consider the issues referred to in 4.1 (context) and the requirements referred to in 4.2 (expectations of interested parties) and determine the risks and opportunities that need to be addressed . . . The organization shall establish quality objectives at relevant functions, levels, and processes needed for the quality management system.” (6.1.1, 6.2.1)
You should also plan for any future changes to your QMS.
Key Points:
• Your plans should be proportionate to your risks. Think about the impact a risk could have on your business. Your plans should reflect the severity of that impact, or the lack thereof.
• Focus your planning on results. To accomplish this, it’s important to set goals you can objectively measure.
• Planning isn’t once and done. Managers and process owners will continue making plans as new results roll in. This is essential to continuous improvement.
• Remember to keep the necessary documents and records. You should document the actions you take, tasks to complete, needed resources, completion dates, effectiveness evaluations, and any other data relevant to your plans.
Support and Resources
Your quality management system will require resources to run properly. Again, this duty falls to your organization’s leadership.
ISO 9001 lays out the following requirements for support and resources:
“The organization shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the quality management system.” (7.1.1)
A business can’t achieve consistent quality without a constructive work environment, functional equipment, competent workers, and proper documentation. All these resources will require maintenance: Equipment must be calibrated, documentation must be updated, work environments must meet the latest safety regulations, and workers will require new training.
Key Points:
• You must have a sufficient workforce. You also must ensure the competency of your workers by providing training and documentation. Know what knowledge is required for each role and maintain that knowledge among your team.
• Your policies and procedures will only take effect if you communicate them clearly. You must ensure employee awareness of your QMS by choosing effective communication methods.
• Control your documents and records. This includes any information related to your QMS, such as documentation on product quality and safety. If documents change, make sure to communicate those changes.
• Maintain the infrastructure necessary for your QMS (such as equipment, facilities, transportation, and technology). You must provide an effective work environment, and any equipment used for monitoring and measurement must be maintained and calibrated.
Operations Control—Putting Plans Into Action
“Operations” is a broad term. This category covers any activity you perform to create your products or services, at any point in the product or service lifecycle. Essentially, it’s everything you do.
In ISO 9001, you will find controls for several essential sub-categories of your operations. These requirements cover areas such as design and development, external processes, production and service provision, release of products and services, and nonconforming outputs. “Controls” here are a means of regulating a process to achieve your desired results.
ISO 9001 says the following about operations control:
“The organization shall plan, implement, and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6… The output of this planning shall be suitable for the organization’s operations. “The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. “The organization shall ensure that outsourced processes are controlled (see 8.4).” (8.1)
You must control your key processes. These processes will look different for every business. They depend on your organization and the product or service you provide.
Key Points:
• You must control design and development processes. This includes planning, reviews, verification, and validation. If a product or service changes, the change must be managed with care. Keep an eye on parts and materials that may become obsolete.
• Your controls also extend to processes that take place outside of your business. You must consider controls for external providers, and the requirements you communicate to those providers. When you purchase a product, make sure it complies with your requirements. This requires a process for monitoring and measuring supplier performance. Remember: Suppliers come with their own set of risks to be managed.
• The production or service delivery process must be controlled all the way through release. This requires sufficient planning and preparation, with quality inspections and a controlled delivery process. On-time delivery is a key factor for customer satisfaction.
• Operations control doesn’t end after product or service delivery. You also must control your post-delivery support.
The Focus of ISO 9001: Customer Satisfaction
ISO 9001 focuses on your customers. To satisfy customers, you must meet their expectations.
How can you know if your QMS is working? Customers will be satisfied. ISO 9001 keeps their needs and requirements in focus at all times.
ISO 9001 says this about customer focus:
“The organization shall monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.” (9.1.2)
Customer satisfaction is one of the only things ISO 9001 absolutely requires you to measure. All your processes should ultimately point to the goal of satisfying customers. Communication will be key in this process.
Key Points:
• To satisfy customers, you must know their needs and requirements. Again: Communication is essential.
• Customer requirements are key, but your QMS must also address any legal or regulatory requirements for your industry.
• The job of customer satisfaction belongs to your entire team. Everyone plays a part in keeping your QMS focused on this goal.
• To protect customer satisfaction, you should have processes in place to prevent the release of nonconforming products or services.
• ISO 9001 requires you to set objectives for product quality and on-time delivery.
• Keep track of customer feedback. All customer feedback provides useful data for gauging customer satisfaction and spotting areas for improvement.
The Result of ISO 9001: Continual Improvement
Your ISO 9001 QMS should produce continual improvement. The final clause of the standard lays out the requirements for achieving that end. Here, you monitor, evaluate, and improve your processes in order to meet goals and comply with the requirements of ISO 9001.
ISO 9001 says the following about performance evaluation and improvement:
“The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.” (10.1)
To spot those areas for improvement, you must continually evaluate the effectiveness of your operations. Are you reaching your goals? Are your outputs conforming to your requirements? From here, you can evaluate and act on your findings. Top management should drive this improvement process.
Key Points:
• To achieve continual improvement, you need a process for monitoring, measuring, analyzing, and evaluating your performance. Goals and KPIs only help if you pay attention to the results and learn from them.
• Company leadership should use management reviews as an opportunity to analyze performance data and set a direction for improvement.
• Every organization must perform an internal audit. Your internal audit serves as a practice run of the real thing, helping you discover areas of noncompliance and other needs for improvement. This is a required part of ISO 9001.
• You also must have a process for dealing with nonconformities (processes or outputs that don’t meet your standards). Remember to implement corrective actions that address the root cause of the issue, not merely the symptoms.
Final Steps: The ISO 9001 Audit
That concludes our brief look at the requirements of ISO 9001. Once you have implemented these requirements and performed your required internal audit, it will be time for the real thing: The third-party audit from a certified registrar.
This part of the process often intimidates people. But here are a few key things to remember about the audit process:
The Third Party Audit
The third-party audit gives ISO 9001 certification its power. By letting a neutral third party evaluate your business, you give credibility to your claims of quality. An ISO 9001 certificate lets potential customers know you meet international quality standards, and that an official registrar has certified this fact. At CertFast, we see the audit process as an essential part of helping small businesses achieve success with ISO 9001.
Fixing Nonconformities
You will have a chance to fix any issues discovered. Do away with any ideas of a grouchy auditor looking for reasons to fail your business and snatch away your chance of certification. If your auditor does discover a nonconformity (something that doesn’t meet ISO 9001 requirements), you will have a chance to address it. Once you’ve addressed your findings adequately, you can receive your certification.
Small Business Registrar
You can work with an auditor who understands your needs. Despite recent revisions making ISO 9001 simpler for small businesses, the standard sometimes still carries a big business reputation. Many auditors focus on bigger companies and fail to consider the needs and capabilities of smaller businesses. But when you work with a registrar like CertFast, you’re guaranteed to work with an auditor who understands small business—and who wants to see small businesses succeed.
Simple, Friendly and Affordable Certification
At CertFast, we make ISO 9001 certification simple, friendly, and affordable. If you have questions about ISO 9001 or the audit process, give us a call. If you’re ready to begin the audit process with a registrar who cares about your business, contact us for a hassle-free quote.