QualityMentors Blog

This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for Development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details in a secure manner, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.

Category Archives: ISO 9001:2015

Documentation for organisational context

Asheef Mohamed from Muscat, Oman has asked: “For context of the organisation, what record can be used? Internal and external issues logs, or something else?”

Here are my views on this issue:

Except for clause 4.3 (Scope), the requirements of clause 4 of ISO 9001:2015 are not covered in the list of mandated documents. However, determination of external and internal issues, interested parties and their requirements are ‘shall’ statements. Not only this, their monitoring and review to ensure their continued suitability for the organization are also ‘shall’ statements. How to achieve these requirements without excessive documentation is the real part of your question. Here are some of the ways you can achieve this objective:

Clause 4.1:

  • Organizational goals, purpose and intended outcomes may be in the form of mission, vision, Quality Policy and core value statements
  • Internal and external issues may be included in the organizational risk register, strategy, MoMs, email circulars, posters etc.
  • A context statement, which a few organizations maintain

Clause 4.2:

  • Applicable legislation and regulatory compliance register
  • Contracts with customers and suppliers
  • Complaints/compliments received from customers and others
  • A list of interested parties and their needs & expectations

Since your query is for organisational context, I take it to cover the entire clause 4 of the standard. Let me therefore include clauses 4.3 and 4.4 also.

Clause 4.3:

  • Documented scope statement, which in any case remains a mandated requirement

Clause 4.4:

  • Defined process framework and the interrelations between processes
  • Evidence of continual improvement
  • Formats, guidelines, standards, checklists, directives etc.

Hope this satisfies your query. I will be pleased to clarify further issues …

Communications as per clause 7.4 of ISO 9001:2015

Salman Raziq (salman.raziq@tqcts.com) writes from Muscat, Oman: “Clause 7.4 speaks of communication. It says all the communication regarding the QMS should be recorded, and I have a communication register with me. How do I record all the communication happening in the organization in the register? Is it really possible?”

My answer: Clause 7.4 merely asks for determination of the internal and external communications relevant to the QMS and the details thereof (what, when, with whom, how and who communicates). It does not ask for recording all the communications taking place across the organization. Probably you want to create a communications register to use as evidence for the auditors, which in my opinion is not the right approach. Let us do our business as usual without bothering about audits. The usual channels of communication in any organization are emails, town-hall meets, posters, danglers and internet/intranet sites etc. Most of these are already pieces of recorded evidence. Meeting minutes of management addresses or speeches are also records. Even if a number of sampled employees in an organization tell the auditors about a speech or meeting with relevant details, that is a piece of evidence. Creating a separate register for recording communications is not a good idea.

Hope this explanation satisfies you…


Mapping an NC to applicable standard’s clauses during audits

Today I concluded conducting an IRCA-authorized QMS Lead Auditor course. During the mock audits conducted as part of the course curriculum, the participants’ ability to identify the most appropriate clause of ISO 9001:2015 against an NC remained a challenge. In real-life first/second/third party audits, even experienced auditors find it challenging to map a given NC to the right clause of the standard. For example, an NC about product delivery with known defects is mapped not only to clause 8.6 (release of products and services) of ISO 9001 but also to 8.5.2 (identification and traceability), 8.7 (control of nonconforming outputs), 9.1 (monitoring, measurement, analysis and evaluation) and 7.2 (competence). Needless to say, by doing this the focus on the right correction and corrective action is lost, leading to vague responses from auditees.

My advice to auditors is to think for a few moments about the NC or the situation on hand and then mentally map it to the ‘most appropriate clause’. Only if necessary, start going through the clauses of the standard for such mapping. To the extent possible, map the situation to one clause only, unless of course there is a genuine need to refer to two clauses.

In no case should more than two clauses be mapped.


Risk based auditing

My friend AKM Desai (desaiakm@hotmail.com) wants me to comment on this topic.

ISO 9000:2015 defines the term risk as ‘effect of uncertainty’, i.e. any potential deviation from the expected result, which may be positive or negative…

ISO 19011:2011 introduced the concept of risk in auditing. It covers both the risk of the audit process not achieving its objectives and the risk of the audit interfering with the auditee’s activities and processes. However, it does not provide specific guidance on the organization’s own risk management process.

Specific requirements for effective risk management are provided in Annex SL requirements standards like ISO 9001:2015 (QMS requirements) and ISO 27001:2013 (ISMS requirements), with implementation guidance in ISO 27002:2013 (code of practice for information security controls). Internal and external audits conforming to the ISO 19011:2011 guidelines and to clause 9.2 of requirements standards like ISO 9001:2015 and ISO 27001:2013 can be defined as ‘risk-based auditing’. Such internal and external audits should be conducted in a seamless manner to achieve the stated audit objectives, without interfering with organisational operations to the extent possible, and with full attention to the requirements in clauses 4, 6 and 8 of the above requirements standards.


Roles & Responsibilities to satisfy ISO 9001:2015 requirements

One of my friends, Shikha Bahadur, wanted me to throw some light on this subject. ISO 9001:2015 clause 5.3 places the responsibility on top management to ensure that responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.

One of the ways to achieve this requirement is to evolve a RACI (Responsible, Accountable, Consulted, Informed) matrix. A sample is attached for your reference, which can be modified to suit your organizational requirements: RACI (attachment)

Where is information security in ISO 9001:2008?

A friend asked me this question yesterday…

If you search for the term ‘security’ in ISO 9001:2008, it is not there. If I were to map information security to ISO 9001:2008, the only clause I can map it to is 6.4: Work Environment, which reads: “The organization shall determine and manage the work environment needed to achieve conformity to product requirements”. With IT increasingly being part of everyday business, a secure work environment that protects the business from loss of confidentiality, integrity and availability becomes a prerequisite. Information security revolves around identification of risks, planning for their mitigation and effectively implementing those plans. The 2008 version of ISO 9001 mentions ‘the risks associated with that environment’ right at the beginning, in clause 0.1 a) of its Introduction.

Draft ISO 9001:2015- A few insights

Attachment: Draft ISO 9001_2015 International Standard_A few insights_V 1.0

Hello all,

The attached article provides some insights and clarifies issues being raised about the draft international standard ISO 9001:2015, scheduled to be published in Q3 of 2015.

As mentioned in its last few lines, I have assigned the copyright of this article to the Quality and Process Improvement fraternity, not to myself.

Best Regards,


Clarifications on DIS ISO 9001:2015


Can someone clarify the following issues:

1. There is no mention of ‘Management Representative’ in the draft standard. Why?

2. CAPA: I don’t see the clause on Preventive Action. Also, the number of management review inputs and outputs has been reduced. Why?

3. Whether the company remains responsible for the quality of an outsourced product or service is not as clear as before.

4. Internal audit: ‘Auditors will not assess their own work’ is missing. Why?


AKM Desai

Requirements Management in Projects: An interesting illustration
