Protect your business with our ISO 9001 consultants
At ISOexcellence, our ISO 9001 consultants work hard every day to make our clients’ information security goals a reality.
ISO is the international standard for organisational information security published by the International Standardisation Organisation (ISO). These standards determine how information in a company should be managed to protect information and privacy.
The standards of ISO 9001 compliance can be applied to any business, large or small. ISO standards require sound methods and robust information security management. ISO 9001 was designed by the world’s top experts in the field of information security. ISO certified firms signal to their customers that they have taken the necessary steps to implement effective information security.
Why does ISO matter? In the last couple of years, ISO 9001 has become the most trusted information security standard in the world, with a growing number of companies certified.
Below we’ll list the four main reasons you should consider implementing ISO for your organisation.
The implementation of ISO 9001 is a reliable way to ensure compliance with laws, regulations and contractual requirements. Get ahead of future regulations by proactively boosting your organisation’s security.
Protect your brand with robust security. Data breaches and perceptions of lax security can be a nightmare for your company’s reputation. ISO helps prevent data breaches from occurring, maintaining your customers’ trust in your company.
With concern over data protection at an all-time high, you can use ISO certification to win over clients by emphasising your company’s robust security. Customers care deeply about the protection and security of their data.
ISO compliance will save you money in the long run. Data breaches are expensive to resolve. By investing in information security, you can avoid costly security breaches. ISO 9001 is specifically designed to prevent incidents before they occur.
Why pick us as your ISO 9001 consultant?
Experience you can trust
The biggest factor in choosing a consultant is experience. We boast a long history of serving clients across a variety of industries with their information security needs. Our expertise puts us miles ahead of the competition.
A solid reputation
We let our track record speak for itself. With positive client feedback and consistent satisfaction, we’re confident in our ability to serve you. Take a look at our reviews and testimonials to find out what makes us different.
At ISOexcellence, we can help you get ISO 9001 certified by understanding your needs and dedicating special attention to your company. Our committed professionals want to help your organisation grow, protect your brand, and keep your stakeholders safe.
What is ISO 9001
ISO 9001 is an international standard for Quality Management Systems. This standard can be used to demonstrate that your organisation can consistently deliver its products and services in line with customer and other requirements. ISO 9001 is not industry specific and is suitable for organisations of all sizes regardless of the services or products they provide.
What does ISO 9001 cover?
ISO 9001 is built on a common framework for ISO management standards known as ISO Annex SL (also known as Annex L from the 2019 edition) which sets out the common headings for ISO standards to follow. The main headings contained in this and other ISO standards are:
- Normative references
- Terms and definitions
- Context of the organisation
- Performance evaluation
Sections 4 to 10 contain the main provisions for organisations to implement when setting up, maintaining and continually improving their Quality Management System. Here’s a breakdown of sections 4 to 10 and what is required:
What are ISO 9001 requirements?
From the 10 sections within ISO 9001, Sections 4 to 10 contain the requirements for a quality management system to fulfil for certification. The requirements of sections 4 to 10 include:
4. Context of the organisation
The organisation must identify internal issues and external issues that affect its ability to achieve the quality management objectives. The organisation must also identify the various stakeholders and the relevant requirements of these stakeholders. The standard refers to stakeholders as “interested parties”.
Top Management must demonstrate their leadership and commitment to the Quality Management System by developing a quality policy and quality objectives, providing the necessary resources, integrating the quality management system into the organisation’s business processes, identifying customer and applicable regulatory requirements, maintaining focus on customer satisfaction, and assigning and communicating responsibilities and authorities for relevant roles. Top Management is defined in ISO 9000 (ISO 9000:2015 Quality management systems — Fundamentals and vocabulary) as the “person or group of people who directs and controls an organization at the highest level”.
Planning the Quality Management System requires consideration of internal and external issues and stakeholder requirements identified under section 4, and determining risks and opportunities to be addressed to ensure the quality management system achieves its objectives. The organisation must define its specific and measurable quality objectives, and control any changes it deems necessary for its management system.
Organisations must provide the necessary resources for the establishment, implementation, maintenance and continual improvement of the Quality Management System, including people, infrastructure, environment for operation of the processes, resources for monitoring and measuring, and ensuring organisational knowledge is maintained and made available.
Organisations must also determine the necessary competence of persons working under their control that affect the performance and effectiveness of the Quality Management System. Evidence of competence or actions taken to achieve it must be retained.
The necessary competence of persons working for the organisation must be determined, and these persons must be competent on the basis of their education, training or experience.
Persons working under the control of the organisation must be made aware of the quality policy, relevant quality objectives, their contribution to the effectiveness of the quality management system and the implications of not conforming to requirements. Additionally, organisations must determine what will be communicated, when (under what circumstances and within what time constraints), to whom, who will do the communicating and the process for such communications.
When creating and updating documentation, the processes must provide for appropriate identification, description, format, media, and review and approval for suitability and adequacy. Document control must address additional points such as: distribution, access, retrieval and use, storage and preservation, control of changes, and retention and disposition. Document control processes must also address documentation of external origin.
Section 8 of ISO 9001 contains significantly more detail than other standards such as ISO 45001 or ISO 14001. The sub-sections from 8.1 to 8.7 will be dealt with individually below.
8.1 Operational planning and control
The processes must be planned, implemented and controlled. In addition, criteria for the processes and for the acceptance of products and services must be determined. To the extent necessary, records must be kept to have confidence that the processes have been carried out properly and that products and services meet requirements.
8.2 Requirements for products and services
The organisation must determine the communications it is to have with customers, including information relating to products and services, enquiries and order handling etc.
Requirements for products and services must be defined and the organisation must ensure it can meet any claims made.
The organisation must retain records of reviews conducted to establish it can meet requirements for products and services. Customer requirements must be confirmed prior to acceptance, and the organisation must retain records of reviews and any new requirements for products and services. Changes to requirements for products and services are to be documented and communicated to relevant persons.
8.3 Design and development
The organisation must establish, implement and maintain a process for design and development. There must be proper and controlled planning of design and development. Inputs must be determined and documented. Controls must be applied to ensure design outputs meet requirements. Outputs must meet input requirements, be adequate for the provision of products and services and be documented. Changes to design and development must be identified, reviewed and controlled. Records of changes and their review must be retained.
8.4 Control of externally provided processes, products and services
The organisation must ensure outsourced or procured services, products and processes conform to requirements. The controls to be applied must be determined and applied, including determining criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers. There must be suitable and adequate communication with external providers regarding the products, services and processes to be provided, approval methods to be applied, competence requirements, interactions with the organisation, control and monitoring of the provider’s performance to be applied by the organisation, and verification or validation activities that the organisation (or its customers) intends to perform at the external provider’s premises.
8.5 Production and service provision
This section requires the organisation to carry out the provision of its services and production in a controlled manner, including through the provision of documented information which outlines the products, services or processes to be provided to the customer and the results to be achieved, the availability and use of suitable monitoring and measuring resources, implementation of monitoring and measuring, appointment of competent persons, and implementation of release, delivery and post-delivery activities.
The organisation must identify the outputs as necessary, and identify the status of outputs throughout production and service provision. Where required, the organisation must also control the unique identification of the outputs when traceability is a requirement – and must retain records of such traceability.
Property belonging to customers and external providers must be looked after, and any damage or loss of their property must be reported to them without delay. Property belonging to the customer or external provider can include materials, equipment, tools, premises, intellectual property and data.
The organisation must determine and meet requirements for post-delivery activities, including any required by statutory and regulatory requirements, potential undesired consequences associated with its products and services, the nature, use and intended lifespan of its products and services, and customer requirements or their feedback.
Changes to products and services must be carried out in a controlled manner. Changes must be reviewed and evidence of this review must be retained.
8.6 Release of products and services
ISO 9001 requires organisations to carry out, at planned intervals throughout the provision of products and services, the necessary arrangements to ensure they meet requirements at all stages. Products and services must not be released to the customer until the organisation is satisfied that all requirements have been met. This section of the standard requires the organisation to retain evidence that the requirements have been met and who authorised release of the products and services to the customer.
8.7 Control of nonconforming outputs
Where outputs do not conform to requirements, the organisation must ensure that these are identified and controlled whether by correction, segregation and containment, informing the customer, or obtaining authorisation from the customer for acceptance under concession.
Records must be retained in respect of the nonconformity, actions taken, and the identity of the authority deciding the action to be taken.
9. Performance evaluation
ISO 9001 requires organisations to determine what needs to be monitored and measured, the methods for monitoring and measuring, the timing of such monitoring and measuring, and when the results of monitoring and measuring will be analysed and evaluated.
The organisation decides what it is that will be monitored, measured, analysed and evaluated, but will be required to keep documented information of the results of monitoring and measuring. The organisation is required to evaluate the performance of the quality management system and retain records of any such evaluation.
Organisations must audit their quality management system, and must plan, establish, implement and maintain an internal audit programme based on the importance of the processes and the results of previous audits.
Management must hold an annual review of the quality management system to ensure its ongoing suitability and effectiveness. Topics to be considered and reviewed include: changes in issues identified under section 4, trends in non-conformities, customer satisfaction and feedback of interested parties, process performance and conformity of products and services, nonconformities and corrective action, results of monitoring and measuring, audit results, performance of external providers, adequacy of resources, effectiveness of actions taken to address risks and opportunities, and opportunities for continual improvement.
10. Continual improvement
Arrangements must be developed and implemented to deal with non-conformities as they arise, including determining their causes, implementing the necessary actions, reviewing the effectiveness of corrective actions, and making changes to the quality management system where required. These steps are commonly managed through a nonconformity and corrective action process.
Organisations must continually improve the suitability, adequacy and effectiveness of their quality management system.
ISO 9001 FAQs
ISO 9001:2015 is an international standard published by the Organization for Internal Standards for quality management systems. Its full title is “Quality management systems – Requirements (ISO 9001:2015)”. The standard sets out the requirements an organisation must fulfil to achieve certification.
The current standard is ISO 9001:2015
Benefits associated with ISO 9001 include being able to demonstrate to customers that an organisation meets internationally recognised requirements for quality management systems. In many cases, achieving ISO 9001 certification is a requirement for tendering for certain projects. Other benefits include improving efficiencies within an organisation and enhancing customer satisfaction.
The main requirements are to develop a quality management system which is in line with the detail of the standard, to operate it and continually improve it, and to maintain records of its implementation. Further information is provided in the outline of sections 4 to 10 above.
Strictly speaking, anyone can provide certification to this or any other management system standard. However, the International Accreditation Federation is the worldwide body for Conformity Assessment Accreditation Bodies. These are the national bodies who provide accreditation and official recognition of Certification Bodies who actually provide the certification to organisations.
When choosing a Certification Body, it is important to select a Body which has official recognition for the certification of the relevant management systems. This reduces the risk for your organisation when seeking to become certified.
The cost of ISO certification to any standard depends on many factors, including the size and type of organisation, the sector in which it operates, and the extent to which its current business and operational systems are developed. Typically, you could expect the entire implementation cost for a consultant to be in the range of €5k to €10k, depending on organisation-specific factors.