ISO 9001:2015 – New Terminology, Not a Change in Requirements

This is a guest post by Lorri Hunt, a U.S. technical expert and task group monitor for the next revision to Lorri HuntISO 9001. She is an ASQ Senior member, an Exemplar Global lead auditor, a frequent contributor to quality publications and journals, and a speaker all over the world.  She is the president of Lorri Hunt and Associates Inc.

Author’s Note: ISO 9001:2015 is still in the revision process and subject to change.  Information in this blog should be used with caution when making changes to a quality management system or for legal agreements.

ISO 9001:2015 is currently at the Draft International Stage (DIS) with a scheduled publication date of September 2015. As organizations have gotten their first glance at the proposed changes, many have focused on specific words rather than what the requirements actually say. While a new structure demonstrates the biggest visual change, the standard also uses different words, in some cases, to explain requirements that have existed in ISO 9001 since its infancy.

Some of these changes are based on the fact that the text related to certain concepts is part of the standard structure and common text and definitions that have been established for every management system standard to follow.  This includes documented information instead of documents and records, and the removal of terms such as the “quality manual” and “management representative.” Other terms have been changed by the technical experts who are drafting ISO 9001:2015.  These include “external provider” instead of “supplier” and “applicability” instead of “exclusion.”

Stock image of people talking

In all of these cases, the requirements that relate to them have not changed, just the term.

Management Representative

Requirements for assigning responsibilities and authorities are included in Clause 5.3 Organization Roles, Responsibilities and Authorities. All of the requirements for the role of management representative from ISO 9001:2008 are included with some minor enhancements.  The ISO 9001:2015 DIS just doesn’t define the term.

Quality Manual

The requirements that would have been included in the quality manual from ISO 9001:2008 are included in Clause 4.3 Determining the Scope of the Quality Management System and 4.4 Quality Management System and Its Processes.  The information that was included in the quality manual must be maintained as documented information. It just doesn’t call the documented information a quality manual.

Documented Information

The requirements that were included under control of documents and control of records in ISO 9001:2008 are included in 7.5 Documented Information.  Because there have been substantial changes in how documented information is controlled, the difference between a document and a record has become more difficult.  To help users, the phrase “maintain documented information” is used when referring to the legacy term “document” and the phrase “retain documented information” is used when referring to the legacy term “record.”  Organizations that have a quality management system that is compliant to ISO 9001:2008 requirements should be compliant to ISO 9001:2015 requirements.


In ISO 9001:2008, organizations could exclude requirements as long as they did not affect an organization’s ability to provide product that conformed to requirements.  In the DIS, an organization can determine that a requirement does not apply if it does not affect the organization’s ability to ensure that a product or service conforms to requirements.  This application must also be maintained as documented information according to the requirements in 4.3 Determining the Scope of the Quality Management System.

In each of these cases of change of terminology, many users see this as a reduction or change in requirements. However, there has not been a reduction in requirements. The change in terminology is simply providing a less prescriptive standard.  As users begin the transition to ISO 9001:2015 and initiate a gap analysis to the requirements, it is important to not just consider the words that have been written, but the requirements that they represent.

Users of the standard can also continue to use whatever terminology they wish when implementing a quality management system.  This concept is reinforced in Annex A.1 in the DIS for ISO 9001:2015.

Simply put, there is not a need to throw everything you have in your quality management system out, but ensure that your quality management system meets the new requirements in ISO 9001:2015 regardless of the terminology used.

26 thoughts on “ISO 9001:2015 – New Terminology, Not a Change in Requirements”

  1. Dear Mrs.Lorri ,
    First of all , thank you for your explaination for the new requirements in ISO 9001:2015 , BUT what we read above didn’t reflict any serios updating or changing in our QMS . So what is the benifit to issue new draft with the standard without real added value or to improve our Quality System , its mainly commercial step.
    Best Regards, Eng.Ahmed Fouad ,QA Manager.

  2. Dear Mrs.Lorri
    Thank you for this information. Where does the risk assessment issues fit in. Is this going to be a massive exercise to impelment. Some consultants are saying that the QMS systaem has to be redevelopedd


    1. Hello Prof. Ramphal,
      I hear your concern. But, risk-based thinking is something we all do automatically and often subconsciously to achieve the best results. The idea of Risk Management has always been implied in the ISO 9001 standard. The revision makes it more explicit.
      Here is a little insight into how risk is addressed in the clauses of ISO 9001:2015:
       in Clause 4 the organization is required to determine the risks which can affect its ability to meet these objectives
       in Clause 5 top management are required to commit to ensuring Clause 4 is followed
       in Clause 6 the organization is required to take action to identify risks and opportunities
       Clause 8 – the organization is required to implement processes to address risk
       Clause 9 the organization is required to monitor, measure, analyse and evaluate the risks and opportunities
       In Clause 10 the organization is required to improve by responding to changes in risk
      Hope this helps even a little.


      1. Hello dear Andy Katerson,

        As practicing ISO consultant and certified auditor for ISO 9001:2008 I am really glad, that you brought clarification to many of the rumors around ISO 9001:2015. The summary around risk is great. But it would have not hurt though to outline a little bit more in detail the circumstances around the new wording “RISK BASED THINKING” within the new ISO 9001:2015 standard. Many individuals in the quality world are becoming part of sometimes “wild” speculations, of what this new requirement wording is all about.

        As quality professional, I believe, that the new standard will bring value to any organization and their customers and I hope that organizations will implement the new standard as new long-term strategy to enhance the organization’s quality capabilities and market position.

        On the other hand I am convinced that the new standard ISO 9001:2015 cannot be compared as equal to ISO 9001:2008 in terms of the CAPA (Corrective/Preventive action) process wording. As we have all read, the new DIS will make all CAPA processes obsolete with the official release of ISO 9001:2015. Any Quality Management System (QMS) in place or new build will need sooner or later to address the changes of ISO 9001:2015, in order to stay ISO 9001:2015 compliant. All CAPA processes have to be addressed in different ways now, compliant with ISO 9001:2015.

        Advisory on how to manage the ISO 9001:2015 “Risk Based Thinking” changes for application is needed especially on the new requirement facts of how to split and separate the existing CAPA process may I call them Corrective Actions and Risk Management (Preventive actions which will be integrated into new risk management processes).

        Whether organizations are using electronic based QMS systems or manual QMS systems, their CAPA process WILL change in terms of process mapping, routing, documentation, verification, validation, etc…, even if it does not matter, which kind of risk based thinking “model” an organization will apply.

        I agree with you, that risk management has been (or should be) always part of ISO 9001:2008 planning, but it will physically change every organizations QMS system in terms of new quality plans, new chart development, new process maps, swim lanes, new audit plans, risk management planning checklists, transition checklists, etc.

        It is not all about only changes in wording, just to make that more clear…

  3. Thank-you for spending the time to clarify these issues regarding ISO 9001:2015.

    Other things I’ve read and seen would lead one to believe that the revisions/improvement here are, well, enormous. They’re not enormous… they are overdue, starting with the “risk.” A recent article in Quality Progress paints a much different picture of these changes.

    ISO 9001 continues to evolve, in our view, as it has for almost 30 years. We welcome the changes, and we’ll be ready to apply them. Best regards!

  4. We need more information as to how far down the process chain we have to go for an acceptable documentation of risk identification, determination of risk degree and mitigation. I am thinking classic FMEA, but there must be other methods. We need to know about other acceptable methods.

  5. As far as I know it’s about risk management not only risk assessment.
    Another new topic I read about is the definition , organization and management of relevant Knowledge.
    In addition to the terms Lorrie listed I think there are changes to other basic definitions .
    So the change might be about essence not only about form.
    Would anybody please elaborate ?

  6. Towards the identical goal of continous improvement of quality , I am working on the integration with ISO 13053 and 9001,4, 5 and other ISO 9000 family.
    I am expecting at the next revision of ISO 9001:2015, 9001 and 13053 get closer or even merged to ease my pratical applictaionion.

  7. I found a client which is not understanding the difference between “document” and “record” because nowhere is it explained that records are different from documents. Nowhere is it explained, either, that both are audited and that records are by far the most substantial and objective proof that the policies, procedures, and steps given in documents carried out at all, let alone carried out correctly.

    In ISO 13485 and 21 CFR 820.30, the medical device and pharmaceutical quality system requirements, both mention ISO 9001 as their springboard and as a point of reference, there is wording that “the final documents” must be signed and must go in the design history files. This is being interpreted that these are all that are required. Yes, I am explaining that plans etc. are all records and must go in, but they are not seeing it in black-and-white in the various standards so they remain uncertain.

    Is it possible to stipulate what records do as opposed to documents? Can ISO 9001:2015 also stipulate final documents of a requirement are a portion, and not the only records, pertaining to a requirement? Finally, can it be stated somewhere what their importance is with respect to auditing?

    I tell clients that records are probably the best and cheapest business insurance that they can have.

  8. Thanks for your comments! Lorri provided this response:

    “This blog was a short overview of one type of change in ISO 9001:2015, which is new terminology. It was not meant to be a cover-to-cover analysis of the changes to the standard, but simply to reflect that the new terminology does not necessarily require an organization to make change.

    “Other requirements in the standard such as context of the organization and the concept of risk-based thinking, as well as others, will require an organization to do a gap analysis to see how they are meeting the intent of these new requirements. Annex A in the Draft International Standard provides clarification on many of the “new” requirements in ISO 9001:2015.”

  9. the iso 9001:2008 will be change with iso 9001:2015, my question is whether the Auditor with certificate iso 9001:2008 should be follow again the training for 5 days or enough to transition training for iso 9001:2015. thanks.

  10. Ms. Hunt “……………… it is important to not just consider the words that have been written, but the requirements that they represent.” Please clarify, with examples if possible, what you mean. In the ISO world, the only requirements are those that come directly from words . Anything else leads to apocrypha.
    Ms.Weedon Documents tell us what is to be. Records tell us what was.

  11. I have gone through the article, and I can say there are fundamental changes in ISO 9001:2015 version of the standard. we will wait for final version of standard to get published and then see How it can be implemented in the organization with minimum changes in the existing system. .

  12. i have been involved in training some of the AB’s around the world regarding ISO 13485 which includes risk assessment. The “vast” majority of auditors from all CABs and ABs do not thoroughly understand risk assessment / management. If done correctly, the risk doc is a “live” doc, open for revisions at any time and include “all” production and non-production processes. This clearly means that when the technique was designed, all processes are to be evaluated for risk. This also means that no matter the degree of risk, if risk exists, it must be documented. Organizations are also required to determine if an acceptable degree of risk exists. If so, no further mitigation is required unless actions, failures, complaints, data, etc suggests further mitigation or that the previous risk level was not correct. There’s no question, if this statistical technique is implemented correctly, it becomes a daily vital objective of every QMS process. If anyone says no, they do not understand the statistical technique.

  13. We can apply ISO 31000 to implement risk management. I guess not the whole detail, but the approach used there will be useful.

  14. Dear mrs Hunt, as Italian i do not agree at all with your conclusions (you say that’s merely a matter of terminology).
    In the italian entrepreneurs culture of small-medium organizations is still present, at least in 80% of them, the culture “by-functions” instead than “process” one.

    Some pitiful authors say that even in 2008 release the standard contained the process culture , but it is a pityful lie. In fact the process approach was foreseen in point 02 of the introduction, but all the standard was designed and built up according “function approach”.
    Now the new standard has mended the chilidish mistake (even though some brontosaurs have re-introduced a lot of silly retourns to the first version of 1987, passing from the CD an the DIS (the ISO CT/176 had made a pretty perfect job, whilst the DIS document has put to straw a large part of their labour.
    Do you want a demonstration of this? the four totally useless notes added to the term “Process” in clause 3.12 (just to say something, but if you look to the backward useless pointing out of clause 8.3 you can esaily understand what I intend to mean)

    I want also to add that for my country the new definition of “documented informations” set a clear full stop to what can be considered part of an organisation system: in my country, unfortunately, a lot of entreperneurs considered the QMS something TO ADD to their current (“perfect”- in their opinion) organization SYS, an this costly addendum has been born “just to please the certification body’s inspectors”!! (…. Joking, we consultants, call these entrepreneurs the hirers of a stamp of a famous bananas seller brand)
    Now, at least, the documented informations consider all the stuff of the organisation (drawings, specs, instructions of any kind and media used, purchase orders, etc.) as being Documented informations of any organizational system, as the QMS is.
    This was not absolutely clear in the 2008 release (the standard always refferred only to QMS documents).

    I want also tell to Mrs Hunt that the introduction, in clause four, of the two little sub clauses 4.1 e 4.2 is a total revolution: the standard clause 4 “Context of the organization” do not start any longer with “requirements”, (as while the old standard starts immediately with sub clause 4.1 General requirments) and speaks also about “processes”, making a real mess between “processes” and “Phases of processes” ).

    I have recently written an e-book, unfortunately only IN ITALIAN, with Amazon telling these comments and more others which are worth, in my opinion, to address to. …. if by any chance you have a friend italian-speaking i would recommend it to you, not with the aim to teach you anything (obviously), but as an instrument underlining change by change.
    Pls also note that i was one of the first in Europe to contribute to the writing of a quality manual, working in the nuclear field (1970), and the one that drew the attention to the compulsory need of integration (from 1995) among the standards now considered in the “frame” of 2015 release (twenty years later); I was also the first to elaborate a 14001 scheme deeply integrated wity a 9001 for a public entity (famous seaside italian Municipality) soon copied by hundred of municipalities in Europe…. This just to let you know that I consider not to be the last arrived on this matter.

  15. My comments to those inquiring about the changes is that for companies that are taking the right approach and doing this because they want to, there will be little change. Additions would include some mention of risk analysis / management and change management. For those that are doing this at the bare minimum level just to receive a certificate will now have fewer requirements to document certain things and keep certain records. My opinion is that this is an overall reduction in the stringency of this standard and under the principle of making it “less prescriptive” will dilute the effectiveness of the standard on a broad. I can see no tangible discernible benefit to users at large for the changes. Also, the transition will be a nightmare. In the ISO world, there are not less than 39 definitions for risk. Which one will you use? Which one will you internal auditors, external auditors, accreditors use???

Leave a Reply

Your email address will not be published. Required fields are marked *