Despite the release date in 2015, many CISOs are still trying to figure out where the puzzle pieces of the updated ISO 9001 standard fit in their compliance program. With the International Organization on Standards (“ISO”) official website noting that organizations have been granted a three-year transition period to migrate their quality management systems, the current year time limit means that many may just be in the initial stages of reorganizing.

What does this mean for your organization?

Paula Oddy at Quality Digest notes that the changes include:

  • Shifts in concepts and philosophies
  • A reinforced process approach
  • Focus on risk-based thinking
  • Flexibility in the management system documentation
  • Enhanced stakeholder perspective
  • Business metrics suited to key processes

The conceptual changes leading to new approaches to quality management relate to a shifting focus on customers and the shift from “products” to “products and services.” The new version of the ISO states that the quality management principles are:

  •    — customer focus;
  •    — leadership;
  •    — engagement of people;
  •    — process approach;
  •    — improvement;
  •    — evidence-based decision making;
  •    — relationship management.

In short, ISO 9001:2015 places the burden of leadership on management’s creation of a process-based program that is supported by evidence to improve customer experiences and create buy-in from the entire organization.

What does this mean to an organization?

Risk management is the first step to a strong process approach. The ISO notes in the new edition’s introduction that “risk-based thinking has been implicit in previous editions.”  The ISO 9001:2015 revision, however, makes the need for risk review explicit. Although building risk matrices may be a hassle, they provide the documentation necessary to support opinions and decisions. A large organization serving an international clientele may need more detailed processes in place compared to a smaller, lower volume organization. For example, the ISO 9001:216 introduction, the purpose of the Plan-Do-Check-Act cycle is to enable:

a) understanding and consistency in meeting requirements;

b) the consideration of processes in terms of added value;

c) the achievement of effective process performance;

d) improvement of processes based on evaluation of data and information.

Starting with an overall corporate risk profile, CISOs can better determine what processes not only best comply with the standard but which ones constitute a value add. At their core, the standards intend to create a replicable series of processes to ensure that business moves along smoothly and efficiently. This not only helps customers receive the best service but also leads to greater profits.

What does this mean for the CISO?

Unlike the 2008 version wherein a single individual could be designated the “management representative,” ISO 9001:2015 holds top management generally accountable for the effectiveness of the quality management system. The shift to focusing on leadership, relationship management, and engagement of people incorporates a holistic approach to compliance that reinforces its importance as an integral component to organizational success. Instead of responsibility and oversight is limited to a small few, the entire company should be working together to create an overall compliance environment that is easy to manage for everyone.