As I wrote the other day, I have a pre-publication copy of ISO DIS 9001:2026 and reviewed the requirements clauses here. A major change to the standard, as compared to the current 2015 edition, is the addition of a massive 15-page Annex A, which contains guidance on implementing ISO 9001.
Remember: this is the text from the Draft International Standard (DIS) version and prior to a pass by ISO’s editors. The final standard may change.
The guidance is controversial for a lot of reasons. First, no one ever asked for it; there was never a User Survey that polled users if they wanted guidance from ISO on how to implement ISO 9001.
Next, the addition of Annex A will likely increase the cover price of ISO 9001 by at least $50, if not $100. No one asked for that, either, but ISO wants to jack up the price of its most popular standard. Sergio Mujica continues to run ISO as a commercial, for-profit publishing house.
Next, ISO is pissing off the legions of free marketers and promoters it has relied on for the past two decades to sell copies of ISO 9001: mainly, the private consultants. The content in Annex A is, essentially, consulting advice written by Sam Somerville and a few of her private consulting pals. That could, at first glance, make writing books and giving seminars on ISO 9001 more difficult. In other words, ISO screwed the very people it relies on to create ISO 9001 by crippling their consulting practices. This led to major players like Lorri Hunt quitting TC 176 entirely.
But consultants shouldn’t worry too much because of this last point: the content of Annex A is really, really bad. Users will still need to hire consultants even with the guidance in place. What ISO should have done, if they wanted to put end users first, is make the requirements easier to understand instead of intentionally complicating them so they had to write an entire 15-page document decoding it all. But Somerville and her gang of scammers didn’t go that route.
Let’s take a look at the actual guidance content.
Frontmatter
Annex A is officially called “Clarification of Structure, Terminology and Clauses.” The opening sentences attempt to define the purpose of the Annex, but screw that up from the get-go. It says:
The information given in this annex is intended to provide clarification and to prevent misunderstanding of the requirements contained in this document.
Again, writing the requirements in simple language would have accomplished that, but here we are. The next bit then goes on to just outright lie, while desperately trying to sell a book that some ISO consultants worked on and are pissed never sold many copies:
This annex does not provide guidance for the implementation of requirements….
Umm, no. The Annex A guidance absolutely does tell you how to implement ISO 9001. I have no idea why they’re saying it isn’t intended for that. TC 176 has no idea what they are even writing.
The rest of the frontmatter of Annex A then goes into some housekeeping and terminology clarifications. I found this one of particular interest:
The word “consider” means it is necessary to think about the topic, but it can be excluded; whereas “take into account” means it is necessary to think about the topic, but it cannot be excluded.
In the 2015 edition, TC 176 replaced clearly-stated requirements that said, “the organization shall…” with murky, wimpy, non-binding suggestions phrased as “the organization shall consider….” Putting the word “consider” after “shall” thus nullifies the required nature of anything that follows, making it a non-requirement. Now, any time the standards says “the organization shall consider,” it is actually a note that happens to be inserted in the requirements section.
The Annex A material essentially admits this by saying the words coming after it may be “excluded.” So why write it at all?
Finally, as I wrote about previously, the frontmatter further complicates the entire “documented information” problem by providing the murkiest, muddiest decoding algorithm I’ve ever seen in a management system standard. Now
– If the standard says “shall be available as documented information” = requirement for documentation.
– If the standard says “documented information shall be available as evidence of” = requirement for a record.
Because that is easier than just using the words “document” or “record” in the actual text.
A.4 Context of the Organization
This section tries to clarify clause 4.0, obviously. It fails spectacularly.
As I have written about (a lot), clause 4.0 is presented in the wrong order. Clause 4.2 (on interested parties) should come first, since the interested parties determine the “issues” discussed in Clause 4.1. ISO 9001 continues to have them backward and the Annex A material essentially admits this. The guidance on 4.1 says to consider the issues of stakeholders that are not referenced until 4.2. Instead of forcing TMB to fix Annex SL and put the clauses in the right order, they added a full 600 words of guidance instead. Not exactly efficient.
Then there’s this cringeworthy bit:
… it is important that the external and internal issues relevant to the quality management system are determined using a rational approach and addressed by applying risk-based thinking and opportunity-based thinking.
Yes, Sam Somerville and her gang are leaning full-on into the ludicrous branding of “opportunity-based thinking.” Remember, ISO 9001:2015’s “risk-based thinking” has been widely debunked as not only a fraud (it never existed before ISO printed the words) but also a failure (risk managers and quality managers alike hate it). The only people promoting RBT have been consultants who want to sell seminars about it. Now they want to double their money and train you on “opportunity-based thinking,” or “OBT.”
As I write this, nearly no one is talking about OBT. But a few months after ISO 9001:2026 gets published, every consultant will be claiming to be an expert in this thing that did not exist just a few months prior.
For clause 4.3 on scope, TC 176 insists, “the scope of quality management system, and the scope of certification refer to different things, yet they are closely linked.” No, they are not. The scope of the QMS and the scope of certification should be absolutely identical. The fact that they are not is only due to the fact that CBs refuse to copy-and-paste the client’s QMS scope onto the certificate, and make up their own on the spot. Allowing the certificate to have a different scope than what the client has published internally is an invitation for fraud. I can tell my customers, “our QMS scope is for XYZ,” but internationally say, “XYZ is too hard, so the real scope is just X.” Again, fraud.
The last section on 4.4 continues to treat the process approach as if it is constrained to clause 4 only, and promptly drops it by the time we reach clause 5. The language here continues to be overconfusing when the process approach really isn’t that complicated. They just need to hire a talented writer who can explain it in simple terms. (I’m available for $4,000 an hour, ISO.)
A.5 Leadership
There really isn’t much here except for a rewording of the actual requirements in clause 5.0 of the standard itself. Section A.5 comprises over 500 words that say nothing much new.
I thought this was interesting, though:
Ethical behaviour is part of the quality culture and is fundamental to the leadership commitment to support the quality management system….
Again, TC 176 is trying to rewrite history. Suddenly, in 2026, ethics is a “fundamental” part of a QMS? Where was it in the 1987 standards, then? Or the 1994 or 2008 0r 2015 versions? Did ethics only get invented in 2025?
I could take all of this more seriously if ISO and TC 176 were not themselves so egregiously unethical. This is more advice ISO gives others since it’s not using it.
A.6 Planning
Here again, TC 176 is high on its own supply and insists that a thing they just thought of has been “fundamental” to quality management all along. Read this:
…the fundamental quality concepts of risk-based thinking and opportunity-based thinking are used to enhance the organization’s ability to meet the objectives of its quality management system…
Listen, if “opportunity-based thinking” was “fundamental,” someone like Deming or Ishikawa or Crosby would have come up with it in the 1960s. They didn’t because it’s nonsensical, childish bullshit. This is just Sam Somerville thinking she’s the smartest person in the room because BSI shoved her on the committee due to her entire lack of spine. Now she’s filled with herself, just like her incompetent predecessor Nigel Croft, who invented “risk-based thinking.”
(And speaking of which, where’s Croft now? He has completely disappeared from the ISO scene and has disavowed all responsibility for creating RBT, despite having boasted about it years ago. Somerville will share the same fate.)
Then, this section of the Annex provides a massive subsection on advice for RBT, comprising approximately 250 words, and continues to repeat Nigel Croft’s claim that “the concept of risk-based thinking has been implicit in previous editions of this document.” No, in fact, the 2000 and 2008 versions explicitly excluded risk. But here, the Somerville Gang goes further in its war on preventive action and removes all references to it entirely, whereas the old Croft quote at least mentioned it in passing. Now, RBT is alleged to have been implicit in prior editions “through requirements for planning, review and improvement, and quality specific requirements that historically have been designed to prevent the delivery of nonconforming products or services to an organization’s customers.” None of that is true, and is just TC 176 gaslighting you into believing something that you could disprove in five seconds if you had a copy of the old standard.
Then, TC 176 adds another 150 words on OBT. Here, the authors are really gearing up for a war with risk clowns like David Hillson by saying, overtly and unapologetically, “Determining and managing risks and opportunities are separate processes. Risks are not opportunities.” For anyone paying attention to the evolution of risk within ISO standards, that is a massive salvo fired broadsides at an entire generation of risk management fakirs who have tried to market “positive risk” as including opportunities within it. Damn!
As for quality objectives, TC 176 still has no clue and (as I said) by clauses 5 and 6, they have already forgotten the process approach. In a real process-based QMS, the quality objectives are assigned to each process as KPIs. In ISO’s mind, process KPIs are entirely different from quality objectives, which drives us back to the pre-1950s practices of setting goals that are entirely unrelated to processes and then expecting them to have meaning. They don’t.
Bizarrely, a note follows the section on quality objectives that refers to ISO 10005 on quality plans, which has no relevance to the actual paragraph. It will be fun to see if this typo makes it through the editing process.
The section ends with a paragraph on Planning of Changes, which is nearly a word-for-word copy of the text from the actual requirements. It’s clear that TC 176 doesn’t really understand change management, and can’t explain it.
A.7 Support
This section does not offer much in terms of solid advice, but it begins with a sentence that will undoubtedly send consultants into a marketing frenzy: “Emerging technologies can be used in place of people for some functions.” They won’t notice that TC 176 are being corporate dicks and in effect saying, “you can use AI instead of hiring people,” and will instead insist — as they have for months already — that ISO 9001 now addresses “emerging technologies.“ This is one of the only places the term is even mentioned.
(I can’t wait for the day AI replaces these trashy consultants, frankly.)
The bit on infrastructure drops more consultant buzzwords, like “hybrid and remote work” and “innovative technologies,” but again, not in any actual requirements. This will also be misrepresented by consultants wanting to sell bullshit.
For the work environment, TC 176 doubles down on 2015’s insistence that the workplace should be chill, to protect workers’ psychological well-being, but then issues a diktat that “this does not mean a health and safety requirement should be addressed within the scope of the quality management system.” Many consultants had hoped that ISO 9001 would absorb ISO 45001, but this throws cold water on that claim.
The section on monitoring and measuring resources includes some wacky definitions of the terms that don’t match at all what appears in the requirements sections. This will add more confusion, of course.
The section on organizational knowledge is just a rewording of the requirements clause, with nothing added.
The next few sections on competence, awareness, organizational knowledge, and documented information comprise a full 800 words, but also simply rephrase the requirements using different words. There’s no real insight into any of them.
A.8 Operation
8.1 Operational planning and control
The Annex guidance on clause 8.1 suggests the TC 176 authors still don’t fully understand what this clause is about. It was originally some vestigial text that related to quality plans, but with the advent of documented quality systems, the use of formal “quality plans” fell to the wayside. Now 8.1 sits here and spews a lot of words that have no context to anyone who doesn’t remember ISO 9001’s history.
ISO also makes a silent distinction between “organizational” processes that might cover all the clauses except 8, and “operational” processes covered by clause 8. It would have been nice if this Annex guidance had cleared that up, but it remains entirely silent on the topic. Clause 8.1 desperately needed some explanation, but TC 176 wasn’t up to the task.
And, again, we see a weird footnote referencing “configuration management” here that doesn’t belong in this section.
8.2 Requirements for products and services
The guidance on 8.2 is really, really out there, man. This used to be the simple “contract review” clause, but TC 176 has lost the plot here. Take a look at a few of the sentences that pop up:
… communication … can also include training activities aimed at the customer to enable them to better formulate requests.
Wait, what? You have to train your customers now?
Customer information can also include advertising.
… with ethical behaviour is important to avoid creating customer expectations that do not correspond to what the organization is actually capable of providing.
That last one suggests that auditors might start auditing companies’ websites to make sure they can “meet the claims” they make about their products and services. Good luck with that!
8.3 Design and development of products and services
This edition of ISO 9001 still hasn’t removed “and services” from the scope of the design clause, despite ISO and IAF having full policies on how to exclude it if you are a service organization and not a product manufacturer. (I wrote about that back in 2018, here, and ISO ignored me, of course.) Instead, TC 176 doubles down and insists that those exclusion rules don’t exist, and the section totally applies to the design of services:
For service organizations, the approach to design and development can be different from “traditional” manufacturing organizations.
It then suggests that service organizations can exclude “some sub-clauses” of 8.3 “without necessarily excluding the entire clause.”
Remember when I said they lied up front and insisted that the Annex wasn’t providing implementation advice? That last bit sure looks like full-on implementation advice!
The authors then insist that design and development be a single process, when in reality, companies often have multiple design processes. This is due to the TC 176 reps having no practical experience in designing much of anything other than their consulting company’s business cards.
This section includes more consultant-catchy words like “sustainability” and “innovative solutions.” This will be misrepresented by consultants who will insist ISO 9001 is now demanding companies adopt these things.
A.8.4 Control of externally provided processes, products and services
Here, the TC 176 geniuses were remarkably brief, which is odd since consultants often come from supply chain quality departments. They still do not even recommend using written communication to buy raw materials or critical services, allowing you to do so by phone or telepathy, ensuring you have no means of verifying whether what you received is what you bought. Thinking-based standards, yo!
It then includes this sentence that I can’t really make sense of, and which is grammatically incorrect:
Processes provided externally always have the essential characteristic of a service, since it [sic] will have at least one activity necessarily [sic] performed at the interface between the provider and the organization.
They then name-drop RBT and OBT because they are really going all-in on those things.
A.8.5 Production and service provision
This section starts with a long-winded discussion of validation of special processes, but without ever using the industry-established term “special processes.” As a result, it’s confusing.
Once that’s out of the way, the section glosses over or ignores nearly the entirety of the rest of clause 8.5. As others and I have noted, TC 176 reps have little to no practical shop floor experience, so it was expected they would just skip this part.
I don’t get it. I had 11 years of shop floor experience before I became a consultant, but with over 350 clients under my belt, even as a consultant, I am constantly walking shop floors and engaged with actual production operators. I spend a huge portion of my time in clause 8.5. I don’t know how you can be an ISO 09001 consultant and be so clueless about how your clients make stuff.
A.8.6 Release of products and services
I am not sure if the current Sam Somerville class of consultants doesn’t know that this clause is about inspection and testing, or if they are just dedicated to ISO’s refusals to use the words.
(Easter egg: The word “inspection” does not appear anywhere in the new standard, and I mean not even in the huge Annex!)
So, instead, this guidance section talks about verifying “conditions under which product or service is delivered,” making it sound like you’re controlling the shipping department lighting and not performing any actual final inspections.
Weird.
A.8.7 Control of nonconforming outputs
Waiter, I’ll have what TC 176 is smoking! They launch into this section like a rabid roid rocket, saying, “If all previous steps have been conducted in accordance with the requirements of this document, the possibility of nonconforming output is minimal.”
That’s a pretty bold statement, which is not even close to the truth, unfortunately. The requirements part of the standard is so confusing that generating nonconforming products and services is more likely under ISO 9001:2026 than, say, ISO 9001:2000.
Seriously, switch to decaf, guys!
They bizarrely name-drop PDCA here, despite having forgotten about it for the rest of the standard, too.
Showing that the authors continue to be confused between clauses 8.7 and 10.2 on Corrective Action, this section contains notes that point to other ISO standards on “complaints handling” and “dispute resolution external to organizations.” That is not at all what this clause is about.
A.9 Performance Evaluation
Here, the authors discuss how this clause is related to the “Check” step of PDCA, but then never set the stage for this to in any way rope back around to clause 4. There are vague references to checking the effectiveness of the QMS, but never through the review of the processes. The idea that a QMS is a set of processes was forgotten and never revisited.
For the clause on internal auditing, TC 176 gets a little aggro and says, “All processes of an organization’s quality management system need to be audited.” Really? Because that’s not what the requirements section in the actual standard says! This is because TC 176 was so terrified to edit the Annex SL text, they did not dare add process auditing and risk upsetting Dick Hortensisus and his TMB goons.
But expect this to be misrepresented by consultants as a requirement for process-based auditing. It is not.
For the section on management review, TC 176 sets itself up for a war with the IAF and every certification body everywhere by saying, “It is up to the organization to determine the intervals between management reviews.” As you likely know, CBs demand that you do your management review at least annually. So, no, the organization does not determine the interval; the CBs do, all without any actual requirement justifying it.
A.10 Continual Improvement
Here, the authors countermand the literal title of the clause by saying, “Continual improvement is one type of improvement, but there are other ways to improve the quality management system.” If so, why call the clause “Continual Improvement”?
The authors then launch into a brief paragraph on “emerging technologies” but only as they pertain — curiously enough — to continual improvement. I guess there are no emerging technologies for operational technology (OT)? They then say, “the use of emerging technologies within organizations and society is essential.”
Here’s the thing: in 1987, when ISO 9001 was introduced, we were already experiencing groundbreaking “emerging technologies” like the affordable personal computer, MS-DOS and Windows as an operating system, and just a few years later, the freaking internet. By the time the 1994 edition came out, we were already awash in those free AOL disks! There is nothing new about the idea of emerging technologies now, in 2025, than there was when ISO 9001 was first released. Only the types of technologies have changed. ISO keeps pretending that tech was invented only a few years ago.
In what is the most dangerous and mind-bogglingly stupid bit of advice, TC 176 ends the Annex on an entirely erroneous claim that the clause of corrective action in 10.2 is tied to clause 8.7 on nonconforming products and services. No, it isn’t, and spending just five minutes in any actual functioning company would disprove this ridiculous claim.
It says (emphasis added by me):
This requirement covers the management of both nonconforming outputs, as addressed in clause 8.7, and any other nonconformities found in the quality management system.
and
This clause specifically addresses the actions to be taken once the nonconformity has arisen, in addition to what is stated in clause 8.7.
So, per the Annex A guidance, you will have to file a formal corrective action — with full cause analysis, action plan, follow-up verification, and logging — every time you scrap a single part. Every time.
Sam Somerville and her gang of idiots think that is how a company operates.
In the real world, companies have two systems: a nonconformance report for defective products or services, and then a CAPA or CAR system for holistic and existential nonconformities to the QMS or organization. The brain-dead slobjockeys at TC 176 continue to conflate the two, defying decades of real-world quality management practices.
Then, the guidance goes on to confuse things further by saying that’s not what they said, even though they totally did (again, emphasis added by me):
It is not required that corrective action be taken for every nonconformity.
Umm, you just said it was! Now, recall that the requirements of clause 10.2 require the organization to “determine the causes of the nonconformity.” But then the guidance section says that’s wrong, too:
There is no requirement that root cause analysis be done, although the organization can choose to do so, or be required to do so by other bodies.
What is likely happening here is that TC 176 is making a distinction between formal “root cause analysis” and “determining the causes of nonconformities,” but it never explicitly states that. Furthermore, for decades, users have understood (perhaps wrongly, but nevertheless universally) that the phrase “determining the causes of nonconformities” means RCA is required. Here, TC 176 is distancing itself from RCA, just as it had previously done for preventive action… two critical tools in any quality manager’s toolbox!
This will cause absolute chaos if it’s not removed from the guidance.
The complete lack of competence by TC 176 is staggering.
Bibliography
The last few pages of the new standard then list a whopping 27 supporting ISO standards. This is a new approach brought on by Sergio Mujica, who is trying to generate more revenue by upselling. I estimate that if you bought each of the supporting standards listed, it would run you at least $5,000.
I again point out the references to iso on configuration management. ISO has (wrongly) resisted adding a clause on CM, despite it being a crucial aspect of most quality systems. Neither the requirements nor the Annex discuss CM, but they keep suggesting you buy the standard on it.
When ISO finishes its transition to “Standards-as-a-Service” via ISO Smart, I suspect they will somehow require you to pay for each of those if you simply buy a license for ISO 9001. We will see.
If you’re frustrated by these changes, your only option is to let your national TC 176 member body. They may not be able to do much — ISO and BSI have nearly shut down all practical feedback mechanisms, not even allowing the people who physically show up at meetings to have a say in what gets put into the text — but enough outrage might get ISO to change course.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
