The ISO Directive for developing standards (specifically, ISO/IEC Directives Part 1: “Rules for the structure and drafting of International Standards”) carefully lays out how standards such as ISO 9001 must be written. For example, clause 4.1 of the Directive states that all standards must:

  • be as complete as necessary within the limits specified by its scope,
  • be consistent, clear and accurate,
  • be comprehensible to qualified persons who have not participated in its preparation, and
  • take into account the principles for the drafting of documents

Meanwhile, the Directive also demands that any requirements (“shall clauses”) be “used to indicate requirements strictly to be followed in order to conform to the document and from which no deviation is permitted.”

What’s odd, then, is just how TC 176 and the ISO Technical Management Board managed to publish ISO 9001:2015, which violates these rules so often throughout its text, making the resulting standard baffling and unintelligible. Of particular concern is the fact that so many of the “shall clauses” in ISO 9001:2015 don’t actually require anything at all, and thus provide no basis for the reader — nor any auditor — to understand what either “conformance” or “deviation” would look like.

For example, consider clause 6.2.2 on quality objectives, which reads:

6.2.2 When planning how to achieve its quality objectives, the organization shall determine:

  1. what will be done;
  2. what resources will be required;
  3. who will be responsible;
  4. when it will be completed;
  5. how the results will be evaluated.

This clause actually doesn’t provide any hard requirements at all, and instead creates a scenario whereby the user can “fill in the blanks” with any particular requirements they like. The literal reading — and all standards must be read literally — says “the organization shall determine what will be done.” This is a gross abdication of duty on the part of the authors of ISO 9001, since the standard is supposed to provide the requirements, not offload that responsibility to the reader. In fact, the provision of requirements is the sole purpose of a standard.

Clause 7.4 on Communication suffers the same problem:

The organization shall determine the internal and external communications relevant to the quality management system, including:

  1. on what it will communicate;
  2. when to communicate;
  3. with whom to communicate;
  4. how to communicate;
  5. who communicates.

Reading it literally, we again see the ISO 9001 standard is not providing any actual requirements here, but — again — asking the reader to invent their own requirements. It would be functionally equivalent if the standard simply had a blank space in the paragraph, and invited the user to write in whatever they want. Worse, TC 176 didn’t even bother to provide a context for what “communication” should be achieving; if they had, they might have written “The organization shall determine the internal and external communications necessary for the effective implementation of the quality management system.” Had they done that, at least, we would have a contextual basis for what requirements we were being asked to invent; as it’s written, ISO 9001 doesn’t even tell you why you need “communication,” so you don’t know what the communication should be about.

Remember, ISO Directives demand that its standards define “requirements strictly to be followed in order to conform to the document.” In the above two cases, there’s nothing that defines the limits or boundaries of conformity, but instead they ask the user to define conformity themselves. It’s absurd.

Furthermore, reading it literally, a company could simply say “we’re not going to communicate about anything,” and that meets the literal requirement: the company has “determined the internal and external communications relevant to the QMS” by determining it doesn’t need any. This would lead to an argument that such an interpretation “doesn’t meet the spirit of ISO 9001,” except standards are not supposed to be interpreted based on a “spirit,” but on hard requirements. That fact is what makes them standards.

In both these cases (clauses 6.2.2 and 7.1), TC 176 isn’t the source of the problem; instead, they simply copied and pasted the text provided to them by the ISO TMB, which appeared in Annex SL. This introduces some additional problems. When the TMB wrote Annex SL, it was neither a standard nor a guide, and was instead embedded in the very ISO Directives that provide the rules for developing standards. That means that it didn’t have to follow the rules for a standard, since it was intended to sit “above” such standards. So the TMB can write anything it wants, but as soon as TC 176 copied and pasted it into ISO 9001, it was TC 176’s responsibility to edit the text to ensure it complied with the ISO Directives. They didn’t do that, and the TMB didn’t say anything, since they didn’t want their original text fiddled with anyway. But what this means is that the TMB led TC 176 into violating the very ISO Directives in which Annex SL had been embedded!

The standard also suffers from “duplication of requirements,” which is taboo. According to the ISO Directives, “avoidance of duplication is a general principle in the methodology of standardization,” and this is especially critical for any standards used for either product or system certification, since nonconformities must be written against a single requirement. For example, if an ISO 9001 auditor finds that employees are not aware of the Quality Policy, under ISO 9001:2008, this would be written up under a single clause (5.3: “Top management shall ensure that the quality policy … (d) is communicated and understood within the organization”). Under ISO 9001:2015, however, it’s not clear if you would write the nonconformity under 5.2.2 (“The quality policy shall … (b) be communicated, understood and applied within the organization”) or 7.3 (“the organization shall ensure that persons doing work under the organization’s control are aware of … (1) the quality policy”).

Ultimately, these flaws in ISO 9001:2015 are the result of ISO’s crushing print deadline, and the imposition of Annex SL, which was not subject to proper vetting by a Technical Committee, since the TMB imposed it on the Technical Committees. The end result is a vague and confusing standard that becomes impossible to audit, and whereby users can actually ignore entire swaths of the standard because the literal language doesn’t define hard requirements. While few are likely to take this path, it does become problematic to determine how, exactly, to audit the standard, which is critical, since the standard is intended for use in third-party certification audits.

More evidence that ISO needs to pull ISO 9001:2015 from distribution, and start over, to fix the problems it created.


    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015.