ISO 9001:2025 Committee Draft Leaked: An In-depth Look

We got our hands on the Committee Draft (CD) of ISO 9001:2025, and here’s my detailed breakdown. No, I can’t publish the actual document, so don’t ask.

This appears to be a copy and paste of the “Secret Draft” that was written as a precursor to the CD. They sort of skipped the usual working Draft (WD) this time entirely, suggesting they are pushing hard for a 2025 publication date.

TL;DR Version

I’ll have a longer editorial on this thing shortly, but here’s the attention-deficit version.

If you hated ISO 9001:2015, you will still hate this. They don’t fix anything, but (so far) they haven’t added any new world-breaking requirements. In fact, the new requirements are minimal. This may change with the next version, the DIS (Draft International Standard), but I doubt it.

The new standard keeps nearly all the problems, errors, mistakes, blank clauses, non-requirement requirements, etc. from the 2015 version. Thsi is likely due to TC 176’s slavish adherence to the Annex SL core text.

OMG, do the 100-year old, dimbulb TC 176’ers want you to know they are hip. They name-drop so many awkward and already dated terms like “VR” and “Metaverse,” you’d think they actually know how to boot their own computers.

The standard adds a massive annex that reads like a consultant’s handbook to implementing ISO 9001. This was copied and pasted from the TC 176 document ISO 9001 for Small Enterprises published in 2016. This will increase the cover price immensely, as the page count is about to double or triple. The content is meh.

Most of the clauses that would require TC 176 to actually know what happens on a shop floor — like all of clause 8! — remain largely untouched. They spent a lot of time twiddling words in the leather-elbow parts, like COTO.

TC 176 still has no idea what a QMS actually is, and they break the PDCA and process approach midway through the standards.

Changes to Clauses

0.0 Introduction

No real changes

Still maintains the lie that “risk-based thinking” is part of the process approach. This was never true; still insists that risk-based thinking is to replace preventive action.

Contains errors, such as still referring to ISO 9001:2008 — LOL.

1.0 Scope

No changes

2.0 Normative references

No changes, still only references ISO 9000

3.0 Terms and definitions

Now adds definitions for: organization, interested party (stakeholder), top management, management system, policy, objective, risk, process, competence, documented information, performance, continual improvement, effectiveness, requirement, conformity, nonconformity, corrective action, audit, measurement, monitoring.

This section like to get excised; the CD of ISO 9001:2015 also included definitions which were later taken out.

Definition of risk is presented as “effect of uncertainty” and still claims it can be either “positive or negative“

New definitions are added, rather than just referring to ISO 9000. Includes definition of “documented information,” which still insists it refers to both documents and records simultaneously.

Still no definitions for “strategic direction” or “opportunity,” despite the terms being crucial for understanding the standard.

4.0 Context of the Organization

CD continues to present sub-clauses in the wrong order. You can’t identify issues until AFTER you identify your stakeholders, you window-licking morons! Just because Dick Hortensius is dyslexic doesn’t mean you need to copy and paste his mistakes.

4.1 Understanding the Organization and Its Context

Adds climate change language from the ISO 9001:2015 Amendment 2024. Still didn’t fix the error that the text of the clause never discusses “context,” and the standard never explains what that means.

4.2 Understanding the needs and expectations of interested parties

Adds climate change language from the ISO 9001:2015 Amendment 2024.

Minor language tweaks, no new requirements.

4.3 Determining the scope of the quality management system

Minor language tweaks, no new requirements.

4.4 Quality management system and its processes

Minor language tweaks, no new requirements.

5.0 Leadership

5.1 Leadership & Commitment

5.1.1 General

Adds requirements for top management to “promote ethics and integrity” and “determine, implement and improve the organization’s mission, vision and values, and promoting an aligned quality culture.” More unenforceable platitudes keeping the clause largely useless and un-auditable.

This means the rumors of a new clause related to the “culture of quality” were bogus. They just added a tiny note.

The bit about “ethics and integrity” will ensure that ISO, itself, never adopts this standard. Snort.

5.1.2 Customer focus

No changes.

5.2 Policy

No changes.

5.3 Organizational Roles Responsibilities and Authorities

No changes.

6.0 Planning

6.1 Actions to address risks and opportunities

Largely improved. Now distinguishes more clearly the difference between risk and opportunity. Adds sub-clauses 6.1.1.1 for risks, and 6.1.1.2 for opportunities.

Still no requirement for procedure, process, records, root cause, or any legacy preventive action language, so this will remain a huge flaw in ISO 9001. TC 176 predictably ignored the world’s feedback on “risk-based thinking.”

6.2 Quality objectives and planning to achieve them

Adds a bizarre change now requiring that objectives be measurable only “if practicable.” Huge step backwards. Objectives should ALWAYS be measurable. tIt’s like they weren’t happy making Deming spin in his grave by invoking “measurement by objectives” in the first place, they want the poor guy to drill his way to China with more “management by slogans.”

TC 176 still does not close the loop on the process approach as the core of a QMS, thinks process metrics and quality objectives are different things.

6.2.2 maintains the cringeworthy “who, what, where,…” language of Annex SL and ISO 9001:2015. Remains a blank clause, with not actual requirements. Still no editors stepping in to fix this glaring flaw.

6.3 Planning of changes

No changes

7.0 Support

7.1 Resources

7.1.1 General

No changes.

7.1.2 People

No changes.

7.1.3 Infrastructure

No changes. Continues to put the requirements into the note, keeping the error from ISO 9001:2015.

7.1.4 Environment for the operation of processes

Continues to put the requirements into the note, keeping the error from ISO 9001:2015. Maintains the bonkers language on “social and psychological” factors such as “emotionally protective” workplace. Adds new suggestions to consider “technological” and “cultural” aspects. The “technological” note adds cringeworthy name-drops of words like “AI, Metaverse, VR, chatbots.” Absolutely embarrassing.

7.1.5 Monitoring and measuring resources

No changes. Still does not require a calibration log!

7.1.6 Organizational knowledge

No changes.

7.2 Competence

No changes.

7.3 Awareness

No changes.

7.4 Communication

Maintains the cringeworthy “who, what, where,…” language of Annex SL and ISO 9001:2015. Remains a blank clause, with no actual requirements.

7.5 Documented information

No changes except for possibly some minor word tweaks. Continues to mix up “documents” and “records,” keeping the section confusing and rambling.

8.0 Operation

8.1 Operational planning and control

No changes, maintains ISO9001:2015’s errors of (a) not clearly explaining that the standard views “operational” and “organizational” processes differently, (b) not fixing the clause so that it can in any way be understood without a consultant, and (c) still tossing “outsourced processes” over the 8.4 rather than fleshing out the real ways companies should manage these.

8.2 Requirements for products and services

8.2.1 Customer communication

Adds a cringeworthy note defining what “customer communication” is – really? we needed that? – then namedrops terms like “web site content, Frequently Asked Questions” as if it was written during the AOL era.

8.2.2 Determining the requirements related to products and services

No changes. Maintains bizarre language that this applies BEFORE a customer even exists (“products and services to be offered to customers…”) Still haven’t fixed that.

8.2.3 Review of requirements related to products and services

No changes. Still a mess (“to be offered…”) and largely repeats what was said in 8.2.2. Old 2000 language was better, but they still won’t restore it.

8.2.4 Changes to requirements for products and services

No changes.

8.3 Design and development of products and services

No changes. Maintains the jumbled nature of this clause from 2015, implying that design validation happens before you create design outputs, Again, the  2000 language was better, but they won’t restore it. Agile folks, you will still hate this.

The fact that this was not touched at all so far suggests that none of the TC 176 authors understand product design. The clause STILL does not discuss service design, despite it being in the title of the clause. This speaks to a gross lack of subject matter experts on the committee.

8.4 Control of externally provided processes, products and services

No changes. This maintains the confusing repetition of requirements in 8.4.1 and 8.4.2. Also (again) the fact this wasn’t touched suggests no actual SMEs are working on this standard. TC 176 doesn’t know how supply chain management and procurement work.

Still doesn’t require that you communicate with suppliers in actual writing, so still no PO requirement!

Outsourced process still get no love.

8.5 Production and service provision

8.5.1 Control of production and service provision

No changes.

8.5.2 Identification and traceability

No changes.

8.5.3 Property belonging to customers or external providers

No changes.

8.5.4 Preservation

No changes.

8.5.5 Post-delivery activities

No changes. This clause still doesn’t know what it wants to say.

8.5.6 Control of changes

No changes.

8.6 Release of products and services

No changes. Still maintains the horrid 2015 error or switching terms mid-standard. Until this clause, “measurement and monitoring” has been used to refer to inspection and testing. Now, at clause 8.6, they call inspection and testing “planned arrangements.” Readers would have no way to know this. Clause is still not about “release” (delivery) at all.

Oh, and still no actual delivery clause! So product never needs to be shipped. TC 176 has never set foot in an actual company, I think.

8.7 Control of nonconforming outputs

No changes, and we desperately needed fixes here.

9.0 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General

No changes, remains nearly entirely useless. Never ties back to process approach, so breaks PDCA entirely.

9.1.2 Customer satisfaction

No changes.

9.1.3 Analysis and evaluation

No changes. Again, never ties back to process approach, so breaks PDCA entirely. Treats “performance and effectiveness of the quality management system” as something totally apart from process approach.

Keeps “statistical techniques” as an afterthought note, ensuring problems for companies that use them.

Fails to alert the reader to the (idiotic) fact that now, in clause 9, TC 176 is using the term “monitoring and measurement” in an entirely different context. Now it is NOT about inspection testing, despite that being understood up until clause 8.7. So, for those keeping tarack at home:

Clauses 4 through 8.5: “monitoring and measuring” means inspection and testing.

Clause 8.6: now, inspection and testing are referred to as “planned arrangements” you do prior to “release.”

Clauses 9 & 10: “Monitoring and measurement” now means a more holistic (and literal) monitoring and measurement of data related to the QMS, and not inspection and testing.

Got it?

9.2 Internal audit programme

Weird: changes name of clause to add the word “programme.” Then uses the word, but not consistently. Refers to auditing as a “process” then “programme” and then “process” again, all in one single sentence. What a bunch of shitbirds.

Still no requirement or language about “process-based auditing,” so – again – PDCA and the process approach are abandoned by the time we get to clause 9.

Odd how bad this is, since the TC 176 consultants love to write books about auditing, and they appear to have no clue how to do it.

9.3 Management review

Nio changes. Maintains 2015’s errors of (a) failing to tie back to PDCA and process approach, (b) conflating “process performance” with “conformity of products and services” when the two are very, very different things, (c)

10.0 Improvement

10.1 General

Still largely repeats what is later said in 10.3, making them effectively duplicates. Adds cringeworthy note namedropping terms like “incremental and breakthrough change,” “innovation and re-organization,” and “emerging technology.”

10.2 Nonconformity and corrective action

No changes, doesn’t’ fix the confusion between this clause and 8.7’s nonconformities. Still doesn’t require a procedure because TC 176 is doing an outreach program for illiterates.

10.3 Continual improvement

No changes. Still never ties back to processes or anything in clause 4 at all, so breaks the PDCA cycle one last time.

New Appendix A

The standard adds an absolutely huge new appendix called “Guidance on Use of this International Standard.” While this was clearly written by a consultant, this will have some competing and contradictory ramifications. First, it might confuse people more, pushing folks to have to go out and hire a consultant. But, alternatively, this might cripple the sale of all those TC 176’er books, since this section essentially IS an entire implementation guide. A shitty one, but still, a guide.

UPDATE: I since learned this is just the 2016 publication ISO 9001:2015 for Small Enterprises -What to Do – Advice from TC 176 literally copied and pasted and put into the CD. The only change is where the original document says things like “you should do XYZ” the CD text says “the organization should do XYZ.” So TC 176 didn’t even work on this part during their breathless scrambling to develop ISO 9001:2025.] The problem here is that this publication is — as the title says — for SMALL enterprises, and the ISO 9001 standard is for everyone. So I have no idea what the authors were thinking of by including it, since it reduces the scope of use for ISO 9001, and doesn’t expand it.

I won’t go over this in detail, because it is absolutely massive. Here are some brief first impressions:

Includes subsections on Clarification of Structure and Terminology, Clarification of Concepts, and then long-winded clarifications on each of the requirements clauses from 4 through 10.

Repeats the mindbogglingly bad sentence, “Organizational knowledge is the specific knowledge of the organization.” Good lord, what utter morons these people are.

Oh, they try to make a case for the design clause in 8.3 applying to a “coffee-shop.” Which is hyphenated, yes.

The narrative on “internal audits” suddenly starts talking about conducting audits by process, but that was never indicated in the actual requirements of clause 9.2. So there’s some cognitive disconnects here.

Namedrops “ISO 9000:2025,” suggesting that 2025 will definitely be the year ISO 9001 itself is published.

On the benefit side, there are a few good nuggets amidst the piles of crap. There are a few guidance suggestions for service organizations, to help them understand this despite ISO 9001 still being written for widget manufacturers. So at least the service sector is getting a teeny bit of lip service.

Remaining Bits

The last parts are:

Appendix B: Other Standards

Just the usual product placement and up-selling ads for other ISO standards.

Bibliography

No changes that I noticed.

---

UPDATE 29 April, 2024: Updated the text above to clarify that the new Appendix A is actually the 2016 publication, ISO 9001 for Small Enterprises, now plopped into the ISO 9001 standard.