I was able to get a copy of “CD2” of the new ISO 9001:2026 standard, which is the second Committee Draft. The original CD1 was scrapped after some widespread criticism over the inclusion of an entire book in the Annex, which would have increased the cost of the final standard many times.
As usual, I won’t publish the CD2 nor send it, so don’t ask. I have a video on YouTube about the changes here.
This draft appears to be the second draft of CD2, and I am told a third was made or is underway. So additional changes are going to be made. It’s a little odd they are doing so many drafts of a draft, but I think if they announced a “CD3,” it would simply look too much like TC 176 has lost control of the plot. (Which it has.)
Stray observation: the header of the document still says “ISO 9001:2024.” So every page reminds TC 176 of its failures.
The short take: CD2 make ISO 9001 worse, not better. The authors clearly have no practical QMS experience and seem to have been locked in a conference room for the last two decades. Nearly zero changes to clause 8, for example, while they argue over inane, meaningless details like bureaucrats. The trimming of the Annexes is welcome, but the guidance provided in the new Annex A is abysmal and confusing. Some of the Annex A text actually contradicts the text of the requirements!
There are two huge problems that, like risk-based thinking replacing preventive action, actually set QMSs back by a century or more:
- Removal of nearly all language making “outsourced process” controls intelligible.
- Insistence that quality objectives do not need to be measured.
These two changes are really inexplicable from a quality management standpoint.
There were changes to frontmatter, appendices and notes… none of which present requirements. This has allowed consultants and ISO-sellers to brag about things being addressed, like “emerging technologies,” but if they do not appear in the actual requirements, then it’s pointless. So this version is filled with this sort of name-dropping of concepts that don’t actually turn into actionable things you have to do.
All of the major flaws and mistakes in ISO 9001:2015 remain intact: clause 4 sub-clauses in the wrong order, requirements put into notes, notes presented as requirements, PDCA still not a loop, “shall consider” clauses still being entirely un-implementable, etc.
ISO learned nothing because TC 176 continues to be a paranoid, cloistered set of uninformed, unqualified private consultants who listen to no one. BSI taking over this effort has had no impact, and the TC 176 leadership is too busy arguing over commas rather than making meaningful improvements to the standard.
The good news? Implementing the changes should be relatively simple for those who already have ISO 9001:2015 in place. That’s one massive benefit of this mess.
Overview of Changes
Much has been said by ISO and TC 176 that they were seriously working on the comments provided by members on CD1. At the same time, my sources told me that ISO was intending on ignoring the comments from CD1, since ISO is already years behind on the release of this update. The truth ended up being in the middle. There is no way the TC leadership did the amount of comment processing they are claiming, but some comments were examined. In all, about twenty (as in 20) comments seem to have affected the text. ISO was saying they were processing over 1,000 comments, so clearly, they did not process them all. But “some” is more than zero… I guess?
That huge book at the end has been eliminated entirely, and in its place is a new Annex A that provides guidance on implementing ISO 9001. In its current CD2 state, this only adds bout 8 pages to the document. (CD1’s annex added over 30 pages.) A longwinded “Annex B” from CD1 on relative other standards, which added another five pages, has been dropped entirely in CD2, thankfully.
Now, the final document comes in at only 50 pages, or about ten more than a typical PDF of ISO 9001:2015. That’s manageable.
The overwhelming bulk of the changes are due to updates to Annex SL, which is now referenced as the “HS” for “harmonized structure. (It’s still Annex SL, but I guess they think “HS” sounds better.) As a result, we see many of the new languages that appeared in the recent ISO 42001 standard on AI Management Systems now also appearing in ISO 9001:2026; they both are just adopting the Annex SL text.
Within the changes made to requirements, quality objectives are now optional, as they were in CD1. This is an Annex SL change that TC 176 has inexplicably agreed to. This pushes us back to what Deming warned us about: management by slogans. But Dick Hortensius and the Annex SL authors probably never ready Deming, and Hortensius never had a proper job, so here we are.
Also per Annex SL’s update, the standard does away with the old code of referring to “retain documented information” to mean records and “maintain documented information” to mean documented procedures. Now, it says, “documented information shall be available,” leaving the user to decide whether a document or record is best.
The cringy terms found in the CD1 draft, like “VR” and “metaverse” have been — thankfully — removed. In their place is a new note on “emerging technologies.” But this is a note, not a requirement.
Instead of working on clause 8, TC 176 also argued over what can only be described as “bullshit.” Look at this inane argument over the need to have a “discipline-specific justification” just to replace “e.g.” with “for example.” This is what they spent their time on!
Changes to Clauses
0.0 Introduction
A complete re-write of the bit on “risk-based thinking“; ISO appears to have taken my advice, however, and stopped pretending RBT was part of the process approach. This section frustratingly continues the nearly-criminal assistance that RBT = preventive action, however. Anyone who has worked five minutes in a real QMS knows this is untrue. The new paragraph also conflates risks and opportunities; a new paragraph tries to explain “opportunities,” but it’s still called “risk-based thinking,” so it implies that opportunities are some form of risk. Keep this in mind because it comes up again later in Annex A.
Thankfully, the user’s “Bill of Rights” remains untouched. This is the paragraph that starts with “it is not the intent of this document…” and it is an invaluable tool for users who are harassed by uninformed auditors.
1.0 Scope
No changes
2.0 Normative references
No changes; still only references ISO 9000.
3.0 Terms and Definitions
Now adds definitions for: organization, interested party (stakeholder), top management, management system, policy, objective, risk, process, competence, documented information, performance, continual improvement, effectiveness, requirement, conformity, nonconformity, corrective action, audit, measurement, monitoring.
The definition of risk still claims it can be either “positive or negative.” Then a new note says, “the word ‘risk’ is sometimes used when there is the possibility of only negative consequences.” So they can’t even be consistent. There are five notes on this definition, showing TC 176 really struggling with this whole “positive risk” insanity.
Still no definitions for “strategic direction” or “opportunity,” despite the terms being crucial for understanding the standard. “Opportunity” is 50% of the clause, and no one knows what it means. After nearly a decade!
4.0 Context of the Organization
Still presents sub-clauses in the wrong order. This is made worse by the Annex A guidance; see below.
4.1 Understanding the Organization and Its Context
Adds climate change language from the ISO 9001:2015 Amendment 2024.
4.2 Understanding the needs and expectations of interested parties
Adds climate change language from the ISO 9001:2015 Amendment 2024.
Minor language tweaks, no new requirements.
4.3 Determining the Scope of the Quality Management System
Minor language tweaks, no new requirements.
Still does not require that the scope statement include locations that fall under the QMS, despite this being a requirement for certification going back to the late 1980s. Still does not conclude that the scope statement is the expression of the organization’s “context“; the authors don’t understand how to interpret Annex SL for quality management.
4.4 Quality Management System and Its processes
Minor language tweaks, no new requirements. Did not clean this up, unfortunately. The process approach remains as confusing as ever. This isn’t rocket science, but ISO has had 25 years to get this right and can’t do it. The process approach is then dropped by Clause 5 and never really mentioned again, breaking PDCA.
5.0 Leadership
5.1 Leadership & Commitment
5.1.1 General
Adds requirements for top management to promote “quality culture and ethical behavior.” More unenforceable platitudes, keeping the clause largely useless and un-auditable. Adds a note that tries to explain this, but it’s weak.
Annex A later references ISO 10010 on Quality Culture, so expect that a lot of auditors will expect companies to implement that standard in order to comply with this clause. Product placement for another ISO standard.
5.1.2 Customer Focus
No changes. Still a largely useless clause, as it simply refers to content already addressed elsewhere.
5.2 Policy
No changes.
5.3 Organizational Roles, Responsibilities and Authorities
No changes.
6.0 Planning
6.1 Actions to address risks and opportunities
Strange; in this case, CD1 had improved the language and more clearly described the difference between risk and opportunity. That draft also broke up the clause into sub-clauses 6.1.1.1 for risks, and 6.1.1.2 for opportunities.
But, no, we can’t have nice things. CD2 undoes those edits and reverts the clause back to the original (confusing) language. The Annex A guidance then makes this much worse, saying, “opportunities are not risks,” after having said the opposite in clause 0. It’s a mess, and it’s clear that the entire risk thing has baffled TC 176 to the point of satire.
Still no requirement for procedure, process, records, root cause, or any legacy preventive action language, so this will remain a huge flaw in ISO 9001. TC 176 predictably ignored the world’s feedback on “risk-based thinking.”
6.2 Quality Objectives and Planning to Achieve Them
The addition of language that says objectives are to be measurable only “if practicable” comes from a terribly wrong edit made to Annex SL. Since BSI and those folks are slaves to the ISO Technical Management Board, they are refusing to fix this mistake, which will dramatically weaken all quality management systems. Obviously, objectives must be measurable in a QMS. This will push users into “management by slogans,” which Deming warned against.
This is an example of cowardly bureaucrats winning over actual subject matter experts.
TC 176 still does not close the loop on the process approach as the core of a QMS, and thinks process metrics and quality objectives are different things. They are not, but sure, let’s be unnecessarily redundant.
6.2.2 maintains the cringeworthy “who, what, where,…” language of Annex SL and ISO 9001:2015. Remains a blank clause, with no actual requirements. Still, no editors are stepping in to fix this glaring flaw.
6.3 Planning of changes
No changes.
7.0 Support
7.1 Resources
7.1.1 General
No changes.
7.1.2 People
No changes.
7.1.3 Infrastructure
No changes. Continues to put the requirements into the note, keeping the error from ISO 9001:2015.
7.1.4 Environment for the Operation of Processes
Continues to put the requirements into the note, keeping the error from ISO 9001:2015. Maintains the bonkers language on “social and psychological” factors such as “emotionally protective” workplace. Adds new suggestions to consider “technological” and “cultural” aspects. This is ten augmented by a section in the Annex on “emerging technologies.”
Side note: it is cringeworthy to watch how consultants are praising ISO for discussing “emerging technologies” as if this is somehow tied to a requirement. It’s not. The term is just used in passing, and there are actionable requirements here that a user of the standard has to do, so it’s all fluff.
None of use need ISO 9001 to tell us to be aware of emerging technologies. Imagine reading the 1987 version of the standard and seeing a clause in there that says, “hey, there’s this thing called the internet coming, you should pay attention to it.” Just silly. But low-information consultants are praising this, because they have no ability to think critically.
7.1.5 Monitoring and Measuring Resources
New paragraph added that requires validation of any software used for calibration. But a note suggests this is still under discussion and may yet get deleted. My gut tells me it will stay.
A new note was added to help define metrological traceability and push readers towards ISO 10012.
7.1.6 Organizational knowledge
No changes.
7.2 Competence
No changes.
7.3 Awareness
No changes.
7.4 Communication
No changes. Still unauditable, still doesn’t include customer communication (which instead appears in 8.2, out of place.)
7.5 Documented information
No changes. Continues to mix up “documents” and “records,” keeping the section confusing and rambling. A lot of people complained about this in the 2015 version, but TC 176 ignored them.
8.0 Operation
8.1 Operational planning and control
Maintains ISO 9001:2015’s errors of (a) not clearly explaining that the standard views “operational” and “organizational” processes differently, (b) not fixing the clause so that it can in any way be understood without a consultant.
Inexplicably, they made the “outsourced processes” thing worse, not better. Whereas ISO 9001:2015 referred readers over the 8.4, this draft removes that reference entirely. So now outsourced processes have no actual requirements to bite into. This will dramatically injure all quality systems, as there is no longer any language telling you what to do with an outsourced process.
This clause desperately needed guidance in Annex A, as it’s a complex clause that few understand. Annex A does not provide that guidance, however.
8.2 Requirements for Products and Services
8.2.1 Customer communication
Adds a cringeworthy note defining what “customer communication” is – really? Did we need that? – then namedrops terms like “web site content, Frequently Asked Questions” as if it was written during the AOL era. (I like how “web site” is two words, as if it was written in 1990.)
8.2.2 Determining the Requirements Related to Products and Services
No changes. Maintains bizarre language that this applies BEFORE a customer even exists (“products and services to be offered to customers…”) Still haven’t fixed that.
8.2.3 Review of Requirements Related to Products and Services
No changes. Still a mess (“to be offered…”) and largely repeats what was said in 8.2.2. Old 2000 language was better, but they still won’t restore it.
8.2.4 Changes to Requirements for Products and Services
No changes.
8.3 Design and Development of Products and Services
No changes. Maintains the jumbled nature of this clause from 2015, implying that design validation happens before you create design outputs, Again, the 2000 language was better, but they won’t restore it. Agile folks, you will still hate this.
The fact that this was not touched at all so far suggests that none of the TC 176 authors understand product design. The clause STILL does not discuss service design, despite it being in the title of the clause. This speaks to a gross lack of subject matter experts on the committee.
8.4 Control of Externally Provided Processes, Products and Services
No changes. This maintains the confusing repetition of requirements in 8.4.1 and 8.4.2. Also (again) this suggests no actual subject matter experts are working on this. TC 176 doesn’t know how supply chain management and procurement work.
Still doesn’t require that you communicate with suppliers in actual writing.
Outsourced processes still get no love.
8.5 Production and Service Provision
8.5.1 Control of Production and Service Provision
No changes.
8.5.2 Identification and Ttraceability
No changes.
8.5.3 Property Belonging to Customers or External Providers
No changes.
8.5.4 Preservation
No changes.
8.5.5 Post-delivery activities
No changes. This clause still doesn’t know what it wants to say.
8.5.6 Control of changes
No changes.
8.6 Release of Products and Services
No changes. Still maintains the horrid 2015 error or switching terms mid-standard.; see notes on 9.1.3 below. The clause is not about “release” (delivery) at all.
Oh, and still no actual delivery clause! So, per ISO 9001, product never needs to be shipped. Astonishing.
8.7 Control of Nonconforming Outputs
No changes, and we desperately needed fixes here.
9.0 Performance evaluation
9.1 Monitoring, Measurement, Analysis and Evaluation
9.1.1 General
No changes, remains nearly entirely useless. Never ties back to process approach, so breaks PDCA entirely.
9.1.2 Customer satisfaction
No changes.
9.1.3 Analysis and Evaluation
No changes. Again, never ties back to process approach, so breaks PDCA entirely. Treats “performance and effectiveness of the quality management system” as something totally apart from process approach.
Keeps “statistical techniques” as an afterthought note, ensuring problems for companies that use them.
Fails to alert the reader to the (idiotic) fact that now, in clause 9, TC 176 is using the term “monitoring and measurement” in an entirely different context. Now it is NOT about inspection testing, despite that being understood up until clause 8.7. So, for those keeping track at home:
Clauses 4 through 8.5: “monitoring and measuring” means inspection and testing.
Clause 8.6: now, inspection and testing are referred to as “planned arrangements” you do prior to “release.”
Clauses 9 & 10: “Monitoring and measurement” now means a more holistic (and literal) monitoring and measurement of data related to the QMS, and not inspection and testing.
Got it?
9.2 Internal Audit Programme
Weird: changes name of clause to add the word “programme” (per Annex SL update.) Then uses the word, but not consistently. Refers to auditing as a “process” then “programme” and then “process” again, all in one single sentence. No one is editing this.
Still no requirement or language about “process-based auditing,” so – again – PDCA and the process approach are abandoned by the time we get to clause 9.
There is a lot of audit-related language added to section 3 on definitions, though. Not much of it is good, though.
Odd how bad this is, since the TC 176 consultants love to write books about auditing, and they appear to have no clue how to do it.
9.3 Management Review
No changes. Maintains 2015’s errors of (a) failing to tie back to PDCA and process approach, (b) conflating “process performance” with “conformity of products and services” when the two are very, very different things.
10.0 Improvement
10.1 General
Still largely repeats what is later said in 10.3, making them effectively duplicates. Adds cringeworthy note namedropping terms like “incremental and breakthrough change,” “innovation and re-organization,” and “emerging technology.”
10.2 Nonconformity and Corrective Action
No changes; doesn’t fix the confusion between this clause and 8.7’s “nonconformities.” (This was because Hortensius and his Annex SL crew don’t understand the difference, never having worked outside a standards body.) Still doesn’t require a procedure; apparently, you can control your nonconformities through song or slam poetry.
10.3 Continual improvement
No changes. Still never ties back to processes or anything in clause 4 at all, so breaks the PDCA cycle one last time.
New Annex A
this draft removes the CD1’s dumb decision to put the entire 2016 book, ISO 9001:2015 for Small Enterprises -What to Do – Advice from TC 176, into the standard. In its place is a new Annex on guidance advice that only takes up ten pages.
The Annex comes with a caveat that it only provides guidance on clauses the authors think “may need clarification and/or guidance for use.” So they don’t go through all of the clauses, but cherry-pick the ones they had some information on. As a result, major clause — which desperately need guidance — go unclarified. I suspect this is because the TC 176 folks have no idea what they mean, so are not prepared to actually defend them.
The only clauses covered are:
- 4.0 Context of the Organization. The advice given here makes COTO more confusing, not less.
- 5.1.1 (c) on quality culture and ethical behavior. This tries to explain why they added this entirely non-auditable thing. OK, buddeh.
- 6.0 Planning. This advice gives yet more discussion on risk-based thinking, and contradicts the actual requirements text. Introduces a new concept called “opportunity-based thinking,” which is just as ridiculous as it sounds. Since this doesn’t show up in the actual requirements portion, it is just one of the authors of TC 176 rambling incoherently.
- 7.1.3 Infrastructure. Reiterates that you have to decide what types of infrastructure apply to your organization.
- 7.1.6 Organizational Knowledge. Not much here, just paraphrases the actual requirement. Adds hilariously-cringe namedrop of “blockchain” and “machine learning,” because someone at TC 176 overhead someone say these things. Wait: ISO is all about climate change, and then wants you to use blockchain, something that burns up tremendous amounts of fossil fuels. They also mention “intellectual property,” as if that is something new in the 21st century. Shudder.
- 8.4 Control of External Providers. Just paraphrases the requirements using a larger amount of text. Still requires you “communicate” your requirements to suppliers, but never even suggests you actually write it down (as in a purchase order.) You can still communicate all your orders verbally, and ISO 9001 is okay with that.
- Emerging Technologies. A bit applicable to a few clauses, allowing TC 176 to sound hip. Again, low-information consultants are loving this, but if it doesn’t translate into any actual, actionable requirements, who cares? It’s just there to pad the page count and increase the cover price of ISO 9001.
Remaining Bits
CD2 removes a massive table of “other standards,” which really looked like desperate product placement. Now the standard ends with a Bibliography, and nothing else.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world