The wholesale destruction of a once venerable quality management standard continues as the authors of the next edition of ISO 9001 insert more personal opinions and made-up nonsense rather than actual industry-proven best practices. Continuing to adhere to the increasingly unhinged Annex SL Harmonized Structure isn’t helping, either.
How We Got Here
If you have been following along, the development of the next edition of ISO 9001 has been a disaster. ISO had to ignore multiple official votes from member nations telling it not to update ISO 9001. Then, it purged long-standing ISO contributors who pushed back on ISO’s greed. It shoved in a climate change amendment without formal voting or following any normal publication rules. Next, it wrested control of the drafting from much of TC 176 and handed it over to BSI, and rumors of a plot to create an AI-driven ISO 9001 implementation tool pissed off the consultants, who promptly quit. When the TC finally started putting pen to paper, things got much worse, and ISO had to push their intended release date into 2026. (It was originally intended to be released in 2022.)
The first attempt at a “Committee Draft” (CD1) was met with widespread ridicule, forcing TC 176 to go back to the drawing board. The resulting “CD2” was no better, so it underwent multiple rewrites. We are now up to the fourth draft of CD2, which is likely the “Final Draft” of the CD stage. This will go up for formal voting within TC 176 in a month or so, with the next step being the conversion of the CD2 to a Draft International Standard, or DIS version. We can expect a few changes between CD2 and DIS, but not many.
ISO has tightly limited who can participate in TC 176 these days, so the remaining folks are loyal toadies to the ISO HQ and BSI. Critics still exist, but they have been nearly entirely neutered. As a result, what you are about to read will likely represent the final ISO 9001:2026 standard even if there is widespread public outrage over it.
I remain in complete disbelief that they will get this done by 2026. All signs point to this being published in 2027, unless ISO skips crucial steps. (They could skip the DIS entirely and put the CD2 out as a Final DIS, which would be a controversial move. But given the controversies ISO has allowed so far, I wouldn’t be surprised.)
As usual, I won’t publish the CD2 nor send it to anyone, so don’t ask. But you may not have to wait long. It appears that ISO itself may have bungled something on its end and leaked this one online itself, so I am sure someone will have captured it and uploaded it somewhere. I haven’t seen it in the wild yet, though.
Short Takes
As with the prior CDs, today’s ISO 9001 authors have no practical or contemporary QMS experience. The few that have any experience have been consultants for so long — as in many decades — their knowledge pre-dates things like ERP systems or even the internet. It shows.
Worse still, ISO continues to forget what standards are supposed to do. Standards are supposed to take already-proven best practices — things that have already been tested in the industry and proven as good — and then put them down on paper. With ISO 9001:2015, the committee was overrun by consultants who wanted to sell books and seminars, so the standard began injecting made-up nonsense that did not actually exist. “Risk-based thinking” was made up from thin air to sell the services of the consultants who invented it. It never existed before ISO 9001:2015.
TC 176 may have purged the ranks of contributors, but the ones left are still all private consultants. From what I can tell, there are no actual user organizations on the committee at all. So, the committee is left to lean into their worst instincts rather than reverse course. Now, in a cringe-inducing bit of insanity, they have invented “opportunity-based thinking” — another thing that no one ever heard of because they just made it up sometime in 2024.
But they aren’t done! Instead of fixing the confusion over “documented information” and whether it refers to records or documents, they made it worse! This version of the standard makes the distinction entirely unintelligible.
Despite all these delays and tinkering, clause 8 remains untouched. This (again) proves that the TC 176 participants have not been on a shop floor in decades, and have no idea how a QMS actually operates. They are arguing over things that have very little practical impact while ignoring where and how work is performed. All the current problems and mistakes from ISO 9001:2015 will remain intact.
As a result, TC 176 has once again done very little actual work here. The bulk of the changes were driven by updates to the Annex SL “Harmonized Structure,” written by the Technical Management Board and not by TC 176 at all.
Instead, the authors spend a lot of time consulting, because private consultants just cannot help themselves. You would have never seen this in standards like MIL-Q-9858 or NATO AQAP-1. Now, however, the authors can dump whatever distraction, opinion, or random thought they want into the standard’s Annex. And they do. A lot.
0.1 Introduction
A complete re-write of the bit on “risk-based thinking”; ISO appears to have taken my advice and stopped pretending RBT was part of the process approach. This section frustratingly continues the nearly-criminal insistence that RBT = preventive action. Anyone who has worked five minutes in a real QMS knows this is untrue. The new paragraph also conflates risks and opportunities; a new paragraph tries to explain “opportunities,” but it’s still called “risk-based thinking,” so it implies that opportunities are some form of risk. Keep this in mind because it comes up again later in Annex A.
Despite inventing “opportunity-based thinking” this time around, it’s worth noting that no one added this to clause 0.1. So one hand doesn’t know what the other is doing.
Thankfully, the user’s “Bill of Rights” remains untouched. This is the paragraph that starts with “it is not the intent of this document...” and it is an invaluable tool for users who are harassed by uninformed auditors.
0.2 Quality Management Principles
No changes.
0.3 Quality Management Principles
No changes from ISO 9001:2015.
0.4 Process Approach
Moves text around. Risk-based thinking is no longer presented as a subset of the process approach. In fact, it’s kicked out of clause zero entirely. But the text just a page before it, in 0.1, insists risk-based thinking is a part of the process approach. So, the edits to 0.4 should have triggered corresponding edits to 0.1, but did not. The two sections contradict each other. Once again, nobody is editing this thing.
1.0 Scope
No changes.
2.0 Normative references
No changes; still only references ISO 9000.
3.0 Terms and Definitions
Now adds definitions and expands on what was in previous CD drafts. This section is growing, not shrinking. Now adds definitions for the following terms:
- organization
- interested party (stakeholder)
- top management
- management system
- quality management system
- policy
- quality policy
- objective
- risk (adds contradictory notes showing the authors fighting amongst themselves. One note says risk is both positive and negative, while another note says it is only negative.)
- process (adds a note defining “special process”)
- competence
- documented information
- performance
- continual improvement
- effectiveness
- requirement
- conformity
- nonconformity
- corrective action (references “preventive action” but never defines the term)
- audit
- measurement
- monitoring (the definition here says this is relevant to activities, but then a note suggests this is relevant to products [“objects”])
Still no definitions for “strategic direction” or “opportunity,” despite the terms being crucial for understanding the standard. “Opportunity” is 50% of the clause, and no one knows what it means.
While many of the definitions are taken from ISO 9000, they are still very, very bad. ISO 9000 needed to be updated, but wasn’t. So, now we have bad definitions appearing in two documents.
It is likely this section will get cut, though. ISO is cannibalizing its own products here; no one will buy ISO 9000 if the definitions appear in ISO 9001. Sales are going to drop.
4.0 Context of the Organization
Still presents sub-clauses in the wrong order. This is made worse by the Annex A guidance; see below.
4.1 Understanding the Organization and Its Context
Adds climate change language from the ISO 9001:2015 Amendment 2024. No other changes.
Doesn’t fix the problem that the subclause title refers to “context,” but then the clause text only talks about “issues.” Notes still don’t connect those two dots. Major flaws from ISO 9001:2015 remain uncorrected here.
4.2 Understanding the needs and expectations of interested parties
Adds climate change language from the ISO 9001:2015 Amendment 2024.
Adds a clarifying statement saying that the organization will determine “which of these requirements will be addressed through the quality management system,” allowing you to keep many needs and expectations outside of the QMS.
Doesn’t fix the problem that the subclause title uses the words “needs and expectations” while the actual text refers to “requirements.” Which is it?
4.3 Determining the Scope of the Quality Management System
Minor language tweaks, no new requirements.
Still does not require that the scope statement include locations that fall under the QMS, despite this being a requirement for certification going back to the late 1980s. Still does not conclude that the scope statement is the expression of the organization’s “context”; the authors don’t understand how to interpret Annex SL for quality management.
4.4 Quality Management System
New clause name, drops the reference to the QMS “processes.” Weird choice for the clause about the process approach. That change will cause confusion and further minimizes the importance of the process approach. Another bit of tinkering that has no real purpose.
Minor language tweaks, no new requirements.
ISO did not clean this up, unfortunately, and the process approach remains as confusing as ever. This isn’t rocket science, but ISO has had 25 years to get this right and can’t do it.
The bullet list for process controls should be presented in the PDCA order, and still isn’t. They still don’t tie in process metrics with quality objectives, something practitioners have been doing since literally the 1980s, but ISO 9001 has not kept up.
The process approach is then dropped by Clause 5 and never really mentioned again, breaking PDCA.
5.0 Leadership
5.1 Leadership & Commitment
5.1.1 General
Adds requirements for top management to promote “quality culture and ethical behavior.” More unenforceable platitudes, keeping the clause largely useless and un-auditable. Adds a really weak note: “The organization’s culture and ethics can be demonstrated through shared values, beliefs, history, attitudes and observed behaviours.”
Annex A later references ISO 10010 on Quality Culture, so expect that a lot of auditors will expect companies to implement that standard in order to comply with this clause. Product placement for another ISO standard.
5.1.2 Customer Focus
No changes. Still a largely useless clause, as it simply refers to content already addressed elsewhere in the standard. Impossible to audit.
5.2 Quality Policy
Clause title now invokes “Quality” Policy by name. Takes out the titles for the sub-clauses, but otherwise there are no changes.
5.3 Organizational Roles, Responsibilities and Authorities
Minor re-phrasing per Annex SL updates, but no changes.
6.0 Planning
6.1 Actions to address risks and opportunities
Goes back to the proposed text from the first CD1 draft, resulting in draft ping pong. It’s now broken into three subclauses. These will be controversial, as ISO 9001 is now taking a firm position that risk and opportunities are opposites. (They say this overtly in the Annex.) Still no requirement for procedures, processes, records, root cause, or any legacy preventive action language, so this will remain a huge flaw in ISO 9001.
ISO 9001 will remain a reactive standard, rather than a proactive one. Risk-based thinking and opportunity-based thinking are weak tea compared to the classic preventive action requirements of ISO 9001:2000.
6.1.1 General
Just keeps language from current standard.
6.1.2 Actions to Address Risks
Keeps much of the language from the current standard, but defines risk as things “that can have an undesirable effect on its ability to continually and consistently provide conforming products and services.” This means that there are two definitions of risk in the same standard!
6.1.3 Actions to Address Opportunities
Entirely new subclause, and finally attempts to define “opportunity” as things “that can have a desirable effect on its ability to continually and consistently provide conforming products and services.” Positions opportunities as opposite to risk. Otherwise just a copy-and-paste of the risk paragraph above, with the only difference being the word “desirable” instead of “undesirable.” Adds unnecessary padding to standard.
6.2 Quality Objectives and Planning to Achieve Them
The addition of language that says objectives are to be measurable only “if practicable” comes from a terribly wrong change made to Annex SL. Since BSI and those folks are slaves to the ISO Technical Management Board, they are refusing to fix this mistake, which will dramatically weaken all quality management systems. Obviously, objectives must be measurable in a QMS. This will push users into “management by slogans,” which Deming warned against.
Bullet list is re-ordered and adds new bullet requiring objectives be documented.
TC 176 still does not close the loop on the process approach as the core of a QMS, and thinks process metrics and quality objectives are different things. They are not, but sure, let’s be unnecessarily redundant.
6.2.2 maintains the cringeworthy “who, what, where,…” language of Annex SL and ISO 9001:2015. Remains a blank clause, with no actual requirements. ISO still has no editors stepping in to fix this glaring flaw.
6.3 Planning of changes
No changes.
7.0 Support
7.1 Resources
7.1.1 General
No changes.
7.1.2 People
Minor re-phrasing per Annex SL updates, but no changes.
7.1.3 Infrastructure
No changes. Continues to put the requirements into the note, keeping the error from ISO 9001:2015.
7.1.4 Environment for the Operation of Processes
Continues to put the requirements into the note, keeping the error from ISO 9001:2015. Maintains the bonkers language on “social and psychological” factors such as “emotionally protective” workplace. Adds new suggestions to consider “technological” and “cultural” aspects. This is then augmented by a section in the Annex on “emerging technologies.”
The term “emerging technologies” is just used in passing, and there are no actionable requirements here that a user of the standard has to do, so it’s all fluff. Consultants are going to make a big deal of this, though, even though it says nothing.
7.1.5 Monitoring and Measuring Resources
No changes. Some proposed edits from the prior draft were, as predicted, removed. This now matches ISO 9001:2015 identically. The problem here is that clause 7.1.5.1 only requires a list of all measurement devices as “evidence of fitness for purposes.” 7.1.5.1 isn’t about calibration. In the actual calibration clause (7.1.5.2) there is no such record requirement, so ISO 9001 still doesn’t actually require a calibration registry!
And the clause’s content contradicts the attempts to define “monitoring” and “measuring” at the front of the standard. They can’t even remain consistent from one section to another.
7.1.6 Organizational knowledge
No changes.
7.2 Competence
Minor re-phrasing per Annex SL updates, but no changes.
7.3 Awareness
Minor re-phrasing per Annex SL updates, but no changes.
7.4 Communication
Minor re-phrasing per Annex SL updates, but no changes. Still unauditable, still doesn’t include customer communication (which instead appears in 8.2, out of place.)
7.5 Documented information
Minor re-phrasing per Annex SL updates, but no changes.
Continues to mix up “documents” and “records,” keeping the section confusing and rambling. A lot of people complained about this in the 2015 version, but TC 176 made it much, much worse this time. By slavishly adhering to the TMB’s Annex SL text changes, ISO now had to add the following clarification to the new Annex A:
First, the phrase “shall be available as documented information” replaces “maintain documented information” which previously referred to documentation other than records. Second, “documented information shall be available as evidence of” replaces “retain documented information as evidence of” which previously referred to records.
They made it worse, not better!
8.0 Operation
8.1 Operational planning and control
Maintains ISO 9001:2015’s errors of (a) not clearly explaining that the standard views “operational” and “organizational” processes differently, (b) not fixing the clause so that it can in any way be understood without a consultant.
Inexplicably, they made the “outsourced processes” thing worse, not better. Whereas ISO 9001:2015 referred readers over to 8.4, this draft removes that reference entirely. So now outsourced processes have no actual requirements to bite into. This will dramatically injure all quality systems, as there is no longer any language telling you what to do with an outsourced process.
This clause desperately needed guidance in Annex A, as it’s a complex clause that few understand. Annex A does not provide that guidance, however.
8.2 Requirements for Products and Services
8.2.1 Customer Communication
Adds a cringeworthy note defining what “customer communication” is – really? Did we need that? – then namedrops terms like “web site content, Frequently Asked Questions” as if it was written during the AOL era. (I like how “web site” is two words, as if it was written in 1990.)
This paragraph still doesn’t belong here, and should have been moved to 7.4.
8.2.2 Determining the Requirements Related to Products and Services
No changes. Maintains bizarre language that this applies BEFORE a customer even exists (“products and services to be offered to customers…”) Still haven’t fixed that.
8.2.3 Review of Requirements Related to Products and Services
No changes. Still a mess (“to be offered…”) and largely repeats what was said in 8.2.2. Old 2000 language was better, but they still won’t restore it.
8.2.4 Changes to Requirements for Products and Services
No changes.
8.3 Design and Development of Products and Services
No changes. Maintains the jumbled nature of this clause from 2015, implying that design validation happens before you create design outputs. Again, the 2000 language was better, but they won’t restore it. Agile folks, you will still hate this.
The clause STILL does not discuss service design, despite it being in the title of the clause. This speaks to a gross lack of subject matter experts on the committee.
8.4 Control of Externally Provided Processes, Products and Services
No changes. This maintains the confusing repetition of requirements in 8.4.1 and 8.4.2. Also (again) this suggests no actual subject matter experts are working on this. TC 176 doesn’t know how supply chain management and procurement work.
Still does not require that you communicate with suppliers in actual writing. Verbal orders to supply chain are OK, per ISO.
Outsourced processes still get no love.
8.5 Production and Service Provision
8.5.1 Control of Production and Service Provision
No changes.
8.5.2 Identification and Traceability
No changes.
8.5.3 Property Belonging to Customers or External Providers
No changes.
8.5.4 Preservation
No changes.
8.5.5 Post-Delivery Activities
No changes. This clause still doesn’t know what it wants to say.
8.5.6 Control of changes
No changes.
8.6 Release of Products and Services
No changes. Still maintains the horrid 2015 error of switching terms mid-standard; see notes on 9.1.3 below. The clause is not about “release” (delivery) at all.
Oh, and still no actual delivery clause! So, per ISO 9001, product never needs to be shipped. Astonishing.
8.7 Control of Nonconforming Outputs
No changes, and we desperately needed fixes here.
9.0 Performance Evaluation
9.1 Monitoring, Measurement, Analysis and Evaluation
9.1.1 General
No changes, remains nearly entirely useless. Never ties back to process approach, so breaks PDCA entirely.
9.1.2 Customer satisfaction
No changes.
9.1.3 Analysis and Evaluation
No changes. Again, never ties back to process approach, so breaks PDCA entirely. Treats “performance and effectiveness of the quality management system” as something totally apart from process approach. That’s not how it works, and hasn’t been true since the 1970s, at least.
Keeps “statistical techniques” as an afterthought note, ensuring problems for companies that use them.
Fails to alert the reader to the (idiotic) fact that now, in clause 9, TC 176 is using the term “monitoring and measurement” in an entirely different context. Now it is NOT about inspection testing, despite that being understood up until clause 8.7. So, for those keeping track at home:
Clauses 4 through 8.5: “monitoring and measuring” means inspection and testing.
Clause 8.6: now, inspection and testing are referred to as “planned arrangements” you do prior to “release.”
Clauses 9 & 10: “Monitoring and measurement” now means a more holistic (and literal) monitoring and measurement of data related to the QMS, and not inspection and testing.
Got it?
9.2 Internal Audit Programme
Weird: changes name of clause to add the word “programme” (per Annex SL update.) Then uses the word, but not consistently. Within the section, it bounces around by referring to auditing as both a “process” and a “program.”
Still no requirement or language about “process-based auditing,” so – again – PDCA and the process approach are abandoned by the time we get to clause 9.
There is a lot of audit-related language added to section 3 on definitions, though. Not much of it is good, though.
It’s odd how bad this is, since the TC 176 consultants love to write books about auditing, and they appear to have no clue how to do it. I mean, Sam Somerville is supposed to be an auditing expert, but she doesn’t know how to audit?
9.3 Management Review
No changes. Maintains 2015’s errors of: (a) failing to tie back to PDCA and process approach and (b) conflating “process performance” with “conformity of products and services” when the two are very, very different things.
10.0 Improvement
10.1 General
Still largely repeats what is later said in 10.3, making them effectively duplicates. Adds cringeworthy note namedropping terms like “incremental and breakthrough change,” “innovation and re-organization,” and “emerging technology.”
10.2 Nonconformity and Corrective Action
No changes; doesn’t fix the confusion between this clause and 8.7’s “nonconformities.” (This was because Hortensius and his Annex SL crew don’t understand the difference, never having worked outside a standards body.) Still doesn’t require a procedure; apparently, you can control your nonconformities through song or slam poetry.
10.3 Continual improvement
No changes. Still never ties back to processes or anything in clause 4 at all, so breaks the PDCA cycle one last time.
New Annex A
This draft largely keeps intact the guidance text from the prior CD2 drafts and does not add an entire book as proposed by CD1. But the content will be very controversial, and it’s telling that ISO knows the standard itself is so bad that it requires the addition of over twenty full pages to decipher what they wrote. But this will pad the page count, and thus make the cover price of ISO 9001:2026 much higher… which means more money for the ISO home office.
This has Sam Somerville written all over it. I don’t know if she wrote it, but as the new head of TC 176 Subcommittee 2, she has definitely leaned into her worst consulting instincts and allowed this garbage to be inserted. It has no place in a requirements document. Put it in ISO 9004 if you want, but keep your opinions to yourself in 9001! Somerville is the new Nigel Croft, using her role at BSI and ISO to promote her private consulting work. Shameful.
(I think there’s a reason her private consultancy is called “Jigsaw Quality Management.”)
What is so astonishing about Annex A is that the content ends up making things so much more confusing. This stuff only makes sense in the fever-dream of the authors themselves, and will be loathed by everyone else. It’s just terrible.
The Annex also continues ISO’s new greed-driven approach by referencing multiple other standards in the hopes that you will buy them, too. This got out of hand with the new ISO 42001 standard on AI Management Systems, but TC 176 did not want to be outdone here. So, Annex A references a ton of other standards. Get out your credit card!
The Annex comes with a caveat that it only provides guidance on clauses the authors think “may need clarification and/or guidance for use.” So they don’t go through all of the clauses, but cherry-pick the ones they had some information on. As a result, major clauses — which desperately need guidance — go unclarified. I suspect this is because the TC 176 folks have no idea what they mean, so are not prepared to actually defend them.
The guidance defines terms used in the standard like “applicable” vs. “appropriate,” for the policy wonks.
The clauses covered are:
4.0 Context of the Organization.
The advice given here makes COTO more confusing, not less. The authors have no idea what they are trying to communicate with COTO.
5.0 Leadership.
Tries to clarify Quality Policy and Roles, Responsibilities and Authorities, but largely just re-phrases the requirements. Clause remains un-auditable.
6.0 Planning.
This one is just mind-bogglingly bad.
First, it starts with discussing risk-based thinking and triples down on the lie that “the concept of risk-based thinking has been implicit in previous editions of” ISO 9001. Again, that is a lie, and if you go back and read the 2008 or 2000 versions, you will see they say the standards explicitly exclude risk.
The authors then invent a new form of bullshit called “opportunity-based thinking,” which is just as ridiculous as it sounds. This is so cringe-inducing, it is shameful. It overtly positions opportunities as the opposite of risk, thus setting a war between ISO 9001 and ISO 37001. It says (emphasis added by me):
Identifying and managing risks and opportunities are separate processes. Risks are not opportunities. Opportunities result from assessment of the internal and external context including interested parties’ needs and expectations, the organization’s capability, capacity and competence to leverage its strengths and weaknesses, as well as the results of various monitoring activities and key performance indicators.
Crazy!
7.1.3 Infrastructure
Reiterates that you have to decide what types of infrastructure apply to your organization.
7.1.5 Monitoring and Measuring Resources
Adds references to three supporting ISO standards (ISO 10009, 10012 and 10017) as a form of product placement.
7.1.6 Organizational Knowledge
Not much here, just paraphrases the actual requirement. Adds hilariously-cringe namedrop of “blockchain” and “machine learning” because someone at TC 176 overheard someone else say these things. ISO is all about climate change but then wants you to use blockchain, which burns up tremendous amounts of fossil fuels. They also mention “intellectual property,” as if that is something new in the 21st century. Shudder.
7.2 Competence
Nothing except a reference to ISO 19011 relevant to “auditor competence.” That will allow TC 176’ers to sell a lot of auditor training classes.
7.3 Awareness
It just restates the requirements but in a lot more words.
7.4 Communication
Adds cringeworthy text like communication should allow people to “build trust amongst each other.”
7.5 Documented Information
Name-drops ISO 10013.
8.3 Design
Just name-drops ISO 10007 on configuration management. This won’t make any sense since the concept is not mentioned anywhere in the actual requirements section.
8.4 Control of External Providers
Just paraphrases the requirements using a larger amount of text. Still requires you to “communicate” your requirements to suppliers, but never even suggests you actually write it down (as in a purchase order.) No one on TC 176 has ever heard of a purchase order or contract, I guess.
Name drops ISO 37500 on outsourcing.
10.1 Continual Improvement
Adds some text on “emerging technologies” to shut up the people clamoring for it. A bit applicable to a few clauses, allowing TC 176 to sound hip. Again, low-information consultants are loving this, but if it doesn’t translate into any actual, actionable requirements, who cares?
Bibliography
Now includes a massive list of 39 additional ISO standards supporting ISO 9001. You will go broke if you buy all of these.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world