I obtained a copy of the pre-publication version of the ISO 9001:2025 Draft International Standard (DIS). The DIS is now with ISO’s editors for final editing, and official publication is now expected to be sometime in August or September of 2025. (I had reported earlier that it would be released by now, but ISO elected to have a full editing scrub on the document since it will be sold for actual money.) The only changes expected between the copy I have and the published DIS will be editorial in nature.
The manuscript I have is over 50 pages and will likely come in at around 55 – 60 pages when published as a final PDF. This will increase the cover price over what ISO is currently charging for ISO 9001:2015. This is entirely due to the addition of (potentially controversial) guidance materials within a new Annex, a huge bibliography (ISO wants to upsell) and bloated front matter.
(For my review of Annex A, click here.)
Big takeaways:
- The bulk of changes are to non-requirements text, in the front matter and the Annex. Very few changes to actual requirements.
- All mistakes in 2015 version remain uncorrected. Some are made worse.
- No new language on sustainability, cybersecurity, AI, etc., despite false claims made by consultants and CBs for months now.
- As expected, TC 176 left clause 8 largely untouched, but then added a significant amount of text to the Annex to discuss it. None of it helpful.
- PDCA is still broken. Clause 10 never loops back to clause 4.
- The auditing clause is crippled by the removal of a paragraph on the purpose of internal audits; this will cause chaos when CBs audit client’s internal audit programs.
Let’s take a look at what is in this document and, more importantly, what isn’t.
Changes to Clauses
0.0 Introduction
Rewrite of the section on the “process approach,” with a new graphic that illustrates a typical process’s inputs and outputs, but which stops short of being a full Turtle Diagram. Despite 25 years of attempts, ISO still fails in defining the process approach in a way that will be easily understood by all, and is still treating this like rocket science. The new graphic is useful, but the surrounding text is worse than what we had in 2000.
Stunningly, the entire section on risk-based thinking is removed. I am as shocked as you are. Instead, RBT is now solely discussed in the guidance materials appearing in the Annex.
Thankfully, the user’s “Bill of Rights” remains untouched. This is the paragraph that starts with “it is not the intent of this document…” and it is an invaluable tool for users who are harassed by uninformed auditors.
1.0 Scope
Very minor rewording, no changes
2.0 Normative references
References ISO/CD 9000 (still being drafted).
3.0 Terms and Definitions
References ISO/CD 9000 (again) and points to the ISO/IEC “Electropedia” website for more definitions. Yes, “Electropedia” sounds like something Jeffrey Epstein got arrested for.
Now adds definitions for: organization, interested party (stakeholder), top management, management system, quality management system, policy, quality policy, objective, quality objective, risk, process, competence, documented information, performance, continual improvement, nonconformity, corrective action, audit, measurement, monitoring.
The definition of risk still claims it can be either “positive or negative.” Then a new note says, “the word ‘risk’ is sometimes used when there is the possibility of only negative consequences.” So they can’t even be consistent. There are five notes on this definition, showing TC 176 really struggling with this whole “positive risk” insanity.
Still no definitions for “strategic direction” or “opportunity,” despite the terms being crucial for understanding the standard. “Opportunity” is 50% of the clause, and no one knows what it means. After nearly a decade!
The definitions of “monitoring” and “measurement” don’t accurately reflect the words as they are used within the context of the standard itself, and this remains a problem. In this draft, “monitoring and measuring” refers to inspection and testing until clause 8.6; at 8.6, the term “planned arrangements” is swapped in to replace “monitoring and measuring,” and by clause 9, “monitoring and measuring” takes on an entirely different meaning. It’s a mess.
4.0 Context of the Organization
Still presents sub-clauses in the wrong order.
Embeds the 2024 amendment language about climate change, but no other additions.
4.1 Understanding the Organization and Its Context
Embeds the 2024 amendment language about climate change, but no other additions.
4.2 Understanding the needs and expectations of interested parties
Adds climate change language from the ISO 9001:2015 Amendment 2024.
Minor language tweaks, no new requirements.
4.3 Determining the Scope of the Quality Management System
Minor language tweaks, no new requirements.
Still does not require that the scope statement include locations that fall under the QMS, despite this being a requirement for certification going back to the late 1980s. Still does not conclude that the scope statement is the expression of the organization’s “context“; the authors don’t understand how to interpret Annex SL for quality management.
4.4 Quality Management System
Minor language tweaks, no new requirements. Despite the change to the clause name, this is the “process approach” clause.
5.0 Leadership
5.1 Leadership & Commitment
5.1.1 General
Adds requirements for top management to promote “quality culture and ethical behavior.” More unenforceable platitudes, keeping the clause largely useless and un-auditable. Adds a note that tries to explain this, but it’s weak.
5.1.2 Customer Focus
No changes. Still a largely useless clause, as it simply refers to content already addressed elsewhere.
5.2 Policy
Adds new requirement that the Quality Policy “takes into account the context of the organization and supports its strategic direction.” Likely language mandated by the Annex SL update. The standard still never defines what a “strategic direction” is or actually requires a company to have one.
5.3 Organizational Roles, Responsibilities and Authorities
Adds new requirement to assign someone the responsibility to report “on opportunities for improvement to top management.”
6.0 Planning
6.1 Actions to address risks and opportunities
TC 176 clearly spent — or some may say wasted — time on this one. Each CD has had different language here, and the DIS takes another shot at it. The sub-clauses are divided as follows:
6.1.1 Determining Risks and Opportunities: largely the same language as 2015.
6.1.2 Actions to Address Risks: largely the same language as 2015.
6.1.3 Actions to Address Opportunities: new language that (cringingly) takes the exact same text from 6.1.2 and swaps in the word “opportunity” for “risk.” Again, TC 176 is pretending to do stuff by copying-and-pasting. They made clause 6.1 larger but without adding any new words.
Still no requirement for procedure, process, records, root cause, or any legacy preventive action language, so this will remain a huge flaw in ISO 9001. TC 176 predictably ignored the world’s feedback on “risk-based thinking.” Worse, the Annex now leans into the astonishingly insipid new branding of “opportunity-based thinking.” Look no further for evidence that TC 176 is populated to utter morons.
6.2 Quality Objectives and Planning to Achieve Them
ISO was humiliated by Oxebridge and others for toying with the idea of adding language that says objectives are to be measurable only “if practicable.” That humiliation worked, and ISO backtracked. Now, objectives (once again) must be measurable.
6.2.1 only re-orders the bulleted list; no new requirements as compared to 2015.
TC 176 still does not close the loop on the process approach as the core of a QMS, and thinks process metrics and quality objectives are different things. They are not, but sure, let’s be unnecessarily redundant.
6.2.2 maintains the cringeworthy “who, what, where,…” language of Annex SL and ISO 9001:2015. Remains a blank clause, with no actual requirements. Still, no editors are stepping in to fix this glaring flaw.
6.3 Planning of changes
Minor rewording and re-ordering of the prior requirements here, but without a mandate that anything be documented or recorded, the clause is largely useless.
7.0 Support
7.1 Resources
7.1.1 General
No changes.
7.1.2 People
No changes.
7.1.3 Infrastructure
No changes. Continues to put the requirements into the note, keeping the error from ISO 9001:2015. Hey, ISO editors: you cannot have requirements in notes. I put that in boldface red font so you can read it more easily.
7.1.4 Environment for the Operation of Processes
Continues to put the requirements into the note, keeping the error from ISO 9001:2015. Hey, ISO editors: you cannot have requirements in notes.
Maintains the bonkers language on “social and psychological” factors such as “emotionally protective” workplace.
The language from prior CD versions, including references to consider “technological” and “cultural” aspects, was removed.
A final sentence is included in the requirements section that says, “Some factors are dependent on the organizational quality culture, including ethical behaviour.” Let’s do this again: Hey, ISO editors: you cannot have requirements in notes.
7.1.5 Monitoring and Measuring Resources
No changes. All revisions from CD2 were removed.
The standard still bafflingly requires a record of all monitoring and measuring resources, but then fails to provide a record for calibrated devices. So there’s still no requirement for records of calibration. Everyone misinterprets this, and ISO isn’t fixing it.
7.1.6 Organizational knowledge
No changes.
7.2 Competence
No changes.
7.3 Awareness
Adds requirement to ensure employees are aware of “quality culture and ethical behaviour.”
7.4 Communication
No changes. Still unauditable, still doesn’t include customer communication (which instead appears in 8.2, out of place). Maintains cringeworthy “who, what, where, when” approach as if written by a thirteen-year-old.
7.5 Documented information
No changes. Continues to mix up “documents” and “records,” keeping the section confusing and rambling. A lot of people complained about this in the 2015 version, but TC 176 ignored them.
The Annex guidance on this clause goes full-on meth-head batshit crazy. Now it has the following decoding language:
– If the standard says “shall be available as documented information” = requirement for documentation.
– If the standard says “documented information shall be available as evidence of” = requirement for a record.
Because that is easier than just using the words “document” or “record” in the actual text.
Got it? No? Want more meth?
8.0 Operation
8.1 Operational planning and control
Maintains ISO 9001:2015’s errors of (a) not clearly explaining that the standard views “operational” and “organizational” processes differently, (b) not fixing the clause so that it can in any way be understood without a consultant.
Still doesn’t fully discuss outsourced processes, since the TC 176 authors don’t really know what they are.
8.2 Requirements for Products and Services
8.2.1 Customer communication
No changes, but clarifies what ISO 9001:2015 meant by “contingency actions,” adding language that says these include “disruptions in the products or services provided.” Not great, but better than 2015.
Adds a cringeworthy note defining what “customer communication” is – really? Did we need that? – then namedrops terms like “web site content, Frequently Asked Questions” as if it was written during the AOL era. (I like how “web site” is two words, as if it was written in 1990.)
8.2.2 Determining the Requirements Related to Products and Services
No changes. Maintains bizarre language that this applies BEFORE a customer even exists (“products and services to be offered to customers…”) Still haven’t fixed that.
8.2.3 Review of Requirements Related to Products and Services
No changes. Still a mess (“to be offered…”) and largely repeats what was said in 8.2.2. Old 2000 language was better, but they still won’t restore it.
8.2.4 Changes to Requirements for Products and Services
No changes.
8.3 Design and Development of Products and Services
No changes. Maintains the jumbled nature of this clause from 2015, implying that design validation happens before you create design outputs, Again, the 2000 language was better, but they won’t restore it. Agile folks, you will still hate this.
The fact that this was not touched at all so far suggests that none of the TC 176 authors understand product design. The clause STILL does not discuss service design, despite it being in the title of the clause. This highlights a significant lack of subject matter expertise on the committee.
8.4 Control of Externally Provided Processes, Products and Services
No changes. This maintains the confusing repetition of requirements in 8.4.1 and 8.4.2. Also (again) this suggests no actual subject matter experts are working on this. TC 176 doesn’t know how supply chain management and procurement work.
Still doesn’t require that you communicate with suppliers in actual writing.
Outsourced processes still get no love.
8.5 Production and Service Provision
8.5.1 Control of Production and Service Provision
No changes.
8.5.2 Identification and Traceability
No changes.
8.5.3 Property Belonging to Customers or External Providers
No changes. Still puts the requirements in the notes, so:
Hey, ISO editors: you cannot have requirements in notes.
8.5.4 Preservation
No changes. Still puts the requirements in the notes, so:
Hey, ISO editors: you cannot have requirements in notes.
8.5.5 Post-delivery activities
No changes. This clause still doesn’t know what it wants to say. Still puts the requirements in the notes, so:
Hey, ISO editors: you cannot have requirements in notes.
8.5.6 Control of changes
No changes.
8.6 Release of Products and Services
No changes. Still maintains the horrid 2015 error or switching terms mid-standard. The clause is not about “release” (delivery) at all.
Oh, and still no actual delivery clause! So, per ISO 9001, product never needs to be shipped and services are never delivered. Astonishing.
8.7 Control of Nonconforming Outputs
No changes, and we desperately needed fixes here.
9.0 Performance evaluation
9.1 Monitoring, Measurement, Analysis and Evaluation
9.1.1 General
No changes, remains nearly entirely useless. Never ties back to the process approach, so breaks PDCA entirely.
9.1.2 Customer satisfaction
No changes.
9.1.3 Analysis and Evaluation
No changes. Again, never ties back to the process approach, so breaks PDCA entirely. Treats “performance and effectiveness of the quality management system” as something totally apart from the process approach.
Keeps “statistical techniques” as an afterthought note, ensuring problems for companies that use them.
9.2 Internal Audit Programme
Very strange rewrite. The 2015 version required you to perform audits to ensure conformity with ISO 9001 and against your own QMS requirements. The 2026 version removes this entire paragraph, never telling you what you are supposed to audit! It’s a truly bizarre change that makes no sense. It also invites trouble: CBs will not be able to write nonconformities if you don’t audit your QMS against ISO 9001 or even your own procedures.
If I were a CB, I would be hating this change. Maybe this will get fixed before FDIS, but I doubt it.
Also changes name of clause to add the word “programme” (per Annex SL update.) Then uses the word in the text, but not consistently. Refers to auditing as a “process” then “programme” and then “process” again, all in one single sentence. No one is editing this.
Still no requirement or language about “process-based auditing,” so – again – PDCA and the process approach are abandoned by the time we get to clause 9.
Odd how bad this is, since the TC 176 consultants love to write books about auditing, and they appear to have no clue how to do it.
9.3 Management Review
No changes. Maintains 2015’s errors of (a) failing to tie back to PDCA and process approach, (b) conflating “process performance” with “conformity of products and services” when the two are very, very different things.
10.0 Improvement
10.1 General
No changes to requirements. Adds cringeworthy note namedropping terms like “incremental and breakthrough change,” “innovation and re-organization,” and “emerging technology.”
10.2 Nonconformity and Corrective Action
No changes; doesn’t fix the confusion between this clause and 8.7’s “nonconformities.” (This was because Hortensius and his Annex SL crew don’t understand the difference, never having worked outside a standards body.) Still doesn’t require a procedure; apparently, you can control your nonconformities through song or slam poetry.
10.3 Continual improvement
No changes. Still never ties back to processes or anything in clause 4 at all, so breaks the PDCA cycle one last time.
New Annex A
This version expands the Guidance material first cooked up in CD2’s first draft. This is where TC 176 spent all of its time, while ignoring the key clause 8 material that really needed to be fixed. This is what happens when you allow consultants, rather than end users, to write standards. They consult.
This annex adds a massive fifteen pages to the standard, and it’s crucial to understand that all of it may be ignored. There are no requirements here.
My full review of Annex A is here, but — again — there are no requirements here, so all of it is simply the consultant-authors riffing.
What’s Not in the Standard
In the past few months, multiple so-called experts have claimed that the new standard will include concepts such as “sustainability,” “emerging technologies,” “artificial intelligence,” “Quality 4.0,” “automation,” and “digital technologies.” Every single one of those claims is false! None of those things appear in the requirements.
Worse, nearly none of them appear in the Notes or Annex A materials, either! So they’re not even mentioned in the suggestions.
In the Annex A guidance, there’s a single brief mention of “emerging technologies” as it relates to document control, and then a brief discussion on “digitalization” under the guidance on continual improvement. There is no mention at all of AI, nothing about cybersecurity. Where you would expect to see discussions about new technologies is the guidance on clause 8.5, but there is nothing.
Here are a few examples of what consultants and CBs have been misleading folks about in order to drum up sales and create panic. None of this was true. They all lied:
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
