ISO FDIS 9001:2026 Full Review

I obtained a copy of the pre-publication version of the ISO 9001:2025 Final Draft International Standard (FDIS). This version is nearly guaranteed to be the exact, word-for-word text that appears in the final published standard, as ISO rules only allow up-or-down voting on the FDIS and disallow changes at this point. (Edits for grammar and formatting are allowed, however.)

Having said that, for the 2015 version, they added that whole “emotionally protective workplace” nonsense after the FDIS version last time, so ISO may not follow its rules and make changes anyway.

The PDF is 50 pages long. This will increase the cover price over what ISO is currently charging for ISO 9001:2015 and is entirely due to the addition of (potentially controversial) guidance materials within a new Annex, a bibliography with 27 references to other ISO standards (ISO wants to upsell), the inclusion of definitions (rather than referring to ISO 9000) and bloated front matter.

Big takeaways:

• The bulk of changes are to non-requirements text, in the front matter and the Annex. Very, very few changes to actual requirements.
• Updating to the new standard will likely take most companies about an hour. I am not kidding. Anyone paying for upgrade classes or training is getting robbed; if you want to get ripped off, just send me your money and I’ll spend it for you.
• All mistakes in the 2015 version remain uncorrected. Some are made worse.
• No new requirements on sustainability, cybersecurity, digitalization AI, etc., despite false claims made by consultants and CBs for years now.
• As expected, TC 176 left clause 8 largely untouched, but then added a significant amount of text to the Annex to discuss it. None of it helpful.
• PDCA is still broken. Clause 10 never loops back to clause 4.
• Still no clause on shipping.
• The auditing clause is crippled by the removal of a paragraph on the purpose of internal audits; this will cause chaos when CBs audit client’s internal audit programs.

Let’s take a look at what is in this document and, more importantly, what isn’t.

Changes to Clauses

0.0 Introduction

Rewrite on the intent of ISO 9001, references “sustained success” which seems to be why people think the standard is about “sustainability.” It’s not.

Still only 7 quality management principles. Yes, when the consultants took over in 2015, they eliminated an entire principle, and the 2026 team didn’t add it back. When consultants take over anything, you always end up with fewer principles.

Rewrite of the section on the “process approach,” with a new graphic that illustrates a typical process’s inputs and outputs, which may only cause confusion. Worse, they revise the process approach to make it appear that risk-based thinking and opportunity-based thinking were always parts of the process approach, which is an Orwellian rewriting of history. Deming said nothing about risk or opportunity, but they want you to think he did.

They maintain another graphic from 2015 on how the clauses align with PDCA, which was wrong in 2015 and is still wrong. They put clause 7 under “Do” rather than “Plan,” for example, and have clause 5 (Leadership) sit outside, not assigning it to any of the four steps. (It’s “Plan,” too, dummies.)

Stunningly, the entire section on risk-based thinking is removed. I am as shocked as you are. Instead, RBT is now solely discussed in the guidance materials appearing in the Annex.

Thankfully, the user’s “Bill of Rights” remains untouched except for a minor rewording. This is the paragraph that starts with “this document does not imply the need for …” and it is an invaluable tool for users who are harassed by uninformed auditors.

1.0 Scope

Very minor rewording, no changes

2.0 Normative references

References ISO/DIS 9000 (still being drafted).

3.0 Terms and Definitions

References ISO/CD 9000 (again) and points to the ISO/IEC “Electropedia” website for more definitions. Yes, “Electropedia” sounds like something Jeffrey Epstein got arrested for.

Now adds definitions for: organization, interested party (stakeholder), top management, management system, quality management system, policy, quality policy, objective, quality objective, risk, process, competence, documented information, performance, continual improvement, nonconformity, corrective action, audit, measurement, monitoring.

The definition of risk still claims it can be either “positive or negative.” Then a new note says, “the word ‘risk’ is sometimes used when there is the possibility of only negative consequences.” So they can’t even be consistent. There are five notes on this definition, showing TC 176 really struggling with this whole “positive risk” insanity.

Still no definitions for “strategic direction” or “opportunity,” despite the terms being crucial for understanding the standard. “Opportunity” is 50% of the clause, and no one knows what it means. After nearly a decade!

The definitions of “monitoring” and “measurement” don’t accurately reflect the words as they are used within the context of the standard itself, and this remains a problem. In this draft, “monitoring and measuring” refers to inspection and testing until clause 8.6; at 8.6, the term “planned arrangements” is swapped in to replace “monitoring and measuring,” and by clause 9, “monitoring and measuring” takes on an entirely different meaning. It’s a mess.

4.0 Context of the Organization

Still presents sub-clauses in the wrong order.

Embeds the 2024 amendment language about climate change, but no other additions.

4.1 Understanding the Organization and Its Context

Embeds the 2024 amendment language about climate change, but no other additions.

4.2 Understanding the needs and expectations of interested parties

Adds climate change language from the ISO 9001:2015 Amendment 2024.

Minor language tweaks, no new requirements.

4.3 Determining the Scope of the Quality Management System

Minor language tweaks, no new requirements.

Still does not require that the scope statement include locations that fall under the QMS, despite this being a requirement for certification going back to the late 1980s. Still does not conclude that the scope statement is the expression of the organization’s “context“; the authors don’t understand how to interpret Annex SL for quality management.

4.4 Quality Management System

Minor language tweaks, no new requirements. Despite the change to the clause name, this is the “process approach” clause.

5.0 Leadership

5.1 Leadership & Commitment

5.1.1 General

Adds requirements for top management to promote “quality culture and ethical behavior.”  More unenforceable platitudes, keeping the clause largely useless and un-auditable. Adds a note that tries to explain this, but it’s weak.

This has led consultants and poor readers to think that “quality culture” and “ethics” are some kind of hard requirement, but that’s not true. This clause has always listed various non-auditable concepts, which are then entirely ignored. TC 176 did not follow this up with actual clauses requiring a quality culture or ethics, so anyone saying the standard now emphasizes these concepts is lying.

5.1.2 Customer Focus

No changes. Still a largely useless clause, as it simply refers to content already addressed elsewhere.

5.2 Policy

Adds new requirement that the Quality Policy “takes into account the context of the organization and supports its strategic direction.” Likely language mandated by the Annex SL update. The standard still never defines what a “strategic direction” is or actually requires a company to have one.

5.3 Organizational Roles, Responsibilities and Authorities

Adds new requirement to assign someone the responsibility to report “on opportunities for improvement to top management.”

6.0 Planning

6.1 Actions to address risks and opportunities

TC 176 clearly spent — or some may say wasted — time on this one. Each CD has had different language here, and the DIS takes another shot at it. The sub-clauses are divided as follows:

6.1.1 Determining Risks and Opportunities: largely the same language as 2015. Still a mess, as it mangles the interpretations of risk and opportunity into one incomprehensible bulleted list. This clauses claims the risks and opportunities discussed are only those relevant to “planning for the QMS.” Hold that thought.

6.1.2 Actions to Address Risks: largely the same language as 2015. Whereas the prior clause said the risks are related only to QMS planning, this clause immediately contradicts that, and now says the risks “that can have an undesired effect on its ability to continually and consistently provide conforming products and services and enhance customer satisfaction.” This gets it a bit closer to being true preventive action, but not quite.

6.1.3 Actions to Address Opportunities: new language that (cringingly) takes the exact same text from 6.1.2 and swaps in the word “opportunity” for “risk.” Again, TC 176 is pretending to do stuff by copying-and-pasting. They made clause 6.1 larger but without adding any new words. As I said, “opportunity” is never defined.

Still no requirement for procedure, process, records, root cause, or any legacy preventive action language, so this will remain a huge flaw in ISO 9001. TC 176 predictably ignored the world’s feedback on “risk-based thinking.” Worse, the Annex now leans into the astonishingly insipid new branding of “opportunity-based thinking.”

6.2 Quality Objectives and Planning to Achieve Them

ISO was humiliated by Oxebridge and others for toying with the idea of adding language that says objectives are to be measurable only “if practicable.” That humiliation worked, and ISO backtracked. Now, objectives (once again) must be measurable.

6.2.1 only re-orders the bulleted list; no new requirements as compared to 2015.

TC 176 still does not close the loop on the process approach as the core of a QMS, and thinks process metrics and quality objectives are different things. They are not, but sure, let’s be unnecessarily redundant.

6.2.2 maintains the cringeworthy “who, what, where,…” language of Annex SL and ISO 9001:2015. Remains a blank clause, with no actual requirements. Still, no editors are stepping in to fix this glaring flaw.

6.3 Planning of changes

The bullet list here expands, but it’s another “shall consider” clause. Whenever thoes two words are put together, the “consider” neuters the “shall,” and the text following it becomes, essentially, a non-binding note. It’s bad practice, and once again, no editors stepped in to fix this. The new bullet items include suggestions (not requirements) that the user consider “how the effectiveness of the changes will be monitored and evaluated” and “how the results of the changes will be reviewed.” But without a mandate that anything be documented or recorded, the clause is largely useless.

7.0 Support

7.1 Resources

7.1.1 General

No changes.

7.1.2 People

No changes.

7.1.3 Infrastructure

No changes. Continues to put the requirements into the note, keeping the error from ISO 9001:2015. Hey, ISO editors: you cannot put requirements in notes. I put that in boldface red font so you can read it more easily.

7.1.4 Environment for the Operation of Processes

Continues to put the requirements into the note, keeping the error from ISO 9001:2015. Hey, ISO editors: you cannot put requirements in notes.

Maintains the bonkers language on “social and psychological” factors such as “emotionally protective” workplace.

The language from prior CD versions, including references to consider “technological” and “cultural” aspects, was removed.

A final sentence is included in the requirements section that says, “Some factors are dependent on the organizational quality culture, including ethical behaviour.” Let’s do this again: Hey, ISO editors: you cannot put requirements in notes.

7.1.5 Monitoring and Measuring Resources

No changes. Still no requirement for records of calibration, but still requires a generic list of all inspection devices (whether calibrated or not.) The sentence related to records is clearly in 7.1.5.1 and not 7.1.5.2, but ISO never moved it.

7.1.6 Organizational knowledge

Minor rewording of the note, no changes to requirements.

7.2 Competence

No changes.

7.3 Awareness

Adds requirement to ensure employees are aware of “quality culture and ethical behaviour.”

7.4 Communication

No changes. Still unauditable, still doesn’t include customer communication (which instead appears in 8.2, out of place). Maintains cringeworthy “who, what, where, when” approach as if written by a thirteen-year-old.

7.5 Documented information

No changes. Continues to mix up “documents” and “records,” keeping the section confusing and rambling. A lot of people complained about this in the 2015 version, but TC 176 ignored them.

The Annex guidance on this clause goes full-on meth-head batshit crazy. Now it has the following decoding language:

– If the standard says “shall be available as documented information” = requirement for documentation.

– If the standard says “documented information shall be available as evidence of” = requirement for a record.

Because that is easier than just using the words “document” or “record” in the actual text.

You don’t believe me, so here it is. Consultants think this makes things easier.

8.0 Operation

8.1 Operational planning and control

Maintains ISO 9001:2015’s errors of (a) not clearly explaining that the standard views “operational” and “organizational” processes differently, (b) not fixing the clause so that it can in any way be understood without a consultant.

Added some additional language requiring documentation “to the extent necessary to have confidence that the processes have been carried out as planned” and “to the extent necessary as evidence of the conformity of products and services.” Removed vestigial sentence related to quality plans.

Still doesn’t fully discuss outsourced processes, since the TC 176 authors don’t really know what they are. Removed the term “outsourced processes.”

8.2 Requirements for Products and Services

8.2.1 Customer communication

No changes, but clarifies what ISO 9001:2015  meant by “contingency actions,” adding language that says these include “disruptions in the products or services provided.” Not great, but better than 2015.

Adds a cringeworthy note defining what “customer communication” is – really? Did we need that? – then namedrops terms like “website content, publications, social media, responses to frequently asked questions and training.” Again, this is a note, so not a requirement.

8.2.2 Determining the Requirements Related to Products and Services

No changes. Maintains bizarre language that this applies BEFORE a customer even exists (“products and services to be offered to customers…”) Still haven’t fixed that.

8.2.3 Review of Requirements Related to Products and Services

No changes. Still a mess (“to be offered…”) and largely repeats what was said in 8.2.2. The old 2000 language was better, but they still won’t restore it.

8.2.4 Changes to Requirements for Products and Services

No changes.

8.3 Design and Development of Products and Services

No substantive changes. Maintains the jumbled nature of this clause from 2015, implying that design validation happens before you create design outputs, Again, the  2000 language was better, but they won’t restore it. Agile folks, you will still hate this.

To trick the Agile folks into thinking they are relevant, a new note was added that drops the word “iterative.” TC 176 thinks that if you present a waterfall model but call it “iterative,” it becomes Agile.

The fact that this was not touched at all so far suggests that none of the TC 176 authors understand product design. The clause STILL does not discuss service design, despite it being in the title of the clause. This highlights a significant lack of subject matter expertise on the committee.

8.4 Control of Externally Provided Processes, Products and Services

No changes. This maintains the confusing repetition of requirements in 8.4.1 and 8.4.2. Also (again), this suggests there were no actual subject matter experts working on this. TC 176 doesn’t know how supply chain management and procurement work.

Still doesn’t require that you communicate with suppliers in actual writing. So you can order a billion dollars in military components over the phone with no record whatsoever.

Did correct the 2015 mistake and added “as applicable” to the bulleted list of possible flowdown requirements. That one was driven by me, so you’re welcome.

8.5 Production and Service Provision

8.5.1 Control of Production and Service Provision

No changes. Special process clause is still entirely unintelligible.

8.5.2 Identification and Traceability

No changes.

8.5.3 Property Belonging to Customers or External Providers

No changes. Still puts the requirements in the notes, so:

Hey, ISO editors: you cannot put requirements in notes.

8.5.4 Preservation

No changes. Still puts the requirements in the notes, so:

Hey, ISO editors: you cannot put requirements in notes.

8.5.5 Post-delivery activities

No changes. This clause still doesn’t know what it wants to say. Still puts the requirements in the notes, so:

Hey, ISO editors: you cannot put requirements in notes.

8.5.6 Control of changes

No changes.

8.6 Release of Products and Services

No changes. Still maintains the horrid 2015 error or switching terms mid-standard. From clause 7 until 8.5, “monitoring and measuring” was meant to mean inspection and testing. Now, in 8.7, they drop that term and instead use “planned arrangements” and “release” to mean inspection and testing. This comes from a fundamental mis-read of the 2000 text. Worse, “monitoring and measuring” then re-appears in clause 9 under a different meaning entirely!

The clause is not about “release” (delivery) at all.

Oh, and still no actual delivery clause! So, per ISO 9001, the product never needs to be shipped, and services are never delivered. Astonishing.

8.7 Control of Nonconforming Outputs

No changes, and we desperately needed fixes here. Given that ISO 9001 is, itself, a defective product, it’s no wonder TC 176 doesn’t know anything about controlling such things.

9.0 Performance evaluation

9.1 Monitoring, Measurement, Analysis and Evaluation

9.1.1 General

No changes, remains nearly entirely useless. Never ties back to the process approach, so breaks PDCA entirely.

Still improperly includes a requirement for records that (allegedly) flows down to 9.1.2 and 9.1.3, which is against ISO’s drafting rules. Each sub-clause is supposed to be self-contained and include its own records callout.

9.1.2 Customer satisfaction

No changes to requirements. Adds the term “social media” to the note, which is hilarious since TC 176 bans anyone who provides feedback on social media. Yes, I am talking about you, Sam Somerville, you hunchbrained troll.

9.1.3 Analysis and Evaluation

No changes. Again, never ties back to the process approach, so breaks PDCA entirely. Treats “performance and effectiveness of the quality management system” as something totally apart from the process approach.

Keeps “statistical techniques” as an afterthought note, ensuring problems for companies that use them.

9.2 Internal Audit

Puts back legacy language after the prior DIS version tried to go in a different direction.

Still refers to auditing as a “process” then “programme” then “process” again, all in one single sentence. No one is editing this.

Still no requirement or language about “process-based auditing,” so – again – PDCA and the process approach are abandoned by the time we get to clause 9.

Odd how bad this is, since the TC 176 consultants love to write books about auditing, and they appear to have no clue how to do it.

9.3 Management Review

No changes other than a call back to opportunities. Maintains 2015’s errors of (a) failing to tie back to PDCA and process approach, (b) conflating “process performance” with “conformity of products and services” when the two are very, very different things.

10.0 Improvement

10.1 General

No changes to requirements. Adds cringeworthy note, namedropping terms like “incremental and breakthrough change,” “innovation and re-organization.” Removed the DIS phrase “emerging technology,” which so many consultants insisted was a requirement. It was only in a note, and now it was excised entirely.

10.2 Nonconformity and Corrective Action

Stunningly bad, if nearly invisible change: they put the requirement to process customer complaints in an optional note, meaning you no longer need to file corrective actions if you get complaints. Again, moving ISO9001 back to the pre-Industrial Revolution era.

Still doesn’t fix the confusion between this clause and 8.7’s “nonconformities.” (This was because Hortensius and his Annex SL crew don’t understand the difference, never having worked outside a standards body.) Still doesn’t require a procedure; apparently, you can control your nonconformities through song or slam poetry.

10.3 Continual improvement

Removed entirely! That’s because under ISO 9001:2015, it was redundant with 10.1. So the requirements are still there, just in one place (rather than two).

New Annex A

This version expands the Guidance material first cooked up in CD2’s first draft. This is where TC 176 spent all of its time, while ignoring the key clause 8 material that really needed to be fixed. This is what happens when you allow consultants, rather than end users, to write standards. They consult.

This annex adds a massive fifteen pages to the standard, and it’s crucial to understand that all of it may be ignored. There are no requirements here. 

My full review of Annex A is coming soon, but — again — there are no requirements here, so all of it is simply the consultant-authors riffing.