ISO 9001:2015: A QMS That Actually Improves Things

ISO 9001:2015 is the most widely held quality management standard in the world — over a million certificates across every industry — and the framework that ISO 13485 (medical devices), IATF 16949 (automotive), AS9100 (aerospace) and many sector standards are built on. The 2015 revision was structural: ten clauses aligned to the High-Level Structure shared with ISO 14001 (environment), ISO 45001 (health and safety) and ISO 27001 (information security), making integrated management systems achievable for the first time. The revision also elevated risk-based thinking, leadership engagement, and the process approach. The 2026 audit climate is sharper than 2018 — certification bodies are pushed by the IAF to deliver more rigorous audits, and the 'tick-box ISO 9001' that survived a decade ago will not survive now. This guide walks through the ten clauses, the risk-based-thinking expectation, the integration opportunities, and a practical readiness path. It is written for QA leads, quality managers, management representatives and operations directors at manufacturers of any size pursuing or maintaining ISO 9001 certification.

The ten clauses and the High-Level Structure

ISO 9001:2015 organises requirements across ten clauses (clauses 1-3 are informational; 4-10 are auditable): Context of the Organization (4); Leadership (5); Planning (6); Support (7); Operation (8); Performance Evaluation (9); Improvement (10). The structure aligns with Annex SL (now ISO/IEC Directives Part 1 Annex L) shared by ISO 14001, 45001, 27001, 22301 and others — making a single integrated management system structurally possible. The auditable clauses each open with the same conceptual frame (Plan-Do-Check-Act mapped to clauses 4-6 / 7-8 / 9 / 10), and the audit narrative follows that frame. A management review that has never explicitly addressed clauses 4 and 6 is a structural finding waiting to happen.

Risk-based thinking: not the same as risk management

Clause 6.1 introduced 'actions to address risks and opportunities' — and the 2015 revision deliberately did not require a separate risk register or a formal risk management process. Risk-based thinking is meant to permeate the QMS — every process should consider risks and opportunities to its outputs. Auditors test this through process-by-process discussion ('what could go wrong in this process and what are you doing about it'), not through a single risk register review. Sites that wrote one risk register and call it done miss the point; sites that integrate risk into every process — design, purchasing, production, delivery, change — pass the test by demonstration. ISO/TS 9002:2016 (guidance for ISO 9001:2015) is the clarifying reference if interpretation is contested.

Context, interested parties and the scope statement

Clause 4 (Context of the Organization) requires determining the external and internal issues relevant to the organisation's purpose and strategic direction, the interested parties relevant to the QMS, their requirements, and the scope of the QMS. This is the clause most often underdone — sites have a one-line scope statement and no documented analysis of context or interested parties. Certification audits in 2026 open with this clause and pull the thread through to whether the rest of the QMS actually addresses what clause 4 says it does. A scope statement that excludes a process the organisation clearly performs (typical example: design and development) requires a documented justification, not a silent omission.

Leadership engagement: clause 5 and the management review

Clause 5 (Leadership) requires top management to demonstrate leadership and commitment with respect to the QMS: taking accountability for QMS effectiveness; ensuring the quality policy and quality objectives are established and compatible with the strategic direction; ensuring integration of QMS requirements into business processes; promoting the process approach and risk-based thinking; ensuring the QMS achieves its intended results; engaging, directing and supporting persons; and promoting improvement. The management review under clause 9.3 is where this commitment becomes visible — and a management review that delegates fully to the QA manager, that does not address the clause 9.3.2 inputs explicitly, or that produces no decisions and actions, is the clearest evidence the leadership clause is not met.

Documented information: when and how much

ISO 9001:2015 deliberately reduced prescriptive documentation requirements — there is no longer a required Quality Manual or list of mandatory procedures. Documented information is required where the standard explicitly requires it (the scope, the quality policy, quality objectives, evidence of various activities), and where the organisation determines it is necessary for the effectiveness of the QMS. The principle is fit-for-purpose: documents that change behaviour, not documents that exist to prove an auditor wrong. The trap is over-documentation as much as under-documentation — large procedure libraries with nobody reading them are themselves a quality issue.

Operation (clause 8): where the QMS meets reality

Clause 8 is the largest, covering Operational Planning and Control (8.1), Requirements for Products and Services (8.2), Design and Development (8.3 — applicable unless justifiably excluded), Control of Externally Provided Processes, Products and Services (8.4 — including outsourcing and suppliers), Production and Service Provision (8.5), Release of Products and Services (8.6), and Control of Nonconforming Outputs (8.7). The Operation clause is where most audits spend most of their time, and where most findings land — particularly around supplier control (8.4), traceability (8.5.2), and nonconforming outputs (8.7).

A 60-day readiness path

Days 1 to 10: gap assessment against all auditable clauses (4-10) with explicit attention to clause 4 (context and interested parties), clause 6.1 (risk and opportunities), clause 9.3 (management review inputs and outputs), and clause 8.4 (external providers). Days 11 to 25: close the structural gaps — context analysis, interested-parties register, risk integration in priority processes; refresh the management review template to cover every clause 9.3.2 input. Days 26 to 45: process-by-process internal audit with documented evidence of risk-based thinking; close findings with corrective action that addresses cause (clause 10.2). Days 46 to 60: management review with the internal audit and the customer feedback evidence; mock certification audit if the audit cycle warrants; pre-audit logistics.

Frequently asked

Is ISO 9001:2015 mandatory?
No — ISO 9001 certification is voluntary. It is a contractual requirement in many sectors (automotive, aerospace, medical devices, defence supply chains) and is often required for tender qualification in public procurement, but it is not a legal requirement in any jurisdiction. Many manufacturers maintain it because customers require it, not because regulators do.
Will there be an ISO 9001:2026?
ISO has confirmed the next revision is in development with publication targeted for late 2025 / 2026. The technical committee (ISO/TC 176/SC 2) has signalled the revision will be evolutionary rather than structural — climate change considerations integrated into context (already added by an amendment in 2024), some clarifications on risk-based thinking and on documented information, alignment with the latest Annex L. The next edition is not expected to overturn the 2015 framework; sites with a strong 2015 implementation will transition without difficulty.
How does ISO 9001 differ from ISO 13485?
ISO 13485 is the QMS standard for medical devices — built on the same management-system structure but with medical-device-specific requirements (risk management throughout, design controls, sterile and implantable device controls, regulatory requirements integration). ISO 13485 deliberately takes a regulatory rather than customer-satisfaction frame, and the 2016 revision did not align to Annex SL the way ISO 9001:2015 did. A medical device manufacturer typically holds ISO 13485 (not ISO 9001) because the regulatory route to market depends on it.
Can I integrate ISO 9001 with ISO 14001 and ISO 45001?
Yes — the High-Level Structure was designed for this. An Integrated Management System (IMS) sharing context, leadership, planning, support, evaluation and improvement clauses across quality, environment and health-and-safety is significantly more efficient than three parallel systems. Certification bodies offer combined audits at reduced effort. The integration is most valuable for sites where management commitment, internal audit programmes and management review can be unified rather than triplicated.