Do you know that if you Google ISO 9001:2015 you get over 76 million hits? If you just type in ISO 9001 (without the date) you get about 209 million hits. That’s not too shabby for a document that’s only 29 pages long and has been around for about 35 years.

Why do organizations even today continue to embark on an ISO 9001 implementation project, joining the 1.2 million others around the globe who are certified to this extraordinary quality management system (QMS) model? What’s the staying power? What’s the value – the appeal? Why does the ISO 9001 certificate still resonate with companies as the qualifying benchmark for managing their supply chains?

The short answer: it works. It delivers on its commitment. It establishes a foundation that is solid yet pliable. It is both adequately generic to be useful across a plethora of industries and service sectors; and, specific enough to provide global homogeneity of some key concepts that are ubiquitous around the world. And, it has ensured its continued relevance over the years through multi-faceted monitoring and timely revisions.

A short overview of ISO 9001 yields its hallmarks for success. The document addresses concepts and processes that pervade all organizations. They include such topics as:

  • Definition of operations
  • Identification of processes
  • Provisions for training and/or qualification of personnel
  • Ability to understand and fulfill customer requirements
  • Controlled design and development activities
  • Maintenance of an adequate infrastructure
  • Supply chain management
  • Performance monitoring and metrics
  • Established practices for dealing with problems
  • Structured and protected documentation


Big or small, single storefront or multi-site operation, simple or complex – these concepts are somehow manifest. The standard accommodates both the companies who fabricate only one product in modest quantities and those who sell millions of skews manufactured by dozens of subcontractors. It is also relevant to service organizations whose services are their “products.” There’s no one single right way to apply the standard – as long as there is conformance to requirements.

The overused mantra “Do what you say and say what you do” may seem hackneyed, but it persists as a core trait of this international standard.  

These activities reflect bits and pieces of the whole that have to be woven into the fabric of an effectively implemented QMS. It merits pointing out that if it isn’t effective or doesn’t create value for the organization, it’s worthless. Monitoring, therefore, emerges as an important component for getting from where we are to where we need to be.

The manner in which organizations monitor the effectiveness of their QMS may vary. If a company says, “Our quality objectives are on-time-delivery and zero rejects,” then those are their performance metrics. A larger corporation may have dashboards that monitor dozens of activities, product attributes, environmental controls, labor standards, customer calls, quotation turnaround rate and their carbon footprint. And that’s okay, too. In each instance, the monitoring methods and resulting analysis have to be appropriate, consistent and reflect reliable and usable data.

Effectiveness can be achieved by adopting the concepts that came to prominence in the current revision, ISO 9001:2015. What follows is a brief summation of some of these concepts.

Risk-based thinking

Language relating to risk is peppered throughout the standard. Risk is dealt with in terms of the potentiality for something to go wrong. Interestingly, it’s paired with opportunity for improvement. In both instances, there is the potential for unexpected consequences and the need to take action to either mitigate a risk or seize an opportunity. The impetus to anticipate a risk or take action is directly linked to the next three concepts – which are themselves interrelated.

Understanding internal and external issues

These are the factors that affect your ability to sustain your organization and to serve your customers. They may be fairly common and ongoing or unique to your industry. They include factors like staffing shortages, equipment obsolescence, new technology or competitive designs. They may be very specific or short-lived like the scarcity of a precious raw material, a drought or the retirement of several key technicians. Or, of course, a pandemic. Failure to address the issues will result in challenges in your ability to get product to market – to, in the words of ISO 9001:2015, “…consistently provide products and services that meet customer and applicable statutory and regulatory requirements.”

Interested parties

Interested parties are also called stakeholders. Internal and external issues don’t exist without interested parties. Think of them as the who to the preceding what (an issue). Interested parties come in three flavors: those who affect the organization, those affected by your organization and those who perceive themselves to be affected by your organization. Examples, in no particular order, include:

  • competitors who slash their prices
  • customers who revise their requirements to address climate change initiatives
  • suppliers who have been negatively impacted by international logistical problems
  • regulators who revise product specifications or material restrictions
  • financial institutions who revamp their lending policies
  • temp employment agencies that discontinue pre-qualification protocols
  • baby boomers retiring
  • local zoning board changing by-laws where you were intending to build a new facility
  • technical school that provides interns going out of business


Through consistency and control, organizations get a better opportunity to identify relevant factors from the ultra-critical to the humdrum. The same applies to interested parties. Through vigilance it creates the potential to mitigate instances in which interested parties inadvertently wreak havoc on your company. Bringing consistency to these monitoring activities is the big benefit to get out of actualizing the requirements related to both internal and external issues, and interested parties. It enables the organization to better manage the output of this monitoring: change.

Change control

Change in and of itself isn’t positive or negative. It can engender either a risk or an opportunity depending on the effect that it has on planned results or intended outputs. The degree to which the output of the change can be planned, with appropriate consideration of internal and external issues, will determine whether the change results in an unforeseen problem or in an actualized opportunity. The standard clearly directs the organization to consider the purpose of the change, potential consequences, availability of resources and the authority and responsibility for the change. Although there is one clause relating specifically to planning changes to the QMS, the concept of change is not relegated to that single clause of the standard, but permeates multiple sections. ISO 9001 comes pretty close to giving companies a blueprint for handling change: decide what’s to be done, determine who’s in charge, delegate authority, provide resources, execute the plan and then check the results – all the while watching for internal and external issues that could mess with your plan or interested parties who might be affected by what you do.

So, as processes change, product goes out the door, there are turnovers in staff and the supply chain shrinks or grows, the perpetual cycle of monitoring issues, processes and interested parties continues.

Putting all of this together, it’s clear that a well-managed ISO 9001 system isn’t just a neat idea. It’s a sound business decision. The standard that was launched in 1987 continues to be an exquisitely elegant but uncomplicated model for achieving the success of your organization while ensuring customer satisfaction.