Implement ISO 9001

If you are faced with implementing ISO 9001, or anticipate it may soon become a requirement for your organization, keep reading. This article identifies reasons to implement the standard, summarizes its requirements, explains the certification process, identifies implementation steps, describes a typical schedule, estimates the costs, and lists expected benefits.


There are a number of reasons why an organization might pursue ISO 9001 certification. Most often, it is because a client requests it, or a contract requires it. Why would a client impose the standard? Because ISO 9001 certification demonstrates your ability to consistently provide products and services that meet customer and legal requirements.

Use of ISO 9001 also addresses customer satisfaction through a quality management system that is focused on preventing nonconformities and achieving defined objectives. More and more companies are requiring ISO 9001 certification as a prerequisite for doing business around the world. In fact, more than one million organizations now hold ISO 9001 certificates.

The ISO 9001 standard is applicable to all industry sectors and organizations, regardless of their type, size, product, or service. The standard is interpretative, not prescriptive. It specifies control requirements that must be addressed. It does not specify what methods to use.

Organizations seeking certification must demonstrate that they have documented and implemented an effective system. And, it is the system that will be being evaluated, not product quality, service quality, or the performance of individuals. With certification, along with improved quality, your organization will hopefully gain a competitive advantage.

Without satisfied customers, an organization is in peril. To keep customers satisfied, the organization needs to meet their requirements. The ISO 9001 standard provides a tried and tested framework for managing your processes so they consistently deliver products and services that satisfy your customers.


ISO 9001 provides a set of standardized requirements for a quality management system, regardless of what an organization does, its size, or whether it is in the private or public sector.

There are five requirement groupings in the standard that specify activities to be considered when you implement your system:

  • Overall requirements for the quality management system and documentation
  • Management responsibility, focus, policy, planning, and objectives
  • Resource management and allocation
  • Product realization and process management, and
  • Measurement, monitoring, analysis, and improvement.

Quality Management System

ISO 9001 begins with a set of general requirements for the system, and then identifies the need for a quality policy, quality objectives, and a quality manual. The standard continues with requirements to control documents and records.

Management Responsibility

This section requires top management to demonstrate their commitment to the system, ensure the organization is customer-focused, and verify employees understand the quality policy. The standard requires top management to also establish measurable performance targets, define and communicate responsibilities, and regularly meet to review the effectiveness of the system.

Resource Management

ISO 9001 requires the organization to provide resources for implementing and maintaining the system, continually improving its effectiveness, meeting customer requirements, and enhancing customer satisfaction. The standard also requires everyone working within the system to be competent to perform their assigned duties. The organization must provide the infrastructure, work environment, and supporting services needed to produce conforming products and services.

Product Realization

This section contains the largest set of requirements. It ranges from planning and gathering requirements, to producing and delivering products and services to the customer.

The processes for product realization must be planned and implemented. Then, the organization can capture and review customer requirements, as well as, establish effective customer communication.

Next, the requirements are transformed into a product specification by following a well-defined design and development process. These activities include reviews, verification, validation, and change control.

With a product design in place, the organization must now evaluate and select suppliers that can provide the necessary parts and services. These requirements include sending suppliers the correct purchasing information and verifying the purchased product upon receipt.

Now, the organization is ready to produce their product. The standard requires production be carried out under controlled conditions. Products must be clearly identified, customer property protected, and products properly handled, stored, packaged, and protected. Any monitoring and measuring equipment used for production or testing purposes must be calibrated to ensure accurate, reliable results.

Measurement, Analysis, and Improvement

The standard requires processes within the system to be planned, measured, analyzed, and improved. An organization must also monitor how well it is meeting customer requirements.

Organizations must establish an internal audit program to determine conformity to requirements, to evaluate system effectiveness, and to identify opportunities for improvement.

Processes must be monitored to ensure they are achieving the planned results. Likewise, products must be measured to verify they meet the acceptance criteria. Product that does not meet the criteria must be controlled as nonconforming product to prevent its delivery.

A lot of process and product data will be available for analysis to identify improvement areas. Corrective actions are taken to eliminate the causes of any detected process or product nonconformities in order to prevent their recurrence. Preventive actions are taken to eliminate the causes for any potential process or product nonconformities to prevent their occurrence.

And, the organization is required to continually look for ways to improve the effectiveness of the quality management system.


The standard requires the organization to conduct internal audits of its ISO 9001-based quality system to verify the processes are being managed effectively, in other words, to confirm the organization is fully in control of its activities.

The organization may also invite its clients to audit the quality system in order to give them confidence that the organization is capable of delivering products and services that will meet their requirements.

Lastly, the organization may engage the services of an independent certification body, also called a registrar, to obtain an ISO 9001 certificate of conformity. This option has proved extremely popular because of the perceived credibility of an independent assessment.

Stage 1 Audit 

After your system is implemented, the certification body conducts a stage 1 audit to assess your documentation and verify key practices are in place, e.g., internal audits, management reviews, and performance tracking. Stage 1 audits are typically a day in duration. If you pass this audit without any major issues, the certification body will deem your system ready for the full system audit.

Stage 2 Audit 

About one or two months after a successful stage 1 audit, the certification body will return to assess the entire system. They will look for conformity to customer, legal, and organizational requirements, as well as, to the requirements of the standard. The audit duration will depend on the size of the organization, the number of sites, and the functions included in the system.

For example, a small organization with 10 or fewer employees might receive an audit of only two days. For an organization of 20 employees, the duration would increase to three days. For 30 employees, the audit would be four days; for 50 employees, the audit would be five days.

The number of audit days continues to grow as the size of the organization increases. For a size of 100 employees, the audit would be seven days; for 200 employees, the audit would be nine days. If the organization has 500 employees, the duration would be 11 days.

If the organization receives no major nonconformities during the audit, the audit team can recommend certification based on your submission of an acceptable corrective action plan for any reported minor nonconformities. The certificate will be issued a few days or weeks later, and describe the scope of the certified quality management system.

If one or more major nonconformities are found, the certification body either conducts a special visit in a month or two to verify the major issues have been resolved, or it conducts another full certification audit when the organization says the major nonconformities have been corrected.

Surveillance Visits

Depending on the size of the organization, the certification body will establish an annual or semi-annual surveillance program. The total surveillance days each year will be about one-third the duration of the stage 2 certification audit. Each visit will always assess certain key elements of the system, for example, internal audit, management review, customer satisfaction, and corrective action. A sample of the other areas of the system will be examined during the visit, with all the areas being assessed over the three year life of the certificate.

Recertification Audit

Every three years, the entire system will be assessed again. The recertification audit duration will be about two-thirds as long as the stage 2 audit. Assuming the assessment doesn’t find any major nonconformities, the audit team can recommend the organization for continued certification. And, after receipt of an acceptable corrective plan for any minor nonconformities, the certification body will reissue the ISO 9001 certificate.


The implementation process is important in achieving the full benefits of the quality management system. Most new users obtain measurable payback early in the process.

First, you need to fully engage top management to define why they want to implement an ISO 9001-based quality management system. Next, review the mission, vision, and values of your organization. Then, you are ready to define your quality policy and quality objectives, and identify the key processes and interactions needed to meet your quality objectives.

To build your ISO 9001-based system, you’ll need to train top management and key staff on the ISO 9001 requirements. Map these requirements to your system and identify management owners for each process. Perform a gap analysis of the current system to determine where the requirements are fulfilled and where they are not. Then, use the results of the gap analysis to develop an implementation plan that describes the activities, deliverables, responsibilities, and due dates.

Some of the implementation steps are:

  • Appoint a management representative
  • Define your quality policy and objectives
  • Identify the processes and responsibilities
  • Assign each process to a manager
  • Establish your implementation team
  • Collect procedures, instructions, and forms
  • Define your project plan and schedule
  • Conduct employee awareness sessions
  • Inform customers and suppliers of the plan
  • Arrange for public and onsite training
  • Begin writing the needed documents
  • Monitor the progress against your plan
  • Evaluate and select the certification body
  • Implement the documents and practices
  • Operate the system and collect evidence
  • Initiate the management review meetings
  • Begin conducting the internal audits
  • Undergo the certification audits
  • Take the necessary corrective actions
  • Receive the ISO 9001 certificate
  • Begin the ongoing surveillance audits


The implementation schedule for an ISO 9001-based system may range from 6 months to 12 months, or longer, depending on the work to be done and the resources that can be devoted by the organization.

The first month or two are typically spent organizing, training, planning, and then performing a gap analysis. The next couple of months are allocated to correcting any nonconforming practices, creating the necessary documents, and selecting the certification body.

After three to six months, the system is usually ready to be implemented and operated. Records are kept as evidence of conformity. After a month of operation, the stage 1 audit can be held, followed by corrective actions, then the stage 2 audit, and submission of an action plan to the certification body.


There are costs associated with training classes, consultants (if used), the certification body, and your organization’s own time involvement.


Public courses are available with titles like Implementing ISO 9001, Quality System Documentation, and Internal Auditing. The fees for these two and three-day courses range from $800 to $1200 per student. You can also have the courses taught on-site if you have sufficient students to justify the flat rate fees. The individual on-site class fees may range from $4000 to $7500, plus instructor travel expenses. Some of this training may not be necessary if you use the services of a consultant.


Choosing a qualified consultant is no easy task. The importance of taking the time to make a thoughtful selection should not be underestimated. Your choice could end up affecting the effectiveness of your business operations.

Qualified consultants are usually certified auditors that have experience assessing systems for ISO 9001 certification. To remain impartial, the consultant can’t be assigned to perform your certification audit. They can, however, provide guidance and conduct internal audits to confirm the system is ready for the certification audit.

The daily rate for consultants may vary from $800 to $2000, depending on their experience, reputation, and success. The more experienced consultant may be needed for fewer days due to their effectiveness. The consultant’s goal should be to make the organization self-sufficient as soon as possible.

The consultant’s initial visit usually involves training, a gap analysis, and implementation planning. This visit may require two to four days, depending on the size of the organization. You may ask the consultant to return for one or two days a month over the life of the project to check on progress, review documents, and consult on the remaining tasks.

A big variable with consultant costs is whether you have the consultant interview people and write your documents, or if you write the documents and have the consultant review them. If thoughtfully selected and wisely used, a consultant can be a valuable partner in helping to set up your quality management system. However, remember that the system is owned by your organization.

Certification Body

The daily rates for certification bodies seem to vary from $1200 to $1600, plus auditor travel expenses. The number of auditor days is based on the size of the organization, the number of sites, and the functions included in the system scope. See the earlier discussion in this article for duration estimates.

You’ll know the actual cost when you request quotes from several certification bodies. See the ANSI-ASQ National Accreditation Board web site for a list of certification bodies.


Most organizations have a few selected managers and employees implement ISO 9001 in addition to their regular activities. A few duties may be offloaded to give these people more time on the project, but more costs aren’t usually incurred, unless overtime pay is involved.


Most new users of ISO 9001 obtain measurable benefits early in the process of implementing the requirements. These initial benefits are usually due to the improved measurements and controls.

Employee Benefits

For a successful implementation of a quality management system, employees need to understand its value for them. The better they understand what is in it for them, and how the organization benefits, the more receptive they will be to the changes and the work involved to make it happen.

Employees usually benefit from the improved internal communication and top management support. And, conformity to the standard will mean suitable and well-maintained equipment, along with the training necessary to perform their jobs.

Work instructions, where necessary, will be available to guide them in their activities. They’ll have a better understanding of their role in the system and their contributions to meeting objectives.

The sense of order and control should carry over into clean and well-organized work areas. Since the organization wants to continually improve its system, employees will be encouraged to report problems and suggest improvements. Employees should become more satisfied and committed to the business.

Organization Benefits

One of the results of a conforming quality management system will be better planned and coordinated activities. Any problems affecting product quality will be identified and effective solutions implemented.

The plan-do-check-act approach of ISO 9001 will lead to more efficient and effective processes and more productive employees. Higher quality products will be delivered to increasingly satisfied customers.

And, the story only gets better, because your organization and its quality management system will be continually improving. As a result of your ISO 9001-based system and its policies, procedures, tools, and information, the organization will be better managed for success.

Certification Benefits

ISO 9001 is the international language of quality. Certification will help your organization gain expanded access to world markets. And, potential customers may require certification as a prerequisite to bid on contracts. With the certificate in place, your organization will be ready.

In addition, the ISO 9001 certificate may differentiate your organization from others in the marketplace and provide a competitive advantage. The certification mark recognizes a quality accomplishment that you continue to earn through successful surveillance audits. You will be able to display it with pride.

Due to its prevention focus, disciplined approach, and better controls, your organization may see an extra benefit of improved housekeeping and fewer accidents. As a result, you may qualify for lower insurance premiums. And, don’t underestimate the value of independent system assessments by well-qualified professional auditors.

For more information on how to implement an ISO 9001-based quality management system, consider enrolling in our 2-day Implementing ISO 9001:2008 course.

You might also consider buying a book on ISO 9001 at this Amazon web site.