
ISO's Climate Change Amendment
Mar 23, 2024
Climate change has become a burning issue in recent years and impacts not only individuals but businesses at various levels. Considering this, the International Organization for Standardization (ISO) has taken a big step towards integrating climate change considerations into management systems standards.
This decision, in line with the ISO London Declaration on Climate Change, recognizes the need to consider how climate change affects achieving management system goals. These changes will affect existing standards and all new ones in development.
In this article, we'll explore what these changes are, how they can be implemented into your organization’s management system and the significance of ISO's move towards a greener future.
What are the changes in the amendment?
This amendment is incorporated into various management system standards, including ISO 9001, ISO 45001, ISO 14001, and ISO 27001. The key changes introduced in this amendment impact Clauses 4.1 and 4.2 of the affected standards. Clause 4.1 now requires organizations to consider the "changes in external and internal issues" that may impact their management system, with a specific focus on the effects of climate change. Clause 4.2, on the other hand, mandates that organizations identify the "needs and expectations of interested parties" that are relevant to their management system, including those related to climate change. These changes are effective from the 23rd of February, 2024.
How to implement the new requirements?
It is crucial to understand the implications of these new requirements and how they can be effectively addressed within your organization's management system. The simplest approach is to incorporate the discussion of climate change impacts and interested stakeholder needs into your regular Management Review Meetings or Strategic Planning Meetings. This will enable you to assess the potential risks and opportunities presented by climate change and determine the appropriate actions to be taken. Also note that your organization may not be impacted by climate change, or the impact or likelihood of the risk may be too low to warrant any action. In such a case, document this conclusion as part of your management system, recording it clearly in the management review meeting minutes.
When addressing the ISO Climate Change Amendment, it is essential to consider the specific context of your organization and the management system standards you have implemented.
Let’s discuss a few examples relevant to different ISO standards:
ISO 9001 (Quality Management System)
In the context of ISO 9001 (Quality Management), your organization may need to evaluate how climate change could affect its ability to consistently provide products and services that meet customer and regulatory requirements.
An example relevant to ISO 9001 could be that climate change may lead to natural disasters which could disrupt the supply chain. Businesses may run the risk of delayed raw material supplies which may impact the delivery of the products and services to the customer. This should be identified as an external issue while determining the context of the organization. This should also be identified as a risk and adequate controls should be implemented to mitigate this risk. An example could include researching an alternative supplier and putting a contingency plan in place.
ISO 45001 (Occupational Health and Safety Management System)
Similarly, in the case of ISO 45001 (Occupational Health and Safety), you may need to assess the impact of climate change on the health and safety of your employees, particularly in the event of extreme weather events. As climate changes, temperatures are increasing around the globe. This could become a hazardous condition for the employees who work outdoors in extreme heat or in physically demanding jobs. The employees (interested parties) would expect adequate arrangements in the workplace for managing heat-related illnesses, such as heat stroke and exhaustion. This shall be identified as a “need and expectation of the interested party” and a hazardous condition requiring risk planning. Appropriate actions shall be taken to address this risk as part of the organization’s management system. Some examples of the actions could include the provision of weather appropriate Personal Protective Equipment (PPE), access to water and cool spaces and preparedness for emergencies.
ISO 14001 (Environmental Management System)
ISO 14001 deals with the need to adapt to any change in environmental conditions, including those resulting from climate change. Apart from risks flowing down from the context of the organization, the Environmental Management System (EMS) requires that the organization also understand greenhouse gas emissions-related environmental aspects and compliance obligations. Risk mitigation shall be planned in these areas, which could include the risk of failing to meet reduction objectives, the risk of not meeting interested parties' demands or the risk of not meeting the regulations. The organization shall identify methods to adapt to climate change by understanding how environmental conditions affect it and what risks those environmental conditions can pose. Some examples of such risks include water shortage, flooding and soil erosion. The risks could also be related to the organization's activities; examples could include resource shortages or supply chain disruptions.
ISO 27001 (Information Security Management System)
ISO 27001-related internal and external issues may include infrastructure vulnerability, workforce unavailability due to extreme climatic conditions or dependency on a vendor who may be impacted by climate change. Some examples of the risks involved include damage to the infrastructure, supply-chain disruption and power outages (which would then lead to issues with data integrity and availability). Appropriate controls should be put in place to ensure the availability of infrastructure, networks and data that may be disrupted due to climate change-related conditions.
By proactively addressing the ISO Climate Change Amendment, small and medium-sized businesses can not only ensure compliance with the updated standards but also position themselves as responsible and forward-thinking organizations. This can lead to enhanced stakeholder trust, improved operational resilience, and ultimately, a stronger competitive advantage in the marketplace.
How Can Small Businesses Mitigate Information Security Risks by Complying With ISO 27001?
Mar 23, 2024
Information security has taken centre stage in strategic planning for businesses of all sizes, whether you have 30 or 30,000 employees. Larger enterprises have the resources to create governance, risk and compliance (GRC) groups, but for small business owners and startup CEOs, all the responsibility for keeping information safe tends to collect at the top.
As information volumes expand logarithmically, and a host of regulatory bodies revise their requirements with greater regularity, companies have found that more and more of their resources are going just to predictive analytics on what could go wrong. Each scenario comes with its own risk and exposure profile, ranging from distracting to devastating. Malicious agents and accidental events can bring down entire networks without warning, so the most proactive IT managers have put together plans and best practices to reduce risks and speed recovery. That's where the ISO 27001 standard comes into the picture.
What is ISO 27001?
To address these proliferating threats systematically, the ISO 27001 standard was developed by a committee of subject matter experts representing over 100 countries around the world. ISO facilitated this process over several years. The standard establishes a baseline for an information security management system (ISMS). This was updated in 2013, so it is currently referred to as ISO/IEC 27001:2013.
Implementation of an ISMS preserves the "confidentiality, integrity and availability" of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
Let's look at each of those three terms individually in the context of this standard.
Confidentiality -- Customers and partners need to have assurance that their private information assets will not be shared inappropriately or left unattended in vulnerable software or physical locations.
Integrity -- This refers to the accuracy and completeness of information. Accounting records maintained in software such as Xero need to have their integrity preserved for tax purposes and general business management so that reports are accurate.
Availability -- Just as a bank customer expects access to their own money, companies and individuals should have easy access to the information they share, with the ability to amend, update or delete that information on demand.
Why would a small business need ISO 27001?
Within two years of the introduction of these guidelines, more than 30,000 global businesses of all sizes secured their ISO 27001 certification. It has become even more valuable for small businesses recently as they seek ways to comply with legislation such as the Privacy Act in Australia or the General Data Protection Regulation (GDPR) in the European Union. Certification also makes sense due to all of the information security threats to small businesses, including but not limited to:
- Hackers - motivated by challenge, ego, status or money
- Computer criminals - motivated by destruction of information, illegal information disclosure, monetary gain or unauthorised alteration
- Industrial espionage - motivated by competitive advantage and economic espionage
- Insiders - motivated by curiosity or monetary gain
- Disgruntled ex-employees - motivated by anger and frustration
The ISO explained that companies are looking for a "systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure."
What risks do small businesses face that ISO 27001 could help with?
Today the biggest threats to private information assets come from phishing, fraud, loss, and ransomware attacks that block managers from being able to access their vital business systems. Accenture's study on the cost of cybercrime found that companies all over the planet lose about $2.4 million per attack on average and they spend 50 days or more trying to recover. Costs have increased by 62 percent over the past 5 years. The study also showed that smaller companies pay 4X more per worker per attack because the costs can't be spread out over a larger field of cost centres.
One of the biggest threats to information security for a small company is the lack of attention to hard copy documents. The ISO 27001 standard applies to information security in the physical world just as much as to the protection of digital assets. What often happens is that workers print out documents and leave them in public areas or on their desks where the information is exposed to visitors, contractors and cleaning staff, any of whom could profit from sharing private company information assets without violating any legal agreements.
Another huge risk factor involves removable media. USB sticks, external drives, digital cameras, Wi-Fi transfers and Bluetooth-enabled devices represent a vulnerability for downloading information assets, uploading viruses and access to networks for malicious code. Informal processes will not protect a business from financial losses and legal exposure, but following the ISO 27001 standard can.
What does ISO 27001 address?
This set of standards was designed to assure the confidentiality, integrity and availability of:
- Employee records
- Configurations of technology assets (for restoration)
- Information in internal communications
- Customer information
- Location of your assets, physical and digital
- Project tenders
- Product development plans
- Financial information
The security of this information is required by law in some instances, and the loss of it would expose your company to legal challenges. Data breaches and the loss of customers cost global companies $40 million for every 1 million records lost in 2018, and nearly all of those breaches were due to criminal or malicious attacks.
Where should you start to comply with ISO 27001?
Even if your organization is not planning on seeking certification to the ISO 27001 standard, you owe it to your customers and other stakeholders to protect their information to the best of your ability.
Best practices recommend you should:
- Purchase an Information Security Management System from ISO Templates.
- Look for the highlighted prompts in the template documents to add company-specific information such as logos, name, addresses and change any requirements that won't be able to be implemented.
- Follow the steps on the implementation plan provided with the Information Security Management System.
- Complete the Inventory of Assets including the valuation of the assets.
- Complete the Statement of Applicability based on the status of the 114 security controls in your business.
- Complete a risk assessment and treatment plan in accordance with the detailed steps in the Risk Management Procedure using the Information Security Risk Register.
- Conduct information security awareness training using the PowerPoint template provided.
- Keep refining and improving your information security as new threats emerge, or move on to a certification audit from a third party to determine how close you are to recognition by the ISO.
On the other side of ISO 27001 compliance
Small businesses can benefit greatly from the authority conferred by ISO certification in information security. Compliance with ISO 27001 through the implementation of an ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. Once your company is certified or at least compliant with the ISO 27001 standard, you benefit from better communications using secure channels, lower risk exposure, stronger trust from internal/external stakeholders and a substantial competitive advantage over less secure peers in the market.
ISO 9001 Clause 9.2 Internal Audit
Mar 23, 2024
Internal audit is an objective assurance exercise carried out by independent and trained auditors. The purpose of this exercise is to add value and improve the organizational processes. With the help of an internal audit which is a systematic and disciplined approach to evaluate the effectiveness of the Quality Management System, an organization can achieve the objectives set for its Quality Management System. ISO 9001 provides guidance on how these internal audits can be conducted in a systematic and efficient manner to evaluate if the organization is meeting the requirement of its own quality management system, ISO 9001, customer and regulatory requirements.
Why is it important?
Having internal audits helps to find non-conformities and prevent them so that they do not lead to non-conforming products in future. To understand this better, let's take the example of a builder. During an audit of the builder's operations, the auditor could not locate review records for a building design and raised a non-conformity. When management came to know of the issue, they analysed the situation and found that the design review had been done without following the complete process. The design records were not in place, which raised doubts about how thoroughly the review had been done. As a correction, the review was done again with the help of proper documents, and a number of design faults were found and corrected. Such issues, when found on time, help management take corrective actions so that they do not recur. A casual approach to a critical process could have led to many faults in the building design, and the organization would bear the cost later when customer complaints start pouring in. A simple lapse in the process can lead to bad product quality and can earn you a bad reputation.
Establishing an audit program
ISO 9001 requires that an organization establishes an audit program with some key elements included. These are:
Methods: Methods include the techniques that you will use to gather objective audit evidence. These will form the basis of determining non-conformities in the system. Examples of audit methods may include an interview with auditees, review of documents, and observation of activities. Some organizations also develop checklists against their Quality Management Systems and tools to plan and conduct audits.
Frequency: ISO 9001 does not prescribe any frequency for the internal audit. But since this is a mandatory requirement, many companies opt for keeping the frequency at just once a year. While this is acceptable from an ISO 9001 compliance point of view, compliance alone should not be the criterion for determining the frequency. A more logical frequency, one that suits the needs of your organization and helps you identify issues at the right time, should be the criterion for determining the frequency of the audits. This decision should be based on factors such as:
- Importance of the processes
- Managerial priorities
- Performance of the processes
- Changes affecting the organisation
- Results from previous audits
- Trends in customer complaints
- Statutory and regulatory issues
- Health of the Quality Management System
- Complexity of the products and services delivered
- Organization size
Responsibilities: An organization needs to define the responsibilities of auditors and auditees. Auditors will conduct audits and report audit findings and auditees will take the corrective action in a timely manner.
Planning requirements: You need to establish how audits will be planned; this may include an annual audit calendar, audit plan or schedule.
Reporting: You need to define the level of reporting of audit findings to the management.
Conducting Audits
Once the audit program is established, the next step is to conduct audits. You need to take the below steps to conduct effective audits in your organization:
Establish audit criteria:
Audit criteria are the references against which the audit will be conducted. The auditor may evaluate the current implementation of processes against Quality Management System policy and procedures, ISO 9001 requirements, regulatory or customer requirements, etc. These need to be established for each audit or for the whole audit program.
Select Auditor:
While selecting auditors for conducting audits, you should establish the minimum qualification required for internal auditors. Internal auditors need to be trained in the ISO 9001 standard as they also audit for conformity to ISO 9001 requirements. They should also have a good understanding of your quality management system processes and their interaction, customer or regulatory requirements, audit process and techniques established in your audit program.
Another important requirement of the standard is to conduct impartial and objective audits. To ensure this is done, the independence of the auditor is important. The auditor should not be from the same work area or department being audited.
Conduct audits and report findings:
During the audit, auditors should look at objective evidence, interview auditees and review the evidence obtained against the audit criteria established for the audit. In case the auditor finds that the actual process is not implemented appropriately, the auditor should raise a non-conformity in that area. All audit findings should be reported to the auditees/process owners in the formats provided by the organization.
Take correction and corrective actions:
On all the non-conformities raised by the auditor, auditees must take immediate corrections and plan corrective actions. A correction is taken to correct the problem immediately while corrective action is taken on the root cause identified for the non-conformity. Appropriate action taken against these root causes should be tracked to closure and follow-up needs to be done to ensure that the root cause has been eliminated.
Audit Reporting to Management:
Audit results should be reported to appropriate levels of management. The results of each audit and of the overall annual audit program may be analyzed to determine opportunities for improvement in Quality Management System processes, their interactions, products, services, etc.
Retain evidence of audit:
ISO 9001 requires you to retain records of audits; these include the annual audit calendar and records of audit planning containing audit criteria, audit scope, methods used, auditors assigned, etc. Other records may include auditor training records, audit checklists, audit notes, non-conformity details, corrective actions, analysis of non-conformities and the overall audit program.
ISO 9001 - Clause 6: Planning explained
Mar 23, 2024
Planning is the process of conceptualizing the activities required to achieve a desired goal. It is the first and foremost activity for any new project or task that you want to accomplish. Planning involves thinking about the risks that may occur in future and addressing these through adequate control measures. Clause 6 of ISO 9001 deals with this highly critical activity and requires an organization to take a risk-based approach and plan for uncertainties proactively, preventing undesired effects. Another aspect of planning is to identify objectives which can be used to monitor and track progress. Additionally, this clause requires an organization to plan for changes and follow a structured approach for any changes required in the management system.
Why Is it important?
Risk based thinking is introduced in the new version of ISO 9001 and is included throughout the standard. This shift was done to introduce a pro-active approach to handling risks, rather than taking an approach of preventive actions when the issue has already occurred.
Let us understand why risk-based thinking is important and how it impacts various aspects of our lives. We face the risk of traffic or a car breakdown when we travel from our house to the office. To reduce the effects of the risk, we may plan to leave home 15 minutes early or take a longer route with less traffic. Risks may also sometimes present opportunities: the risk of running late may give us an opportunity to explore other modes of travel, or you may want to look for a job closer to home.
Risks are equally important in a business scenario. Through a proactive approach of planning ahead for risks, we can avoid unforeseen situations, occurrences, events or incidents. This helps reduce or mitigate our liabilities and improves product or service delivery. This in turn helps in managing reputation and supports business growth.
Defining quality objectives is an important step for any organization to control its processes and helps bring in continual improvement in its systems. Quality objectives give you important insights into how you are progressing and drive you to create plans to meet the objectives. This is a good way to identify opportunities and pave the way for the growth of your organization.
Moreover, any continual improvement or corrective action may need change which should be handled in a formal manner to avoid any unforeseen consequences of the change.
Actions to address risks and opportunities
This clause of ISO 9001 requires an organization to consider the contextual issues and requirements of the interested parties and determine the risks and opportunities. In our Article on Clause 4, SWOT analysis was used to determine the internal and external context followed by a stakeholder’s analysis to determine their requirements. Risks and opportunities are identified from these issues or through non-conformities that are identified in the course of your operations. The identified risks may be at the strategic levels or operational levels. Some examples of risks that an organization may face are given below:
Strategic Risk
- Competition high in our area of operation
- Reputation at stake if a complex/large project is not successful
Operational risk
- Risk of defective delivery
- Risk of schedule slippage due to unclear requirements
Once all risks are identified, the next step is to address these risks and opportunities. A risk which is operational in nature may be handled by a manager who owns the area/function, while ownership of strategic risks lies with top management.
Once you have identified all operational and strategic risks, the next step is to plan actions to either reduce the likelihood of its occurrence (called mitigation) and/or reduce the severity or impact of the risk (called contingency). For a small organization or where the complexity of work is less, this could just mean planning mitigation actions and ensuring timely closure of all such actions.
Companies may opt for a detailed risk evaluation. This is done by defining a risk methodology to manage all kinds of risks. This methodology involves assessing the risk, giving it a score or a rating and then comparing it against an acceptance level. Based on the acceptance levels, adequate response to the risk is planned. Risk matrices (Sample given in Figure below) based on probability and impact are used to give a rating to the risk. A risk lying in the green zone may be acceptable whereas amber and red need additional controls and shall be prioritized for closure.

Once control action on risks is taken, the effectiveness of these actions shall be evaluated to ensure that the control measures were effective. Monitoring of risk should be carried out on a regular basis or on events like changes in staff, process or equipment.
Quality Objectives and Planning to Achieve Them
The next stage of Planning is to set quality objectives for various levels/functions in the organization. The quality objectives shall be consistent with the quality policy and shall be relevant to the conformity of products/ services, and the enhancement of customer satisfaction.
The quality objectives must be defined in a way that they are measurable and consideration shall be given to the applicable customer and statutory and regulatory requirements.
A simple method of establishing these quality objectives is using the S.M.A.R.T. methodology. What SMART specifies is that each objective shall be defined in a way that it is:
- Specific - The objectives are written so that they are interpreted in the same way by anyone who reads them.
- Measurable - The objective should be quantitative so that it can be compared against a goal and its achievement assessed. Terms such as amounts, percentages, etc. shall be used to define these objectives.
- Achievable - An objective which is planned but whose data is difficult to capture, or for which there are no mechanisms/resources to achieve the results, is useless. So, adequate resources/mechanisms should be available to achieve the objective.
- Relevant - The objective shall be relevant to the organization's context and shall provide insight into whether the customer, statutory and regulatory requirements are being met or not.
- Time-Oriented - The objective should be time-bound so that its achievement can be evaluated within a fixed time-frame.
Some examples of quality objectives are given below:
- Product – Reduction in defective product by 2% within a year
- Customers –Improvement in customer satisfaction scores by 4% by end of 2020
- For the QMS –Number of improvement opportunities in a quarter, etc
The quality objectives shall be defined by the top management and, once these are finalized, the organization shall:
- Document these quality objectives in your quality manual, procedures, quality plans or any other relevant place.
- Communicate the quality objectives to the employees, as required. This may be done through training or in meetings.
- Deploy these quality measurements in the organization. You may plan to capture the data manually or use tools to gather the data required. Also, plan for mechanisms to report these quality objectives.
- Ensure these are measured across the organization. Monitor the achievement of the quality objectives using dashboards or simply by reporting them at fixed time intervals.
- Review the achievement of objectives with the top management. This can be done in management review meetings. Based on the achievement of the quality objectives, the goals may be updated, as appropriate.
- Plan actions when the actual results do not meet the goals. This gives you an opportunity to identify continual improvement initiatives.
Planning of Changes
When the organization determines there is a need to change the QMS, this clause of ISO 9001:2015 requires such change to be carried out in a controlled manner. A defined change management process is a good way of addressing this clause. A structured approach ensures that the person requesting the change considers a number of items such as who will be impacted, the resources required, etc. This ensures that the change approver/manager makes a good decision and manages the change properly.
The steps required to plan a change are:
- Identify the change required and define the details of the change
- Assess the need for the change, considering:
  - the purpose of the change and its potential consequences
  - the availability of resources
  - the allocation or reallocation of responsibilities and authorities
  - whether the integrity of the QMS could be compromised as a result of making the change
- Get approval from top management/the change approver for change implementation
- Create a plan and identify tasks, resources and responsibilities, timelines, etc. to carry out the change
- Create a communication plan and identify all the internal and external stakeholders that are impacted and need to be informed of the change
- Have top management/the change approver review the changes after they are done
- Conduct training for people affected by the change
- Monitor the change to evaluate its effectiveness

ISO's Climate Change Amendment
Mar 23, 2024
Climate change has become a burning issue in recent years and impacts not only individuals but businesses at various levels. Considering this, the International Organization for Standardization (ISO) has taken a big step towards integrating climate change considerations into management systems standards.
This decision, in line with the ISO London Declaration on Climate Change, recognizes the need to consider how climate change affects achieving management system goals. These changes will affect existing standards and all new ones in development.
In this article, we'll explore what these changes are, how they can be implemented into your organization’s management system and the significance of ISO's move towards a greener future.
What are the changes in the amendment?
This amendment is incorporated into various management system standards, including ISO 9001, ISO 45001, ISO 14001, and ISO 27001. The key changes introduced in this amendment impact Clauses 4.1 and 4.2 of the affected standards. Clause 4.1 now requires organizations to consider the "changes in external and internal issues" that may impact their management system, with a specific focus on the effects of climate change. Clause 4.2, on the other hand, mandates that organizations identify the "needs and expectations of interested parties" that are relevant to their management system, including those related to climate change. These changes are effective from the 23rd of February, 2024.
How to implement the new requirements?
It is crucial to understand the implications of these new requirements and how they can be effectively addressed within your organization's management system. The simplest approach will be to incorporate the discussion of climate change impacts and interested stakeholder needs as part of your regular Management Review Meetings or Strategic Planning Meetings. This will enable you to assess the potential risks and opportunities presented by climate change and determine the appropriate actions to be taken. Also note that it is not necessary that your organization will be impacted by climate change or the impact or likelihood of the risk is too low for you to take any action. In such a case, you can document this as part of your management system clearly recording in management review minutes of meetings.
When addressing the ISO Climate Change Amendment, it is essential to consider the specific context of your organization and the management system standards you have implemented.
Let’s discuss a few examples relevant to different ISO standards:
ISO 9001 (Quality Management System)
In the context of ISO 9001 (Quality Management), your organization may need to evaluate how climate change could affect its ability to consistently provide products and services that meet customer and regulatory requirements.
An example relevant to ISO 9001 could be that climate change may lead to natural disasters which could disrupt the supply chain. Businesses may run the risk of delayed raw material supplies which may impact the delivery of the products and services to the customer. This should be identified as an external issue while determining the context of the organization. This should also be identified as a risk and adequate controls should be implemented to mitigate this risk. An example could include researching an alternative supplier and putting a contingency plan in place.
ISO 45001 (Occupational Health and Safety Management System)
Similarly, in the case of ISO 45001 (Occupational Health and Safety), you may need to assess the impact of climate change on the health and safety of your employees, particularly in the event of extreme weather events. As climate changes, temperatures are increasing around the globe. This could become a hazardous condition for the employees who work outdoors in extreme heat or in physically demanding jobs. The employees (interested parties) would expect adequate arrangements in the workplace for managing heat-related illnesses, such as heat stroke and exhaustion. This shall be identified as a “need and expectation of the interested party” and a hazardous condition requiring risk planning. Appropriate actions shall be taken to address this risk as part of the organization’s management system. Some examples of the actions could include the provision of weather appropriate Personal Protective Equipment (PPE), access to water and cool spaces and preparedness for emergencies.
ISO 14001 (Environmental Management System)
ISO 14001 deals with the need to adapt to any change in environmental conditions, including those resulting from climate change. Apart from risks flowing down from the context of the organization, the Environmental Management System (EMS) requires that organizations also understand greenhouse gas emissions-related environmental aspects and compliance obligations. Risk mitigation shall be planned in these areas, which could include the risk of failing to meet reduction objectives, the risk of not meeting interested parties' demands or the risk of not meeting regulations. The organization shall identify methods to adapt to climate change by understanding how environmental conditions affect it and what risks those environmental conditions can pose. Some examples of risks include water shortage, flooding and soil erosion. The risks could also be related to the organization's own activities; examples include resource shortages or supply chain disruptions.
ISO 27001 (Information Security Management System)
ISO 27001-related internal and external issues may include infrastructure vulnerability, workforce unavailability due to extreme climatic conditions, or dependency on a vendor who may be impacted by climate change. Some examples of the risks involved include damage to infrastructure, supply-chain disruption and power outages (which would then lead to issues with data integrity and availability). Appropriate controls should be put in place to ensure the availability of infrastructure, networks and data that may be disrupted by climate change-related conditions.
By proactively addressing the ISO Climate Change Amendment, small and medium-sized businesses can not only ensure compliance with the updated standards but also position themselves as responsible and forward-thinking organizations. This can lead to enhanced stakeholder trust, improved operational resilience, and ultimately, a stronger competitive advantage in the marketplace.

ISO 9001 Clause 10. Improvement
Mar 23, 2024
Improvement is simply an act or a process of making something better.
ISO 9001 Clause 10, which is the last clause of ISO 9001, talks about Improvement, which describes the action steps that an organization shall take to improve their processes, products and services. This clause also describes the process for addressing nonconformities and taking corrective actions to eliminate the root causes as the first step in acting to improve the system. ISO 9001 also requires that the process improvement should not be a one-time activity but should be in-built into the process so that a mechanism of continual improvement is established.
Why is it important?
Today's world of business is highly competitive; customers have high demands, and they cannot be pleased with just their requirements being met; they want value for money. Companies must bring in differentiating factors in their business to ensure they surpass customer expectations. The differentiating factors can be built in by delivering faster than others, selling goods of high quality, having quick and easy-to-reach after-sales staff, etc. All of these need process improvements, which could be brought in by removing waste or unwanted processes to move the goods faster, by improving your supply-chain processes, by ensuring good quality raw material through detailed inspections, etc. This is where your continual-improvement efforts should be focused. Continually improving the processes is how you create excellence and become highly competitive.
How to identify improvement opportunities?
Clause 10.1 emphasizes the need for an organization to seek out and realize improvement opportunities that will enable the organization to meet customer requirements better and enhance their customers' satisfaction.
When looking to improve, organizations should review their processes, improve their products and services, correct, prevent or reduce undesired effects and improve their QMS results. This clause adds that organizations should not only improve products and services to meet known requirements but also address the “future” needs and expectations of the customer.
Improvement opportunities may be identified at various places throughout your organization's processes. Some of the inputs to improvement opportunities are:
- Risk-Based Thinking requires an organization to take actions to mitigate risks or enhance opportunities. Both of these lead to certain actions which improve the organizational systems.
- Non-conforming products or processes, whenever encountered, require you to identify root causes and take corrective actions. This could lead to making changes or process improvements to your QMS to ensure that nonconformities do not occur again. More details on this are given in the next section.
- Future needs of the customers can indicate a lot of areas where you can expand and grow your business.
- Customer feedback analysis and data evaluation against the goals can also point you to a number of process improvements. Measurements and review of achievement against targets are means for revision of various processes and setting of revised goals and targets for the next cycle.
Nonconformity and Corrective Action
Sub-clause 10.2 calls out requirements on how an organization should act when nonconformity is identified. Let’s define a few terms before we move forward:
- Nonconformity - non-fulfilment of a requirement
- Root cause analysis - a technique used to determine the underlying cause of a nonconformity.
- Corrective action - action to eliminate the cause of nonconformity and to prevent a recurrence
When we talk about non-conformity, there can be many potential sources of non-conformities. These include, but are not limited to:
- Internal and External Audit Findings
- Results of monitoring and measurements, for example inspection reports, testing defects, etc.
- Customer complaints
- Non-compliance with regulatory and statutory requirements
- Warranty claims
- Problems reported with external suppliers, for example delivery issues or incoming inspection results
- Suggestions or problems identified by employees, etc.
When a non-conformity is encountered in a system, an organization needs to take the following steps:
- Take action as necessary to control and correct the nonconformity, and to deal with any resultant consequences (Correction)
- Conduct root cause analysis to identify the root cause of the problem, using appropriate problem-solving tools like 5-why, fishbone, failure mode analysis, Pareto analysis, etc. It is not necessary that you adopt all or any of these methodologies to conduct a root cause analysis, but they give structure to your root cause analysis and help you identify the appropriate root cause, as we will see in the example below.
- Take action to eliminate the root cause (corrective action)
- Ensure timely closure of all corrective action
- Conduct follow-up reviews to ensure that the action taken has been effective in eliminating the non-conformity and preventing recurrence
- If evidence of recurrence is found, then perhaps the action or root cause identified is inadequate or incorrect. Conduct root cause analysis again to identify the additional cause and take action against it.
- Make corrective action records available for customers and present a summary of corrective action results for management review.
- Also, consider if any new actions to address risks and opportunities have been identified and if so assess them in accordance with Clause 6.1.
Let's now explore, with an example, what an ideal process should look like when a non-conformity is encountered, and how, by effectively using tools like 5-Why, you can eliminate the non-conformity and ensure that it never recurs. To explain the approach, let's take the example of a fast-food restaurant which promises home delivery of burritos within 30 minutes of the order. The restaurant received a complaint from one of its regular customers, Ms. Olivia. She was quite unhappy with the restaurant and raised her concerns with the Restaurant Manager. The Restaurant Manager called all his team members together and used 5-why to understand the root cause of the customer complaint and identify a solution. Let's see how it went:
- Why was Ms. Olivia unhappy with the delivery?
- Because Burritos were delivered late
- Why were Burritos delivered late?
- Her address was incorrect in the software used for orders
- Why was her address incorrect in our records?
- Customer address changed and it was not confirmed while taking the order
- Why was the address not confirmed while the order was taken?
- The person taking the order missed verifying the address
- Why did the person miss confirming the address?
- The software (used for taking orders) uses the default address in the system and places the order in the system. It does not require any verification of address.
The Restaurant Manager identified the below action to improve the process:
"Software used for taking orders shall have a step to verify the address and should prompt the person taking the order to confirm the address. Only after he verifies it in the software should the order be placed in the tool. This way the step would not be missed."
This action is a foolproof solution to the problem. It will ensure that anyone who works with the software does not miss the step, so the non-conformance will never occur again for this reason. Observe how a small non-conformance of late delivery can lead to a significant process improvement that involved updating the software.
Again, it is not necessary that you will be able to implement corrective action for all non-conformities. For a small restaurant, getting the software updated may involve a huge cost. You need to evaluate the significance of nonconformities on the basis of their impact on operating costs, cost of correction or corrective action, impact on customer satisfaction or any other risks. Based on all these factors, an organization may decide if corrective action is required for the non-conformity or not. In a case where such corrective actions cannot be taken, the organization may reduce the likelihood of non-conformity to an acceptable level. In the example above, if spending a huge amount on getting the software updated is not feasible, you may opt for other methods like training the staff, creating a checklist, and pasting it at the desk of staff taking orders as a constant reminder, etc. This will definitely reduce the non-conformity to an acceptable level even if it is not eliminated from the system.
Continual Improvement
Clause 10.3 requires the organization to work continually to improve its QMS in terms of its suitability, adequacy and effectiveness.
As part of the continual improvement process, the organization is specifically required to use the outputs from analysis and evaluation (see sub-clause 9.1.3) and from management review (see clause 9.3) to determine areas of underperformance and to identify any opportunities for improvement.
Tools and methodologies should be employed as appropriate by the organization to investigate the cause of underperformance and identify actions to support continual improvement. Management reviews, where the effectiveness of various parameters is assessed, are an excellent time to identify process improvement opportunities.
Continual improvement is at the core of ISO 9001 and a key area with which all organizations shall comply. This is the way businesses can constantly improve and maintain an edge over their competitors.

ISO 27002:2022 Overview
Jan 14, 2022
The new version of ISO 27002 was released on February 15, 2022. This new version is restructured, and changes have been made within the controls. In this article, we will discuss the key changes that have been brought into the standard in terms of structure, changes to the controls and a brief summary of the new controls.
Structure of the standard
The old standard had 14 sections which have been now reorganized into only four sections.
The new ISO 27002:2022 standard has 93 controls organized in these four sections and 2 Annexures:
- Clause 5 Organizational (37 controls)
- Clause 6 People (8 controls)
- Clause 7 Physical (14 controls)
- Clause 8 Technological (34 controls)
- Annexure A – Using attributes
- Annexure B – Correspondence with ISO 27002:2013
The number of controls in the new version is reduced to 93 from the earlier version, which had 114 controls. The reason for this change may be technological developments and an increased understanding of the application of security practices.
Elements of each control
Two new elements that have been added to the structure describe the attributes and purpose of the control. These elements make it easier for a reader to sort the controls and understand the purpose behind using the control. These are:
- Attribute table: This table defines the attributes for each control (refer to the section Control Attributes for more details)
- Purpose: Justification for the use of the control
Also, the standard has been simplified in terms of the number of subsection levels. In the earlier version, there were three levels; for example, under section '7, Human Security', there was a subsection '7.1 Prior to Employment' and then '7.1.1 Screening'. In the new standard, this is now depicted as '6 People Control > 6.1 Screening'.
Controls attributes
One of the most significant changes that have been done is the introduction of Control attributes. With the introduction of control attributes, a standardized way of sorting and filtering the controls is provided. This helps in easily identifying the requirements of different departments/groups in an organization.
A sample of how control attributes are depicted in the standard is given below:
The attribute options are described below:
- Control types: Preventive, Detective, and Corrective
- Information security properties: Confidentiality, Integrity, and Availability
- Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
- Operational capabilities: Asset management, Governance, Human resource security, Information protection, System and network security, Physical security, Application Security, Identity and access management, Secure configuration, Continuity, Legal and compliance, Supplier relationships security, Threat and vulnerability management, Information security event management, and Information security assurance
- Security domains: Governance and ecosystem, Protection, Defense, and Resilience
Renamed/Merged controls
23 controls have had their names changed. For example: Teleworking has been renamed “Remote working”.
57 controls have been merged into 24 controls. For example: some of the logging and monitoring controls have been revised and combined into a new control titled "Monitoring activities".
Impact of changes to ISO 27002 on ISO 27000 series
- The ISO 27000 series is a group of standards that are based on an amalgam of best practices on overall Information security management systems (ISMS).
- ISO 27001 is one of the key standards that provide a framework for developing ISMS in organizations, and this is the standard to which the organizations get certified.
- ISO 27002, which we are discussing in this article, provides guidance on how organizations shall implement the controls given in the ISO 27001 standard. ISO 27002 is key to the achievement of ISO 27001 certification as it explains the implementation of the required controls.
- Due to the changes that have now been brought into ISO 27002, we can expect some changes to ISO 27001 as well soon.
New controls
11 new controls introduced in the standard are given below:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
We will discuss these in detail in the next section.
5.7 Threat intelligence
Threat intelligence has gained a lot of importance in recent years and is fast becoming vital to the cybersecurity efforts put in by companies. The ISO framework has now introduced threat intelligence as a new requirement, setting a precedent for other standards and regulations to follow.
Threat intelligence helps cybersecurity teams proactively prepare for upcoming threats. This is an important addition to the ISO standards given how quickly and easily even low-skilled threat actors can conduct successful malware/ransomware campaigns these days.
Threat intelligence involves gathering and analysing information on cyberattacks that are currently running or may occur in future. By meeting this requirement, organizations gain a better understanding of the techniques and processes attackers use to gain access to networks. This helps organizations proactively plan methods to defend themselves against these attacks.
5.23 Information security for use of cloud services
Cloud services have become an integral part of most businesses these days. These services provide access to various applications and resources, which reduces the cost required for establishing internal infrastructure or hardware. Cloud services are fully managed by cloud computing vendors and service providers.
It is important that information security requirements are considered while acquiring, using, managing or exiting cloud services. Information security is a shared responsibility between a cloud service provider and a cloud service customer. The ISO framework requires that the organization define these responsibilities and implement them appropriately.
A cloud service agreement should address the confidentiality, integrity, availability and information handling requirements of the organization, with appropriate cloud service level objectives and cloud service qualitative objectives.
5.30 ICT readiness for business continuity
The old version of ISO 27002 addressed business continuity which required organizations to ensure information security to an appropriate extent in the event of business interruptions.
The new control "ICT readiness for business continuity" further expands on the requirements for business continuity for information security. The control includes the availability requirements based on the results of the Business Impact Analysis (BIA).
Based on the outputs from the BIA and risk assessment involving ICT services, the organization shall identify and select ICT continuity strategies that consider options for before, during and after the disruption.
The new version requires a business impact analysis as a basis for ICT emergency planning.
7.4 Physical security monitoring
This control requires an organization to ensure that the premises are continuously monitored for any unauthorized physical access. This can be done by monitoring the physical premises through surveillance systems, which can include guards, intruder alarms, video monitoring systems such as closed-circuit television and physical security information management software either managed internally or by a monitoring service provider.
This control requires that access to the buildings that house critical systems should be monitored to detect any unauthorised access or suspicious behaviour. The monitoring systems should be kept protected from unauthorised access and the design of these systems should be kept confidential.
The standard also requires that the company takes care of any local laws or regulations, including data protection and PII protection legislation, especially regarding the monitoring of personnel and recorded video retention periods. For example, this may require a company to carry out a data protection impact assessment (DPIA) for camera surveillance to comply with GDPR requirements.
8.9 Configuration management
This new control requires that an organization manage the security configuration of hardware, software, services and networks to ensure a proper level of security and to avoid any unauthorized changes. This requires that the configuration is established, documented, implemented, monitored, and reviewed.
To implement this control, organizations need to define and implement processes and tools to enforce the defined configurations including security configurations for hardware, software, services and networks, for newly installed systems as well as for operational systems over their lifetime.
The organization shall also document procedures and assign roles and responsibilities clearly so that there is no ambiguity whenever configuration changes are made. Standard templates shall be defined and reviewed periodically and updated when new threats or vulnerabilities need to be addressed, or when new software or hardware versions are introduced.
This control requires proper documentation of configurations and maintenance of logs whenever there are configuration changes. Any changes to configuration shall follow the change management process. Configurations should be monitored and reviewed on a regular basis.
8.10 Information deletion
This control requires an organization to delete information when no longer required. The purpose of this control is to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion. The information could be stored in information systems, devices or in any other storage media or cloud services.
To comply with this clause, an organization needs to establish a process that defines what data needs to be deleted, the methods of deletion and the responsibilities.
You may need to use tools for secure deletion of sensitive information, which may be mandated by contractual or legal requirements, or as per internal risk assessments done by the organization.
Where cloud services are used, the organization’s processes should ensure that the deletion methods provided by cloud service providers are acceptable. Similarly, in the case of the transfer of equipment to vendors, sensitive information should be protected by removing auxiliary storage such as hard drives and memory before equipment leaves the organization's premises.
8.11 Data masking
This control requires an organization to use data masking in addition to access control to ensure sensitive data is not exposed. This new control is added because of a number of regulations that apply to managing personal data which would primarily be the sensitive data in an organization, but this could include other categories of sensitive data as well.
To comply with the requirement, an organization needs to use anonymization or pseudonymization to mask data if this is required by regulations. An organization may also use other methods such as encryption, nulling or deleting characters, varying numbers and dates, replacing values with a hash, etc.
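The masking methods listed above can be combined into a per-field policy. The following is an added example, not code from the article or from the ISO standard; the record, field names and the secret key are constructed placeholders. It shows keyed pseudonymization (HMAC rather than a bare hash, so values cannot be rebuilt from a dictionary of guesses), partial character masking, e-mail masking, deterministic date shifting and nulling, and it fails closed on any field that has no rule so a newly added sensitive column cannot slip through unmasked.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample record; not real personal data.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "email": "olivia@example.com",
    "phone": "+1-555-0100",
    "card_number": "4111111111111111",
    "date_of_birth": "1985-06-15",
    "notes": "Prefers evening deliveries",
}

# Hypothetical per-environment secret; in practice load it from a secret store.
PSEUDONYM_KEY = b"rotate-me-per-environment"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a value with a keyed hash: consistent across records, not reversible without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "psn_" + digest[:16]


def mask_tail(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Keep only the last keep_last alphanumeric characters; separators are dropped."""
    chars = "".join(ch for ch in value if ch.isalnum())
    if len(chars) <= keep_last:
        return mask_char * len(chars)
    return mask_char * (len(chars) - keep_last) + chars[-keep_last:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, sep, domain = value.partition("@")
    if not sep or not local:
        return "***"
    return local[0] + "***@" + domain


def shift_date(iso_date: str, key: bytes = PSEUDONYM_KEY, max_days: int = 180) -> str:
    """Vary a date by a key-dependent offset in [-max_days, +max_days]; same input, same output."""
    d = date.fromisoformat(iso_date)
    h = hmac.new(key, iso_date.encode("utf-8"), hashlib.sha256).digest()
    offset = int.from_bytes(h[:4], "big") % (2 * max_days + 1) - max_days
    return (d + timedelta(days=offset)).isoformat()


# One rule per field. A field with no rule is an error, never a pass-through.
MASKING_POLICY = {
    "customer_id": pseudonymize,
    "email": mask_email,
    "phone": lambda v: mask_tail(v, keep_last=2),
    "card_number": mask_tail,
    "date_of_birth": shift_date,
    "notes": lambda v: None,  # nulling: free text is dropped entirely
}


def mask_record(record: dict, policy: dict = MASKING_POLICY) -> dict:
    """Apply the policy to every field; raise if a field is not covered (fail closed)."""
    masked = {}
    for field, value in record.items():
        rule = policy.get(field)
        if rule is None:
            raise ValueError(f"no masking rule defined for field {field!r}")
        masked[field] = rule(value)
    return masked


if __name__ == "__main__":
    for k, v in mask_record(SAMPLE_RECORD).items():
        print(f"{k:14} {v}")
```

The fail-closed `ValueError` is the important design choice: when a schema gains a column, the masking job stops instead of copying the new column into the test or analytics environment in clear.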
8.12 Data leakage prevention
This control requires that an organization apply data leakage prevention measures to avoid any unauthorized disclosure or extraction of information by individuals or systems. Where data leakage does occur, the organization shall have processes in place to detect it in a timely manner. These measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.
To comply with these requirements, organizations need to proactively apply measures to avoid any data leakage. Data leakage prevention tools shall be put in place to identify and monitor sensitive information, detect any disclosures of sensitive information and block user actions or network transmissions that expose sensitive information.
Measures can include the implementation of tools to prevent data leakage, for example restricting copy and paste, disabling download to removable storage devices, encryption, email quarantine, etc.
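The detection side of this control can be illustrated with a small content-inspection check for outbound messages. This is an added example, not code from the article or from any DLP product; the messages, the internal domain `corp.example` and the `[INTERNAL-ONLY]` classification label are constructed. It flags payment card numbers only when they pass the Luhn check, so an order number that merely looks like a card does not raise a false positive (the kind of tuning the Monitoring activities control below also asks for), and it blocks labelled content only when the recipient is external.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy inputs.
INTERNAL_DOMAINS = {"corp.example"}
LABEL_RE = re.compile(r"\[INTERNAL-ONLY\]")
# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


@dataclass
class Finding:
    rule: str
    excerpt: str  # never the full sensitive value


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit strings that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan_text(text: str) -> List[Finding]:
    """Return findings for card numbers and classification labels in the text."""
    findings: List[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("pan", digits[:6] + "..." + digits[-4:]))
    for m in LABEL_RE.finditer(text):
        findings.append(Finding("classification_label", m.group(0)))
    return findings


def evaluate_outbound(message: dict) -> Tuple[str, List[Finding]]:
    """Decide block / alert / allow for one outbound message."""
    findings = scan_text(message["body"])
    recipient_domain = message["to"].rsplit("@", 1)[-1].lower()
    external = recipient_domain not in INTERNAL_DOMAINS
    rules = {f.rule for f in findings}
    if "pan" in rules:
        return "block", findings          # card data in clear text is never allowed out
    if "classification_label" in rules and external:
        return "block", findings          # labelled content leaving the organization
    if findings:
        return "alert", findings          # labelled content staying internal: log only
    return "allow", findings


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    {"to": "partner@external-example.com", "body": "Card for the booking: 4111 1111 1111 1111"},
    {"to": "colleague@corp.example", "body": "[INTERNAL-ONLY] Q3 roadmap attached"},
    {"to": "partner@external-example.com", "body": "[INTERNAL-ONLY] Q3 roadmap attached"},
    {"to": "partner@external-example.com", "body": "Your order 1234 5678 9012 3456 has shipped"},
]


def run_samples() -> List[str]:
    return [evaluate_outbound(m)[0] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, decision in zip(SAMPLE_MESSAGES, run_samples()):
        print(decision.upper(), msg["to"], "-", msg["body"])
```

The excerpt stored in each finding is already redacted, so the DLP log itself does not become a second copy of the card number.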
8.16 Monitoring activities
This control requires an organization to monitor its IT systems, networks, and applications to identify any unrecognized activities and take appropriate actions to evaluate potential information security incidents.
The monitoring systems could include outbound and inbound networks, system and application traffic, access to systems, servers, networking equipment, logs from security tools, event logs relating to system and network activity, etc.
An organization should define procedures to respond to positive indicators from the monitoring system in a timely manner and also to identify and address false positives. The purpose is to minimize the effect of adverse events on information security and fine-tune the monitoring software to reduce the number of future false positives.
8.23 Web filtering
This control requires an organization to manage access to certain websites to reduce exposure to malicious content. This will not only protect your systems from being compromised by malware but also prevent users from accessing illegal material on the Internet.
To comply with this requirement of the standard, an organization can block access to certain IP addresses, use browsers or anti-malware software, establish rules for safe and appropriate use of online resources, etc.
Also important for compliance with this clause is that organizations create awareness among the employees on the dangers of using the Internet, provide them with the guidelines for safe use, contact points for raising security concerns, and exception process when restricted web resources need to be accessed for legitimate business reasons, etc.
8.28 Secure coding
This control requires an organization to develop secure coding principles and apply them in software development. When secure coding is built into the development process, the risk of vulnerabilities in the software is reduced.
Some of the ways this can be achieved are by separating development, test and production environments, providing guidance on the security in the software development life cycle, embedding security requirements in specification, design, security checkpoints, security testing, etc.

ISO 9001 Clause 9.3 Management Review
Jan 10, 2022
Management review is a regular evaluation exercise where the performance of the quality management system is reviewed to check if the system is producing the desired results. This process requires top management to periodically review various elements of the Quality Management System and ensure its suitability, adequacy and effectiveness. That means top management shall review the Quality Management System to check whether it still fits its purpose (suitable), is still sufficient (adequate) and is still able to achieve its intended results (effective).
While assessing the suitability and adequacy of the Quality Management System, this clause additionally requires management to consider any changes to the context of the organization and the alignment between the QMS and the strategic direction of the organization. The intent is not only to review the performance of the Quality Management System but also to evaluate the need for any changes to the quality policy, objectives and other elements of the Quality Management System. Management review is an important process that helps in identifying continual improvement initiatives, which are at the core of the ISO 9001 standard.
Why is it important?
Management review is an additional performance evaluation check apart from internal audits and monitoring and analysis which helps in ensuring the effectiveness of the quality management system.
Management oversight is important for any management system or a continuous improvement initiative to succeed. It is, therefore, crucial that management remains committed to holding these meetings on a regular basis to keep themselves abreast with the performance of the management system. Management reviewing the management system at regular intervals helps in understanding changes in the context which is important to ensure that the Quality Management System always remains in sync with changing business scenarios. A key output of the management review meetings is the identification of process improvements which in turn helps in improving quality and customer satisfaction which are key to the success of any company and business growth.
Frequency of Management Reviews
Management review should be conducted at planned intervals; this could be daily, weekly, monthly, quarterly, semi-annually or annually. The frequency should be decided by the Management based on the size and nature of the organization.
It is a common misconception among companies implementing ISO 9001 requirements that management review is a separate exercise that should be done by top management at a fixed frequency. While this approach is fine, there are various ways of making the management review more effective, less time-consuming and fused with the processes already in place. The goal should be to meet all the requirements of ISO 9001. Top management can look at the different aspects of the management system and decide which of the elements can be discussed, or are already being discussed, in existing meetings. For example, if top management already has a meeting in place where they review the customer satisfaction survey results, this is one element of the management system that should be reviewed. So, instead of repeating this agenda item in the management review, the management team can continue the existing practice and ensure that the records of that meeting are maintained.
In a larger organization, where there are multiple layers of management, a more suitable approach would be to have management meetings at different levels to capture data which can then serve as input to the strategic planning meetings of the Executive Team.
To conclude, an organization may conduct management reviews as a standalone activity or in a combination of related activities (e.g. meetings, reports, etc.) and the frequency at which it needs to be conducted should be based on the business environment, size of the organization and complexity of the work being done.
Preparing Management Review Inputs
ISO 9001 requires that top management review various elements of the quality management system, which include:
- status of actions from previous management reviews
- changes in external and internal issues relevant to the QMS
- adequacy of resources
- opportunities for improvement
- effectiveness of actions taken to address risks and opportunities, as explained in clause 6.1
- information on quality performance and effectiveness, including trends in:
  - non-conformities and corrective actions
  - customer satisfaction and feedback from relevant interested parties
  - monitoring and measurement results
  - audit results
  - the extent to which quality objectives have been met
  - process performance
  - conformity of products and services
  - the performance of external providers
Data related to all these elements should be gathered as inputs for the management review. Preparation for the meeting may require you to gather data on various quality parameters, risks and opportunities and their status, changes to the context of the organization, non-conformities and their status, customer satisfaction results, audit results, trend analysis, supplier performance, resource requirements, opportunities for improvement, etc. The inputs should be used to determine trends in order to make decisions and take actions related to the quality management system.
An organization can include additional items in the management review (such as new product outlines, financial outcomes, new business opportunities, issues or opportunities in the business market, etc.) to determine whether the organization is achieving its intended results and would be able to do so in future.
Who should attend Management Review?
Top Management or the Executive Team of an organization is required to attend the Management Review. Based on the inputs to the management review, Management can decide which other members are required to attend. In a larger organization, with multiple layers of management, this decision should be taken on the basis of the stakeholders relevant to the topics being discussed.
Outputs of the management review
Sub-clause 9.3.2 of ISO 9001 specifies certain requirements for the outputs from management reviews.
These must include decisions as to whether there is a need to change any aspect of the QMS, including, but not limited to, the resources required to support the operation of the QMS, as well as any decisions relating to continual improvement opportunities. The organization must retain documented information to provide evidence of the results of management reviews. Management review records must include minutes of meetings, decisions taken, responsibilities for corrective or improvement actions with related timelines, and follow-up actions from previous management reviews. Examples of documented information include presentations, meeting minutes and reports.

ISO 9001 Clause 9.2 Internal Audit
Dec 21, 2021
Internal audit is an objective assurance exercise carried out by independent and trained auditors. The purpose of this exercise is to add value and improve the organizational processes. With the help of an internal audit, which is a systematic and disciplined approach to evaluating the effectiveness of the Quality Management System, an organization can achieve the objectives set for its Quality Management System. ISO 9001 provides guidance on how these internal audits can be conducted in a systematic and efficient manner to evaluate whether the organization is meeting the requirements of its own quality management system, of ISO 9001, and of its customers and regulators.
Why is it important?
Having internal audits helps to find non-conformities and prevent them, so that they do not lead to non-conforming products in future. To understand this better, let's take the example of a builder. During an audit of the builder's operations, the auditor could not locate review records for the building design and raised a non-conformity. When management came to know of the issue, they analysed the situation and found that the design review had been done without following the complete process. The design records were not in place, which raised doubts about how thoroughly the review had been done. As a correction, the review was done again with the proper documents, and a number of design faults were found and corrected. Such issues, when found on time, help management take corrective actions so that they do not recur. A casual approach to a critical process could have led to many faults in the building design, and the organization would have borne the cost later when customer complaints started pouring in. A simple lapse in the process can lead to bad product quality and can fetch you a bad reputation.
Establishing an audit program
ISO 9001 requires that an organization establish an audit program that includes some key elements. These are:
Methods: Methods include the techniques you will use to gather objective audit evidence. These form the basis for determining non-conformities in the system. Examples of audit methods include interviews with auditees, review of documents, and observation of activities. Some organizations also develop checklists against their Quality Management System and tools to plan and conduct audits.
Frequency: ISO 9001 does not prescribe any frequency for the internal audit. But since this is a mandatory requirement, many companies opt to keep the frequency at just once a year. While this is acceptable from an ISO 9001 compliance point of view, it should not be the criterion for determining the frequency. The criterion should instead be a frequency that suits the needs of your organization and helps you identify issues at the right time. This decision should be based on factors such as:
- Importance of the processes
- Managerial priorities
- Performance of the processes
- Changes affecting the organisation
- Results from previous audits
- Trends in customer complaints
- Statutory and regulatory issues
- Health of the Quality Management System
- Complexity of the products and services delivered
- Organization size
Responsibilities: An organization needs to define the responsibilities of auditors and auditees. Auditors conduct audits and report audit findings, and auditees take corrective action in a timely manner.
Planning requirements: You need to establish how audits will be planned; this may include an annual audit calendar, audit plan or schedule.
Reporting: You need to define the level at which audit findings are reported to management.
Conducting Audits
Once the audit program is established, the next step is to conduct audits. You need to take the steps below to conduct effective audits in your organization:
Establish audit criteria:
Audit criteria are the requirements against which the audit will be conducted. The auditor may evaluate the current implementation of processes against Quality Management System policy and procedures, ISO 9001 requirements, regulatory or customer requirements, etc. These need to be established for each audit or for the whole audit program.
Select Auditor:
When selecting auditors to conduct audits, you should establish the minimum qualification required for internal auditors. Internal auditors need to be trained in the ISO 9001 standard, as they also audit for conformity to ISO 9001 requirements. They should also have a good understanding of your quality management system processes and their interactions, customer or regulatory requirements, and the audit process and techniques established in your audit program.
Another important requirement of the standard is to conduct impartial and objective audits. To ensure this, the independence of the auditor is important: the auditor should not be from the work area or department being audited.
Conduct audits and report findings:
During the audit, auditors should look at objective evidence, interview auditees and review the evidence obtained against the audit criteria established for the audit. Where the auditor finds that the actual process is not implemented appropriately, the auditor should raise a non-conformity in that area. All audit findings should be reported to the auditees/process owners in the formats provided by the organization.
Take correction and corrective actions:
For all non-conformities raised by the auditor, auditees must take immediate corrections and plan corrective actions. A correction is taken to fix the problem immediately, while corrective action addresses the root cause identified for the non-conformity. Actions taken against these root causes should be tracked to closure, and follow-up needs to be done to ensure that the root cause has been eliminated.
Audit Reporting to Management:
Audit results should be reported to the appropriate levels of management. The results of each audit and of the overall annual audit program may be analyzed to determine opportunities for improvement in Quality Management System processes, their interactions, products, services, etc.
Retain evidence of audit:
ISO 9001 requires you to retain audit records; these include the annual audit calendar and records of audit planning containing the audit criteria, audit scope, methods used, auditors assigned, etc. Other records may include auditor training records, audit checklists, audit notes, non-conformity details, corrective actions, analysis of non-conformities and the overall audit program.

ISO 9001 Clause 9.1.3 Analysis and Evaluation
Dec 21, 2021
Data forms a crucial part of any business today. In our article on Clause 9.1.1 of ISO 9001, we discussed how an organization needs to establish monitoring and measurement methods, which lead to a lot of data and information being gathered and collected within the organization. Clause 9.1.3, Analysis and Evaluation, requires that the organization analyse and evaluate appropriate data and information arising from monitoring and measurement. The results of the analysis should be used to evaluate:

Methods to analyse data can include statistical techniques.
Why is this important?
The monitoring and measurements established within the organization will generate a lot of data and information. To fully utilize this information, analysis and evaluation of the data is required to help management in decision making. Just gathering and looking at numbers without any analysis and evaluation is a futile exercise that takes a lot of effort without any real value derived from it.
Let's take an example to understand this better. If you are only tracking the number of returned pieces of your product and not analysing the trend over a period of time, you cannot improve the products or services you deliver to your customers. Benchmarking, or setting goals for the achievement of your objectives, is a useful method for identifying red flags beforehand. If your goal (based on your previous performance) is that you do not have more than 2 returns in a month, but suddenly in one month you get 4 return requests, that is an alarm for you to look into the issue and find out the root causes behind it. This will help you take timely action before the issue goes out of control and fetches you a bad reputation.
It is, therefore, important that data is analysed, a conclusion is drawn from it, and plans and actions are made whenever an unfavourable trend or condition is observed. That is why analysis and evaluation of data is important for any organization. This will help you seize all the opportunities for improvement that exist.
Analysis and Evaluation
ISO 9001 requires that an organization collect, analyse and evaluate Quality Management System data. Both analysis and evaluation of data are important: that means analysing the data through statistical techniques, trend analysis, etc., and then interpreting the analysed data so that it can be used in an appropriate manner, for example for decision making and action planning.
The data may be analysed and evaluated for the areas below:

Conformity of products and services
Data collected may include defect rates, on-time delivery, number of returns, product- or service-related complaints, etc. Analysis of such data will help you identify issues in the processes involved in delivering products and services.
Degree of customer satisfaction
Analysis of customer satisfaction data will help you determine the key areas where improvement is required. By improving processes and addressing all customer concerns, you will be able to enhance customer satisfaction further.
Performance and effectiveness of the quality management system
The performance and effectiveness of the quality management system may be derived through analysis of data such as cost reduction (including the cost of poor quality), the number of internal audit issues, etc. This gives a good indication of the health and effectiveness of the Quality Management System.
Effective implementation of planning elements
Typically, schedule, effort, cost and risks are the elements that may be measured to evaluate the effective implementation of planning. Metrics that track on-time deliveries and the cost of service against the planned parameters can give you a good indication of how effective the planning was.
Effectiveness of actions taken to address risks and opportunities
You can determine how effective the mitigation actions planned against risks were by evaluating the reduction in the probability or impact of those risks.
Performance of external providers
ISO 9001 doesn't just focus on your internal processes but also requires that you evaluate the performance of external providers against the targets given to them. For example, if you have a vendor who supplies a critical material used in your product, you can set a target for them to provide the right, good-quality material within a specified time period and then evaluate their performance on the basis of whether the targets were met. This could also be done based on the number of issues found at your end during inspection when the material is delivered to you.
Improvements within the quality management system
You can measure these by the number of process improvement suggestions made for the quality management system, or on the basis of non-conformities found during internal/external audits, etc.
Data Analysis and Evaluation Process
Statistical techniques are referenced in the ISO 9001 requirements for data analysis, but they are not mandatory and may not apply in every company's scenario. Simple trends may be used to monitor progress and identify opportunities for improvement.
Such trends and data should be presented in management review meetings, where they should be evaluated further and used for decision making. The exercise becomes meaningful when the analysis of data is used as an input to identify opportunities for continual process improvement and corrective actions are taken to address all negative trends.
When developing a process for measurement and metrics collection, analysis and evaluation, it should address the following:

To conclude, ISO 9001 defines a detailed process for monitoring, measurement, data collection, analysis and evaluation. This clause provides you with the guidance to establish an effective management system whose performance is monitored, measured, analysed and evaluated over a period of time. The objective is to help the organization identify continual improvement opportunities, which will further lead to higher customer satisfaction and business growth for your organization.