ISO 9001 is the world's most widely used standard for a quality management system (QMS). Published by the International Organization for Standardization (ISO), it sets out the requirements an organisation must meet to consistently provide products and services that satisfy customers and applicable regulatory requirements, and to improve over time. The current version is ISO 9001:2015, developed by ISO technical committee ISO/TC 176.
ISO 9001 is generic: it applies to any organisation regardless of size, sector, or whether it is public, private, or non-profit. It is voluntary — no law requires certification — though customers, supply chains, or tender processes often ask for it. Organisations can certify their QMS against ISO 9001 through an independent certification body, but self-declaration of conformity is also possible.
What is a quality management system (QMS)?
A quality management system is the set of policies, processes, procedures, and records an organisation uses to plan, control, and improve the quality of what it delivers. ISO 9001 does not prescribe one fixed way to run a business; instead it states what must be in place — defined processes, clear responsibilities, documented information, monitoring, and continual improvement — and leaves how to the organisation.
The aim is consistency: customers get what they expect every time, problems are detected and corrected, and the organisation learns from data rather than relying on individuals' memory or goodwill.
What are the seven quality management principles?
ISO 9001 is built on seven quality management principles defined in the companion standard ISO 9000:2015:
- Customer focus — meet and aim to exceed customer requirements.
- Leadership — top management sets unity of purpose and direction.
- Engagement of people — competent, empowered people at all levels.
- Process approach — manage activities as interrelated processes.
- Improvement — make ongoing improvement a permanent objective.
- Evidence-based decision making — decide on analysis of data and information.
- Relationship management — manage relationships with interested parties such as suppliers.
These principles underpin the whole ISO 9000 family of standards.
How is ISO 9001 structured (Annex SL, clauses 4–10)?
ISO 9001:2015 follows the high-level structure (HLS) defined in Annex SL of the ISO/IEC Directives. This common framework is shared across modern ISO management system standards (such as ISO 14001 for environment and ISO 27001 for information security), which makes it easier to integrate several systems.
The requirement clauses run from 4 to 10:
- Clause 4 — Context of the organisation
- Clause 5 — Leadership
- Clause 6 — Planning (risks and opportunities, quality objectives)
- Clause 7 — Support (resources, competence, documented information)
- Clause 8 — Operation
- Clause 9 — Performance evaluation (monitoring, internal audit, management review)
- Clause 10 — Improvement
Clauses 1–3 cover scope, normative references, and terms.
What are risk-based thinking, the process approach, and PDCA?
Three ideas run through the standard:
- Process approach — the organisation defines its activities as connected processes with inputs, outputs, and controls, and manages them as a system rather than in isolation.
- Risk-based thinking — risk is considered throughout: organisations identify risks and opportunities that could affect conformity and customer satisfaction, and act on them. ISO 9001:2015 does not require a formal documented risk-management method.
- Plan-Do-Check-Act (PDCA) — the improvement cycle that the clause structure maps onto: Plan (clauses 4–7), Do (clause 8), Check (clause 9), and Act (clause 10). PDCA repeats so the system keeps improving.
How does ISO 9001 certification work?
Certification is carried out by an independent certification body (often accredited by a national accreditation body), not by ISO itself. The typical audit cycle is:
- Stage 1 audit — a readiness review of documentation, scope, and whether the QMS is ready for full assessment.
- Stage 2 audit — the main on-site assessment of whether the QMS is implemented and effective. If successful, a certificate is issued.
- Three-year cycle — the certificate is generally valid for three years.
- Surveillance audits — usually annual, to confirm the system remains in conformity.
- Recertification — a fuller audit at the end of the three-year cycle to renew the certificate.
Nonconformities found during audits must be addressed to obtain or maintain certification.
Who is ISO 9001 for, and is it mandatory?
ISO 9001 is designed to be sector-agnostic and size-agnostic — used by manufacturers, service providers, software firms, healthcare, education, public bodies, and small businesses alike. It is one of the most widely adopted management standards worldwide.
It is voluntary: there is no legal obligation to implement or certify it. Organisations adopt it to improve consistency and efficiency, to win or retain customers, or because clients and supply chains require it as a condition of doing business. An organisation can also conform to ISO 9001 without seeking third-party certification.
What is the status of the 2026 revision?
ISO standards are reviewed periodically, and a revision of ISO 9001 is in progress. As of 2026 the draft has reached the Final Draft International Standard (FDIS) stage (listed by ISO as ISO/FDIS 9001), with publication of the revised standard widely anticipated around September 2026.
Industry guidance describes the revision as evolutionary rather than revolutionary: the clause 4–10 structure is retained, with refinements. It is also reported to incorporate the 2024 climate change amendment (which added climate-change considerations to clause 4.1). A three-year transition period for certified organisations is expected following publication, consistent with past revisions, though exact dates depend on confirmation by ISO and accreditation bodies. Until the new edition is published, ISO 9001:2015 remains the current standard.
Frequently asked questions
Is ISO 9001 a legal requirement?
No. ISO 9001 is a voluntary international standard. No law requires it, although customers, regulators in specific sectors, or tender processes may ask for certification as a condition of doing business.
What is the difference between ISO 9000 and ISO 9001?
ISO 9000 sets out the fundamentals and vocabulary of quality management, including the seven quality management principles. ISO 9001 contains the actual requirements an organisation must meet and is the standard you can be certified against.
How long is an ISO 9001 certificate valid?
Typically three years, subject to passing surveillance audits (usually annual). At the end of the cycle a recertification audit is required to renew the certificate.
What are Stage 1 and Stage 2 audits?
Stage 1 is a readiness review of documentation and scope to check the QMS is ready for assessment. Stage 2 is the main on-site audit assessing whether the QMS is implemented and effective. Passing Stage 2 leads to certification.
Does ISO 9001 require formal risk management?
No. ISO 9001:2015 requires risk-based thinking throughout the system but does not mandate a formal documented risk-management process or method. Organisations decide how to identify and address risks and opportunities.
When will ISO 9001 be updated, and what should we do now?
A revised edition is at the Final Draft stage, with publication widely expected around September 2026 followed by a transition period. Until then, ISO 9001:2015 remains current and valid for certification.