The ISO committee involved in drafting the revised standard has labelled the changes as ‘significant’. Unlike in 2008 the changes this time are of a more technical nature, introducing a new management system structure, new quality management principles and concepts.
The main areas of change are around:
Documented information where as part of the alignment with other management system standards a common clause on ‘Documented Information’ has been adopted without significant change or addition.
Structure & terminology where the clause structure and some of the terminology of this International Standard, in comparison with ISO 9001:2008, have been changed to improve alignment with other management systems standards.
Context of the Organization where there are two new clauses relating to the context of the organization, 4.1 Understanding the organization and its context and 4.2 Understanding the needs and expectations of interested parties. Together these clauses require the organization to determine the issues and requirements that can impact on the planning of the quality management system.
Applicability, where the standard no longer makes specific reference to ‘exclusions’ when determining the applicability of its requirements to the organization’s quality management system
Organizational knowledge where the standard addresses the need to determine and maintain the knowledge obtained by the organization, including by its personnel, to ensure that it can achieve conformity of products and services
Risk-based approach where the standard requires the organization to understand its context (see clause 4.1) and determine the risks and opportunities that would need to be addressed (see clause 6.1). Although risks and opportunities have to be determined and addressed, there is no requirement for formal risk management or a documented risk management process.
Products & Services where ISO 9001:2008 used the term “product’ to include all output categories the revised standard uses products and services and that includes all output categories hardware, services, software and processed materials. The specific inclusion of “services” is intended to highlight the differences between products and services in the application of some requirements.
Control of externally provided products and services where the standard addresses all forms of external provision, whether it is by purchasing from a supplier, through an arrangement with an associate company, or by any other means, the organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services