An audit is a systematic evidence gathering process.
independent and evidence must be evaluated objectively to
how well audit criteria are being met. There are
first-party, second-party, and third-party. First-party audits are
internal audits while second and third party audits are
Organizations use first party audits to audit themselves.
audits are used to provide input for management review and
internal purposes. They're also used to declare that an
meets specified requirements (this is called a
Second party audits are external audits. They’re usually
customers or by others on their behalf. However, they can also
done by regulators or any other external party that has an
in an organization. Third party audits are external audits as well.
However, they’re performed by independent
as registrars (certification bodies) or
ISO also distinguishes between combined audits and joint
When two or more management systems of different disciplines
audited together at the same time, it's called a combined audit;
when two or more auditing organizations cooperate to audit a
single auditee organization it's called a joint audit.
Audit criteria are used as a reference point and include
requirements, and other forms of documented information.
compared against audit evidence to determine how well they
met. Audit evidence is used to determine how well policies
implemented and how well requirements are being followed.
Audit evidence includes records, factual statements, and
information that is related to the audit criteria being used.
Audit criteria include policies, requirements, and other
Audit findings result from a process that evaluates audit
and compares it against audit criteria. Audit findings can show that
audit criteria are being met (conformity) or that they are not being
met (nonconformity). They can also identify best practices or
An audit program (or programme) refers to a set of one or
audits that are planned and carried out within a specific time
frame and are intended to achieve a specific audit purpose.
A characteristic is a distinctive feature or property of
Characteristics can be inherent or assigned and can be
or quantitative. An inherent characteristic exists in something or is
a permanent feature of something while an assigned
is a feature that is attributed or attached to
Competence means being able to apply knowledge and skill to
achieve intended results. Being competent means having the
and skill that you need and knowing how to apply
competent means that you’re qualified to do the job.
In the context of ISO 9001, a complaint refers to an
dissatisfaction with a product or service and is filed by a customer
and received by an organization. Whenever a customer
complaint, a response is either explicitly or implicitly
A concession is a special approval that is granted to
nonconforming product or service for use or delivery.
are usually restricted to a specific use and limited by time and
quantity and tend to specify that nonconforming characteristics may
not violate
Conformity is the "fulfillment of a requirement".
to meet or comply with requirements and a requirement is
expectation, or obligation. There are many types of
including customer requirements,
management requirements, management requirements, product
requirements, service requirements, contractual requirements,
statutory requirements, and regulatory requirements.
An organization’s context is its business environment. It
all of the internal and external factors and conditions that affect
its products and services, have an influence on its QMS,
relevant to its purpose and strategic direction.
An organization’s external context includes all of the needs and
expectations of interested parties, as well as its social,
legal, technological, regulatory, and competitive
internal context includes its values,
knowledge, and performance.
ISO 9001 2015 expects you to consider your organization’s internal and
external context when you define the scope of its QMS and when you
plan its design and
Continual improvement is a set of recurring activities that
out in order to enhance performance. Continual improvements can be
achieved by carrying out audits, self-assessments,
reviews. Continual improvements can also be realized by
data, analyzing information, setting objectives, and
corrective and preventive actions.
A contract is a binding agreement between two or more
A correction is any action that is taken to eliminate a
However, corrections do not address root causes. When
products, corrections can include reworking products,
them, regrading them, assigning them to a different use,
Corrective actions are steps that are taken to
the causes of existing nonconformities in order to
recurrence. The corrective action process tries to make
sure that existing nonconformities and potentially
situations don’t happen again.
A customer is anyone who receives products or services
from a supplier. Customers can be either people or
and can be either external or internal to the supplier
Examples of customers include clients, consumers, users,
guests, patients, purchasers, and beneficiaries.
Customer satisfaction is a perception. It's also a question of degree.
It can vary from high satisfaction to low satisfaction. If customers
believe that you've met their
they experience high satisfaction. If they believe that you've not met
they experience low satisfaction.
Since satisfaction is a perception, customers may not be
even though you’ve met all contractual requirements. Just
you haven’t received any complaints doesn’t mean that
There are many ways to monitor and measure customer
You can use customer satisfaction and opinion surveys;
collect product quality data (post delivery), track warranty
examine dealer reports, study customer compliments and
criticisms, and analyze lost business opportunities.
The term data is defined as any facts about an object.
A defect is a type of nonconformity. It occurs when a
or service fails to meet specified or intended use
Design and development is a process (or a set of processes)
resources to transform general input requirements for an
specific output requirements.
An object is any entity that is either conceivable or
can be real or imaginary and could be material or
include products, services, systems,
organizations, people, practices,
procedures, processes, plans, ideas,
documents, records, methods,
tools, machines, technologies,
techniques, and resources.
To determine means to find or to identify the value of a
The term documented information refers to information that must be
controlled and maintained and its supporting medium.
Documented information can be in any format and on any medium
can come from any source.
Documented information includes information about the
system and related processes. It also includes all the
organizations need to operate and all the information that they use
to document the results that they achieve
Effectiveness refers to the degree to which a planned effect is
achieved. Planned activities are effective if these activities are
actually carried out and planned results are effective if these
results are actually achieved.
The term feedback is used to refer to a comment or an
expressed about a product or service or an interest expressed
in a product or a service. It may also be used to refer to the
customer complaints-handling process itself.
A function is a role that is performed by a unit of an
Improvement is a set of activities that organizations carry out in
order to enhance performance (get better results).
can be achieved by means of a single activity or by means
recurring set of activities.
Information is “meaningful data”. While it's not entirely clear what
the word “meaningful” is supposed to mean in this context,
tend to say that something is meaningful if it is
material, valid, or important.
In the context of this ISO 9001 standard, an information
a network of communication channels used within an
The term infrastructure refers to the entire system of
equipment, and support services that organizations need in
order to function. According to ISO 9001, section 7.1.3, the
infrastructure can include
technologies (both hardware and software).
Innovation is a process that results in a new or
object. An object is any entity that is either conceivable or
perceivable. Objects can be real or imaginary and could be material or
immaterial. Examples include products, services, systems,
organizations, people, practices, procedures, processes, plans, ideas,
documents, records, methods, machines, tools, technologies,
techniques, and resources.
An interested party is anyone who can affect, be affected
believe that they are affected by a decision or activity. An
party is a person, group, or organization that has an interest or a
stake in a decision or activity.
Involvement occurs when people share objectives and are
actively engaged in and contribute to their achievement.
Knowledge is a collection of information and a justified
that this information is true with a high level of
The term management refers to all the
activities that are
coordinate, direct, and control organizations. These
developing policies, setting objectives, and
to achieve these objectives. In this context, the term management
does not refer to people. It refers to what
A management system is a set of interrelated or interacting
that organizations use to
formulate policies and objectives
establish the processes that are needed to ensure that
followed and objectives are achieved.
These elements include
structures, programs, procedures, practices, plans, rules, roles,
responsibilities, relationships, contracts, agreements,
records, methods, tools, techniques, technologies, and resources.
There are many types of management systems. Some
of these include
systems, environmental management systems,
financial management systems, information
management systems, emergency
management systems, disaster management systems,
management systems, risk management systems, and occupational
health and safety management
The scope or focus of a management system could be
a specific function or section of an organization or it
the entire organization. It could even include a function that cuts
across several organizations.
Measurement is a process that is used to determine
value. In most cases this value will be a quantity.
Measuring equipment includes all the things needed
out a measurement process. Accordingly, measuring equipment
includes instruments and apparatuses as well as all the associated
software, standards, and reference materials.
To monitor means to determine the status of an activity,
or system at different stages or at different times. In order
status, you need to supervise and to continually check and critically
observe the activity, process, or system that is
Nonconformity is a nonfulfillment or failure to meet a
A requirement is a need, expectation, or obligation. It can be stated
or implied by an organization or interested parties.
An object is any entity that is either
Objects can be real or imaginary and could be material or
Examples include products, services, systems,
practices, procedures, processes, plans, ideas,
methods, tools, machines, technologies,
techniques, and resources.
An objective is a result you intend to achieve.
strategic, tactical, or operational and can apply to an
as a whole or to a system, process, project, product, or
Objectives may also be referred to as targets, aims, goals,
or intended outcomes.
Quality objectives are generally based on or derived from
organization’s quality policy and must be consistent with it.
Objective audit evidence is information that is verifiable
generally consists of records and other statements of fact
are relevant to the audit criteria being used.
Objective evidence is data that shows or proves that
exists or is true. Objective evidence can be collected by
observations, measurements, tests, or using other
An organization can be a single person or a group that
objectives by using its own functions, responsibilities,
and relationships. It can be a company, corporation,
association, or institution and can be either incorporated or
unincorporated and be privately or publicly owned. It can also be an
operating unit that is part of a larger entity.
An output is the result of a process. Outputs can be
or intangible. The output from one process is often the input
ISO 9001 lists four generic output categories: services,
hardware, and processed materials. Outputs often combine
of these categories. For example, an automobile (an output)
hardware (e.g. tires),
software (e.g. engine control
processed materials (e.g. lubricants).
When an organization makes an arrangement with an outside
organization to perform part of a function or process, it is referred
to as outsourcing. To outsource means to ask an external
to perform part of a function or process normally done
an outsourced organization is beyond the scope of
your QMS, the
outsourced process or function itself falls within
According to ISO, the term performance refers to a
It refers to the measurable results that activities, processes,
products, services, systems and organizations are able to achieve.
Whenever they perform well it means that acceptable results are being
achieved and whenever they perform poorly, unacceptable results are
achieved.
A performance indicator (metric) is a characteristic that
is used to
measure customer satisfaction and how well outputs are
A policy is a general commitment, direction, or
formally stated by top management. A quality policy statement
express top management's commitment to the implementation and
improvement of its quality management system and should allow
to set quality objectives.
A process is a set of activities that are interrelated or
with one another. Processes use resources to transform
into outputs. Processes are interconnected because the output
from one process often becomes the input for another process.
While processes usually transform inputs into outputs, this
is not always the case. Sometimes inputs become outputs
Organizational processes should be planned and carried
under controlled conditions. An effective process is one
planned activities and achieves planned results.
The process approach is a management strategy. When
use a process approach, it means that they manage and
processes that make up their organization, the interaction
these processes, and the inputs and outputs that tie
A process-based quality management system uses a process
to manage and control how its quality policy is implemented and how
its quality objectives are achieved. A process-based QMS is a network
of interrelated and interconnected
Each process uses resources to transform inputs into
Since the output of one process becomes the input of
process, processes interact and are interrelated by means of
such input-output relationships. These process interactions
single integrated process-based QMS.
A product is a tangible or intangible output that is the result of a
process that does not include activities that are performed at the
interface between the supplier (provider) and the
Products can be tangible or intangible. According to a note
this definition, there are three generic product categories:
processed materials, and software. Many
of these categories. For example, an automobile (a product)
hardware (e.g. tires), software (e.g. engine control
processed materials (e.g. lubricants).
A provider is a person or an organization that supplies
products or services. Providers can be either internal or external to
the organization. Internal providers supply products or services to
people within their own organization while external providers
products or services to other organizations.
The adjective quality applies to objects and refers to the
which a set of inherent characteristics fulfills a set of
An object is any entity that is either conceivable or perceivable and
an inherent characteristic is a feature that exists in an object.
The quality of an object can be determined by comparing a
of inherent characteristics against a set of requirements. If
characteristics meet all requirements, high or excellent quality
achieved but if those characteristics do not meet all requirements,
a low or poor level of quality is achieved. So the quality of an
depends on a set of characteristics and a set of requirements
how well the former complies with the latter.
Quality management includes all the activities that
use to direct, control, and coordinate quality. These
formulating a quality policy and setting quality objectives. They also
include quality planning, quality control, quality assurance, and
A quality management system (QMS) is a set of interrelated
interacting elements that organizations use to formulate quality
policies and quality objectives and to establish the processes that
are needed to ensure that policies are followed and objectives are
achieved. These elements include structures, programs,
procedures, plans, rules, roles, responsibilities, relationships,
contracts, agreements, documents, records, methods, tools,
technologies, and resources.
A quality objective is a quality result that you intend to
Quality objectives are based on or derived from an
quality policy and must be consistent with it. They are
formulated at all relevant levels within the organization and
for all relevant functions.
The adjective quality applies to objects and refers to the
which a set of inherent characteristics fulfills a set of
and an object is any entity that is either conceivable
Therefore, a quality objective can be set for any kind
A quality policy should express top management's commitment
quality management system (QMS) and should allow managers to
quality objectives. It should be based on ISO’s quality
principles and should be compatible with your organization’s other
policies and be consistent with its vision and mission.
ISO's quality management principles ask you to focus on
and interested parties, to provide leadership, to engage and involve
people, to use a process approach, to encourage improvement, to use
evidence to make decisions, and to manage corporate relationships.
A regulatory requirement is an obligation that is specified
an authority which gets its mandate from a legislative body.
To release means to grant permission to proceed to the next
of a process. The term release is also used to refer to a
software or documented information.
A requirement is a need, expectation, or obligation. It can be stated
or implied by an organization, its customers, or other
A specified requirement is one that has been stated (in a document for
example), whereas an implied requirement is a need, expectation, or
obligation that is common practice or
There are many types of requirements. Some of these include
requirements, quality requirements, quality management
management requirements, product requirements, service
contractual requirements, statutory requirements, and
A review is an activity. Its purpose is to figure out how well the thing
reviewed is capable of achieving established objectives.
ask the following question: is the subject (or object) of the review a
suitable, adequate, effective, and efficient way of achieving
established
There are many kinds of reviews. Some of these include
reviews, design and development reviews, customer
reviews, nonconformity reviews, and peer reviews.
According to ISO 9000, risk is the “effect of uncertainty on an
expected result” and an effect is a positive or negative deviation
from what is expected. The following two paragraphs will explain what
this means.
This definition recognizes that all of us operate in an
Whenever we try to achieve something, there’s always the chance that
things will not go according to plan. Sometimes we get positive
results and sometimes we get negative results and occasionally we get
both. Because of this, we need to reduce uncertainty as much as
possible.
Uncertainty (or lack of certainty) is a state or condition
a deficiency of information and leads to inadequate
knowledge or understanding. In the context of
uncertainty exists whenever the knowledge or
an event, consequence, or likelihood is
inadequate or incomplete.
While this definition argues that risk can be positive as
negative, a note acknowledges that "the term risk is sometimes
used when there is only the possibility of
Risk-based thinking refers to a coordinated set of
methods that organizations use to manage and control risks that affect
their ability to achieve objectives.
replaces what the old standard used to call preventive action.
While risk-based thinking is now an essential part of the
standard, it does not actually expect you to implement a
risk management process nor does it expect you to document
organization’s risk-based approach.
A service is an intangible output and is the result of a
that includes at least one activity that is carried out at the
between the supplier (provider) and the customer.
Service provision can take many forms. Service can be
to support an organization’s own products (e.g. warranty
or the serving of meals). Conversely, it can be provided
for a product
by a customer (e.g. a repair service or a
It can also involve the provision of an intangible thing to a customer
(e.g. entertainment, ambience, transportation, or
A statutory requirement is defined by a legislative body and is obligatory.
A strategy is a plan for achieving an objective.
A supplier is a person or an organization that
services. Suppliers can be either internal or external to
Internal suppliers provide products or services to people within their
own organization while
provide products or services to other organizations.
suppliers include organizations and people who produce,
market products, provide services, or publish information.
still includes a definition for this term, the new ISO 9001
standard no longer actually uses it. It prefers, instead, to use the term
A system is defined as a set of interrelated or interacting
A management system is one type of system. It is a set of
or interacting elements that organizations use to
and objectives and to establish the processes that are needed to
ensure that policies are followed and objectives are achieved.
The term top management normally refers to the people at
of an organization. It refers to the people who provide
and delegate authority and who coordinate, direct, and
However, if the scope of a management system covers only part
of an organization, then the term top management
to the people who direct and control that part of
Traceability is the ability to identify and trace the
location, and application of products, parts,
materials, and services.
A traceability system records and follows the trail as products,
parts, materials, and services come from suppliers and are processed
and ultimately distributed as final products and services.
Validation is a process. It uses objective evidence to confirm that the
requirements which define an intended use or application have been
met. Whenever all requirements have been met, a validated status is
established. Validation can be carried out under realistic use
conditions or within a simulated use
There are several ways to confirm that the requirements
an intended use or application have been met. For example, you could
do tests, you could carry out alternative calculations, or you could
examine documents before you issue them.
Verification is a process. It uses objective evidence to
that specified requirements have been met. Whenever specified
requirements have been met, a verified status is achieved.
There are many ways to verify that requirements have been
For example, you could inspect something, you could do tests,
could carry out alternative calculations, or you could
documents before you issue them.