5 Costly Mistakes Businesses Make When Implementing ISO 9001:2015
... And How to Avoid Them (Part 3)

Table of Contents

In the previous two articles in our three-part series, we discussed how to identify and communicate the full range of benefits of ISO 9001 certification for your decision on whether to go down that path, and then, if you do, how to obtain and retain the necessary Top Management Support and involve all employees during the process. Part 3 in the series looks at mistakes you can make while setting up your Quality Management System processes, and even after successfully achieving your initial ISO 9001 certification.

Mistake 4: Creating Bureaucracy That Hinders Rather Than Helps the Business Operate

What Aspects of ISO 9001:2015 Certification Can Harm a Business?

Even though the underlying principles of ISO 9001:2015 should help organizations improve the way they do things, take the wrong approach to implementation of some of the requirements and they can have the opposite effect. The following areas demonstrate how this can happen:

Creating bureaucracy

Creating Too Much or Unhelpful Documentation

When the ISO 9000 series for Quality Systems Standards first appeared in the late 80's they spawned a whole industry of "expert" consultants who could facilitate your ISO 9000 certification for just a few hundred bucks. For that money, you got a generic set of documents that the "expert" had done a search and replace on your name. Your Quality Manual looked identical to hundreds, if not thousands, of documents all over the world and was almost a rewording of the standard itself.

Besides that, many organizations felt they needed to document every little thing they did, ending up with policies guiding procedures guiding work instructions, which had associated forms and checklists. The systems they implemented to create, authorize, distribute, review and update the reams of documentation were complex. While it may, in some cases, have allowed the organization to achieve certification, the documents themselves were all but useless as far as enabling the business to improve. Good companies grew despite the certification not because of it.

In contrast to the original ISO 9001 standard released in the late 1980's, more contemporary versions, including the new ISO 9001:2015 version are far less specific about what documents an organization "must" have to be compliant. That in itself can create confusion about what's required.

Businesses may find themselves without the documentation the external auditor believes they should have, resulting in an audit non-conformance that will need to be fixed before certification is achieved.

How to Ensure Your Documentation Supports Rather Than Undermines Your Business

The new ISO 9001:2015 standard explicitly says that your quality management system documentation doesn't need to mirror the standard, require uniformity across everyone's quality management systems, or even use the terminology within the standard at all. It's all written in black and white in clause 0.1 and appendix A.1. Those two clauses allow businesses a lot of leeway in what they document and which format they use for those documents. If you took an extreme view of the requirements, you would only need a handful of documents at most.

However, rather than eschew documentation altogether, it's critical to evaluate what information you need to support training, succession planning and knowledge retention in each part of the process. If you can honestly say you don't need any procedures, work instructions, forms or checklists to support those issues, then perhaps you don't need to document anything. Otherwise, you probably should.

It's worth noting that while you don't need to have procedures and work instructions, you still need to keep records to show that you meet the requirements of your QMS. So you might decide against a calibration procedure, but you'll still need to maintain and control records that you performed the calibrations.

If documents aren't necessary to support the operation of the business or improve the way things are done, then reassess their usefulness and revise or discard them.

Naomi Sato

Naomi Sato, Product Development Manager, 9001Simplified

The key to not creating too many documents is to evaluate the need for each one by asking questions like:

Is it relevant?

Is it useful for the people who need to do the job?

Are there other regulatory requirements that mandate it?

If documents aren't necessary to support the operation of the business or improve the way things are done, then reassess their usefulness and revise or discard them.

For example, the new 2015 standard no longer requires a Quality Manual. On the other hand, many external auditors still expect one, and a Quality Manual can be modified to become a handy marketing tool to give to clients without disclosing the internal workings of the business. However, if after due consideration you can see no merit in having one, then don't create one. Just make sure you can back that decision up with reasons during the audit.

However, as Greg Thompson notes, "Some people argue that it is not necessary to address each ISO 9001:2015 requirement through documented procedures and they are technically right. However, by covering all ISO 9001:2015 requirements in your procedures, you have a much lower risk that a requirement gets overlooked and forgotten as your quality management system evolves."

Carl Fallon adds: "If you want to take a minimalistic approach, start with a document control procedure. Next, develop and document the processes that your gap analysis identified as noncompliant."

Also, consider the best format for the document. A work instruction need not be a long, wordy document. A simple flowchart, a checklist, diagram or video might be more suitable. Moreover, it's imperative that the people who perform the tasks be involved in the development of the document. There's absolutely no point in developing wonderfully complex documents, detailing exactly how you think things are done if the workers take no notice of them because that's not what happens day-to-day.

Starting from scratch when creating documents can take a lot of time and effort, and there's no guarantee you'll get them right the first time. That's okay because the standard requires all documents be regularly reviewed and updated as necessary. However, you could expend significant effort trying to reinvent the wheel. It's often easier to start with a baseline and then customize it to fit your needs.

9001Simplified has created a series of templates that are compliant with the standard. However, rather than just provide the templates and let our clients bumble through, we have also created step-by-step resources to guide that customization process which is crucial for making your QMS useful. If you need further assistance, we provide free consulting and advice to make sure you stay on track. The templates include everything you need to create a quality manual, associated quality procedures, quality objectives, and then document core processes.

Once these higher level documents are in place, detailed work instructions can be reviewed or created in line with the organization's overarching quality system. Once again, the standard doesn't require that work instructions are in any particular format. However, a template could make that job easier by providing a starting point, and then each work area can tailor the documents for their unique needs.

A Complicated Corrective Action Process Focussed on Blame Rather Than The Opportunity to Improve

Two of the core principles of the 2015 version of ISO 9001 are "Improvement" and "Evidence-Based Decision Making". Clause 10 of the standard requires that organizations have a process in place to:

Identify non-conforming products and services and capture customer complaints

Work out why the problems have occurred

Change the way things are done to get to the root of the problem and prevent recurrence

Follow up to ensure the changes are effective

Maintain evidence of each of those stages

If people are blamed or penalized when they report issues or are implicated in the non-conformance or the complaint, they will be reluctant to come forward in the future. If the problems aren't reported, and the root causes not identified and addressed, they will continue to happen, having a negative impact on the operations of the business.

How to Ensure Your Corrective Action Process Is More Effective

Address the system, not the people. For example, if human error is the ostensible cause, the underlying reason may be inadequate training, incorrect or confusing documentation, or an illogical layout of the workspace.

Encourage employees to identify and report when things go wrong by:

Involving workers in the area where the problems have occurred

Consulting them while identifying the underlying root cause of the issue

Allowing them to contribute to solutions to prevent the problem from happening again

Communicating the success of effective changes to other relevant areas of the organization

A Compliance Focussed Internal Audit Program

ISO 9001:2015 requires that organizations have an internal audit program that checks if the Quality Management System continues to comply with both the business' requirements and those of the standard. However, if compliance is the program's only aim, and the focus is on seeking problems rather than opportunities for improvement, it can create resentment and become a tick and flick exercise.

Greg Thompson explains one aspect: "ISO 9001 internal audits are designed to be a compliance tool to keep the ISO 9001 system fully implemented. Company internal auditors verify that the quality management system is used throughout the organization as an effective management tool. The prospect of upcoming audits prevents managers and staff from cutting corners and slacking off."

Keeping employees on their toes is an important aspect of internal audits, but too much focus on the 'policing' side of things can create an "us and them" attitude. Nobody likes to have outsiders coming into their work area to discover problems and writing them up as "non-conforming," especially if the auditor doesn't have a thorough understanding of that part of the business.

Internal Auditors should be trained, not just in auditing, but also the requirements of the standard. Depending on the source of training, the costs can be significant, which might cause organizations to restrict their pool of auditors to the bare minimum, further exacerbating the perception that Internal Auditors are the 'Quality Police' out to get you.

Getting the Most Out of Your Internal Audit Program

Approached differently, an Internal Audit Program can be one of the most powerful drivers of the QMS, supporting training and education, encouraging involvement, and spreading ideas and improvements across the organization.

An Internal Audit Program can be one of the most powerful drivers of the QMS, supporting training and education, encouraging involvement, and spreading ideas and improvements across the organization.

Greg Thompson

Greg Thompson, Customer Service Manager, 9001Simplified

Use Your Audits as a Way to Spread Good Ideas Across the Business

"There is more to internal audits than just compliance," says Greg. "As the auditor observes work processes in different departments and divisions, they are in a unique position to identify best practices and communicate them throughout the organization. If you want to take full advantage of this business improvement aspect, you should consider training staff from different departments as auditors and specifically make the identification of best practices as one of the objectives. You'll be surprised how much a cross-functional audit team can contribute to business improvement."

Have Your Auditors Help Train Others in Aspects of the QMS

Carl Fallon, Senior Customer Service Representative, explains: "For all practical purposes, internal audits tend to be less strict than the registrar's external audits in the sense that the separation between auditing and consulting is less enforced. This means that internal auditors also take the role of trainers when they suggest ways and methods of implementing specific ISO 9001 requirements. In many cases, the internal auditors themselves learn better ways and methods to do things during their audits of other parts of the organization."

Use Your Internal Audit Program as a Stepping Stone for Promotion

Naomi Sato, suggests that "You might also consider an internal auditor assignment as preparation for a more senior management position. Auditing is an excellent way of training an individual in the diverse functions of the company."

Start the Internal Audit Program Early in the Implementation Process

There's no need to wait until you fully implement your QMS. In fact, that will probably put your certification timeline backwards. It's better to start early, audit one section at a time and utilize your audits as a training tool.

You need to complete one full internal audit of the entire company after adopting all ISO 9001:2015 requirements before your external certification audit. Depending on the size and complexity of the business that can take some time. In addition, all the non-conformances discovered during this audit will need to be addressed and the corrections verified as effective before you get the external auditors to come. By starting early, you'll have plenty of time to identify problems, fix them and follow up on the effectiveness of the changes.

As mentioned, auditors should be well versed in the requirements of ISO 9001:2015 and how the business has applied them. Face-to-face auditor courses can run into a thousand dollars or more per person. Hiring an external trainer to come in and deliver a course for a group of people might run to several thousand dollars.

A third alternative is to develop your own internal training program if you have the resources and expertise to develop it, but that too can be expensive. Besides, you might not have someone with the confidence and knowledge to develop and conduct useful training, especially in the early stages.

Another approach is to purchase online tools and resources to facilitate the training.

9001Simplified provides several products that can support your Internal Audit Program. Developed by experts, they offer a cost-effective way of getting your internal audits up and running at a reasonable cost.

Our online course QMS ISO 9001:2015 Auditor Training will provide your internal auditors with a comprehensive insight into the requirements of the standard, including how to set up the audit program and conduct the audits. We also have a more advanced Lead Auditor program for people who seek to manage teams of auditors and a DVD course you can use over and over again to bring new auditors into the program.

A combination of these tools could see your organization have its Internal Audit Program up and running with participation throughout the business for less than $480.

Find out more about 9001Simplified's range of Audit Training and Tools HERE.

Mistake 5: Thinking the Process Stops Once Certification Is Achieved

What Happens Once an Organization Achieves ISO 9001:2015 Certification?

When an organization undergoes an External Audit and can provide evidence they have addressed any major non-conformances, they will be recommended for ISO 9001 Certification for the scope defined in the original application.

Stopping after certification

Successful certification to ISO 9001:2015 is cause for celebration. The certificate (which will arrive in the mail a short time after the audit) is the reward for a lot of hard work and effort by many people (IF you've avoided Mistake 3). The business can now use the ISO 9001:2015 certification marks, communicate the accomplishment in their marketing materials and compete for contracts requiring certified suppliers.

Ideally, the organization pursued certification for more than just compliance and marketing purposes (see Mistake 1) and have also achieved the goals laid out in the initial stages of the implementation process.

After the concerted effort that may have taken months or even years, it would be easy to take the foot off the pedal and take a rest from "Certification activities". The audit program can slip behind, documents can quickly become out of date, training records lapse, and communication with employees about implementation progress and successes become less frequent or cease. Resources might be cut or reallocated to new programs. The mindset of "That's done. Tick. What do we need to move on to now?" can take hold. Pretty soon, the Quality Management System is no longer functioning the way it was designed.

Alternatively, the success of the certification process and the benefits everyone across the organization has reaped could provide even more impetus for bigger and better quality initiatives.

Why a Quality Management System Must Continue to Evolve

Initial certification to ISO 9001:2015 is only the beginning. Even from a compliance perspective, the Quality Management System requires effort to sustain and improve what's already in place.

The original certificate is only ever valid for three years. Generally, external auditors will return at least once per year to conduct a surveillance audit and every three years for another full audit. This schedule is dependent on several factors: company size, complexity, number of physical locations, sampling plan, and the individual registrar's policy. When they return, the auditors expect to see evidence that the QMS is embedded in the way an organization now runs its business and that processes are continuously improving. In fact, clause 10.3 in the standard requires that the organization continually improve. If the auditors find the business continues to comply with the standard, they will extend or re-register the certification for a further three years.

If an organization doesn't want to have to scramble to get their house in order each time the auditors arrive, there needs to be an ongoing effort by everyone to use, maintain and improve the QMS all the times.

It's unlikely that an organization will implement the ISO 9001:2015 standard's requirements 100% perfect the first time around. They might achieve compliance, but processes might need streamlining to make them more efficient or business friendly (see Mistake 4).

Organizations must continually adapt to the external environment to survive. When they change the way they do things, the related elements of the Quality Management System should also improve. That might be as simple as a work instruction or form, or extend to more complex infrastructure like data monitoring or IT systems.

Organizations must continually adapt to the external environment to survive. When they change the way they do things, the related elements of the Quality Management System should also improve.

Greg Thompson

Greg Thompson, Customer Service Manager, 9001Simplified

How to Avoid Your QMS Stalling After Certification

There are many things organizations can do to maintain momentum after a successful ISO 9001:2015 certification audit.

Firstly, celebrate the achievement with the whole organization. However, make the celebration about more than just getting the certificate. Emphasize the other goals and benefits that have been realized. For example: improved customer satisfaction, fewer product returns, increased sales... whatever the original reasons and benefits defined when deciding whether to pursue certification in the first place along with others that might have emerged during the process.

Define and communicate new quality objectives. That might consist of incremental improvements of the current ones OR entirely new targets.

Certification as Impetus for Continuous Improvement

Top Management needs to continue their support for the Quality Management system and resource it appropriately. While it might not take the same amount of time, money and effort to maintain, it will still require some.

Consider adopting relevant aspects in ISO 9004:2018 "Quality management - Quality of an organization - Guidance to achieve sustained success." This guideline aligns with the requirements of ISO 9001:2015, but gives a more detailed insight into things an organization can do to extend the benefits of their certification, remain sustainable, and ensure continued success into the future. Its focus is broader than just increasing value for the organization and its customers and specifically addresses benefits for other stakeholders including owners, shareholders and the public. ISO 9004 contains many opportunities for further improvement of the quality management system.

It's important to note that you cannot obtain ISO 9004:2018 certification, so the guidelines are entirely optional. That means the organization can choose to apply the parts that are useful for their unique circumstances and ignore those which aren't.


External forces often drive the decision to pursue ISO 9001 certification. To move forward requires the business to commit significant money, time and effort. Managers can be tempted to get it done as quickly as possible for the lowest cost possible. However, in taking this approach, organizations can make costly mistakes and miss a golden opportunity to make their business more sustainable if only they could avoid these pitfalls.

If you can:

Understand and seek the full range of benefits possible from certification

Ensure Top Management support

Get everyone involved in the implementation process

Avoid creating a bureaucracy focussed on merely compliance

Understand the process doesn't finish after the initial certification

... then you are in a much better position to achieve ongoing success.


    What's been your experience with ISO 9001 certification? What other common mistakes should we have added? Let us know in the comments below (all relevant, respectful feedback is welcomed per our guidelines).

    payment options

    ISO 9001 Simplified Money-Back Guarantee