ISO 9001:2015 – Exclusions

Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.

The drawback of this was a major flaw. Over the period of time, some of these organizations, sheltered under the exclusion provision even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to be able to pick the correct vendor/ contractor who will not let the customer down. The revised 2015 version of the standard therefore in the wisdom of TC-176, removed this exclusion provision. It does not imply now the organization cannot outsource what it does not do. All that it means that the organization can review the applicability of the requirements based on its size, complexity and decide on the activities it needs to outsource.

With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters as also the effect if any of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of the ISO 9001 in enforcing monitoring and measuring to protect its customer and clients.

This assurance that an organization can not and will not outsource those activities which by its decision will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO9001 in determining the scope of the quality management system clearly requires that conformity to the ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services must not affect customer satisfaction.

In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services whether outsourced or not is the responsibility of the organization.

QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training designed carefully to meet the objectives as envisaged in the standard.

Defining Measurable Objectives/ Metrics to Drive Continual Improvement

Measurable objectives are an essential input for all levels of the management and come from the top management (TM). These objectives guide personnel at the work level to help ensure the success of a management system. The need for a set of value-based metrics is met by looking carefully at the company policy (based on the strategic direction) and then drawing the measurable objectives from it.

My thought is for any organization giving more than the desired value is a challenge! Values in today’s business world are often related solely to the ROI (Return on Investment). Providing value to the customer is a goal. The question is at what cost? Due to budgetary concerns, no organization wants to do more than what is required. Availability of funds is input to the design of the final product and or service. Consequentially, the values that an organization sets for itself must be based on trying to meet the objectives and expectations of the customers, or the statutory bodies (if relevant) within the constraints of the resources. Where a statutory body is involved, it is the vital responsibility of that body to precisely define expectations and what metrics they will accept.

My opinion is that the statutory bodies such as the FAA, FDA, EPA, and USCG, would have concerns about continual improvement by the external service providers. It is therefore critical to conduct an analysis and conduct management reviews internally to achieve the intended purpose of Clause 10.3 of ISO 9001:2015. However, it all starts with defining, providing and monitoring these clear expectations. This means that the statutory body should provide guidelines for stated requirements, as the IMO does in the ISM Code, within Resolution A.1118(30) & MSC-MEPC.7/Cir8. In a similar manner, the USCG could provide clear guidelines for TPO (Third Party Organization) and for the towing companies for the Subchapter M.

Statutory bodies, understandably, may struggle with defining their policy in the initial stages and clearly converting it to a set of measurable objectives (Value based metrics) for external providers. The need for the Leadership (TM) is to spend time and resources well at the plan stage of the PDCA cycle (Plan-Do-Check-Act) by understanding the context of the organization (Clauses 4.1 and 4.2 of the ISO 9001) and appreciate the various risks (Clause 6.1 of ISO 9001) keeping the customer focus in mind. The Standard here provides useful clauses to make the decision. An objective audit of the internal procedures of the statutory body (Clause 9.2 of ISO 9001) would provide the inputs for the Management Review (Clause 9.3) and ensure a robust decision-making process. This then should be followed by regular audits of the organization to which the processes have been outsourced (meeting the requirements of Clause 8.4.1 and 8.4.2 of ISO 9001). The organization which provides the outsourced service or product needs the information in terms of clause 8.4.3 to perform to the total satisfaction of the statutory body. As such providing clear requirements is a vital role of the statutory body.

Once requirements are clear, then the organization providing a product or service will use these inputs to design their Policy (Clause 5.2 of ISO 9001) 5.2.1d. This policy would then ensure that the feedback loop will help to drive continuous improvement efforts of the QMS. This policy would then provide the framework for the “value-based metrics” which in Quality terms would be the measurable objectives in terms of clause 6.2. Both 6.2.1 and 6.2.2 would put the organization on the correct path to success. The statutory body would vigorously and regularly audit the correct implementation itself or by using an independent professional service provider.

In effect, what this means is that just being certified to e.g. ISO 9001:2015 is not enough for any organization. What is required is a functioning PBMS (process-based management system) based on the chosen standard and other criteria implemented by committed leadership and motivated manpower.

(The author Dr. IJ Arora, is the President and CEO of QMII)


In the past year there has been a lot of activity in the development and revision of ISO standards. Highlighted below are a few key updates:

ISO 41001 – Facility Management

This new standard applies the concept of the Plan-Do-Check-Act cycle to the discipline of Facilities Management. This standard provides the requirements for a facility management system where an organization needs to demonstrate effective and efficient delivery of services. The standard is aligned with the High Level Structure adopted by ISO thus ensuring easier integration with other standards. Benefits of implementing this standard, per ISO, include improved productivity, communications, service consistency and costs benefits.

ISO 19011 – Guidelines for Auditing

ISO 19001 has become the primary guideline for all audits conducted globally. The FDIS was recently cleared and the updated revision is due to be published in July 2018. One of the main changes lies in the new auditing principle “Risk-based approach: an audit approach that considers risks and opportunities. The risk-based approach should substantively influence the planning, conducting, and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit program objectives.” This approach is evident in all the clauses of the standard which not follows the High level Structure. We will further update our readers as the standard is published.

ISO 9004 – Guidance to achieve sustained success

The standard has been updated to reflect the guidelines to achieve sustained success of and ISO 9001:2015 QMS. Per ISO, factors affecting an organization’s success continually emerge, evolve, increase or diminish over the years, and adapting to these changes is important for sustained success. The document addresses systematic improvement of overall performance and includes a self-assessment tool for reviewing the extent of conformity by the organization.