Simple Paperwork for Best Practice

What’s really required for a small organisation to get ISO 9001 Certification?

One of the most common misunderstandings about ISO 9001 certification is what must be in place to successfully pass a certification audit.  

This confusion most often stems from previous experience with ISO 9001 certification at a previous organisation, or what’s been “heard through the grapevine” over the years. Granted, ISO 9001 has a developed a mixed reputation over the 25+ years it has been around.  What is commonly heard is:

  • ISO 9001 is too hard for a small organisation
  • ISO certification doesn’t really improve quality
  • ISO is nothing more than added paperwork
  • Small companies can’t get ISO without hiring someone full-time to manage it.

The question to ask is “Are these comments really valid?”

ISO 9001 Origin

The origin of ISO 9001 in the late 1980s sprung out of the need for large manufacturers to have a practical way to qualify parts suppliers without having to conduct regular quality audits. On the other side of the fence, suppliers needed a way to consolidate their various customers’ requirements and cut down the number of customer audits. 

By adopting an internationally accepted standard, such as ISO 9001, and to introduce a “3rd-party” audit from an independent auditing firm (called a “Certification Body”), customers and suppliers found a win-win arrangement. Customers could know that their suppliers were following certain quality assurance practices and suppliers could focus on a single requirement and a single audit to demonstrate compliance.

Before we leave our short review of the history of ISO 9001, we need to touch on the basic approach used in the early days. The original concept for how to control quality in a certified organisation was to specify minimum practices for quality assurance and require documented procedures for each practice. The basic thought was: 

“If we get our suppliers to document everything that every employee does, and then audit to be sure employees are following those documented procedures, quality will improve.”

So, companies created piles of documentation and auditors audited, but quality didn’t really improve. Go figure.  

At least that’s what you hear through the grapevine about the early days of ISO. I know in my career, that’s EXACTLY what happened in the first organisation I was with that implemented ISO. We started the project by stopping by the office supply store to buy several 6-inch binders to hold all of the paperwork we knew we were going to generate.

What happened?

  1. A lot of documents were written to show the auditor.
  2. They were put in the “official” binders.
  3. We showed the auditor.
  4. He was happy.
  5. We put the binders up on the shelf until the next time the auditor came by.

To a large extent, ISO was a show for the auditor!  How would that improve quality is the question we should be asking?

Fortunately, the authors of the ISO 9001 standard built in a review process into their development process and the standard has been revised several times since the early days. Today’s ISO 9001 has changed significantly as “lessons learned” have been incorporated to make the standard more “user-friendly” and more importantly, more effective to actually help improve quality.

  • Today’s standard is more focused on results and less focused on paperwork.
  • It is more flexible to be used by smaller companies and other industries beyond manufacturing.
  • It provides general guidelines to adapt to your organization rather than telling you how to run your organisation.

Many small companies are finding ISO 9001 simpler than they thought and much more helpful in achieving actual improvements that their customers notice. Isn’t that the point, after all?

3 Key points in ISO 9001


1. ISO 9001 Documentation Requirements

In the 2008 version of ISO 9001 the following documents were required:

  1. Quality Manual
  2. Control of Documents Procedure
  3. Control of Records Procedure
  4. Control of Nonconformity Procedure
  5. Internal Audit Procedure
  6. Corrective Action Procedure
  7. Preventive Action Procedure

The quality manual basically explains how your organisation has implemented the ISO 9001 requirements. It would generally be about 20 pages in length and provides a high-level overview of your organisation operations and how your quality management system works. The 6 mandatory procedures were administrative, meaning they describe how you keep up your ISO system in 2-3 pages each. Every ISO certified organisation, regardless of industry, has these standard documents. However, the standard was very prescriptive.

The 2015 version of the standard is much less prescriptive and these mandatory procedures are no longer required. However, you will still need to demonstrate to the auditor how you manage these processes but it’s up to you how you do that.

Beyond these minimum requirements, you must also have documents that your employees need to do their jobs. This doesn’t mean every process for every job needs a procedure or work instruction. The writers of the ISO 9001 standard understand that every organisation is different and that they need to leave it to organisation management to determine the documentation that is needed to run their organisation effectively.

Generally, this means that only documents that your employees are required to use on the job are necessary. So, if you have a simple process, explaining to an employee how to do the task may be enough. If you provide good training, it is likely a minimum of job documentation will be needed. If you are a very small organisation you may find that it is easy to support each other by answering questions as they come up in order to control your process and added documentation won’t be necessary.

The bottom line is a basic question: “If you produce a document, is anyone going to use it?”

Seems like a simple question – one I wish I would have asked years ago when I first implemented ISO 9001.  Back then we continually asked, “What does the auditor want to see?”  This is definitely the wrong question.  

A much better question is - “What do our employees need to do the job right and what will create the most efficient process for our organisation?”

Typically, small companies pursuing ISO 9001 for the first time don’t need additional documentation. They just need to organize and “clean up” the documents they already have.


2. Focus on Results

Second, in place of requiring reams of documents that no one is really going to use, ISO puts more focus on actual improvement and results.  

That means that measurement and action take centre stage. The spotlight of ISO is squarely on top management to establish quality objectives (performance measures) that matter to your organisation and your customers. Most small companies start with 3-5 quality objectives focused on the quality of their performance for their customers.  By establishing these high-priority measures, and reviewing them on a regular basis, this creates a focus for your managers and employees on the important drivers of organisational success. 

This data also provides an objective way to see where improvement is needed. Through corrective action, management initiates changes in the process or processes that have the most impact on the measured results.  The quality objectives will then tell management if the changes worked.  Either they did, or they didn’t and appropriate follow-up actions can be taken. 

This disciplined approach to improvement is managed through a formal process called management review. The management review is led by the top executive of the organisation (typically President, CEO or GM) and attended by all other top managers. It is typically scheduled as a monthly meeting, at least at first but the standard does not mandate how often, it simply requires it to be at “planned intervals to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organisation”. This regularity keeps focussing on improving results that are most important.  You can think of the management review as the “heartbeat” of ISO 9001.

3. Flexible to Adapt to Your Organization

Third, ISO 9001 is also set up to be very flexible to fit your type of organisation and ways of doing things.  You can think of ISO 9001 as a set of guidelines or best-practices that need to be applied to your organisation.  What that means is that there is more than one way to set up ISO 9001, even in the same type of organisation. For example:

  • How many documents should you have?  – that’s up to you.
  • How often should management review be scheduled? – that’s up to you.
  • How often should internal audits be conducted? – up to you. 
  • What should you measure as your quality objectives – depends on what you need.
  • Do you need to put all of your documents in a single location? – whatever works for you.

You get the idea. As long as all of the ISO requirements are addressed effectively and you are seeing improvement in your results, ISO is working and you can easily get certified. There is no “one size fits all” or “cookie cutter approach” that works for everyone.


Bottom Line

For some, these three points are somewhat of a surprise. You may even have individuals in your organisation who have worked in an ISO 9001 certified organisation in the past or heard something about ISO, and have very strong opinions about what it will take to get certified. That may be the reason your organisation hasn’t pursued ISO 9001 yet – fear of what it will do to your organisation.

My suggestion is the best way to fight rumours is with the truth. The ISO 9001 standard has changed and will continue to change with the times.  




This article was adapted by Ben White, General Manager Sci Qual International from an original article by Scott Dawson, President of Core Business Solutions, Inc