Top 10 ISO 9001 Findings

Saying about quality

One of the world’s leading certification bodies, DNV GL Business Assurance, NA shared their top 10 ISO 9001 findings of 2019.  Review these nonconformances to see if there are any weaknesses in your QMS and quality processes.  (Note:  ISO 9001 Findings and their rankings may vary slightly among Certification Bodies.)

  • 8.5.1  Control of production and service provision
  • 7.1.5  Monitoring and measuring resources
  • 7.2     Competence
  • 8.1     Operational planning and control
  • 7.1.3  Infrastructure
  • 10.2   Nonconformity and corrective action
  • 9.2     Internal Audit
  • 6.1      Actions to address risks and opportunities
  • 7.5.3  Control of documented information
  • 9.3.2  Management review inputs

For each ISO 9001 nonconformity, DNV GL provided some great tips, which we’ve summarized, so you can be prepared before your next internal audit and/or Certification Body audit and maintain your ISO 9001 certification. 

8.5.1   Control of production and service provision

  • Personnel who operate process equipment should be familiar with the critical parameters of process requirements, which are usually stated in work instructions, engineering drawings or specifications.
  • Work instructions or specifications should be clear and understandable to ensure the product or service conforms to the requirements.
  • For consistent and stable operation of process equipment and essential materials, specify the amount and extent of maintenance and how they apply within the scope of the QMS.
  • Examples of validation methods:
    • Defined criteria for review and approval of processes
    • Approval of equipment and qualification of personnel
    • Use of specific methods and procedures
    • Requirements for records
    • Re-validation
  • Process monitoring and measuring instructions may take the form of:
    • Process and/or standard operation sheets
    • Inspection and lab test instructions
    • Test procedures
    • Other similar documents that meet the same intent

7.1.5   Monitoring and measuring resources

  • Documented information is usually retained in a spreadsheet, calibration database or through certificates.  The information should include reference to the standards used, results of any calibration or verification, and also when the resource is found not to be valid.

7.2      Competence

  • Information used to determine competence needs may include:
    • An annual assessment which takes into account any changes in technology, business objectives and organizational changes
    • Employee’s performance appraisal
    • Corrective action requests
    • Customer complaints
  • Competence requirements as evidenced in departmental procedure, job descriptions, etc.
  • Competence needs should be defined for new and existing employees, as well as temporary employees.
  • Documented information must be retained. This can include:
    • Education experience and diplomas
    • Signed application
    • Resume/Vitae
    • Copies of certificates
    • Training attendance sheets
    • Learning management systems

8.1     Operational planning and control

  • When product manufacturing or service delivery revolves around highly repetitive and routine activities, planning can begin when documenting the quality system. Otherwise separate planning for each new order or contract may be needed.
  • When a new product or service is introduced or an existing product modified, consideration should be given to the new processes and resources or modification of existing processes and resources to fit the needs of the specific product.
  • Risks and opportunities must also be addressed (This could be done through Failure Mode and Effects Analysis (FMEAs) or control plans)

7.1.3    Infrastructure

  • May consist of: offices, production facilities, warehousing and distribution centers.
  • Also consider access to infrastructure – roadways, railroads and airports.
  • Maintaining infrastructure like production machinery, measuring equipment, etc.
  • Any information technology needed including hardware and software.
  • Support services like maintenance of production machinery, transportation, etc.

10.2     Nonconformity and corrective action

  • In response to a nonconformity/finding a corrective action should be implemented
  • Follow-up to determine if the action was effective
  • Conduct a Root Cause Analysis and create a plan to eliminate the nonconformity from occurring again.
  • For multi-site certifications, any nonconformity and Root Cause Analysis should include all sites covered by the certificate. And where appropriate, implement the corrective action at those sites.
  • Employees should understand the importance of fully investigating the cause and the methodology used.

9.2       Internal audit

  • The internal audit system needs to be fully operational and effective.
  • An audit program should cover all parts of the company and all elements of the management system. Within a 3-years period, all should be audited at least once.
  • Critical areas should be audited annually with frequency based on:
    • the importance of the processes
    • changes to the organization
    • results of previous audits

Knowledge. Expertise. Experience.

Outsource Your Internal Audits

Consulting Services For ISO, IATF, AS, and more


6.1      Actions to address risks and opportunities

  • While verifying risks and opportunities, consider:
    • The scope of the standard – “organization needs to demonstrate its ability to consistently provide product or service that meets customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.”
    • Interested parties (and their requirements) that are relevant to the quality management system
  • A range of approaches are available to manage risk and opportunities. One of those is a risk register. Factors to consider are:
    • Size and complexity of the organization
    • Level of external regulation
    • Shareholder interests, types of customers and suppliers
  • In lieu of a documented formal risk assessment, a company must be able to explain that risks and opportunities have been determined and actions have been evaluated.

7.5.3   Control of documented information

For control of documented information, consider how employees access the information and who has access to the available systems.

  • If information is posted there needs to be a procedure to ensure that what is posted is the current and correct.
  • Electronic documents can be protected through access by assigning login rights with or without revision authority or they might be assigned read-only access.

9.3.2   Management review inputs

In determining whether the quality management system meets the requirements of the ISO 9001 standard, the following items would be helpful for review depending on circumstances:

  • Process performance metrics
  • Results of the improvement activities
  • Results from customer, internal and 3rd party audits
  • Self-assessment of the organization
  • Measurements of customer satisfaction and fulfillment of needs and expectations of other interested parties
  • Marketplace evaluation including performance of competitors
  • Results of benchmarking activities
  • Supplier performance
  • Changes due to new technologies, outputs of research and development, quality concepts, financial, social, environmental conditions and legislative or regulatory changes
  • Needs or opportunities for improvement
  • Status of achieving quality objectives

SimpleQuE is a leader in AS, IATF® and ISO consultingauditing and training.  Whether you are just beginning the certification process or looking for a partner for ongoing gap analysis and internal audit assistance, simpleQuE makes the process easier and more efficient. Contact us for a consult and see the difference that simpleQuE can bring to your quality management process.


Learn More About The simpleQuE Advantage

The simpleQuE Advantage Begins Here! Contact Us Today