ISO 9001 QUALITY POLICY AND SYSTEM SCOPE
Two key elements of the ISO 9001 standard are the management system scope and the quality policy. Each of these must be defined and established by every ISO certified organization, usually by the executive leadership team. The QMS scope defines the boundaries for the management system while the policy communicates the mission or vision for the organization. The first of our three March ISO 9001 DIY series articles explores these two ISO 9001 system elements and provides some tools for getting the job done.
Management System Scope
Part of establishing the context of the organization (ISO 9001 section 4.0) includes definition of the scope of the management system (clause 4.3). The scope defines the boundaries of the management system and should be determined based on information gleaned during the development of your organizational context (Interested Parties and Internal / External Issues) along with consideration of the products and services provided to customers by your organization. Let’s take a closer look at the ISO scope statement.
Before we go too far though, let’s clarify a couple things:
- This has nothing to do with section 1 of the ISO 9001 standard (Scope). Section 1 is just defining the scope of the standard itself. We are only focused on section 4.3 of the ISO 9001 standard for this article.
- Section 4.3 (Determining the Scope of The Quality Management System), deals with defining the boundaries of your ISO 9001 management system or those processes and elements of your organization which will be covered and certified to ISO 9001.
- In addition to defining the QMS scope, you will also need to define a “Scope Statement” which is the summary description covered by your ISO certification and which is printed on your ISO 9001 certificate. These may be one and the same; however, often the certificate scope statement is a summary or snapshot of the management system scope.
First, the QMS scope should identify all areas of your organization that are applicable to your ISO 9001 management system and covered under the associated certification. For instance, you might state that the scope of the management system is “the fabrication, assembly, inspection, packaging, and shipping of household appliances”.
Make sure that the scope is inclusive enough to cover all possible applications but at the same time, tight enough to clearly define what you do. The scope should allow for all possible products, services, markets, industries, and customers applicable to your organization, or at least that part of your company that will be covered by the ISO certification.
Consider using the SIC or NAICS codes that apply to your organization to define your scope along with customers, industries, and markets served. You can use these as reference tools to actually include the appropriate numbers and descriptions in your scope text. Your ISO registrar will most likely use these numbers to identify the right auditor to complete your certification assessment.
Not all aspects of your organization may fall under the defined scope. Perhaps you operate two different business units (e.g. Engineering Services and Analytical Testing Services) within your facility but only want ISO 9001 certification for the engineering side of the business. You would scope your management system to only include the functions, products, and services performed by the engineering business unit.
In addition to what is included, the scope should clearly identify any excluded requirements within the ISO 9001 standard which are not applicable to your organization. For example, if you do not design or develop products or services, then your scope should state that the design and development requirements under section 8.3 are excluded from your management system scope. Be sure to state a defendable reason or justification for the exclusion.
Note that you may not exclude any of the ISO 9001 requirements if they are relevant and applicable within the scope of the system. You simply can’t exclude specific sections of the standard just because you don’t want to address the requirements. If they are applicable to your business operations, then you must satisfy and be compliant to the requirements.
Ideally, ISO 9001 should be applied to every function within your organization, however, there are a few that are generally not covered by some companies such as legal, finance, and sales, since none of the ISO 9001 requirements directly touch on or impact these functions. That doesn’t mean that you can’t include these functions and it would probably be a great benefit to develop and formalize the processes within these functions. Your call here.
If you aren’t sure where or how to get started with this exercise, you might Google “example ISO 9001 scope” or similar search term which will provide many different example scopes to help guide you in this process. Brainstorm all the products and services you provide along with the industries, markets, and customers served to ensure all necessary aspects of your organization are covered. Review and refine your system scope with the leadership team to create a final version. Note that your ISO registrar and auditor will review this information during certification and audit activities and provide input and feedback while ensuring that your scope is appropriate and acceptable.
ISO 9001 requires the management system scope to be maintained as documented information. While ISO 9001:2015 no longer requires a formal “Quality Manual” as previous versions did, there is good reason to maintain a similar high-level management system document which would be an excellent place to capture and control your ISO 9001 scope along with other key management system information. However, you can capture this information any place you feel is appropriate as long as it is maintained under your document control process. Any time your scope changes, it must be revised through your document change control process.
In addition to defining your ISO management system scope, you must also craft, control, and communicate your ISO 9001 Quality Policy.
Policy Structure and Content
The quality policy defines leadership’s vision and direction for the organization in regard to the management system. Just like a vision or mission statement, it communicates to the organization and external stakeholders (interested parties) the values and principles that are most important to the organization and its overall success. The policy doesn’t need to be called the Quality Policy. You can call it your management policy, mission or vision statement, or whatever else works for you.
As long as the policy addresses the mandatory ISO 9001 requirements, you can expand on it in any way you like such as adding values, principles, or other similar information. Keep the policy relatively short and sweet. Shoot for 100 words or less. The policy should also be crafted by the leadership team; however, input from any level of the organization is not only permitted but might help ensure buy-in and acceptance of the final policy when released and implemented. This is another one of those things to be embedded into the company culture.
Quality Policy Requirements
The policy must meet the following minimum requirements:
- It must agree with the context of the organization and overall business strategy. You don’t have to include all this information in the policy, but anything you state in the policy shouldn’t conflict with the business context and strategy.
- The policy should align with and frame your most important business objectives. We recommend that you do not actually include your business objectives in the policy as objectives will change over time, while the policy should remain fixed over the long term. We’ll explore quality objectives in an upcoming article.
- The policy must state in some form that your organization complies with the ISO 9001:2015 requirements and standard.
- Include a clause indicating that your organization continuously improves its management system.
A Google search for “example ISO 9001 quality policy” or similar search term will provide numerous examples to help get you started on this exercise.
Communicating the Policy
ISO 9001 has some specific requirements for controlling the quality policy:
- First, it must be maintained which means that it is placed under some form of document control. It can’t be changed without going through your established document change control process. Consider adding it to the quality manual or similar document discussed earlier in this article. Of course, you are welcome to control it as its own independent stand-alone document.
- It must be available to everyone within the organization. Everyone in the company should have access to the policy. This could be through public display of the policy in various locations throughout your facility. We often see framed copies of the policy in main lobbies, break rooms, production areas, etc. It might also be visible on a company Intranet site, or you could provide each employee with a wallet-size laminated card with the policy and other key company information. You decide how best to make the policy available and visible to all employees. You must also make it available to external stakeholders (interested parties), where applicable.
- Beyond just being available, leadership is responsible for ensuring that the policy is clearly communicated and understood by all employees. This means more communication by the leadership team to explain the policy, what it means to the organization, and why it is important. Leadership must support and live the policy every day to embed it into the company culture and ensure that it is effectively applied by everyone.
Back in the day under previous revisions of the ISO 9001 standard, employees were expected to memorize and be capable of reciting the organization’s quality policy verbatim. This is no longer required, however, each employee should be able to paraphrase the policy in their own words and be able to verbalize how they and their role within the organization impacts or aligns with the policy. It is also totally acceptable for employees to reference a written copy of the quality policy when needed. Just like a corporate mission or vision statement, the policy should resonate with employees and help guide them at the highest level to understand what is most important to the company and the direction the organization is headed.
ISO 9001 Quality Policy Development
If you haven’t already done so, get started by drafting your policy with input and feedback from key personnel throughout the organization development and implementation. Don’t worry about it being perfect as you will have many opportunities to revise it before you are done implementing the management system. If you are still stuck, a Google search will return an overwhelming number of examples and guidance information to help with this topic.
You might want to draft different versions of your policy and then get feedback from the leadership team and/or other resources to help refine and agree on a final version. There is no hurry and the best way to do this is to be patient and let the policy evolve over time. Also, development of your quality objectives may provide input that will challenge you to revise the quality policy. Just get started with a draft or two for now.