ISO 9001 is the world's most widely adopted quality management system standard, yet many people who work with it every day struggle to explain what each clause actually requires. The language in the standard can feel dense and circular, especially if you are reading it for the first time. This guide breaks down every ISO 9001 clause in plain English, from Clause 4 through to Clause 10, so you can understand what the standard is asking, why it matters, and what auditors look for in practice.
On this page
Whether you are a Quality Manager preparing for certification, an internal auditor building your first audit checklist, or a professional stepping into ISO work for the first time, this clause by clause walkthrough will give you a solid working understanding of the standard.
Why ISO 9001 Starts at Clause 4
Clauses 1, 2, and 3 cover scope, normative references, and terms and definitions. They are introductory material. The actual requirements begin at Clause 4, which is where auditors start their work. Every clause from 4 to 10 contains requirements that your organisation must meet to achieve and maintain certification.
The standard follows the High Level Structure, also known as the Harmonised Structure, which is shared across all modern ISO management system standards including ISO 14001 and ISO 45001. This makes it easier to integrate multiple standards into one system, and it means that once you understand the structure of ISO 9001, the others feel familiar.
Clause 4: Context of the Organisation
Clause 4.1: Understanding the Organisation and Its Context
This clause asks you to think about what is happening inside and outside your organisation that could affect your quality management system. Internal factors include things like your culture, staff capability, and the processes you use. External factors include the market you operate in, regulatory requirements, and economic conditions.
In practice, organisations capture this in a SWOT analysis, a PESTLE analysis, or a simple issues register. Auditors will ask how you identified these factors, how current the information is, and how it feeds into your planning. A document that was created three years ago and never reviewed is a common finding.
Clause 4.2: Understanding the Needs and Expectations of Interested Parties
Interested parties are people and organisations that can affect or be affected by your QMS. This includes customers, regulators, suppliers, employees, and in some industries, the local community. The clause asks you to identify who they are and what they need from you.
This is not about satisfying everyone. It is about knowing whose requirements are relevant to your QMS and factoring them into how you operate.
Clause 4.3: Determining the Scope of the QMS
Scope defines the boundaries of your quality management system. Which products and services does it cover? Which locations and functions are included? Scope must be documented, and any exclusions from Clause 8 must be justified.
Auditors check whether the scope is realistic and whether what is happening on the ground matches what the scope statement says. A scope that is too narrow to avoid scrutiny is a red flag.
Clause 4.4: The QMS and Its Processes
This is where the standard asks you to take a process approach. You need to identify the processes your QMS needs, determine how they interact, and manage them systematically. For each process, you should know the inputs, outputs, sequence, resources, responsibilities, risks, and performance indicators.
A process map or turtle diagram is a common tool here. Auditors will follow the thread from one process to another to check that the interactions are understood and managed, not just documented on paper.
Clause 5: Leadership
Clause 5.1: Leadership and Commitment
This clause is directed at top management, meaning the people who have the authority to make decisions about the organisation's direction and resources. The standard lists specific ways top management must demonstrate commitment, including taking accountability for the QMS, ensuring the quality policy and objectives are compatible with the strategic direction, and actively promoting a customer focus.
Auditors do not just take management's word for it. They look for evidence in meeting minutes, resource allocation decisions, how quality issues are escalated, and whether management actually reviews QMS performance or delegates it entirely.
Clause 5.2: Quality Policy
The quality policy is a short statement that sets the direction for quality in your organisation. It must be appropriate to your context, include a commitment to satisfying applicable requirements, and include a commitment to continual improvement. It must be communicated to staff and available to interested parties.
The most common problem auditors find here is a policy that sounds impressive but says nothing specific. A policy that could apply to any organisation in any industry is unlikely to be effective in practice.
Clause 5.3: Organisational Roles, Responsibilities and Authorities
Someone needs to own each part of the QMS. This clause requires top management to assign and communicate responsibilities and authorities for quality. There is no longer a requirement for a dedicated Management Representative, but someone still needs to be responsible for reporting on QMS performance and ensuring the system works.
Clause 6: Planning
Clause 6.1: Actions to Address Risks and Opportunities
Risk based thinking is one of the key concepts in ISO 9001:2015. This clause asks you to identify risks and opportunities that arise from your context and interested party analysis, and then plan actions to address them. The standard does not require a formal risk register, but it does require that you have thought about what could go wrong and what you are doing about it.
Auditors look for evidence that risk thinking is embedded in how decisions are made, not just recorded in a spreadsheet that nobody uses. To go deeper on how auditors approach this area, see our article on how to audit risk based thinking under ISO 9001 Clause 6.1.
Clause 6.2: Quality Objectives and Planning to Achieve Them
Quality objectives must be measurable, consistent with the quality policy, monitored, communicated, and updated as needed. For each objective, you need a plan that covers what will be done, what resources are needed, who is responsible, when it will be completed, and how results will be evaluated.
Vague objectives like improve customer satisfaction without a target or a measurement method will not pass an audit. Auditors want to see that objectives are driving real activity, not just sitting in a document.
Clause 6.3: Planning of Changes
When your organisation decides to make changes to the QMS, those changes need to be planned. You need to consider the purpose of the change, potential consequences, resource availability, and responsibility for implementation. This clause prevents organisations from making ad hoc changes that break parts of the system without anyone noticing.
Clause 7: Support
Clause 7.1: Resources
This clause covers the resources needed to establish, implement, maintain, and continually improve the QMS. That includes people, infrastructure, the work environment, monitoring and measurement resources, and organisational knowledge. Each of these has its own subclause with specific requirements.
Calibration sits under Clause 7.1.5. If your organisation uses measuring equipment to verify product or service conformity, that equipment needs to be calibrated or verified at defined intervals. Calibration records are a common audit sample point.
Organisational knowledge under Clause 7.1.6 is often overlooked. It asks how you capture and maintain the knowledge your organisation needs to operate effectively, and how you manage the risk of losing that knowledge when people leave.
Clause 7.2: Competence
People doing work that affects quality must be competent. Competence means having the education, training, or experience needed for the role. The organisation must determine what competence is required, ensure people have it, and keep records as evidence.
A training matrix is a practical tool here. Auditors will ask to see competence records and will often interview workers to check whether their actual understanding matches what the records claim.
Clause 7.3: Awareness
Workers must be aware of the quality policy, the quality objectives relevant to their work, their contribution to QMS effectiveness, and the implications of not conforming to requirements. Awareness is not the same as training. It is about genuine understanding. Auditors test this by asking workers directly during interviews.
Clause 7.4: Communication
The organisation must determine what needs to be communicated about the QMS, when, to whom, how, and by whom. This applies to both internal and external communication. There is no prescribed format, but there must be a deliberate approach.
Clause 7.5: Documented Information
ISO 9001 does not prescribe a long list of mandatory documents. It requires documented information where needed to support the operation of processes and to retain evidence of results. The standard distinguishes between documents (which provide direction) and records (which provide evidence).
Control of documented information means ensuring it is available, suitable for use, protected from unintended changes, and that obsolete versions are not in use. This is one of the most frequently audited areas in any QMS audit.
Clause 8: Operation
Clause 8 is the largest section of the standard and covers the operational processes that deliver your products and services. This is where the QMS connects to what your organisation actually does.
Clause 8.1: Operational Planning and Control
You must plan, implement, control, and maintain the processes needed to meet requirements for products and services. This includes establishing criteria for processes and acceptance of outputs, and controlling planned changes while managing unintended ones.
Clause 8.2: Requirements for Products and Services
This covers how you communicate with customers, determine what they need, handle enquiries and orders, and manage changes to requirements. It also covers the review of requirements before you commit to supplying a product or service. If a customer requirement cannot be met, you need a process for handling that.
Clause 8.3: Design and Development
If your organisation designs products or services, this clause applies. It covers planning, inputs, controls, outputs, changes, and review of the design process. Many service businesses claim this clause is not applicable, but auditors will test whether that exclusion is genuinely justified.
Clause 8.4: Control of Externally Provided Processes, Products and Services
This clause covers how you manage suppliers and subcontractors. You must evaluate and select external providers based on their ability to meet requirements, define what you need from them, and monitor their performance. The level of control should be proportionate to the risk and impact on your outputs.
Supplier management is consistently one of the top areas where nonconformities are raised. Approved supplier lists, supplier evaluations, and purchase order specifications are all common audit evidence points.
Clause 8.5: Production and Service Provision
This clause covers the controlled conditions under which you produce products or deliver services. It includes documented information describing the process, suitable monitoring and measurement, the use of appropriate infrastructure, the appointment of competent people, and where relevant, validation of processes whose outputs cannot be verified by monitoring alone.
Identification and traceability, preservation of outputs, and post delivery activities also sit here. If your customers can trace a product back through your system, this is the clause that makes that possible.
Clause 8.6: Release of Products and Services
Before you release a product or service to a customer, you must verify that requirements have been met. Records must show who authorised the release and when. If a release happens before all planned checks are complete, there must be an approval from a relevant authority and, where applicable, the customer.
Clause 8.7: Control of Nonconforming Outputs
When something does not meet requirements, you must identify it, control it to prevent unintended use or delivery, and take appropriate action. That might mean reworking it, scrapping it, obtaining a concession, or segregating it until a decision is made. Records of nonconforming outputs and the actions taken must be kept.
Clause 9: Performance Evaluation
Clause 9.1: Monitoring, Measurement, Analysis and Evaluation
The organisation must determine what needs to be monitored and measured, the methods to be used, when it should be done, and when results should be analysed. Customer satisfaction monitoring is specifically required under Clause 9.1.2. Analysis and evaluation of data must feed into decisions and improvement activity.
Clause 9.2: Internal Audit
Internal audits must be conducted at planned intervals to check whether the QMS conforms to the organisation's own requirements and to the standard's requirements, and whether it is effectively implemented and maintained. The audit programme must consider the importance of processes and previous audit results. Auditors must be objective and impartial, which means they cannot audit their own work.
For a detailed breakdown of this requirement, our article on ISO 9001 Clause 9.2: what internal audit actually requires covers the specifics in depth.
Clause 9.3: Management Review
Top management must review the QMS at planned intervals. The review must consider a defined list of inputs including audit results, customer satisfaction data, process performance, nonconformities, and the effectiveness of actions taken on risks and opportunities. Outputs must include decisions on improvement opportunities, changes needed to the QMS, and resource needs. Records of the review must be kept.
A management review that consists of a five minute discussion with no documented inputs or outputs will not satisfy this clause.
Clause 10: Improvement
Clause 10.1: General
The organisation must determine and select opportunities for improvement and implement necessary actions to meet customer requirements and enhance customer satisfaction. This is the overarching improvement requirement.
Clause 10.2: Nonconformity and Corrective Action
When a nonconformity occurs, the organisation must react to it, evaluate the need for corrective action, determine root causes, implement actions to prevent recurrence, review the effectiveness of those actions, and update risks and opportunities if needed. Records must be kept throughout.
This is one of the most important clauses in the standard. A QMS that raises nonconformities but never closes them out with effective corrective action is not functioning as intended. Auditors will trace nonconformities through to closure and check whether the root cause was genuinely addressed.
Clause 10.3: Continual Improvement
The organisation must continually improve the suitability, adequacy, and effectiveness of the QMS. This is not a one off activity. It requires a systematic approach to using data, audit results, management review outputs, and corrective actions to drive ongoing improvement over time.
Putting It All Together
Reading through the clauses in sequence reveals a logical structure. Clauses 4 and 5 set the foundation by understanding the context and establishing leadership. Clause 6 plans for risks and objectives. Clause 7 puts the support resources in place. Clause 8 delivers products and services under controlled conditions. Clause 9 checks how well the system is performing. Clause 10 acts on what is found to drive improvement. This is the PDCA cycle in action across the entire standard.
Understanding the clauses at this level is the starting point. Being able to audit against them, gather evidence, identify gaps, and write findings that drive real improvement is a different skill set entirely. If you want to build that capability, the next step is structured auditor training.
At Audit Workshop, our ISO 9001 internal auditor and lead auditor courses are built around exactly this kind of practical, clause by clause understanding. Founder Dilawar Laghari has conducted over 500 external certification audits and brings that experience directly into the training. Whether you are looking to become an ISO internal auditor or you are ready to pursue lead auditor credentials, our courses are structured to give you the skills to audit with confidence, not just pass an exam.
You can explore our training options at auditworkshop.com.
