CrossTalk - The Journal of Defense Software Engineering
Jun 2004 Issue

Why Be Assessed to the Most Prevalent Standard in Use Today?
Robert Vickroy, ABS Quality Evaluations, Inc.

Initially conceived as a common, one-shoe-fits-all quality management system standard, ISO 9001 has developed to become the baseline concept inherited by many industry sector schemes and models. This article summarizes the several quality system models and outlines the critical factors that contribute to the successful implementation of an effective, robust, quality system.

ISO 9000 standards started in the late 1980s to promote standardization of trade. Early use of the ISO 9001 Standard was in the European Union countries, which influenced international trade by requiring registration for companies selling products worth more than 100,000 Euros, the then-evolving European Union currency. Since that time, the requirement to be registered has also been incorporated into many U.S. companies' bidding requirements. In the expanding global economy, domestic companies must now compete with foreign companies that are achieving ISO certifications to become more acceptable as suppliers. As a result, U.S. companies in foreign markets find ISO certification useful in assuring their foreign customers that they have fundamental quality processes.

Determining whether to be assessed to ISO 9001 depends a lot on what motivates a company's management. Typically, a company becomes ISO 9001 registered because it (1) is required to do so by the customer, (2) wishes to reduce customer audits by becoming registered to ISO 9001, (3) is more aggressive and feels it would be more competitive, believing customers would look more favorably on suppliers that are registered, (4) thinks producing a quality product would be more cost effective and that being ISO registered would improve quality, (5) wishes to expand the capability of its business by adopting broader or more in-depth quality models, or (6) is motivated by a combination of these. As quality improvement is a journey and not a destination, companies are likely to evolve through several of these steps as they mature in the pursuit of quality.

As a result of reasons like these, there were 561,747 ISO 9000 certificates at the end of 2002 distributed throughout 159 countries, according to the International Organization for Standardization (Note 1) in Switzerland, which owns ISO 9001 and other ISO-related standards. While the worldwide distribution of registrations changes constantly, a breakdown of the number of registrations by economic trading block in 2001 shows that approximately 50 percent were in European countries, 25 percent in Asian countries, and 9 percent in the United States, with a rapidly increasing number in smaller countries that wish to be suppliers to the larger countries.

I am told during audits, and it is confirmed in the numerous ISO 9001 surveys reported, that the benefits of certification include having documented processes versus tribal knowledge; being trained; understanding why things are done to assist in achieving the company's goals and objectives; reducing costs due to scrap, rework, and delay; and overall buy-in by employees that results in improved customer focus and participation in continual improvement. Companies also find that the registrar's corrective action process in ISO 9001 is a valuable addition to their ongoing improvement program.

Users of the ISO 9001 standard had goals that were twofold: Reduce the customer's cost of auditing suppliers, and reduce the cost of conforming to and being audited by customers. The maze of standards significantly added to a company's cost of business and ability to compete. For example, a survey in the mid-90s by members of the ISO/International Electrotechnical Commission (IEC) Subcommittee SC7 U.S. Technical Advisory Group for Software found more than 500 standards worldwide for software alone. The numerous standards resulted in multiple audits of suppliers to conflicting requirements resulting in complicated and dissimilar quality management systems.

While auditing companies in the early '90s that had complicated quality systems, I asked how they had developed their quality management systems. The common response was that since each auditor who came through required something different, they incorporated those requirements into their quality system and it simply evolved.

With many governments today retiring their local standards, ISO 9001 has served to simplify and standardize the definition of a quality management system for both the customer and the supplier. Through ISO 9001's third-party auditing process, customer visits are typically reduced, which reduces costs while providing confidence that the company continues to operate in conformance with a registered quality system.

Companies that aggressively pursue different industry sectors often obtain registration to ISO 9001 as a baseline standard and may then adopt other standards associated with new business opportunities. ISO 9001 began as a one-shoe-fits-all quality system. However, several industrial sectors have documented additional specific requirements, referred to as sector schemes. These schemes conform to ISO 9001 yet are required by the particular industry to demonstrate conformance to their elaboration on ISO 9001 requirements within the context of that industry's unique terminology, processes, and measurements. The result is incremental improvement based on the clauses of ISO 9001.

The software industry in the United Kingdom was the first to develop additional requirements documented in its TickIT Guide (Note 2) and reflected by its notations on certificates: a tick (British for checkmark), followed by the letters IT (indicating Information Technology). This individualized sector scheme was later followed by other industries and documented in guides such as National Quality Assurance-1 for nuclear quality assurance; ISO 13485 for the U.S. Food and Drug Administration; Quality System 9000/Technical Specification 16949:2002 for the quality system in the United States and technical specification for the international automotive industry; Telecommunication Leadership 9000 for telecommunications; Aerospace Society 9000 for the aerospace standard; International Safety Management for marine international safety management; the FAA-iCMM from the U.S. Federal Aviation Administration; and ISO 9001 models for education, oil and gas, medical, and more.

Sector schemes are one way to improve relative to the performance maturity model in ISO 9004:2000 Appendix A.2. Continually improving by adding to and going beyond ISO 9001 with more in-depth quality principles in maturity models such as the Capability Maturity Model® (CMM®) not only indicates maturity to those models' paradigms, but also increases performance maturity relative to the ISO 9004 performance model.

Other process improvements include incorporating additional quality principles, enhancing metrics to achieve objectives with Six Sigma, pursuing broader excellence standards like Baldrige, or incorporating the new Space Systems — Risk Management (Note 3) ISO 17666:2003 standard. ISO 9001 is flexible enough to allow a company to blend sector schemes or maturity model terminology and process detail that conform to or exceed ISO 9001 requirements when creating procedures. Conversely, a company implementing CMM/CMMI Level 3 processes finds many generally similar processes so that they only have to add relatively few unique clauses from ISO 9001 to also achieve a blended quality system. In either case, it is fundamental to begin with the end in mind in order to architect the building blocks (schemes) that will be blended into your quality management system over time to facilitate an orderly expansion of its features to suit the growth strategy of the company.

Having audited companies in many industries to ISO 9001 for many years, I have found that when companies truly apply ISO 9001, they mature from a mindset of being forced to do it to wanting to do it. The result is pride in quality products and an improved business environment achieved by truly applying the process.

Information Needed to Begin

The first thing people in a company need to know, and the biggest success factor, is that top management supports and provides the resources to implement the ISO 9001 quality management system. People do what top management takes an interest in, participates in, and can measure.

Companies should gather the information mentioned in this article, provide copies of the ISO 9001 standard (at least to key employees), and provide training to all employees on the ISO 9001 standard. They should also obtain the ISO 9000 glossary, ISO 9004 guidance document, and the free ISO guidance documents from the ISO/IEC Technical Committee 176 Subcommittee 2, found at www.iso.org/iso/en/iso9000-14000/iso9000/transition.html.

Any organization implementing ISO 9001 is encouraged to download this information so it understands the intention of the ISO 9001:2000 authors, and it correctly defines its quality management system — be skeptical of anyone who offers contrary advice. The documents include the following:

  • "The Year 2000 Revisions of ISO 9001 and ISO 9004."
  • "Transition Planning Guidance for ISO 9001:2000."
  • "Guidance on Outsourced Processes."
  • "Guidance on ISO 9001:2000 Clause 1.2 Application."
  • "Guidance on the Documentation Requirements of ISO 9001:2000."
  • "Guidance to the Terminology Used in ISO 9000:2000 Family of Standards."

Numerous Web sites offer help for ISO 9001 such as free quality manual templates found by searching Google. Such manuals are only a starting point and must be significantly enhanced to incorporate the processes, terminology, and tools used by a particular company. For example, according to ISO 9001 clause 4.2.2, the quality manual shall "include or reference procedures and describe the interaction between the company's processes."

Be aware that a diagram of the company's quality management system that simply copies Figure 1's process diagram from the ISO 9001:2000 standard instead of creating an actual process diagram of your company would not be generally acceptable to an ISO 9001 registrar. So be specific, as sector schemes are in part the result of companies failing to voluntarily create industry-specific rather than generic quality manuals and procedures in the early years of ISO 9001.

A thorough and honest analysis is a second success factor. An analysis of where the company complies with the standard, and where it needs to take action to establish compliance must be done to gain a realistic assessment of what needs to be accomplished.

A third success factor is to measure twice for every improvement. Companies are cautioned to proceed with a step-wise refinement of their quality system by establishing and measuring system performance before making improvements. Measure, then formalize what conforms, and add what is missing relative to the standard, then measure again. Then go on to reengineer processes and measure again. This establishes the data for the analysis required by ISO 9001 and substantiates the benefits of the quality system. Do not use ISO 9001 as a club to force unrelated pet improvement projects that were not accepted earlier; this is often a recipe for failure, or at least significant delay in implementation.

Your Starting Contact

A company has to decide how quickly it wishes to achieve ISO 9001 registration, and what resources it has to apply to its effort to become registered. Another critical success factor is developing in-house competency by sending key personnel to an accredited ISO 9001 Lead Auditor class.

The ISO offers publications for help in getting started. For small businesses, the ISO also offers a free publication "ISO 9001 for Small Businesses" (Note 4). If a company wishes to rapidly implement ISO 9001 and does not immediately have in-house resources, it may want to contact a consultant who is independent of the registrar. The ISO offers a free guide to selecting a consultant, "How to Choose a Competent Quality Management System Consultant" (Note 5). Remember, the assessment requires that the company demonstrate the quality system is suitable and effective for its business.

The next step is to select a registrar. A resource to help you make that decision is "The ISO 9000 Handbook" [1]. Quality Digest magazine also offers an online list of registrars at www.qualitydigest.com. When selecting a registrar, begin with the end in mind. If you know the company intends to augment its quality management system with one or more of the ISO sector quality schemes or the CMM/CMMI, then consider a registrar who is also authorized to offer this added scope of service to ensure consistency.

How Much Time Will It Take?

The time it takes the company to prepare for the initial audit depends on where it is in the process of establishing a quality management system that conforms to the 31-page ISO 9001:2000 standard, and the degree of sophistication of its implementation.

The fundamental framework for estimating the number of audit days is defined by the International Accreditation Forum, Inc. (IAF) (Note 6) in "IAF Guidance on the Application of ISO/IEC Guide 62:1996" (Note 7). See the Annex 2 — Auditor Time, "Guide for Process to Determine Auditor Time For Initial Audit," and subsequent sections describing factors that may require more or less audit time. If a joint assessment is being performed to multiple standards, guidelines, or models, ensure that enough time is allowed to accomplish both successfully.

The process may start with a preassessment, which is an optional activity, preferably done by the person who will eventually be your auditor. IAF Guide 62 allows value-added assessments that can identify opportunities for improvement, but cannot result in recommendations or advice that would be considered consulting.

The typical process is an initial audit that is longer than subsequent surveillances, as the entire quality system of the company must be audited. An example estimate, drawn from IAF Guide 62 Annex 2, would be an audit of 276-425 employees in one location by two auditors for five days, adjusted per Guide 62.

Subsequent surveillance audits are semi-annual or annual, depending on the arrangements and confidence in the internal audit process of the company, and incrementally cover different clauses of the standard. An annual audit is typically twice as long as a semi-annual audit. After every audit, the registrar also verifies the audit report for conformance to its procedures. Overall, a typical registrar's contract is for three years, after which the current requirement is that the full quality system be re-audited to assure the overall system's continuing effectiveness has been maintained.

What Is the Cost?

Each registrar must be contacted separately as it sets its own day rates, though market forces tend to make rates somewhat similar. The cost is typically determined for the three-year contract, which can be determined once the audit days and day rate have been agreed on, plus any pre-assessments that may be performed and the number of report reviews over the three-year period.

Some companies feel that with registration they have reached their destination (registration) and seek multi-site arrangements and bargain for price. However, remember the audit process is a journey; the auditor can add value in identifying opportunities for improvement as well as nonconformance for breakdowns or deviant evolution in the quality system that needs to be pointed out.

While companies have been known to perform a detailed cost analysis of their efforts, surveys of registered companies have typically shown that when measurements have been established as described above, net benefit can be demonstrated.

Audit Expectations: Before and After

Going into the audit, the company's quality personnel need to be sure of top management's commitment to finding and fixing any issues that may exist. Evidence is overwhelming that, if these issues are ignored or not addressed, they will resurface as even bigger problems later. This is a critical factor for now and the future. Top management must reinforce that identifying problems and opportunities for improvement is a fundamental goal of the quality system.

The company must expect to provide an escort for each auditor and have arranged a schedule with each auditor establishing that all processes and departments identified for audit can be accommodated in the time available. When the audit starts, the overall process is the following:

  • Plan the audit with the lead auditor.
  • Hold an opening meeting.
  • Allow time for initial document review.
  • Conduct numerous interviews.
  • Request documents.
  • Convene interim feedback sessions as appropriate.
  • Allow time for the auditors to formulate results and audit reports.
  • Hold a closing meeting to present the findings and the lead auditor's decision on whether a certificate can be granted.

Findings that are observations or non-systemic nonconformance are handled after the audit. Occasionally an initial assessment finds systemic failure to implement clauses of the ISO 9001 standard or the company's own procedures. This will result in a reassessment to confirm completion of the missing clauses and a delay in issuing the certificate until implementation can be verified.

After the audit, the company must respond in writing to the audit findings (which may be nonconformance or observations), receive an acceptance of the response from the registrar, receive a certificate, and continue to take the committed corrective action to prevent reoccurrence of each finding.

A cycle of surveillance audits, similar to the initial audit, is then performed to verify continued compliance with selected clauses of ISO 9001, as described earlier. The value-added audits add another dimension to the improvement process and help ensure the continued functioning of the quality system.

It is a natural expectation that the desire for continual improvement will cause findings to be resolved. Occasionally during surveillances, failure to implement effective corrective action may result in additional nonconformance; repeat nonconformance for the same finding over time may result in withdrawal of the registration certificate.

All registrars are required to provide a directory of currently registered companies. As the directory must be provided on request, the registered company will not only be listed in the registrar's directory but also in several other compilations of all registrars' directories available by subscription from publications such as Quality System Update or www.qualitydigest.com.

After your company becomes registered to ISO 9001, you should read "Publicizing Your ISO 9001:2000 or ISO 14001 Certification" (Note 8) so you do not violate ISO restrictions. The ISO does not allow registered companies to use the ISO symbol, often referred to as a mark, in their advertising or literature.

Registrars often offer the Mark of Accreditors represented on the registration certificate given to the registered company and the Registrar's Mark to their clients for use in advertising or in their literature. The Registrar's Marks must be accompanied by the company's registration number so customers can verify the registration's validity. After registration, contact the registrar to obtain the marks as well as the restrictions on their use, which per the IAF Guide 62 prohibits using the mark on actual products.

Customers often periodically ask for copies of the current certificates held by a subcontractor to verify registration claims and gain confidence that the company has a quality system that is being audited by an independent third-party registrar's auditor. While many registered companies display their ISO 9001 and other certificates on their own Web site, it is more appropriate to verify that the certificate is current and represents the current scope of registration of the registered company through independent sources.

Independent verification of certificates by the customer is also necessary, as registrars have discovered fraudulent certificates. With more than 500,000 registered companies worldwide and with worldwide subcontracting and e-commerce, the customer must beware.

The registered company must be aware of the restrictions or charges its registrar places on the duplication of certificates, which can become expensive if it has several locations where it wants to display the certificate, or if its customers ask for copies of certificates. Some registrars' directories are online and may display the certificate or permit the customer to print the certificate if the company is currently registered.

Summary

In summary, being assessed to the most prevalent standard in use today can establish the foundation for quality in a company, achieve more immediate benefits to the business, establish universal recognition of a standardized quality management system, and lay the groundwork for continued improvement by expanding to incorporate other quality techniques, sector schemes, and quality models.

Reference

  1. Peach, Robert W. The ISO 9000 Handbook Fourth Edition. QSU Publishing Company, 11 Oct. 2002.

Notes

  1. See www.iso.org/iso/en/commcentre/pressreleases/2003/Ref864.html.
  2. See www.tickit.org/international.htm.
  3. See www.iso.org/iso/en/isoonline.frontpage.
  4. See www.iso.org/iso/en/iso9000-14000/basics/basics9000/basics9000_4.html.
  5. See www.iso.org/iso/en/commcentre/isobulletin/articles/2001/pdf/qmconsultant0112.pdf.
  6. See www.iaf.nu for documentation.
  7. See www.accreditationforum.com/guidance.asp under Guidance Documents (GD Series).
  8. See www.iso.org/iso/en/iso9000-14000/publicizing/index.html.


About the Author
Robert Vickroy

Robert Vickroy is a senior auditor for ABS Quality Evaluations, Inc., an ISO registrar for ISO 9001 and sector schemes and for ISO 14001, and a Software Engineering Institute Transition Partner. Previously Vickroy worked for IBM for 25 years developing systems and automating processes in all areas of IBM engineering, manufacturing, and in software development as programmer, analyst, and manager of software development organizations. As an auditor for TickIT, ISO 9001, ISO 14001 and TL9000, and as a SEI authorized Capability Maturity Model® (CMM®) Assessor and CMM Integration (SM) Appraiser, Vickroy has assessed more than 300 quality management systems, specializing in assessing jointly implemented systems. Additionally, he achieved the following certifications: ASQ-CQA, ICCP-CDP, EDPA-ISACA and ISC2 security auditor, and he is a trained NQA-1 auditor. Vickroy has a Bachelor of Arts in computer science, a Bachelor of Arts in accounting and economics, and a Master of Science.

ABS Quality Evaluations, Inc.
16855 Northchase DR
Houston, TX 77060
Phone: (281) 877-6485
Fax: (281) 877-6001
E-mail: bvickroy@eagle.org



® Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

SM CMM Integration is a service mark of Carnegie Mellon University.
