Compliance With ISO 9000:2000 - Upgrade of system to ISO 9000:2000


John C

Compliance With 9K:2000

Cove Contributors,

A current client wants me to put together a plan for upgrade of his system to ISO 9000:2000. I hadn’t done any work on the new version, having waited until the final draft was out before spending effort on it and now I see it has presented me with something of a quandry;
My impression from various sources was that there would be few changes necessary - the general opinion seemed to be that if you qualified for ‘94 then you would qualify for ‘2000 without much re-documentation. Certainly, my view of ‘94 and the developer’s approach to the subject led me to think that this would be the case.
Now I’ve looked in detail at some of 2000, I see a new approach. A lot of things which were assumed or implied before, are now written down as specific requirements. My conclusion is that we need a considerable documentation effort to upgrade.
My ‘quandry’ is that the rest of the world might not see it like that.
I think it is quite possible that these requirements, that I see as specific, will go on being seen as ‘assumed’ and that little will be done to come up to the new level and that registrars will accept it that way and go on as before.
Let me give an example;
In the 2000 version section 4.1 there are 9 requirements, including a) to f) plus a note. The first line and the note, indicate that procedures are required to cover requirements for section 4 and, as in any audit, the auditor is likely to ask were you doing the right thing and have you evidence of doing it. As I see it, each of these requirements is specific, individual and open to these questions from a registrar auditor; ‘Have you done this? Where is it documented? Tell me how you did it? Can you show me evidence (ie; quality records) that you have done it.’

In the appendix showing correspondance 2000 to ‘94 it states that this 4.1 corresponds to 4.2.1 of ISO 9001:’94. But, in fact, the old version asks for only 3 specific responses, ie; ‘document, etc a DMS, prepare a QManual, refer to the procedures and outline the structure of the quality system.
The old version does not ask for continuous improvement. It does not ask us to ‘identify the processes needed and their application’, which I see as asking for a process of identifying the correct ones and a means of providing evidence. It does not ask us to determine the sequence and interaction (quite a different thing from ‘structure’. Nor does it ask for what I consider to be the best and biggest question of all; ‘Determine criteria and methods to ensure implementation and control is effective’. That’s the $64000 question (or requirement). A whole lot of thought and good work would go into that one to come up with a valid answer.
Similarly; ‘Monitor, measure and analyse these processes; Implement actions to achieve planned results, continuous improvement. The final requirement, ‘Processes needed for QMS including management, resources, product realisation and measurement’, leaves us open to be written up on any significant process that isn’t documented.

I hoped that this new approach would only apply to section 4, but as I go on, I see the same type of specific requirement appearing where, before, the method was assumed and the end product was all that was asked for. It seems like a totally new standard to me.

I’d like to hear comment on this issue. How far do people think we have to go? Is my comment valid? practicable? likely to be the right and the effective way to deal with things?

My own view is that it is right to read into it these specific requirements. They have always been part of the response to the standard, as I saw it, but not specified. However, since I object to the restriction and the problems likely to arise from registrars, I do not approve of their appearance in the 2000 version.

What do you think?
thanks and rgds,
John C
Elsmar Forum Sponsor


In response to your questions:
1. There's an excellent article on auditing to the ISO 9001:2000 version in the May 99 issue of Quality Progress. Let me know if you need a copy.
2. Registrar [and other] auditors will have to focus on evidence of effectiveness, the evidence being key metrics showing progress towards quality goals and targets (e.g., OTD, FTY, COQ reduction, etc., whatever makes good business sense in the eyes of your customers and other stakeholders, and other evidence of compliance e.g., listening to auditees, observing people working, and quickly understand what the organization is doing, not what the 3rd party auditor thinks they should or must be doing) and evidence of action taken when trends indicate you're not making progress (showing trends over time began to show progress).
3. Auditors must stop looking for mismatches between documented procedures and practices. Your QMS needs to be able to quickly adapt to changing business conditions. Note that only 6 requirements require documented procedures.
4. I was able to audit more than 650 organizations over the past 10 years. During 2000 I saw several organizations either converting to electronic documentation, corrective action, change control, etc., or starting their systems that way from the start of the ISO/QS/AS process. What a great way to streamline and simplify a typically over-documented, detailed and tedious non-value added way of keeping a certificate on the wall! [and it gives 3rd-party auditors (many of whom have never worked in a factory) a field day for writing frivolous non-value-added CARs for mismatches between practices and documented procedures]. However, during a 4 day TL 9000 class last week I asked the consultants (Excel Partnerships) if they had also seen any recent digital approaches to Quality Management Systems. They told me Control, an Enterprise Management Process software tool, was the best they'd ever seen, and I agree 100%! I've seen it work and highly recommend considering it. I didn't have a chance to search the Cayman Cove Forums, but if you don't already know about it you can learn about and download a free demo from this site::


Good luck!

[This message has been edited by stefanson (edited 29 December 2000).]


Fully vaccinated are you?
Staff member
I don't know if this will help. I personally think you're reading too much into the 'new' requirements. In December the 3rd company I have done to the DIS registered without a problem. The implementation was not significantly different than to the 'old' standard. Before you say "Yeah, but you were audited to the old version..." you should know we were audited to the quality manual as well which was written to the DIS (the last one to the FDIS).

On the other hand, I offer the following:
Newsgroups: misc.industry.quality
Subject: Re: ISO 9001:2000
Date: Mon, 1 Jan 2001 21:58:51 -0000

> > Dave & Rachael wrote in message
> > news:[email protected]
> >
> > How did the ISO9000:2000 audit differ from an ISO9000:1994 audit? My
> > assessment body is still considering [at the start of December 2000] how to
> > audit against the new standard.

> David Tan wrote in message
> news:[email protected]
> Interestingly enough, the audit is very much different from the old ISO
> which stresses on COMPLIANCE. I always remembered "say what you do and do
> what you say". This rule of thumb seems to be lesser of importance. The
> new emphasis was very much on EFFECTIVENESS. By doing what you say is not
> good enough, the bottomline is "IS IT EFFECTIVE?" . Does it help the
> organisation to gain more customers, keep customer's happy, achieve business
> goals? Lastly, how can you tell how good or how far off ? Systems must be
> in place to monitor and assess the effectiveness of processes. The only way
> to be able to distinguish effectiveness is to be able to measure it and best
> of all matched against certain set benchmarks.
> Finally some key words that summarises the new ISO - Commitment, Customer
> focus, Continual Improvement, Effectiveness.
> In essence, the 9000:2000 makes more business sense and I believe would
> steer organisation towards a better customer focused, better managed
> organisation.

Starting to sound strange...

[This message has been edited by Marc Smith (edited 01 January 2001).]

John C

I've finished my first review of '2000;
Not including the Design Section (working from 9002 basis), I've identified 45 requirements that I consider new. I admit that I always regarded virtually all of the 45 as necessary for a DMS, but they are not in 9002. How they translate in terms of what is in the a typical system compliant with 9002, I can't say. I don't have the same concerns as I had at first sight regards the new stuff in there; It drives right through from the Policy to the final review, keeping focus on the customer and on improvement and most of the differences are in these two areas - which were almost ignored in 9002 - so that's ok.
But, my 45 new requirements came in a total of only something over 150, so it's a pretty significant difference. (I'm not saying there's only 150 requirements - it's just the way I grouped them, everyone would have their own figure)
I think I'd find a good few ommissions in an average '2000 system unless people are a lot cleverer and dedicated than I give them credit for.
As regards, effectiveness; This word comes in quite a lot but I don't believe it can be very relevant in terms of measured improvement - we do have to maintain objectiveness in auditing. How can you judge the effectiveness of an improvement of 4.3%? How can you judge the validity of the percentage of effort directed into the measurement of effectiveness? (This new standard might tend to require a team of quality professionals, but I don't think we're going to get them whether we decide we need them or not) It would take either an exceptionally bad, or an exceptionally good system to turn that sort of data into objective evidence. I think it is going to be a case of addressing the issues, having a process that can be seen to be working, and leaving it at that.
Anyway, that's all very well but, what about my 45 new requirements? Has anyone else seen any? Real, spelled out ones, that is, not just opinions.
Are we going to be audited against the standard or against registrar's and auditor's ideas about what we should be audited against?
rgds, John C

Andy Bassett

Hello John

I have been drawn to this particular post several times like a moth to a flame, as i know from previous discussions that any response is likely to be completely opposite to your preferred method of work. But what the hell, it cant hurt to look at a problem from many different angles, even if they do seem obtuse.

I seriously beleive that the new ISO 9000 is an improvement over the last version, because it requests more precisely concepts that have a chance to add value to a company. ie Customer Satisfaction, Process Measurements, Company Objectives etc.

Yes it is true that if a company was committed to enthusiastically implementing the full INTENT of ISO 9000:1994 in the first place, then there shouldnt be any major differences. I just havent met many of these companies.

The new ISO simply supports better anybody who is seriously having a go at implementing Best Practise in an organisation.

Thats the background. So how have i changed my approach when implementing the new ISO 9000:2000?.
NOT AT ALL. My approach is absolutely the same as before. I work from the point of view of what does the company need. What is the Value Chain, what are the Critical Processes needed to make this company successful (and rarely are they the same as the required processes from ISO) and then define them and improve them.

After having done all this i then go to the Standard and see how far away we are. If something is missing that can add value for the company, i am angry at myself for the oversight and i include it. If something is missing that doesnt add value i gird myself for a fight with the auditor.

However i am always surprised after building a system that the company needs just how close it is to the intent of ISO.

My point is why not try to approach the company from the point of view of what do they need to be successful, not what are the ISO 9000 requirements. Dont read too much into the Standard itself. my experience is that an auditor can differentiate between a company that is systematically striving for Best Practise and a company that is trying to pull the wool over their eyes. I suppose the risk is that you could meet a pedantic auditor who simply quotes the Standard chapter and paragraph at you, but in this case i would change the auditor instead of the system.



Andy B


I agree with Andy regarding reading too much of the requirements of the standard, the value added aproach to business practices are more important to organizational development, However,Management commitment, document control, records and training remain the backbone of any quality system.


A new paradigm is born so -most of us are going back to zero. Naturally, we resist the change - some people I know memorized and can recite almost all of the 1994 version. Many of us are taking steps so quickly and started working on the changes, when more time to study, understanding and reflexion is needed to assimilate the new model. The two most important features of the new model are related to the customer and continual improvement. The steps I am starting to take are:

1. Read the new standard completely once.This should include the ISO 9000 and ISO 9004 documents, and of course the ISO 9001.
2. Read it again, this time making notes as you go, on ideas. Brainstorm with people from different departments.
3. Analyze the process, as if iso 9000 version 1994 never existed. Concentrate on the value chain and the process flows and interactions.
4. Identify processes, products and documents that are providing real help, value, and support to the people; and those who don't.
5. Define new processes, with two objectives in mind, first, provide a healthy and valuable quality system and second, to comply with the new ISO 9001:2000.
6. Only after those six steps, make a plan to document the sistem, that is, what, who, when and why to do it. Some useful documentation identified in step 4 can be used, changing the identification to align it with the new clauses and making any necessary changes.
7. Implement the system. Phase out all of the now obsolte 94 based system.
8. Audit internally and then with a certified outside auditor before the certification audit with the new standard takes place.

In my opinion, this is an opportunity to review and redefine our approach to quality, it may be better to go one firm step at a time. Some people already wrote manuals and procedures based on the drafts, and the standard has important changes even from the final draft. Get your copy of the standards and dump the previous drafts - the standard eliminated a lot of jargon and confusion in the redaction.

Good luck in your efforts to make a professional and sound transition !

Gus Gutierrez


Train your management in ISO 9000:2000
Train your internal auditors (thoroughly) in ISO 9000:2000
Train your employees in ISO 9000:2000
Audit your quality management system ( 2 cycles)
Tell your auditor you are compliant with ISO 9000:200 and you need to be audited to that standard.

Dave Taylor
Thread starter Similar threads Forum Replies Date
O ISO 9000 section 7.2.1(c) Compliance help needed ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
S Have I got the right idea for my ISO 9000 compliance project... ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 27
C ISO 14001:2015 6.1.3 Compliance Obligations - Legal requirements monitoring ISO 14001:2015 Specific Discussions 0
K ISO 13485 and compliance of electronic signature ISO 13485:2016 - Medical Device Quality Management Systems 5
A Environmental Compliance obligations and risks (ISO 14001:2015 6.1.3) ISO 14001:2015 Specific Discussions 3
G ISO 14001 - 6.1.3 Compliance Obligations ISO 14001:2015 Specific Discussions 1
N Which EN ISO 17664 version compliance to EU MDR? Elsmar Cove Forum Suggestions, Complaints, Problems and Bug Reports 3
C Compliance with ISO 17025 requirement 8.4.2 - Controls - Records recovery ISO 17025 related Discussions 4
G ISO 9001 Legal Compliance and Legal Register Requirements ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
Sidney Vianna Interesting Discussion Legal compliance as part of ISO 45001 accredited certification. Major OSHA penalties in the USA. Occupational Health & Safety Management Standards 15
P Relevance of Offsite backups process compliance and ISO 27001 certification. IEC 27001 - Information Security Management Systems (ISMS) 3
B ISO 9001:2015 vs ISO 13485:2016 for MDR Compliance EU Medical Device Regulations 4
E Compliance to standards (ISO 80369) but the ID is out of specification Other ISO and International Standards and European Regulations 0
E Template of a Management Review Agenda or Report in compliance with ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 6
S Saving QMS documents in cloud drive - Compliance with ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 3
L Implementation of ISO 27001 as part of the GDPR compliance journey Other Medical Device Related Standards 2
C ISO 13485 certified as precursor to regulatory compliance to 21 CRF Part 820? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 7
S What records are required to show compliance to ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 1
J ISO 9001:2015 8.2.3 - Review of Requirements (Clarification on compliance) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
N ISO 17025 Clause 4.6 Purchasing Services & Supplies (Compliance) ISO 17025 related Discussions 3
A Action to demonstrate compliance with on clauses 4.1, 4.2 and 6.1 of ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
M Partial Compliance to an ISO Standard for Medical Device CE Marking EU Medical Device Regulations 13
J Anyone here use Paradigm Sofware to manage compliance with ISO standards Quality Assurance and Compliance Software Tools and Solutions 3
B Would compliance with ISO/TS 16949:2009 mean also compliance with ISO 9001:2015? IATF 16949 - Automotive Quality Systems Standard 1
N ISO 20000 Implementation Guide and Compliance Checklist wanted IT (Information Technology) Service Management 2
U Compliance with CFR 21 Part 11 vs. ISO 9001 Certification Qualification and Validation (including 21 CFR Part 11) 9
J Assessing compliance with ISO 13485 Section 6.1 ISO 13485:2016 - Medical Device Quality Management Systems 10
S Evaluation of legal compliance to ISO 14001 and OHSAS 18001 ISO 14001:2015 Specific Discussions 18
L CE Auditor Using ISO audit reports to show compliance to the MDD?? EU Medical Device Regulations 4
P ISO/TS 16949:2009 Compliance - Self Declaration Audit IATF 16949 - Automotive Quality Systems Standard 4
D Customer will not submit Purchase Orders - System for ISO 9001 Compliance ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 16
D ISO EN 60601 Edition 3 Class IIa Medical Device Compliance Other ISO and International Standards and European Regulations 2
M Pre-Selecting Materials for ISO 10993-1 Biocompatibility Compliance Other ISO and International Standards and European Regulations 5
Icy Mountain ISO 14001 Compliance - Do I need an Accredited Registrar? ISO 14001:2015 Specific Discussions 12
B What are Guidelines? Compliance to ISO 9001 Clause 4.2.4 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
B ISO 9001 Compliance or Excellence: How is Quality best achieved ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
Richard Regalado A.15 Compliance - One of the grey areas of ISO 27001 IEC 27001 - Information Security Management Systems (ISMS) 7
F What Compliance to ISO 9001, 6.2.2 Competence, Awareness and Training Means ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 35
V Achieving ISO/TS 16949 "Compliance" - Miscellaneous clarifications needed... IATF 16949 - Automotive Quality Systems Standard 9
T Quality Compliance Software to meet ISO 13485 QMS and 21 CFR 820 Requirements Quality Assurance and Compliance Software Tools and Solutions 3
W European Union Customer Request for ISO 13485 Compliance ISO 13485:2016 - Medical Device Quality Management Systems 5
Q ISO 13485, ISO 9001 QMS and FDA Requirements - Process vs. Compliance Approach? ISO 13485:2016 - Medical Device Quality Management Systems 4
T ISO 14155 Good Clinical Investigation Practices Compliance Checklist? EU Medical Device Regulations 1
K Compliance with ISO 22000 Clauses 8.4.2 and 8.4.3 Food Safety - ISO 22000, HACCP (21 CFR 120) 1
S Providing Evidence of Compliance to MIL-I-45208A and ISO 9001:2008 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
E Sterile Validation Management in compliance with ISO 17665 Other ISO and International Standards and European Regulations 1
J Compliance with ISO 9001 Clause 7.6 Control of Monitoring & Measuring Devices ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
S Implementation of SAP and compliance to ISO 9001: 2008 Document Control Systems, Procedures, Forms and Templates 7
N Field Audit Tools for ISO 14001 or Environmental Compliance General Auditing Discussions 5
M Compliance with ISO 9001 Clause 7.1 - Planning of Product Realisation ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 19

Similar threads

Top Bottom