Ideal way or steps in preparing the system certification for ISO9K:2K?


Quite Involved in Discussions
Hi Everyone,
Is there an ideal way or steps in preparing the system certification for ISO9K:2K?:bigwave:
I was quite confused on the steps that was been provided to me.
We are ISO9001:1994 certified, does everybody undergoes soft launching on the ISO9K:2K?:confused:
I'm planning to slowly update our documents and align to the ISO9K:2K standard.

Any feedback would be appreciated.

Thanks in advance,

Raffy :cool:


Fully vaccinated are you?
In the 3 'upgrades' I've been involved in, we did little more than rewrite the quality manual. There were no major systems changes but we did do a 'top level' flow chart of the 'QMS' and a preventive Action flow chart. Both just repeated existing systems. No document re-numbering or anything like that. Finished the 3rd today with 0 findings (there was one 'gray area' finding that was dropped).

What steps have been 'provided' to you and by whom? Need some more detail.

I have been, and still do, contend that people (especially training companies, consultants and such) are making this out to be a big deal. It isn't. What I find hard to believe is companies are still registering to ISO 9001:1994... :bonk: What maroons... :thedeal:


Quite Involved in Discussions
Hi Marc,
Thanks for responding immediately to my concern.
" What steps have been 'provided' to you and by whom? Need some more detail."
To start with is soft launching of ISO9k:2K to the management; planning; hard launching to all employees; different courses needed to support the ISO9K:2K alignment;gap analysis;internal audit; followup audit. I got it to a consulting firm that offers their service in educating us with the ISO9K:2K.
Originally quoted by Marc:
"What I find hard to believe is companies are still registering to ISO 9001:1994... What maroons... "
With regard to this, since there were no requirement coming from our customer that we need to certify to the new standard and we are caught that our certificate would be expired in months time, we opted to choose the old revision.

M Greenaway


Many of the registrars offer a transitional audit cycle (in addition to your 1994 audits). These are basically extra visits over a two year (or less) period where a section of ISO9000:2000 will be audited against at each visit to see if you are up to scratch.

Although I havent been through it myself this sounds like an excellant approach, and avoids you doing needless, or possibly innacurate gap analysis as the registrar effectively does it for you. These transitional audits wont threaten your 1994 certificate, and so long as you implement all corrective actions you will get your 2000 cert at the end.

Sounds simple ?


Fully vaccinated are you?
I agree with M Greenaway that a 'gentle' approach would be a good idea. And I apologise for the nick against those registering to ISO 9001:1994. I will admit some giddiness on my part as I responded within hours after another successful upgrade - that always puts me in a good mood... However, I was thinking of first time registrations. It is my understanding that registrars (at least some - this one still is) will still register a company (initial registration) to the 1994 version.

If I were you I would do my own internal gap analysis since you are already registered. Then ask yourself what you have to do. What I did was use the files in the ISO Mains directory Upgrade subdirectory (Premium File Access):

ISO9K2K_Upgrade Gap_Analy.xls and ISO9K_Upgrade.ppt were the two main files I used. I went over the line items in ISO9K2K_Upgrade Gap_Analy.xls with the management rep at each place and made sure they could answer / address each line item. That was their 'training'.

However -- Each of the companies I have worked with were former implementation clients. The one I worked with yesterday was registered in 1997. This said, each company had one or more people who understand ISO 9001 so when we looked at the differences they had a pretty good grasp of the requirements as they applied to their company. Secondarily, each was a 'Flow Chart' implementation and they followed my advice on systems when they first registered.

My concern is you mention things like courses needed to do the upgrade. I guess I gave my clients 'courses' in the sense that we did sit down and go over the requirements, but there were no courses per se involved. None of the mainstream prsonnel went through any training as the differences didn't require anything that needed training. We did not even do a management review to the new standard nor did we do an internal audit prior to the upgrade. The auditors in 2 cases were unsettled by this, but I used the standard "Show me where it says..." and they let it go.

I guess had I not already gone through 3 upgrades now (two with 0 findings - not as much as a minor) and in none of the cases did we do anything more drastic than what I have mentioned, I am having a difficult time understanding what all the hoopla is about. In each case we were able to look at existing systems which address the 'new' requirements. Not even the quality policy had to be updated. We completely rewrote the quality manual (1 day using my template and transferring references) and did two new flow charts (1 day). We had a sitdown first where we went over the line items in ISO9K2K_Upgrade Gap_Analy.xls (a morning) and not much else

So - I guess my summary is to do an internal gap analysis, identify gaps and go from there. I would make sure that you are not already addressing the new requirements. The few places I found issues were in their readiness to discuss the new requirements (which we dealt with the morning we went over the line items in ISO9K2K_Upgrade Gap_Analy.xls) and - as I said - all were already doing what the 'new' standard required. The main hangup - if one can call it that - was to ensure 'measureable' quality objectives. Communications and most of the other issues were already a part of their operations (more basic good business practices).

Unfortunately I believe there is a lot more hype than reality in what many people are saying about how the changes to the standard are significant. I might feel differently but I spent less that a week with each client going through the 'upgrade' process.

If you do an internal gap analysis and want to ask specific questions about specific 'new' requirements you do not believe you already meet, I'll try to tell you what we found and did. In addition, I did put in a field in everyone's user profile wher you can put in your company size - that would give me a better idea (I checked and you haven't updated your profile) as to the possible complexity of what you're dealing with.

If I have one sentence of advice - don't over complicate what the 'new' requirements actually require. If you look closely you may already be doing what is necessary - It may be you're just not ready to explain.

Jim Green

Additional Training for ISO 92k

What about additional training for Internal auditors. These 8 quality management principles and techniques that they are required to know?
On to another subject.
I have been following this forum for about 3 yrs. Good info. and it makes me feel like I am on the cutting edge of quility. Thanks for your efforts.


Fully vaccinated are you?
> These 8 quality management principles and techniques that
> they are required to know?

Where in ISO 9001:2000 does it say there are 8 quality management principles and techniques that someone has to know? I would like to know where it comes from because I seem to have missed it somehow.

I would definitely go through the changes (we're talking upgrade, right?) with your internal auditors. While it is not required per se, I would go through a round of internal audits prior to the registrar coming.

Each of the registrar's auditors I 'experienced' in upgrade audits was Ok with the fact that none of my clients did a round of internal audits (but they were each surprised and expected problems and they said so), but I went through the differences with my clients so they knew what the rquirements are and how to approach auditing them, not to mention addressing them. When you come out of an audit with 0 findings it's hard to complain that the company needed a round of internal audits to the new standard. A registrar might require a round, but the standard does not and the registrars I have dealt with did not specifically require them.

What I am saying is I see stuff like this:<hr>
PeterH wrote in message
news:[email protected]...
> I recently attended an ISO9001:2000 workshop for QA managers upgrading
> from ISO9001:1994. I was left with a couple of questions in my mind
> that weren't clearly explained. You may be able to help me.
> Q1. Can exemptions be sought from ALL subclauses of Clause 7 (ie Cl
> 7.1 to 7.6 inclusive) as per Clause 1.2? The presentation notes I was
> given only mentioned Cls 7.3 to 7.6 being exempt.
> Q2. The workshop notes stated that procedures must be documented (ie
> they are mandatory) for Cls 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2 and 8.5.3
> and that other clauses can be verbal, if necessary, for the remainder.
> Where in ISO 9001:2000 does it mention these mandatory requirements
> and that some can be verbal? In what way can procedures be verbal and
> still be auditable?
> Q3. What are the main things to look for when changing from
> ISO9002:1994 to the new ISO9001:2000. Is it simply that the company
> would need to review how much design it does that was once excempt
> from the requirements of ISO9002 that may now be required to be
> included under ISO9001:2000?
> regards
> PeterH

From: "Dave & Rachael"
Newsgroups: misc.industry.quality
Subject: Re: Some 9001:2000 Questions
Date: Tue, 12 Feb 2002 21:27:59 -0000

Here's my experiences of going through certification:

Q2: The procedures called for in the standard are mostly common sense ones you would need regardless of whether you are using the ISO9000-series of standards. Effective document control does not happen by chance.

Our approach was to develop a high-level management plan that contained the objectives we planned to meet over the coming three years (it is updated each year). To support those objectives, we developed a series of simple process maps that described the steps taken to meet those objectives. Where necessary, those steps were supported by lower-level Quality plans that in turn referenced procedures. The progress of the objectives were monitored by the top-level Management Board using a traffic light system (green = OK, amber = minor weakness, red = major weakness) in a balanced scorecard.

What the Standard is trying to say is don't create procedures for the sake of it. If you need a procedure, and it will be used, create it.

Q3: The main changes for me were: - the use of the eight Quality Management principles - integrating the Quality Management System into the business planning activities - development of processes (don't underestimate this task - processes and procedures are different) - changes of auditing practices (processes + data replace procedures in many cases) - trying to communicate a technical subject such as process management to non-Quality staff

Two main pluses were: - we have LRQA as our assessors and they had created a transition checklist - we formed a working group of the Management Board to answer each question (over 100 of them, it took eight hours over three sessions) - we introduced the Management Board to the standard through mini-workshops (over three months) lasting about ten minutes where we brainstormed how we met the eight Quality Management Principles

By the time we had finished, the Management Board had bought in and knew what was going on. It was a big effort - don't underestimate it. From start to finish, the transition takes about a year for an organisation of about 150 staff.

We're talking tons of bucks here. I hope that's for an implementation from scratch. And if the person means there are only 150 people in the company where he states " organisation of about 150 staff..." a year is a long time. Is that everybody or does he mean only office personnel by using the word 'staff'? A year for a transition is way, way too long. Every client I have has already had stuff like goals and objectives at every level of the company. That's what any good company will be doing anyway. If a company currently does not have those, how do they control their operations? How do they advance and improve?

I'm just using the above as an example. My point is to take a close look at the 'new' requirements and make sure you're not already doing something but never really thought of what you are doing in light of the new standard before.

The 'process approach' thing also galls me. Practically every client I have worked with in implementations since 1994 has used flow charts for level IIs as a minimum. These flow charts already show where functional groups interact and how (also defining communication channels). The flow charts themselves describe their processes. This said, they have taken a 'proess approach' for years. This is a smoke screen of confusion in my opinion.

Bottom line: Make sure you understand the changes and make sure you're not already doing what they require before you start a crusade for change as many seem to be making this out to be.

Just my opinion... I've been through 3 upgrade audits and 2 implementations to the 2000 standard from scratch and all have been smooth audits with one exception where 1 of two auditors was a pain in the butt. But - all were successful. In two upgrades 0 nonconformances were identified. But - You never know. I could be missing something obvious. :thedeal:

M Greenaway

Marc, i'm sure you know this...

The 8 management principles are defined in ISO9000:2000 - which isnt auditable, but would be a good idea I think if auditors understood the principles (unless of course they start quoting non-compliances against it !!).


Fully vaccinated are you?
Ah! OK. We're talking about 0.2 in that document. I agree that's not a bad idea - I've just never gone that far with internal auditors.

Bruce Wade

The eight management principles are included in our Level I manual. All auditors are trained to look for use of these principles in our procedures, processes and activities.

The auditors are also instructed to use them in conducting audits, where appropriate, i.e. factual decision-making in performing audits and analyzing results, examining processes and looking from a "systems" approach during audits.

Upper management has ascribed to these principles, per the Level I manual. Therefore, IAs are free to comment on use and call management for nonconformance when they are not used.

This (we hope) does a couple of things. First, using the eight principles, particularly using factual information in decision-making, should help keep the nonconformance system impersonal. (Like many sites, this was previously a problem. People punished each other by sending nonconformances. Lots of anger and rage!) Second, it should help keep our "feet to the fire" in terms of dealing more appropriately with nonconformance and CA/PA.

I believe this were probably the purposes of including the management principles in ISO 9000:2000...
Top Bottom