ISO 9001:2015 - Small Shop


I run a small division of a larger company that will most likely be spinning it off into its own entity in the next 6 months. We are currently ISO 9001:2015 certified, but I have been having more and more issues with our auditor and was hoping someone could give me some advice before I decide whether or not we want to actually go after ISO as a stand alone company.

Management review is a great example of some of the issues I'm having as I did not attend our last management review meeting (with the larger company) as I was running PPAP samples for a new job. I was written up for that, rightly so, although I do have plans to meet with the owners of the business to go over the topics I normally cover. With the way things are currently setup it's usually a 3 hour meeting where I talk for 10 minutes while everyone plays on their phone b/c they have nothing to do with my shop. Most of the time it's not a problem, but being such a small shop I don't have anyone to fill in for me on important things like PPAP launches and to me, that's far more important than a meeting to review things with people who have little interest in what I'm doing.

My question is, how do you handle things like this in a small shop? I have 2-4 employees, but they have little to do with big picture things... does the standard require me to have a meeting with myself and then document it? I'm struggling with a lot of the day to day stuff that looks good, but really adds no value to my business. I do work with some Tier 2/3 automotive suppliers and they do like it when I'm ISO certified, but they also usually have an out that we can supply parts to them without a certification assuming we pass an audit from their quality department.

Does anyone have any thoughts?

Does anyone know of a consultant who specializes in companies this small and ISO?

Any feedback or help would be greatly appreciated.
does the standard require me to have a meeting with myself and then document it?
The standard doesn't require a meeting. The standard requires a review. If there is only one person (you) who can compile the information for the review and take action based on that review, there is no requirement that you involve others. You need to have documented proof that the review occurred and that you reviewed all the items required by the standard.

Ron Rompen

Trusted Information Resource
As indubioush said, a 'meeting' isn't required. You can review the items via email (which provides a record of the review), or while having lunch. I disagree with the suggestion that there is no requirement that you involve others - as the COO of your 'small shop' there must be others who are involved at a senior 'strategy planning' level - they need to be involved and to provide some input into the review. It would be difficult to justify that you held the review meeting with only yourself.


Super Moderator
Why don't you report to your certification body regarding issues with your auditor or get the auditor changed?

The requirement is that top management has to review the QMS, so it depends upon who you assign as top management, whether it is one person/group of people.

Just make sure you cover all required inputs as per 9.3.2.

As suggested by Ron, the review can take place through an email. You can just summarize the inputs in one email / send the summary as an attachment to the top management. And their comments to this email/attachment in email can be considered as a management review.

John Broomfield

Super Moderator

Every now and then you take a moment to consider:

A. What your company (system) does well,
B. What your company does less than well,
C. What you are going to do about B. above.

Record your musings in your calendar, share them with your employees and set a reminder for your next review.

Or, if you are building the value of your business you could make a more conventional record and plan.

Continued certification of your system by a reputable accredited body should enhance the value of your business.


Fully vaccinated are you?
ISO 9001 9.3.2 - Management Review Inputs

For effective review and decision making, the management review shall take into
account the following issues:
  • Follow-ups from previous reviews and status of decisions and actions taken.
  • The review shall discuss changes in external and internal issues that are relevant to the quality management and their influence on it.
  • Information regarding the performance of the QMS with reference to trends and indicators such as
    • Results of customer satisfaction and feedback measurements
    • The extent to which quality objectives have been met
    • Process performance and product conformance supported by evidences
    • Audit results: internal, external, and customer audits
    • Information about nonconformities and status of corrective actions
    • Results of monitoring and measurement activities
    • Issues related to suppliers and external providers that may affect products, services, and the QMS
  • The adequacy of resources
  • The effectiveness of actions taken to address risks and opportunities
  • Opportunities for improvement


Trusted Information Resource
You're life is about to get much easier. No more 3 hours useless meetings. All you have to do is setup a "meeting" with 3 people -- me, myself and I. As long as they don't argue, you're meeting will be quick. :)

So the easiest thing to do is create a working record of management reviews. List out all the criteria in the above posts. Take that to every meeting with your team and keep it readily available at your desk. Whenever you discuss or think about something on the list, make your notes. For example, part of our review our monthly/quarterly data. So I just jot down the numbers for each quarter on the record, thus noting I have reviewed them. I hand that to the auditor each year and management review audit is basically done.


Trusted Information Resource
I run a small division of a larger company that will most likely be spinning it off into its own entity in the next 6 months. We are currently ISO 9001:2015 certified....

With all due respect, I will just say that the quality system process ID is most likely not effective.

It should describe the activities that take place under the certificate at each site. I would suggest that the process id should identify your site as a 'submit records for process effectivenesss and communicate objective results and manage local NC's' kind of responsibility for the site.

That is the way to keep the auditor on track and not look for things that won't be there (a.k.a. the low hanging fruit) and make them assess your processes.

Just make sure you cover all required inputs as per 9.3.2.

And perhaps the outputs per 9.3.3?
Top Bottom