
Standards

Your practical guide through the maze of standards

With the proliferation of management system standards based on quality principles and ISO 9001, we can help you to navigate the maze and minimize duplication, complication and inefficiency.

Q! Standards

Choose each standard below to see how they might apply to your business.

Subject

Quality

When to use it

ISO 9001 is the foundation standard for most management systems. Use it to improve the quality of your products, services or processes, and to bring structure and consistency to the way you work. 

Integration with ISO 9001

ISO 9001 tells you what to do but not how to do it, so there is flexibility to integrate with your existing ways of working. Most other management system standards are based on ISO 9001, so it often makes sense to start with ISO 9001, allowing space to plug and play other standards later on. 

Certification

Several new requirements were introduced in ISO 9001:2015. These are intended to encourage alignment between your management system and the goals of your business, together with a more proactive (risk-based) approach. Approached positively, the new requirements can help you to manage problems, risks, opportunities and changes in a structured and efficient way. We are finding that most certification auditors now look more at business alignment and system effectiveness than at the minutiae of document control, record-keeping and bureaucracy that tended to dominate their thinking in the past.

Subject

Quality and regulatory compliance (Medical devices)

When to use it

Use ISO 13485 when a quality management system is required as part of regulatory compliance in one or more stages of the life-cycle of a medical device, from design and development to decommissioning and disposal. The standard is explicitly aimed at regulatory compliance but can also be used on a contractual or voluntary basis.

Integration with ISO 9001 

Due to a combination of timing, politics and the intricacies of committee workings, this standard, although revised in 2016, is not aligned with ISO 9001:2015. This makes for an awkward integration. Some of the key changes in ISO 9001:2015 are contradicted by ISO 13485:2016. For example, the requirements for management representative, quality manual and preventive action have disappeared from 9001 but remain in 13485.

Certification

There are a limited number of certification bodies accredited for ISO 13485 and other international schemes such as the Medical Devices Single Audit Program (MDSAP). Some of these are major players who are also notified bodies for CE marking under relevant EU Directives. Others are only involved in ISO certification. Within the standard there are clause by clause links to the Medical Devices Directive and the Active Implantable Medical Devices Directive. These EU Directives have now been superseded by the EU Medical Devices Regulation (MDR) and many of the certification bodies who are also notified bodies are more focused on this transition than the ISO standard. In some cases, they are turning away new ISO 13485 business until they have completed the switch to MDR with existing clients. Compliance with ISO 13485 can satisfy some but not all of the regulatory requirements. 

Subject

Environmental

When to use it

Use ISO 14001 to manage your impact on the environment, comply with environmental laws, reduce waste, improve environmental performance and demonstrate your green credentials. 

Integration with ISO 9001

Of the increasing number of management system standards, ISO 14001 has been around for longer than most. It has always been closely aligned to ISO 9001 and many businesses operate a single integrated management system to meet both standards. 

Certification

By aligning the management processes and audit programmes for quality and the environment, compliance and certification can be maintained at a lower cost. New requirements were introduced in ISO 14001:2015, partly to align with the new ISO 9001:2015 requirements for strategic alignment. Other changes include the need to take a life-cycle perspective on aspects, impacts and controls, with particular reference to design and procurement aspects. There is a new focus on evaluating environmental performance rather than simply monitoring and measuring, including use of KPIs. In keeping with the new concept of risk-based thinking, there is a higher expectation of controls for managing changes and emergency situations. As long as these are still considered new requirements, certification auditors will naturally pay special attention to these areas.

Subject 

Testing and Calibration Laboratories 

When to use it 

Use ISO 17025:2017 to implement a robust management system for your laboratory and demonstrate technical competence to produce valid and reliable results. ISO 17025:2017 specifies requirements for competence, impartiality and consistent operation and may be applied to any organisation performing laboratory activities, irrespective of size. ISO 17025:2017 may also be used to demonstrate conformity of internal and external laboratories to the Laboratory Requirements of IATF 16949.

Integration with ISO 9001

The latest revision of ISO 17025 takes into consideration the latest version of ISO 9001 on quality management and reflects developments in technology and new ways of working in modern laboratories. International recognition of ISO 9001 has increased the need to ensure that laboratories can operate a management system according to the principles of ISO 9001, as well as to the ISO 17025 standard. As a result, these principles are reflected in the two options which ISO 17025 provides for the implementation of a compliant, certifiable laboratory management system.

Certification

The latest revision, published in November 2017, supersedes ISO 17025:2005, which is withdrawn. Third party certification is carried out by UKAS themselves rather than by UKAS-accredited certification bodies. Organisations with existing certification to the 2005 standard need to transition to the new standard within 3 years from publication of the new revision, but during this period the certification to ISO 17025:2005 remains valid and recognised.

Subject

Nuclear energy sector supply chain – supplying products and services important to nuclear safety (ITNS)

When to use it

Use ISO 19443 if you supply products and services at any level within the nuclear supply chain and need to establish an effective quality management system applicable to the nuclear industry. Use ISO 19443 to implement nuclear-specific practices and controls for ensuring the quality, reliability and safety of your products and services and conformity to customer and regulatory requirements. ISO 19443 will also help suppliers with existing ISO 9001 certification aspiring to become part of the nuclear supply chain, where the integrity of systems, products and services is vital for nuclear safety.

Integration with ISO 9001

ISO 19443 is a new standard released in June 2018, prepared in collaboration with the International Atomic Energy Agency (IAEA). It contains the core requirements and structure of ISO 9001 but has supplemental elements specific to the nuclear industry. It adds requirements such as methods for determination of ITNS items and activities, use of a graded approach, and controls for preventing counterfeit, fraudulent or suspect items, all to be applied within a nuclear safety culture and environment. The requirements specified in ISO 19443 are complementary to applicable statutory and regulatory requirements, and its application to organisations performing activities on a licensed nuclear site is subject to prior agreement by the Licensee.

Certification

UKAS accredited certification to ISO 19443 is not yet available. UKAS is working with certification bodies to establish the necessary extension to their scope for quality management system certification in accordance with the new standard, and to ensure high confidence in third party certification for the nuclear sector. The responsible technical committee in ISO is developing the requirements for the certification bodies relating to the nuclear sector and a new Technical Standard is in development to support this process. Approach your certification body for the latest status. 

Subject 

Sustainable Procurement 

When to use it 

Use ISO 20400 to help your organisation to integrate sustainability into your procurement culture, policy, strategy, processes and supply chain. Organisations of any size or sector can use it to develop their ethical practices in their procurement decisions and activities. Based on principles such as accountability, transparency, respect for human rights and ethical behaviour, using ISO 20400 can help to meet the growing expectations of customers and other interested parties and demonstrate a positive contribution to society.

Integration with ISO 9001 

There is no explicit link from ISO 20400: 2017 to ISO 9001, and ISO 20400 does not share the high-level structure of the management system standards. However, ISO 20400 draws on various underlying principles such as organisational context, risk-based thinking and process approach. ISO 20400 is most closely linked with ISO 26000: 2010, the guidance standard for social responsibility. It shows how the sustainability issues covered in ISO 26000 relate to possible procurement actions, drawing on the same core ethical topics.

Certification 

ISO 20400 provides guidance, not requirements, on sustainability within procurement. Like ISO 26000 it is therefore not intended for certification purposes. Its key value lies in its use as a tool for helping to integrate ethical procurement into the organisation and its supply chain.

Subject

Food safety management

When to use it

Use ISO 22000 to implement a food safety management system (FSMS) designed to consistently provide food-related products and services that are safe and meet regulatory requirements. ISO 22000 may be used by any organisation in the food chain, irrespective of size and complexity, such as farming, producing and manufacturing food or providing food services such as packaging, storage, distribution, retail and catering. Use it to demonstrate your commitment to food safety and continuous improvement to customers and other interested parties such as suppliers, regulatory bodies and industry schemes.

Integration with ISO 9001

ISO 22000: 2018 is based on the same structure and common terms as management system standards such as ISO 9001. It has been designed to be integrated with other management processes to facilitate management of multiple standards and incorporates principles such as risk-based thinking and the process approach. It also incorporates the latest thinking on food safety in a global industry and aligns with the Codex Alimentarius international food standards definitions and Codex HACCP principles.

Certification

ISO 22000:2018 supersedes ISO 22000:2005. If you hold certification to the 2005 version, you must transition to the new version by June 2021. The BSI PAS 220:2008 prerequisite programmes specification is now withdrawn and replaced by the ISO/TS 22002 series for specific activities, e.g. ISO/TS 22002-2 for catering operations. One way into ISO 22000 is through the Food Safety System Certification scheme, FSSC 22000. This scheme is recognised by the Global Food Safety Initiative (GFSI) and is available under UKAS accreditation.

Subject 

Business management system for product quality and safety (Rail sector) 

When to use it

Use ISO/TS 22163 if you are a manufacturer of railway vehicles or you supply systems or components and need to establish an effective business management system applicable to the rail industry supply chain. Use ISO/TS 22163 to embed rail-specific requirements that encompass all business processes for ensuring the quality, reliability and safety of your products and services and conformity to customer and regulatory requirements. Use ISO/TS 22163 to help gain industry recognition, demonstrate compliance and drive continuous improvement.

Integration with ISO 9001

ISO/TS 22163 is an ISO Technical Specification published in May 2017, prepared by UNIFE, the European Rail Industry Association. It contains the core requirements and structure of ISO 9001 but has supplemental elements specific to the rail industry. It creates requirements for a business management system for quality and product safety, including aspects such as design, project management and life cycle costing. ISO/TS 22163 is being kept under review to incorporate industry developments and feedback from stakeholders, and a full ISO standard is being worked towards.

Certification 

Certification to ISO/TS 22163 is available but only from certification bodies approved by UNIFE via its global certification scheme IRIS (International Railway Industry Standard) and not by UKAS. After publication of the standard UNIFE launched the latest version of the IRIS Certification system, IRIS Rev.03, combining the requirements of ISO/TS 22163 with the IRIS Certification Rules 2017 which describe the assessment methodology and certification process. 

Subject

Business continuity

When to use it

Use ISO 22301 to establish processes to prevent, mitigate, respond to and recover from disruptive incidents, including emergencies and disasters. 

Integration with ISO 9001

ISO 22301 is aligned with ISO 9001 and can be integrated quite readily with management systems based on ISO 9001:2015 by adding specific controls for business continuity.

Certification

Not all UKAS-accredited certification bodies are approved to audit against ISO 22301. Most of the larger, well known national and international bodies can cover this. If ISO 22301 is on your long horizon, choose your ISO 9001 auditor with this in mind. 

Subject

Information security

When to use it

Use ISO 27001 to manage and protect your information assets, building trust and credibility with your customers. Use it to address the people, process, physical and technology (PPPT) elements that impact on the confidentiality, integrity and availability (CIA) of information.  

Integration with ISO 9001

ISO 27001 is closely aligned with ISO 9001 and can be integrated into an ISO 9001 system by adding controls on information security risk to complete your information security management system (ISMS). However, there is one major difference in approach: ISO 27001 requires you to decide which controls to apply on the basis of a comprehensive risk assessment. For most businesses the key areas of overlap are support functions such as IT (obviously), HR, procurement, document control and record/data management, together with the leadership and improvement elements that are inherent in all ISO 9001-based standards. For IT companies where InfoSec is actually part of the product or service, there are more integration points up and down the supply chain.

Certification

Most of the UKAS-accredited certification bodies include ISO 27001 in their scope of approval. If you are considering ISO 27001 as a step towards full business continuity management, check if your certification body is also accredited to assess ISO 22301. If GDPR is your concern, consider BS 10012 which is specifically designed to address the General Data Protection Regulation. Consider supporting any of these standards with a Cyber Essentials assessment on the IT elements.

Subject

Quality (oil and gas)

When to use it

Use ISO 29001 to demonstrate how your management system supports your licence to operate in the oil and gas industry and its supply chain.

Integration with ISO 9001

ISO 29001 mirrors ISO 9001:2008 and adds extra requirements for the oil and gas industry, keeping it aligned with API Q1, the globally recognized US sector standard. But it is one step behind and more detailed than ISO 9001:2015. 

Certification

At present there is no UKAS-accredited certification route for ISO 29001, although many major certification bodies offer non-accredited schemes. If a current ISO 9001 certificate is more important to your clients, you may want to hold fire on the extra requirements of ISO 29001 until it is clear whether they will survive the next revision.

Subject

Anti-bribery management

When to use it

Use ISO 37001 to help your organisation implement an internationally recognised anti-bribery management system (ABMS) and put in place good practice measures to prevent, detect and address bribery. ISO 37001 can be used flexibly by organisations of any size or sector for implementing policies, procedures and controls which are proportionate to the bribery risks which may be faced. Using ISO 37001 can demonstrate your anti-bribery commitment to interested parties and can provide evidence that you have taken reasonable steps to prevent bribery.

Integration with ISO 9001

ISO 37001 is based on the same structure and common terms for management system standards as used in ISO 9001. It can be applied as an independent system if required, but the measures it describes are designed to be integrated with existing management processes to ensure they are applied as part of routine business operations.

Certification

ISO 37001: 2016 supersedes the British Standard BS 10500:2011 for an anti-bribery management system. With the UK Bribery Act 2010 becoming law in July 2011, BS 10500 was introduced to help organisations implement measures to meet the new legislation and has been used in the development of ISO 37001. Organizations may choose to be certified to ISO 37001 to confirm compliance, gain reputational benefit and reduce the risk of prosecution. As only a limited number of UK certification bodies have gained UKAS accreditation to certify against this standard, their accreditation status should be checked with UKAS before proceeding. 

Subject

Collaborative working

When to use it

Use ISO 44001 to establish formal structures for long-term, value-adding business collaborations with internal and external partners, e.g. joint ventures and alliances.

Integration with ISO 9001

ISO 44001 aligns with ISO 9001 at the highest level, absorbing its predecessor BS 11000 and adding controls, including: value creation, value analysis, business case review and engagement strategy. 

Certification

Organizations with BS 11000 certification are migrating to the new standard, ISO 44001. At present there is no UKAS-accredited certification route for ISO 44001 but the Institute of Collaborative Working (ICW) validates certification bodies to ensure the integrity of certification. 

Subject

Occupational Health and Safety Management

Note: ISO 45001 does not address product safety (i.e. safety to end-users of products) 

When to use it

Any organisation may use ISO 45001 as a framework for implementing an effective system for managing OH&S to avoid work-related injury and ill health. It promotes a proactive and structured best practice approach to the improvement of OH&S culture and performance for the provision of safe and healthy workplaces. Use ISO 45001 to establish effective preventive and protective measures to eliminate hazards and minimise OH&S risks, take advantage of OH&S opportunities, and to demonstrate fulfilment of legal requirements. 

Integration with ISO 9001

ISO 45001 shares the same structure, terms and definitions as ISO 9001:2015 and other recently revised ISO management system standards such as ISO 14001:2015 (Environmental Management). ISO have adopted this approach to facilitate the integration of new management topics into an organisation's existing management system. ISO 45001 is not prescriptive about the design of an organisation’s OH&S management system, allowing it to be as simple or sophisticated as needed to be effective, appropriate to the organisation and its levels of risk.

Certification

ISO 45001 is a completely new standard published in March 2018 and certification is available through UKAS-accredited certification bodies. It supersedes OHSAS 18001 which is now withdrawn and no longer available for new certifications. Organisations with existing certification to OHSAS 18001 have a solid platform for implementing ISO 45001 but will need to implement migration plans recognising that there are differences in philosophy and emphasis in addition to the structure. Organisations certified to OHSAS 18001 have until March 2021 to migrate to the new standard.

Subject

Energy

When to use it

Use ISO 50001 to manage your energy use, improve energy efficiency and demonstrate your sustainability credentials. ISO 50001 certification can be used to demonstrate ESOS compliance so long as the energy management system covers 90% of overall energy use.

Integration with ISO 9001 (and ISO 14001)

The structure of ISO 50001 is aligned with ISO 9001 and ISO 14001, either of which can provide a strong foundation for implementing ISO 50001. At the last revision all three standards strengthened their focus on actual performance of the management system. For ISO 50001 this includes selecting appropriate KPIs linked to significant energy uses. Note: there will be no credit given for green initiatives such as switching to renewable energy, these being the aims of ISO 14001 not ISO 50001. For 50001 it is all about reducing energy usage, regardless of how that energy is generated.

Certification

Many major UKAS-accredited certification bodies can issue ISO 50001 certificates. There are also a number of niche players in this arena. All ISO 50001:2011 certificates will expire on 19/08/2021. But note this when you are considering transition to ISO 50001: 2018: certification bodies are mandated by ISO 50003, their auditing standard, to issue you with a Major NCR if you cannot demonstrate improvement of energy performance at every audit visit. That is a potential game changer if you’ve already picked all the low hanging fruit.

Subject

Asset management

When to use it

Use ISO 55001 to maximize the value and increase the performance and life of tangible and intangible assets, from systems and equipment to land, property, inventory and intellectual property.

Integration with ISO 9001

ISO 55001 is already aligned with ISO 9001 so that can form a foundation for extending your management system to cover this important area. You can also consider integrating with other life-cycle based standards such as ISO 50001 (energy) and ISO 14001 (environment).

Certification

Although a relatively new standard to the management systems canon, there are several certification bodies with UKAS approval to certify against ISO 55001.

Subject

Quality (Aviation, space and defence)

When to use it

Use AS 9100 to establish a quality management system to meet aviation, space and defence standards. More specific sister standards are available for aviation maintenance organizations (AS 9110) and for aviation, space and defence distributors (AS 9120).

Integration with ISO 9001

AS 9100 and various supporting standards are issued by the International Aerospace Quality Group (IAQG). AS 9100 follows the ISO 9001:2015 structure whilst still retaining some of the more prescriptive requirements of ISO 9001:2008. There are also particular requirements for the aviation, space and defence industries.

Certification

Certification to these standards is offered by some of the major certification bodies and sector specialists, although UKAS accreditation may not always be available. The AS 9100 audit process is more detailed and onerous than ISO 9001 and includes some difficult topics driven by particular concerns in the aerospace industry, e.g. counterfeit, fraudulent or suspect (CFS) parts, safety critical processes and human factors. You may also find that other certification schemes such as NADCAP follow in the wake of AS 9100 once you are in the supply chain flow-down.

Subject 

Data Protection – Personal Information Management System (PIMS) and GDPR/DPA

When to use it 

BS 10012 provides a structure for a Personal Information Management System. It may be used by organisations of any size or sector who deal with personal information to help maintain and prove compliance with data protection requirements and good practice. Use BS 10012 as part of your organisation’s governance structure to help to implement effective policies, procedures and controls which fulfil the requirements of the EU General Data Protection Regulation (GDPR) / UK Data Protection Act (DPA) and provide confidence to clients and other interested parties that you have addressed all security risks relating to their personal information.

Integration with ISO 9001 

BS 10012:2017 follows the same structure as ISO 9001 and ISO 27001 for ease of integrating multiple management system standards. The standard also aligns with the principles of the GDPR/DPA and outlines the core requirements organisations need to consider when collecting, storing, processing, retaining or disposing of personal information relating to individuals.

Certification

Certification to BS 10012 is available through a few certification bodies. It can help organisations to show that they have taken necessary and reasonable measures to comply with the privacy elements of the GDPR/DPA. ISO 27001 certification covers the information security requirements within the GDPR (the technical and organisational measures required by Article 32). While certification to either or both standards does not confer immunity from legal obligations, it can demonstrate commitment and accountability in an arena where trust and reputation are highly valued.

Subject

Secure destruction of confidential material – Code of Practice

When to use it

Use BS 15713 to help establish and maintain effective practices for managing the secure destruction of confidential information. The recommendations in the standard follow industry best practice, covering security of premises, screening of personnel and the end to end processes by which confidential material is collected, handled, transported, stored and destroyed – from the point of collection to destruction and recycling. Using BS 15713 helps to comply with legislation, minimise risks associated with confidential data leaks and to provide reassurance to clients and other interested parties. 

Integration with ISO 9001

BS 15713 does not follow the same structure as ISO 9001 and other management system standards such as ISO 14001 and ISO 27001. However, its industry-specific recommendations are applicable within an ISO 9001 structure. Industry best practice draws the two standards together to provide for secure destruction within a robust quality management system. 

Certification

Certification to BS 15713 is offered by some certification bodies, but it is not a UKAS accredited standard and therefore a certificate would be non-accredited. UKAS accredited certification to ISO 9001, used in conjunction with the BS 15713 Code of Practice, can provide a recognisable approach for service providers in the industry to demonstrate compliance to clients, regulators and other interested parties such as trade associations.

Subject

Cyber risk and resilience

When to use it

Use BS 31111 to help your organisation to implement an effective cyber security regime to manage cyber risk and resilience. BS 31111 is intended for organisations of any type and size and can help to ensure that cyber security governance arrangements, policies and procedures are fit for purpose and integrated into the wider organisation. Use BS 31111 to help your organisation to demonstrate to stakeholders and regulators that your cyber security measures are effective, resilient and based on best practice.

Integration with ISO 9001

There is no explicit link from BS 31111: 2018 to ISO 9001. BS 31111 is designed to provide strategic rather than detailed technical guidance and more closely complements management standards ISO 27001 Information Security and ISO 22301 Business Continuity, and the ISO 31000 Risk Management guidelines. BS 31111 may be a useful aid for addressing cyber security considerations in other standards, for example IATF 16949.

Certification 

BS 31111 provides guidance and recommendations, not requirements. It is not intended for certification purposes and therefore claims of compliance cannot be made to it. Certification to the management system standards ISO 27001 and ISO 22301 is available through UKAS-accredited certification bodies.

Subject

Quality (automotive production and relevant service parts organisations)

When to use it

Use IATF 16949 to demonstrate that your management system and capabilities meet the quality requirements for the automotive sector global supply chain. Use this standard if you are producing, or intend to produce, customer-specified production parts, service parts, and/or accessory parts. The standard applies to a wide range of activities including design and development, production, treatments and finishing, assembly, installation, and services of automotive-related products, including products with embedded software.

Integration with ISO 9001

IATF 16949: 2016 is used as a supplement to and in conjunction with ISO 9001: 2015. The standard is customer-focused, incorporating customer specific requirements. It requires suppliers to make effective use of a common set of core tools and methods for product and process development and continual improvement. The goal of IATF 16949 is for automotive suppliers to develop their quality management system to provide for continual improvement, emphasising defect prevention and the reduction of variation and waste in the supply chain.

Certification

A number of the UKAS-accredited certification bodies include IATF 16949 in their scope of approval. The International Automotive Task Force (IATF) is responsible for the policies and procedures for the common IATF third party registration scheme to ensure consistency worldwide and publishes the Rules and Sanctioned Interpretations which govern certification. The rules prevent certification bodies from offering or providing consultancy and training.
