Skip to main content

ISO 9001 is the oldest ISO management-system standard still in wide use. First published in 1987, updated most recently in 2015, it is the standard most auditors have most experience with, and it is often the first ISO standard an organisation certifies to. That maturity shapes Stage 1 audits in two ways: the process is well-rehearsed on both sides, and organisations who inherited legacy QMSes discover that a system that satisfied auditors ten years ago does not always satisfy them now.

This piece walks through what happens on the day, what documentation matters most, and where organisations most often trip. It is the sixth piece in the Audit Day series, and completes the Stage 1 sweep across all five ISO management-system standards Axlio supports.

Key takeaways

  • Stage 1 for 9001 is a readiness evaluation of the Quality Management System. The auditor tests whether the QMS is designed, documented, and coherent enough to be evaluated for effectiveness in Stage 2.
  • The pivotal artefact is the process map or process register that expresses the organisation’s process approach under Clause 4.4. Auditors probe this heavily because everything downstream refers back to it.
  • Legacy QMSes are the classic Stage 1 challenge. A QMS that has not been actively refreshed since the 2015 revision often carries language and structures from earlier versions that no longer satisfy current audit expectations.
  • Customer focus (Clause 5.1.2) and nonconforming output handling (Clause 8.7) are the two areas most under-attended in QMSes that treat 9001 as a paperwork exercise.
  • Common Stage 1 finding: the QMS documents what the organisation used to do, not what it does now. Process maps and procedures drift when the business changes and the QMS is not maintained in step.

What the Stage 1 auditor is actually doing

ISO 9001:2015 certification follows the same two-stage process under ISO/IEC 17021-1 as the other management-system standards. Stage 1’s formal objectives:

  • Review the documented information required by 9001, including the QMS scope, quality policy, quality objectives, process approach documentation, and the procedures required by the standard.
  • Evaluate the organisation’s understanding of the standard’s requirements and the operational context of the QMS.
  • Confirm that internal audit and management review are established and running.
  • Identify Areas of Concern that would prevent Stage 2 from proceeding.
  • Establish the Stage 2 audit plan, including sampling of processes and product/service realization activities.

Because 9001 auditors typically have deep experience with the standard, Stage 1 tends to be efficient. The auditor knows what a mature QMS looks like and moves through the documentation quickly. That efficiency cuts both ways: gaps and legacy drift are recognised fast.

What is specifically different from other Stage 1 audits

Organisations that come to 9001 with mature 27001 or 22301 systems find that the shell is familiar but the emphasis is different.

Customer focus is a first-class concern. Clause 5.1.2 explicitly requires top management to demonstrate leadership on customer requirements, customer satisfaction, and enhancing customer satisfaction. Stage 1 auditors ask how customer feedback flows into the QMS, what customer satisfaction metrics exist, and what happens when they decline. This has no direct equivalent in 27001.

Product and service realization is central. Clause 8 covers the whole lifecycle from requirements determination through design, external provider control, production or service delivery, and post-delivery activities. Stage 1 auditors sample the process end-to-end. An ISMS auditor tests information security controls; a QMS auditor tests how work actually gets done.

Nonconforming output handling. Clause 8.7 requires a documented procedure for handling products or services that do not meet requirements. This is distinct from the management-system nonconformity handling under Clause 10.2 that 27001 covers. Stage 1 auditors want both.

External provider control is more detailed. Clause 8.4 covers evaluation, selection, monitoring, and re-evaluation of external providers (suppliers, subcontractors, outsourced services). An “approved supplier list” alone will not satisfy Stage 1. The evaluation criteria, monitoring cadence, and re-evaluation trigger are all in scope.

Process approach is the frame. Clause 4.4 requires the organisation to identify its processes, their sequence and interaction, and manage them as a system. Stage 1 auditors want to see the process map (or equivalent) and understand how the organisation thinks about its own operations at the process level.

Documentation to have ready

Stage 1 auditors ask for the following, roughly in this order:

  • QMS scope statement (Clause 4.3). What activities, sites, and products or services are in scope. Any Clause 8.3 (design and development) exclusion with justification.
  • Quality policy (Clause 5.2). Signed by top management, communicated, reviewed.
  • Quality objectives (Clause 6.2). Measurable, aligned with the policy, monitored.
  • Process approach documentation (Clause 4.4). Process map or register with inputs, outputs, interactions, owners, and any monitoring criteria.
  • QMS roles, responsibilities, and authorities (Clause 5.3).
  • Risk and opportunity treatment (Clause 6.1). What risks and opportunities the QMS addresses and what actions are planned.
  • Customer requirements procedure (Clause 8.2). How customer requirements are determined, reviewed, and managed through changes.
  • Design and development controls (Clause 8.3) where applicable. Where the organisation excludes design (e.g. because it produces to customer-supplied specifications), the exclusion needs justification.
  • External provider evaluation and control (Clause 8.4). Selection criteria, monitoring records, re-evaluation cadence.
  • Production and service provision procedures (Clause 8.5). Including identification and traceability where applicable.
  • Nonconforming output control (Clause 8.7). Documented procedure and records of nonconforming outputs handled.
  • Monitoring and measurement (Clause 9.1). Including customer satisfaction data (9.1.2) and process performance measurement (9.1.3).
  • Internal audit programme and reports (Clause 9.2).
  • Management review inputs and outputs (Clause 9.3). Customer feedback, process performance, nonconformity trends, audit findings, opportunities for improvement.
  • Nonconformity and corrective action records (Clause 10.2). For the management system, distinct from the nonconforming output records under 8.7.

Missing process approach documentation or a weak customer satisfaction data set will almost always trigger Areas of Concern at Stage 1.

The legacy QMS trap

The classic 9001 Stage 1 finding is not that documentation is missing. It is that the documentation was last comprehensively refreshed for the ISO 9001:2008 → 2015 transition and has drifted since.

The telltale signs: language referring to “documented procedures” (the 2008 term) instead of “documented information” (the 2015 term). A quality manual explicitly named as such (2015 removed the mandatory quality manual requirement, though many organisations kept theirs). Process maps that describe operations the organisation stopped doing three years ago. Quality objectives that were meaningful in 2018 and have not been updated since. External provider lists that include vendors the organisation no longer uses and omit vendors it now depends on.

None of this is disqualifying by itself. All of it signals that the QMS is treated as a compliance artefact rather than a live system. Stage 1 auditors notice, and Stage 2 auditors notice more.

The fix before Stage 1 is a genuine refresh: walk the current business through the QMS documentation and update everything that no longer reflects reality. Do this once properly and the QMS becomes maintainable. Do it superficially and Stage 1 will find the gaps.

The customer focus gap

The second most common Stage 1 finding is a QMS that has strong process documentation and weak customer focus.

Customer satisfaction data collected but not analysed. Customer complaints handled operationally but not fed into management review. Customer requirements captured in sales but not translated into internal specifications. Post-delivery activities (support, warranty, follow-up) treated as separate from the QMS rather than as part of Clause 8.5.5.

Auditors ask specifically about customer satisfaction trends and what the organisation did in response to them. “We survey annually and report the score to the board” is not sufficient if the score has been declining and no action has followed.

A practical pre-Stage 1 checklist

Two weeks before Stage 1:

  • Every mandatory documented information item above exists, is current, and is accessible.
  • The QMS scope statement matches what the organisation actually does now, not what it did at previous certification.
  • The process map or register has been walked through with the process owners in the last three months and updated to reflect actual operations.
  • Quality objectives are measurable, currently being measured, and reviewed at management review.
  • Customer satisfaction data has been collected in the last twelve months, analysed for trends, and reviewed at management review.
  • Nonconforming output records exist for at least the sampling period, with corrective action taken and closed.
  • External provider evaluation records are current for every provider in the register.
  • At least one internal audit cycle has been completed across the QMS scope.
  • At least one management review has taken place with all the required inputs from Clause 9.3.2 substantively covered.

If any of the above is not true, address it before Stage 1. Some of it (updating a process map, refreshing objectives) is fast. Some of it (running the missing management review with proper inputs) requires more coordination.

The Axlio Method at 9001 Stage 1

Stage 1 sits inside the Assure step of the Axlio Method. By this point, Understand (what the business does and who its customers are), Assess (against 9001 requirements), Prioritise (which processes and controls matter most), and Implement (the QMS itself) should already have happened. Stage 1 is the first independent test.

Where Stage 1 raises significant issues on legacy QMSes specifically, the response is usually to loop back to Understand and Assess: the QMS documentation describes an earlier version of the business, and the refresh needs to happen at the level of what the QMS is trying to describe, not the surface documentation.

Closing

ISO 9001 Stage 1 is a mature audit event. The auditor knows what a healthy QMS looks like. Organisations that treated 9001 as a living management system pass Stage 1 cleanly. Organisations that inherited a QMS and let it drift discover that the fastest path through Stage 1 is an honest refresh in the fortnight before, not a defence of documentation the auditor can see is out of date.

For support preparing for an ISO 9001 audit, or for a wider ISO 9001 or audit preparation engagement, get in touch. Nine times out of ten the work is not adding to the QMS. It is bringing what already exists back into contact with what the organisation actually does today.

Common questions

Is 9001 still worth certifying to if we do not manufacture anything?
Yes. ISO 9001 is written to apply to any organisation that produces products or delivers services. Services companies (consultancies, technology firms, healthcare providers, financial services, education) certify to 9001 for the same reasons manufacturers do: customer confidence, tender qualification, and internal discipline. The standard's language occasionally reads as manufacturing-first (particularly around design and development in Clause 8.3) but the clauses adapt cleanly to services with sensible scoping.
What does 'process approach' actually mean in practice?
The organisation identifies its processes, describes their inputs and outputs, records how they interact, and manages them as a system rather than as isolated activities. In practice this usually shows up as a process map or process register alongside supporting procedures. Stage 1 auditors want to see that the organisation understands its own operations at this level, not just that some processes are documented.
Do we need statistical process control or Six Sigma?
No. ISO 9001 requires monitoring, measurement, analysis, and evaluation (Clause 9.1). It does not prescribe methods. Simple, defensible measurement of key process outputs and customer satisfaction is enough. Sophisticated statistical methods are appropriate in some contexts and unnecessary in others. Auditors care about whether measurements are meaningful and used, not whether they are advanced.
How is a 9001 nonconformity different from an ISMS nonconformity?
9001 addresses two related but distinct things: nonconforming outputs (products or services that do not meet requirements) under Clause 8.7, and management-system nonconformities under Clause 10.2. An ISMS talks about only the latter. 9001 auditors care about both, and the way an organisation handles nonconforming outputs (product recalls, service failures, warranty claims) is a specific area of Stage 1 focus that has no direct equivalent in 27001 or 22301.
Can we integrate 9001 with our existing ISMS?
Yes, and it is common. Both standards use the Harmonised Structure so clauses 4 through 10 largely align. Common processes (internal audit, management review, corrective action, document control) can be shared. Standard-specific requirements (quality objectives, product/service realization, external provider evaluation, nonconforming output control) remain distinct. Our note on [integrated management systems](/insights/integrated-management-systems-what-actually-integrates/) covers what genuinely integrates and what stays separate.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.

Let's talk