Is Management of Change Required in ISO 9001:2015?

by Miriam Boudreaux | September 22, 2016

When ISO 9001:2015 was released, aside from the major differences everyone was talking about (i.e. risk and documented information), it was not clear what other differences there were between the current and the new requirements.

As the deadline for migrating to ISO 9001:2015 moves right along, we are progressively receiving more questions about the new requirements, one of them being the requirement for how to handle “changes.”

Clients with an already established or new Quality Management System usually want to know if a coordinated method for managing changes is required. We received the following question regarding this very topic:

We thought that Control of Changes was only required by API. However, after reviewing Clause 8.5.6 Control of Changes, it appears managing changes is a requirement for ISO 9001. What do you think?

The word change appears 27 times in the ISO 9001:2015 standard within clauses 4 through 10, and not just in Design and Development clause. Here are some very specific areas that call out Control of Changes:

I’m not sure why Change Control was not given as much clout as Risk was, but Mireaux recommends that a full blown Management of Change program be established in order to properly handle changes within your Quality Management System. Since the requirement to control changes is embedded in so many facets of the standard, we suggest to go ahead and establish a well thought out program instead of a weak one. We are not advocating that it be complex and unsustainable, but we are also not saying to just implement a form that will never be used. Our recommendation is that you think about the types of changes your organization would be required to handle in an orderly fashion. These changes would be up to your company and your processes.

As far as handling changes in an orderly fashion, consider all the requirements of ISO, such as understanding the purpose of the change, allocating the resources, ensuring people are informed of the changes, having proper reviews and authorization for the change, etc. As you can see, once you put all the requirements found in 6.3, 8.1, 8.2.4, and 8.5.6 together, you will realize that it makes for a typical Management of Change program.

One thing you don’t have to worry about when establishing a Management of Change program under ISO 9001:2015 is conducting a Risk Assessment based on the potential risks that the change could bring. That is a requirement of the API Q1 and API Q2 standards only (as of now) and does not apply to the ISO 9001-based Quality Management Systems.

Meet The Author

Miriam Boudreaux is the CEO and Founder of Mireaux Management Solutions, a Technology and Consulting firm headquartered in Houston, TX. Mireaux is an ISO 9001:2015 and ISO 27001:2013 certified company and its services encompass ISO and API Certification Consulting, Auditing, On-site and Public Training, Managed Services, and its software Web QMS. With over 25 years of experience in the ISO and API standards, Miriam loves writing about the many benefit the standards can bring to organizations who wish to become certified.