77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
ISO 9001 Certification: Process, Requirements and the Role of the QMR
Quality Management

ISO 9001 Certification: Process, Requirements and the Role of the QMR

27 May 202612 min readBy Dr. Henrik Bauer
CIVAC

ISO 9001 certification under DIN EN ISO 9001:2015 is a prerequisite for supplier approvals and public contracts in many industries. This article explains the certification process, the requirements for the QMS and the tasks of the Quality Management Officer.

DIN EN ISO 9001:2015 is the most widely adopted international standard for quality management systems (QMS). It sets out requirements that an organisation must meet in order to consistently deliver products and services that satisfy customer and regulatory requirements. Certification to ISO 9001 is, in many industries, a de facto prerequisite for supplier approval, public tenders and contracts with large corporations.

The standard was fundamentally revised in 2015 and has since strengthened the risk-based approach, process orientation and contextual analysis of the organisation. This article explains what ISO 9001:2015 requires of companies, how the certification process is structured, what tasks the Quality Management Representative (QMR) undertakes and how ongoing maintenance of the certification is ensured.

Key Takeaways

  • DIN EN ISO 9001:2015 requires a documented quality management system with a risk-based approach, context analysis and measurable quality objectives; certification is regarded as a market-entry prerequisite in many industries.
  • The certification process comprises three phases: Stage 1 audit (document review), Stage 2 audit (on-site assessment) and subsequent annual surveillance audits.
  • The Quality Management Representative (QMR) coordinates certification preparation, maintains the QMS and serves as the contact point for the certification body — this function can be filled internally or externally.

Overview of DIN EN ISO 9001:2015 Requirements

DIN EN ISO 9001:2015 is structured into ten main clauses that follow the High Level Structure (HLS) common to all recent ISO management system standards. The normative requirements begin with Clause 4 (Context of the Organisation) and end with Clause 10 (Improvement). Clause 4 requires the organisation to systematically analyse its internal and external factors as well as the requirements of interested parties.

Clause 6 introduces the risk-based approach: the organisation must identify, assess and plan actions to address risks and opportunities. This replaces the preventive action concept of ISO 9001:2008. Clause 7 addresses resources, competence and documented information; Clause 8 covers operational planning. Clause 9 requires performance evaluation through internal audits and management review.

The standard does not prescribe the job title "Quality Management Officer" but does require top management to assign roles, responsibilities and authorities (Clause 5.3). In practice, the QMR assumes the coordinating function for the entire QMS. They serve as the point of contact for internal and external audits, maintain documented information and ensure that Clause 10 improvement actions are followed up.

Clause 5 strengthens the leadership responsibility of top management: it must establish a quality policy aligned with the strategic direction and ensure that QMS requirements are integrated into business processes. This requirement aims to embed quality management within corporate strategy rather than treating it as an isolated departmental function.

Further information on the role of the QMR and appointment through CIVAC can be found on the Quality Management Officer page.

Certification Process: From Gap Analysis to Certificate

An ISO 9001 certification is divided into three main phases. The first phase is internal preparation: the company analyses the current state of its QMS against the standard's requirements (gap analysis), closes identified gaps, creates or revises required documented information and conducts an internal audit. Top management then carries out a management review pursuant to Clause 9.3.

The second phase is the certification audit, which consists of two stages. In the Stage 1 audit, the auditor from the accredited certification body reviews the QMS documentation, assesses the maturity of the system and identifies potential focus areas for the Stage 2 audit. This typically takes place a few weeks after the Stage 1 audit. In the Stage 2 audit, the auditor assesses on-site whether the QMS as described is actually implemented and whether the standard's requirements are met. Identified deviations are classified as Major Nonconformity (resulting in non-certification until remedied) or Minor Nonconformity (may be remedied after certification).

The third phase is maintenance: the certificate is generally valid for three years. In the first and second years following initial certification, annual surveillance audits take place. At the end of the three-year certification cycle, a recertification audit renews the cycle.

The period between the Stage 1 and Stage 2 audits is typically four to eight weeks. The company should use this window to address the focus areas identified in the Stage 1 audit and complete the relevant processes and documents. An experienced QMR coordinates this phase and prepares staff for the typical interview questions posed during the Stage 2 audit.

Internal Audits under Clause 9.2: Preparation and Conduct

Clause 9.2 of ISO 9001:2015 requires the organisation to conduct internal audits at planned intervals in order to verify whether the QMS meets the organisation's own requirements and the standard's requirements, and whether the QMS is effectively implemented and maintained. The internal audit is therefore not merely a preparatory tool but a permanent control and improvement instrument.

The audit plan must specify frequency, method, responsibilities and reporting requirements. Internal auditors are selected with due regard to objectivity and impartiality: auditors must not audit their own work. In smaller companies, an external QMR may conduct the internal audits since they hold no operational line function within the organisation.

Audit results must be documented. Nonconformities lead to corrective actions under Clause 10.2, the effectiveness of which is verified at a follow-up audit. Documentation of the entire audit programme, including evidence of completed actions, is a central subject of scrutiny for external auditors. An incomplete internal audit programme is one of the most frequent findings at certification audits.

The CIVAC workspace provides 490 ready-to-use audit templates, including templates for internal QMS audits. The QMR can manage audit plans, checklists, findings and corrective actions directly within the workspace without relying on external tools.

The frequency of internal audits should be determined on a risk basis: processes with high quality risk or frequent deviations are audited more often than stable standard processes. A differentiated audit plan that reflects this risk weighting is assessed by external auditors as a sign of a mature QMS.

Documented Information: What the Standard Actually Requires

ISO 9001:2015 no longer distinguishes between quality manuals, procedural instructions and records as the 2008 version did. Instead, the standard uses the term "documented information" and specifies in various clauses which documented information is to be maintained (documents) and which is to be retained (records).

Mandatory documents include, inter alia, the scope of the QMS (Clause 4.3), the quality policy (Clause 5.2), quality objectives (Clause 6.2), the risk and opportunity assessment (Clause 6.1) and the results of the management review (Clause 9.3). Mandatory records include calibration evidence (Clause 7.1.5), competence records (Clause 7.2), internal audit reports (Clause 9.2), nonconformities and corrective actions (Clause 10.2) and supplier evaluation results (Clause 8.4).

The standard does not require a quality manual but recommends one for organisations wishing to communicate their QMS structure clearly. External auditors expect at least a documented overview of processes and their interactions. A QMR who has established a clear documentation structure and fully implemented all mandatory documents significantly reduces the time spent during Stage 2 audits. Audit-ready, documented, ISO 9001:2015-compliant — that is the benchmark.

Control of documented information also means: obsolete versions must be withdrawn from circulation. External auditors regularly check whether outdated procedural instructions or forms are still present at workstations. A structured version control system that ensures only current documents are available at relevant workstations and in the associated IT systems is one of the simplest and most effective measures for reducing minor nonconformity findings at surveillance audits.

Risk-Based Approach under Clause 6.1

The risk-based approach is the central methodological feature distinguishing ISO 9001:2015 from its predecessor version. Clause 6.1 requires the organisation to determine, when planning the QMS, the risks and opportunities relevant to achieving the intended outcomes, and to plan actions to address them.

The standard does not prescribe a specific methodology. Widely used approaches include FMEA (Failure Mode and Effects Analysis), SWOT analyses, risk-based process assessments or simpler risk matrices. The key requirement is that the chosen method is systematic, traceable and documented. Auditors evaluate the approach on the basis of its appropriateness to the complexity of the organisation.

In practice, many companies underestimate the effort required for a robust risk analysis. A risk analysis consisting of a half-page table that has never been updated will be viewed critically by experienced auditors. The risk analysis must reflect the real risks of the business activities and be linked to the quality objectives under Clause 6.2.

For organisations maintaining multiple management system standards, an integrated risk analysis combining ISO 9001:2015, ISO 14001:2015 (environment) and ISO/IEC 27001:2022 (IT security) is advisable. The CIVAC workspace supports combined audit and risk assessment workflows, avoiding duplication of effort between officers from different disciplines.

The risk analysis should be updated at least once a year and on an event-driven basis in response to material changes in business activities, the product portfolio or the customer base. Risk treatment measures must be documented and their effectiveness assessed as part of the management review.

Selecting a Certification Body and Estimating Costs

ISO 9001 certifications may only be issued by accredited conformity assessment bodies. In Germany, the Deutsche Akkreditierungsstelle (DAkkS) accredits certification bodies on the basis of DIN EN ISO/IEC 17021:2011 and IAF MD 5. Only certificates from accredited bodies are recognised as equivalent by clients and authorities.

Well-known accredited certification bodies in Germany include TÜV SÜD, TÜV Rheinland, DEKRA, DQS, Bureau Veritas and Lloyd's Register. The choice of certification body should be guided by industry experience, response times and value for money.

Certification costs vary considerably depending on company size and the complexity of the QMS. For small and medium-sized enterprises, total costs for the initial certification procedure — including Stage 1 and Stage 2 audits — amounting to several thousand euros are standard practice. This is supplemented by the annual costs for surveillance audits and the internal resources for preparation, the QMR function and documentation maintenance.

External QMR appointments can reduce overall certification costs, as preparation is structured more professionally, deviations are identified earlier and the Stage 2 audit proceeds more smoothly. A QMR familiar with the requirements of ISO 9001:2015 and with the certification body from previous audits significantly accelerates the process. Information on external QMR appointments can be found at Quality Management Officer at CIVAC.

It is advisable to obtain at least two quotations from accredited certification bodies and to compare not only the price but also the audit duration, the sector experience of the designated auditor and the flexibility in scheduling. Some certification bodies offer remote audits for the Stage 1 element, which can reduce travel costs.

Management Review under Clause 9.3: Obligations of Senior Management

Clause 9.3 of ISO 9001:2015 requires top management to review the QMS at planned intervals to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organisation. The management review is not a formality but a structured process with defined inputs and outputs.

Mandatory content of the management review includes the status of actions from previous reviews, changes to relevant internal and external issues, information on QMS performance (customer complaints, internal audit findings, quality objective achievement), resources, opportunities for improvement and strategic alignment. The outputs must be available as documented information and must include decisions on improvement measures.

In practice, companies frequently regard the management review as an administrative burden and document it minimally. External auditors typically recognise a pro forma set of minutes immediately. A QMR who prepares and structures the management review substantively ensures that the meeting meets the normative requirements and functions as a management tool.

The deadline runs from the point at which top management should have conducted the review. A missing or incomplete management review is a typical minor nonconformity finding at surveillance audits and may escalate to a major finding if repeated.

The quality objectives under Clause 6.2, which are assessed for achievement during the management review, must be formulated in SMART terms: specific, measurable, achievable, relevant and time-bound. Vague objectives such as "improve quality" without a metric and target value are assessed by auditors as non-conformant. An external QMR defines objectives together with senior management and ensures that measurement and tracking function in day-to-day operations.

Integration with Other Management System Standards

Many companies operate additional management systems alongside ISO 9001: ISO 14001:2015 (environment), ISO 45001:2018 (occupational health and safety), ISO/IEC 27001:2022 (IT security) or IATF 16949:2016 (automotive). The common High Level Structure (HLS) of all recent ISO standards was developed to facilitate integration.

An integrated management system (IMS) combines the requirements of multiple standards in a shared documentation structure, a shared risk assessment and a shared internal audit programme. This significantly reduces the overall effort compared with parallel, isolated systems. Certification bodies offer combined audits covering multiple standards.

When integrating, differences in standard-specific requirements must be taken into account: ISO/IEC 27001:2022 requires a Statement of Applicability that ISO 9001 does not. ISO 14001:2015 requires an environmental aspects assessment that differs methodologically from the ISO 9001 risk analysis.

An external QMR familiar with multiple standards can coordinate the integration and ensure that no requirements are lost between standards. The CIVAC workspace supports combined audit workflows and enables officers from different disciplines to collaborate on a shared platform. Further information on combined appointments can be found on the CIVAC roles overview.

In practice, integration most sensibly begins with a shared context and risk analysis process that simultaneously addresses the requirements of all relevant standards. Standard-specific requirements, such as the ISO 27001 Statement of Applicability, are then added as a supplementary layer. This approach avoids redundant documents and creates a consistent foundation for combined external audits.

Preparing for ISO 9001 Certification with CIVAC

CIVAC is a compliance platform and Officer-as-a-Service for German companies. For quality management tasks, CIVAC provides qualified external Quality Management Officers (QMRs) who take on ISO 9001 certification preparation, the internal audit programme and ongoing QMS maintenance. Formal appointment is completed within two business days, including the letter of appointment and a management briefing.

The CIVAC workspace provides 490 ready-to-use audit templates, including templates for ISO 9001:2015 gap analyses, internal audit checklists and management review templates. All documented information is managed in tamper-proof storage within the workspace. Licence the workspace for your internal officers or appoint our officers directly through the Officer-as-a-Service model.

Others manage compliance like a filing cabinet. We manage it like software. For ISO 9001 this means: when the external auditor from the certification body conducts the audit, internal audit reports, corrective action records, management review minutes and the risk assessment are all available in a structured audit log. No searching through network drives, no updating outdated spreadsheets.

For companies that maintain multiple standards simultaneously or are pursuing integrated certification, CIVAC offers combined appointments. A QMR can collaborate with a supplier auditor or an environmental officer on the same platform, without creating duplicate structures. This reduces the administrative burden and creates a consistent body of evidence for all external auditors.

Turn reading into action. Write to info@civac.de or use the contact form on civac.de. The team will respond within one business day.

FAQ

Is ISO 9001 certification a statutory requirement?

There is generally no statutory obligation to obtain ISO 9001 certification in Germany. In certain industries such as the automotive sector (IATF 16949), medical devices or public procurement, however, certification is a de facto prerequisite for supplier approval and participation in tenders.

How long does preparation for an initial ISO 9001 certification take?

The preparation period depends on the maturity of the existing QMS. Companies without a structured quality management system typically allow six to twelve months until they are ready for certification. With an experienced external QMR who structures the gap analysis and coordinates implementation, this period can often be shortened.

Does ISO 9001:2015 require a quality manual?

No. DIN EN ISO 9001:2015 does not require a quality manual. The standard requires documented information on certain topics but leaves the form of documentation to the organisation. A quality manual can be useful for communicating the QMS structure transparently internally and to customers.

What happens when a major nonconformity is identified at the certification audit?

A major nonconformity means that a material requirement of the standard is not met. The certification body will not issue a certificate in this case. The company is given a deadline for remediation and must subsequently undergo a follow-up audit. Minor nonconformities must be demonstrably remedied within a set deadline.

Can the Quality Management Officer be appointed externally?

Yes. ISO 9001:2015 does not prescribe an internal appointment. External QMRs take on the mandate on the basis of an appointment agreement, conduct internal audits, maintain documentation and prepare management reviews. For small and medium-sized enterprises, the external model is often more cost-effective than a full-time internal position.

How frequently do surveillance audits take place after initial certification?

After initial certification, annual surveillance audits take place in years 1 and 2. In year 3, the recertification audit renews the certification cycle. The exact schedule may vary slightly depending on the certification body and risk category.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles