Quality management representative: tasks, duties and position according to ISO 9001:2015
With ISO 9001:2015, the obligation to appoint a quality management representative has been formally eliminated. In practice, the role remains standard. This article organises tasks, qualifications, orders and interfaces.
The role of the quality management representative is no longer explicitly prescribed since the revision of ISO 9001:2015. Section 5.3 instead requires that top management assign responsibilities and authority for the quality management system tasks. In practice, the quality management representative (QMB) remains the central functionary in most certified organisations because auditors, customers and regulated markets expect an identifiable contact person.
This article is aimed at management, quality managers and applicants for the QMB function. You will find out which tasks the role includes operationally according to ISO 9001:2015, which qualifications have been established on the market, how the order is clearly documented, which interfaces there are to other representatives and when an external appointment makes sense. The focus is on the question of how an effective QMB is measured in the certification audit.
Key Takeaways
- The obligation to name has been removed since ISO 9001:2015, the tasks remain unchanged and in practice continue to be delegated to a named role.
- Effectiveness is evident in the audit process: management assessment, internal audits, corrective measures and effectiveness tests are the mandatory fields.
- External QMBs are particularly established in medium-sized businesses and must be independent, qualified and have a written appointment certificate.
Legal framework: What ISO 9001:2015 really requires
With the revision of the standard in September 2015, the express requirement for a quality management representative was no longer required. Section 5.3 of ISO 9001:2015 instead talks about top management assigning responsibilities and authority. In particular, the aim is to ensure the conformity of the QM system with the standard, to ensure process performance, to report to top management as well as to promote customer orientation and maintain integrity in the event of changes.
In effect, all of the tasks that were assigned to the QMB under the previous standard continue to exist. Most certifiers and customer audits also expect a specific person as a contact person. Anyone who spreads the tasks broadly across several functions and does not identify responsibility risks a major deviation in Chapter 5.3 in the audit.
Sectoral special standards exacerbate the situation. ISO 13485 for medical devices continues to specifically require a top management representative according to Section 5.5.2. IATF 16949 for the automotive industry knows Customer Representative and Quality Manager. ISO/IEC 17025 for testing laboratories speaks of quality managers. Those working in regulated industries are virtually unable to maintain certification without a dedicated QMB role. Audit-proof, documented, Section 5.3-proof.
Core tasks in day-to-day operational business
The operational task list of a quality management representative can be divided into seven blocks, which are based on the structure of ISO 9001:2015 (Chapters 4 to 10).
- Context of the organisation: Maintaining interested parties, updating the QM scope of application, process map.
- Leadership: Preparation of management review, reporting to top management, Customer focus reviews.
- Planning: Risk and opportunity analysis, quality goals, change management.
- Support: Control of documented information, training and proof of competence, control of measuring and testing equipment.
- Operation: Accompaniment of product and service provision, supplier evaluation, complaint management.
- Assessment of performance: Planning and implementation internal audits, evaluation of KPIs, customer satisfaction measurement.
- Improvement: Control of corrective measures, root cause analysis, continuous improvement processes.
These tasks are the duty of the organisation, not the person. The QMB is the operational coordinator who ensures compliance and escalates gaps to management. Anyone who takes on the role of pure document manager misses the point of the standard. The auditor calls, the evidence is ready.
Ordering and documentation of the role
The order is made by top management. Even though ISO 9001:2015 does not prescribe a form, the written appointment certificate has become established. It creates clarity about tasks, authorities and reporting lines and is reliable evidence in the audit according to Section 5.3.
A reliable appointment document contains: name and function of the appointed person, scope (locations, companies, divisions), assigned tasks with reference to ISO 9001:2015, authorities (audit rights, escalation rights, access to data), reporting line to top management, duration of the appointment and representation regulations. The appointment certificate, signed, filed, verifiable.
It is important to differentiate from other agents. The QMB is not the data protection officer and not the information security officer. Interfaces must be specified in the order, for example for the control of documented information, for corrective actions and for audits in integrated management systems.
For integrated management systems (ISO 9001, ISO 14001, ISO 45001, ISO/IEC 27001) a combined role is possible, provided that the qualification, capacity and independence of the internal audits are guaranteed. The standard does not require a separation of people, but does require a separation of the audit activity from the area being audited.
Qualifications and proof of competence
ISO 9001:2015 requires competency based on appropriate education, training or experience in Section 7.2. There are no specific hourly requirements or certificate requirements. Two paths have been established on the market.
Way 1: certified courses. Providers such as TÜV, DGQ, DEKRA and similar institutes offer modular training that usually ends with personal certification. Typical is a QMB training (around 40 teaching hours) and an advanced level to become an internal auditor (another 16 to 32 hours). The personal certification is limited to a few years and is tied to proof of further training.
Way 2: proven professional experience. Several years of work in QM functions, documented by audit mandates, training management, project or process responsibilities, can replace formal certification if it is comprehensibly documented and results in a competency profile within the meaning of Chapter 7.2.
For regulated industries, industry-specific evidence is also required. ISO 13485 requires an understanding of medical device regulation (MDR, IVDR), IATF 16949 industry knowledge (Core Tools, Customer Specific Requirements), ISO/IEC 17025 professional competence in the testing laboratory area.
The competence assessment must be renewed regularly. Anyone who has ordered a QMB whose training level is three years old and who has not taken part in any audit training or standard update event since then weakens the line of defence in the certification audit.
Internal audits and management reviews
The most powerful tasks of the QMB lie in Chapter 9 of ISO 9001:2015. Internal audits according to Section 9.2 must be planned, carried out, documented and converted into corrective measures. The QMB is regularly responsible for the audit program, not necessarily for each individual audit. Auditors must be independent of the area being audited, which often leads to the commissioning of external auditors in small organisations.
The audit program must cover all processes and locations over a cycle of several years, three years is common. Mandatory components are: audit objectives, criteria, scope, audit data, audit reports, identified deviations, corrective measures and effectiveness tests.
The management assessment according to Section 9.3 is prepared by the QMB. ISO 9001:2015 lists the input and output data precisely: status of previous assessments, changes in external and internal issues, information on the performance of the QMS, adequacy of resources, effectiveness of measures on risks and opportunities, potential for improvement. The assessment must be carried out at least annually and kept as documented information.
Anyone who treats the management assessment as a mandatory appointment without preparation is missing out on one of the few forums in which top management formally assumes responsibility. In the CIVAC workspace, the audit program, audit reports, list of measures and management assessment are interlinked in a data path. Others run compliance like a filing cabinet. We run it like software.
Interfaces to other representatives
In most organisations, the QMB is just one of several officer roles. A clean interface matrix prevents duplication of work and gaps.
| Role | Standard/Law | Typical interface to the QMB |
|---|---|---|
| Information security officer | ISO/IEC 27001:2022 | Control of documented information, internal audit, List of measures |
| Data protection officer | Art. 37 GDPR | Order processing, data protection training, incident management |
| Environmental protection officer | BImSchG, ISO 14001 | integrated management system, joint audits |
| Occupational safety | ASiG, ISO 45001 | Process risks, supplier evaluation of security-relevant services |
| Compliance officer | § 130 OWiG | Training, whistleblower system, supplier controls |
In medium-sized companies, several of these roles are often carried out in conjunction with one another. This is permissible as long as the qualifications, capacity and independence of the internal audit function are ensured. Where a staff union reaches its limits or qualification limits, external filling of individual roles is the usual solution.
When an external QMB appointment makes sense
An external quality management representative is permitted by law and is particularly common in medium-sized businesses in practice. Four constellations speak in favor of external staffing.
First: Lack of internal capacity. Where the QMB, in addition to other full-time tasks, does not find sufficient hours for internal audits, management assessments and corrective action maintenance, the system remains inconspicuous in day-to-day business, but visible in the audit.
Second: Lack of specialist competence. The normative requirements are particularly low in integrated management systems or regulated industries (medical devices, automotive, aviation). External QMBs bring the latest standard know-how with them.
Third: independence. In small organisations, the separation between executive and checking functions often cannot be established internally. An external QMB solves this problem structurally.
Fourth: transition or vacancy. In the event of a change in personnel, illness or the establishment of a new location, an external QMB bridges the period until a stable internal staffing is made.
CIVAC provides the quality management representative as an officer-as-a-service, with an appointment certificate, reporting line to management and connection to the 490 ready-to-use audit templates in the workspace. Licence the workspace for your internal representatives or have our representatives order it. The choice follows capacity, not form.
Typical audit findings and how to avoid them
Evaluations by major certifiers show recurring weak points in the practice of QMB. Six patterns occur particularly frequently and regularly lead to minor deviations or major deviations.
- Unclear assignment according to Section 5.3. Tasks are distributed across several functions without one person being identifiably responsible. Solution: documented order with clear assignment of tasks.
- Outdated management assessment. The last assessment was more than twelve months ago or does not contain all the input data required in Section 9.3.2.
- Audit program without coverage logic. Individual processes have not been audited for years because the program is not risk-based.
- Corrective measures without root cause analysis. Measures will be taken implemented without analysing the cause according to Section 10.2. The same findings appear again in subsequent audits.
- Document control without version discipline. Old forms circulate parallel to new ones, which violates the conformity of the documented information according to Section 7.5.
- Proof of training incomplete. Proof of competence according to Section 7.2 is missing for key roles, especially for the QMB itself.
Who these six fields on a quarterly basis goes through, significantly reduces the risk of a major deviation and relieves the burden of preparing the next certification audit.
Turn reading into an assignment
The quality management representative is no longer required according to ISO 9001:2015, but is practically indispensable. Those who order the tasks properly, staff them qualifiedly and operate them in guided audit, evaluation and action processes not only meet the standard, but also create a control line on which top management can actually make decisions.
CIVAC is a compliance platform and officer-as-a-service with 25 representative roles, 490 ready-to-use audit templates and EU data residency. For the QMB role, the workspace bundles the appointment certificate, the audit program, the management assessment, the corrective measures, the proof of competence and the interface matrix to the DPO, ISB, environmental and compliance officers in an audit-proof line. The normative integration with ISO/IEC 27001:2022 makes it easier to set up an integrated management system.
Licence the workspace for your internal representatives or have our representatives order it. Turn reading into an assignment. If you would like to reorganize your QMB function or consider hiring an external person as Quality Management Representative, write to info@civac.de or use the contact form on civac.de. We will get back to you within two working days with an assessment as to whether a workspace setup or an external order is the right option.
FAQ
Is a quality management representative still mandatory according to ISO 9001:2015?
No, the express obligation no longer applies with the 2015 revision. However, Section 5.3 requires that top management assign responsibilities and authority for the QM tasks. In practice, a named person remains the rule because certifiers and customers expect a clear contact person.
What qualifications does a QMB have to demonstrate?
Competence based on appropriate education, training or experience in accordance with Section 7.2. QMB courses at TÜV, DGQ or DEKRA with personal certification as well as an advanced level to become an internal auditor are established on the market. In regulated industries, sector-specific evidence is also required, such as MDR knowledge for ISO 13485.
What does a resilient QMB order look like?
Written appointment certificate with tasks with reference to ISO 9001:2015, scope, authorities (audit rights, escalation rights, data access), reporting line to top management, duration and representation regulations. This document is the central proof in the audit according to Section 5.3.
Can the QMB also be a data protection officer or ISB?
Yes, provided the qualifications, capacity and independence of the internal audits are ensured. Personnel union is common in integrated management systems. It is important that the audit function remains separate from the area being audited and that the interfaces are documented in the order.
When does an external QMB make sense?
If there is a lack of internal capacity, a lack of specialist expertise in regulated industries, a lack of independence in small organisations or as a bridge during personnel changes. CIVAC provides the external QMB with an appointment certificate, reporting line to management and connection to the audit templates in the workspace.
How often does the management review have to take place?
At least annually. The input and output data are defined in Sections 9.3.2 and 9.3.3 of ISO 9001:2015: status of previous assessments, changes in relevant topics, performance of the QMS, resource adequacy, effectiveness of measures on risks and opportunities, potential for improvement. It must be kept as documented information.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.