5 Lessons I Learned from a Successful ISO 9001:2015 Certification Audit

Effective risk management requires an 
in-depth and sometimes painfully honest assessment 
of your processes and your areas of risk. 
The publication of ISO 9001:2015 in September generated much anxiety among companies fearing a bumpy transition to the new and significantly changed international standard. Admittedly, we at MasterControl were not immune to those worries.

Despite having quality experts involved with the ISO changes since they were proposed some years ago, even we did not know how our ISO assessors would apply the new requirements, what evidence they would expect to see, and how to pre-emptively satisfy their expectations.

Additionally, MasterControl is not a typical manufacturer of materials, but rather of software and services. This means we needed to understand the intent of each requirement under the new standard in order to correctly apply them to our products and services.

After much research and preparation, we’re proud of the fact that when we completed the audit successfully on Nov. 12, 2015, no other company in the world had yet received a certificate for the new ISO 9001:2015 standard (1), though a few held audits the same week we did. In fact, it was only that very week that ISO assessors across the globe were authorized by their governing bodies to begin certifying companies to the revised standard.

Some people have asked me what I learned from the audit experience, as well as the preparation that preceded it. Below are five lessons I learned, but first, a quick background.

Comprehensive Audit

MasterControl’s U.K. office was first to earn ISO 9001 certification in August 2012. MasterControl completed a year-long initiative in preparing for the addition of its U.S. headquarters to the certificate and in transitioning from the ISO 9001:2008 standard to the 2015 requirements.
A comprehensive audit was conducted for four days in MasterControl’s headquarters in Salt Lake City, Utah, and for one day in its office in Basingstoke, England, during the week of Nov. 9-12, 2015.

The following core QMS processes were among those which were reviewed in-depth: change control, corrective actions and deviation management, customer feedback and complaints, document control and record management, internal communication, product development, testing, validation, servicing and support, risk management, supplier management, and training management.

This article is related to the Whitepaper:
The Top 5 Benefits of Electronic GLP Audit Management
To get the full details, please download your free copy.

Five Lessons Learned

The biggest challenge leading to the ISO 9001:2015 certification initiative was getting informed and enthusiastic buy-in of top management, and more importantly, of the employees who comprise such an integral part of the company. We all know that without top-management support, no quality initiative can truly be successful, but we cannot overlook the importance of the adherence from those individuals of whom we are asking the most.

As you will see below, the lessons I learned from my recent experience involved working with my colleagues as a team, not as a hierarchy.
#1 Be humble. When you are asking colleagues to change their processes, it is important to come in with humility and collaboration, not demands. It is also important to look at your own areas of improvement and understand how difficult change can be by undergoing it yourself first. We in Quality Department certainly had processes that needed to be overhauled and audited, and we tackled those first so that we could finesse our project methods before applying them to other departments. This gained us great credibility with other departments and also helped us to make the process easier for them.

 #2 Add value, not obstacles. Most people can get excited about a quality initiative if you sell them on the fact that it is value-added and makes their lives easier. For this particular initiative, we made a big deal of “laying the old system to rest.” Specifically, we called it the Quality Management System Re-Implementation Project, affectionately referred to as the QMS-RIP. The old QMS had become overrun with muda (meaning waste in Japanese) and was a burden on the rest of the system. Instead of trying to change things little by little, we decided to retire the old system and build a brand-new, state-of-the-art system. This inspired excitement and adherence in a way that small one-off fixes likely would not have.

  #3 Understand your company processes. Rather than simply performing a gap assessment and then dictating to process owners what changes needed to be made to be compliant with the new standard, my team sat down with various departments and mapped out their processes so that we could truly understand their needs before expressing our own. We added controls only where risk dictated doing so, allowing them the flexibility to maintain productivity and meet demand.

Additionally, we rewrote all procedures from an end-user perspective so they are easier to understand and train on. We made them all concise, streamlined, and easy to keep updated as processes change.

#4 Think outside of the audit checkbox list. It’s important to understand who your interested parties are, not as a checkbox item, but because those parties play an integral part in every risk assessment. ISO used to focus primarily on customer requirements, but it is now understood that the requirements of your regulators, your shareholders, your investors, your city government, your neighbors, and your employees, among others, also have the ability to impact your adherence to quality.

#5 Identify and manage risk effectively. It is very important to understand how to effectively identify and manage risk. Much like identifying root cause, it requires an in-depth and sometimes painfully honest assessment of your processes and your areas of risk.
Applying risk-based decision making at every level and in every process allows resources to be much better allocated and helps stakeholders to feel that you understand their process rather than taking a blanket approach and applying controls where none are needed.

Maintaining Certification
To maintain certification, MasterControl will undergo a surveillance audit every year, and a re-certification audit every three years. We plan to include our Japan office in next year’s assessment process.

Alcumus ISOQAR, based in Manchester, England, conducted the audit and will be awarding certification to MasterControl (2)
Lillian Erickson is MasterControl’s global quality manager for the U.S., U.K., and Japan. She spearheads the company’s quality-related efforts, including its ISO 9001:2015 certification audit. She has worked in the field of quality for the past eight years, starting in document management and then specializing in quality compliance. During that time, she has hosted over 200 client audits, led five ISO audits, and participated in over 10 FDA, EMEA, and other regulatory entity audits. She is passionate about making quality an accelerator of business rather than a bottleneck. 

Erickson received a master of professional communications degree from Westminster College with an emphasis in technical writing and rhetorical analysis. She also obtained her ASQ-CQE while in graduate school.

(1) ISO 9001:2015 is the latest revision of the world’s most widely applied international standard on quality management systems. Companies worldwide adhere to the standard to demonstrate to their customers that their products and services maintain the highest quality. To watch free videos about the newly revised standard, go to:
(2) To read the press release about MasterControl’s ISO 9001:2015 certification, go to: