ISO 9001
ISO 9001 is the world’s most widely used quality-management standard, specifying the requirements an organisation must meet to be certified for a quality management system.
What ISO 9001 requires
ISO 9001:2015 sets out requirements an organisation must satisfy to run a quality management system: understanding the needs of customers and interested parties, demonstrating leadership commitment, planning to address risks and opportunities, controlling its processes, and improving continually. The standard is structured around ten clauses, with clauses 4 to 10 carrying the auditable requirements. It does not prescribe how to do the work, only what must be in place, so a software firm and a hospital can both conform while operating very differently. The goal is consistent quality and demonstrable customer satisfaction.
The process approach, PDCA and risk-based thinking
Three ideas run through ISO 9001:2015. The process approach treats the organisation as a set of interlinked processes with defined inputs, outputs and controls rather than isolated departments. The Plan-Do-Check-Act cycle structures continual improvement: plan a change, implement it, check the results, then act on what is learned. Risk-based thinking, introduced prominently in the 2015 revision, requires the organisation to identify and address risks and opportunities that could affect conformity and customer satisfaction, replacing the earlier reliance on prescriptive preventive-action procedures.
Certification and who it is for
An organisation seeking ISO 9001 certification is audited by an independent certification body, which checks conformity against the standard and, if satisfied, issues a certificate typically subject to periodic surveillance audits. Certification is voluntary unless required by a customer or regulator, and it is the organisation, not its products, that is certified. ISO 9001 is deliberately generic so it suits manufacturers, service providers, public bodies and non-profits alike. Many sector-specific standards, such as ISO 13485 for medical devices, are built on its framework.
Key facts
At a glance
- Definition: the certifiable requirements standard for a quality management system
- Current version: ISO 9001:2015
- Core ideas: process approach, Plan-Do-Check-Act, risk-based thinking
- Structure: ten clauses; clauses 4–10 are auditable requirements
- Scope: any organisation, any size or sector
- Certified entity: the organisation’s management system, not its products
Common misconceptions
What people often get wrong
Often heard: ISO 9001 certifies that a company’s products are high quality.
Actually: ISO 9001 certifies the quality management system, not the products. It provides assurance that the organisation has consistent, controlled processes to meet requirements; product quality is an expected outcome, but the certificate covers the system, not individual goods.
Often heard: ISO 9001 tells you exactly how to run your processes.
Actually: ISO 9001 specifies what must be in place, not how to achieve it. It is deliberately non-prescriptive so organisations of any kind can conform while choosing their own methods, tools and structures.
Often heard: Once you are certified, ISO 9001 is done.
Actually: Certification is ongoing. Certificates are typically valid for three years with regular surveillance audits, and the standard requires continual improvement, internal audits and management review, so conformity must be maintained, not achieved once.