A practice-oriented roadmap to successful certification – from initial consideration to passing the audit
Introduction: Two Paths to ISO 9001 Certification
Anyone aiming for ISO 9001 certification faces a fundamental decision: Should implementation be done independently or with professional support?
Path 1: ISO 9001 Implementation with Support from a Consultant. An experienced ISO consultant takes over project management, creates documentation, conducts gap analysis, prepares the team for audits, and accompanies the company to successful certification. This approach saves time, minimizes risk, and enables you to leverage industry experience. Sternberg Consulting offers this support specifically for small and medium-sized enterprises in the DACH region – from initial analysis to certificate.
Path 2: Independent ISO 9001 Implementation for SMEs. With the right knowledge, sufficient time, and a structured approach, you can also build a quality management system (QMS) independently. This guide is aimed at anyone who wants to take this path. It outlines all required steps, explains the standard’s requirements, and highlights common pitfalls.
An important hurdle for independent implementation: ISO 9001 requires conducting internal audits. You must demonstrate internal auditors’ competence, specifically knowledge of the standard and audit techniques. Without an external consultant who can provide this qualification, a QMS course or internal auditor training is usually required. Consider this from the beginning when planning your path towards ISO 9001 certification.
Important note: Regardless of which path is chosen, purchasing and thoroughly studying the ISO 9001:2015 standard is essential. The standard is available from Beuth Verlag or directly from ISO and serves as the binding basis for all certification audits.
List of Acronyms and Definitions
8D – Eight Disciplines. A problem-solving methodology designed to find the root cause of a problem, devise a short-term fix, and implement a long-term solution.
BAFA – Bundesamt für Wirtschaft und Ausfuhrkontrolle. The Federal Office of Economics and Export Control.
DACH – D (Germany), A (Austria), CH (Switzerland). An acronym representing the three major German-speaking countries in Europe.
DAkkS – Deutsche Akkreditierungsstelle. The national accreditation body for the Federal Republic of Germany.
DIY – Do It Yourself.
ESF – European Social Fund.
FIFO – First-In, First-Out. A stock rotation principle ensuring that the oldest inventory (material that arrived first) is used or shipped before newer inventory to prevent expiration or obsolescence.
FMEA – Failure Mode and Effects Analysis. A systematic technique for identifying foreseeable failure modes in a product or process and assessing the risk associated with those failure modes.
HLS – High Level Structure.
IMS – Integrated Management System.
ISO – International Organization for Standardization.
KPI – Key Performance Indicator.
OEM – Original Equipment Manufacturer.
OFI – Opportunity for Improvement.
PDCA – Plan-Do-Check-Act.
QMR – Quality Management Representative (German: Qualitätsmanagementbeauftragter or QMB).
QMS – Quality Management System (German: QM-System).
SMART – Specific, Measurable, Achievable, Relevant, Time-bound.
SME – Small and Medium-sized Enterprises (German: KMU).
TÜV – Technischer Überwachungsverein – Technical Inspection Association. A group of consulting and testing organizations in the DACH region that also act as major certification bodies for ISO standards.
Part 1: Why ISO 9001 Is Relevant for SMEs in the DACH Region
Competitive Advantages in the German-speaking Market
The DACH region is characterized by a pronounced quality culture. German, Austrian, and Swiss companies enjoy an excellent reputation worldwide – and this reputation is based on systematic quality management.
For small and medium-sized enterprises, ISO 9001 certification means more than just a certificate on the wall. It signals to customers and business partners that the organization has structured internal processes, systematically captures customer requirements, and practices continuous improvement. In a market where customer focus, trust and reliability are decisive purchasing criteria, this can make the difference between winning and losing an order.
Especially in mechanical engineering, which plays a central role in the DACH region, ISO 9001 has practically become an industry standard. Engineering firms, suppliers, and system integrators are regularly asked about their certification – often even before any discussion about the projects.
Tenders and Public Contracts
Public clients in Germany, Austria, and Switzerland frequently require proof of a certified quality management system in tenders. This applies particularly to technical services, mechanical and plant engineering, and supplies for critical infrastructure.
Without ISO 9001 certification, many of these contracts remain out of reach. Certification not only opens doors to new customers but also significantly expands the addressable market.
Supply Chain Requirements
Large OEMs and system houses in the German-speaking region increasingly require ISO 9001 from their suppliers. The automotive industry, mechanical engineering, and medical technology are particularly strict here.
The logic behind this is simple: A certified supplier offers greater process reliability. Complaint rates are typically lower, traceability is ensured, and, in the event of problems, defined escalation paths are in place. For purchasing departments, this significantly reduces risk.
Companies that are or want to become suppliers should consider ISO 9001 not as an optional extra, but as a basic requirement for business relationships on equal footing.
BAFA Funding: Financial Support for Consulting
The Federal Office of Economics and Export Control (BAFA) offers an attractive opportunity to reduce the costs of professional consulting with the program “Funding for Business Consulting for SMEs.”
Who is funded? Small and medium-sized enterprises based in Germany that employ fewer than 250 employees and have an annual turnover of less than 50 million euros or a balance sheet total of less than 43 million euros.
How high is the funding? Funding rates differ by region:
- New federal states (excluding Berlin and Leipzig), Lüneburg region, Trier region: 80% of consulting costs, maximum 2,800 euros
- Old federal states (including Berlin and Leipzig): 50% of consulting costs, maximum 1,750 euros
The maximum eligible consulting costs are 3,500 euros per consultation.
How many consultations are possible? Within the validity period of the funding directive (until December 31, 2026), a maximum of five consultations can be funded, but no more than two per year.
How does the procedure work? The application is submitted online via the BAFA platform. After review, the company receives an information letter that allows the start of consulting. Important: retrospective funding is excluded. You can only conclude the consulting contract after receiving the letter.
After you complete the consultation, you must submit proof of use within six months. This includes the consulting report and various forms.
Which consultants are authorized? Consulting must be carried out by consultants registered with BAFA. Sternberg Consulting is registered as a BAFA-approved consultant and offers support for both the application and the actual QMS implementation.
Part 2: Understanding ISO 9001:2015
The Process Approach Explained
ISO 9001:2015 is fundamentally based on the process approach and quality management principles. This means that a company is not viewed as a collection of individual departments, but as a network of interconnected processes.
A process converts inputs into results (outputs). The inputs of one process are often the results of upstream processes. A manufacturing process, for example, requires as inputs the results of the procurement process (material), the design process (drawings), and human resources management (qualified employees).
For practical implementation, this means:
- Identify processes: Which processes exist in the company? Which are value-adding, which are supporting?
- Understand interactions: What interfaces exist between processes? Where are handover points?
- Define responsibilities: Who is responsible for which process? Who controls the interfaces?
- Define metrics: How is the performance of each process measured? What are the critical success factors?
The process approach prevents so-called “silo thinking,” where departments work in isolation. Instead, the focus is on the entire value stream – from customer inquiry to delivery and beyond.
Risk-Based Thinking for SMEs
The 2015 revision of ISO 9001 anchored risk-based thinking as a pervasive principle. However, the standard does not require formal risk management according to ISO 31000. A pragmatic approach is sufficient for SMEs.
Risk-based thinking means asking with every decision: What can go wrong? What opportunities might be missed? How likely is it? What impact would it have?
You must identify risks and opportunities for each process within the quality management system – not just at the overarching company level. The standard processes that exist in practically every company provide a good starting point.
Standard Processes and Associated Risks and Opportunities
| Process | Risks | Opportunities |
| Sales and Order Acceptance | • Unclear customer requirements • Unrealistic deadline commitments • Credit risks | • Cross-selling • Customer loyalty through consulting competence |
| Development and Design | • Missing specifications • Change loops • Standard changes | • Innovation • Standardization of assemblies |
| Procurement | • Supplier failure • Delivery delays • Quality problems with purchased parts | • Alternative suppliers • Framework agreements • Material cost reduction |
| Production and Assembly | • Machine failure • Capacity bottlenecks • Quality fluctuations • Scrap | • Process optimization • Automation • Setup time reduction |
| Testing and Quality Control | • Undetected errors • Measuring equipment failure • Wrong decisions | • Preventive error detection • Process capability improvement |
| Delivery and Shipping | • Transport damage • Delivery delays • Wrong deliveries | • Optimized logistics • Packaging standards |
| Human Resources Management | • Know-how loss through turnover • Shortage of skilled workers • Missing competencies | • Employee development • Knowledge management |
| Customer Service and After-Sales | • Dissatisfied customers • Complaint costs • Reputational damage | • Customer loyalty • Service business • Feedback for product improvement |
The standard requires that you consider these risks in the planning of the QMS. You must integrate risk treatment measures into the processes. Important: The effectiveness of these measures must be assessable.
At the same time, it’s also about opportunities. What possibilities present themselves? How can processes be improved? Where are the innovation potentials?
A pragmatic approach for SMEs is a simple risk-opportunity matrix that documents the most important risks and opportunities for each core process, assesses their probability of occurrence and impact, and defines appropriate measures.
Leadership and Commitment of Top Management
Chapter 5 of ISO 9001 places clear requirements on top management. This is not a formality – the commitment of management is the most important success factor for a functioning QMS.
The standard requires that top management:
- Takes accountability for the effectiveness of the quality management system
- Establishes quality policy and quality objectives that fit with the strategic direction
- Provides resources (personnel, infrastructure, time)
- Communicates the importance of an effective QMS and meeting requirements
- Supports other leaders in their areas of responsibility
In practice, this means for an SME: Management cannot completely delegate the QMS. Regular participation in management reviews, visible commitment to quality, and consistent enforcement of standards are indispensable.
A common mistake in small businesses: The QMS is viewed as a “quality manager’s project.” This typically leads to a system that lacks practical value, plays no role in actual workflows, and is hard to justify during inspections.
Context of the Organization
Chapter 4 of the standard requires that a company understand its context – both internally and externally. This forms the basis for all further QMS decisions.
External issues can be:
- Legal and regulatory requirements (Machinery Directive, product liability)
- Technological developments (Industry 4.0, digitalization)
- Competitive situation
- Economic framework conditions
- Customer expectations and market trends
Internal issues can be:
- Company values and culture
- Organizational structure
- Existing know-how and competencies
- Technical equipment and infrastructure
- Financial resources
Additionally, interested parties (stakeholders) and their relevant requirements must be determined. Interested parties include, for example, customers, employees, suppliers, authorities, owners, or the local community.
A structured workshop with management and department heads is suitable for this analysis. The results are documented and regularly updated – at least annually.
Part 3: Preparing for Implementation
Gap Analysis: The Current State
Before starting to build the QMS, do an honest inventory. A gap analysis can show you which requirements of the standard are already met and where you need to improve.
Systematic approach:
- List standard requirements: Consider each requirement of ISO 9001:2015 individually (Chapters 4 to 10).
- Assess current state for each requirement:
  - Fully met (corresponding processes and documentation available)
  - Partially met (approaches available, but gaps recognizable)
  - Not met (no corresponding regulations)
- Document gaps: Detail exactly where the current status differs from the required standard.
- Derive measures: Necessary measures are defined for each gap.
Conduct the gap analysis through interviews with process owners, review of existing documentation, and site visits. External support can be very valuable here, as an experienced auditor recognizes gaps that are often overlooked internally.
Realistically Plan Resource Requirements
Implementing a QMS requires resources – and more than many small businesses initially expect. Realistic planning prevents later frustration and project delays.
Time requirements:
- Project management (internal QM officer): 20–40% of working time over the project duration
- Management: 5–10% of working time for reviews, decisions, communication
- Department heads and process owners: 5–15% for process definition, training, participation
- All employees: Time for training and familiarization with new processes
Typical project duration:
- Small companies (< 20 employees) with simple structure: 3–6 months
- Medium companies (20–100 employees): 6–12 months
- More complex structures or additional requirements: 12–18 months
Other resources:
- Budget for consulting (if desired), training, documentation systems
- IT infrastructure for document control
- Possible external support for internal audits
Choose Implementation Path
There are various paths to certification. The choice depends on available resources, urgency, and desired learning curve.
Completely independent implementation:
- Suitable for companies with QM-experienced employees
- Highest internal learning effect
- The longest project duration and the highest risk of errors
- Lowest external costs
Supported by a consultant:
- Structured approach by an experienced expert
- Faster implementation with reduced risk
- Know-how transfer to internal employees
- Higher external costs, but often lower total costs through efficiency
Hybrid approach:
- Consultant for critical phases (gap analysis, audit preparation)
- Independent implementation of documented measures
- Good compromise between costs and security
Realistic Time Planning
A typical implementation plan for a medium-sized company could look like this:
Phase 1 – Preparation (Month 1–2):
- Project kickoff and resource planning
- Conduct gap analysis
- Determine context and interested parties
- Define the scope of QMS
Phase 2 – Conception (Month 2–4):
- Define quality policy and quality objectives
- Create a process map
- Conduct risk analysis
- Establish documentation structure
Phase 3 – Documentation (Month 4–7):
- Create process descriptions
- Develop work instructions and forms
- Create a quality management manual (if desired)
- Implement document control
Phase 4 – Implementation (Month 6–9):
- Introduce processes in daily operations
- Train employees
- Keep records
- Corrective actions for deviations
Phase 5 – Review (Month 9–11):
- Conduct internal audits
- Analyze findings and implement measures
- Conduct a management review
- Establish audit readiness
Phase 6 – Certification (Month 11–12):
- Select certification body
- Stage 1 audit (document review)
- Stage 2 audit (on-site audit)
- Address non-conformities and OFIs
Part 4: Building the Quality Management System
Quality Policy and Quality Objectives
ISO 9001:2015 requirements for quality policy (Section 5.2):
Top management must establish, implement, and maintain a quality policy that:
- is appropriate for the purpose and context of the organization and supports its strategic direction
- provides a framework for setting quality objectives
- includes a commitment to satisfy applicable requirements
- includes a commitment to continual improvement of the QMS
The quality policy must be available as documented information, communicated within the organization, understood and applied, and available to relevant interested parties, as appropriate.
ISO 9001:2015 requirements for quality objectives (Section 6.2):
The organization must establish quality objectives for relevant functions, levels, and processes. Quality objectives must:
- be consistent with the quality policy
- be measurable
- take into account applicable requirements
- be relevant to conformity of products and services and to the enhancement of customer satisfaction
- be monitored
- be communicated
- be updated as appropriate
When planning how to achieve quality objectives, the organization must determine: what will be done, what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.
Practical implementation of quality policy:
The quality policy is the overarching declaration of intent of top management regarding quality. It must be appropriate for the purpose and context of the organization, provide a framework for quality objectives, include a commitment to satisfy requirements, and a commitment to continuous improvement.
Typical errors in quality policy:
- Too general and interchangeable (“We deliver quality”)
- Too long and difficult to understand and remember
- No connection to actual business operations
- Not supported by management
A good quality policy is short, specific to the company, understandable for all employees, and actually practiced.
Quality objectives concretize the quality policy. They must be measurable, consistent with the quality policy, relevant to conformity of products and services, and contribute to increasing customer satisfaction. This also boosts operational efficiency.
Examples of quality objectives in mechanical engineering:
- Complaint rate in the current year below 1% of turnover
- Delivery date reliability in the current year above 95%
- First article approval in the current year for 90% of parts without rework
- Customer satisfaction index in the current year above 8 out of 10 points
Important: You must regularly monitor and evaluate quality objectives. The results will flow into the management review.
Process Map and Process Documentation
The process map visualizes all relevant processes of the company and their relationships. It is the central overview document of the QMS.
Typical process structure:
Management processes:
- Strategic planning
- Management review
- Internal audit
- Continual improvement
Core processes (value creation):
- Sales and order acceptance
- Development and design
- Procurement
- Production and assembly
- Testing and quality control
- Delivery and commissioning
- Customer service
Support processes:
- Human resources management (incl. training and competence management)
- Infrastructure and maintenance
- Document control
- Measuring equipment management
- IT management
- Supplier management
For each process, document the following:
- Purpose and scope
- Process owner and involved roles
- Inputs and outputs
- Essential activities and workflows
- Interfaces to other processes
- Metrics for monitoring
- Risks and opportunities
- Relevant documents and records
The depth of documentation should be based on the risk and complexity of the process. Critical processes require more detailed descriptions than simple routine procedures.
Roles and Responsibilities
Clear responsibilities are fundamental for a functioning QMS. The standard requires that you assign and communicate responsibilities and authorities in the organization.
Important roles in the QMS:
Top management (executive management):
- Overall responsibility for the QMS
- Establishment of quality policy and quality objectives
- Provision of resources
- Conduct of management review
Quality management representative (QMR):
Note: ISO 9001:2015 no longer explicitly requires a QMR. However, the tasks must still be performed:
- Ensuring standard conformity
- Reporting to top management
- Coordination of the QMS
- Promotion of quality awareness
Process owners:
- Responsibility for their respective process
- Ensuring process performance
- Continual improvement of the process
- Control of interfaces
Internal auditors:
- Conducting internal audits
- Independence from audited areas
- Reporting results
Documentation of roles can be done through organizational charts, job descriptions, responsibility matrices, or a combination of these tools.
Note on Organizational Charts: While ISO 9001:2015 doesn’t explicitly require an organizational chart (organigram), it is the most common and effective way to document organizational structure and meet Section 5.3 requirements. Auditors typically expect to see one. The chart should show reporting lines, key positions, departments, and clearly identify QMS-specific roles (QMR/QMB, process owners, internal auditors). Keep it focused on QMS-relevant positions rather than listing every employee, and ensure it’s maintained as a controlled document with proper versioning.
Document Structure and Control
ISO 9001:2015 speaks of “documented information.” This includes both documents (requirements such as process descriptions, work instructions) and records (evidence such as test protocols, training records).
Typical document hierarchy:
Level 1 – QM Manual (optional):
- Description of QMS scope
- Quality policy
- Process map
- References to more detailed documents
Level 2 – Process descriptions:
- Presentation of core processes
- Responsibilities and workflows
- Interfaces
Level 3 – Work instructions:
- Detailed action instructions
- Test instructions
- Specifications
Level 4 – Forms and templates:
- Checklists
- Protocol templates
- Forms for records
Document control must ensure that documents are reviewed for adequacy before release, documents are updated and re-released as needed, the current revision status is identifiable, valid documents are available at the point of use, obsolete documents are not unintentionally used, and external documents (standards, customer specifications) are identified and controlled.
An electronic document management system is helpful, but not mandatory for small businesses. A structured folder system with clear naming conventions and release processes can also meet the requirements.
Part 5: Creating Core Documentation
Quality Management Manual: Required or Not?
ISO 9001:2015 no longer explicitly requires a QM manual. Nevertheless, creating a QM manual is highly recommended, especially for small businesses building the QMS independently.
Recommendation: Structure the manual according to the ISO 9001 standard structure
In my experience, a proven approach is to structure the manual along the chapter structure of ISO 9001 (Chapters 4 to 10). For each standard section, describe how the company meets the respective requirement – with references to the corresponding process descriptions, work instructions, and forms.
This approach offers several advantages:
- Completeness check: Working through the standard chapter by chapter ensures that you don’t overlook any requirements.
- Audit preparation: The auditor can immediately see from the manual how you implement each requirement. If the description is clear and comprehensible, this saves many follow-up questions in the audit – the auditor takes the information directly from the manual.
- Onboarding of new employees: The manual serves as a guide to understand the entire QMS.
- Reference in daily operations: In case of uncertainties, you can quickly look up which rules and requirements apply.
A modern QM manual does not have to be an extensive work. Often, 20–40 pages are sufficient, containing the scope of the QMS, the quality policy, the process map, the organizational structure, the description of standard implementation by chapter, and references to detailed documents.
Many companies today dispense with a classic manual and instead use a wiki, intranet, or other digital platform that provides the same information. For beginners, however, a structured document along the standard is the safest way.
Documented Procedures According to ISO 9001:2015
The standard explicitly prescribes documented information only for certain areas. These “must-have documents” are the minimum:
Required documented information (requirements):
- Scope of the QMS
- Quality policy
- Quality objectives
- Criteria for evaluation and selection of suppliers
- As necessary: Process descriptions, work instructions
Required records (evidence):
- Evidence of employee competence
- Results of management reviews
- Results of internal audits
- Results of corrective actions
- Monitoring and measurement results
- Release of products and services
- Traceability (as required)
- Evidence for customer property
- Control of nonconforming outputs
- Supplier evaluation and approval
- Results of design verification and validation (if development is in the scope of the QMS)
This list is the minimum. Depending on industry, customer requirements, and internal needs, you may need additional documents.
Work Instructions and Forms
Work instructions specify exactly how tasks must be carried out. They are particularly important for complex processes, training new personnel, maintaining high quality standards, and ensuring safety compliance.
Characteristics of good work instructions:
- Clearly and understandably formulated
- Tailored to the target group
- Practical and current
- With images or diagrams where helpful
- Available at the workplace
Forms standardize how you record information. Good forms guide the user through the required inputs, are clearly designed, and contain clear identification (document number, revision status).
Important: Not every process needs a detailed work instruction. The documentation depth should correspond to the risk. Superfluous documentation creates bureaucracy and is ignored in daily operations.
Control of Records
Records are evidence that you carried out the processes as planned. These records must be legible, identifiable, retrievable, and protected.
Make sure to define:
- Where are the records filed?
- Who is responsible for filing?
- How long are records retained?
- How are records protected from loss?
- How are records destroyed?
Retention periods are based on legal requirements (tax law, product liability), contractual agreements with customers, and internal requirements.
In mechanical engineering, retention periods of 10 years or more for technical documentation are not uncommon. Product liability may even suggest periods beyond that.
Part 6: Implementing the Standard Chapters in Detail
Chapter 4: Context of the Organization
What does the standard require?
- Understanding the organization and its context (4.1)
- Understanding the needs and expectations of interested parties (4.2)
- Determining the scope of the QMS (4.3)
- QMS and its processes (4.4)
Practical implementation:
The context analysis should be updated annually, ideally before the management review. A simple structure is sufficient:
- External issues: Market development, competition, technology, legal changes.
- Internal issues: Organizational changes, personnel development, infrastructure.
The stakeholder analysis identifies relevant interested parties and their requirements:
| Interested Party | Relevant Requirements |
| Customers | Product quality, delivery reliability, service |
| Employees | Occupational safety, development |
| Suppliers | Clear specifications, fair payment terms |
| Authorities | Compliance with legal requirements |
The scope defines which locations, products, and processes are covered by the QMS. Exclusions are only permissible if they do not affect your ability to provide conforming products. You must justify any exclusions, so in most cases it’s better to focus on compliance rather than trying to bypass requirements.
Chapter 5: Leadership
What does the standard require?
- Leadership and commitment (5.1)
- Quality policy (5.2)
- Roles, responsibilities, and authorities (5.3)
Practical implementation:
The requirements for top management cannot be met through documents alone. Auditors pay attention to actual behavior:
- Does management know the quality objectives and their degree of fulfillment?
- Are resources provided for quality?
- When goals conflict, is the decision consistently made in favor of quality?
- Does management actively participate in management review?
The quality policy must be documented, communicated, and understood. Typical auditor question to employees: “Do you know your company’s quality policy?” An unknown quality policy is worthless.
You should document roles and responsibilities in a responsibility matrix or in job descriptions. What matters is actual clarity – not the perfection of documentation.
Chapter 6: Planning
What does the standard require?
- Actions to address risks and opportunities (6.1)
- Quality objectives and planning to achieve them (6.2)
- Planning of changes (6.3)
Practical implementation:
Risk assessment does not have to be a complex FMEA (Failure Mode and Effects Analysis). For SMEs, a simple evaluation is often sufficient:
| Process | Risk | Probability | Impact | Measure |
| Procurement | Supplier failure | Medium | High | Qualify a second source |
| Production | Machine failure | Low | High | Maintenance plan, keep spare parts |
Quality objectives must be SMART: Specific, Measurable, Achievable, Relevant, Time-bound. For each objective, document: What should be done? What resources are required? Who is responsible? By when? How will results be evaluated?
Change planning concerns both organizational changes and changes to products and processes. Changes must be planned, controlled, and evaluated regarding their impacts.
Chapter 7: Support
What does the standard require?
- Resources (7.1): Personnel, infrastructure, process environment, monitoring and measuring resources, organizational knowledge
- Competence (7.2)
- Awareness (7.3)
- Communication (7.4)
- Documented information (7.5)
Practical implementation:
Resources must be adequately provided for processes. This includes qualified personnel in sufficient numbers, suitable infrastructure (buildings, machines, IT), appropriate work environment, and calibrated measuring and testing equipment.
Competence management means determining the required competencies for QMS-relevant activities, ensuring these competencies through education, training, or experience, evaluating the effectiveness of measures, and retaining appropriate records.
A competence matrix clearly shows which employees have which competencies and where training needs exist.
Organizational knowledge was a new concept introduced in ISO 9001:2015. It represents the collective know-how of the company. This must be determined, maintained, and protected from loss. When changes happen, you must check what additional knowledge is required.
Chapter 8: Operation
Chapter 8 is the most extensive and deals with actual value creation. It describes how core processes must be controlled.
8.1 Operational Planning and Control
The organization must plan, implement, and control processes required for the provision of products and services. This includes determining requirements for products and services, establishing criteria for processes and acceptance of products, determining required resources, and controlling processes according to established criteria.
Practical implementation in mechanical engineering: Work plans and production orders define process steps. Test plans specify which characteristics are tested and how. Capacity planning ensures resources are available.
8.2 Requirements for Products and Services
Communication with customers: Arrangements must exist for information about products, inquiries and contracts, customer feedback, including complaints, and handling of customer property.
Determination and review of requirements: Before entering into a commitment, you must ensure that requirements are completely defined (including expected requirements not explicitly stated by the customer), legal requirements have been determined, and the organization can meet these requirements.
Practical implementation in mechanical engineering: A structured order clarification with a checklist captures all customer requirements. Customer creates and releases technical specifications. Feasibility checks before order acceptance avoid later problems. Changes are documented and communicated.
8.3 Design and Development of Products and Services
If development is within scope, there are extensive requirements you must meet:
Development planning: Phases, reviews, verification, and validation must be planned. Responsibilities and authorities must be defined.
Development inputs: You must consider functional and performance requirements, legal requirements, standards, and previous development results.
Control measures: Conduct reviews to evaluate progress, verification (Do results meet inputs?), and validation (Does the product work as intended?).
Development outputs: Must meet input requirements, be suitable for subsequent processes, and establish acceptance criteria.
Practical implementation in mechanical engineering: A development process with defined milestones (e.g., concept release, design release, series release) structures the approach. Design reviews evaluate critical decisions. Design FMEAs identify risks. Prototype tests validate function. All changes are documented in change management.
8.4 Control of Externally Provided Processes, Products and Services
This chapter concerns all supplier management:
Supplier selection and evaluation: You must establish criteria for selection, evaluation, and re-evaluation of external providers. Evaluation results must be documented.
Type and extent of control: Control must be appropriate to the impact on conformity. Critical purchased parts require stricter controls than standard material.
Information for external providers: Orders must contain clear requirements – for products/services, release procedures, personnel competence, and QMS requirements.
Practical implementation in mechanical engineering: Supplier evaluation is conducted regularly according to defined criteria (quality, delivery reliability, price, service). There is a list of approved suppliers. Incoming goods inspections are planned based on risk. First article inspections qualify new parts. Supplier documents (certificates) are required and archived.
8.5 Production and Service Provision
Controlled conditions: Production must occur under controlled conditions, including documented information (work instructions), suitable monitoring and measurement, suitable infrastructure, and qualified personnel.
Identification and traceability: Products must be identifiable throughout the realization process. The extent of traceability depends on requirements.
Customer property: Material belonging to the customer must be identified, verified, protected, and safeguarded. In case of loss or damage, the customer must be informed.
Product preservation: Conformity must be preserved during internal processing and delivery (handling, packaging, storage, transport).
Practical implementation in mechanical engineering: Manufacturing travelers document production progress. Serial numbers or batch identification enable traceability. Warehouse organization and the First-In, First-Out (FIFO) principle prevent mix-ups. Packaging specifications protect goods.
8.6 Release of Products and Services
Before delivery, you must conduct and document planned tests. You may only release products and services when all requirements are met – unless an authorized entity approves a deviation and (if applicable) the customer agrees. Records must clearly indicate who authorized the release.
Practical implementation in mechanical engineering: Final inspections according to the test plan are conducted before shipping. Test protocols document results. Release by QA or defined employees occurs before delivery. Delivery documentation (certificates, test reports) is created.
8.7 Control of Nonconforming Outputs
You must detect and control defective products to prevent unintended use. Possible measures are correction (rework), segregation (quarantine, scrapping), release with special approval, and customer notification. You must document all measures.
Practical implementation in mechanical engineering: A quarantine warehouse or marked quarantine area prevents the use of defective parts. Defective parts are marked with quarantine labels. Decisions (rework, scrap, special release) are documented. After rework, re-inspection occurs.
Important for audit: Complete traceability
An auditor will typically want to trace one or more processes from beginning to end in the certification audit – for example, from customer inquiry through order confirmation, procurement, manufacturing, testing, to delivery and invoice. This so-called “audit trail” check shows whether processes actually function as documented.
For the company, this means: there should be clear connections between individual process steps. Typical links are order numbers that run through all documents (quote, order confirmation, purchase order, delivery note, invoice), production orders that reference the customer order, test protocols assigned to the production order, goods receipt documents that reference the purchase order, and delivery notes that reference the customer order.
If an auditor selects any process, it should be possible to compile all associated documents and records within a few minutes. If this link is missing, it almost inevitably leads to audit findings.
Chapter 9: Performance Evaluation
What does the standard require?
- Monitoring, measurement, analysis, and evaluation (9.1)
- Internal audit (9.2)
- Management review (9.3)
Practical implementation:
Monitoring and measurement includes both product testing and process monitoring. You must define metrics for all relevant processes. Also, you must actively monitor customer satisfaction (surveys, complaint analysis, customer feedback).
Internal audits are covered in detail in the next chapter.
Management review is the central control instrument of the quality management system. It must be conducted at planned intervals (at least annually, better semi-annually or quarterly).
Inputs for management review:
- Status of actions from previous reviews
- Changes in external and internal issues
- Information on QMS performance (customer satisfaction, quality objectives, process performance, nonconformities, audit results, supplier performance)
- Adequacy of resources
- Effectiveness of risk treatment
- Improvement opportunities
Results of management review:
- Decisions and actions on improvement opportunities
- Need for changes to the QMS
- Resource needs
Management review must be documented. The record is an important audit document.
Chapter 10: Continuous Improvement
What does the standard require?
- Nonconformity and corrective action (10.2)
- Continual improvement (10.3)
Practical implementation:
Corrective actions are required for nonconformities, i.e., when requirements are not met. The process includes reaction to the nonconformity (correction), root cause analysis, measures to eliminate the cause, evaluation of effectiveness, and, if necessary, updating of risks and opportunities as well as QMS changes.
An 8D report or simpler corrective action form structures this process.
Continual improvement is not optional; it is a standard requirement. Improvement initiatives can originate from various sources, including:
- Audit results
- Data analysis and KPI trends
- Management reviews
- Employee suggestions
- Customer feedback and complaints
- Supplier performance issues
- Changes in technology or market conditions
The PDCA cycle (Plan-Do-Check-Act) serves as the fundamental model for driving these improvements.
Part 7: Internal Audits and Management Review
Planning the Internal Audit Program
Internal audits are a central element of the QMS. They check whether the system is implemented as planned and meets standard requirements.
Audit program requirements:
- All QMS-relevant processes must be audited at appropriate intervals
- Frequency and scope depend on importance, changes, and previous results
- Audit criteria, scope, and methods must be established
- Auditors must be objective and impartial (no auditing of their own work)
Typical audit planning for SMEs:
- Annual audit plan covering all areas at least once
- Audit critical processes more frequently if necessary
- Audits are distributed over time, not all shortly before the external audit
Training Internal Auditors
Internal auditors must be competent. This does not necessarily require external training, but it does require sound knowledge of ISO 9001 requirements, audit techniques and questioning methods, and the company’s own processes, as well as objectivity and communication skills.
Options for qualification:
- External auditor training (recommended, approx. 2–3 days)
- Internal training by an experienced auditor
- Learning by doing under guidance
For very small companies, it may make sense to have internal audits conducted externally, since independence can hardly be guaranteed internally.
Conducting Audits Effectively
Basis: The Audit Program
Before doing individual audits, you must create an audit program. The audit program establishes which areas/processes will be audited during the year, when audits will take place (schedule), who will audit (auditor assignment), and what resources are needed. The audit program should be created at the beginning of the year and released by management. It is itself an auditable document when assessing ISO compliance.
Before the individual audit:
- Create an audit plan for the specific audit (schedule, areas, contacts)
- Communicate the audit plan to the audited areas
- Review relevant documents (process descriptions, previous audit reports)
- Prepare a checklist or a question catalog
During the audit:
- Opening meeting with the responsible parties
- Evaluate processes through interviews, observation, and document review
- Collect evidence, don’t just accept claims
- Document findings objectively and concretely
After the audit:
- Closing meeting with preliminary results
- Create an audit report
- Classify findings (nonconformity, improvement potential, conformity)
- Request and follow up on corrective actions
Typical auditor questions:
- How is it ensured that…?
- Show me the evidence for…
- What happens if…?
- Who is responsible for…?
- How is the effectiveness of… evaluated?
Structure of Management Review
Management review brings together all QMS-relevant information and enables top management to make strategic decisions.
Agenda for management review:
- Review of previous review
  - Status of open actions
  - Evaluation of implementation
- Changes in context
  - External and internal issues
  - Changes in interested parties
- Quality performance
  - Achievement of quality objectives
  - Customer satisfaction and complaints
  - Process performance and metrics
  - Supplier performance
- Results of internal and external audits
  - Main findings
  - Status of corrective actions
- Resource situation
  - Personnel
  - Infrastructure
  - Training needs
- Risks and opportunities
  - Evaluation of the current situation
  - Need for adjustment
- Improvement measures
  - Proposals
  - Decisions
- Outlook and planning
  - Goals for the coming period
  - Resource planning
The management review protocol is a very important audit document. It must contain essential results, decisions, and actions, and is part of continuous improvement efforts.
Part 8: The Certification Process
Choosing the Right Certification Body
Certification bodies must be accredited. In Germany, the German Accreditation Body (DAkkS) is the responsible authority. Only certificates from accredited bodies are internationally recognized.
Selection criteria:
- Accreditation for the relevant scope
- Industry experience of auditors
- Regional presence (shorter travel = lower costs)
- Reputation and references
- Costs and contract terms
- Flexibility in scheduling
Typical certification bodies in the DACH region:
- TÜV SÜD, TÜV NORD, TÜV Rheinland, TÜV Hessen, TÜV Austria, etc.
- DEKRA
- DQS
- Bureau Veritas
- SGS
- DNV
Pro Tip: Get quotes from several bodies. Costs can vary considerably.
Stage 1 Audit: Document Review
The stage 1 audit (also “pre-audit” or “document review”) is the first part of ISO certification. It typically takes place 4–8 weeks before the stage 2 audit and can be conducted on-site or remotely.
Objectives of stage 1 audit:
- Review of QMS documentation for completeness and standard conformity
- Assessment of site conditions and site-specific aspects
- Check of audit readiness for stage 2
- Identification of potential problem areas
What is checked?
- Quality policy and quality objectives
- Process descriptions and documentation
- Internal audit results
- Management review protocols
- Procedures for corrective actions
Possible results:
- Ready for stage 2
- Ready for stage 2 with notes
- Stage 2 only possible after improvements
Stage 2 Audit: On-Site Audit
The stage 2 audit is the actual certification audit. External auditors check on-site whether the QMS is implemented as documented and is effective.
Audit duration: The audit duration depends on company size and complexity. As a guideline, expect approximately 2–3 audit days for a company with 20 employees and approximately 4–5 audit days for 50 employees.
Process:
- Opening meeting
- Audit of processes (interviews, document review, observation)
- Review of evidence and records
- Summary and closing meeting
What auditors want to see:
- Active implementation of processes, not just paperwork
- Objective evidence that requirements are being met
- Staff who are knowledgeable and competent in their roles
- An effective system for continuous improvement
- Demonstrated commitment from top management
Typical Nonconformities and Their Prevention
Common nonconformities:
- Incomplete management review
  - Not all required inputs were considered
  - No traceable decisions documented
- Gaps in internal audits
  - Not all areas are audited
  - Auditors not independent
  - No follow-up on actions
- Missing corrective actions
  - Root cause analysis was not conducted
  - Effectiveness not evaluated
- Documentation deficiencies
  - Obsolete documents in circulation
  - Records not retrievable
  - Missing evidence for training
- Incomplete supplier evaluation
  - Criteria not defined
  - Evaluations not conducted
- Customer satisfaction is not determined
  - No systematic capture
  - Results not evaluated
Prevention strategies:
- Conduct a complete self-assessment for ISO compliance before the audit
- Use checklists based on standard requirements
- Check all records of the last 12 months for completeness
- Prepare employees for typical auditor questions
Part 9: BAFA Funding in Detail
Prerequisites for Funding
Who is funded?
The funding program is aimed at small and medium-sized enterprises (SMEs) and members of the liberal professions who meet the following criteria:
- Fewer than 250 employees
- Annual turnover under 50 million euros or balance sheet total under 43 million euros
- Headquarters, branch, or business operations in Germany
- Economic activity
What is funded?
Eligible services include strategic consulting on economic, financial, personnel, and organizational business matters. This explicitly covers consulting for the implementation of a quality management system.
Funding is not available for services primarily consisting of legal, insurance, or tax advice. Also excluded are expert reports, studies, or concepts that do not provide concrete recommendations for action.
Application Process Step by Step
Step 1: Select a consultant. The consultant must be registered with BAFA and have a valid consultant ID. The list of approved consultants is available via the BAFA website.
Step 2: Submit an application online. The funding application is submitted exclusively online via the BAFA application platform. Only company data and information on planned consulting are required.
Step 3: Wait for the information letter. BAFA or a coordination office checks the application and informs you about the result. This information letter allows the start of consulting.
Important: Only after receiving this letter may the consulting contract be concluded and consulting begun. Retrospective funding is excluded.
Step 4: Conduct consulting. The consulting is conducted and results in a consulting report with concrete recommendations for action.
Step 5: Submit proof of use. After completion of consulting, proof of use must be submitted within six months. This includes the consulting report, invoices and payment receipts, EU SME and de minimis declaration, and questionnaires on ESF Plus principles.
Step 6: Payment. After review of proof of use, payment of the grant occurs.
Optimally Use the BAFA Grant for ISO 9001 Implementation
Tips for maximum funding:
Consulting should be planned so that eligible costs are utilized as much as possible. With consulting fees of 3,500 euros and a funding rate of 80%, the own contribution is only 700 euros.
Since a maximum of two consultations per year can be funded, a larger project can be distributed over several years. For example, year 1 could cover gap analysis and conception, year 2 implementation support, and year 3 audit preparation.
For companies that have been on the market for less than one year, a free information meeting with a regional partner is required before application.
Part 10: After ISO Certification
Surveillance Audits: What to Expect
After successful certification, annual surveillance audits follow. These are shorter than the certification audit but check ongoing conformity and effectiveness of the QMS.
What is checked in surveillance audits?
- Internal audits and management review
- Corrective actions since the last audit
- Handling of customer complaints
- Effectiveness of QMS regarding goal achievement
- Progress on planned improvements
- Ongoing control of core processes
- Changes to QMS or the organization
Typical duration: 50–70% of initial audit effort.
Living Continual Improvement
Obtaining a certificate is a milestone, but not an endpoint. The greatest challenge is keeping the QMS alive and continuously developing it.
Success factors for a living QMS:
- Regular metrics evaluation and response to deviations
- Active use of the corrective action process
- Involvement of employees in improvement initiatives
- Regular review and adjustment of processes
- Ongoing training and competence development
Warning signs for a “dead” QMS:
- Documentation is only updated immediately before the audits
- Corrective actions are treated as a mere formality (“tick-box” exercises)
- Metrics and data are ignored or unmonitored
- Management reviews are bureaucratic formalities with no actionable outcomes
- Employees don’t know process descriptions
Typical Mistakes After Certification
Mistake 1: Carelessness between audits. After the certification audit, the daily routine returns and the QMS recedes into the background. The result: At the next surveillance audit, evidence is missing, and processes are no longer followed.
Prevention: Establish fixed routines for QMS tasks (weekly/monthly reviews) and clearly assign QMS responsibilities.
Mistake 2: Overloading with documentation. Out of fear of audit findings, more and more is documented. The system becomes bureaucratic and impractical.
Prevention: Regularly question: Do we really need this document? Is it used? Keep documentation lean.
Mistake 3: No further development. The QMS is viewed as a static system that is set up once and then never changed.
Prevention: Annual review of processes for currency and improvement potential. Benchmarking with other companies.
Extension to Other Management Systems
The High Level Structure (HLS) of ISO management system standards enables simple integration of additional standards. Typical extensions for SMEs in mechanical engineering are ISO 14001 for environmental management, ISO 45001 for occupational health and safety, and ISO 13485 for medical devices.
An integrated management system (IMS) uses common elements such as document control, internal audit, and management review, and only adds standard-specific requirements. This reduces effort and avoids duplication of work.
Part 11: DIY vs. Consulting – Making the Right Decision
When DIY Works
Independent implementation can be successful when experience with management systems already exists (through previous activities, training), sufficient time is available for familiarization and implementation (realistic: several months with considerable time investment), the company structure is manageable and clear, simple processes exist, and there is willingness to learn from mistakes and make improvements.
Advantages of the DIY approach:
- Deep understanding of one’s own system
- Reduced external consulting costs
- Independence from third-party schedules
- Retention of expertise and knowledge within the company
Risks of the DIY approach:
- Extended project timeline due to the learning curve
- Higher risk of misinterpreting the standard’s requirements
- Potential audit findings caused by overlooked regulations
- High opportunity costs due to the time commitment required from staff
When Professional Support Makes Sense
Consider professional consulting if you are under pressure from customer deadlines or tender dates. It is the most effective approach when internal QM expertise is lacking, processes are complex, or operations span multiple sites. Consulting is also the right choice if your team is fully absorbed by day-to-day business, or if you simply want a smooth, hassle-free path to certification.
Advantages of professional support:
- Structured, efficient approach
- Avoidance of typical errors
- Experience from many projects
- External perspective on blind spots
- Time savings through proven templates and methods
- Security through experience with certification audits
- Significantly reduced internal effort
The Hybrid Approach
Many small businesses choose a middle path: Certain phases are conducted with external support, others independently.
Typical distribution:
With a consultant:
- Initial gap analysis (clarify starting point and scope)
- Training of internal employees
- Review of the created documentation
- Preparation for certification audit
Independent:
- Creating process documentation
- Implementation in daily operations
- Conducting internal audits (possibly after training)
- Maintenance and further development of the system
This approach combines the advantages of both paths: External expertise secures quality at critical points, while internal know-how is built up and costs remain manageable.
Finding the Right Partner
If you decide to hire external support for ISO compliance and quality management implementation, ensure the consultant is accredited and experienced (using BAFA approval as a minimum standard). They should possess relevant industry knowledge and take a pragmatic approach that avoids excessive bureaucracy. Furthermore, verify that their availability matches your project schedule and that they are a good personal fit, as the collaboration may last several months.
Use the initial consultation to clarify your needs, the proposed approach, and mutual expectations. Requesting references from similar projects will provide additional assurance.
Conclusion: The Path to Certification is Achievable
ISO 9001 certification is an achievable goal for SMEs in the DACH region – regardless of whether the path is taken independently or with support. The key lies in realistic planning, consistent implementation, and management commitment.
This guide has described the essential steps: from the decision through understanding the standard to certification and beyond. What’s important is taking the first step: acquiring and studying the standard, conducting a gap analysis, and creating a realistic project plan. Then follows step-by-step implementation towards ISO compliance – not perfect, but consistent.
A well-implemented QMS is not bureaucracy, but a tool for better processes, more satisfied customers, and ultimately, business success.
About the Author:
Jonathan Sternberg is a certified internal auditor and external quality management representative with experience in automotive, semiconductor, laser optics, and medical technology. With Sternberg Consulting, he supports small and medium-sized enterprises in the DACH region in implementing ISO 9001, ISO 14001, ISO 45001, and ISO 13485.
Ready for the next step?
Those who choose the independent path will find in-depth articles on each standard chapter in our blog. Those who prefer professional support can arrange a non-binding initial consultation. As a BAFA-approved consultant, Sternberg Consulting also supports you when applying for funding.