Taking a Closer Look at ISO 9001 Clause 6

ISO 9001 Clause 6.

By now, you may have realised that ISO is a business management process that is not so complex, right? If tackled well, It is easier than many expect. In this blog, we will be talking about ISO 9001 Clause 6. However, if you are interested in other clauses within this standard I invite you to look at the other reading material or YouTube videos that go over the rest of the clauses.

The ISO 9001 Clause 6 is basically split into three main sections:

  • ISO 9001 Clause 6.1 | Actions to address risks and opportunities
  • ISO 9001 Clause 6.2 | Quality objectives and planning to achieve them
  • ISO 9001 Clause 6.3 | Planning of Changes

ISO 9001 Clause 6.1 |Actions to Address Risks and Opportunities

The first of which is actions to address risks and opportunities. As you might be aware this particular clause, ISO 9001 Clause 6, is a new addition to the standard, that is ISO 9001:2015.

Here we have to consider the risks and opportunities relating to your organization and if you follow the blog regarding clause 4, in that particular clause, we are required to create a SWOT analysis whereby we have to identify the strengths, weaknesses, opportunities and threats relating to your organization. In ISO 9001 Clause 6, the standard asks us to prioritize these risks and opportunities so that we can do something about them.

So the standard specifically says that when planning the quality management system the organization shall consider the issues referred to in 4 .1 and the requirements referred to in 4 .2 to determine the risks and opportunities that need to be addressed. these need to be addressed to give the necessary assurance that the quality management system can achieve its intended results, enhance desirable effects, prevent or reduce undesired effects, and achieve improvement. So when we are creating the SWOT analysis we have to consider these elements.

So what are the strengths, weaknesses, opportunities, and threats relating to our organization? What do the external and internal stakeholders of the organization want? And what are our strengths, weaknesses, opportunities, and threats in being able to provide these stakeholders what they need? The standard goes on to say that the organization shall plan actions to address these risks and opportunities and define how to integrate and implement the actions in its quality management system processes and evaluate the effectiveness of these actions.

As a minimum, you will be discussing risks and opportunities on a yearly basis. However, when first creating the list of risks and opportunities and you’re going to prioritize them, it is wise to come up with a list of actions that you’re going to do to mitigate your risks and seize your opportunities. If based on any of the risks we identify throughout the process, we need to change something within our processes, then that has to be reflected in the way the processes for your organization are defined. Let me take a simple example.

So if you are a company that is developing software, for example, for your clients, then a risk that you might have is that you wouldn’t understand or you wouldn’t be in agreement with the scope of the software that you are developing for your client.

Therefore, in the long run, it might result in your client not being happy with the cost of the software once it has been completed, because it would have not been properly specced before agreeing on a price with the client.

Or else, it might be that the client gets the software that they wanted at the price that was pre-agreed. However, the company doesn’t generate the profit that it should have generated from that particular project. So it’s important, for example, in this case, that we add a step within your sales process, whereby we effectively understand the requirements of your client and only once that has been fully completed do we provide an accurate quote to our clients.

This varies drastically from what a supermarket will need to do whereby if a client is requesting a carton of milk that is available on one of your shelves then there is no scoping that has to be done and the client can freely take that carton of milk to the cash and go ahead and pay.

So what I’m trying to explain here is that when reading this particular sentence on integrating and implementing the actions into its quality management system processes this is what I mean. It means that the processes of sales for example for a software company and the supermarket will be different because they have different risks.

To evaluate the effectiveness of these actions means that if, for example, we’re taking an action, for example, one of our risks might be that we have a high employee turnover. As one of the actions that we choose to implement, we decide that we’re going to improve the employee culture within our organization.

After taking these actions to improve the culture within the organization, we should monitor the employee turnover rates to see if the actions that we are taking actually had an effect on the risk that we wanted to solve in the first place. And the standard has some further notes that we can consider.

First of all, the standard states the following: The actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

Once again, that example of the software development company, if the software is not properly specced and an accurate quote is given to the client, or a definitive quote is given to the client, rather than accurate, then invariably that will have a huge risk either on the quality of the product or on the profitability of the project.

Therefore, a certain amount of importance has to be given to that particular step. And that is what this particular section is effectively talking about. And then we have an additional two notes.

Note 1 of ISO 9001 Clause 6.1 says “Options to address risks can include avoiding risk, taking a risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk or retaining the risk by informed decisions.

Let’s see what each of these means. So whenever we have a risk, we have different choices. First of all, we can adopt new practices. We can do things in a different way to avoid certain risks from coming to fruition. We can take risks in order to pursue an opportunity. So we might know that we are investing for example in a new product that is being developed by our organization, however, we are not 100% sure that this new product will work.

The company might still decide to move ahead with that particular project because they are excited and they see the potential benefit that seizing such opportunity will get to your organization. You can eliminate the risk source.

So if for example one of your risks is that someone might get injured for example and then you might want to work in a different way whereby you would not be exposing your employees to certain risks.

So eliminating the risk source is something that I try to avoid when working with my clients because invariably this will mean that you will definitely have to change the way that you are working before. So yes, eliminating the risk source is something that you should avoid unless absolutely necessary. Going back to the example of the software company, to eliminate the risk of not defining the software properly, we shouldn’t stop selling software, right?

But rather we should do different things to mitigate that particular risk. Changing the likelihood or consequences would be what we would be doing if we are investing more time in scoping the software before giving a quote to our customers.

Once again, in the case of the company sharing the risk, okay? Sharing the risk or transferring the risk is for example when we are using insurances. By paying the insurance we are effectively transferring some of that risk onto another company.

Of course, each risk carries another risk whereby we might be relying on an insurance company but what would happen if that insurance company were to go bust, for example? So sharing the risk is another technique that we use to mitigate risks and even though it is commonly used, there are other risks that we have to consider when we are sharing the risk.

Finally, we can retain the risk by informed decision, which means that we would know that a particular process is risky. However, we decide to keep it as it is because the risk that we have right now is of a potential negative impact that is less than the action that we would need today to mitigate that particular risk.

Note 2 of ISO 9001 Clause 6.1 states that “Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using technology and other desirable and viable possibilities to address the organizations or its customers needs.

So here the standard is telling us that we can do different types of things effectively to mitigate risks.

ISO 9001 Clause 6.2 | Quality Objectives and Planning to Achieve Them

Moving on to ISO 9001 Clause 6 .2, this particular clause talks about quality objectives and planning to achieve them.

First of all, what are quality objectives? Quality objectives are objectives for your organization that are aimed at having some type of goal that everyone can see within your organization. And given that the standard says that the organization shall establish quality objectives at relevant functions, levels and processes needed for the quality management system, that means that first of all, we have to consider generic elements, for example, the HR function.

The accounting function, if we want to include accounts within the quality management system, we don’t need to mind you, but HR would be a wise inclusion within the quality objectives. We can have objectives at different levels.

So it might be a top management level, it might be lower down within the organization, we can have goals relating to specific departments rather than the organization. And we can also have goals relating to our processes. For example, the conversion rate of our sales process, the number of defective products that are generated by our manufacturing line, et cetera. The objectives shall be consistent with the quality policy.

This means that when creating quality objectives, we have to go back to the quality policy that would have been created in clause five, right? The topic of how to create a quality policy has already been covered in past blogs. The quality policy and the objectives that we create right now have to cater for those unique selling points that you have as an organization to make sure that whatever you are saying in the quality policy in terms of words, you are now translating that in terms of actual numbers.

For example, if you want to say that you want to become a market leader in the quality policy, then in the quality objectives, you might have an objective relating to the market share. that you have as an organization.

So quality objectives have to be consistent with the quality policy. They have to be measurable and when talking about measurable here I like to tell my clients to have smart objectives. Smart objectives doesn’t necessarily mean and doesn’t just mean that they have to be intelligent objectives but smart objectives is an acronym to having specific, measurable, attainable, relevant and timely objectives for your organization.

Once again I invite you to go to my website or other videos within this YouTube channel so that you can understand how to create quality objectives that are smart for your organization. So moving on to the third point here we have to take into consideration that quality objectives have to into account applicable requirements.

So if there are any applicable customer requirements or statutory and regulatory requirements. For example, we might have agreements with our clients as regards SLAs, okay, software or rather service level agreements.

If we have committed with our clients that we’re going to service their needs within, for example, 24 hours, it might be a good idea to have a quality objective that measures the timeliness of our response to our clients to make sure that you are able to meet those SLAs.

To be relevant to the conformity of products and services and to enhance, and to enhancement of customer satisfaction. What this is saying is that of course, quality objectives have to relate to quality and not just the quality of the product or service itself, but rather to how happy your clients are with the service or products they are getting from your organization.

And there are different ways in which we can do this. First of all, we can evaluate the quality of the product or services itself, but we can also consider elements, for example, the amount of repeat work that we can get from clients.

This is an indirect measure of customer satisfaction because only happy clients will buy time and time again from your organization. So what percentage of your clients are purchasing once again from your business if it’s relevant to your organization?

So yes, monitoring quality and customer satisfaction is definitely a critical part of creating quality objectives that are compliant with the requirements of the standard. Objectives have to be monitored, communicated, and updated as appropriate, and the organization shall maintain documented information on quality objectives.

What this means is that first of all, given that it has quality objectives, have to be maintained as documented information. means that we have to have these objectives written down somewhere so that the auditor can actually see them and read them and objectives have to be monitored.

If for example, we come up with a quality objective that SLAs have to be sorted within 20 hours, it’s useless to come up with that objective if we’re not going to monitor the performance of each and every request that we get from our clients to be able to get a number for the actual time that we are taking to respond to customer needs.

Another element is that they have to be communicated. So it’s useless once again to come up with a list of objectives if they are saved somewhere and not communicated with the relevant people. If objectives are communicated adequately and if as an intelligent leader would do quality objectives are tied to the performance appraisal of employees, then you’re going to make sure that everyone within your organization is pulling the same rope and taking your organization into the same direction, which is obvious but not so common.

And objectives have to be updated. This goes without saying. Once again, it’s useless to come up with objectives, leaving them like that for six, or seven years, you know, and expecting that these objectives will remain relevant to your organization.

So we have to make sure that objectives are continuously updated to reflect the changing realities of your organization.

ISO 9001 Clause 6.2.2

Moving on to clause 6 .2 .2, here we see that it states that when planning how to achieve its quality objectives, the organization shall determine what will be done.

So the actual objective, what are we going to do to reach that particular objective, what resources will be required to do the actions that are needed to reach that specific objective, who will be responsible for the deadline and by when it will be completed? How the results will be evaluated, okay?

So basically, once again, by employing smart objectives, we will be meeting part of the requirements of this particular clause, 6 .2 .2, but also we have to make sure that we are adequately scoping the decisions that we take for each objective and the actions and implications of meeting each and every objective, and we have to make sure that the right resources are being provided in terms of time and money to allow the person who is responsible for such an objective or such tasks to be able to make sure that they are actually capable of doing those actions to meet the results of this objective.


Whether you’re after ISO Certification, internal audits, or results-oriented consultancy, Luke has the plan for you. Reach out to him and start your journey today.
ISO Consultant in Malta


Luke has a plan for you whether you want ISO certification, internal audits, or results-oriented consulting. Contact him immediately to begin your adventure.

ISO 9001 Clause 6.3

Finally, the standard ISO 9001 Clause 6.3 talks about the planning of changes. So when the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner.

So here it’s asking us to refer to clause 4 .4 which as we have seen earlier, it talks about listing down your processes and making sure that your processes are relevant to the needs of your organization.

However, these changes can be related to other topics, not just relating to your processes. For example, if you decide to enter in a new market, if you’re going to start promoting a new product, if you’re going to change the premises of your organization, if there is a new legal requirement that is being imposed on your organization, it is wise to consider such changes as major changes within the organization and in such a case you will need to consider these four elements.

First of all, the purpose of the changes and their potential consequences. Let’s say that you’re going to change premises. So what are the potential consequences of changing the location of your premises?

You might not be as close as you were previously to your clients or to your suppliers. It might make it harder for your clients to find you in this new location. So you need to communicate this particular change accordingly with your market.

So what are the consequences of your changes? The integrity of the quality management system. If, for example, before we were very close to our clients and now the distance has increased drastically, then that might have an impact, for example, on the lead time of our deliveries to our clients.

Therefore, once again, we have to make sure that the consequences of our processes are leaving our quality management system intact and that it’s not having any negative effect on the quality of products and the services that we sell to our clients.

We also have to make sure that we have the available resources needed to meet the demands of such a change. So for example, when it comes to medical devices, recently, not recently, a couple of years ago now, the new medical device regulations came into action.

And for example, organizations had to have the role of an MDRP, medical device registered person. So that is clearly a new resource that had to be added to these organizations or where an employee would need to be retrained to be able to meet the requirements of the role of an MDRP.

So considering the resources that are needed for a particular change is important. Once again, if we’re talking about about changing the offices. We don’t just snap our fingers and the operations of the organization will move from one place to the next.

We need to move, we need to make sure that we have the right desks, the right equipment. We need to make sure that the IT setup has been translocated from one place to the next, ok. So there are resources with each endeavor change that occurs within our organization.

Another significant change might for example be the implementation of a software. Recently I was working with a client who decided to implement ISO 9001 as part of their process of digitizing the whole operation of their organization.

And even though they knew it was going to be a difficult and detailed process, they were later overwhelmed by what it literally took to change all the processes from being paper based to computer-based.

Therefore it’s important for us as organizations to consider having all the resources needed and given that Murphy’s law states that everything that can go wrong will probably go wrong then it would be ideal to possibly overcompensate the resources that will be allocated to a specific project to make sure that we have allocated the right resources to take this change through to the end without having any negative consequences on our quality management system.

Finally, the allocation or reallocation of responsibilities and authorities basically states that once we have implemented a change within our organization it would be wise to review the roles and responsibilities that we have discussed in clause 5.3 within this standard to make sure that they are still relevant to the updated needs of the organization.


As an ISO management system consultant Luke Desira will make it his personal mission to put your company in a class above all others! Read more about how to get ISO certified with Luke Desira here. Otherwise, you can also read about the difference between implementing ISO in a large company versus implementing ISO in a small firm. These blogs and others will surely help you get more knowledge about ISO 9001, specifically ISO 9001 Clause 6.

If you are searching for information on different types of ISO certification, read more here, and find out about the 10 pitfalls that you may encounter during the implementation process of different types of ISO certification.

Don’t forget to follow us on our Facebook and LinkedIn profiles, and subscribe to our Youtube Channel for more great content.

That is it from my end, let’s keep building processes and uncover the definition of ISO through optimised systems!

Book a Free 15 minute discovery call

Select a date and time to schedule a free 15 minute discovery call with Luke Desira.

Message Luke through an email


Give Luke a call

+356 7920 6686

Related Articles

Clause 10 of ISO 9001
ISO 9001

Close Examination | Clause 10 of ISO 9001

Clause 10 of ISO 9001 is the final clause of the standard. Clause 10 of ISO 9001 talks about improvement and the purpose of this blog is to give more information about this particular clause by going through what the standard says in this clause. Here, you can either listen to the video where Luke

Read More »
ISO 9001 Clause 9 - Management Review
ISO 9001

ISO 9001 Clause 9 – Performance Evaluation

Hey there, are you interested in ISO 9001? Well, you’re in the right place. This blog covers ISO 9001 Clause 9, to be exact. This blog is in fact part of a mini-series where the ISO 9001 standard is put under the spotlight and examined really closely. If you haven’t looked at the other blogs

Read More »
ISO 9001 Clause 8
ISO 9001

ISO 9001 Clause 8 Shining a Light on Key Processes

The scope of this blog is to go into great detail about ISO 9001 clause 8. Now given that ISO 9001 clause 8 talks about the key processes of your organization, this blog will cover the sales, purchasing, operations and design processes of your organization. In this blog, an overview will be given about each

Read More »
Scroll to Top