How IT systems can help organizations comply with ISO 9001:2015
Companies looking to implement ISO 9001:2015 often find that a key challenge is ensuring that their IT systems are up to scratch. Issues around the acquisition, supply, development, operation and maintenance of computer software sometimes need particular focus.
Standard BS ISO/IEC/IEEE 90003:2018 provides guidelines for the application of ISO 9001 to computer software. What has changed in this recently updated edition?
What is ISO 9001:2015?
ISO 9001 sets out criteria for a quality management system that is suited to organizations of any size and type. Organizations can certify to the standard or use it without certification. Around 1 million companies and organizations in over 170 countries have certified to ISO 9001.[1]
The standard explains quality management principles such as strong customer focus, motivating and implicating top management, the process approach and continual improvement. The aim is to ensure that customers receive consistent, good-quality products and services, leading to a wide range of benefits for the business or organization.
A number of additional standards have been developed to provide guidance for businesses working in particular areas or to help with particular topics – for example, medical devices (ISO 13485); local government (ISO 18091); business management systems for rail organizations (ISO/TS 22163); and petroleum, petrochemical and natural gas industries (ISO/TS 29001).
BS ISO/IEC/IEEE 90003:2018 is one such supplementary standard, which provides guidance on the application of ISO 9001 to software engineering.
Key ISO 9001 concepts
ISO 9001 helps organizations break down, analyse and improve their activities by using a process approach. This should be done when developing, implementing and improving the effectiveness of a quality management system. Understanding interrelated processes as a system helps an organization to achieve intended results through better effectiveness and efficiency.
The process approach looks at sources of inputs (such as predecessor processes), inputs (e.g. materials, resources and requirements), activities, outputs (e.g. the product, service or decision) and receivers of outputs (such as customers or other relevant parties). For each stage of this process, the organization can identify controls and checkpoints that will help to monitor and measure performance.
The process approach is often also seen as a plan–do–check–act cycle, showing how careful thinking at each stage of the process can help to deliver improvements and identify risks and weaknesses.
Risk-based thinking is also a key component of ISO 9001. This approach helps organizations carry out preventive action to eliminate potential non-conformities, as well as analysing non-conformities that occur and taking action to prevent recurrence.
The format of BS ISO/IEC/IEEE 90003:2018
BS ISO/IEC/IEEE 90003:2018 leads organizations through a process of considering key elements of their quality management as it relates to software. First, the context of the organization is considered. Then, the document takes the reader through sections on leadership, planning, support, operation, performance evaluation and improvement.
The document sets out the key provisions from ISO 9001, then gives guidance in a software-specific context and, where appropriate, references to further information. For example, where ISO 9001 Clause 8.1 sets out guidance on operational planning and control, BS ISO/IEC/IEEE 90003:2018 provides software-specific guidance such as looking at testing procedures, life-cycle models and programming language conventions.
Design and development
Design and development planning is a particularly important part of BS ISO/IEC/IEEE 90003:2018. In ISO 9001, Clause 8.3.2 sets out stages and controls for design and development, which are enlarged upon in BS ISO/IEC/IEEE 90003:2018. Organizations are advised to define elements such as the activities to be carried out, required inputs and outputs, verification for each activity, management and supporting activities, and required team training.
Managers are also advised to develop a schedule identifying stages of the project, a work breakdown structure, associated resources and timing, associated dependencies, milestones, and verification and validation activities.
Customer satisfaction
BS ISO/IEC/IEEE 90003:2018 gives guidance on ISO 9001's Clause 9.1.2 on customer satisfaction, confirming that organizations should monitor customers’ perception of the degree to which their needs and expectations have been fulfilled.
BS ISO/IEC/IEEE 90003:2018 states that organizations' processes for requesting, measuring and monitoring customer satisfaction feedback should provide information on a periodic basis – for example, analysis of helpdesk calls, quality-in-use metrics derived from direct and indirect customer feedback, and the number of software fixes required to resolve problems after initial delivery.
Management review inputs
ISO 9001 sets out requirements for planning and carrying out a management review, looking at issues such as customer satisfaction, quality objective achievement, process performance, monitoring and measurement results, audit results and the performance of external providers.
BS ISO/IEC/IEEE 90003:2018 adds to this by advising that software management review inputs may include software standard compliance, areas of risk against development, resource monitoring and control, formal third-party approvals, and reviewing and maintaining certification to a known standard.
Risk management
As IT systems become more integrated and vital to the operations of most companies, risk management likewise becomes more important. BS ISO/IEC/IEEE 90003:2018 sets out guidance on creating production or testing environments where non-conforming hardware or software can be tested to detect defects.
The document then sets out what should be done in the event of non-conformity being identified – for example, repair or rework, acceptance with repair, and treatment as a conforming product after amendment or rejection.
What is new in the updated version?
BS ISO/IEC/IEEE 90003:2018 is a technical revision of the 2014 version. The structure and content have been updated to reflect the revision of ISO 9001:2015, and other content has also been updated to reflect the revision of BS ISO/IEC/IEEE 12207:2017 and other software and systems engineering standards.
The document has a useful annex setting out key clauses within ISO 9001:2015 and other relevant standards.
Is BS ISO/IEC/IEEE 90003:2018 right for your organization?
If your organization has been using ISO 9001 to improve quality management, it’s likely that BS ISO/IEC/IEEE 90003:2018 will also be of use. There can hardly be a business in operation today that does not rely on software to some extent. Failure can be costly and inconvenient. Why not use this standard to help make your organization more resilient?