Support as QMS Foundation
Clause 7 provides the enabling conditions without which Clause 8 (operations) cannot achieve quality outcomes. People, infrastructure, knowledge, and documented information are the building blocks of a working QMS. A common failure is organizations jumping to operational procedures without ensuring that adequate support resources are in place. An organization cannot execute quality processes if staff lack necessary competence, tools, or knowledge.
Clause 7.1: Resources Overview
Clause 7.1 requires the organization to determine and provide the resources necessary for the QMS to be effective. The standard specifies six sub-types of resources that must be addressed. First, people (addressed in detail in 7.2). Second, infrastructure — the facilities, equipment, utilities, technology platforms, and tools needed for processes to operate. Third, work environment — the conditions (temperature, lighting, noise, safety, ergonomics) needed for people to work effectively. Fourth, monitoring and measuring resources — equipment used to verify conformity, which must be calibrated and maintained. Fifth, organizational knowledge — the intellectual capital and operational knowledge needed for processes to function. Sixth, competence (addressed in detail in 7.2).
The requirement is straightforward: determine what resources are necessary, provide them, and maintain them. Many organizations fail on the maintenance part — equipment is not calibrated, knowledge documentation is not updated, facilities are not properly maintained. The resource requirement is not one-time; it is continuous.
Clause 7.1.6: Organizational Knowledge
Clause 7.1.6 is a 2015 addition to ISO 9001 and reflects the growing recognition that knowledge is a critical organizational asset. The standard requires that the organization determines the knowledge necessary for operation of its processes and to achieve conformity of products and services. The organization must maintain this knowledge and make it available when needed. The knowledge is protected from loss (for example, when employees leave).
This is a practical requirement in organizations with key person dependency. If critical process expertise exists only in the head of one individual, there is a knowledge at-risk problem. Building documented procedures, work instructions, lesson learned records, and institutional memory before key personnel leave is the organizational knowledge management approach.
| Knowledge Type | Risk if Lost | Capture Mechanism | ISO 9001 Clause |
|---|---|---|---|
| Process expertise (key operator knowledge) | Process variation, quality failures, lost capability | Documented work instructions, job shadowing, procedure review | 7.1.6 |
| Customer relationship knowledge | Miscommunication of requirements, lost business | CRM system, requirements review documentation, account notes | 8.2 |
| Technical/product knowledge | Design errors, specification misunderstanding | Design documentation, technical procedures, design reviews | 8.3 |
| Supplier knowledge (approved suppliers, past issues) | Requalifying known-bad suppliers, duplicate mistakes | Supplier register, evaluation records, supplier history | 8.4 |
| Lesson learned from nonconformities | Repeated quality failures, same root causes | NCR records, corrective action register, lessons learned register | 10.2 |
Clause 7.2: Competence
Clause 7.2 requires the organization to determine the competence necessary for people to perform work affecting the quality of products and services. The organization must ensure that these people are competent based on education, training, skills, and experience. When people are found to be lacking necessary competence, the organization must take action such as training, mentoring, reassignment, or outsourcing. The organization must retain documented evidence of competence.
The critical distinction is between training and competence. A person who attended a training course but cannot demonstrate correct application of the training is trained, not competent. ISO 9001 requires evidence of competence — which means evidence that the person can apply their knowledge and skills in the actual work environment to produce conforming outcomes. This evidence may include training certificates, but must also include evidence of competence demonstrated (work product quality, supervisor verification, assessment results).
| Competence Evidence Type | Example | Better Than |
|---|---|---|
| Training certificate | Attended quality management course, certificate received | Nothing, but does not prove competence |
| Training record + assessment | Course completed + post-training test passed | Training certificate alone |
| On-the-job verification | Supervisor verified correct process execution | Training record and assessment alone |
| Performance record | Quality metrics show no attributable errors over period | Assessment result alone |
| Certification/qualification | Third-party verified competence in specialized area (welding, design) | Training record without verification |
Clause 7.3: Awareness
Awareness is different from competence. While competence is about ability to perform work, awareness is about knowledge of organizational context and purpose. Clause 7.3 requires that relevant personnel are aware of the quality policy, the quality objectives, their personal contribution to QMS effectiveness, and the implications of nonconformity for quality and customer satisfaction.
Awareness programs typically include: induction programs for new employees covering quality policy and objectives, periodic refresher training on QMS relevant topics, team meetings or communications where quality performance is discussed, and connections between individual work and organizational quality outcomes. The requirement is that this communication is systematic, not random.
Clause 7.4: Communication
Clause 7.4 requires that the organization conducts internal and external communication relevant to the QMS. This includes what is communicated (quality policy, quality objectives, QMS changes, quality performance), when (proactively before changes, routinely as scheduled), to whom (all affected personnel, external parties where relevant), how (meetings, email, training, notice boards), and by whom (designated communicators). The requirement is that quality-relevant communication is systematic, not ad hoc.
A common failure is that quality-relevant information is communicated informally or through individual relationships rather than through systematic communication channels. When a new procedure is released but only announced at a team meeting without documentation that communication occurred, auditors will ask who did not attend that meeting — and whether they are aware of the change.
Clause 7.5: Documented Information
The 2015 standard replaced the phrase "documents and records" with "documented information" — a deliberate simplification to avoid confusion. The standard requires specific documented information to exist (mandatory documented information: quality policy, scope, quality objectives, procedures for key processes, etc.). Organizations determine what additional documented information is needed based on their context, risks, and processes.
Clause 7.5 also specifies document control requirements: documented information must be available and suitable for use, protected from unauthorized access or modification, distributed in a controlled manner, retained for a defined period, and disposed of appropriately. Electronic document management systems help meet these requirements, but paper-based systems with clear procedures are also acceptable.
| Mandatory Documented Information | ISO 9001 Clause | When Created | Typical Format |
|---|---|---|---|
| QMS scope | 4.3 | Before QMS certification | Scope statement document |
| Quality policy | 5.2 | Before QMS certification | Policy document, posted in workplace |
| Quality objectives | 6.2 | Annually | Objectives plan with measurement |
| Competence evidence | 7.2 | Upon hire and training | Training records, assessments |
| Customer requirements review | 8.2.3 | For each customer order/project | Requirements review record |
| Design records (if 8.3 applies) | 8.3 | During design process | Design plan, review records, verification/validation records |
| Supplier evaluation | 8.4.1 | Upon supplier approval | Supplier evaluation record |
| Production/service records | 8.5.1 | During production/delivery | Work instructions, inspection records, release records |
| Nonconformity records | 8.7 | When NC discovered | NCR form with disposition |
| Internal audit records | 9.2 | Per audit program | Audit report, findings log |
| Management review records | 9.3 | Per review schedule | Management review minutes with inputs and outputs |
| Corrective action records | 10.2 | When NC identified | Root cause analysis, action plan, effectiveness verification |
| KEY IDEA | The 2015 standard replaced "documents and records" with "documented information" — a deliberate simplification. This means you determine what documented information you need based on your processes, risks, and organizational context. The standard mandates some specific documented information; everything else is your decision. Do not create documentation because you think ISO 9001 requires it — create it because it adds quality value or because it is a requirement of your specific processes. |
| IMPORTANT | Competence is not the same as training. A person who attended a training course but cannot demonstrate correct process execution is trained, not competent. ISO 9001 requires evidence of competence demonstrated in the actual work. Auditors will ask to see both training records and competence evidence. If training records exist but competence is not demonstrated, this generates a finding. |
| BITLION INSIGHT | Organizational knowledge management (Clause 7.1.6) is the requirement that most Indonesian organizations are least prepared for. Key person dependency is widespread — critical process knowledge exists only in one individual's head. Building documented work instructions, process procedures, and lessons learned records before key personnel leave is the most practical response to this requirement. This is not bureaucracy — it is risk management for operational capability. |