ISO 9001 and the Quality Management Ecosystem

The ISO 9000 Family

ISO 9001 is the certifiable standard, but it is part of a family of quality management standards published by ISO. The family includes:

ISO 9000:2015 (Quality Management Systems — Fundamentals and Vocabulary) is the vocabulary and conceptual foundation. It defines key terms that ISO 9001 uses without defining, including "product," "service," "conformity," "nonconformity," "documented information," "risk," "process," and "interested party." Any organization implementing ISO 9001 should begin by reading ISO 9000 to ensure a shared understanding of these terms.

ISO 9004:2018 (Managing for the Sustained Success of an Organization) goes beyond the minimum requirements of ISO 9001 and describes how organizations achieve sustained organizational success through quality. ISO 9004 is not certifiable but is valuable for organizations pursuing continuous improvement beyond ISO 9001 compliance.

ISO 19011:2018 (Guidelines for Auditing Management Systems) provides guidance on planning, executing, and reporting internal and external audits of management systems. Organizations implementing ISO 9001 should follow ISO 19011 guidance for their internal audit program (required by Clause 9.2).

Understanding the whole family matters because gaps in comprehension of vocabulary or concepts often lead to QMS implementation errors. An organization that implements ISO 9001 without reading ISO 9000 may misinterpret key requirements or conflate related concepts.


ISO 9000: The Vocabulary Foundation

Key concepts defined in ISO 9000:2015 that ISO 9001 uses without defining deserve special attention:

Product — an outcome of processes; can be tangible (a manufactured good) or intangible (service, software, information). Understanding the distinction is essential because some QMS processes differ for products vs. services.

Service — the outcome of at least one activity performed at the interface between the supplier and customer. Services are typically intangible and cannot be owned. Manufacturing organizations may provide products accompanied by services (delivery, installation, training). Service organizations provide only services.

Conformity — fulfillment of a requirement. A product conforms if it meets specified customer requirements. A process conforms if it operates according to its documented procedure.

Nonconformity — a deviation from a requirement. Examples include a defective product, a process performed outside its documented procedure, or a service that fails to meet a customer expectation.

Documented information — information required to be controlled and maintained by the organization, plus the media and supports on which it resides (e.g., procedures, records, databases, drawings).

Risk — the effect of uncertainty on objectives. In ISO 9001, risk-based thinking is applied to identify and control process risks that could prevent the QMS from achieving its objectives.


Sector-Specific Quality Standards Built on ISO 9001

Several sector-specific quality standards are built upon or aligned with ISO 9001. These standards incorporate the ISO 9001 requirements and add sector-specific requirements. Organizations pursuing these sector standards must first achieve ISO 9001 competence.

Standard | Sector | Relationship to ISO 9001 | Indonesian Relevance
--- | --- | --- | ---
IATF 16949 | Automotive manufacturing | ISO 9001 embedded plus automotive-specific requirements (design control, FMEA, statistical control) | Required for Toyota, Honda, Astra supply chain suppliers
AS9100 Rev D | Aerospace and defense | ISO 9001 plus safety and traceability requirements; design control emphasis | PT Dirgantara Indonesia; aerospace MRO providers
ISO 13485 | Medical devices | Similar structure to ISO 9001 but with device-specific requirements and regulatory authority interface | BPOM-registered medical device manufacturers
ISO/IEC 20000-1 | IT service management | Annex SL sibling structure; service management quality and IT service delivery | Indonesian technology companies; government IT providers
ISO 45001 | Occupational health & safety | Annex SL sibling; risk-based approach to managing occupational health and safety | Construction, mining, manufacturing; high-hazard sectors
ISO 14001 | Environmental management | Annex SL sibling; risk-based approach to managing environmental aspects and impacts | Export manufacturers; environmental compliance-driven sectors


The Annex SL Management System Family

In 2015, ISO made a strategic decision to harmonize the structure of all new and revised management system standards using a common framework called Annex SL (High Level Structure). This framework defines identical clause titles, structures, and foundational concepts for all Annex SL standards. The primary Annex SL standards are ISO 9001 (Quality), ISO 27001 (Information Security), ISO 22301 (Business Continuity), ISO 20000 (IT Service Management), ISO 14001 (Environmental), and ISO 45001 (Occupational Health & Safety).

The rationale for Annex SL is powerful for organizations pursuing multiple certifications: if you can understand and implement the structure once, you can more rapidly implement related standards because the foundational infrastructure is already in place.

IMS Component | Standalone (3 separate certifications) | Integrated (IMS) | Efficiency Gain
--- | --- | --- | ---
Context Analysis | 3 separate context analyses for quality, security, and BC | 1 shared organizational context document used for all three standards | 67% effort reduction
Risk Register | 3 separate risk registers (quality risks, security risks, BC risks) | 1 integrated risk register showing how quality, security, and BC risks are managed | Consolidated risk view; better prioritization
Internal Audit Program | 3 separate audit schedules and programs | 1 combined audit program covering all three systems in a single audit cycle | Significant scheduling efficiency; better process coverage
Management Review | 3 separate management reviews (often at different times) | 1 combined review session addressing all three standards' performance and improvement | Executive time efficiency; integrated decision-making
Document Control | 3 separate document management systems | 1 unified DMS serving all three standards | Reduced maintenance burden; single source of truth


ISO 9001 and ISO 27001: The Most Common Indonesian Dual Certification

Among Indonesian organizations, the most common combination is ISO 9001 (Quality) and ISO 27001 (Information Security). This combination makes sense for organizations in technology services, business process outsourcing, and government IT suppliers where both quality and security are critical competitive qualifications.

ISO 9001 and ISO 27001 share the Annex SL structure, which means Clause 4 (Context) can be shared, Clause 5 (Leadership) can be unified, and Clause 6 (Planning) can address both quality and security risks in a single risk register. The internal audit program can combine quality and security audits, and management review can address both systems in a single governance session.

The overlapping requirements also create efficiency in documenting evidence. For example, management's engagement in quality (Clause 5 Leadership for ISO 9001) is the same engagement that demonstrates leadership for information security (Clause 5 of ISO 27001). A single management review agenda, supplemented with both quality and security performance data, satisfies both standards.


ISO 9001 and ISO 20000: Quality in IT Service Management

ISO 20000 (IT Service Management) is relevant for technology organizations that deliver IT services (infrastructure, applications, helpdesk support, etc.). ISO 20000 is built on Annex SL and shares much of its structure with ISO 9001.

For technology organizations, the question is whether to certify ISO 9001 or ISO 20000 or both. ISO 9001 is the broad quality management standard that any organization can pursue. ISO 20000 is specific to IT service management and typically required by customers who procure IT services. Many technology organizations start with ISO 9001 and later add ISO 20000 as market requirements drive it.


Building Toward an IMS

Organizations pursuing multiple certifications face a sequencing decision: which standard first? The general recommendation is to start with ISO 9001 as the foundational quality management system, then add security (ISO 27001) or environmental (ISO 14001) based on business drivers. This sequencing builds the shared infrastructure — context analysis, risk framework, process mapping, internal audit, and management review — on a single foundation.

A well-planned IMS integration can reduce the total implementation effort by 40–50% compared to implementing standards separately. However, poorly planned integration — where organizations try to combine too many standards at once — often results in overly complex documentation and inadequate depth in any single standard.

KEY IDEA: ISO 9001 is a gateway standard. Once an organization understands and implements the Annex SL structure through ISO 9001, adding ISO 27001 or ISO 22301 becomes significantly faster and less costly because the shared infrastructure — context analysis, risk framework, internal audit, management review — is already in place.

IMPORTANT: Sector-specific standards like IATF 16949 and ISO 13485 incorporate ISO 9001 requirements and add sector-specific requirements on top. Organizations pursuing these sector standards must first achieve ISO 9001 competence. Indonesian organizations in the automotive supply chain or medical device manufacturing sector should plan their QMS journey with the sector standard as the ultimate target.

BITLION INSIGHT: The most common question from Indonesian organizations considering ISO 9001 is whether they should pursue it alone or alongside ISO 27001. The answer depends on their primary commercial driver: if government IT procurement is the priority, ISO 27001 may deliver faster commercial value. If manufacturing quality certification or export market access is the priority, ISO 9001 comes first. For technology service organizations, building toward a combined ISO 9001 + ISO 27001 certification from the start is almost always the most efficient path.