Ever since the announcement that ISO 9001 would be revised, the internet has been alive with speculation about what will change. Long before any draft documents were available, self-proclaimed experts insisted that the standard would be totally rewritten, or that some new topic would take center stage. Some of these pronouncements were wishful thinking. In other cases, early drafts were leaked that contained suggestions for new topics, but those suggestions were later rejected during the normal committee review process. 

Last summer, ISO issued a Draft International Standard, ISO/DIS 9001, for worldwide review and comment. Voting on this draft was open until mid-November. Assuming no upsets, we can expect a Final Draft soon and then publication of the updated standard in 2026.  

Normally by this stage in its development, a standard is pretty solid. We should not expect many more changes. So I sat down recently to compare the ISO/DIS 9001 with the published standard that is in effect today, ISO 9001:2015. What follows is a summary of the changes I found. Of course, it is always possible that something else will sneak in at the last minute, but it is very unlikely. 

What has changed? The short answer is: Not much. But that can be misleading. If you ask, “Which pages have been touched?” the answer is: Most of them. And there are significant additions in Clause 3 and Annex A. But if your organization is already certified to ISO 9001:2015 and expect to recertify next year when the new edition is published, the net impact on you will be very small. 

In fact, the current DIS contains only two new ideas. One is “quality culture and ethical behavior.” The other is “opportunity-based thinking.” The rest of the changes touch a lot of pages, but are mostly not requirements. 

Quality culture and ethical behavior 

The first new topic shows up in the requirements on leadership. Clause 5.1.1 itemizes responsibilities for top management. The DIS updates this list by adding one more item: 

Top management shall demonstrate leadership and commitment with respect to the quality management system by: … promoting quality culture and ethical behavior.  

Then it adds a note to explain:  

NOTE 2 An organization's quality culture and ethical behavior are reflected in its shared values, attitudes, and established practices. 

The topic is referenced briefly in Clauses 7.1.4 and 7.3(e), but not with any new requirements. 

In one sense, this requirement is only natural. We all know that organizations which tolerate sloppy ethical behavior often tolerate sloppy operational behavior too, so they are likely to have quality problems. And every organization has its own quality culture—that basic sense you breathe in with the air that says “This behavior is acceptable, but that behavior isn’t.” So far, so good. 

What do you have to change in your organization, to comply with this requirement? Nothing, I hope! I hope you already behave ethically and have a good quality culture. But if you mean, “What do we have to show the auditor?” then it’s not so clear. The requirement doesn’t ask you for any evidence that you aren’t creating anyway. So don’t make something up. If your auditor asks, just explain how your existing system—the way it is—supports you in doing a good and honest job. 

Opportunity-based thinking 

The current edition of the standard introduced the idea of “risk-based thinking,” and ever since it was published there has been disagreement about what that means. Some people insist that a risk is the effect of any kind of uncertainty, good or bad. Since the future is uncertain, they argue, “risk-based thinking” means that businesses have to watch for what can go wrong, but also for what can go unexpectedly well. Then if a “positive risk” appears, a business can capitalize on it. 

Others reply that this is a confusing way to use the word risk. They add that the normal way to talk about a “positive risk” is to call it an opportunity. And they have urged for years that the standard should be updated with this language. 

It may sound like a small point; but in the world of international standards, exact words are important. In fact, ISO publishes many technical standards that use the word risk, and most of them use their own definition—one that fits the usage in a specific technical area. Since ISO 9001 is used across so many disciplines, none of those special definitions will work. The final decision was to use both risk and opportunity, just to make the document less confusing. But the intention is unchanged: you should watch for what can go wrong, but also for what can go right. Probably you are already doing both.     

So what’s all the rest? 

The other updates mostly preserve the same meaning as before but change the wording. Often when some clause involves a bulleted list, the updated version rearranges the elements of the list. And in every place where the current edition refers to itself as “this International Standard,” the DIS refers to “this document.” 

Clause 3 is for “Terms and definitions.” In the current edition, that clause is a one-sentence reference:  

For the purposes of this document, the terms and definitions given in ISO 9000:2015 apply. 

The DIS keeps this reference, but also lists twenty-three definitions separately. None of these is a new word. All of them exist today in ISO 9000, with the same definitions given in the DIS. I don’t know why they are here. 

Annex A contains fifteen pages of discussion, explaining the material in the body of the DIS. Some of it is interesting and valuable, but none of it is a requirement. If you are unclear what a requirement means, check the discussion in Annex A for help. But you don’t have to implement any of it if you don’t want to. 

Here is a list of the other changes I found: 

• Clause 6.1.2 now says which risks to address, but it says exactly what you already do anyway. 
• Clause 6.3 now says to communicate and evaluate changes. These weren’t required before, but you probably did them. 
• Clause 8.4.3(d) now says that if one of your suppliers is going to interact directly with your customers or other interested parties, you have to tell them what to do. 
• Clause 9.2.2(a) now says to define objectives for your internal audits, as well as criteria and scope. 
• Clause 9.3.2 now says that management review must include the long list of inputs, rather than just take them into consideration. You probably already do that. 
• Clause 9.3.2(c) now says that management review must review changes in the needs and expectations of your interested parties. This wasn’t required before, but you probably do it. 
• There are new notes added to several clauses: 6.1.2, 7.1.3, 8.2.1, 8.3.1, 8.3.3, and 8.5.1. But notes are just explanations, never requirements. 

That’s it. 

Again, it’s always possible something else could sneak into the document at the last minute. But the whole history of ISO says that’s unlikely at this late stage in the process. If you are already certified to ISO 9001:2015, the effort to upgrade to the new edition should be minimal. And if you aren’t certified yet, by all means join us!