ISO 9001:2008 Gap Analysis

A sample section from our 32-page ISO 9001:2008 checklist is shown on the next page.

You can order the complete electronic Word file by sending a check for $50.00 to Whittington & Associates, 242 Highlands Drive, Woodstock, GA 30188.

Please call 770-517-7944 (or email ) if you have any questions. The file will be transmitted upon receipt of your payment (or a purchase order number). Credit card orders are not accepted.


Company: ______
Contact: ______
Email: ______
Telephone: ______Fax: ______
Scope: ______
Auditor: ______Date: ______
This checklist can be used to evaluate the conformity level of your quality management system against the requirements of the ISO 9001:2008 standard.
Additional criteria for the quality management system may be specified in customer contracts, regulatory documents, and in the organization’s own quality manual, plans, procedures, and instructions, but are not considered during the gap analysis. All these requirements must be addressed in your internal audits.
Process Owners
First, identify the process owners and their managers in the Process Owner table.
Process Matrix
Next, identify for each row of the Process Matrix, the process areas with Primary responsibility (owner) and Secondary responsibility (user). Use an X for a requirement that is not applicable for a process area. Each row should have a P assigned. Avoid, if possible, multiple primary responsibilities in a single row.
Gap Checklist
The gap checklist is used to assess the process areas with Primary responsibility for the applicable requirements. Indicate under the Status column a C for Conformity with all the clause requirements. Indicate P for Partial conformity and N if a Nonconformity.
Conformity Level
Interviews during the gap analysis are with the process owners with Primary responsibility for the applicable requirements. Users of the process (Secondary responsibility) are not interviewed. Their conformity level will be assessed in later internal audits after the system is fully implemented.
After completing the checklist for each clause, indicate the conformity level for each row in the Process Matrix as Green for conforming, Yellow for partial conformity, and Red for nonconformity.
Process owners will be responsible for writing any documents, and adding any practices, necessary to achieve complete conformity with the requirements. It should be expected that organizations just beginning their implementation of an ISO 9001:2008-based quality management system will have few green areas.
The Process Diagram (see next page) can be used to help process owners better understand their process in terms of inputs, resources, methods, measures, and outputs, along with documents and records. The diagram can also be used to help develop any procedures needed for the processes.

Process Owners

Process Area
(department) / Process Manager
(owns process) / (reports to)
Management Owner
01.
02.
03.
04.
05.
06.
07.
08.
09.
10.
11.
12.
13.
14.
15.

Process Matrix

P = Primary Responsibility (Owner) / S = Secondary Responsibility (User) / X = Not Applicable
Green = Conforming / Yellow = Partial / Red = Nonconformity
Clause / ISO 9001:2008 Requirements / Process Areas
01 / 02 / 03 / 04 / 05 / 06 / 07 / 08 / 09 / 10 / 11 / 12 / 13 / 14 / 15
4. Quality Management System
4.1 / General Requirements
4.2 / Documentation Requirements
4.2.1 / General
4.2.2 / Quality Manual
4.2.3 / Control of Documents
4.2.4 / Control of Records
5. Management Responsibility
5.1 / Management Commitment
5.2 / Customer Focus
5.3 / Quality Policy
5.4 / Planning
5.4.1 / Quality Objectives
5.4.2 / Quality Management System Planning
5.5 / Responsibility, Authority, Communication
5.5.1 / Responsibility and Authority
5.5.2 / Management Representative
5.5.3 / Internal Communication
5.6 / Management Review
5.6.1 / General
5.6.2 / Review Input
5.6.3 / Review Output
P = Primary Responsibility (Owner) / S = Secondary Responsibility (User) / X = Not Applicable
Green = Conforming / Yellow = Partial / Red = Nonconformity
Clause / ISO 9001:2008 Requirements / Process Areas
01 / 02 / 03 / 04 / 05 / 06 / 07 / 08 / 09 / 10 / 11 / 12 / 13 / 14 / 15
6. Resource Management
6.1 / Provision of Resources
6.2 / Human Resources
6.2.1 / General
6.2.2 / Competence, Training, and Awareness
6.3 / Infrastructure
6.4 / Work Environment
7. Product Realization
7.1 / Planning of Product Realization
7.2 / Customer-Related Processes
7.2.1 / Determination of Product Requirements
7.2.2 / Review of Product Requirements
7.2.3 / Customer Communication
7.3 / Design and Development
7.3.1 / Design and Development Planning
7.3.2 / Design and Development Inputs
7.3.3 / Design and Development Outputs
7.3.4 / Design and Development Review
7.3.5 / Design and Development Verification
7.3.6 / Design and Development Validation
7.3.7 / Control of Design Changes
7.4 / Purchasing
7.4.1 / Purchasing Process
7.4.2 / Purchasing Information
7.4.3 / Verification of Purchased Product
7.5 / Production and Service Provision
7.5.1 / Control of Production and Service
7.5.2 / Validation of Processes
7.5.3 / Identification and Traceability
7.5.4 / Customer Property
7.5.5 / Preservation of Product
7.6 / Control of Measuring Equipment
8. Measurement, Analysis, and Improvement
8.1 / Measurement, Analysis, Improvement
8.2 / Monitoring and Measurement
8.2.1 / Customer Satisfaction
8.2.2 / Internal Audit
8.2.3 / Process Monitoring and Measurement
8.2.4 / Product Monitoring and Measurement
8.3 / Control of Nonconforming Product
8.4 / Analysis of Data
8.5 / Improvement
8.5.1 / Continual Improvement
8.5.2 / Corrective Action
8.5.3 / Preventive Action
PROCESS NAME: / PROCESS DIAGRAM

Process Owner:
Worksheet Number:
Auditor Name:
Report Number and Date:
PROCESS
(Main Activities) / ENVIRONMENT
(Workplace Needs)
1. INPUTS
(What Received, When, and from Whom) / 2. OUTPUTS
(What Delivered, When, and to Whom)
3. WHAT - Resources
(Equipment, Materials, and Tools) / 4. WHO - Resources
(People, Skills, and Experience)
5. METHODS
(Procedures, Instructions, and Controls) / 6. MEASURES
(Performance Results and Objectives)
DOCUMENTS
(Any Documents Not Listed Under Methods) / RECORDS
(Records Generated by the Process)

4. Quality Management System

4.1 General Requirements

C = Conformity / P = Partial Conformity / N = Nonconformity

ISO 9001

Clause

/ ISO 9001:2008 Requirements / Status
(C-P-N)
4.1 / Has the organization established, documented, implemented, and maintained a quality management system and continually improved its effectiveness in accordance with the ISO 9001 requirements?
Refer to clause 5.4.2 (a) for planning to meet these requirements.
4.1
4.1.a / Has the organization:
a) determined the processes needed for the quality management system and their application throughout the organization? See ISO 9001 clause 1.2.
4.1.b / b) determined the sequence and interaction of these processes?
Refer to ISO clause 4.2.2.c on the description required in the quality manual. / .
4.1.c / c) determined criteria and methods needed to ensure that both the operation and control of these processes are effective?
4.1.d / d) ensured the availability of resources and information necessary to support the operation and monitoring of these processes?
4.1.e / e) monitored, measured where applicable, and analyzed these processes?
4.1.f / f) implemented the actions necessary to achieve the planned results and continual improvement of these processes?
4.1 / Are these processes managed in accordance with the ISO 9001 requirements?
Note 1 / Processes needed for the quality management system should include processes for management activities, provision of resources, product realization, measurement, analysis, and improvement.
4.1 / Has the organization ensured control over any outsourced processes that affect product conformity with requirements?
4.1 / Has the type and extent of control of these outsourced processes been defined within the quality management system?

4.1 General Requirements (continued)

ISO 9001

Clause

/ ISO 9001:2008 Requirements / Status
(C-P-N)
Note 2 /
An outsourced process is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party.
Note 3 / Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory, and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as:
a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements,
b) the degree to which the control for the process is shared;
c) the capability of achieving the necessary control through the application of clause 7.4.

4.2 Documentation Requirements

4.2.1 General

ISO 9001

Clause

/ ISO 9001:2008 Requirements / Status
(C-P-N)
4.2.1
4.2.1.a / Does the quality management system documentation include:
a) documented statements of quality policy and quality objectives?
4.2.1.b / b) a quality manual?
4.2.1.c / c) documented procedures and records required by ISO 9001?
(See clauses 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, and 8.5.3 for documented procedures)
4.2.1.d / d) documents, including records determined by the organization to be necessary to ensure the effective planning, operation, and control of its processes?
Note 1 /
Where the term “documented procedure” appears within ISO 9001, this means that the procedure is established, documented, implemented, and maintained. A single document may include the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.
Note 2 / The extent of quality management system documentation can differ between organizations due to:
a) size of organization and type of activities,
b) complexity of processes and their interactions, and
c) competence of personnel.

4.2.1 General (continued)

ISO 9001

Clause

/ ISO 9001:2008 Requirements / Status
(C-P-N)
Note 3 / The documentation can be in any form or type of medium.

4.2.2 Quality Manual

ISO 9001

Clause

/ ISO 9001:2008 Requirements / Status
(C-P-N)
4.2.2
4.2.2.a / Has the organization established and maintained a quality manual that includes:
a) scope of the quality management system, including details of, and justification for, any exclusions? (see ISO 9001 clause 1.2)
4.2.2.b / b) documented procedures established for the quality management system, or reference to them?
4.2.2.c / c) description of the interaction between processes of the quality management system?

4.2.3 Control of Documents

ISO 9001

Clause

/ ISO 9001:2008 Requirements / Status
(C-P-N)
4.2.3 / Are the documents required by the quality management system controlled?
4.2.3 / Are records (a special type of document) controlled according to the requirements given in 4.2.4?
4.2.3 / Has a documented procedure been established to control documents?
4.2.3.a / Does the documented procedure define the controls to:
a) approve documents for adequacy prior to issue?
4.2.3.b / b) review, and update as necessary, and re-approve documents?
4.2.3.c / c) ensure that changes and the current revision status of documents are identified?

4.2.3 Control of Documents (continued)

ISO 9001

Clause

/ ISO 9001:2008 Requirements / Status
(C-P-N)
4.2.3.d / d) ensure that relevant versions of applicable documents are available at points of use?
4.2.3.e / e) ensure that documents remain legible and readily identifiable?
4.2.3.f / f) ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled?
4.2.3.g / g) prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose?

4.2.4 Control of Records

ISO 9001

Clause

/ ISO 9001:2008 Requirements / Status
(C-P-N)
4.2.4 / Are records established and controlled to provide evidence of conformity to requirements and of the effective operation of the quality management system?
4.2.4 / Has a documented procedure been established for controlling records?
4.2.4 / Does the documented procedure define the controls needed for the:
Identification of records?
4.2.4 / Storage of records?
4.2.4 / Protection of records?
4.2.4 / Retrieval of records?
4.2.4 / Retention time of records?
4.2.4 / Disposition of records?
4.2.4 / Are records kept legible, readily identifiable, and retrievable?

Revision 6: 11/17/08© 2000-2008 Whittington & Associates, LLCPage 1of 32