4.1 Clause 8.1–8.2 — Operational Planning & Requirements for Products and Services
Key Takeaways
- Clause 8.1 requires the organization to plan, implement, and control processes by determining requirements, criteria, resources, and documented information needed for confidence.
- Unintended changes must trigger a documented review of their consequences, with action taken to mitigate any adverse effects.
- Clause 8.2.1 requires defined customer-communication processes covering enquiries, changes, feedback, complaints, customer property, and contingency actions.
- Clause 8.2.3 mandates review of requirements BEFORE committing to supply — verbal orders must be confirmed before acceptance, and review results must be documented.
- Auditors verify contract-review evidence is dated before production or acceptance, not retrofitted afterward as a paperwork exercise.
Where Clause 8 Sits in the Standard
Clause 8, "Operation," is where Plan (Clauses 4-7) turns into Do. It is the longest clause in ISO 9001:2015 and covers everything from planning the work through to handling nonconforming output. For a lead auditor, Clause 8 is where most of the physical and documented evidence lives - work orders, contracts, inspection records, production travelers - because this is the clause that touches the organization's actual product or service, not just its management system on paper. Auditors typically spend the largest share of on-site audit time here, which is consistent with the exam blueprint's own weighting toward "conducting the audit."
8.1 Operational Planning and Control
Clause 8.1 requires the organization to plan, implement, and control the processes needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6 (risks/opportunities, quality objectives, planning of changes). To do this, the organization must determine:
- Requirements for the products and services
- Criteria for the processes and for the acceptance of products and services
- Resources needed to achieve conformity (people, infrastructure, monitoring and measuring equipment - traceable back to Clause 7.1)
- How control will be implemented according to the criteria
- Documented information needed to have confidence the processes have been carried out as planned, and to demonstrate conformity of products and services to requirements
The output of this planning must be appropriate to the organization's operations. A low-risk, high-volume commodity process does not need the same depth of planning documentation as a complex, safety-critical build. This is an important auditor judgment call: 8.1 does not mandate a fixed set of documents; it mandates that planning outputs are sufficient to give confidence that the process will deliver a conforming result.
Two further requirements sit inside 8.1 that candidates often overlook:
- Planned changes must be controlled, and the organization must review the consequences of unintended changes, taking action to mitigate any adverse effects arising from them.
- The organization must control outsourced processes in accordance with 8.4 - 8.1 is the trigger clause that pulls externally provided processes into the operational-control net even though 8.4 does the detailed work.
Auditor evidence for 8.1: production plans, process flowcharts or route cards, work instructions, control plans, records of planned-change approval (e.g., engineering change orders), and evidence that an unintended change - an equipment breakdown, a substitute material, temporary staff - triggered a documented impact review rather than being absorbed silently into the process.
8.2 Requirements for Products and Services
8.2.1 Customer Communication
The organization must establish processes for communicating with customers on:
- Information relating to products and services
- Enquiries, contracts, or orders, including changes
- Obtaining customer feedback relevant to products and services, including customer complaints
- Handling or controlling customer property
- Specific requirements for contingency actions, when relevant
Auditors should trace a live customer file - quotation, order acknowledgement, any subsequent change - and confirm the same information reached everyone who needed it, including production, quality, and dispatch, not just the sales function that first received it.
8.2.2 Determining Requirements for Products and Services
Before offering products or services, the organization must ensure the requirements are defined, including:
- Any applicable statutory and regulatory requirements
- Requirements considered necessary by the organization itself, even when not stated by the customer (fitness for intended or specified use)
- That the organization can meet the claims it makes for the products or services it offers, including marketing material, datasheets, and catalogs
8.2.3 Review of Requirements for Products and Services
This is the sub-clause auditors probe hardest. Before committing to supply a product or service - accepting a contract or order, including any change to one - the organization must review:
| Review must confirm | Typical evidence |
|---|---|
| Requirements specified by the customer, including delivery and post-delivery activities | Signed order, contract review checklist |
| Requirements not stated by the customer but necessary for known or intended use | Engineering review notes |
| Requirements specified by the organization itself | Internal specification sign-off |
| Statutory and regulatory requirements applicable to the product/service | Compliance checklist |
| Contract or order requirements differing from those previously expressed | Amendment log, resolved-discrepancy record |
| That the organization can meet the defined requirements | Capacity or feasibility check |
The organization must retain documented information on the results of the review and on any new requirements for the products or services. Where the customer provides no documented statement of requirement - a verbal order, for example - the organization must confirm the requirements before acceptance. Under 8.2.4, when product or service requirements change, relevant documented information must be amended and relevant persons made aware of the changed requirements; this is a frequent finding site when a change is agreed with a customer by sales but never reaches the people actually doing the work.
Common nonconformity pattern: contract review is evidenced only after production has started - a checklist found completed in the file only at final inspection - rather than before commitment. Auditors should always check dates against the sequence of events: the review date must precede the acceptance or production-start date, never follow it, or the review has not actually controlled anything.
During a stage 2 audit, the lead auditor finds that a signed contract-review checklist is dated the day AFTER the customer order was accepted and production began. What does this most likely indicate?
A customer places a verbal order with no written specification. According to ISO 9001:2015 Clause 8.2.3, what must the organization do?