4.1 Clause 8.1–8.2 — Operational Planning & Requirements for Products and Services

Key Takeaways

  • Clause 8.1 requires the organization to plan, implement, and control processes by determining requirements, criteria, resources, and documented information needed for confidence.
  • Unintended changes must trigger a documented review of their consequences, with action taken to mitigate any adverse effects.
  • Clause 8.2.1 requires defined customer-communication processes covering enquiries, changes, feedback, complaints, customer property, and contingency actions.
  • Clause 8.2.3 mandates review of requirements BEFORE committing to supply — verbal orders must be confirmed before acceptance, and review results must be documented.
  • Auditors verify contract-review evidence is dated before production or acceptance, not retrofitted afterward as a paperwork exercise.
Last updated: July 2026

Where Clause 8 Sits in the Standard

Clause 8, "Operation," is where Plan (Clauses 4-7) turns into Do. It is the longest clause in ISO 9001:2015 and covers everything from planning the work through to handling nonconforming output. For a lead auditor, Clause 8 is where most of the physical and documented evidence lives - work orders, contracts, inspection records, production travelers - because this is the clause that touches the organization's actual product or service, not just its management system on paper. Auditors typically spend the largest share of on-site audit time here, which is consistent with the exam blueprint's own weighting toward "conducting the audit."

8.1 Operational Planning and Control

Clause 8.1 requires the organization to plan, implement, and control the processes needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6 (risks/opportunities, quality objectives, planning of changes). To do this, the organization must determine:

  • Requirements for the products and services
  • Criteria for the processes and for the acceptance of products and services
  • Resources needed to achieve conformity (people, infrastructure, monitoring and measuring equipment - traceable back to Clause 7.1)
  • How control will be implemented according to the criteria
  • Documented information needed to have confidence the processes have been carried out as planned, and to demonstrate conformity of products and services to requirements

The output of this planning must be appropriate to the organization's operations. A low-risk, high-volume commodity process does not need the same depth of planning documentation as a complex, safety-critical build. This is an important auditor judgment call: 8.1 does not mandate a fixed set of documents; it mandates that planning outputs are sufficient to give confidence that the process will deliver a conforming result.

Two further requirements sit inside 8.1 that candidates often overlook:

  • Planned changes must be controlled, and the organization must review the consequences of unintended changes, taking action to mitigate any adverse effects arising from them.
  • The organization must control outsourced processes in accordance with 8.4 - 8.1 is the trigger clause that pulls externally provided processes into the operational-control net even though 8.4 does the detailed work.

Auditor evidence for 8.1: production plans, process flowcharts or route cards, work instructions, control plans, records of planned-change approval (e.g., engineering change orders), and evidence that an unintended change - an equipment breakdown, a substitute material, temporary staff - triggered a documented impact review rather than being absorbed silently into the process.

8.2 Requirements for Products and Services

8.2.1 Customer Communication

The organization must establish processes for communicating with customers on:

  • Information relating to products and services
  • Enquiries, contracts, or orders, including changes
  • Obtaining customer feedback relevant to products and services, including customer complaints
  • Handling or controlling customer property
  • Specific requirements for contingency actions, when relevant

Auditors should trace a live customer file - quotation, order acknowledgement, any subsequent change - and confirm the same information reached everyone who needed it, including production, quality, and dispatch, not just the sales function that first received it.

8.2.2 Determining Requirements for Products and Services

Before offering products or services, the organization must ensure the requirements are defined, including:

  1. Any applicable statutory and regulatory requirements
  2. Requirements considered necessary by the organization itself, even when not stated by the customer (fitness for intended or specified use)
  3. That the organization can meet the claims it makes for the products or services it offers, including marketing material, datasheets, and catalogs

8.2.3 Review of Requirements for Products and Services

This is the sub-clause auditors probe hardest. Before committing to supply a product or service - accepting a contract or order, including any change to one - the organization must review:

Review must confirmTypical evidence
Requirements specified by the customer, including delivery and post-delivery activitiesSigned order, contract review checklist
Requirements not stated by the customer but necessary for known or intended useEngineering review notes
Requirements specified by the organization itselfInternal specification sign-off
Statutory and regulatory requirements applicable to the product/serviceCompliance checklist
Contract or order requirements differing from those previously expressedAmendment log, resolved-discrepancy record
That the organization can meet the defined requirementsCapacity or feasibility check

The organization must retain documented information on the results of the review and on any new requirements for the products or services. Where the customer provides no documented statement of requirement - a verbal order, for example - the organization must confirm the requirements before acceptance. Under 8.2.4, when product or service requirements change, relevant documented information must be amended and relevant persons made aware of the changed requirements; this is a frequent finding site when a change is agreed with a customer by sales but never reaches the people actually doing the work.

Common nonconformity pattern: contract review is evidenced only after production has started - a checklist found completed in the file only at final inspection - rather than before commitment. Auditors should always check dates against the sequence of events: the review date must precede the acceptance or production-start date, never follow it, or the review has not actually controlled anything.

Test Your Knowledge

During a stage 2 audit, the lead auditor finds that a signed contract-review checklist is dated the day AFTER the customer order was accepted and production began. What does this most likely indicate?

A
B
C
D
Test Your Knowledge

A customer places a verbal order with no written specification. According to ISO 9001:2015 Clause 8.2.3, what must the organization do?

A
B
C
D