2.3 Clause 5.2–5.3 — Quality Policy, Roles, Responsibilities & Authorities
Key Takeaways
- Clause 5.2.1 requires the quality policy to be appropriate to the organization's context, provide a framework for quality objectives, and commit to satisfying requirements and continual improvement.
- Clause 5.2.2 requires the policy to be documented, communicated and understood within the organization, and available to relevant interested parties as appropriate.
- Clause 5.3 requires top management to assign five specific responsibilities and authorities (a through e), which can be distributed across multiple roles rather than concentrated in one management representative.
- A strong audit traces a single chain from the policy commitment (5.2) through measurable objectives (6.2) to assigned accountability and reporting (5.3), and tests whether that chain still holds after any recent restructuring.
Clauses 5.2 and 5.3 turn Clause 5.1's leadership commitments into two concrete, auditable artifacts: a quality policy that states what the organization is committing to, and a set of assigned roles, responsibilities, and authorities that make sure someone is accountable for delivering on that commitment. Both sub-clauses are short in the standard's text, but they generate some of the most frequently cited minor nonconformities in real certification audits — usually because organizations treat them as paperwork exercises rather than as the backbone connecting policy to day-to-day operation.
5.2.1 Establishing the Quality Policy
Top management must establish, implement, and maintain a quality policy that:
a) is appropriate to the purpose and context of the organization and supports its strategic direction b) provides a framework for setting quality objectives c) includes a commitment to satisfy applicable requirements d) includes a commitment to continual improvement of the quality management system
Notice what is not on this list: the policy does not need to contain numeric targets, a list of every product line, or a restatement of the organization's context analysis. What it must do is connect the organization's strategic direction to a commitment that gives quality objectives (Clause 6.2) somewhere to attach — item (b) is the direct bridge from Clause 5.2 into Clause 6.2, and an auditor should be able to trace it.
5.2.2 Communicating the Quality Policy
The quality policy itself must:
a) be available and maintained as documented information b) be communicated, understood, and applied within the organization c) be available to relevant interested parties, as appropriate
Sub-clause (b) is where many organizations fall short. A policy that is posted on an intranet page nobody reads, or displayed as a poster in a break room that new hires never notice, technically satisfies "available" but not "communicated, understood, and applied." An auditor verifies (b) primarily through staff interviews on the shop floor or in operational roles, not by reading the document itself — asking an employee, in their own words, what the organization is committed to and how their job connects to it is a far stronger test than asking whether they can locate the policy file.
Sub-clause (c) — availability to relevant interested parties, "as appropriate" — is a qualified requirement, and the qualifier matters for the exam. The standard does not require the policy to be published on a public website or handed to every customer unprompted; it requires the organization to have thought through which interested parties genuinely need access and to be able to provide it when appropriate. A regulator conducting a statutory inspection, a customer whose contract specifies quality-system disclosure, or a certification body auditor are all obvious candidates for "as appropriate" access; a competitor is not. An auditor testing 5.2.2(c) should ask how the organization would respond if a specific, relevant interested party requested the policy — not assume that "as appropriate" means "never."
Common Findings at Clause 5.2
| Finding | Why It Happens |
|---|---|
| Generic, templated policy wording with no link to the organization's actual context or strategic direction | Policy copied from a template or a previous certification without tailoring |
| Policy references an outdated legal entity name, address, or scope after a merger or restructuring | Policy not reviewed as part of change management |
| Staff on the shop floor cannot explain the policy's intent in their own words | Communication treated as a one-time induction event, not reinforced |
| Policy unavailable to a relevant interested party (e.g., a regulator requesting it, or a customer under contract) | 5.2.2(c) treated as internal-only by default |
A quality policy audit is rarely about the wording on the page — it is about whether the commitment in that wording is actually alive inside the organization's daily decisions. A useful discipline for a lead auditor is to read the policy once, in full, before the site visit, and then form two or three specific questions from it — for example, if the policy commits to "on-time delivery," ask a warehouse supervisor how that commitment shows up in their daily targets. If the answer is a blank stare, the policy is not satisfying 5.2.2(b), regardless of how well-crafted the document itself reads.
It is also worth being precise about what "appropriate to the context" in 5.2.1(a) actually tests. It does not require the policy to enumerate the organization's context analysis or interested-party list — it requires the commitment itself to make sense given the organization's actual situation. A one-site custom fabrication shop and a twelve-country software-as-a-service provider will reasonably have very differently worded policies; what an auditor checks is not conformity to a template, but whether the specific wording chosen actually reflects what that organization does and who it serves. A policy borrowed wholesale from an unrelated industry, or one that references activities the organization does not perform, fails 5.2.1(a) even if every other formal requirement (documented, framework for objectives, two required commitments) is technically present.
For exam purposes, keep 5.2.1 and 5.2.2 conceptually separate: 5.2.1 is about content — what the policy must say — while 5.2.2 is about treatment — how the policy must be documented, communicated, and made available. A question describing a policy with excellent, well-tailored wording that nobody on the shop floor has ever heard of is testing 5.2.2, not 5.2.1; the content could be perfect and the clause could still be breached purely on communication grounds.
5.3 Organizational Roles, Responsibilities & Authorities
Top management must ensure that responsibilities and authorities for relevant roles are assigned, communicated, and understood throughout the organization. Specifically, top management must assign responsibility and authority for:
a) ensuring the QMS conforms to the requirements of ISO 9001 b) ensuring the processes are delivering their intended outputs c) reporting on the performance of the QMS and on opportunities for improvement (in particular to top management, per Clause 6.1) d) ensuring the promotion of customer focus throughout the organization e) ensuring the integrity of the QMS is maintained when changes to the QMS are planned and implemented
This list is effectively what survives from the old ISO 9001:2008 management-representative job description — but instead of concentrating all five duties in one named individual, 2015 explicitly allows top management to distribute them across multiple roles, provided each duty has a clear, communicated owner. A mid-size manufacturer might assign (a) and (c) to a quality manager, (b) to individual process owners, (d) to a customer-experience or sales director, and (e) to a change-control board chaired by an operations director. That distribution is fully compliant — what an auditor checks is whether the assignment is actually documented, communicated, and understood, not whether it is concentrated in one person.
Audit Trails: From Policy to Objectives to Accountability
A strong Clause 5 audit connects three things in a single traceable chain:
- The quality policy (5.2) states a commitment — for example, to continual improvement and to meeting customer requirements
- Quality objectives (6.2), set within the framework the policy establishes, turn that commitment into measurable targets at relevant functions and levels
- Assigned responsibility and authority (5.3) — particularly item (c), reporting on QMS performance to top management — closes the loop, ensuring someone is accountable for tracking whether the objectives are actually being met and escalating when they are not
An auditor testing this chain might start at a shop-floor quality objective (say, a defect-rate target), ask who owns it, ask that person to show how it connects back to the stated policy commitment, and ask how performance against it gets reported upward. A break anywhere in that chain — an objective with no clear owner, a policy commitment with no corresponding objective, or a reporting responsibility that exists on paper but produces no actual reports reaching top management — is a legitimate audit finding.
Objective Evidence for Clause 5.3
Typical evidence a lead auditor should request and cross-check includes:
- Organization charts and RACI matrices showing who holds each of the five 5.3(a)–(e) duties
- Job descriptions or role charters that explicitly reference QMS responsibilities, not just operational duties
- Appointment letters or meeting minutes documenting when a responsibility was assigned or changed, especially after a restructuring
- Management review records showing that the person responsible for 5.3(c) reporting is actually presenting QMS performance data to top management, not merely attending
- Interview consistency — do different role-holders describe the same allocation of responsibility, or does the organization chart contradict what people say on the floor?
The single most revealing test of Clause 5.3 compliance is a simple one: after a recent restructuring, redundancy, or role change, can the organization show — with a document, not just an assertion — who currently owns each of the five duties? Organizations that pass this test comfortably almost always have a genuinely functioning accountability structure; organizations that struggle usually reveal a QMS that has quietly drifted out of alignment with the current org chart.
A Worked Example
Consider a mid-size logistics company where the quality manager holds 5.3(a) — ensuring the QMS conforms to ISO 9001 — and 5.3(c), reporting performance to top management. Regional operations managers hold 5.3(b) for their own depots, each accountable for their depot's processes delivering intended outputs. The sales director holds 5.3(d), promoting customer focus across the commercial team. A change-advisory board, chaired by the operations director and including IT and quality representatives, holds 5.3(e), reviewing any proposed change to systems or procedures for its effect on QMS integrity before implementation. During an audit, a lead auditor could reasonably interview a regional operations manager and ask them to describe, unprompted, what "5.3(b) responsibility" means for their depot in their own words — a strong answer references specific processes, specific performance criteria, and how they escalate when a process is not delivering.
This kind of distributed model is exactly what ISO 9001:2015 intends, and it is often a better fit for larger organizations than concentrating everything in one management representative, precisely because it puts accountability closest to where the process actually happens. The audit risk is not in the distribution itself, but in gaps at the seams — a duty nobody realizes they still own after a reorganization, or two people who both believe someone else is covering 5.3(e) for a particular system change. Testing those seams, not just confirming a chart exists, is where Clause 5.3 auditing earns its value.
For exam purposes, remember that 5.3's five duties (a)–(e) are a closed list — the standard is specific about what top management must assign, and a candidate should be able to recall all five rather than treating 5.3 as a vague "assign some roles" requirement. Scenario questions frequently isolate a single duty (most often (b), process outputs, or (e), change integrity) and ask which specific sub-clause is at risk, exactly as illustrated in the quiz that follows.
Which of the following is a required content element of the quality policy under Clause 5.2.1?
During a recertification audit, an auditor reviews organizational charts and finds that the Quality Manager's job description clearly assigns responsibility for reporting QMS performance to top management. However, a recent restructuring eliminated several process-owner positions, and no one can identify who is now responsible for several core operational processes meeting their targets. Which Clause 5.3 requirement is most directly at risk of nonconformity?