3.1 Clause 6 — Planning

Key Takeaways

  • Clause 6.1 requires organizations to determine risks and opportunities from their Clause 4.1/4.2 context and plan proportionate actions — but ISO 9001:2015 does not require a documented risk-management process or formal risk register
  • Clause 6.2 quality objectives must be consistent with policy, measurable where practicable, monitored, communicated, and updated, with documented information retained as mandatory evidence
  • Planning to achieve an objective must define what, what resources, who, when, and how results will be evaluated — an objective missing any of these is a common audit finding
  • Clause 6.3 governs planned changes to the QMS itself (distinct from Clause 8.5.6 production changes), requiring consideration of purpose, consequences, QMS integrity, resources, and responsibilities
Last updated: July 2026

6.1 Actions to Address Risks and Opportunities

When an organization plans its quality management system, Clause 6.1 requires it to look back at the context it established in Clause 4.1 (internal and external issues) and Clause 4.2 (needs and expectations of interested parties) and decide what risks and opportunities need to be addressed. The purpose is to give the QMS assurance that it can achieve its intended results, to enhance desirable effects, to prevent or reduce undesired effects, and to achieve improvement.

Once risks and opportunities are identified, the organization must plan actions to address them and describe how those actions will be integrated into the QMS processes and evaluated for effectiveness. Critically for an auditor, ISO 9001 requires the actions taken to be proportionate to the potential impact on conformity of products and services — a small retailer and an aerospace manufacturer will treat the same category of risk very differently, and both can be compliant.

The standard lists several options for addressing risk, and an auditee should be able to explain which option they chose and why:

  • Avoiding the risk
  • Taking the risk in order to pursue an opportunity
  • Eliminating the risk source
  • Changing the likelihood or consequences
  • Sharing the risk (e.g., through insurance or partnering)
  • Retaining the risk by an informed decision

A point every lead auditor must know cold: ISO 9001:2015 does not require a documented risk-management process, a formal risk register, or methods borrowed from ISO 31000. A footnote to 6.1 states explicitly that the organization is not obliged to run a formal risk-management program. Many organizations keep a risk register anyway because it is a convenient way to demonstrate compliance, but its absence is not, by itself, a nonconformity — the auditor must instead look for objective evidence that risk-based thinking has genuinely influenced planning, whether that evidence lives in a register, meeting minutes, a SWOT analysis, or process FMEAs.

6.2 Quality Objectives and Planning to Achieve Them

Clause 6.2 requires the organization to establish quality objectives at relevant functions, levels, and processes needed for the QMS. These are not aspirational slogans; ISO 9001 sets six specific requirements for what a quality objective must be:

RequirementWhat the auditor checks
Consistent with the quality policyObjective traces back to a policy commitment
Measurable (where practicable)A number, rate, or verifiable state, not a vague aspiration
Takes account of applicable requirementsReflects statutory, regulatory, or customer requirements
Relevant to conformity and customer satisfactionConnects to product/service quality or the customer experience
MonitoredThere is a tracking mechanism — dashboard, KPI report, review log
CommunicatedRelevant staff know the objective exists and their part in it
Updated as appropriateObjectives are revisited, not frozen at certification

The organization must also retain documented information on the quality objectives — this is one of the mandatory documented-information requirements in the standard, so a lead auditor should always ask to see it rather than accept a verbal description.

When planning how to achieve an objective, Clause 6.2.2 requires the organization to determine five things, which map neatly onto a lead auditor's follow-up questions: what will be done; what resources will be required; who will be responsible; when it will be completed; and how the results will be evaluated. An objective with a target but no owner, no resource commitment, and no evaluation method is a classic finding — the objective exists on paper but there is no credible plan to achieve it.

6.3 Planning of Changes

Clause 6.3 governs planned changes to the QMS itself — for example, adding a new process, restructuring a department, or changing the scope of certification. This is a different requirement from Clause 8.5.6, which controls changes to production or service provision; auditors frequently need to distinguish the two, and confusing them is a common candidate error on the exam.

When the organization determines a need for change, Clause 4.4 requires the change to be carried out in a planned manner, considering:

  • The purpose of the changes and their potential consequences
  • The integrity of the quality management system
  • The availability of resources
  • The allocation or reallocation of responsibilities and authorities

For a lead auditor, evidence of Clause 6 compliance typically includes a risk/opportunity log or equivalent records showing risks were identified and treated proportionately; a documented set of quality objectives with targets, owners, timelines, and resources; monitoring records (dashboards, meeting minutes, KPI trend reports) showing objectives are actually tracked; and records of significant QMS changes with an impact assessment covering resourcing and responsibilities. When auditing this clause, resist accepting objectives that are simply restated policy statements ("we will delight our customers") — press for the measurable target and the plan behind it, and check that risk treatment is proportionate rather than either absent or excessively bureaucratic for the size of the organization.

A common exam trap is confusing Clause 6.3 with Clause 8.5.6. Both deal with "change," but 6.3 concerns changes to the management system — a new process, a reorganized department, a revised scope of certification — while 8.5.6 concerns changes to production or service provision on the shop floor, such as a revised work instruction or a new supplier for a critical component. A lead auditor should also expect a natural link forward into later clauses: quality objectives set here under 6.2 are the very things Clause 9.1 monitors and measures, and Clause 9.3 management review evaluates their status — so a weak or untraceable objective at 6.2 tends to surface again as a gap when the audit trail reaches performance evaluation.

Test Your Knowledge

An ISO 9001:2015 lead auditor is reviewing how an organization addresses risks and opportunities under Clause 6.1. The organization has no formal risk register and no documented risk-management methodology, but can clearly explain in interviews how risk thinking shaped its process design. What should the auditor conclude?

A
B
C
D