Call Today! (800) 244-5409

July 2026

How to Choose an ISO Consultant: 8 Questions to Ask

How to Choose an ISO Consultant: 8 Questions to Ask

Hiring an ISO consultant is one of those decisions that looks simple until you start comparing proposals. Two firms quote wildly different prices for what sounds like the same work. One promises certification in 90 days; another says six months. One sends a polished template package; another wants to spend a week walking your floor before writing a word.

The difference between a good consultant and a bad one rarely shows up in the sales pitch. It shows up eight months later, when your registrar auditor opens a manual that reads like it belongs to another company, or when your “certified” management system quietly falls apart because nobody in-house ever understood it.

This is a buyer’s guide, not a sales page. The eight questions below are the ones that actually separate consultants who will get you certified and leave you stronger from the ones who will sell you a binder. Ask all of them before you sign anything.


1. Have you implemented this exact standard in my industry?

“ISO experience” is not a monolith. ISO 9001 for a machine shop, ISO 13485 for a medical device manufacturer, AS9100 for an aerospace supplier, and ISO/IEC 27001 for a software company share a common backbone, but the risks, the documentation auditors expect, and the failure points are completely different.

A consultant who has run twenty ISO 9001 projects but has never touched ISO 13485 will learn your regulatory environment on your dime. Ask specifically: how many organizations like mine, implementing this specific standard, have you taken through certification? Vague answers about “decades in quality” are a warning sign. You want a number and a few examples.

If you operate under a sector scheme such as AS9100 or IATF 16949, this question matters even more. Those standards layer industry-specific requirements on top of ISO 9001, and a generalist will miss them.

2. What is your first-audit pass rate?

The whole point of hiring a consultant is to get certified on the first attempt. A failed certification audit, or a stage 2 audit that closes with a pile of major nonconformities, costs you re-audit fees, months of delay, and internal credibility.

Ask directly: of the clients you have guided through a full implementation, how many passed their initial registrar audit? A confident firm will answer without flinching. At QRC, clients who use the full-service implementation program consistently achieve certification on their first registrar audit, and that track record is exactly the kind of claim you should ask any consultant to back up with specifics.

Be reasonably skeptical of anyone who claims a literal 100% with no context. Ask what happens if you don’t pass, and get the answer in writing.

3. Who actually does the work: the person in the room, or a junior behind them?

Consulting firms sometimes win the contract with a seasoned expert and then hand delivery to a junior associate you never met in the sales meeting. The senior name on the proposal shows up for the kickoff call and disappears.

Ask who will be on-site or on your calls week to week, what their background is, and whether that person stays with you through certification. Continuity matters. An implementation is a relationship built over months, and swapping consultants midway forces you to re-explain your operation every time.

4. Do you write from templates, or do you build the system around how we actually work?

This is the single biggest red flag to watch for. Template mills sell the same quality manual to every client, change the logo, and call it a management system. The document set looks complete, but it describes a company that isn’t yours. Auditors spot the mismatch immediately, and worse, your team can’t follow procedures that don’t reflect reality.

A good consultant starts with a gap analysis: they look at what you already do, compare it to the standard, and build documentation around your real processes. Templates are a fine starting skeleton. They should never be the finished product. Ask to see a redacted example of a manual they produced for a company in your sector and judge how tailored it looks.

5. Who owns the documentation when the engagement ends?

You would be surprised how often this comes up too late. Some consultants keep your quality manual, procedures, and forms in their own proprietary system or make the “living” versions dependent on their continued involvement. When you try to leave, you discover you can’t easily take your own management system with you.

Insist on a clear answer: you own every document, in an editable format, with no strings attached. A legitimate consultant wants you self-sufficient. Ownership of your ISO documentation should never be a bargaining chip.

6. What happens after we’re certified?

Certification is the starting line, not the finish. ISO certificates run on a three-year cycle with annual surveillance audits, and your system has to keep breathing the whole time: internal audits, management reviews, corrective actions, and updates as your business changes.

Ask whether the consultant offers post-certification support and internal auditor training so your own team can carry the system forward. A consultant who is only interested in the initial implementation and vanishes at certification leaves you exposed at your first surveillance audit. The best engagements aim to make you independent while remaining available when you need a check-in.

7. How do you use AI, and where does a human stay accountable?

This is a newer question, and a fair one to ask in 2026. AI tooling can genuinely accelerate the mechanical parts of an ISO project: drafting first-pass documentation, cross-referencing clauses during a gap analysis, flagging inconsistencies before an audit, and monitoring compliance between reviews.

The right answer is that AI speeds up the tedious work while a veteran consultant reviews, tailors, and stands behind every deliverable. The wrong answer is either “we don’t use it at all” (you may be paying for slow manual work) or “AI writes your whole manual” (nobody accountable, and auditors will notice the generic output). QRC’s approach pairs experienced ISO consultants with AI tooling so the drafting moves faster, but a human expert owns the result. Ask any firm to be specific about where the machine helps and where a person signs off.

8. How do you price the work, and what isn’t included?

ISO consulting is priced in a few common ways: fixed project fee, monthly retainer, hourly, or per-deliverable. None is automatically better, but each hides different risks. Fixed-fee protects you from overruns but can tempt a consultant to cut corners. Hourly aligns effort but can balloon. Retainers are predictable but can drift on indefinitely.

What matters is knowing the total cost and what falls outside it. Ask what is not included: registrar fees (which you always pay separately to the certification body, never to the consultant), travel, extra revision rounds, training, or surveillance support. Get the scope in writing. A firm that gives you a clear, itemized answer respects your budget; one that stays vague is setting up a change order later.


Frequently Asked Questions

How much does an ISO consultant cost?

Costs vary widely by standard, company size, and how much of your system already exists. Small ISO 9001 implementations can run a few thousand dollars in consulting fees; larger or multi-site programs, or sector standards like AS9100 and ISO 13485, cost more. Always confirm that registrar (certification body) fees are separate from consulting fees, and ask for an itemized scope before comparing quotes.

How long does ISO 9001 certification take with a consultant?

A typical full ISO 9001 implementation runs about five to seven months from kickoff to certification audit, depending on your starting point, company size, and how quickly your team can dedicate time to the project. A good consultant will give you a realistic timeline after a gap analysis, not a number pulled from a sales script.

Can’t I just do ISO certification myself without a consultant?

You can, and some organizations do. The trade-off is time and risk: self-implementation usually takes longer, and first-audit failures are more common when nobody on the team has run a certification before. A consultant is worth it when the cost of delay, a failed audit, or an internal team that can’t spare the hours outweighs the fee.

What’s the biggest red flag when hiring an ISO consultant?

Generic, template-only documentation. If a consultant hands you a quality manual that could belong to any company and never invested time understanding how you actually operate, both your auditor and your own staff will struggle with it. Insist on a system built around your real processes.


QRC has helped more than 1,000 organizations implement ISO-compliant management systems since 1993, and every engagement is led by a veteran consultant who stays accountable for the result. If you’re weighing your options, learn more about our team or explore our full range of ISO consulting services, then call us with your questions before you sign with anyone.

Call (800) 244-5409
Local: (408) 371-9995
Contact Us

ISO 45001 vs OHSAS 18001: What Changed and Why It Still Matters

ISO 45001 vs OHSAS 18001: What Changed and Why It Still Matters

If your occupational health and safety management system still traces its DNA back to OHSAS 18001, it is time for a candid conversation. OHSAS 18001 was formally withdrawn in September 2021. The transition standard, ISO 45001, is now the only internationally recognized standard for occupational health and safety management, and any organization still operating an OHSAS-era system is working from a framework that no longer exists in the eyes of registrars, customers, and regulators.

The difference between ISO 45001 and OHSAS 18001 is more than a change of name and number. ISO 45001 rebuilt the standard on a modern structure, elevated the role of leadership, made worker participation a formal requirement, and shifted the entire mindset from reacting to hazards toward proactively managing risk. This article walks through what actually changed, why those changes matter, and what companies still running legacy safety systems should do next.


The short history: how OHSAS 18001 gave way to ISO 45001

OHSAS 18001 was first published in 1999 and revised in 2007. For nearly two decades it was the default benchmark for occupational health and safety management, but it was never a true ISO standard. It was developed by a consortium of national standards bodies and certification organizations to fill a gap that ISO had not yet addressed.

ISO 45001 was published in March 2018 as the first genuine ISO standard for occupational health and safety. Organizations certified to OHSAS 18001 were given a migration window to transition. That window closed in September 2021, when OHSAS 18001 was officially withdrawn. Certificates issued against it are no longer valid, and accredited registrars no longer audit against it.

In practical terms, an OHSAS 18001 certificate today carries no accredited standing. If your safety system was built around that standard and has not been updated, you are running a management system that the certification world has retired.


Annex SL: the structural change under the hood

The most fundamental difference between ISO 45001 and OHSAS 18001 is invisible on the surface but shapes everything above it. ISO 45001 is built on Annex SL, the common high-level structure that ISO now uses across its major management system standards, including ISO 9001 for quality and ISO 14001 for environmental management.

Annex SL organizes every standard around the same ten clauses: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement, among others. OHSAS 18001 used its own older structure that did not align with these standards.

Why does this matter? Because most organizations do not run a single management system in isolation. A manufacturer might hold ISO 9001, ISO 14001, and ISO 45001 at the same time. Under the shared Annex SL structure, those systems can be integrated into one coherent framework rather than three disconnected sets of binders. Common clauses mean common processes for document control, internal audits, management review, and corrective action. That integration reduces duplication, lowers the cost of maintaining certification, and makes audits considerably less painful. If you already run an ISO 9001 quality system, aligning safety under the same structure is far easier than it was under OHSAS 18001.


Leadership: safety moves into the boardroom

OHSAS 18001 allowed organizations to delegate safety to a management representative, often a single safety officer who owned the system and answered for it. ISO 45001 removed that escape hatch.

Under ISO 45001, top management is explicitly accountable for the effectiveness of the occupational health and safety management system. Leadership must demonstrate commitment, integrate safety requirements into core business processes, provide the resources the system needs, and take an active role in directing and supporting it. Safety is no longer a compliance function parked in a corner of the org chart. It is a leadership responsibility woven into how the business is run.

This shift reflects a hard-won lesson from decades of workplace incidents: safety cultures succeed or fail based on what leadership visibly prioritizes. When executives own safety outcomes, the rest of the organization follows. When safety is delegated and forgotten, gaps appear.


Worker participation: the people doing the work get a formal voice

One of the most significant additions in ISO 45001 is the requirement for genuine worker participation and consultation. OHSAS 18001 touched on consultation, but ISO 45001 makes it a structural requirement rather than an afterthought.

The reasoning is straightforward. The people performing a task usually understand its hazards better than anyone reviewing it from a desk. ISO 45001 requires organizations to consult workers when identifying hazards, assessing risks, and determining controls, and to actively remove barriers that discourage them from participating, including fear of reprisal, language differences, and lack of time.

For non-managerial workers in particular, the standard calls for meaningful involvement in decisions that affect their safety. This is not a box to tick. Auditors will look for evidence that workers genuinely contribute to the system and that their input shapes real decisions.


Risk versus hazard: a shift in mindset

Perhaps the deepest conceptual change is how ISO 45001 frames the goal of the system. OHSAS 18001 was largely hazard-focused and reactive. It concentrated on identifying hazards and controlling them, often after an incident had already revealed the gap.

ISO 45001 is risk-based and proactive. It asks organizations to think in terms of both risks and opportunities, and to understand the broader context in which the organization operates before deciding how to act. That means considering the needs and expectations of workers and other interested parties, anticipating how changes in the business could introduce new risks, and building prevention into planning rather than bolting controls on afterward.

This risk-based thinking mirrors the approach ISO 9001 introduced for quality management. Instead of documenting a fixed set of procedures and hoping they cover every scenario, the organization continually evaluates where things could go wrong and directs its attention accordingly. The result is a safety system that adapts as the business changes rather than one that only responds after something has already gone wrong.


A side-by-side summary

  • Status: OHSAS 18001 was withdrawn in September 2021. ISO 45001 is the only recognized international standard for occupational health and safety.
  • Structure: OHSAS 18001 used its own older format. ISO 45001 uses the Annex SL high-level structure shared with ISO 9001 and ISO 14001, enabling integrated management systems.
  • Leadership: OHSAS 18001 permitted delegation to a management representative. ISO 45001 holds top management directly accountable.
  • Worker involvement: OHSAS 18001 mentioned consultation. ISO 45001 requires formal worker participation and the removal of barriers to it.
  • Orientation: OHSAS 18001 was hazard-focused and reactive. ISO 45001 is risk-based, proactive, and context-aware.

What companies on legacy OHSAS-style systems should do now

If your organization never formally migrated to ISO 45001, or if your safety system still looks and feels like an OHSAS 18001 program, the practical path forward is clear.

Start with an honest gap analysis. Compare your current safety documentation and practices against the requirements of ISO 45001, clause by clause. In most legacy systems, the biggest gaps show up in the newer requirements: understanding organizational context, demonstrating active leadership involvement, documenting worker consultation, and applying risk-based thinking rather than a static hazard register.

From there, the work usually falls into a few areas. Leadership needs to be brought into the system in a visible, documented way. Worker participation processes need to be built or formalized. Risk and opportunity assessment needs to replace or supplement the older hazard-only approach. And if you already hold ISO 9001 or ISO 14001, this is the moment to integrate safety into a single management system under the shared Annex SL structure rather than maintaining it separately.

None of this requires starting from scratch. A well-run OHSAS 18001 system already contains much of what ISO 45001 asks for. The migration is largely a matter of restructuring existing content, closing specific gaps, and demonstrating the leadership and worker involvement the newer standard expects. Organizations that approach it methodically, ideally with a gap analysis up front, typically find the transition far more manageable than they feared.

The bottom line is that OHSAS 18001 is gone, and the reasons it was replaced still matter. ISO 45001 exists because the older, reactive, delegated approach to safety left too many gaps. Moving to it is not just a certification formality. It is an opportunity to build a safety system that leadership owns, that workers help shape, and that anticipates risk instead of merely responding to harm.

QRC’s ISO 45001 consulting team helps organizations migrate legacy safety systems, close the gaps that matter, and integrate occupational health and safety with existing ISO 9001 and ISO 14001 systems. To see where your current system stands, a structured gap analysis is the right first step. Call (800) 244-5409 or contact us to talk it through.

ISO 9001 Gap Analysis: A Step-by-Step Guide

ISO 9001 Gap Analysis: A Step-by-Step Guide

Every successful ISO 9001 project starts with an honest look at where you stand today. That is exactly what an ISO gap analysis delivers: a structured, evidence-based comparison of your current management system against the requirements of the standard. Done well, it tells you precisely what already works, what is missing, and how much effort separates you from a certifiable quality management system.

This guide walks through a real gap analysis the way an experienced consultant runs one — from scoping the work to handing over a remediation roadmap. Whether you plan to do it yourself or bring in help, understanding the mechanics will make the exercise far more useful.


What an ISO Gap Analysis Actually Measures

An ISO gap analysis is not an audit, and it is not a pass/fail test. It is a diagnostic. The goal is to map the distance between two things: the requirements written into ISO 9001:2015 and the way your organization actually operates today.

That distinction matters. A requirement can be fully met, partially met, or entirely absent. A gap analysis captures all three states across every clause of the standard, then translates the findings into a plan of work. Organizations that skip this step almost always underestimate the effort — or waste months building documentation they did not need. A clear picture at the start keeps the whole project grounded in reality.


Step 1: Define the Scope

Before reviewing a single document, you need to agree on boundaries. Scope defines which sites, departments, products, services, and processes the quality management system will cover.

For a single-location manufacturer, scope is usually straightforward. For a company with multiple facilities, contract manufacturing, or a mix of design and production activities, scoping decisions shape the entire project. Clarify these questions up front:

  • Which physical locations are included?
  • Which products or service lines fall inside the system?
  • Are there any clauses you intend to exclude, and can you justify the exclusion? (Design and development under clause 8.3 is the most common candidate.)
  • Who owns each process, and who will provide evidence during the review?

Getting scope right early prevents the most expensive kind of rework — discovering halfway through that an entire function was left out.


Step 2: Review the Documentation

With scope set, the next step is a document review. You are looking for the “documented information” ISO 9001 requires, plus whatever procedures, work instructions, forms, and records your organization already maintains.

Gather what exists — quality manual (if you have one), procedures, process maps, job instructions, calibration records, training logs, supplier records, corrective action files, and management review minutes. Then compare that inventory against the standard’s requirements.

Most organizations are surprised here in two directions at once. They often already do many required things, just without documenting them in a way an auditor would recognize. At the same time, they discover mandatory elements — like a documented quality policy, measurable objectives, or a defined process for handling nonconforming output — that simply do not exist yet. The document review separates “we do this but need to formalize it” from “we need to build this from scratch.”


Step 3: Walk the Processes

Documents describe how work is supposed to happen. Process walkthroughs reveal how it actually happens. This is where a gap analysis earns its value.

Sit with the people who do the work. Follow an order from quote to delivery. Watch how a nonconformance gets recorded, or whether it gets recorded at all. Trace a customer complaint through to resolution. Ask how a new employee learns their job and how that training is verified.

Walkthroughs consistently surface gaps that documentation review misses: undocumented workarounds, processes that exist on paper but not in practice, and informal controls that work well but leave no evidence trail. They also uncover strengths — mature habits that only need light documentation to satisfy the standard. Talking to operators, not just managers, is what makes this step honest.


Step 4: Score Every Clause

Now the findings get organized. Working clause by clause through ISO 9001 — from clause 4 (context of the organization) through clause 10 (improvement) — assign each requirement a status. A simple, consistent scale works best:

  • Conforms — the requirement is met and evidence exists.
  • Partial — some elements are in place, but the requirement is not fully satisfied.
  • Gap — the requirement is not met, or no evidence exists.
  • Not applicable — the requirement is justifiably excluded from scope.

The high-value clauses to watch are the ones organizations most often underestimate: risk-based thinking and the actions to address risks and opportunities (clause 6.1), the context and interested-parties analysis (clauses 4.1 and 4.2), operational planning and control (clause 8.1), and the full internal audit and management review cycle (clauses 9.2 and 9.3). These are frequently thin or missing entirely, even in companies that run tight production floors.

Scoring at the clause level turns a general sense of “we have work to do” into a specific, countable list of tasks.


Step 5: Deliver the Report and Remediation Roadmap

The final step converts findings into action. A good gap analysis report does more than list deficiencies — it prioritizes them and sequences the fixes.

A useful report includes a clause-by-clause status summary, a plain-language explanation of each significant gap, an estimate of the effort involved, and a recommended order of work. Some gaps are quick administrative fixes. Others — building an internal audit program, establishing measurable objectives, rolling out risk assessments — take weeks and depend on other pieces being in place first. Sequencing matters, because you cannot run a meaningful management review before you have objectives to review or audit results to discuss.

The remediation roadmap ties it together with owners and target dates, giving leadership a realistic timeline to certification readiness. For most organizations, a well-run ISO 9001 implementation runs five to seven months from this point, and the gap analysis is what makes that estimate credible rather than a guess.


A Quick ISO Gap Analysis Checklist

Use this as a working checklist when you run your own review:

  • Confirm the scope: sites, products, services, and any justified exclusions.
  • Inventory all existing documented information and records.
  • Compare that inventory against every clause of ISO 9001.
  • Walk at least one full instance of each core process with the people who run it.
  • Verify the mandatory items exist: quality policy, measurable objectives, control of nonconforming output, internal audit program, management review.
  • Score each requirement — conforms, partial, gap, or not applicable.
  • Flag the usual weak spots: risk and opportunity actions, context analysis, competence and training evidence, corrective action.
  • Write findings into a prioritized report with effort estimates.
  • Build a remediation roadmap with owners and dates.
  • Set a realistic target date for your registrar audit.

Frequently Asked Questions

How long does an ISO gap analysis take?

For a single-location small or mid-sized organization, the on-site portion typically runs one to three days, with a written report following shortly after. Larger operations with multiple sites or complex processes take longer. The output should always be a documented report, not just a verbal summary.

Is a gap analysis the same as an audit?

No. An audit checks conformance against a defined system and can result in findings that affect certification. A gap analysis is a diagnostic that measures how far your current operations sit from the standard’s requirements. It informs the work ahead rather than judging a finished system.

Should we run the gap analysis ourselves or bring in a consultant?

Either can work. An internal team knows the operation intimately but may struggle to read the standard objectively or spot gaps in familiar routines. An experienced consultant brings pattern recognition from many implementations and an outside perspective, which is why organizations using a full-service program consistently pass their first registrar audit.

What are the most commonly missed requirements?

Risk-based thinking (clause 6.1), context of the organization and interested parties (clauses 4.1 and 4.2), measurable quality objectives, competence and training evidence, and a functioning internal audit and management review cycle. These tend to be thin even in well-run companies because they are management-system requirements rather than day-to-day production tasks.


A thorough ISO gap analysis is the foundation of a smooth, predictable certification project. If you would like an experienced team to run one for you and map the path to your registrar audit, explore QRC’s ISO 9001 consulting services or contact us to talk it through — call (800) 244-5409.

How AI Is Transforming ISO Compliance and Quality Management

How AI Is Transforming ISO Compliance and Quality Management

For most of the past three decades, ISO compliance work has been stubbornly manual. Someone drafts a procedure, someone else reviews it, evidence gets collected into folders, and internal auditors spend weeks reading documents to confirm the system does what it claims. The standards demand rigor, and rigor has always meant hours.

That is beginning to change. Artificial intelligence is now capable of doing much of the mechanical work inside a quality management system faster and more consistently than a human can—drafting first-pass documentation, reading through audit evidence, watching key performance indicators for drift, and flagging gaps before a registrar ever arrives. Used well, AI does not replace the quality professional. It removes the busywork that keeps quality professionals from doing the judgment work only they can do.

This article looks at where AI genuinely helps in ISO compliance and quality management, where it introduces real risk, and how to adopt it responsibly inside a certified or soon-to-be-certified management system.


Where AI actually helps in a QMS

The value of AI in ISO work is concentrated in a handful of repetitive, high-volume tasks. These are the places where the effort has always been disproportionate to the judgment required.

Drafting and maintaining documentation

Every ISO standard requires documented information—quality manuals, procedures, work instructions, forms, and records. Drafting that documentation from a blank page is slow, and keeping it current as processes change is slower still. AI language models are well suited to producing a structured first draft: a procedure that follows the clause structure of ISO 9001, a work instruction written in plain language for the shop floor, or a revision that reflects a process change described in a few sentences.

The important word is draft. AI can get a document eighty percent of the way there in minutes, but a qualified person still has to confirm that it describes what your organization actually does—not a generic template that happens to read well. Used this way, AI compresses documentation timelines dramatically without lowering the standard of the finished record.

Analyzing audit evidence

Internal audits generate a large volume of evidence: records, logs, corrective action reports, calibration certificates, training rosters. Historically an auditor reads through all of it looking for inconsistencies. AI can accelerate that review by scanning records for missing fields, expired dates, mismatched revision numbers, and patterns that suggest a nonconformity—then surfacing the exceptions for a human to judge.

The result is not a machine deciding conformity. It is an auditor spending their time on the twelve records that look wrong instead of reading the eight hundred that are fine.

Monitoring KPIs and quality data

Clause requirements around monitoring, measurement, and continual improvement assume you are watching your data. In practice, trends often go unnoticed until a management review meeting weeks later. AI-driven monitoring can watch quality KPIs continuously—scrap rates, on-time delivery, customer complaints, supplier performance—and flag statistically meaningful shifts as they happen, giving you the chance to open a corrective action while the cause is still fresh.

Preparing for surveillance and certification audits

Audit preparation is largely a gap-hunting exercise: comparing what the standard requires against what your evidence shows and finding the holes before the registrar does. AI is effective at this cross-referencing. It can compare your documented procedures against the clauses of your standard, check that each requirement is addressed somewhere in your system, and produce a prioritized list of gaps to close before a surveillance visit. That turns a scramble in the final weeks into a steady, manageable checklist.


The limits and risks you cannot ignore

AI earns its place in a QMS only if it is used with clear eyes about what it does poorly. In a compliance context, the failure modes matter more than they would almost anywhere else.

Hallucination

Large language models can produce confident, fluent text that is simply wrong—citing a clause that does not exist, inventing a control, or describing a process step your organization does not perform. In casual writing this is an annoyance. In a controlled document it is a nonconformity waiting to happen. Every AI-generated statement of fact—clause references, regulatory requirements, procedural steps—has to be verified against the actual standard and your actual process before it enters the system.

Accountability

ISO standards are built on the idea that identifiable people are responsible for the management system. A model cannot own a corrective action, sign off on a document, or be held accountable in an audit. Responsibility for every deliverable must remain with a named human, no matter how much of the drafting the machine did. AI is a tool the quality function uses; it is never the quality function.

Registrar expectations

Registrars are increasingly aware that AI is entering quality systems, and they will expect you to demonstrate control over it. If AI helped draft a procedure or analyze evidence, you should be able to explain how the output was reviewed and approved. Treating AI-generated content as controlled information—reviewed, versioned, and owned—keeps you on the right side of that conversation. Passing AI output straight into your system unreviewed is the fastest way to erode an auditor’s confidence.

Data confidentiality

Quality data often includes proprietary processes, customer information, and supplier terms. Feeding that material into a public AI tool can expose it in ways that violate customer agreements or your own information security controls—particularly relevant for organizations working toward ISO/IEC 27001. Any AI adoption has to account for where your data goes and who can see it.


How to adopt AI in your QMS responsibly

The organizations getting real value from AI in compliance are not the ones using it most aggressively. They are the ones that have wrapped it in the same discipline they apply to everything else in the management system.

A practical adoption path looks like this. Start with low-risk, high-volume tasks—first-draft documentation and evidence pre-screening—where a human reviews everything before it counts. Define, in writing, who reviews and approves AI-assisted output, so accountability is never ambiguous. Treat AI-generated documents as drafts subject to your normal document control process, with the same review and approval gates as anything else. Keep sensitive quality data out of tools that do not meet your confidentiality requirements. And record how AI is used in your processes, so you can show a registrar a controlled, deliberate approach rather than an improvised one.

Done this way, AI becomes another instrument under your existing controls—powerful, but governed. The judgment, the accountability, and the sign-off stay with your people. The machine simply does more of the typing, reading, and watching, so your people can do more of the thinking.


QRC’s AI-powered approach

This is exactly how QRC applies AI in its consulting work. Since 1993, QRC has helped more than 1,000 organizations implement ISO-compliant management systems, and clients using its full-service implementation program consistently achieve certification on their first registrar audit. Pairing veteran ISO consultants with AI tooling lets QRC accelerate the mechanical work—documentation drafting, gap analysis, audit preparation, and compliance monitoring—while human experts remain accountable for every deliverable.

The effect is a faster path to certification without cutting corners. A typical ISO 9001 implementation runs five to seven months, and AI-assisted drafting and analysis help compress the effort inside that window rather than lowering the bar the finished system has to clear. You can read more about how QRC combines human expertise with AI on its AI-powered ISO consulting page.

If you are implementing or maintaining a system under ISO 9001, ISO 13485, ISO/IEC 27001, or any other standard in QRC’s practice areas, the same principle applies: use AI to move faster on the mechanical work, and keep qualified people accountable for the result. QRC’s audit services and internal auditor training can help you build that discipline into your own team.

To talk through where AI fits in your quality management system, contact QRC or call (800) 244-5409.

ISO 9001:2026 – Why Smart Companies Are Preparing Before the Standard Is Released

Introduction

For many organizations, ISO 9001 certification is viewed as a project that only requires attention when an audit is approaching. However, experienced quality professionals know that successful organizations don’t wait for deadlines—they prepare well in advance.

Although ISO 9001:2026 has not yet been officially published, now is the ideal time to begin evaluating your Quality Management System (QMS) and identifying opportunities for improvement. Organizations that prepare early typically experience smoother transitions, fewer surprises during certification audits, and stronger business performance.

Why Is ISO 9001 Being Revised?

ISO standards are periodically reviewed to ensure they continue meeting the needs of modern organizations. Since ISO 9001:2015, businesses have experienced major changes including AI, digital transformation, supply chain disruption, cybersecurity, remote work, and increasing customer expectations. While the final requirements are not yet published, organizations can strengthen their systems now.

Don’t Wait for the Final Standard

Rather than waiting for the final publication, organizations should review documentation, strengthen internal audits, improve risk management, update quality objectives, and verify that processes accurately reflect current operations.

Focus on Business Improvement—Not Just Compliance

A well-designed Quality Management System should reduce waste, improve customer satisfaction, increase operational efficiency, reduce business risk, improve employee engagement, and increase profitability. Certification should confirm an effective system—not be the only objective.

How Artificial Intelligence Is Changing Quality Management

AI can assist with drafting procedures, developing audit questions, preparing management reviews, identifying risks, analyzing KPIs, and improving documentation. Used responsibly, AI can significantly improve productivity without replacing experienced quality professionals.

Five Actions You Can Take Today

1. Perform a QMS health check.
2. Strengthen risk-based thinking.
3. Improve internal audits.
4. Evaluate organizational knowledge.
5. Stay informed using credible sources.

Final Thoughts

ISO 9001:2026 should be viewed as an opportunity to improve organizational performance, not simply another compliance exercise. Organizations that prepare early are typically better positioned for a successful transition.

About Quality Resource Center

Quality Resource Center (QRC) has helped organizations implement, improve, and maintain ISO management systems for more than 30 years through consulting, auditing, and training services.