Clause 5 of ISO 9001:2015 is where the standard makes one thing clear: a quality management system isn’t the quality manager’s pet project — it’s top management’s responsibility. This clause defines what top management must do, what policy it must establish and how roles and responsibilities are assigned across the QMS.
In this guide we explain what each sub-clause (5.1, 5.2 and 5.3) requires, how to write a quality policy that’s actually useful, what documents auditors ask for, and the most common mistakes we see when working with companies through certification.
What you’ll find in this guide
- What does Clause 5 of ISO 9001 require?
- 5.1 Leadership and commitment
- 5.2 Quality policy
- 5.3 Organizational roles, responsibilities and authorities
- How to implement Clause 5 in an SME
- Documents and evidence auditors ask for
- Common mistakes auditors flag
- How QualityWeb 360 makes Clause 5 easier
- Frequently asked questions
What does Clause 5 of ISO 9001 require?
Clause 5 is called “Leadership” and has three sub-clauses:
- 5.1 — Leadership and commitment (including 5.1.1 general and 5.1.2 customer focus)
- 5.2 — Quality policy (5.2.1 establishing and 5.2.2 communicating)
- 5.3 — Organizational roles, responsibilities and authorities
In short: top management must take ownership of the QMS, not just sign a document. That’s demonstrated through the quality policy, clear role assignment, and evidence that management actively participates in reviewing and improving the system.
5.1 Leadership and commitment
This sub-clause is the heart of Clause 5. The standard requires top management to demonstrate leadership and commitment to the QMS through concrete actions, not just statements.
5.1.1 General — what management must do
- Take accountability for the effectiveness of the QMS (not fully delegate it to the quality manager)
- Ensure that quality policy and objectives are aligned with the strategic direction of the business
- Integrate QMS requirements into the organization’s business processes
- Promote the process approach and risk-based thinking
- Ensure resources needed for the QMS are available
- Communicate the importance of an effective QMS and conforming to its requirements
- Ensure the QMS achieves intended results
- Engage, direct and support people to contribute to the QMS
- Promote improvement
- Support other relevant management roles to demonstrate their leadership in their areas
5.1.2 Customer focus
Top management must demonstrate leadership and commitment with respect to customer focus by ensuring that:
- Customer requirements and applicable legal/regulatory requirements are determined, understood and consistently met
- Risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed
- The focus on enhancing customer satisfaction is maintained
5.2 Quality policy
The quality policy is top management’s public declaration of commitment to quality and QMS improvement. It has two parts: establishing it (5.2.1) and communicating it (5.2.2).
5.2.1 Establishing the quality policy
Top management must establish, implement and maintain a quality policy that:
- Is appropriate to the purpose and context of the organization (links to Clause 4) and supports its strategic direction
- Provides a framework for setting quality objectives
- Includes a commitment to satisfy applicable requirements
- Includes a commitment to continual improvement of the QMS
5.2.2 Communicating the quality policy
The policy must:
- Be available and maintained as documented information
- Be communicated, understood and applied within the organization
- Be available to relevant interested parties, where appropriate (typically published on the website or shared with customers on request)
Typical structure of a useful quality policy
- Company name and business activity
- Explicit commitment to quality and customer satisfaction
- Commitment to comply with legal and regulatory requirements
- Commitment to continual improvement
- Reference to the framework for quality objectives
- Signature and date from top management
Practical recommendation: 1 page max, clear language, no verbatim ISO jargon. If people can’t understand what the policy says, they can’t apply it.
5.3 Organizational roles, responsibilities and authorities
Top management must ensure that responsibilities and authorities for relevant roles are assigned, communicated and understood throughout the organization.
Key responsibilities that must be assigned
- Ensuring the QMS conforms to the requirements of the standard
- Ensuring processes are delivering intended outputs
- Reporting to top management on QMS performance and improvement opportunities
- Ensuring customer focus is promoted throughout the organization
- Ensuring QMS integrity is maintained when changes are planned and implemented
Important: ISO 9001:2015 no longer makes the “Management Representative” role mandatory. Those responsibilities can be distributed among several people, but they must always be assigned and documented.
How to implement Clause 5 in an SME
In a 20-200 employee SME, here’s what practical implementation looks like:
Step 1 — Real management commitment (kickoff meeting)
Meeting with leadership to discuss what “taking accountability” for the QMS really means. It’s not just signing the policy — it’s allocating resources, attending the annual management review and knowing the key indicators. Output: management commitment minutes.
Step 2 — Draft the quality policy (2 hours)
One-page draft with the 4 mandatory commitments. Review with leadership. Sign and date. Communicate to all staff (email, posted notice, intranet) and publish on the website. Output: signed quality policy + evidence of distribution.
Step 3 — Roles and responsibilities matrix
Map each QMS process to its owner, backup and authorities. Document in a simple matrix (RACI or equivalent). Communicate to staff. Output: roles matrix + org chart + updated job descriptions.
Step 4 — Policy communication plan
Define how you ensure staff understands the policy: onboarding for new hires, periodic meetings, posters in operational areas, intranet messages. Keep evidence of distribution. Output: communication plan + distribution records.
Documents and evidence auditors ask for
- Signed and current quality policy (not 5 years old)
- Evidence of communication: meeting minutes, screenshots of postings, onboarding records
- Roles and responsibilities matrix for the QMS
- Up-to-date org chart
- Job descriptions including quality responsibilities
- Annual management review record (links to Clause 9.3)
- Evidence of resource allocation to the QMS (budget, headcount, infrastructure)
Common mistakes auditors flag
- Policy copied from the internet — the auditor reads a generic policy that doesn’t mention products, sector or the company’s actual purpose. Solution: write it specific to the business, in clear language.
- Unsigned or undated policy — without a signature from top management or a date, it doesn’t demonstrate current commitment. Solution: sign and date it; review and re-sign every 2-3 years.
- Staff doesn’t know the policy — the auditor interviews an operator who doesn’t know what it says or where to find it. Solution: periodic communication and visual summary in operational areas.
- Undocumented roles — everyone knows who does what verbally, but there’s no written matrix. Solution: document in a simple matrix even when it seems obvious.
- Management absent from the review — the “review” is signed by the quality manager without real participation from the general manager. Solution: formally convene the director and ensure attendance.
- Policy and objectives misaligned — the policy talks about excellence but objectives only measure output. Solution: every objective must trace back to a policy commitment.
How QualityWeb 360 makes Clause 5 easier
QualityWeb 360 is a 100% cloud platform that centralizes your entire ISO 9001 QMS. For Clause 5 specifically, it helps with:
📄 Document Control
Stores the current quality policy, roles matrix, org chart and job descriptions. Provides version control and electronic approval, and logs top management’s signature with a timestamp.
🔍 Traceability for audits
Every policy version is logged with author, date and signature. Staff distribution (read receipts) is stored as documentary evidence. When the auditor asks “how do you know staff knows the policy?”, the answer is one click away.
🔁 Periodic review with alerts
The system reminds you when the quality policy needs review (typically every 2-3 years) and when the annual management review is coming up. Evidence of leadership participation is stored for the external audit.
Frequently asked questions about ISO 9001 Clause 5
Does the quality policy have to be public?
The standard requires it to be available to relevant interested parties, which almost always includes customers. Most companies publish it on their website or share it on request. Publishing it on the website is the simplest option and demonstrates transparency.
How often should the quality policy be reviewed?
The standard sets no specific frequency but recommends review at each management review (at least annually). In practice, the policy is reissued or reaffirmed every 2-3 years or when there’s a strategic change (new business line, merger, new general manager).
Is the “Management Representative” still mandatory?
No. Since ISO 9001:2015, that specific role is no longer required. The responsibilities can be distributed across multiple management roles. Many companies still maintain a “QMS Manager” or equivalent — that’s fine, as long as the 5.3 responsibilities are covered and documented.
Who is “top management” in an SME?
In an SME it’s typically the general manager or CEO and, depending on size, the heads of area (operations, sales, finance). In small family businesses, the owner acts as top management. What matters is that they have real authority over resources and decisions, not just a title.
Do all directors need to sign the policy?
It’s not mandatory for all to sign, but the top authority (typically the general manager or equivalent) must. Some companies add multiple signatures for symbolism (the whole leadership team) — that’s valid but not required.
How do I prove staff “understands” the policy?
With evidence of communication and comprehension activities: documented onboarding talks, meeting minutes explaining it, quality dynamics, simple quizzes for new hires, posters in operational areas. Auditors typically interview an operator and an admin to verify.
Are quality policy and company mission the same thing?
No. The mission describes the business’s overall purpose. The quality policy is specific to the QMS: it declares commitments to quality, customer satisfaction, compliance with requirements and continual improvement. They can be aligned and share concepts, but they’re distinct documents with distinct purposes.