Clause 6 of ISO 9001: Planning Explained

Clause 6 of ISO 9001:2015 is where the standard asks you to think before acting: identify the risks and opportunities that can affect your QMS, define measurable quality objectives, and plan changes to the system. It’s the clause that changed most between 2008 and 2015, and the one that requires the most effort in a first certification.

In this guide we explain what each sub-clause (6.1, 6.2 and 6.3) requires, how to build a risk matrix that’s actually useful and not just decorative, what documents auditors ask for, and the most common mistakes we see when working with companies through certification.

What you’ll find in this guide

  1. What does Clause 6 of ISO 9001 require?
  2. 6.1 Actions to address risks and opportunities
  3. 6.2 Quality objectives and planning to achieve them
  4. 6.3 Planning of changes
  5. How to implement Clause 6 in an SME
  6. Documents and evidence auditors ask for
  7. Common mistakes auditors flag
  8. How QualityWeb 360 makes Clause 6 easier
  9. Frequently asked questions

What does Clause 6 of ISO 9001 require?

Clause 6 is called “Planning” and has three sub-clauses:

  • 6.1 — Actions to address risks and opportunities
  • 6.2 — Quality objectives and planning to achieve them
  • 6.3 — Planning of changes

In short: once the context is understood (Clause 4) and leadership is defined (Clause 5), the organization must translate all that into concrete plans: which risks to mitigate, which opportunities to pursue, which objectives to chase, and how to manage QMS changes without breaking the system.

6.1 Actions to address risks and opportunities

This sub-clause is the big novelty of ISO 9001:2015. The standard requires risk-based thinking applied to the QMS: when planning the system, you must consider context issues (4.1) and interested-party requirements (4.2) to determine risks and opportunities.

Why are risks and opportunities determined?

  • Give assurance the QMS can achieve its intended results
  • Enhance desirable effects
  • Prevent or reduce undesired effects
  • Achieve improvement

What must be done with the identified risks and opportunities?

  • Plan actions proportional to the potential impact on conformity of products and services
  • Integrate and implement them into the QMS processes
  • Evaluate the effectiveness of the actions taken

Practical tool: risks and opportunities matrix

The standard does not require a specific risk-management methodology. The most-used tools are:

  • Probability × impact matrix (the simplest for SMEs)
  • FMEA (Failure Mode and Effects Analysis) — popular in manufacturing
  • ISO 31000 — for companies that already have formal risk management
  • Bow-tie — for critical risks in regulated industries

What matters: the chosen methodology must produce concrete actions with owner, due date and effectiveness evaluation, not a colorful matrix with no follow-up.

6.2 Quality objectives and planning to achieve them

Quality objectives are the concrete, measurable goals the organization commits to achieve. The standard requires establishing them for relevant functions, levels and processes.

Mandatory characteristics of a quality objective

  • Consistent with the quality policy (links to Clause 5.2)
  • Measurable (quantitative or qualitative but assessable)
  • Applicable to product/service requirements and customer satisfaction
  • Relevant to conformity and improvement
  • Monitored
  • Communicated
  • Updated as appropriate

For each objective you must plan:

  • What will be done
  • What resources will be needed
  • Who will be responsible
  • When it will be completed
  • How results will be evaluated

This is essentially a SMART-style action plan for each objective. Without that level of detail, the objective is just a wish.

Examples of well-formulated quality objectives

  • “Reduce defect return rate from 3.5% to 2% by December 2026”
  • “Achieve NPS >50 by the end of fiscal year 2026”
  • “Reduce average lead time from 12 to 8 business days before Q3”
  • “Train 100% of operations staff on the new control procedure by 06/30/2026”

6.3 Planning of changes

When the organization determines the need for changes to the QMS, those changes must be carried out in a planned manner. The standard requires considering:

  • The purpose of the changes and their potential consequences
  • The integrity of the QMS (the change must not break the system)
  • The availability of resources
  • The allocation or reallocation of responsibilities and authorities

Typical changes covered by 6.3: new production line, change of critical supplier, merger or acquisition, ERP system change, expansion to a new site, large organizational change, new regulation.

How to implement Clause 6 in an SME

Step 1 — Risk and opportunity identification session (half-day)

Meet with process owners to identify 15-25 QMS risks and opportunities, starting from the context analysis (SWOT/PESTLE) and interested parties. Rate each by probability and impact. Output: prioritized risks and opportunities matrix.

Step 2 — Define actions for priority risks

For the top 5-10 highest-severity risks and the top 3-5 most relevant opportunities, assign actions, owner, due date and how effectiveness will be evaluated. Output: risk treatment plan.

Step 3 — Set annual quality objectives

Define 4-8 quality objectives per year, aligned with the policy, each with its own SMART plan (what, resources, owner, due date, evaluation). Output: annual quality objectives document.

Step 4 — Change management procedure

Document the flow to authorize significant QMS changes: request, impact assessment, approval, implementation, validation. Keep a log of executed changes. Output: procedure + change log.

Documents and evidence auditors ask for

  • Updated risks and opportunities matrix (at least annual review)
  • Action plan for priority risks with owner and due date
  • Effectiveness evaluation of actions taken
  • Current quality objectives document
  • Action plan per objective (resources, owner, due date, evaluation)
  • Objective tracking record (monthly or quarterly)
  • QMS change management procedure
  • Log of executed changes with their evaluation

Common mistakes auditors flag

  1. Generic risk matrix without actions — the organization lists 30 risks with colors but none has an assigned action plan. Solution: every significant risk needs a concrete action with owner and due date.
  2. Non-measurable quality objectives — “improve quality”, “satisfy the customer”, “be efficient”. No numeric target. Solution: SMART with metric and deadline.
  3. Objectives without a plan — the objective exists but there’s no plan for how to achieve it. Solution: every objective must have what/resources/owner/when/how to evaluate.
  4. Objectives without follow-up — the objectives document exists but no one reviews progress until year-end. Solution: monthly or quarterly review in quality meetings.
  5. Significant changes without impact assessment — the ERP is replaced or a critical supplier is hired without going through QMS change management. Solution: simple procedure, but applied consistently.
  6. Risks identified but not reassessed after actions — the action was taken but no one verified whether it actually reduced the risk. Solution: closed loop with documented effectiveness evaluation.

How QualityWeb 360 makes Clause 6 easier

QualityWeb 360 is a 100% cloud platform that centralizes your entire ISO 9001 QMS. For Clause 6 specifically, it helps with:

📊 Risk matrix and objectives

Centralized log of QMS risks and opportunities, with probability, impact and priority. Annual quality objectives with SMART plan, progress tracking and linkage to the policy.

🔍 Traceability for audits

Each risk is linked to its treatment action, owner, due date and effectiveness evaluation. Each QMS change is logged with its impact analysis. When the auditor asks “how do you manage risks?”, the answer is one click away.

🔁 Periodic review with alerts

The system reminds you when to review the risk matrix, evaluate objective progress or report a significant change. Evidence is logged for the management review and the external audit.

Frequently asked questions about ISO 9001 Clause 6

Does the standard require a specific risk-management methodology?

No. ISO 9001:2015 doesn’t require ISO 31000, FMEA or any other specific methodology. What it requires is risk-based thinking applied to the QMS: identify, evaluate, treat, follow up. The organization chooses the tool that best fits its size and complexity.

How many quality objectives should I have?

There’s no mandatory number. In SMEs, the most reasonable approach is 4 to 8 objectives per year, covering critical dimensions: product, service, customer, processes, people. More than 10 objectives usually means some are just decorative without real follow-up.

How often are quality objectives reviewed?

Best practice is to review progress monthly or quarterly and reset them annually in the management review. If performance deviates significantly mid-period, the action plan must be adjusted — don’t wait until year-end to discover you didn’t hit it.

What changes fall under Planning of Changes (6.3)?

Significant QMS changes: organizational structure, critical processes, production infrastructure, information systems supporting the QMS, certified sites, QMS scope. Minor changes (e.g., updating an operational procedure) are managed via document control (Clause 7.5).

What is the difference between a risk and an opportunity?

A risk is a potential event with a negative effect on product/service conformity or customer satisfaction. An opportunity is a scenario that could improve performance or expand capabilities if seized. The standard requires addressing both, but the practical emphasis is usually on risks.

Do I have to document all risks or only the significant ones?

The standard requires documenting the actions taken, not necessarily listing all possible risks. In practice auditors expect a prioritized matrix where significant risks have an action plan. Low risks can be listed for traceability but don’t need active treatment.

Who’s responsible for QMS risk management?

Ultimate responsibility lies with top management (Clause 5.1). In practice, the quality manager coordinates the matrix, but process owners are the ones who identify risks in their area and execute treatment actions. It’s distributed work, not centralized.

