Clause 9 of ISO 9001:2015 is where the system stops being a manual and starts proving it actually works. This is where internal audits, quality KPIs and management review live — the three mechanisms your organization uses to look at itself in the mirror before the external auditor walks in.
In this guide we explain what each sub-clause (9.1, 9.2 and 9.3) requires, how to build an internal audit program that’s more than paper, what documents the external auditor expects, and the most common mistakes we see when working with companies on their certification.
What you’ll find in this guide
- What does Clause 9 of ISO 9001 require?
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- How to implement Clause 9 in an SME
- Documents and evidence auditors ask for
- Common mistakes auditors flag
- How QualityWeb 360 makes Clause 9 easier
- Frequently asked questions
What does Clause 9 of ISO 9001 require?
Clause 9 is called “Performance evaluation” and has three sub-clauses:
- 9.1 — Monitoring, measurement, analysis and evaluation (including customer satisfaction)
- 9.2 — Internal audit
- 9.3 — Management review
In short: the organization must measure what matters, audit itself before the external auditor arrives, and bring the results to the management table so decisions can be made. If Clause 4 was the foundation of the QMS, Clause 9 is the thermometer — without it you can’t tell whether the system actually works.
9.1 Monitoring, measurement, analysis and evaluation
Sub-clause 9.1 asks you to determine what you need to measure, how, when, and who analyzes the results. It has three blocks:
9.1.1 General — what to measure
The standard requires the organization to determine:
- What needs to be monitored and measured (process performance, product/service quality, customer satisfaction)
- Methods for monitoring, measurement, analysis and evaluation (inspection, surveys, KPIs)
- When monitoring is performed (frequency: daily, weekly, monthly, per batch)
- When the results are analyzed (monthly, quarterly, semiannually)
Typical output: a KPI dashboard with cards documenting formula, frequency, target, owner and data source.
9.1.2 Customer satisfaction
The standard requires you to gather information on customer perception of how well their requirements are being met. Common methods:
- Periodic satisfaction surveys (NPS, CSAT)
- Complaints and claims received
- Returns and warranty claims
- Compliments and recognitions
- Retention and repeat-purchase rate
- Meetings with key accounts
Important: having surveys isn’t enough. You must analyze the results and take action on findings. The auditor reviews whether the loop closes, not just whether surveys are sent.
9.1.3 Analysis and evaluation
Analysis and evaluation must assess:
- Conformity of products and services
- Degree of customer satisfaction
- QMS performance and effectiveness
- Whether planning has been effectively implemented
- Effectiveness of actions taken to address risks and opportunities
- External provider performance
- Need for improvements
Analysis results are mandatory input to the management review (9.3).
9.2 Internal audit
Sub-clause 9.2 requires the organization to conduct internal audits at planned intervals to verify whether the QMS conforms to the organization’s own requirements, the requirements of ISO 9001, and whether it is effectively implemented and maintained.
What the internal audit program must contain
- Frequency — at least once per year per process, before the external audit
- Methods — interviews, document review, field observation
- Responsibilities — who audits which process
- Planning requirements — scope, criteria, resources
- Reporting of findings — report format
Key requirements for internal auditors
- Objectivity and impartiality: the auditor cannot audit their own work
- Competence: demonstrable training in auditing (ISO 19011 is the reference)
- Documented qualification: training records or prior experience
Required audit outputs
- Audit report with findings (nonconformities, observations, improvement opportunities)
- Corrective action plan for each nonconformity
- Verification of effectiveness of actions taken
- Records retained as documented information
9.3 Management review
Sub-clause 9.3 requires top management to review the QMS at planned intervals (typically annually or semiannually) to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction.
Mandatory review inputs
- Status of actions from previous reviews
- Changes in external and internal issues (Clause 4)
- Information on QMS performance and effectiveness: customer satisfaction, achievement of objectives, process performance, nonconformities and corrective actions, monitoring and measurement results, audit results, external provider performance
- Adequacy of resources
- Effectiveness of actions to address risks and opportunities
- Opportunities for improvement
Mandatory review outputs
- Decisions and actions related to improvement opportunities
- Decisions on changes needed to the QMS
- Resource needs
The document that captures the evidence: the management review minutes, signed by participants, with date and decisions taken.
How to implement Clause 9 in an SME
In a 20-200 employee SME, here’s what practical implementation of Clause 9 looks like without turning it into bureaucratic overhead:
Step 1 — Define key indicators (one half-day session)
Meeting with process owners to select 8-15 truly useful indicators (not 50). Each KPI gets a card: formula, target, frequency, owner, source. Output: KPI dashboard and individual cards.
Step 2 — Launch customer satisfaction measurement
Send the first post-delivery or post-service survey. Start simple: 3-5 questions, 1-10 scale, space for comments. Define frequency (per sale, quarterly, annual). Output: survey template + send plan.
Step 3 — Annual internal audit program
Schedule audits by process. In SMEs the most practical approach is 2-3 cycles per year, each covering different processes, so that all processes are audited within 12 months. Assign auditors per process (with cross-coverage: nobody audits their own work). Output: annual program + checklists.
Step 4 — Management review (at minimum once a year)
Prepare a dossier with all mandatory inputs, convene top management (general manager and direct reports), review results, decide on actions and resources. Document everything in minutes. Output: management review minutes + derived action plan.
Documents and evidence auditors ask for
For Clause 9, external auditors always look for:
- KPI dashboard with results from the last 12 months
- Indicator cards (formula, target, frequency, owner)
- Evidence of customer satisfaction measurement (surveys, NPS, complaints)
- Annual internal audit program
- Signed internal audit reports
- Internal auditor qualification (certificates, training)
- Action plans derived from audit findings
- Verification of effectiveness of corrective actions
- Management review minutes with all required inputs and outputs
- Action plan derived from the management review
Common mistakes auditors flag
- Indicators with no target or not updated — the dashboard only shows last month’s data or has KPIs empty for 6 months. Solution: review monthly and publish the dashboard organization-wide.
- Satisfaction surveys sent but never analyzed — the owner sends surveys but results aren’t reported or acted on. Solution: close the loop with documented analysis and improvement plan.
- Audit program that never gets executed — the program exists on paper but audits never happen, or are crammed in the week before the external audit. Solution: distribute audits across the year, don’t bunch them.
- Auditor auditing their own process — the quality manager audits their own documentation system. Obvious lack of objectivity. Solution: rotate auditors or cross-audit between areas.
- Management review minutes missing required inputs — the minutes say “the system was reviewed” but indicators, audits, complaints, etc. are missing. Solution: use a template that lists each input and marks evidence.
- Management review without management — only the quality manager attends. No top management participation. Solution: bring in the general manager / leadership, it’s not optional.
How QualityWeb 360 makes Clause 9 easier
QualityWeb 360 is a 100% cloud platform that centralizes your entire ISO 9001 QMS. For Clause 9 specifically, it helps with:
📊 Centralized KPIs and audits
KPI dashboard with cards, targets and owners. Annual internal audit program with checklists, calendar and findings log. Everything in one place, accessible to the external auditor in seconds.
🔍 Traceability for audits
Every audit finding is linked to its corrective action, owner, due date and effectiveness verification. Management review minutes with all supporting documentation. Everything one click away when the auditor asks.
🔁 Periodic review with alerts
The system reminds you when to measure an indicator, run an audit or convene the annual management review. Evidence is logged so the next external audit becomes a routine check, not a fire drill.
Frequently asked questions about ISO 9001 Clause 9
How often must internal audits be carried out?
The standard doesn’t set a minimum frequency but requires planned intervals. In practice, auditors expect every process to be audited at least once a year before the external audit. In SMEs it’s common to split the year into 2-3 audit cycles to avoid concentrating the workload.
Who can be an internal auditor?
Anyone in the organization with demonstrable competence in auditing (ISO 19011 training or equivalent, prior experience). The only critical requirement is objectivity: no one can audit their own work. In SMEs it’s common to cross-audit between areas, or hire an independent external auditor for small departments.
Can the management review be fragmented?
Yes. The standard does not require a single annual meeting. It can be split into several sessions throughout the year as long as all mandatory inputs are covered and each part is documented. What matters is that top management participates and decisions are documented.
What happens if an indicator misses its target?
It’s not a nonconformity on its own. What’s evaluated is the response: did the organization analyze the gap?, identify root causes?, take action? A low KPI with documented analysis and action plan shows the system works. A low KPI ignored for months is what triggers a nonconformity.
Is a customer satisfaction survey mandatory?
The standard doesn’t specifically require a survey — it requires obtaining information on customer perception. Surveys are the most common method, but these also count: complaint analysis, returns, retention rate, key-account meetings, social media comments and reviews. What matters is having documented and analyzed evidence, not the specific method.
What tools are used for internal audits?
Most common is a per-process checklist mapped to ISO 9001 requirements, plus internal procedures. Some auditors also use the ISO 19011 audit guidelines. For the report, a template with: scope, criteria, findings (major NCs, minor NCs, observations, opportunities), evidence and closure plan.
Who must attend the management review?
At minimum the general manager (or equivalent) and the owners of key processes. That’s the difference between a real management review and a quality-manager-only formality. The general manager’s signature on the minutes is what demonstrates the commitment required by Clause 5 and by 9.3 itself.
📚 Keep exploring the ISO 9001 clauses: