ISO 9000 is a set of international standards of quality management that have become increasingly popular for large and small companies alike. "ISO is grounded on the 'conformance to specification' definition of quality, " wrote Francis Buttle in the International Journal of Quality and Reliability Management. "The standards specify how management operations shall be conducted. ISO 9000's purpose is to ensure that suppliers design, create, and deliver products and services which meet predetermined standards; in other words, its goal is to prevent non-conformity." Used by both manufacturing and service firms, ISO 9000 had been adopted by more than 100 nations as their national quality management/quality assurance standard by the end of 1997.

This quality standard was first introduced in 1987 by the International Organization for Standards (ISO) in hopes of establishing an international definition of the essential characteristics and language of a quality system for all businesses, irrespective of industry or geographic location. Initially, it was used almost exclusively by large companies, but by the mid-1990s, increasing numbers of small-and mid-sized companies had embraced ISO 9000 as well. In fact, small and moderate-sized companies account for much of the growth in ISO 9000 registration over the past several years. The total number of ISO 9000 registrations in the United States increased from a little more than 2, 200 in 1993 to more than 17, 000 in 1998; of those 17, 000 registrations, nearly 60 percent were held by companies with annual sales of $100 million or less.

The increased involvement of small and midsized firms in seeking ISO 9000 registration is generally attributed to several factors. Many small businesses have decided to seek ISO 9000 certification because of their corporate customers, who began to insist on it as a method of ensuring that their suppliers were paying adequate attention to quality. Other small business owners, meanwhile, have pursued ISO 9000 certification in order to increase their chances of securing new business or simply as a means of improving the quality of their processes. "The pressure for companies to become ISO 9000-certified is absolutely increasing and will continue to increase, " predicted one management consultant in an interview with Nation's Business. "The question many smaller companies have to ask is when, not if, they [will] get ISO 9000-registered.

Models of ISO 9000

The ISO 9000 quality standards are broken down into three model sets—ISO 9001, ISO 9002, and ISO 9003. Each of these models, noted Industrial Management contributors Stanislav Karapetrovic, Divakar Rajamani, and Walter Willborn, "stipulate a number of requirements on which an organization's quality system can be assessed by an external party (registrar)" in accordance with the ISO's quality system audits standard. "A quality system, " they added, "involves organizational structure, processes, and documented procedures constituted towards achieving quality objectives."

Each of the three sets concentrates on a different quality area. ISO 9001 is the most wide-ranging, for it specifies the various operating requirements in such areas as product design and development, production, installation, and servicing. ISO 9002 is concerned with quality assurance at the production and installation stages. ISO 9003 covers testing and inspections. As Karapetrovic, Rajamani, and Willborn noted, "if the minimum requirements are met [for the above operating areas], a registrar accredited by a national accreditation institution issues a certificate of compliance and the organization's quality system becomes ISO 9001, 9002, or 9003 registered."

It is worth noting that certification is handed out for individual quality systems, not companies; this means that one company may hold more than one ISO 9000 registration. Moreover, Harvey R. Meyer pointed out in Nation's Business that "the standards do not certify the quality of a product or service. Rather, they attest that a company has fully documented its quality-control processes and consistently adheres to them. If that's done, quality products and services generally follow."

In addition to ISO 9000, two related quality standards emerged in American industries in the late 1990s. ISO 14000, also known as the Environmental Management Systems Standards, is intended to combine environmental management systems with the ISO 9000 quality system. The second system, QS9000 is an adaptation of ISO 9000 to meet the specific needs of the "big three" American automobile manufacturers—Ford, General Motors, and Daimler Chrysler. Both systems were expected to have a substantial impact on U.S. companies.

Advantages of Iso 9000

The advantages associated with ISO 9000 certification are numerous, as both business analysts and business owners will attest. These benefits, which can impact nearly all corners of a company, range from increased stature to bottom-line operational savings. They include:

• Increased marketability—Nearly all observers agree that ISO 9000 registration provides businesses with markedly heightened credibility with current and prospective clients alike. Basically, it proves that the company is dedicated to providing quality to its customers, which is no small advantage whether the company is negotiating with a long-time customer or endeavoring to pry a potentially lucrative customer away from a competitor. This benefit manifests itself not only in increased customer retention, but also in increased customer acquisition and heightened ability to enter into new markets; indeed, ISO 9000 registration has been cited as being of particular value for small and mid-sized businesses hoping to establish a presence in international markets.
• 
  
• Reduced operational expenses—Sometimes lost in the many discussions of ISO 9000's public relations cache is the fact that the rigorous registration process often exposes significant shortcomings in various operational areas. When these problems are brought to light, the company can take the appropriate steps to improve its processes. These improved efficiencies can help companies garner savings in both time and money. "The cost of scrap, rework, returns, and the employee time spent analyzing and troubleshooting various products are all considerably reduced by initiating the discipline of ISO 9000, " confirmed Richard B. Wright in Industrial Distribution.
• 
  
• Better management control—The ISO 9000 registration process requires so much documentation and self-assessment that many businesses that undergo its rigors cite increased understanding of the company's overall direction and processes as a significant benefit.
• Increased customer satisfaction—Since the ISO 9000 certification process almost inevitably uncovers areas in which final product quality can be improved, such efforts often bring about higher levels of customer satisfaction. In addition, by seeking and securing ISO 9000 certification, companies can provide their clients with the opportunity to tout their suppliers' dedication to quality in their own business dealings.
• 
  
• Improved internal communication—The ISO 9000 certification process's emphasis on self-analysis and operations management issues encourages various internal areas or departments of companies to interact with one another in hopes of gaining a more complete understanding of the needs and desires of their internal customers.
• 
  
• Improved customer service—The process of securing ISO 9000 registration often serves to refocus company priorities on pleasing their customers in all respects, including customer service areas. It also helps heighten awareness of quality issues among employees.
• Reduction of product-liability risks—Many business experts contend that companies that achieve ISO 9000 certification are less likely to be hit with product liability lawsuits, etc., because of the quality of their processes.
• 
  
• Attractiveness to investors—Business consultants and small business owners alike agree that ISO-9000 certification can be a potent tool in securing funding from venture capital firms.

ISO/IEC 17025

ISO/IEC 17025, released in 1999, contains all the requirements that testing and calibration laboratories must meet to demonstrate that they operate quality management systems (QMS), are technically competent and can generate technically valid results. All ISO 9000 requirements that are relevant to the scope of testing and calibration laboratory QMS have been incorporated into ISO/IEC 17025, along with technical competency requirements.
ISO/IEC 17025 covers such matters as quality system; personnel; document control; review of requests, tenders and contracts; subcontracting of tests and calibrations; purchasing services and supplies; services to the client; control of records; internal audits; accommodation and environmental conditions; test and calibration methods and method validation; equipment; measurement traceability; sampling; handling of test and calibration items; and reporting the results.
ISO/IEC 17025 accreditation is a more thorough process than ISO 9000 registration because it recognizes a laboratory’s competence to produce technically valid results as well as its QMS conformance. When a laboratory is part of a larger facility, ISO/IEC 17025 accreditation can occur at the same time as ISO 9000, QS-9000 or ISO/TS 16949 registration if the auditor is working for both an accreditation body and a registrar.

ISO/IEC 15408

ISO/IEC 15408, released in 1999, is the first international information technology security evaluation criteria standard, defining Common Criteria (CC) used to evaluate security properties of information technology (IT) products and systems, such as operating systems, computer networks, distributed systems, applications and other hardware, firmware and software.
These requirements apply to both security functions of IT products and systems, and assurance measures used during security evaluation and validation. The CC can also be used as a guide by IT consumers, developers and evaluators in developing or procuring products or systems with IT security functions.
During a security evaluation or validation, an IT product or system is known as a Target of Evaluation (TOE). A set of security requirements and specifications used to evaluate or validate a TOE is a developer Security Target (ST). An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs is a user Protection Profile (PP). Evaluation and validation is an assessment of a PP, ST or TOE against CC security requirements.
The ISO/IEC 15408 CC is implemented in the U.S. by the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), which sets standards; monitors the quality of evaluations; and assures that the Common Evaluation Methodology (CEM), which addresses evaluation methodology and procedures, is used consistently across government-accredited, product testing and evaluation facilities.
Information technology security evaluations are conducted by Common Criteria Testing Laboratories (CCTLs), commercial testing laboratories accredited by National Voluntary Laboratory Accreditation Program (NVLAP), approved by the NIAP Validation Body and placed on the NIAP Approved Laboratories List.

Background.

ISO 9000 was first published in 1987. It was based on the BS 5750 series of standards from BSIthat were proposed to ISO in 1979. However, its history can be traced back some twenty years before that, to the publication of the United States Department of Defense MIL-Q-9858 standard in 1959. MIL-Q-9858 was revised into the NATO AQAP series of standards in 1969, which in turn were revised into the BS 5179 series of guidance standards published in 1974, and finally revised into the BS 5750 series of requirements standards in 1979 before being submitted to ISO.

BSI has been certifying organizations for their quality management systems since 1978. Its first certification (FM 00001) is still extant and held by Tarmac Limited, a successor to the original company which held this certificate. Today BSI claims to certify organizations at nearly 70,000 sites globally.The development of the ISO 9000 series is shown in the diagram to the right.

CRITICISM OF ISO 9000

A common criticism of ISO 9000 and 9001 is the amount of money, time, and paperwork required for registration. Dalgleish cites the "inordinate and often unnecessary paperwork burden" of ISO, and says that "quality managers feel that ISO's overhead and paperwork are excessive and extremely inefficient."

According to Barnes, "Opponents claim that it is only for documentation. Proponents believe that if a company has documented its quality systems, then most of the paperwork has already been completed." Wilson suggests that ISO standards "... elevate inspection of the correct procedures over broader aspects of quality," and therefore, "the workplace becomes oppressive and quality is not improved."

According to John Seddon, ISO 9001 promotes specification, control, and procedures rather than understanding and improvement. Wade argues that ISO 9000 is effective as a guideline, but that promoting it as a standard "helps to mislead companies into thinking that certification means better quality, ... [undermining] the need for an organization to set its own quality standards." Paraphrased, Wade's argument is that reliance on the specifications of ISO 9001 does not guarantee a successful quality system.

The standard is seen as especially prone to failure when a company is interested in certification before quality.Certifications are in fact often based on customer contractual requirements rather than a desire to actually improve quality. "If you just want the certificate on the wall, chances are you will create a paper system that doesn't have much to do with the way you actually run your business," said ISO's Roger Frost.Certification by an independent auditor is often seen as the problem area, and according to Barnes, "has become a vehicle to increase consulting services." 

Dalglesh argues that while "quality has a positive effect on return on investment, market share, sales growth, better sales margins and competitive advantage," that "taking a quality approach is unrelated to ISO 9000 registration."In fact, ISO itself advises that ISO 9001 can be implemented without certification, simply for the quality benefits that can be achieved.

Abrahamson argues that fashionable management discourse such as Quality Circles tends to follow a life cycle in the form of a bell curve, possibly indicating a management fad.