Leadership & policy · June 8, 2026 · 14 min read

The quality policy: what it really is, what ISO 9001 demands, and how to write one that works

A practical guide to the quality policy under ISO 9001 — its purpose, the exact clause 5.2 requirements, the essential components, common mistakes, and real anonymised examples from manufacturing, services, and healthcare.

Almost every certified organisation has one. Most are framed on a wall in reception, signed by the CEO, and quietly ignored by the people who actually do the work. The quality policy is one of the most under-used, under-appreciated artefacts in a QMS — and one of the easiest to get wrong in a way that auditors notice and employees feel.

This guide unpacks what a quality policy actually is, what ISO 9001 requires from it, the components every good policy contains, the mistakes that show up again and again, and three real (anonymised) examples that illustrate what 'good' looks like for very different organisations.

What a quality policy actually is

A quality policy is top management's public, written commitment to quality. It is the answer to the question: 'If we had to tell every employee, customer, supplier and regulator in three short paragraphs what quality means in this organisation and what we will do about it — what would we say?'

It is not the quality manual. It is not the quality objectives. It is not a procedure. It sits above all of those: a short, durable statement of intent from which everything else in the QMS should be traceable. A good policy is the constitution of the management system. A bad one is wallpaper.

The ISO 9001 context: what clause 5.2 actually requires

ISO 9001:2015 places the quality policy squarely in the leadership section. Clause 5.2 is split into two parts — 5.2.1 establishing the policy, and 5.2.2 communicating it — and the expected 2026 revision keeps the same structure with minor language updates.

Clause 5.2.1 — Establishing the quality policy

Top management must establish, implement and maintain a quality policy that:

  • is appropriate to the purpose and context of the organisation, and supports its strategic direction;
  • provides a framework for setting quality objectives;
  • includes a commitment to satisfy applicable requirements (customer, statutory and regulatory);
  • includes a commitment to continual improvement of the quality management system.

Clause 5.2.2 — Communicating the quality policy

The policy must:

  • be available and maintained as documented information;
  • be communicated, understood and applied within the organisation;
  • be available to relevant interested parties, as appropriate.

Two words in 5.2.2 deserve attention: 'understood' and 'applied'. An auditor is entitled to walk onto your shop floor, ask a production operator what the quality policy means for their job, and write a nonconformity if the answer is a blank stare. 'Available' is the easy part. 'Understood and applied' is where most policies fail.

The five essential components of a good quality policy

A policy that satisfies the standard, survives a thoughtful audit, and actually influences behaviour usually contains five things.

1. A statement of purpose and context

One or two sentences that anchor the policy in what the organisation actually does. A medical device manufacturer's policy should sound different from a logistics provider's. Generic policies that could be pasted into any company's letterhead are the single most common failure mode.

2. Commitments required by the standard

Explicit commitments to: meeting customer requirements, meeting applicable statutory and regulatory requirements, and continual improvement of the QMS. These three commitments are not optional — they are the minimum content the standard requires.

3. Organisation-specific commitments

What this organisation, in particular, cares about. Safety. On-time delivery. Patient outcomes. Sustainability. Supplier partnerships. Employee competence. These are the commitments that distinguish your policy from a template downloaded off the internet.

4. A framework for objectives

The policy should make it obvious how quality objectives flow from it. If your policy commits to 'delivering products that consistently meet customer requirements,' your objectives should include measurable targets for customer complaints, on-time-in-full delivery, or first-pass yield. An auditor will trace this linkage.

5. Top management endorsement

The policy must be issued under the authority of top management — typically signed and dated by the CEO, managing director, or equivalent. The signature is symbolic but it matters: it is the visible evidence that leadership owns the policy.

Three real examples (anonymised)

The following examples are adapted from real quality policies of certified organisations — names removed, sector and structure preserved. They illustrate how the same five components flex across very different contexts.

Example 1 — Precision engineering SME (≈ 180 employees)

[Company] designs and manufactures precision-machined components for the aerospace, defence and medical device sectors. Our customers trust us with parts whose failure is not an option. We are committed to: delivering products that meet every customer specification, drawing requirement and applicable regulatory requirement, including AS9100 and ISO 13485 where contractually invoked; protecting product integrity through disciplined process control, traceability and first-piece inspection; investing in our people, our measurement capability and our process technology to drive continual improvement of our quality management system; and treating every nonconformity as an opportunity to strengthen the system rather than to assign blame. This policy provides the framework within which our annual quality objectives are set and reviewed by the leadership team. Signed, [Managing Director], [Date].

Why it works: anchored in the actual products and customers, names the specific regulatory frameworks that apply, makes the cultural commitment about nonconformities explicit, and ties cleanly to annual objectives.

Example 2 — IT managed services provider (≈ 60 employees)

[Company] provides managed IT, cloud and cyber-security services to small and mid-sized organisations across the UK. Quality, for us, means our clients can rely on the systems we manage — every hour, every day. We commit to: meeting the service levels we agree with each client, and the statutory and regulatory requirements that apply to the services we deliver, including data protection and information security obligations; responding to incidents with urgency, transparency and a structured root-cause approach; continually improving our management system through measurable objectives, internal audit, client feedback and lessons learned from every incident; and developing the competence and well-being of the engineers who deliver our service. This policy is communicated to every employee at induction and reviewed annually by the senior leadership team. [CEO], [Date].

Why it works: very different from the engineering example, yet hits the same five components. The language ('every hour, every day', 'urgency, transparency') is concrete enough that staff can recognise themselves in it.

Example 3 — NHS-aligned community healthcare provider (≈ 1,200 staff)

[Trust] delivers community-based healthcare services to a population of approximately 450,000 people. Our quality policy reflects our duty to those patients and to the staff who care for them. We are committed to: providing safe, effective and person-centred care that meets the requirements of patients, commissioners, the Care Quality Commission, NHS England and all applicable clinical and regulatory standards; building a culture in which staff are supported to speak up about safety concerns and in which learning from incidents and near-misses is acted upon; using data — patient outcomes, patient experience, staff experience, incident trends — to set measurable quality objectives and to drive continual improvement of our quality management system; and working in partnership with primary care, social care and voluntary sector partners to deliver coordinated care. Approved by the Trust Board, [Date].

Why it works: explicit about the regulators that apply (CQC, NHS England), explicit about the cultural commitment (psychological safety to raise concerns), and explicitly approved by the board rather than a single executive — appropriate for the governance structure of a public-sector body.

Common mistakes that auditors flag

Across thousands of certification and surveillance audits, the same handful of policy weaknesses come up year after year.

  • Generic, template-derived language that could apply to any organisation in any sector — the auditor cannot tell what you actually do.
  • Missing one of the three mandatory commitments (most often: continual improvement of the QMS, which gets reduced to a vague 'we are committed to quality').
  • Policy not signed, not dated, or signed by someone who is not top management.
  • No traceable link between the policy and the current set of quality objectives.
  • Staff on the floor cannot explain, in their own words, what the policy means for their job.
  • Policy not reviewed for years — still referencing ISO 9001:2008 or organisational structures that no longer exist.
  • Policy not made available to interested parties — for example, not on the public website despite a commitment to transparency with customers.
  • Translated versions out of sync with the master English version after a revision.

From policy to practice — how to make it real

The policy is only as valuable as what it changes. A few practices separate organisations whose policy lives from those whose policy hangs on a wall.

  • Cover the policy in induction for every new starter, and have a short discussion — not a slide read-aloud — about what each commitment means in their role.
  • Translate the policy into a one-page 'what this means for me' summary for each functional area (production, customer service, engineering, etc.).
  • Review the policy at every management review, even if no changes are needed — and record the conclusion.
  • Cross-reference the policy explicitly in your quality objectives document, so the line of sight from policy to objective to KPI is unbroken.
  • Publish the policy on the public website if you commit to transparency or stakeholder communication; if you don't, do not claim you do.
  • Re-sign and re-date the policy after every change of top management or every major strategic change — not as a formality, but as a re-commitment.

What's expected to change in ISO 9001:2026

Clause 5.2 is not where the major changes of the 2026 revision are concentrated. The structural commitments — appropriateness to purpose and context, framework for objectives, satisfaction of applicable requirements, continual improvement — remain. Two adjustments are visible in the FDIS:

  • Sharper language around organisational culture and ethical conduct, picked up from the broader 2026 Harmonized Structure update — many organisations will choose to reflect this in their policy.
  • Climate change as a contextual issue (already added by amendment in 2024) flows naturally into the policy's 'purpose and context' opening for organisations whose activities have material climate implications.

Neither change forces a rewrite. Both are an invitation to revisit a policy that may have been drafted in 2016 and not seriously looked at since.

A short test for your current policy

Print your quality policy. Then answer, honestly:

  • Could it be a competitor's policy with the logo swapped? If yes, it is too generic.
  • Are the three mandatory commitments (customer requirements, applicable statutory/regulatory requirements, continual improvement of the QMS) all clearly present?
  • Can you draw a straight line from each commitment to at least one current quality objective?
  • If you stopped an operator, a sales person and a finance clerk in the corridor, could each give you a one-sentence answer about what the policy means for their work?
  • Is it signed by current top management, with a date in the last three years?
  • Is the version on your website (if any) the same version as the controlled internal copy?

A policy that passes this test is doing its job — and will sail through any clause 5.2 audit conversation. A policy that fails most of these questions is not a policy. It is a poster.

The quality policy is the only document in the QMS that everyone in the organisation is supposed to know. If they don't, the document isn't the problem — the way it was rolled out is.