ISO9001 is changing in 2026! – What’s Changing and Why You Should Care (Part 2)

In our previous article, we unpacked the draft ISO 9001:2026 changes to Clauses 4–7, covering the strengthened expectations around leadership, planning and organisational support. This second article picks up right where that one left off — the natural next question is: what happens when we move into the "Do, Check, Act" end of the cycle?

Here, we're digging into Clauses 8 (Operation), 9 (Performance Evaluation) and 10 (Improvement). These are the clauses that keep your QMS alive day-to-day, and while the updates may be lighter than expected, they introduce some important clarifications around communication, change management and data-driven improvement.

Spoiler alert: while there's no massive overhaul, there are some important refinements you'll want on your radar.

If you haven't checked out the first part of this 2 part review of the proposed changes to ISOS9001 then here's the link you need to check out cluses 4-7 updates. 

Clause 8 – Operation

Clause 8 has always been the heavy hitter of ISO 9001 — it's the "Do" in the ol' PDCA cycle. So you might expect big changes here in the 2026 draft… but surprisingly, there aren't many. Honestly, we expected a bit more action. Instead, most of the updates come in the form of clarified notes.

A quick reminder: notes are not requirements.
If you don't follow a note, your auditor can't write you up for it. But notes do add important context around the things that are requirements — so they're absolutely worth paying attention to.

(Also: if it starts with NOTE: it's a note. If it doesn't… it's a requirement. No grey areas there!)

• Clause 8.1 – Operational Planning and Control -  There's a small wording tweak here, but it has a pretty meaningful impact. 2015 version: "The organisation shall ensure that outsourced processes are controlled."  The 2026 version now says: "The organisation shall ensure that externally provided processes, products or services that are relevant to the quality management system are controlled." This closes a long-standing loophole. It's no longer just outsourced processes — it now clearly includes products and services too. So if another organisation manufactures your entire product, guess what? That's in scope now. Another key phrase: "…that are relevant to the quality management system."  If you've excluded parts of your organisation from certification, anything that happens in those excluded areas isn't considered relevant. Otherwise, your QMS = your business system. They should never have been separate anyway.
• 8.2.1 – Customer Communication - Previously, the requirement around communication during disruptions was vague and left to interpretation. It said organisations should establish "specific requirements for contingency actions, when relevant." Now it reads:
  "…information related to contingency actions, including where relevant to any disruptions in the products or services provided." In other words, it's tightening up the intent — and keeping everyone honest. If something goes bump in the night, your customers shouldn't learn about it by surprise in a newspaper, social media or the 6pm News!
• 8.2.4 – Changes to Requirements for Products and Services - The wording has shifted a little, but the real takeaway is this:  It's no longer acceptable to simply update documentation. You must communicate those updates to all relevant interested parties — internal and external. This means your management of change process matters more than ever. And it highlights the need to properly understand who your interested parties actually are (check out clause 4 for this).
• 8.4.3 – Information for External Providers - This clause has also been expanded to ensure better alignment in your supply chain ecosystem. It used to say you must communicate requirements for:  "the external providers' interactions with the organization." Now it says: "…interactions with the organisation and, where applicable, its customers and other relevant interested parties." So you can't just say, "Well, I told my supplier." You now need to think about who else might need that information — customers, regulators, partners, etc. Again, a perfect match with the strengthened change-management requirements. 

Clause 9 – Performance Evaluation

Clause 9 is all about checking whether your system actually works, it's sadly an area of most companies QMS that gets little love, when it's genuinely one of the most critical parts of your system. It's the "C" in PDCA, and while the updates are minimal, a few are worth noting.

• 9.1.2 – Customer Satisfaction - The old wording focused on monitoring customers' perceptions and whether their needs and expectations were met.  The 2026 version simplifies this dramatically: "The organisation shall monitor the customers' satisfaction." Is this a huge change? Not really — but it is more direct. This feels like ISO saying: Stop guessing. Stop assuming no complaints = happy customers. Just find out whether they're actually satisfied. It's still not saying go off and do surveys (we really hate customer satisfaction surveys), there are many ways you can get actual data on customer satisfaction,  find one that works for you and then really do it and more importantly, look at what the data tells you!
• 9.2.2 – Internal Audit Programme -  This one is a subtle but important improvement. Before it said: "Define the audit criteria and scope for each audit." Now it says: "Define the audit objectives, criteria and scope for each audit." Objectives matter. They force you to ask: Why are we doing this audit? What do we want to learn?  What confidence do we want to gain? This pull-through from ISO 19011 encourages smarter, value-driven audits — not box-ticking exercises. This feels like a small change but we expect the outcomes of it to be really beneficial for organisations and those tasked with the internal audits.
• 9.3 – Management Review - There's a bit of reordering (not necessarily more logical…), and one new requirement: You must now review:
  "…changes in the needs and expectations of interested parties relevant to the QMS." This aligns perfectly with the updated focus on interested parties across the standard. If ISO wants you to check something, they put it in Clause 9 — and here it is.  It makes sense to get you to check that nothing has changed with your interested parties rather just assume that it's all status quo, or worse, never think about it at all. Given that understanding the wants and needs of those interested parties should 100% be part of your company strategic direction and reviews, it's always amazed me that companies don't review them on a regular basis.

Our wrap on Clause 9 changes in the draft - small but incredibly beneficial changes if you do it right and follow through on what ISO is trying to do here, making sure you are checking that your original assumptions are correct and that you understand why you are doing things, seems like a great idea to me.

Clause 10 – Improvement

Clause 10 has had a tidy-up and a slight reshuffle. The general section has been absorbed into Continual Improvement,  Continual Improvement is now 10.1, Nonconformity and Corrective Action is now 10.2 so a lot tighter than it was before, and to be fair we didn't really need that general section anyway.

But the real change?  Continual improvement is now far more data-driven.

The old version talked about "determining and selecting opportunities for improvement" — which left the door wide open for guesswork.

The new version requires you to base improvement decisions on:

• Monitoring
• Measurement
• Analysis
• Evaluation
• Management review results
• Real data, not gut feel

This reinforces ISO's message: Stop improving what you feel like improving. Improve what the evidence tells you matters.

It also adds clarity around the types of actions expected:

a) improving processes, products and services
b) addressing future needs and expectations
c) correcting, preventing or reducing undesired effects

A simple, tidy, logical improvement. 

Wrapping It All Up

Firstly remember this is still just a draft, it's not even the final draft (FDIS), so expect changes as the debates and feedback happen but I think that in reality the final draft that will be voted on to become the actual standard won't vary too far from what we are seeing here. 

That said, DO NOT rush out and change your ISO System just yet!

The ISO 9001:2026 draft isn't a revolution — it's a refinement. What you will notice, though, is a major thematic shift:

• Better change management
• Real consideration of environmental impacts
• Embedding a genuine quality culture
• Clear expectations for ethical behaviour

Why? - Because ISO is drawing a line in the sand.

For too long, some organisations treated ISO 9001 as a checklist for a certificate. With this update, ISO is saying:

"No more. Quality must live in your culture, not your paperwork."

Auditing ethical behaviour and culture will be challenging — no question. But from a business and brand-reputation perspective, it makes perfect sense.

The real question now becomes:
What does ethical behaviour and a quality-driven culture look like for your organisation?

Welcome to ISO's vision for what a genuinely good business looks like.

Welcome to ISO 9001:2026.