Customer focus

ISO 9001:2015 Clause 5.1.2 requires top management to prove “customer focus” by making sure customer requirements and applicable legal/regulatory requirements are identified, understood, and consistently met [1]. To operationalize it, you need a closed-loop system that translates requirements into controlled processes, measures performance, and drives corrective action when commitments are missed.

Key takeaways:

  • Treat customer focus as an executive-owned control: requirements in, conforming outputs out, evidence retained.
  • Maintain a single, governed “source of truth” for customer, statutory, and regulatory requirements tied to QMS processes.
  • Prove consistency with metrics, internal audits, complaint handling, and CAPA records that show leadership oversight.

“Customer focus requirement” in ISO 9001 is not a slogan. Clause 5.1.2 is a leadership requirement that auditors test by asking one question: can your top management show, with evidence, that customer requirements and applicable statutory/regulatory requirements are systematically determined, understood across the organization, and met consistently [1]?

For a Compliance Officer, CCO, or GRC lead, this clause maps cleanly to operational governance: capture obligations, assign ownership, embed them in procedures, monitor outcomes, and fix breakdowns. The trap is treating it as “Customer Satisfaction Survey Day.” Auditors want traceability from what the customer (and the law) requires, to what operations do, to how you verify performance and react when something fails.

This page gives requirement-level implementation guidance you can put into your management system immediately: scope, roles, step-by-step workflow, artifacts to retain, audit questions, common pitfalls, and a practical execution plan. The focus stays on execution: what evidence will satisfy a certification audit and what operational habits prevent customer commitments from drifting.

Regulatory text

ISO 9001:2015 Clause 5.1.2 (Customer focus) states: “Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that customer and applicable statutory and regulatory requirements are determined, understood and consistently met.” [1]

What the operator must do

You must be able to show that top management:

  1. Ensures requirements are determined (you have a method to identify customer requirements and applicable statutory/regulatory obligations).
  2. Ensures requirements are understood (the right teams can explain what they are and how they affect daily work).
  3. Ensures requirements are consistently met (performance is monitored, nonconformities are addressed, and leadership intervenes when needed).

This is not limited to Sales or Customer Success. Clause 5.1.2 expects leadership to run a management system that prevents missed commitments, including legal/regulatory obligations tied to the product/service and its delivery.

Plain-English interpretation (what “customer focus” means in practice)

Customer focus means you run the business so customer commitments don’t depend on memory, heroics, or individual judgment calls. You translate customer requirements (contract terms, statements of work, SLAs, acceptance criteria, change requests) and applicable legal/regulatory requirements into controlled operational expectations, then verify you deliver to them repeatedly.

Auditors typically treat this as a “show me” clause:

  • Show me how you capture customer requirements before accepting work.
  • Show me how those requirements flow into design, production/service delivery, and quality checks.
  • Show me how top management reviews performance and takes action when performance slips.

Who it applies to (entity and operational context)

Applies to: Any organization operating an ISO 9001:2015 Quality Management System, regardless of industry or size [1].

Operational contexts where it gets tested hardest:

  • Contract-driven delivery: bespoke services, implementation projects, manufacturing to spec, regulated deliverables.
  • High-change environments: frequent scope changes, customer-specific configurations, multi-tenant product with enterprise add-ons.
  • Complex third-party supply chains: subcontractors, contract manufacturers, cloud/service providers that affect delivery commitments.
  • Heavily regulated products/services: where statutory/regulatory requirements are inseparable from customer requirements.

Accountable function: Top management is accountable; day-to-day ownership usually sits with Quality, Compliance/GRC, and Operational leaders. If your org has a CCO/GRC lead, you often become the “requirements system” owner and evidence steward.

What you actually need to do (step-by-step)

Use the workflow below as your operating model. It is designed to produce audit-ready traceability.

1) Define requirement sources and a single intake path

Create a controlled list of requirement inputs:

  • Customer contracts/MSAs/SOWs and amendments
  • SLAs, order forms, proposals that become binding
  • Product/service specifications and acceptance criteria
  • Complaints and feedback that imply requirements
  • Applicable statutory/regulatory obligations tied to the offering and jurisdictions

Control: A documented intake and review process that prevents “side agreements” from bypassing review.

2) Determine requirements before committing

Implement a pre-acceptance review:

  • Confirm customer requirements are complete, unambiguous, and achievable.
  • Identify statutory/regulatory obligations that attach to the scope.
  • Flag delivery dependencies (including third parties) that affect your ability to meet requirements.
  • Record decisions: accept, reject, or accept with conditions (e.g., revised scope, timeline, or responsibilities).

Evidence goal: You can show how leadership ensures requirements are determined, not discovered late.

3) Translate requirements into controlled internal requirements

Convert external commitments into internal controls:

  • Map contract/SLA requirements to process steps, checkpoints, and responsible roles.
  • Add them to documented procedures, work instructions, quality plans, or project plans.
  • Ensure design and change control incorporate customer requirements and legal/regulatory requirements.

Practical tip: Build a “requirements-to-process mapping” table for each major service line or product family. Auditors love it because it reduces handwaving.

4) Ensure understanding through role-based communication

“Understood” must be demonstrated, not assumed:

  • Train affected teams on the requirements that matter to their work.
  • Provide quick-reference artifacts (runbooks, checklists, acceptance test scripts).
  • Put requirements into tooling where work happens (ticket templates, QA gates, release criteria, project stage gates).

Leadership action: Top management sets expectations that work does not proceed without requirement clarity.

5) Monitor consistent conformance (operational verification)

Define how you verify requirements are met:

  • In-process checks (inspection, peer review, QA testing, service validation)
  • Final acceptance checks tied to customer acceptance criteria
  • SLA monitoring and incident/problem management where relevant
  • Complaint handling and root cause analysis when outcomes miss commitments

Key point: “Consistently met” is proven through objective monitoring plus corrective action, not through assurances.

6) Manage changes so you don’t drift out of compliance

Customer focus fails most often during change:

  • Require written change requests for scope, deliverables, timelines, and acceptance criteria.
  • Re-run statutory/regulatory impact analysis when scope changes.
  • Update internal mappings, procedures, and controls.

7) Put top management review on the record

Top management must be visibly engaged:

  • Review customer satisfaction signals, complaints, nonconformities, and on-time/on-spec delivery performance.
  • Assign actions, owners, and due dates.
  • Escalate systemic issues (capacity constraints, third-party failure patterns, recurring defects).

Artifact principle: In an audit, if it’s not recorded, it didn’t happen.

Required evidence and artifacts to retain

Retain artifacts that prove “determined, understood, consistently met”:

Requirements determination

  • Contract/SOW review checklist and approvals
  • Regulatory applicability assessment records (where relevant)
  • Requirements register (customer + statutory/regulatory) with owners and applicability notes
  • Records of feasibility review and acceptance decisions

Requirements understanding

  • Training records and role-based acknowledgments
  • Controlled procedures/work instructions reflecting requirements
  • Internal communications or briefs for major customer commitments

Consistent conformance

  • QA/inspection/test records tied to acceptance criteria
  • Service delivery checklists and completion evidence
  • Customer acceptance/sign-off records (where applicable)
  • Complaint handling logs, investigations, and CAPA records
  • Management review minutes showing customer-related inputs and actions

Change control

  • Change request forms and approvals
  • Updated requirement mappings after changes
  • Post-change verification evidence

Common exam/audit questions and hangups

Expect auditors to probe these areas:

  1. “Show me how you know what the customer requires.”
    Hangup: requirements scattered across emails, decks, and tickets, with no controlled summary.

  2. “How do you ensure statutory/regulatory requirements are identified for each offering/jurisdiction?”
    Hangup: teams rely on tribal knowledge; no repeatable assessment.

  3. “Pick one customer and trace a requirement through delivery.”
    Hangup: no linkage from contract clause to operational checkpoint to evidence.

  4. “What does top management do when requirements are missed?”
    Hangup: escalation exists informally but not in management review records.

  5. “How do you control changes?”
    Hangup: sales concessions and delivery changes bypass governance.

Frequent implementation mistakes (and how to avoid them)

| Mistake | Why it fails audits | Fix |
|---|---|---|
| Treating customer focus as a satisfaction survey program | Clause 5.1.2 is about meeting requirements consistently | Tie customer feedback to corrective actions and requirement updates |
| Requirements stored only in contracts | Delivery teams can’t act on static legal text | Convert to internal requirements and embed in procedures and checklists |
| No statutory/regulatory intake method | “Applicable requirements” are required by the clause | Add a documented applicability assessment step at intake and change |
| Top management “supports” but doesn’t review evidence | Clause requires leadership demonstration | Put customer metrics, complaints, and CAPA into management review minutes |
| Weak change control | Drift breaks consistency | Require controlled change requests and re-verification |

Enforcement context and risk implications

ISO 9001 is a certifiable standard, not a regulator, so “enforcement” typically shows up as audit nonconformities, surveillance audit findings, or certification risk when you cannot prove consistent requirement conformance [1]. Operationally, weak customer focus increases the likelihood of:

  • Contract breaches and disputes
  • Recurring defects and rework
  • Customer churn driven by missed commitments
  • Regulatory exposure where legal obligations attach to delivery

A practical 30/60/90-day execution plan

No fixed timeline is required by ISO 9001; use this as a pragmatic rollout pattern aligned to Clause 5.1.2 expectations [1].

First phase (immediate): establish the backbone

  • Appoint an executive owner and an operational process owner for customer requirements governance.
  • Stand up a requirements register template and define requirement sources.
  • Implement a contract/SOW intake checklist that includes statutory/regulatory applicability prompts.
  • Choose one service line/product to pilot end-to-end traceability.

Second phase (near-term): embed into operations

  • Build requirements-to-process mappings for priority offerings.
  • Add role-based training and quick-reference checklists in delivery workflows.
  • Define conformance checks (QA gates, acceptance criteria evidence) and store records centrally.
  • Start a recurring leadership review agenda item: complaints, nonconformities, and customer commitments performance.

Third phase (operationalize): prove consistency and close loops

  • Run an internal audit focused on Clause 5.1.2 traceability (sample customers, sample requirements).
  • Formalize change control triggers and re-assessment steps.
  • Tighten CAPA linkage: complaints and misses must feed root cause, corrective actions, and management review.
  • If you use Daydream, centralize third party and customer obligation tracking so contract requirements, delivery controls, and evidence are connected and searchable during audits.

Frequently Asked Questions

Does “customer focus” mean we must measure customer satisfaction?

Clause 5.1.2 requires ensuring requirements are determined, understood, and consistently met [1]. Measuring satisfaction can help demonstrate performance, but auditors will still expect traceability from requirements to delivery evidence.

What counts as “customer requirements” for ISO 9001 audits?

Start with contractual documents (MSA/SOW/SLAs), documented acceptance criteria, and agreed change requests. Auditors typically expect you to show how these requirements are translated into internal controls and verified in delivery [1].

How do we show “top management” is involved without pulling executives into every customer issue?

Put customer-requirement performance, complaints, and systemic misses into management review inputs and record decisions and actions. The evidence should show leadership oversight and escalation paths [1].

We rely on third parties to deliver parts of the service. Does customer focus cover them?

Yes, if third-party performance affects your ability to meet customer and applicable statutory/regulatory requirements. Treat third-party dependencies as delivery risks and include them in intake reviews, monitoring, and corrective actions [1].

What is the minimum documentation set to pass an audit on this clause?

You need objective evidence of requirement determination (intake/review), understanding (procedures/training), and consistent conformance (verification records and CAPA), plus leadership review records. Auditors will accept different formats, but they will not accept missing traceability [1].

How do we handle “understood” across teams without excessive training overhead?

Use role-based micro-briefs tied to controlled checklists and workflow templates, then keep acknowledgment records for impacted roles. Pair this with periodic sampling in internal audits to confirm teams can explain how requirements affect their work [1].

Footnotes

  1. ISO 9001:2015 Quality management systems — Requirements
