Resources — People

ISO 9001 Clause 7.1.2 requires you to identify the people needed to run and control your processes and to implement the QMS, then ensure those people are actually provided (headcount, roles, coverage, and availability). Operationalize it by mapping each process to required roles, setting staffing and competency criteria, and keeping objective evidence that resourcing is planned, assigned, and maintained. 1

Key takeaways:

  • You must define “who is needed” per process and for the QMS, not just keep an org chart. 1
  • Auditors look for objective evidence of coverage, responsibilities, and sustained capacity for controlled processes. 1
  • Make resourcing traceable: process map → role requirements → assignments → gaps → actions → monitoring. 1

Clause 7.1.2 is a resourcing control. It forces a simple discipline: if a process must be controlled, someone must be accountable and available to operate it, monitor it, and maintain the QMS mechanisms around it. The trap is treating this as an HR exercise (“we have employees”) rather than a process control requirement (“each controlled process has defined human coverage, with clear responsibilities and capacity planning”).

For a Compliance Officer, CCO, or GRC lead supporting an ISO 9001 program, the fastest path is to translate “determine and provide persons necessary” into a staffing model tied to your process architecture. You need a defensible method to decide what roles are required, where coverage is critical (single points of failure), and how you confirm staffing remains adequate as volume, complexity, and change increase. 1

This page gives requirement-level implementation guidance you can execute quickly: who owns what, how to document “necessary persons” without over-documenting, what evidence auditors expect, and how to avoid common findings such as undefined responsibilities, informal coverage, or resource decisions that are disconnected from process performance. 1

Regulatory text

ISO 9001:2015 Clause 7.1.2: “The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.” 1

What an operator must do:
You must (1) decide what human roles/capacity are required to implement and maintain the QMS and to run/monitor/control each process, and (2) ensure those people are assigned and available in practice. Evidence must show the determination method and the resulting provision (assignments, coverage, and ongoing maintenance), not just an intent statement. 1

Plain-English interpretation (what this requirement really means)

  • “Determine” means you have a reasoned basis for defining needed roles and coverage. It can be simple, but it must be explainable and repeatable. 1
  • “Provide” means you actually staff it: named role-holders, backups where needed, and time allocation sufficient to perform required controls (reviews, approvals, inspections, training, CAPA, internal audits, management review inputs). 1
  • “Operation and control of processes” means the people side of process control is planned, not accidental. If a process requires verification, segregation of duties, or defined approvals, your resourcing must support that design. 1

Who it applies to (entity and operational context)

Applies to: any organization implementing or certified to ISO 9001. 1

Operational contexts where it is commonly tested:

  • Rapid growth or restructuring where responsibilities drift and controls fall between teams. 1
  • Reliance on key individuals (“only one person knows how to do X”), creating control gaps during absence or turnover. 1
  • High-change environments (new products, new sites, new software) where QMS tasks are added without adjusting ownership or capacity. 1
  • Processes dependent on third parties (contract manufacturing, outsourced calibration, outsourced service delivery) where you still need internal role coverage to manage and control the process interface. 1

What you actually need to do (step-by-step)

1) Define your process inventory and control points

Create or confirm a list of QMS processes and operational processes that require control (for example: order-to-cash, design changes, purchasing, production/service delivery, nonconformance, CAPA, internal audit, document control). Tie each process to its control activities (approvals, reviews, verifications, monitoring). 1

Artifact to produce: Process inventory with owners and key control points.

2) Translate each process into “required roles” (not names)

For each process, document:

  • Process Owner (accountable for performance and control)
  • Operators/Performers (do the work)
  • Control roles (approvers, reviewers, inspectors, QA, internal auditors)
  • Escalation/decision roles (management review inputs, risk acceptance)
  • Backup coverage where absence would stop control activities or create unmanaged risk (define when a backup is required, not necessarily for every role). 1

Keep it role-based first. Names come next.

Artifact to produce: Role-to-process matrix (a RACI-style table is acceptable if it is actually used).

3) Set resourcing criteria: how you decide what’s “necessary”

Auditors will ask: “How did you determine this is enough people?” Define a practical method, such as:

  • Volume drivers (transactions, production lots, projects, service tickets)
  • Complexity drivers (regulatory requirements, product criticality, customization)
  • Control intensity (inspection/verification frequency, review cycles, segregation needs)
  • Change load (engineering changes, supplier changes, software releases)
  • Risk (where errors create customer impact or nonconformities) 1

You do not need a perfect model. You need a consistent one that produces decisions you can defend.

Artifact to produce: Documented resourcing rationale (could be a standard work instruction plus notes in planning documents).

4) Assign named individuals and confirm time/availability

Convert roles into named assignments:

  • Publish process ownership and control responsibilities in controlled documentation (QMS roles/responsibilities, process procedures, or an integrated governance document). 1
  • Confirm the assigned individuals have sufficient availability to perform required controls (for example, internal audits scheduled with assigned auditors; document review queues have owners). 1
  • For critical control roles, define backup assignments and handoff procedures (what must be covered during absence). 1

Practical tip: Avoid “shared mailbox ownership” as your only coverage mechanism. It rarely proves accountability during an audit.

5) Identify gaps and create a resourcing action plan

Run a gap check:

  • Unassigned processes or controls
  • Single points of failure for critical controls
  • Conflicts (same person both creates and approves where independence is expected by your own process design)
  • Workload bottlenecks causing overdue reviews, inspections, CAPA, training, or supplier monitoring 1

Then create actions: hiring, cross-training, role redesign, automation, or prioritization changes. Track to closure.

Artifact to produce: Resource gap log with actions, owners, and status.

6) Monitor resourcing as an ongoing QMS input

Make resourcing a standing input into:

  • Management review (resource constraints, coverage issues, trends in overdue controls) 1
  • Internal audit planning (audit whether process ownership and control roles are operating as defined) 1
  • Change management (new process or system changes trigger a resourcing review) 1

Tooling note: Daydream can help by turning your process inventory into an auditable control map, linking each process to accountable owners, required evidence, and gap actions so resourcing stays traceable as the org changes.

Required evidence and artifacts to retain

Auditors generally accept many formats, but you need objective evidence that shows determination and provision. Maintain:

  • Process inventory / process map with defined owners 1
  • Role-to-process responsibility matrix (RACI or equivalent) 1
  • Job descriptions or role profiles for QMS-critical roles (internal auditor, document control, CAPA owner, production/service leads) 1
  • Staffing/coverage plan for key processes (including backup coverage decisions) 1
  • Training/competence records that support the resourcing decisions (keep this aligned with your competence process) 1
  • Evidence the system operates: completed approvals, completed internal audits, CAPA cycle evidence, management review inputs, and on-time process control records that demonstrate people were in place to perform them 1
  • Resource gap log and corrective actions when resourcing was inadequate 1

Common exam/audit questions and hangups

Expect questions like:

  • “Show me how you determined the people needed for this process.” Bring the role-to-process map and the method used (volume/complexity/risk). 1
  • “Who is the process owner for X, and how do you know they are accountable?” Point to controlled documentation and interview readiness. 1
  • “What happens when the only trained person is out?” Show backup coverage decisions, cross-training, or interim controls. 1
  • “Your CAPAs/audits/document reviews are overdue; how does resourcing address this?” Auditors read backlogs as a resourcing failure unless you can show prioritization and capacity management. 1

Frequent implementation mistakes (and how to avoid them)

Mistake 1: Treating “resources—people” as an org chart

Fix: Tie people to processes and control points. An org chart does not show coverage for QMS activities. 1

Mistake 2: Undefined process ownership

Fix: Assign a named process owner for each QMS process, publish it, and train owners on their control responsibilities. 1

Mistake 3: No evidence of the “determine” step

Fix: Write down the decision method. A one-page resourcing rationale is enough if it is consistently applied. 1

Mistake 4: Overreliance on heroic effort

Fix: If controls only work because someone works nights/weekends, treat it as a nonconformity risk. Capture it as a resource gap and address root cause. 1

Mistake 5: Outsourcing without internal control coverage

Fix: Even with third parties, you still need internal roles responsible for selection, monitoring, acceptance, and escalation. Document the interface ownership. 1

Enforcement context and risk implications

ISO 9001 is a standard, not a regulator, so the “enforcement” mechanism is certification and customer oversight. The practical risk is straightforward: inadequate resourcing shows up as uncontrolled processes (missed inspections, weak change control, overdue CAPA, inconsistent training), which drives nonconformities and can put certification status or customer contracts at risk. Treat Clause 7.1.2 as an early-warning requirement: backlogs and unclear ownership often appear before larger quality failures. 1

Practical 30/60/90-day execution plan

Days 1–30: Establish ownership and coverage visibility

  • Confirm your process inventory and process owners. 1
  • Build a role-to-process matrix that includes QMS controls (audits, document control, CAPA, management review inputs). 1
  • Identify top resourcing risks: single points of failure, unassigned controls, chronic overdue work. 1

Days 31–60: Formalize the determination method and close obvious gaps

  • Document your method for determining “necessary persons” (drivers and decision criteria). 1
  • Assign backups for critical roles and define absence coverage. 1
  • Create and start tracking a resource gap log with actions. 1

Days 61–90: Prove it works and make it durable

  • Run an internal audit slice focused on process ownership and execution of control activities (do interviews and sample records). 1
  • Add resourcing status to management review inputs (constraints, coverage risks, backlog trends, actions). 1
  • Put a trigger into change management: new/changed process requires resourcing review and updated matrix. 1

Frequently Asked Questions

Do we need a formal headcount model to satisfy ISO 9001 Clause 7.1.2?

No. You need a defensible method to determine necessary roles and coverage, plus evidence that people are provided and the QMS operates as designed. Keep it simple and consistent. 1

Can third parties count as “persons necessary” for a process?

Yes, but you still need internal accountability for controlling the process interface (oversight, acceptance, escalation). Document who owns that control and keep evidence of ongoing management. 1

What will an auditor sample to test “provide the persons necessary”?

They commonly interview process owners, review responsibility assignments, and sample records that prove controls were performed (approvals, inspections, audits, CAPA). Backlogs and missed controls often trigger deeper scrutiny. 1

We’re a small company. Can one person hold multiple roles?

Yes, if your process design still achieves operation and control. Where independence is required by your own procedures, address conflicts with compensating controls or alternate approvers. 1

How do we show “determined” without creating paperwork nobody maintains?

Put the determination logic into an owned artifact you already maintain, such as a process map with role requirements and a short resourcing rationale. Update it during change management and management review. 1

What’s the fastest way to find resourcing gaps before the certification audit?

Start from overdue or inconsistent controls (CAPA aging, late document reviews, missed internal audits) and trace backward to ownership and capacity. Those symptoms usually map directly to Clause 7.1.2 weaknesses. 1

Footnotes

  1. ISO 9001:2015 Quality management systems — Requirements
