Production and service provision

ISO 9001:2015 Clause 8.5 requires you to run production and service provision under controlled conditions, with defined instructions, competent people, suitable equipment, verified outputs, and managed changes. To operationalize it quickly, map your “make/deliver” workflows, set control points, lock down work instructions and acceptance criteria, and retain objective evidence that controls were followed. ¹

Key takeaways:

• Controlled conditions must be designed into daily operations, not added as a quality afterthought. ¹
• Auditors look for objective evidence: instructions, records, approvals, traceability, and change control. ¹
• The fastest path is process mapping → control plan → training/competence → records discipline → change management. ¹

“Production and service provision” is where your quality management system meets reality: the point where your organization actually builds, configures, installs, delivers, or supports what the customer buys. Clause 8.5 is short at the top line, but it expands into an expectation that you control how work is performed, how outputs are accepted, and how changes are introduced so you can produce conforming outcomes consistently. ¹

For a Compliance Officer, CCO, or GRC lead, the practical challenge is speed: you need a way to translate a clause-level requirement into shop-floor steps, service desk routines, engineering release controls, and supplier/third-party handoffs without turning operations into paperwork theater. The core move is to define “controlled conditions” for each production or service workflow: clear work instructions, defined inputs/outputs, defined acceptance criteria, calibrated/fit-for-purpose resources, competent personnel, and records that prove the controls were executed. ¹

This page gives requirement-level implementation guidance you can assign, track, and audit. It is written to help you pass certification audits and, more importantly, prevent quality escapes, rework, customer complaints, and operational surprises caused by unmanaged variation. ¹

Regulatory text

Requirement (excerpt): “The organization shall implement production and service provision under controlled conditions.” ¹

What the operator must do: You must define and run day-to-day production and service activities with controls that ensure outputs meet requirements, and you must be able to prove those controls were applied. “Controlled conditions” is not a single document; it is a set of operational expectations embedded in procedures, work instructions, equipment readiness, personnel competence, verification/acceptance steps, and change control. ¹

Plain-English interpretation

If your organization makes a product or delivers a service, you need repeatable, documented ways of doing the work, plus checkpoints that prevent defects from moving forward. You also need disciplined handling of exceptions: nonconforming outputs don’t ship, and changes don’t go live until they are reviewed and authorized. Records matter because they are your proof that the system worked as designed. ¹

Who this applies to

Entity scope

This applies to any organization operating an ISO 9001:2015 quality management system and performing production or service provision activities. ¹

Operational scope (where auditors will probe)

• Manufacturing: fabrication, assembly, packaging, labeling, testing, rework, and release. ¹
• Services: onboarding, configuration, delivery, installation, maintenance, field service, support desk, professional services, and managed services. ¹
• Software/SaaS as “service provision”: build/release processes, configuration management, deployment approvals, incident response handoffs, and change/release records. ¹
• Third parties in your fulfillment chain: contract manufacturers, logistics providers, subcontracted service teams, cloud/IT providers that materially affect delivery. Clause 8.5 still expects your controls to extend through these operational interfaces. ¹

What you actually need to do (step-by-step)

Step 1: Define your production/service workflows end-to-end

Create a simple process map per major offering (product line or service line). Include:

• Start trigger (order, work request, build plan)
• Key handoffs (engineering → production, sales → delivery, support → engineering)
• Third-party touchpoints
• Decision points (accept/reject, release/hold, escalate) ¹

Practical tip: If you can’t explain the workflow on one page, you likely can’t control it consistently.

Step 2: Identify “controlled conditions” for each workflow

For each process step, document the minimum set of controls that make outcomes repeatable:

• Work instructions / SOPs: what to do, in what order, and what “done” means. ¹
• Acceptance criteria: measurable or observable conditions to accept output (specs, checklists, test results, service completion criteria). ¹
• Resource readiness: tools, systems, calibrated equipment where applicable, approved materials, correct versions of docs/software. ¹
• Competence: trained staff and role qualification requirements for tasks that affect conformity. ¹
• Verification points: inspections, peer reviews, test steps, supervisor sign-off, automated validations, or customer confirmation. ¹

Deliverable: a control plan (or equivalent) that ties each step to controls and required records. ¹

Step 3: Standardize documents and “version truth”

Make it hard to do the wrong thing:

• One authoritative repository for controlled documents (procedures, work instructions, templates). ¹
• Clear versioning and effective dates.
• Removal/archiving rules so obsolete instructions don’t remain in circulation. ¹

If you use Daydream for third-party due diligence and operational compliance workflows, treat work instructions and control plans like other controlled artifacts: assign owners, set review triggers, and require approvals before publishing updates so operations always sees the current version. ¹

Step 4: Build “accept/reject” discipline into the workflow

Auditors look for evidence that nonconforming outputs are detected and controlled before release. Establish:

• Clear criteria for what constitutes a nonconformity at each verification point. ¹
• Authority to stop work or place outputs on hold.
• Defined routing for disposition (rework, repair, scrap, concession, customer notification where applicable). ¹

Step 5: Operationalize change management for production/service provision

Changes are where quality systems fail in practice. Put lightweight but enforceable controls in place:

• Change request intake (what is changing, why, scope).
• Risk/impact review (effect on requirements, tooling, training, validation/testing, third parties). ¹
• Approval before implementation.
• Post-change verification that output still conforms. ¹

Step 6: Make records automatic, not heroic

Define “what gets recorded” per control point and bake it into tools/forms:

• Production travelers, batch records, work orders
• Service tickets with completion checklists and approvals
• Test logs, inspection results, peer review evidence
• Training/competence sign-offs ¹

Step 7: Extend controls to third parties that perform fulfillment activities

Where third parties perform steps that affect conformity, you need:

• Contractual clarity on requirements and acceptance criteria.
• Evidence you communicated the current specifications/instructions.
• Verification of third-party outputs (incoming inspection, service acceptance, periodic reviews). ¹

Required evidence and artifacts to retain

Keep objective evidence that controlled conditions exist and are followed. Common artifacts:

• Process maps and/or SIPOC/workflow diagrams for each offering. ¹
• Approved procedures and work instructions with version control and ownership. ¹
• Control plans, inspection/test plans, or service delivery checklists linked to acceptance criteria. ¹
• Production/service records: work orders, travelers, service tickets, installation reports, test results. ¹
• Equipment readiness evidence where relevant (maintenance logs, calibration status where applicable). ¹
• Training and competence records by role. ¹
• Change control records: request, review, approvals, validation/verification results, implementation notes. ¹
• Third-party requirements communication and acceptance records where third parties affect delivery. ¹

Common exam/audit questions and hangups

Auditors commonly press on “show me” topics:

• “Show me the controlled conditions for this process step. Where are the instructions and acceptance criteria?” ¹
• “How do you ensure staff are competent for this task? Show records.” ¹
• “How do you prevent use of obsolete documents on the floor or in the service team?” ¹
• “Pick a recent change. Show the approval and evidence you verified the output after the change.” ¹
• “Where a third party performs work, how do you control and accept their output?” ¹

Frequent implementation mistakes (and how to avoid them)

1. Work instructions exist but don’t match reality. Fix by walking the process, updating instructions with operators, and retiring old versions aggressively. ¹
2. Acceptance criteria are vague (“check quality”). Replace with concrete checks: measurements, test steps, pass/fail conditions, required approvals. ¹
3. Records are inconsistent across teams or shifts. Standardize forms/templates and make record completion a gating step for release/closure. ¹
4. Change control is bypassed for “small” changes. Define what qualifies as a change, require traceable approvals, and audit exceptions. ¹
5. Third-party output is trusted without verification. Add explicit acceptance steps and keep evidence of what you accepted and why. ¹

Enforcement context and risk implications

ISO 9001 is a certifiable standard, not a regulator in itself, but Clause 8.5 failures translate into business risk quickly: quality escapes, customer complaints, warranty/service costs, missed SLAs, and audit nonconformities that can threaten certification status. From a compliance operations standpoint, the risk is “uncontrolled variation”: work is performed differently across people, sites, or third parties, and you can’t prove conformity after the fact. ¹

Practical 30/60/90-day execution plan

You asked for speed, but specific day counts beyond the labels below are not source-backed. Use these phases as gates and adjust to your operational reality. ¹

First 30 days (stabilize and map)

• Inventory production/service processes that drive customer delivery. ¹
• Map workflows and identify control points and required records. ¹
• Freeze and publish “current best known” work instructions for critical steps; remove obsolete versions. ¹

Next 60 days (standardize controls and records)

• Build control plans with acceptance criteria for each critical step. ¹
• Implement role-based training and capture competence evidence. ¹
• Embed record capture into operational systems (tickets, work orders, checklists) and make it required for release/closure. ¹

Next 90 days (prove it works; close gaps)

• Run internal checks: sample recent jobs and trace evidence end-to-end (instructions used, checks performed, approvals recorded). ¹
• Formalize change control for production/service provision and test it on real changes. ¹
• Review third-party touchpoints and add acceptance verification where evidence is weak. ¹

Frequently Asked Questions

Does Clause 8.5 require documented work instructions for every task?

It requires controlled conditions for production and service provision, and work instructions are a common way to establish control. Focus documentation where lack of consistency would cause nonconforming output or where staff rely on tribal knowledge. ¹

We’re a services organization. What counts as “production”?

Your “production” is the service delivery workflow: onboarding, configuration, execution, support, and closure with acceptance criteria. Treat service tickets, runbooks, and completion checklists as the operational controls and records. ¹

What evidence is most persuasive in an audit?

Traceability from order/request to delivery, with objective records at each control point: current instructions, completed checklists, test/verification results, approvals, and change control where changes occurred. ¹

How do we show “controlled conditions” when third parties do part of the work?

Show that requirements were communicated, that the third party’s output was verified against acceptance criteria, and that nonconforming outcomes are handled consistently. Contracts help, but auditors also want operational records of acceptance. ¹

What’s the fastest way to improve without rewriting everything?

Start with the highest-risk workflow, define acceptance criteria and record requirements, then enforce version control and a simple change approval step. Tight controls on a few critical steps beat broad, unused documentation. ¹

How can a GRC team support operations without becoming the bottleneck?

Own the governance: define minimum control requirements, templates, record retention expectations, and change control rules. Let process owners run the work, and sample evidence periodically to confirm controls are followed. ¹

Footnotes

1. ISO 9001:2015 Quality management systems — Requirements