Control of changes

ISO 9001:2015 Clause 8.5.6 requires you to review and control changes to production or service provision so output continues to conform to requirements, and to retain documented information about what changed, who authorized it, and what actions you took. Operationally, you need a single change-control workflow that evaluates impact, gates approval, and captures evidence end-to-end. 1

Key takeaways:

  • Treat “change control” as a controlled workflow with defined triggers, impact review, approvals, and post-change verification. 1
  • Keep documented information for each change: results of review, authorizing persons, and actions taken. 1
  • Scope includes both production changes and service delivery changes, including those introduced by third parties. 1

“Control of changes” is the ISO 9001 requirement that prevents well-intended improvements from turning into quality escapes. Clause 8.5.6 applies any time you alter how you produce a product or deliver a service, whether that change is permanent (new equipment, revised work instruction) or temporary (alternate material, workaround, staffing substitution). The standard’s expectation is simple: you do not let changes flow straight into operations without a documented review, explicit authorization, and defined actions to preserve conformity. 1

For a Compliance Officer, CCO, or GRC lead, the fastest path is to implement one consistent change-control mechanism that the business can follow without debate: clear triggers, a lightweight risk/quality impact review, a RACI for approvals, and a record that stands up in audits. Your highest-leverage move is to connect change control to the places where work already happens (ticketing, release management, production engineering, service delivery runbooks) and make “evidence capture” automatic. Tools like Daydream can help by standardizing change-intake forms, routing approvals, and producing audit-ready change records without chasing screenshots and email threads.

Regulatory text

ISO 9001:2015 Clause 8.5.6: “The organization shall review and control changes for production or service provision to ensure continuing conformity.” 1

Operator interpretation:
You must (1) identify when a change affects production or service provision, (2) review the change for quality/conformity impact before implementation, (3) control the change through authorization and defined actions, and (4) retain documented information describing the change review results, who authorized it, and what actions you took. 1

Plain-English requirement interpretation (what auditors expect)

Auditors generally look for two things:

  1. A repeatable process: People know what counts as a change, how to submit it, who approves it, and what “done” means (including validation/verification and communication).
  2. Traceable records: For a sample of changes, you can show the review, approval, and post-change checks, with enough detail to demonstrate conformity did not degrade. 1

If you can’t reliably answer “What changed, why, what could it break, who approved it, and how did you verify it worked?” you will struggle with 8.5.6.

Who it applies to (entity and operational context)

Applies to: Any organization operating an ISO 9001 quality management system. 1

Operational scope (typical):

  • Manufacturing/production: process parameters, tooling, equipment, inspection methods, routings, rework/repair methods, change of materials, supplier process changes.
  • Service delivery: support workflows, service scripts, onboarding steps, acceptance criteria, staffing/skills changes, service platform configuration, customer-facing commitments that alter delivery.
  • Third parties: contract manufacturers, logistics providers, outsourced service desks, cloud/service providers involved in delivering the service or producing the product. A third party can introduce a “production or service provision” change; you still need control in your QMS. 1

What you actually need to do (step-by-step)

1) Define “change” with practical triggers

Write a short definition and a trigger list that front-line teams can use. Include:

  • Changes to documented procedures/work instructions
  • Changes to equipment, tooling, software configurations used in service provision
  • Changes to materials, suppliers, or supplier processes that affect your output
  • Temporary deviations, concessions, or workarounds that alter the normal method of production/service 1

Tip: If people argue whether something is a “change,” your definition is too abstract. Add examples from your environment.

2) Establish a single intake and classification workflow

Create a standard change request record (form or ticket) with:

  • Description and reason for change
  • Affected product/service, sites, lines, customers, or contracts
  • Change type (permanent/temporary, planned/emergency)
  • Proposed implementation date and rollback/contingency approach
  • Required reviewers (quality, engineering/operations, service owner, third-party manager as applicable) 1

Daydream fit: Use Daydream to standardize the intake template, enforce required fields, and route approvals based on change category and impacted scope.

3) Perform an impact review focused on “continuing conformity”

Your review should explicitly consider:

  • Whether requirements (specs, SLAs, acceptance criteria, regulatory/customer requirements) are still met
  • Risks to process capability and inspection/verification coverage
  • Training and competency impacts
  • Documentation updates needed (procedures, runbooks, checklists)
  • Third-party dependencies and whether the third party must approve/implement corresponding controls 1

Keep the review practical: a short checklist plus free-text rationale is often better than an overengineered scoring model.

4) Gate the change with clear authorization

Define approval roles by change risk:

  • Low-impact changes: process owner + quality sign-off
  • Higher-impact changes: add operations leadership, customer owner, or MRB/CAB equivalent
  • Emergency changes: allow expedited approval but require after-the-fact review and documented stabilization actions 1

Your control must show who authorized the change. Names, titles/roles, and date/time are the evidence auditors sample. 1

5) Execute with controlled implementation actions

For each approved change, define actions such as:

  • Update controlled documents (work instructions, checklists, service scripts)
  • Train affected staff (or brief and document competency where training is informal)
  • Update inspection plans or service QA checks
  • Communicate to impacted teams and third parties
  • Implement pilot/limited rollout where appropriate 1

6) Verify effectiveness after implementation

You need proof that conformity continued. Choose verification appropriate to the change:

  • First-article/first-run checks
  • Increased sampling or targeted inspections for a defined period
  • Service quality monitoring, call reviews, defect trend checks
  • Customer acceptance where contractually required 1

Record results and any corrective actions taken.

7) Close the loop with documentation and learnings

Close the change record only when:

  • Verification evidence is attached/linked
  • Deviations, issues, or rework are documented with disposition
  • Permanent documents are revised and released through document control
  • Temporary changes have an expiry date and a reversion plan 1

Required evidence and artifacts to retain

Auditors will sample change records. Maintain documented information that covers:

  • Change request record: description, rationale, scope, impacted outputs
  • Review results: risk/impact discussion, required mitigations 1
  • Authorization: approving individuals, roles, dates 1
  • Actions taken: training/communications, document updates, inspection updates, third-party coordination 1
  • Post-change verification: test results, QA checks, monitoring outcomes, acceptance sign-off where applicable
  • Rollback/contingency evidence: if invoked, what happened and why

Practical evidence rule: Avoid “approval in email.” If you must use email, capture it into the change record so the approval is not lost.

Common exam/audit questions and hangups

Auditors commonly probe:

  • “Show me how you decide what counts as a controlled change.”
  • “Give me three recent changes and walk me from request to verification.”
  • “Who can approve an emergency change, and how do you prevent bypassing the process?” 1
  • “How do you control changes made by third parties that affect your delivered service or product?”
  • “Where is the documented information showing results, authorizing persons, and actions taken?” 1

Hangups that create findings:

  • Review exists, but authorization is unclear (no named approver, only a team alias).
  • Approvals exist, but verification is missing (change closed without evidence of continued conformity).
  • Manufacturing controls exist, but service provision changes are unmanaged (common in software-enabled services and shared services).

Frequent implementation mistakes (and how to avoid them)

  1. Treating document control as change control
    Updating a work instruction without a change review of operational impact fails 8.5.6 in practice. Tie document updates to a change request when the update affects production/service provision. 1

  2. No path for emergency changes
    People bypass controls under pressure. Create an emergency lane with minimal required fields, fast approvals, and mandatory post-implementation review. 1

  3. Overengineering the risk model
    If it takes too long, teams will route around it. Use a short impact checklist plus escalation rules.

  4. Ignoring third-party-driven changes
    A supplier’s process tweak or a cloud provider configuration change can alter your output. Require notification obligations in third-party agreements and route material changes through your workflow.

  5. Closing changes without effectiveness checks
    Make verification a required field and prevent closure until evidence is attached or linked.

Enforcement context and risk implications

No public enforcement cases were provided for this requirement in the source catalog. Practically, the risk is audit nonconformities, increased defects, service disruptions, warranty claims, and customer dissatisfaction when changes bypass review or verification. Clause 8.5.6 is also a strong control for preventing “silent drift” where processes gradually change without visibility, eroding quality over time. 1

A practical execution plan (30/60/90)

The standard does not prescribe timelines. Use phased execution to get control fast and then mature it. 1

First 30 days (Immediate stabilization)

  • Map where changes already happen (engineering change orders, IT releases, service runbooks, supplier change notices).
  • Define “change” and publish triggers plus a one-page workflow.
  • Stand up a single change request form/ticket with mandatory fields for review, authorization, and actions.
  • Pilot in one production line or one service team; collect feedback and simplify.

By 60 days (Operational coverage)

  • Expand to all production/service teams in scope of the QMS.
  • Implement role-based approval routing and an emergency change lane with after-the-fact review.
  • Add a verification checklist by change type (manufacturing vs service, permanent vs temporary).
  • Update third-party management expectations: notification and approval requirements for changes that affect your output.

By 90 days (Audit readiness and continuous improvement)

  • Run an internal sample test: pick recent changes and confirm each has review results, authorizing persons, actions taken, and verification evidence. 1
  • Train approvers on what “good” looks like (quality impact rationale, not rubber-stamp approvals).
  • Add metrics that are qualitative and operational (e.g., recurring causes of emergency changes) without inventing numeric targets.
  • Consider Daydream to centralize change records, approvals, and evidence capture so audit sampling is a click, not a scramble.

Frequently Asked Questions

Does ISO 9001 require a formal “change advisory board” (CAB)?

ISO 9001:2015 Clause 8.5.6 requires review, control, and documented authorization for changes, but it does not mandate a specific governance structure. Use a CAB-style group only where it fits your operational risk and complexity. 1

What counts as “documented information” for control of changes?

Keep records that show the review results, who authorized the change, and what actions you took, plus evidence you verified continuing conformity. A controlled ticket with attachments/links typically works if it is retained and retrievable. 1

How do we handle emergency changes without failing the requirement?

Allow expedited approval and implementation, but require a documented post-change review, verification results, and any stabilizing actions. Make the emergency lane explicit so it is controlled rather than ad hoc. 1

Do service companies need this, or is it mainly for manufacturing?

It applies to “production or service provision,” so service delivery changes are in scope. Treat changes to service workflows, scripts, tooling/configuration, and acceptance criteria as controlled changes. 1

How do we manage third-party changes that affect our output?

Require third parties to notify you of material process or service changes, then route those changes through your internal review and authorization. Keep the approval and any required mitigations in the change record. 1

Can we approve changes by email or chat?

You can, but auditors will still expect a durable record showing the authorizing person and date. The safest approach is to capture the approval inside your change record (or attach the message) so the evidence is retained and searchable. 1

Footnotes

  1. ISO 9001:2015 Quality management systems — Requirements
