    ISO 9001 March 24, 2026 16 min read
    Chapter 3 of 9

    Conducting a Gap Assessment Against ISO 9001:2015

    The gap assessment is your "current state" snapshot. It answers: Where are we today, against the ISO 9001:2015 standard, and what work needs to happen to close the gap?

    Unlike the readiness checklist in Chapter 2 (which assessed your organisational capacity), the gap assessment evaluates your QMS itself: Do your processes, documentation, and practices meet the standard's requirements?

    In our experience with Canadian manufacturers and service providers, the gap assessment is often the moment when people realise how much work lies ahead—or how close they are. We've seen auto parts suppliers in Ontario discover they're 80% there (mostly a matter of formalising existing practice) and aerospace contractors in Quebec realise they're at 40% (significant documentation and process redesign needed).

    This chapter walks you through conducting a thorough gap assessment—whether internally or with external help.

    Why a Formal Gap Assessment Matters

    You could skip straight to building your QMS and hope for the best. But that's risky. A gap assessment:

    1. Gives you baseline data - You know where you stand
    2. Reveals priorities - You know what to tackle first
    3. Builds credibility - Shows leadership you understand the scope
    4. Prevents surprises - Better to discover gaps now than in the registrar's audit
    5. Focuses resources - You don't waste effort on areas already compliant
    6. Provides benchmarks - You can measure progress ("We've closed 20% of gaps; we're on track")

    Types of Gap Assessments

    Internal Gap Assessment

    How it works:

    You assemble a team (operations manager, quality lead, process owners, maybe an HR person). You work through the ISO 9001 standard clause by clause, evaluating compliance.

    Pros:

    • Inexpensive (uses internal time)
    • Builds internal knowledge of the standard
    • Your team becomes invested

    Cons:

    • Time-consuming (40-60 hours of internal effort)
    • Can be biased (people rating their own work)
    • May lack external benchmark perspective
    • Requires someone to facilitate and drive it

    Best for:

    Organisations with moderate process maturity and clear leadership commitment. You have the capacity to dedicate internal time.

    External Gap Assessment

    How it works:

    You hire an external consultant or your chosen registrar to conduct the assessment. They interview people, review documentation, observe processes, and report findings.

    Pros:

    • Independent, credible evaluation
    • Provides external benchmark perspective
    • Faster (consultant brings experience)
    • Identifies blind spots
    • Produces a written report credible with leadership

    Cons:

    • Cost ($3,000–$8,000 for a small-to-medium operation)
    • Less ownership by your team
    • Consultant leaves; your team needs to drive remediation

    Best for:

    Organisations without strong internal quality expertise, or those needing external credibility to justify investment.

    Hybrid Approach

    How it works:

    You conduct an internal assessment with light external guidance. The external person helps you structure the assessment and validates findings.

    Pros:

    • Builds internal capability
    • Adds external credibility
    • More cost-effective than full external assessment
    • Knowledge stays in-house

    Cons:

    • Requires some internal capacity
    • External person less invested in your success

    Best for:

    Most Canadian organisations we work with. You get internal engagement plus external quality assurance.

    The Gap Assessment Framework: Clause by Clause

    Regardless of whether you do this internally or externally, the assessment follows the same structure: evaluate each requirement of ISO 9001:2015 against your current state.

    For each clause, you rate compliance:

    • Compliant (C): Requirement is documented and in place, people are aware, evidence exists
    • Partially Compliant (PC): Some elements are in place; some are missing
    • Non-Compliant (NC): Little or no evidence of the requirement

    Then, for each non-compliant or partially compliant item, you identify:

    • What's missing?
    • Why is it missing?
    • What work is needed to close it?
    • Who owns it?
    • By when?

    Clause 4: Context of the Organisation

    4.1: Understanding the Organisation and Its Context

    Current State Questions:

    • Do we have a documented understanding of our external environment (market, regulatory, competitive, economic, technological factors)?
    • Do we document our internal environment (capabilities, resources, performance, culture)?
    • Do we have a documented list of interested parties (customers, employees, regulators, suppliers, shareholders)?
    • Do we know what each interested party needs and expects from us?
    • Do we review this understanding regularly (annually? when things change?)?

    Why This Matters:

    A Tier 1 automotive supplier in Ontario must understand that their major OEM customer demands IATF-level quality, zero-defect thinking, and regular supply base audits. An aerospace contractor in Quebec must understand that their customer operates under FAA regulations and requires full traceability. A food processor in Manitoba must understand food safety regulations and retailer requirements.

    Typical Gaps We Find:

    • "We do understand our environment, but it's not documented." → Document it
    • "We haven't formally identified interested parties." → List them (customer, employees, regulators, suppliers, owner/investors, community)
    • "We don't have a process to review context annually." → Create one

    4.2: Determining the Scope of the Quality Management System

    Current State Questions:

    • Have we formally defined the scope of our QMS (what's in scope, what's out of scope)?
    • Is our scope documented and available to interested parties?
    • Does our scope match our customer requirements and regulatory obligations?

    Typical Gaps:

    • "We haven't formally defined scope. We just say 'our whole company.'" → Define it clearly ("Design, manufacture, and distribution of hydraulic components for OEM customers")
    • "Our scope includes things that aren't actually certified (e.g., R&D facility in another country)." → Narrow and clarify scope

    4.3: Quality Management System and Its Processes

    Current State Questions:

    • Have we mapped our key processes and how they interact?
    • Do we have a process map or flowchart?
    • For each process, do we know the owner, inputs, outputs, key controls, and how we measure effectiveness?
    • Do we have a documented list of processes that form our QMS?

    Why This Matters:

    This is fundamental. You can't manage what you haven't mapped. A manufacturer needs to map: Sales/Order Entry → Design Review → Procurement → Production Planning → Manufacturing → Quality Inspection → Packaging → Shipping → Customer Support. A service firm maps: Sales → Project Planning → Delivery → Quality Review → Customer Handoff.

    Typical Gaps:

    • "We don't have a formal process map." → Create one (even a simple flowchart)
    • "Our processes exist informally; key people know them, but they're not written." → Document them
    • "We don't have clear ownership of processes." → Assign process owners

    Clause 5: Leadership

    5.1: Leadership and Commitment

    Current State Questions:

    • Has our CEO/General Manager/Owner made a public commitment to the QMS?
    • Does leadership allocate budget for quality?
    • Does leadership participate in QMS governance (steering committee, management review)?
    • Does leadership address non-conformances when they arise?
    • Is there evidence of leadership commitment (communications, budget decisions, visible support)?

    Why This Matters:

    Without leadership buy-in, everything else is theatre. If the boss doesn't care about the QMS, neither will anyone else.

    Typical Gaps:

    • "Leadership says it's important but doesn't show up to meetings." → Build the case for engagement
    • "We don't have a formal communication about quality commitment." → Create one (memo, all-hands meeting, poster)
    • "Quality problems are hidden from leadership." → Create an escalation process

    5.2: Quality Policy

    Current State Questions:

    • Do we have a written quality policy?
    • Does the policy commit to meeting customer requirements?
    • Does the policy commit to continual improvement?
    • Does the policy provide a framework for quality objectives?
    • Is the policy communicated and understood throughout the organisation?

    Typical Gaps:

    • "We don't have a quality policy." → Write one
    • "We have a policy but nobody knows about it." → Communicate it (posters, new-employee orientation, toolbox talks)
    • "Our policy is generic corporate language that doesn't reflect our industry or context." → Rewrite it to be specific and relevant

    5.3: Organisational Roles, Responsibilities, and Authorities

    Current State Questions:

    • Is there a clear quality manager or QMS owner?
    • Are QMS roles documented?
    • Do people understand their responsibility for quality?
    • Is there clear escalation authority (who can approve what)?
    • Is it documented who's responsible for reporting QMS performance to leadership?

    Typical Gaps:

    • "We don't have a dedicated quality manager." → OK, but who owns it? Assign responsibility
    • "Everyone says quality matters, but nobody's accountable." → Create clear roles and responsibilities matrix
    • "We don't have a process for raising quality issues up the chain." → Create one

    Clause 6: Planning

    6.1: Actions to Address Risks and Opportunities

    Current State Questions:

    • Do we have a process for identifying risks to our QMS?
    • Have we done a formal risk assessment?
    • For each risk, do we have planned responses (controls, mitigations)?
    • Do we evaluate whether our responses are effective?

    Why This Matters:

    Risk-based thinking is new in the 2015 revision. You're not just reacting to problems; you're proactively managing what could go wrong.

    Typical Gaps:

    • "We don't have a formal risk process." → Create a simple risk identification and response process
    • "We identify risks but don't document them." → Document risks, responses, and who's monitoring each one
    • "Key risks are known informally but not managed systematically." → Formalise the process

    6.2: Quality Objectives and Planning

    Current State Questions:

    • Do we have quality objectives?
    • Are objectives measurable?
    • Do we assign owners to objectives?
    • Do we review progress?
    • Are objectives tied to the quality policy?

    Typical Gaps:

    • "We have vague goals like 'improve quality,' but nothing measurable." → Make them specific: "Reduce scrap from 2.5% to 1.8%"
    • "We don't have a formal objective-setting process." → Create one (quarterly or annual)
    • "Objectives are set but not communicated." → Communicate them throughout the organisation

    6.3: Planning of Changes

    Current State Questions:

    • When we make changes (new supplier, new equipment, new process, new customer), do we plan the change carefully?
    • Do we evaluate consequences?
    • Do we update related documents?
    • Do we communicate changes?

    Typical Gaps:

    • "We change suppliers without a formal evaluation." → Create a supplier change control process
    • "We buy new equipment and implement it without updating procedures." → Create a change control process
    • "Changes are made informally without documenting impacts." → Formalise the process

    Clause 7: Support

    7.1: Resources

    Current State Questions:

    • Do we have adequate people to manage the QMS?
    • Do we have adequate infrastructure (facilities, equipment, IT systems)?
    • Do we have a budget for quality initiatives?
    • Are resources clearly allocated and communicated?

    Typical Gaps:

    • "We have nobody dedicated to quality." → OK, but is quality management clearly someone's responsibility?
    • "We have the will but not the budget." → Build the business case to secure funding
    • "Infrastructure is inadequate (e.g., no document management system)." → Invest in tools

    7.2: Competence

    Current State Questions:

    • For each key role, do we know what competence is required?
    • Do we assess whether people have that competence?
    • Where competence is lacking, do we provide training?
    • Do we maintain records of training and competence?

    Why This Matters:

    An internal auditor needs training in audit techniques. A production supervisor needs to understand procedures and customer requirements. An inspector needs to know measurement systems.

    Typical Gaps:

    • "We don't have a formal competence framework." → Identify key roles and required competencies
    • "We do training but don't track it." → Create a training matrix and records
    • "New hires aren't formally trained." → Create an onboarding program

    7.3: Awareness

    Current State Questions:

    • Do employees understand the quality policy?
    • Do employees understand how their work affects quality?
    • Do employees understand what non-conformities are and how to report them?
    • Do employees understand the benefits of improving quality?

    Typical Gaps:

    • "We haven't formally communicated the quality policy." → Present it (all-hands meeting, posters, new-hire orientation)
    • "Employees don't understand how their role contributes to customer satisfaction." → Communicate the connection
    • "Employees are afraid to report problems." → Build a safe reporting culture

    7.4: Communication

    Current State Questions:

    • Do we have a plan for internal communication (e.g., who needs to know about quality changes, customer complaints, new procedures)?
    • Do we have a plan for external communication (e.g., what we tell customers about quality, what we tell regulators)?
    • Are communication channels documented?
    • Do we evaluate whether communication is effective?

    Typical Gaps:

    • "We communicate haphazardly." → Create a communication plan
    • "Changes are announced informally and don't reach everyone." → Create a formal process
    • "We don't communicate our quality story to customers." → Develop customer-facing communication

    7.5: Documented Information

    Current State Questions:

    • Do we have a document management system?
    • Are procedures and work instructions documented?
    • Are documents version-controlled (old versions archived)?
    • Are documents approved before use?
    • Are quality records kept (audit reports, training, non-conformances)?
    • Can we easily retrieve documents and records?

    Why This Matters:

    Your QMS lives in documented information: procedures, work instructions, forms, records. If you can't manage these systematically, your QMS is fragile.

    Typical Gaps:

    • "Documents are everywhere: email, shared drive, paper files." → Create a central document management approach
    • "We have procedures but they're not version-controlled; multiple versions exist." → Implement version control
    • "We don't keep quality records." → Create a record retention system
    • "Documents are approved informally." → Create an approval process

    Clause 8: Operation

    8.1: Operational Planning and Control

    Current State Questions:

    • Do we have documented procedures for each key process?
    • Are customer requirements documented before work begins?
    • Are work instructions clear?
    • Do we monitor process performance?
    • Do we keep records of work performed?

    Typical Gaps:

    • "We have procedures but they're outdated." → Update them
    • "Procedures exist but people don't follow them." → Enforce use; understand why compliance is low
    • "We don't keep records of what we did." → Create a record system
    • "Customer requirements aren't clear until problems arise." → Create a requirements review process

    8.2: Determination of Requirements

    Current State Questions:

    • When a customer order arrives, do we understand all requirements (specifications, delivery date, quality standard, special needs)?
    • Do we communicate requirements clearly to everyone who needs to know?
    • Are regulatory or legal requirements identified and incorporated?
    • Are internal standards applied?

    Typical Gaps:

    • "Customer requirements are communicated verbally." → Document them in writing
    • "We don't always check if we can meet requirements before accepting the order." → Create a feasibility check
    • "Regulatory requirements aren't formally tracked." → Document them

    8.3: Design and Development (if applicable)

    Current State Questions:

    • If we design products/services, do we have a design process?
    • Does the process include gates and reviews?
    • Are design changes controlled?
    • Are design documents maintained?

    Typical Gaps:

    • "We design but have no formal design process." → Create one
    • "Designs are changed without evaluating impacts." → Create a design change control process
    • "Design documentation is scattered or lost." → Create a design document repository

    8.4: Control of Externally Provided Processes (Suppliers)

    Current State Questions:

    • Do we have a supplier approval process?
    • Do we communicate our requirements to suppliers?
    • Do we verify that suppliers deliver conforming product/service?
    • Do we maintain supplier performance records?
    • Do we have a process for addressing supplier non-conformances?

    Typical Gaps:

    • "We use suppliers but haven't formally approved them." → Create a supplier approval process
    • "We don't have supplier agreements in writing." → Document your expectations
    • "We don't inspect incoming materials." → Implement incoming inspection
    • "Supplier performance isn't tracked." → Create a scorecard

    8.5: Control of Production and Service Provision

    Current State Questions:

    • Do we have procedures for each production/delivery step?
    • Are procedures followed in practice?
    • Are work instructions clear and available to operators?
    • Is equipment maintained?
    • Are measurement tools calibrated?
    • Can we trace what was made when and by whom?

    Typical Gaps:

    • "We have procedures but they're hard to follow or unclear." → Simplify and clarify
    • "Equipment maintenance is informal." → Create a maintenance schedule and log
    • "Inspection tools aren't calibrated." → Implement a calibration system
    • "We don't track production batch numbers or serial numbers." → Implement traceability

    8.6: Release of Products and Services

    Current State Questions:

    • Before a product ships or a service is delivered, is it inspected/reviewed for compliance?
    • Is release approval documented?
    • Is there a clear process for release authority?

    Typical Gaps:

    • "Products ship without formal approval." → Create a release gate
    • "Release happens informally." → Document who approved and when

    8.7: Control of Nonconforming Outputs

    Current State Questions:

    • When we find a non-conforming product or service, is it documented?
    • Do we investigate root cause?
    • Do we take corrective action to prevent recurrence?
    • Do we decide appropriately (scrap, rework, customer concession)?
    • Is the customer informed if needed?

    Typical Gaps:

    • "We don't have a non-conformance process." → Create one
    • "We fix problems but don't investigate why they happened." → Build root-cause analysis into the process
    • "Non-conformances are hidden." → Build a safe reporting culture
    • "Corrective actions aren't tracked for effectiveness." → Create a follow-up system

    Clause 9: Performance Evaluation

    9.1: Monitoring, Measurement, Analysis, and Evaluation

    Current State Questions:

    • Do we monitor key process metrics (on-time delivery, scrap, defects, cycle time)?
    • Do we measure customer satisfaction?
    • Do we track compliance with procedures and regulations?
    • Do we analyse results to understand trends?
    • Do we evaluate whether the QMS is effective?

    Typical Gaps:

    • "We don't have formal metrics." → Identify 3-5 key metrics
    • "We collect data but don't analyse it." → Create monthly review of metrics
    • "Customer complaints aren't tracked." → Create a log and analysis process
    • "We don't know if the QMS is working." → Create a dashboard of QMS effectiveness

    9.2: Internal Audit

    Current State Questions:

    • Do we conduct internal audits?
    • Are auditors trained?
    • Do audits cover all major processes?
    • Are audit findings documented?
    • Are corrective actions tracked?

    Typical Gaps:

    • "We don't do internal audits." → Plan an audit program
    • "We audit sporadically." → Create a formal audit schedule
    • "Audits aren't thorough." → Train internal auditors
    • "Audit findings don't result in action." → Create a corrective action follow-up process

    9.3: Management Review

    Current State Questions:

    • Does leadership formally review QMS performance (quarterly or semi-annually)?
    • Is review based on data (metrics, audit findings, customer feedback)?
    • Do reviews result in decisions and action?
    • Are reviews documented?

    Typical Gaps:

    • "We don't have formal management review." → Schedule it (quarterly recommended)
    • "Reviews are superficial." → Base them on data and decide on specific actions
    • "Reviews happen but nothing changes." → Make sure decisions are acted on

    Clause 10: Improvement

    10.1: General

    Current State Questions:

    • Do we systematically identify improvement opportunities?
    • Do we implement improvements?
    • Do we measure the impact?

    Typical Gaps:

    • "Improvements happen sporadically." → Create a formal improvement process
    • "We have good ideas but don't follow through." → Track improvement projects to completion

    10.2: Nonconformity and Corrective Action

    Current State Questions:

    • When non-conformities occur, do we analyse root cause?
    • Do we take corrective action at the root, not just the symptom?
    • Do we verify corrective action was effective?

    Typical Gaps:

    • "We fix problems but don't prevent recurrence." → Strengthen root-cause analysis
    • "Corrective actions are weak." → Train people on effective problem-solving
    • "We don't follow up to verify effectiveness." → Create a follow-up system

    10.3: Continual Improvement

    Current State Questions:

    • Is improvement part of the organisational culture?
    • Do we use data, audits, and feedback to drive improvements?
    • Do we implement improvements systematically?

    Typical Gaps:

    • "Improvement isn't a priority." → Build the business case
    • "Improvements happen informally." → Create a formal process (suggestion program, improvement projects)
    • "People don't suggest improvements." → Build a culture of psychological safety

    Documenting the Gap Assessment

    Whether internal or external, document your findings in a structured format. A typical gap assessment report includes:

    For each requirement:

    • Requirement statement (from ISO 9001)
    • Current state (what we're doing today)
    • Compliance rating (Compliant, Partially Compliant, Non-Compliant)
    • Gap description (what's missing)
    • Recommended remediation (what needs to happen)
    • Estimated effort (hours)
    • Assigned owner
    • Target completion date

    Example:

    | Requirement | Current State | Rating | Gap | Remediation | Effort | Owner | Target |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | 7.2 Competence | No formal training matrix; training happens informally | PC | No documented competence framework; no training records | Develop competence matrix for each role; create training tracking system; provide initial training; document competence | 40 hrs | Operations Manager | Month 3 |
    | 8.5 Production Control | Procedures exist in heads of key people; not written | NC | Procedures not documented; not consistently followed | Write work instructions for each step; train staff; audit compliance; update as needed | 60 hrs | Quality Manager | Month 4 |

    Prioritising Remediation

    Not all gaps are equal. Some are critical to meeting the standard; some are nice-to-have. Prioritise based on:

    1. Criticality to the Standard: Some clauses are foundational (leadership, context, operational control). Others are more secondary.
    2. Risk: A gap that increases the risk of customer non-conformity is urgent. A gap in documentation format is less urgent.
    3. Regulatory Impact: Gaps related to regulatory compliance are critical.
    4. Effort Required: Quick wins (low effort) are good to tackle first for momentum.
    5. Dependencies: Some gaps depend on others being closed first (e.g., you can't train people on procedures until procedures exist).

    A typical remediation plan focuses first on:

    • Leadership commitment and policy
    • Context and scope definition
    • Process mapping and documentation
    • Supplier management
    • Operational controls
    • Record systems
    • Internal audit readiness

    Then, in a second wave:

    • Detailed procedures and work instructions
    • Competence and training programs
    • Metrics and monitoring
    • Management review

    Sample Timeline: Gap Assessment to Readiness

    For a small-to-medium operation:

    Week 1-2: Assessment Planning

    • Assemble assessment team
    • Orient team to ISO 9001
    • Plan assessment approach

    Week 2-4: Assessment Execution

    • Conduct interviews with key people
    • Review documents
    • Observe processes
    • Evaluate compliance

    Week 4: Analysis and Reporting

    • Compile findings
    • Draft report
    • Present to leadership

    Weeks 5-8: Gap Assessment Review and Prioritisation

    • Leadership reviews findings
    • Team prioritises remediation
    • Develops remediation plan

    Month 2-8: Gap Closure

    • Execute remediation activities
    • Document procedures
    • Train staff
    • Build systems

    Month 8+: Readiness Verification

    • Conduct internal audit against ISO 9001
    • Address remaining findings
    • Brief registrar
    • Schedule Stage 1 audit

    The Gap Assessment as a Starting Point, Not the Finish Line

    The gap assessment shows you where you stand. It's not a prediction of how long certification will take or a guarantee of success. What matters next is:

    1. Leadership commitment to closing gaps
    2. Resource allocation to support the work
    3. Execution discipline to actually implement improvements
    4. Culture change to make the QMS part of how you work
    5. Persistence to stay the course over 12-18 months

    We've seen organisations with minor gaps (80% compliant) struggle because they lacked commitment. We've also seen organisations with significant gaps (50% compliant) succeed because leadership was committed and they executed disciplined remediation.

    The gap assessment is the beginning of the real work. The next chapter is where that work actually happens: building your quality management system.

    Need help conducting your gap assessment?

    PinnacleQMS conducts gap assessments for Canadian organisations pursuing ISO 9001 certification. We provide an external, credible evaluation and a roadmap for remediation. Contact us to discuss your assessment needs.

    Next: Chapter 4: Building Your Quality Management System — Documentation and Processes.
