The guiding philosophy of the standard has evolved over different revisions, each one carrying the year of its release.
The initial 1987 version, ISO 9000:1987, (originally issued as BS5750 by the British Standards Institute) focused on quality control via retroactive checking and corrective actions. This version was strongly influenced by the existing US Department of Defence Military Standards('MILSPECS') on manufacturing, and so was well-suited to the demands of a rigorous, stable, factory-floor manufacturing process.
The 1994 version emphasised quality assurance via preventive actions, and required evidence of compliance with documented procedures. There was a tendency of companies to implement the revision's requirements by creating shelf-loads of procedure manuals, and to become burdened with an ISO bureaucracy. Adapting and improving processes could be particularly involved in this kind of environment.
The 2000 version, ISO 9000:2000, introduced the concept of process effectiveness via process performance metrics[?], and so reduced the emphasis on having documented procedures if clear evidence could be presented to show that the process was working well. Expectations of continuous process improvement and tracking customer satisfaction were made explicit at this revision.
The International Organizations of Standards body does not itself issue certificates to organisations. It does certify third-party Certification Bodies who it authorises to examine ('audit' or 'assess') organisations that wish to apply for ISO 9000 compliance certification. Both ISO and the Certification Bodies charge fees for their services.
The applying organisation will be assessed based on an extensive sample of its sites, functions, products, services, and processes, and a list of problems ( 'action requests' or 'non-compliances' ) made known to management. Providing there are no major problems on this list, the certification body will issue an ISO 900x certificate for each geographical site it has visited once it receives a satisfactory improvement plan from the management showing how the problems will be resolved.
An ISO certificate is not a once-and-for-all award, it must be renewed at regular intervals recommended by the certification body - usually around 12 - 18 months.
Two types of auditing are required by the standard. Auditing by the external certification body, and audits by internal staff who have been trained for this process. It is perhaps healthier if internal auditors audit outside their usual management line to bring a degree of independence to their judgements. Thus a continual process of assessment, leading to corrective and preventive actions, is maintained throughout the scope of the certified organisation.
Under the 1994 standard the auditing process could be adequately addressed by performing 'compliance auditing', which could be characterised simply as:-
Under the 2000 standard the auditor performs a similar function but is required to make more value judgements on what is effective instead of adhering safely to the formalism of what is prescribed.
ISO 9000 is very lengthy. We offer here a brief encapsulization of the common members of the ISO 9000 family.
There are over 20 different members of the ISO 9000 family, and most of them are not explicitly referred to as "ISO 900x". For example, parts of the 10,000 range are also considered part of the 9000 family: ISO 10007:1995 talks about how to maintain a large system while changing individual components. It is highly recommended that a serious look be taken at the ISO website and documentation for a more in depth look at what each specification entails. Many have seemingly subtle variations.
To the casual reader however, it is useful to understand that when someone claims to be ISO 9000 compliant, they are probably using a blanket statement meaning they conform to one of the specifications in the ISO 9000 family. And more often than not, they are referring to ISO 9001, ISO 9002, or ISO 9003. The certification according to the ISO 9000:1994 can not be valid after year 2004.
As the paragraphs and clauses of the ISO 9000 standard have always been very generalised and abstract they have to be carefully interpreted to make sense within a particular organisation. Developing software is not like making cheese, or offering counselling services, yet the ISO 9000 guidelines can potentially be interpreted in each of these industries.
Over time industry sectors have wanted to standardize their interpretations of the guidelines within their own marketplace.
Relationship with Other Standards
ISO 9000 is quite similar to ISO 14000. Both pertain to how a product is produced, rather than how it is designed. ISO 9000 and ISO 14000 are more general, referring to a process, rather than any single product.
ISO 9000 is more about making sure the product -- any product or service -- has been produced in the most efficient and effective manner possible.
ISO 14000 exists to ensure the product -- any product or service -- has the lowest possible environmental ramifications.