Clause 7 is the support layer of ISO 9001. It does not define the product realization flow directly, but it determines whether the organization has the people, equipment, measurement control, institutional knowledge, communication structure, and documented information needed for that flow to work reliably.
This is where many organizations underestimate what auditors actually test. Support controls are not abstract back-office requirements. They show up in gage calibration, operator competency, machine readiness, knowledge retention, controlled procedures, and whether the right person can find the right instruction at the right time.
Visual Summary
Use the Clause 7 visual for a quick view of infrastructure, human capability, calibration discipline, knowledge capture, and document control.
Jump to Guide Sections
1. Why Clause 7 Is the Enabling Layer of the QMS
Clause 7 is where quality intent becomes operationally possible. Clauses 4 through 6 define context, leadership, risk, and planning. Clause 7 answers a harder question: do you actually have the support structure needed to execute that plan consistently?
What Clause 7 Prevents
Systems that look compliant on paper but fail in practice because the shop floor, lab, office, or service environment lacks the resources and controls to deliver repeatable results.
What Clause 7 Creates
A stable base of infrastructure, verified measurement, retained knowledge, trained people, clear communication, and controlled information that makes process performance sustainable.
2. Clause 7.1: Resources
Clause 7.1 requires the organization to determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the QMS. It covers people, infrastructure, process environment, monitoring and measuring resources, and organizational knowledge.
| Resource Category | Typical Examples | Why It Matters |
|---|---|---|
| People | Operators, inspectors, auditors, engineers, schedulers, customer-facing staff. | Processes fail when staffing, capability, backup coverage, or decision authority are inadequate. |
| Infrastructure | Buildings, utilities, machine tools, software platforms, networks, test benches. | Product conformity and data integrity depend on maintained and fit-for-purpose operating assets. |
| Environment for operation | Temperature, cleanliness, ergonomics, noise, ESD controls, human-factors conditions. | The work environment can directly affect quality, safety, concentration, and repeatability. |
| Monitoring and measuring resources | Calipers, torque testers, CMMs, software, standards, reference artifacts. | Unreliable measurement systems turn decisions into guesses and can invalidate evidence. |
| Organizational knowledge | Setup know-how, lessons learned, troubleshooting logic, customer-specific process knowledge. | When knowledge is not retained, quality performance becomes fragile and person-dependent. |
3. Clause 7.1.2-7.1.4: People, Infrastructure, and Environment
These sections are straightforward in wording but operationally important. The organization must determine and provide the people, infrastructure, and environment needed to achieve conformity. Auditors often test these areas through interviews and direct observation rather than documents alone.
| Area | Common Audit Questions | Strong Evidence |
|---|---|---|
| People | Do you have enough trained people to maintain process control, especially during absences, turnover, and demand spikes? | Staffing plans, cross-training coverage, role matrices, and evidence that workload does not routinely force control bypasses. |
| Infrastructure | Is equipment maintained and software controlled so the process can produce conforming outputs? | Maintenance schedules, downtime tracking, equipment qualification, validated software logic, and prompt escalation for failures. |
| Environment | Are cleanliness, temperature, handling, ergonomics, lighting, or ESD conditions controlled where they affect quality? | Defined environmental controls, visual standards, audits, and corrective action when conditions drift out of range. |
4. Clause 7.1.5: Monitoring and Measuring Resources
Clause 7.1.5 protects the validity of measurement data. If the organization makes quality decisions from bad or uncontrolled measurements, the rest of the system can appear effective while actually drifting into nonconformance.
What Must Be Controlled
- Identification of the device and its intended use.
- Calibration or verification at defined intervals.
- Traceability to recognized standards where applicable.
- Protection from damage, deterioration, or misuse.
- Action when a device is found out of tolerance.
What Auditors Test
- Can the operator identify whether the gage is in calibration?
- Can the lab or quality team show traceability?
- Is there a reaction plan for out-of-tolerance findings?
- Were affected results assessed when a device failed calibration?
| Failure Pattern | Operational Risk |
|---|---|
| Expired calibration labels still in use | Product acceptance decisions may be invalid, and confidence in historical results is weakened. |
| No impact assessment after out-of-tolerance discovery | The organization cannot determine whether suspect product was shipped or whether process capability conclusions remain valid. |
| Software-based measurement logic not controlled | Inspection outputs can change without visibility if revisions, settings, or algorithms are not managed. |
5. Clause 7.1.6: Organizational Knowledge
Organizational knowledge is one of the most overlooked controls in ISO 9001. It is the knowledge specific to the organization that is needed to achieve conformity of products and services. In practice this includes lessons learned, process tuning, customer-specific conditions, troubleshooting logic, and historical judgment that may never appear in standard work unless captured intentionally.
| Knowledge Source | Examples | Protection Method |
|---|---|---|
| Internal experience | Setup tricks, root-cause lessons, process tuning logic, issue histories. | Lessons-learned repositories, standard work updates, troubleshooting guides, layered handoff routines. |
| External knowledge | Customer standards, supplier data, industry guidance, regulatory changes. | Controlled external-document review and defined update ownership. |
| Specialist knowledge | One expert holding key inspection, programming, quoting, or validation logic. | Succession plans, shadowing, cross-training, and deliberate capture into reusable formats. |
6. Clause 7.2: Competence
Competence is more than training attendance. The organization must determine necessary competence, ensure people are competent on the basis of education, training, or experience, take actions to acquire necessary competence, and retain appropriate documented information as evidence.
| Training Activity | Why It Is Not Enough Alone | Better Competence Evidence |
|---|---|---|
| Signed attendance sheet | Shows presence, not ability. | Observation of performance, work demonstration, qualification signoff, error-rate improvement, or successful audit interview. |
| Generic annual training completion | May not match specific job risk. | Role-based competency matrix aligned to quality-affecting tasks and process risks. |
| One-time onboarding training | Does not address drift, retraining, or changes. | Requalification triggers, refresher training, and post-change competence checks. |
7. Clause 7.3: Awareness
Awareness is different from competence. People need to understand the Quality Policy, relevant quality objectives, how their role contributes to effectiveness, the implications of not conforming, and the value of their work in the system.
Strong Awareness Signal
An operator, planner, or lab technician can explain how their work ties to customer requirements, process performance, and what happens when controls are skipped.
Weak Awareness Signal
The Quality Policy is posted on the wall, but employees cannot explain its meaning or connect it to the work they perform every day.
8. Clause 7.4: Communication
Clause 7.4 requires the organization to determine what it will communicate, when, with whom, how, and who communicates. In mature systems, communication is treated as a controlled process for quality-relevant information, not a casual expectation.
| Communication Need | Typical Audience | Control Method |
|---|---|---|
| Process or spec changes | Operators, inspectors, planners, suppliers, affected customers. | Formal change notices, revision releases, training signoff, supplier flow-down. |
| Nonconformance escalation | Production, quality, leadership, sometimes customer. | Escalation matrix, containment alerts, structured response timing. |
| Objective and KPI status | Leadership, process owners, frontline teams. | Tier boards, management review, shift reviews, dashboards with action ownership. |
9. Clause 7.5: Documented Information
Documented information in ISO 9001 includes both documents and records. The organization must ensure documented information is available and suitable for use where and when needed, and adequately protected from loss of confidentiality, improper use, or loss of integrity.
| Control Need | Practical Implementation |
|---|---|
| Identification and description | Title, unique ID, revision level, date, and origin or owner so the user knows what the document is and which version is current. |
| Review and approval | Formal release controls before issue and re-approval when meaningful changes occur. |
| Access and availability | Users can quickly find the right version at point of use without searching personal drives or relying on memory. |
| Protection and retention | Records are stored securely, backed up as needed, retained for defined periods, and protected from unauthorized change. |
| Obsolete information control | Old documents are removed from use or clearly marked to prevent accidental application of superseded instructions. |
10. Quick Reference: Clause 7 Audit Readiness
Resource and Infrastructure Checks
- Resource planning reflects actual process needs and current demand.
- Infrastructure and maintenance systems support reliable operation.
- Environmental conditions are controlled where they affect quality.
- Organizational knowledge is retained rather than held by one person.
People and Communication Checks
- Competence requirements are defined by role and risk.
- Evidence shows people can perform, not just that they attended training.
- Employees can explain the quality relevance of their role.
- Quality-critical communications are defined, controlled, and timely.
Measurement and Document Checks
- Measurement devices are identified, calibrated, traceable where applicable, and protected.
- Out-of-tolerance events trigger impact review and containment logic.
- Controlled documents are current at point of use.
- Records are retained, protected, and retrievable when needed.
Leadership Questions
- Where are your biggest competence or knowledge-retention risks?
- How do you know measurement data is trustworthy?
- What quality-critical information has to move quickly, and how is that controlled?
- How do you ensure obsolete instructions do not remain in active use?