For the first time in over a decade, ISO 9001 is changing. The 2015 edition has been the world’s most widely used management system standard, with more than a million certified organizations, and it is now being replaced. After ISO’s technical committee voted in 2023 to revise rather than reaffirm the standard, a first public draft (the DIS) appeared in August 2025, and the Final Draft International Standard (FDIS) went to ballot in spring 2026. Publication is expected in the second half of 2026, most likely in the autumn, followed by a transition period expected to last three years.
For organizations holding or pursuing certification, the practical question is not whether to act but when. The honest answer is now, even though the standard is not yet published, for three reasons: the draft is stable, the most demanding new expectations are the ones that take longest to build evidence for, and the cheapest place to find a gap is an internal audit rather than your certification body’s transition audit. This post covers where the revision stands, what is actually changing, the one area where the marketing has run ahead of the standard, and the readiness steps internal audit can take today.
Where the revision stands
FDIS is the near-final stage. The substantive content is largely locked; what remains is editorial. The sequence so far: the DIS published in August 2025, the FDIS went to ballot in spring 2026, and publication is expected in the second half of 2026. One caveat worth stating plainly: the exact publication date is not fixed, and sources cite different autumn dates, so treat “second half of 2026” as the safe framing rather than a specific day.
Once published, a transition period expected to run three years begins, likely to around 2029. Certificates to ISO 9001:2015 remain valid throughout, and organizations move to the new edition at a scheduled surveillance or recertification audit within the window. The clause numbers referenced below come from the current draft and could shift slightly before publication, so treat them as a guide to where each change lives, not a final citation.
What is actually changing
The revision keeps the Harmonized Structure, the common clause skeleton shared across ISO management system standards, and it keeps the process approach. The changes are refinements rather than a new framework, but several of them change what an auditor will look for. The most significant:
- Climate change moves into the core text. The February 2024 amendment that added climate to Clause 4 is being integrated into the body of the standard. Determining whether climate change is a relevant context issue is no longer a bolt-on; it is part of how you establish the direction and scope of the QMS.
- Quality culture and ethical behaviour become explicit. The draft adds expectations, in leadership (around Clause 5.1.1) and awareness (around Clause 7.3), for top management to actively promote a culture of quality and ethics, with awareness expected to go beyond knowing that a policy exists.
- Risks and opportunities are separated. Clause 6.1 is being split so risks and opportunities are addressed distinctly rather than bundled, pushing organizations toward deliberate opportunity-based thinking instead of a single risk-register exercise.
- Strategic alignment is made explicit. The quality policy and objectives are expected to tie clearly to the organization’s strategic direction.
- Organizational knowledge broadens. Clause 7.1.6 knowledge is expected to support all QMS outcomes, compliance, customer satisfaction, and improvement, not only product and service conformity.
- Supply chain resilience is strengthened. Expectations around external providers and contingency are firmer, reflecting a decade of disrupted supply chains.
- The standard gains its first annex. An informative Annex A provides guidance on structure and terminology, the first time ISO 9001 has carried an annex.
Climate: a determination you can evidence today
The climate requirement is not waiting for 2026. The 2024 amendment added it to ISO 9001:2015, and auditors have been checking it since. The test is narrow and often misunderstood: the standard does not require a climate programme. It requires that you determine whether climate change is a relevant issue in your context, and that any climate-related requirements from interested parties are considered. Concluding that climate is not relevant to your ability to deliver conforming products and services can be valid, but it has to be a documented determination, not silence. Because the 2026 edition folds this into the core context clause, organizations that handled the amendment properly are already ahead. Those that quietly skipped it have a finding waiting in their next audit, current edition or new.
Quality culture and ethics: the hardest evidence to backfill
Of all the changes, the culture and ethics expectations are the ones to start on first, because they are the hardest to produce on demand. You cannot generate a year of evidence that leadership actively promotes a culture of quality the week before an audit. Auditors will look for observable signals: how quality objectives are communicated and reinforced, whether raising quality concerns is visibly supported, and whether awareness training explains why the QMS matters rather than simply confirming that a policy exists. That trail has to accumulate over time, so start capturing it now, regardless of when the standard publishes.
The AI question: context, not requirements
A great deal of the commentary around the 2026 revision claims it introduces AI requirements. Read the draft and that is not what it does. AI and digital technology appear as part of strategic context and as enablers an organization may choose to consider, not as auditable requirements. There is no new clause that requires you to govern AI in order to be certified to ISO 9001:2026.
This matters for two reasons. First, do not let a vendor sell you an “AI gap assessment” against requirements that do not exist in the standard. Second, where AI genuinely needs governing, the standard for that is ISO 42001, the AI management system standard. The two are complementary: ISO 9001’s discipline around data quality and process control directly supports the data-management expectations in ISO 42001. If AI materially affects the quality of your products or services, that is a real conversation, but it belongs in your context analysis and, if warranted, a separate management system, not in a misreading of ISO 9001.
What is not changing
It is worth being equally clear about what stays the same, because the revision is more evolution than rewrite. The Harmonized Structure is preserved, so the familiar clause skeleton remains: context, leadership, planning, support, operation, performance evaluation, and improvement. The process approach, risk-based thinking, and the Plan-Do-Check-Act cycle all stay central. Your existing QMS is not invalidated, and certificates to ISO 9001:2015 remain valid throughout the transition. In practice, a well-run quality system migrates to the new edition through targeted updates, not a rebuild.
What internal audit should do now
The transition period is generous, but the work that earns the smoothest transition audit starts well before publication. A practical sequence:
- Confirm your climate determination is documented. This is auditable under the current edition today. Check that your Clause 4.1 context and 4.2 interested-party analysis record a climate determination, and that the conclusion is reasoned rather than absent.
- Start the quality-culture and ethics evidence trail. This is the longest lead-time item. Begin capturing how leadership promotes quality and how awareness goes beyond policy acknowledgement.
- Review how you handle risks and opportunities. If your Clause 6.1 treatment bundles the two, start separating them so the split in the new edition is a formatting change, not a rethink.
- Check strategic alignment. Confirm your quality policy and objectives visibly connect to the organization’s strategic direction, and that you can show the link on request.
- Run a gap assessment against the draft. Map your current QMS documentation and practices to the FDIS to find the deltas while there is still time to close them deliberately.
- Schedule an internal audit against the new edition. Once the standard publishes, build at least one internal audit cycle around the new expectations before your certification body’s transition audit. Internal audit is where you want to find the gaps.
The transition, and why early beats late
When ISO 9001:2026 publishes, the transition period begins. Existing certificates stay valid through it, and organizations move to the new edition at a scheduled surveillance or recertification audit. The exact transition length and rules are confirmed through the international accreditation system, now operating as GACI following the merger of IAF and ILAC in January 2026, but a three-year window is the working expectation.
Three years sounds like room to wait. It is not, for one reason: the new expectations that take the most work, the culture and ethics evidence and any genuine strategic-alignment or supply-chain changes, are the ones that cannot be assembled quickly. Organizations that treat the transition as a documentation exercise to be done in year three will find the evidence-based requirements hard to satisfy from a standing start. The ones that begin now will treat their transition audit as a confirmation rather than a scramble.
The ISO 9001:2026 revision is not the upheaval some of the marketing suggests, and it is not nothing. It sharpens leadership accountability, makes climate and ethics explicit, and tightens the link between the QMS and the business it is meant to serve. For an internal audit programme the work is clear and the timing is favourable: validate what is already auditable today, begin the evidence trails that take time to build, and run a gap assessment against the draft so the move to the new edition is a managed change rather than a deadline. The cheapest gap is the one you find yourself.