I am working with a company who develops no hardware, only ML based software. What are the mandatory clauses of ISO 9001 that apply to them if they need to go for a certification? No manufacturing, no plants, only software. What is the best approach for them?
If they decide to go for ISO 9001 certification only clauses from section 8 can be candidates for classification as non-applicable. ISO 9001:2015 is a generic standard applicable to all kinds of organizations. The company:
Has clients and consumers – clause 8.2 is applicable.
Develops software - clause 8.3 is applicable.
Buys resources - clause 8.4 is applicable.
Software must be manufactured, lines of code have to be written and tested, bugs must be removed - clauses 8.5, 8.6, and 8.7 are applicable.
Inside 8.5 typical candidates for non-applicability are:
Subclause 8.5.3 – does the company works with confidential information provided by the client? Does the company install the software at the client’s premises? If a new version of software originates problems for the client, does the company is liable? If yes to one of these questions the clause is applicable.
Subclause 8.5.4 – preservation seems not applicable at first sight but then look into the “NOTE”. You can find there the word “transmission”. What is that about? It is about how information is transmitted and protected, preventing risks of loss, tampering, and protection of information which may include property of the customer and supplier. There are examples of this information transmitted electronically such as electronic payments, mail, electronic files, computer files, information available on websites, etc.
Subclauses 8.5.5 and 8.5.6 – include after-sales support and new versions
It seems that all clauses are applicable.
While considering the use of ISO 9001 for software development activities, consider this support ISO/IEC/IEEE 90003:2018 - Software engineering — Guidelines for the application of ISO 9001:2015 to computer software - https://www.iso.org/standard/74348.html
For more information about exclusion, the right ISO wording is applicability, consider the following: