Last updated: 2026-04-08
Effective communication is the connective tissue of any functioning Quality Management System (QMS). Yet, in my experience auditing and consulting with over 200 organizations, Clause 7.4 is one of the most consistently underestimated requirements in the entire ISO 9001:2015 standard. Organizations pour effort into documented procedures and risk registers, then stumble during audits because they cannot demonstrate who communicates what, when, how, and to whom.
This guide gives you the complete picture of ISO 9001 Clause 7.4 — what it actually requires, how to implement it without bureaucratic overhead, and how to avoid the nonconformities I see repeatedly in the field.
What Does ISO 9001 Clause 7.4 Actually Require?
ISO 9001:2015 Clause 7.4 states that the organization shall determine the internal and external communications relevant to the QMS. Specifically, the standard requires you to define five elements for each relevant communication:
- What will be communicated
- When to communicate
- With whom to communicate
- How to communicate
- Who communicates
That's it. The standard is deliberately concise — ISO 9001:2015 is a requirements-based standard, not a prescriptive how-to manual. There is no mandatory "Communication Plan" document required by the standard. However, in practice, organizations that do not formalize these five elements almost always have audit findings.
Citation hook: ISO 9001:2015 Clause 7.4 requires organizations to determine all QMS-relevant communications across five dimensions — what, when, with whom, how, and who — for both internal and external audiences.
Why Clause 7.4 Is More Strategic Than You Think
Most practitioners treat Clause 7.4 as a checkbox item. That's a mistake. Communication directly underpins a half-dozen other clauses:
- Clause 5.1 (Leadership): Top management must communicate customer focus and quality policy commitment.
- Clause 6.2 (Quality Objectives): Objectives must be communicated to relevant personnel.
- Clause 7.3 (Awareness): Employees must be aware of the quality policy and their contribution — you can't achieve awareness without communication.
- Clause 8.2 (Customer Requirements): External communication with customers about product and service requirements is a QMS process.
- Clause 9.3 (Management Review): Outputs from management review must be communicated.
- Clause 10.2 (Nonconformity and Corrective Action): Findings and actions must reach the right people.
According to the International Organization for Standardization, ISO 9001 is the world's most widely adopted management system standard, with over 1.1 million certificates issued across 178 countries as of the latest ISO Survey. Organizations that treat communication as an integrated process — rather than an afterthought — demonstrate stronger QMS performance across all of these linked clauses.
Internal vs. External Communication: Key Differences
Understanding the distinction between internal and external communication is foundational to building a compliant and effective framework.
Internal Communication
Internal communication covers all QMS-relevant information exchanged within the organization. This includes:
- Communicating the quality policy to all employees
- Sharing quality objectives and performance results
- Distributing process changes, procedure updates, and work instruction revisions
- Communicating audit findings and corrective action status
- Management review outputs reaching relevant departments
- Escalation and reporting of nonconformities
External Communication
External communication covers QMS-relevant exchanges with outside parties, including:
- Customer requirements, feedback, and complaints
- Supplier and subcontractor quality expectations and performance feedback
- Regulatory and statutory body communications (e.g., FDA, EPA, industry regulators)
- Certification body and notified body correspondence
- Interested party communications (investors, community stakeholders)
Internal vs. External Communication Comparison Table
| Dimension | Internal Communication | External Communication |
|---|---|---|
| Primary Audiences | Employees, managers, departments | Customers, suppliers, regulators, certifiers |
| Typical Channels | Intranet, meetings, email, noticeboards | Email, contracts, portals, formal letters |
| Trigger Examples | Process change, new objective, audit result | Customer complaint, regulatory inquiry, supplier nonconformance |
| Ownership | QMS Manager / Process Owners | Sales, Procurement, Quality, Senior Leadership |
| Documentation Needed | Meeting minutes, training records, memos | Contracts, complaint logs, regulatory correspondence |
| Key Linked Clauses | 5.1, 6.2, 7.3, 9.3, 10.2 | 8.2, 8.4, 8.5.6, 10.2 |
| Common Audit Findings | No evidence quality policy was communicated | No process for managing customer complaints |
The Five Questions You Must Answer for Every Communication
The cleanest way to comply with Clause 7.4 is to build a simple Communication Matrix that answers the five standard questions for each identified communication. Here's a practical structure:
1. What Will Be Communicated?
Be specific. "Quality information" is not enough. Identify the exact content: quality policy, audit schedule, corrective action status, supplier performance scorecard, etc.
2. When Will It Be Communicated?
Define frequency or trigger. Is this monthly? Upon a process change? When a nonconformity reaches a defined severity threshold? Vague timing like "as needed" often leads to nonconformities.
3. With Whom Will It Be Communicated?
Name the role, department, or external party — not individuals by name (people change; roles don't). Examples: all production staff, the procurement team, regulatory agency X, certified customers.
4. How Will It Be Communicated?
Specify the channel: all-hands meeting, email broadcast, QMS document portal update, customer portal notification, formal letter, etc. The channel must be appropriate for the audience and content.
5. Who Is Responsible?
Assign a specific role or job title. Ambiguous ownership like "management" is a common source of audit findings. Be explicit: "QMS Manager," "Sales Director," "Process Owner — Production."
Building a Practical Communication Matrix
A Communication Matrix is not required by the standard, but it is the most auditor-friendly way to demonstrate compliance. Here's an example template:
| Communication | What | When | With Whom | How | Who (Owner) |
|---|---|---|---|---|---|
| Quality Policy | Policy statement and intent | Onboarding + annual refresh | All employees | Training session + intranet post | HR / QMS Manager |
| Quality Objectives | Objectives and KPI results | Quarterly | Department heads + Top management | Management review meeting | QMS Manager |
| Audit Findings | Nonconformities and observations | Within 5 business days of audit close | Auditees + Process Owners | Written report via QMS portal | Lead Auditor |
| Corrective Action Status | Open/closed CARs and due dates | Monthly | Quality team + affected process owners | Email report | QMS Manager |
| Customer Complaints | Complaint details and status | Within 24 hrs of receipt | Customer + Customer Service Manager | CRM system log + email acknowledgment | Customer Service Manager |
| Supplier Performance | Scorecard results | Quarterly | Approved suppliers | Formal scorecard via email | Procurement Manager |
| Regulatory Changes | Updated requirements affecting QMS | Upon notification from regulatory body | Relevant process owners + Senior Leadership | Email + meeting briefing | QMS Manager / Legal |
| Management Review Output | Decisions and action items | Within 2 weeks of review meeting | All relevant department heads | Meeting minutes via QMS portal | Management Representative |
Common Nonconformities in Clause 7.4 Audits
After leading audits across hundreds of organizations in industries ranging from medical devices to aerospace to food manufacturing, these are the Clause 7.4 findings I encounter most often:
1. No Evidence the Quality Policy Was Communicated
The policy is posted on a wall or uploaded to a SharePoint folder. There is no record that employees were informed of its content or relevance to their work. Clause 7.3 and 7.4 are both cited.
2. Communication Ownership Is Undefined
The Communication Matrix (if one exists) lists "Management" or "QMS Team" as the responsible party. Auditors will push for a specific role — and rightly so.
3. External Communication Processes Are Missing
Internal communications are well-documented, but there is no defined process for handling customer complaints, regulatory inquiries, or supplier feedback. This is especially critical in regulated industries.
4. No Process for Communicating Changes
When a process, product, or regulatory requirement changes, there is no defined mechanism for ensuring the right people are notified. Clause 8.5.6 (Control of Changes) is often cited alongside 7.4 in these situations.
5. Communication Is Inconsistent Across Sites
For multi-site organizations, communication practices vary significantly by location. An effective QMS requires consistent communication processes regardless of geography.
Citation hook: The most frequent ISO 9001 Clause 7.4 audit nonconformity is the inability to demonstrate that the quality policy was effectively communicated to all relevant personnel — not merely displayed or uploaded to a shared drive.
Clause 7.4 in Regulated Industries: Higher Stakes
If your organization operates in a regulated sector, Clause 7.4 compliance carries additional weight. Consider:
- Medical Devices (ISO 13485 / FDA 21 CFR Part 820): External communication with regulatory bodies (FDA, Health Canada, MDR notified bodies) must be formally documented and traceable. Adverse event reporting timelines are legally mandated.
- Aerospace (AS9100D): Customer communication requirements are often contractually specified and may include first-article inspection reports, nonconformance reporting to customers, and documented configuration change notifications.
- Food Safety (ISO 22000 / FSMA): External communication with regulatory agencies and internal communication of food safety hazard information are explicit requirements layered on top of ISO 9001 principles.
- Automotive (IATF 16949): Customer-specific requirements (CSRs) often mandate specific communication formats, portals, and response times that must be integrated into your Clause 7.4 framework.
A 2023 analysis of IATF 16949 audit findings published by the IATF identified communication-related nonconformities as appearing in the top 10 most cited clauses during surveillance audits, underscoring the practical compliance challenge organizations face.
How to Implement Clause 7.4 Without Bureaucratic Overhead
Here's my recommended implementation sequence for organizations building or refreshing their Clause 7.4 framework:
Step 1: Conduct a Communication Inventory
List every significant communication that currently occurs (or should occur) related to your QMS. Don't start from scratch — your existing processes almost certainly have communications embedded within them. Surface them.
Step 2: Map Against the Five Requirements
For each identified communication, apply the five-question test: What, When, With Whom, How, Who. Gaps become immediately obvious.
Step 3: Build (or Simplify) Your Communication Matrix
Use the table structure above. Keep it to one or two pages. The goal is a living document that auditors can review and that staff can actually use — not a 40-page binder.
Step 4: Assign Ownership and Communicate the Matrix
Ironically, your Communication Matrix itself needs to be communicated. Ensure every process owner knows their communication responsibilities.
Step 5: Review During Management Review
Include a standing agenda item in your management review (Clause 9.3) to assess whether your communication processes are working. Are complaints being logged? Are audit findings reaching the right people in time? Are regulatory changes being communicated promptly?
Step 6: Retain Evidence
You don't need to document every conversation. Focus on retaining evidence for high-stakes communications: quality policy awareness, audit findings, corrective actions, regulatory correspondence, and customer complaints. Meeting minutes, email trails, training records, and system logs are all acceptable forms of evidence.
What Auditors Look For in Clause 7.4 Reviews
When I conduct third-party audits, here is exactly how I assess Clause 7.4:
- I ask to see your communication process or matrix. If none exists, I ask how you determine what gets communicated and to whom.
- I sample three to five communications from across your QMS — typically the quality policy, a recent audit finding, a customer complaint, and a supplier notification.
- I verify evidence that each communication actually occurred: records, acknowledgment logs, training sign-offs, email threads.
- I test ownership by asking a process owner if they know their communication responsibilities. This is one of the most revealing steps.
- I look for feedback loops — does your communication process include any mechanism for confirming that the message was received and understood?
Organizations that pass Clause 7.4 cleanly on first audit almost always share one trait: their communication responsibilities are assigned to specific roles and are embedded in existing process documentation, not treated as a separate standalone system.
Citation hook: ISO 9001:2015 Clause 7.4 does not require a standalone communication procedure — it requires demonstrable evidence that relevant communications occur with defined ownership, timing, and method for both internal and external audiences.
Connecting Clause 7.4 to Continual Improvement
Communication is not static. As your organization grows, your QMS evolves, and your regulatory environment changes, your communication requirements will shift. Treat Clause 7.4 as a dynamic process:
- After every management review: Confirm communication processes are still fit for purpose.
- After every audit cycle: Use findings to identify whether communication gaps contributed to nonconformities.
- After significant organizational changes (mergers, new sites, leadership turnover): Re-map communication ownership and channels.
- After customer or regulatory feedback: Assess whether your external communication processes need refinement.
For a deeper look at how communication integrates with your broader QMS documentation and continual improvement framework, see our guide on ISO 9001 Clause 10.2 Nonconformity and Corrective Action and our overview of ISO 9001 Clause 7.3 Awareness Requirements.
Summary: Clause 7.4 Compliance Checklist
Use this checklist to self-assess your organization's Clause 7.4 compliance:
- [ ] All QMS-relevant communications have been identified (internal and external)
- [ ] Each communication defines: What, When, With Whom, How, and Who
- [ ] Ownership is assigned to specific roles (not generic "Management")
- [ ] A Communication Matrix or equivalent record exists and is maintained
- [ ] Evidence of key communications is retained (policy awareness, audit findings, customer complaints, etc.)
- [ ] External communication processes address customers, suppliers, and regulators
- [ ] Communication processes are reviewed during management review
- [ ] Changes to processes or requirements trigger defined communication actions
- [ ] Multi-site organizations have consistent communication practices across locations
Work With an Expert
At Certify Consulting, I've helped over 200 organizations across regulated and non-regulated industries build communication frameworks that satisfy Clause 7.4 on first audit — and more importantly, that actually improve operational performance. Our 100% first-time audit pass rate reflects what happens when communication is treated as a system, not an afterthought.
If your organization is preparing for ISO 9001 certification or a surveillance audit, reach out to discuss how we can support your QMS communication framework.
Last updated: 2026-04-08
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.