Small organizations cannot exclude ISO 9001:2015 clauses simply because of their size. The current standard does not permit broad clause-by-clause “exclusions” as ISO 9001:2008 did. Instead, it requires that:
- All requirements that are applicable to the organization’s products and services are implemented, and
- Any requirement that does not apply to the organization’s activities is treated as “not applicable” and justified in the scope of the QMS.
What “not applicable” really means in ISO 9001:2015
Under ISO 9001:2015, you do not remove entire clauses because you are small. You determine, based on your business model and processes, which specific requirements do not apply and why. Typical, defensible “not applicable” cases include:
- Design and development requirements if you truly perform no design and build only to fully defined customer or regulatory specifications.
- Post-delivery activity requirements if you have no warranty, servicing, or field support obligations, and no regulatory or contractual expectations in that area.
- Detailed requirements for externally provided processes, products, and services if you do not outsource at all (rare in practice).
In each case, the justification must be traceable to the nature of your products and services, not to your headcount or revenue.
Constraints and expectations in regulated, industrial environments
In aerospace and other regulated manufacturing contexts, the bar for claiming a requirement is “not applicable” is higher:
- Customer contracts, regulatory requirements, and sector standards (for example, AS9100) may effectively reintroduce requirements you hoped to omit.
- Prime contractors and OEMs often expect design, configuration control, and post-delivery controls even for small suppliers, because they need traceability and risk control across the supply chain.
- Auditors will test your justification against what you actually do in your operations, not only what is written in procedures.
For example, if you say design is not applicable but you regularly interpret incomplete customer drawings, choose materials, or modify configurations, an auditor may determine you are performing design or development activities and expect those requirements to be applied.
How to approach scope and applicability as a small organization
For a small manufacturer or MRO provider, a practical approach is:
- Map your real activities: Sales, contract review, purchasing, production, inspection, test, delivery, service, and change control across existing MES, ERP, and QMS tools.
- Compare to ISO 9001 clauses: Identify which requirements clearly apply and which might be candidates for “not applicable.” Be careful with borderline areas like design, post-delivery support, and control of externally provided processes.
- Check against customer and regulatory requirements: A requirement is not truly optional if contracts, flowdown clauses, or regulations demand it, even if ISO 9001 alone might allow you to treat it as not applicable.
- Document your justification: In your QMS scope statement and supporting documentation, clearly state any non-applicable requirements and the operational reason for each.
- Align with existing systems: In brownfield environments, your MES/ERP/PLM/QMS stack may already implement controls that touch a clause you hoped to omit. In practice, it can be simpler and lower risk to explicitly include such requirements than to argue they do not apply.
Why “we are small” is not enough
ISO 9001 is written to be scalable. A 20-person shop and a 2,000-person plant both apply the same clauses but with different levels of formality and tooling. The standard expects that:
- You may implement simpler controls, fewer records, and leaner documentation if your processes and risks are simpler.
- You do not discard whole requirement areas (such as risk-based thinking, competence, document control, or internal audits) because you have limited staff.
Relying on organizational size alone as the rationale for excluding requirements is risky and unlikely to withstand an audit in defense or aerospace supply chains.
Key takeaway
Small organizations cannot exclude ISO 9001 clauses just because they are small. You must:
- Apply all requirements relevant to what you actually do.
- Justify any “not applicable” requirements in your scope based on your activities, contracts, and regulatory obligations.
- Expect customers and auditors in regulated sectors to scrutinize these decisions closely, especially for design, outsourcing, and post-delivery controls.