Ethical Behaviour and Quality Culture in ISO 9001:2026—Real Examples
- Agnes Sopel
- 4 hours ago

The draft introduces a visible shift: leadership is expected to promote a quality culture and ethical behaviour, and people must be aware of those expectations as part of 7.3. That sounds abstract until you translate it into day-to-day choices that can be seen, heard and verified.
The real test is whether decisions, incentives, conversations and controls already reflect the stance that integrity is non-negotiable, particularly under pressure. Auditors cannot certify a virtue; they can test whether conduct, awareness and governance practices coherently point to it.
Leadership in practice: decisions under pressure, not posters on walls
A medium-sized fabricator accepts a rush order that would normally tempt the line to skip a hold-point.
Before the shift, the operations director gathers the team and repeats the house rule: no bypasses, ever. He funds overtime, brings in an extra checker and personally attends the first two sign-offs.
When a pallet fails inspection that night, the nonconformity remains in the log with the director’s commentary preserved: “why we did not ship.”
One week later, the management review minutes record the decision to add a relief inspector to the late shift for three months. In the next certification audit, interviewees can recall the incident and the stance taken.
The auditor does not need a “code of ethics” to see culture; they can triangulate the director’s briefing notes and rota change, the nonconformance record with timestamps, the review minutes, and the interviews.
That chain of evidence shows leadership promoting ethical behaviour and quality culture in Clause 5.1.1 terms, precisely because a short-term commercial incentive was declined when it clashed with integrity expectations.
Summaries of the DIS make clear that ethics and culture now sit inside leadership and commitment rather than in peripheral guidance, so auditors are right to expect this level of lived example.
On a different stage, a SaaS company faces a quarter-end release deadline with unresolved security defects. The CTO refuses a green light, issues a company-wide note explaining why delaying protects customers, and runs an open Q&A.
The decision appears in change-control records, the risk register shows the hazard and the accepted delay, release notes evidence the deferral, and town-hall recordings show messaging consistent with the quality policy.
When an auditor uses ISO 19011’s interview-observation-document triangulation, they will find coherence: people can describe the expectation, they observed leadership live it, and the records show the decision trail.
DIS commentaries emphasise that Annex guidance and leadership text now direct organisations toward behaviour, not just paperwork; this is what that looks like.
Awareness that changes behaviour: from onboarding slides to speak-up reflexes
Awareness under Clause 7.3 expands to include the organisation’s quality culture and ethical behaviour. In real terms, onboarding is no longer a one-off slide.
A construction company rewrites its induction so that a foreman can describe in their own words what to do when a client pressures for a shortcut.
Micro-learning modules ask staff to recall an instance of pressure and how they responded; managers run short “moral rehearsal” discussions on Fridays, using an anonymised dilemma from the week.
Internal audits sample not just training completion, but recall: randomly selected operatives explain the escalation route and whether they believe they will be backed if they stop unsafe or nonconforming work.
The auditor corroborates with corrective-action history that shows no punitive response for stop-the-line calls, and with HR data showing promotions that rewarded people who upheld standards under stress.
DIS summaries from reputable sources name this directly: employees must be aware of the organisation’s quality culture and ethical behaviour; awareness is no longer satisfied by role descriptions alone.
A small distributor with a limited budget achieves the same intent without bureaucracy. The MD opens the Monday stand-up with a five-minute “integrity moment” drawn from a customer complaint, invites a driver to explain how they handled it, and closes with the house expectation on substitutions and traceability.
The auditor hears consistent recall in interviews, sees the stand-up notes in Teams, and traces a recent complaint through to a management review where the root cause included incentive pressure on the sales team.
In the review minute, leadership accepts that commission rules unintentionally discouraged telling the truth about availability, and alters the scheme. Because 5.1.1 now expects leadership to promote culture and ethics, the changed incentive becomes hard evidence of promotion by systemic design, not slogans.
Planning, risks and the “culture root cause”: building ethics into the mechanics
The DIS tightens planning by separating risks and opportunities and absorbing the 2024 climate amendment into context.
This is the right place to make ethical risk visible. A medical devices supplier adds “integrity risk” to its 6.1 register with scenarios that actually happen: supplier offers of “expedited” certificates, data massaging in complaint trending, and schedule pressure on validation protocols.
For each scenario, the register names controls such as dual sign-off on any retrospective data entry, supplier integrity criteria and whistleblowing routes. When an internal nonconformity later exposes a back-dated training record, the corrective action includes a cultural root-cause analysis: why did a supervisor feel compelled to back-date rather than escalate?
The action is not merely “retrain on LMS”; it includes reducing unrealistic training windows and introducing a simple “missed-deadline confession” pathway with no penalty when declared honestly.
At audit, the assessor can read across the risk register, corrective-action trail, and changes to planning assumptions. That kind of triangulation is what ISO 19011 encourages when auditing less tangible elements like leadership and culture, and it directly answers the DIS’s intention to close the gap between paper and behaviour.
Management review as the culture dashboard: what “good” looks like in minutes and data
If ethics and quality culture are real, they appear in management review without being forced. A credible review pack now includes a short narrative on culture: trends in near-miss and concern reporting, time-to-closure for integrity-related issues, hotspots where schedule pressure correlates with defects, and outcomes from a brief quarterly pulse survey on “freedom to speak up” and “I believe leadership will back a difficult right decision.”
In a lean operation, this might be two charts and a narrative paragraph; in an enterprise, it might be a dashboard fed by ticketing and HR systems. The reviewer reads minutes where leadership actions follow the signals: a surge in “work-to-rule” reports leads to extra cover on a line; an uptick in “late-stage spec change” defects leads to a stop-and-fix with the sales director and a tougher change-approval gate.
Summaries of the DIS from DNV, BSI and others make it plain that leadership’s responsibility now includes making culture and ethics lived priorities; management review is where auditors can see whether this is monitored like any other critical performance condition.
Supplier governance where ethics meets quality: how to make it auditable
Culture collapses quickly at the boundary with suppliers. A telecoms integrator changes its approved-supplier criteria to include integrity criteria, not just price and lead-time. It requires declaration of subcontracting, proof of anti-bribery controls where relevant, and spot verification of test reports with issuing labs.
When a lab certificate looks suspicious, the integrator logs a supplier nonconformity, pauses receipts from that lot, notifies impacted customers, and runs a joint 8D with the supplier.
Later, purchasing sends a communication reminding suppliers that falsified documents are a stop condition. In audit, the assessor can follow the thread: approved supplier file with integrity criteria, the specific incident record, the containment action, the customer notice, and the preventive signal to the supply base.
Because ISO/DIS 9001 is aligning with broader governance expectations and explicitly naming ethics within leadership responsibilities, supplier-edge behaviour becomes part of the picture rather than an afterthought.
Internal audits that actually detect culture: technique, sampling and proof
Auditors following ISO 19011 will avoid pass-fail judgments based on slogans and will seek converging lines of evidence. They will enter a shift meeting and quietly observe whether managers shut down uncomfortable news or reward candour; they will ask operators to recall the last time they refused a shortcut and what happened next; they will request two recent nonconformities where the root cause included pressure or incentives, and examine whether actions addressed the cultural cause rather than only the procedure.
They will sample an area under commercial stress rather than only a tidy cell. They will check whether a high-risk area shows fewer reports than comparable areas and ask why.
They will corroborate with documents that cannot be “re-written for the audit”: time-stamped ticket logs, LMS analytics showing overdue training acknowledged rather than back-dated, and recordings of town-halls in which executives publicly take ownership for a delay or a recall.
ISO 19011 explicitly guides auditors to evaluate leadership and commitment with interviews, observation and document review, and to expand Annex A techniques for concepts like context and leadership; that guidance maps neatly to the DIS’s behavioural emphasis.
Small organisations without bureaucracy: credible evidence that still fits on one page
A five-person consultancy will not build dashboards, but it can still show culture. The principal keeps a short “decision log” where any dilemma with a client or supplier is recorded in plain language alongside the choice made and the value appealed to.
When a client pressures them to post-date a report to match a bid, the log shows the refusal and the explanation sent. The quality policy includes a single sentence on how integrity governs delivery, and the awareness requirement is met through quarterly “case reflections” captured in meeting notes.
During the audit, interviews elicit consistent stories, and the decision log substantiates them. DIS commentary from credible sources notes that the ethics and culture additions are behavioural; they do not require a new pile of forms, and the 7.3 expansion is about what people actually know and do.
What “bad” looks like and how to catch it early
A manufacturer boasts of its “safety and quality first” values but shows chronic back-dating of calibration and training records each quarter-end, with identical timestamps and user IDs.
Customer complaints spike after late engineering changes, but the culture section of the management review is blank.
Operators cannot recall a single instance of a manager backing a stop, and the nonconformance log shows several “no defect found” closures with identical boilerplate.
An ISO-savvy auditor will apply 19011’s sceptical sampling: pull raw audit-trail exports from the LMS to test time-sequence plausibility, trace a late-stage change to shipped product and customer notices, and interview across shifts for recall of leadership actions taken when targets and integrity clashed.
If the only evidence of “ethical behaviour” is a framed value statement, the organisation has not met the spirit of the DIS additions to 5.1.1 and 7.3. Even critical commentators note that the language exists, but warn of “unenforceable platitudes” if it is not anchored in behaviour and evidence.
Writing it into the system so it survives leaders and auditors alike
Organisations can formalise the behavioural intent without bureaucracy by updating three artefacts.
The quality policy gains a sentence that links quality to ethical conduct and the organisation’s strategic direction so it is not generic.
The internal audit programme adds a short section on “culture and ethics assessment points” so auditors always probe behaviour under pressure, including supplier interfaces.
The management review agenda includes a standing item on culture signals with two or three data points and a narrative, scaled to the size of the business.
DIS overviews from BSI, DNV, RigCert and others all converge on the same proposition: ethics and culture are now part of leadership accountability and the awareness obligation; planning and review mechanics should therefore absorb them like any other critical factor.
Closing thought for both sides of the table
Auditors are not asked to moralise; they are asked to evidence whether leadership promotes a quality culture and ethical behaviour, and whether people know it and live it.
Organisations are not asked to add binders; they are asked to align decisions, incentives and conversations with the stance they claim.
When a difficult right decision leaves tracks in minutes, logs, rotas, and the memories of the people who were there, auditors will find it. When “ethics” is only a poster, they will find that too.
Sources
Title: ISO 9001:2026 Draft Update Version Released (DNV); accessed on: 14 October 2025; https://www.dnv.us/news/2025/ba_iso-90012026_update-released/
Title: ISO 9001:2026 – Key Changes and Guidance (BSI); accessed on: 14 October 2025; https://www.bsigroup.com/en-CA/products-and-services/standards-services/iso-9001-2026-key-changes-and-guidance/
Title: Draft of ISO 9001:2026—What to Expect (RigCert); accessed on: 14 October 2025; https://rigcert.education/resources/draft-of-iso-9001-2026-what-to-expect
Title: ISO 9001:2026 – Key Updates & Transition Guidance (SGS); accessed on: 14 October 2025; https://www.sgs.com/en-us/showcases/iso-9001-2026-key-updates-and-transition-guidance
Title: ISO 9001:2026 Revision – Key Changes and How to Prepare (Advisera); accessed on: 14 October 2025; https://advisera.com/articles/iso-9001-2026-revision-key-changes/
Title: ISO 9001:2026 Revision: Key Changes, Timeline & What to Expect (9001Simplified); accessed on: 14 October 2025; https://www.9001simplified.com/learn/next-iso-9001-revision.php
Title: ISO 9001:2015 vs. ISO/DIS 9001:2025—Main differences (Advisera); accessed on: 14 October 2025; https://advisera.com/articles/iso-9001-2015-vs-dis-9001-2025-main-differences/
Title: ISO 19011—Guidelines for Auditing Management Systems (ASQ overview); accessed on: 14 October 2025; https://asq.org/quality-resources/iso-19011
Title: ISO 19011:2018—Guidelines for auditing management systems (PDF extract); accessed on: 14 October 2025; https://synersia.org/wp-content/uploads/2021/02/ISO-19011-2018-Pedoman-Audit-Sistem-Manajemen-EN.pdf
Title: The new Draft International Standard (DIS) for ISO 9001:2026 has officially landed (NEPIC); accessed on: 14 October 2025; https://www.nepic.co.uk/%E2%AD%90%EF%B8%8F%E2%AD%90%EF%B8%8Fthe-new-draft-international-standard-dis-for-iso-90012026-has-officially-landed%E2%AD%90%EF%B8%8F%E2%AD%90%EF%B8%8F/
Title: ISO 9001:2026 Final Draft (?) Gets Weirder Still (Oxebridge—commentary); accessed on: 14 October 2025; https://www.oxebridge.com/emma/iso-90012026-final-draft-gets-weirder-still/