What ISO 9001 Requires in Terms of Documented Procedures
ISO 9001:2015 uses the term documented information rather than the older "documented procedures" and "quality records" terminology of the 2008 version. This change reflects the standard's format-neutrality — documented information can be a written SOP, a process map, a video, or any other format that adequately describes how the process works.
The standard contains two types of documented information requirements:
📄 Documented Information to be Maintained
These are your procedures — written instructions describing how processes are performed. ISO 9001:2015 specifies when to "maintain documented information" throughout Clauses 4–10.
Examples: Document control procedure, internal audit procedure, corrective action procedure.
📊 Documented Information to be Retained
These are your records — evidence that processes were performed. ISO 9001:2015 specifies when to "retain documented information" as evidence of conformance.
Examples: Audit reports, training records, inspection records, nonconformance reports.
In practice, most organizations seeking ISO 9001 certification maintain 15–30 procedures covering all significant QMS processes — far more than the 6 explicitly mandated ones. Auditors expect to find documented procedures for any process where inconsistent execution could affect product or service quality, customer satisfaction, or regulatory compliance.
The 6 Mandatory ISO 9001 Procedures
These procedures are explicitly required by ISO 9001:2015. Without them, your QMS is non-conformant and you will fail a certification audit.
Document Control Procedure
Clause 7.5Defines how documented information is created, reviewed, approved, updated, distributed, and disposed of. Specifies version numbering, approval authorities, storage locations, and retention periods. This is the meta-procedure that governs all other procedures.
Records Management Procedure
Clause 7.5Establishes how quality records are identified, stored, protected, retrieved, retained, and disposed of. Defines retention periods for each record type and responsibilities for records custody. Often combined with the Document Control procedure.
Internal Audit Procedure
Clause 9.2Defines the process for planning, conducting, and reporting internal quality audits. Covers audit scope and criteria, audit program management, auditor competency, audit report format, and corrective action follow-up for audit findings.
Management Review Procedure
Clause 9.3Specifies how and when top management reviews the QMS — including the required inputs (audit results, customer feedback, process performance, risks and opportunities), how decisions and action items are documented, and follow-up responsibilities.
Nonconforming Outputs Procedure
Clause 8.7Defines how products or services that fail to meet requirements are identified, segregated, evaluated, and dispositioned. Covers containment actions, notification to customers when required, evaluation of impact, and linkage to the corrective action process.
Corrective Action Procedure
Clause 10.2Establishes the process for identifying nonconformities, conducting root cause analysis, determining and implementing corrective actions, verifying effectiveness, and preventing recurrence. This procedure is central to the ISO 9001 philosophy of continual improvement.
How to Structure an ISO-Compliant SOP
ISO 9001 does not mandate a specific procedure format, but auditors expect certain elements to be present. This structure is widely accepted as best practice across certification bodies:
| Section | Content |
|---|---|
| Document Header | Document number, title, revision, effective date, approval signature |
| Purpose / Objective | 1–2 sentences: why this procedure exists and what it achieves |
| Scope | What the procedure covers, who it applies to, where it starts and ends |
| Normative References | Related ISO clauses, regulatory standards, and internal documents |
| Terms and Definitions | Organization-specific terminology used in the procedure |
| Responsibilities | Who performs each step; who is accountable for outcomes (RACI) |
| Procedure | Numbered, action-verb steps describing how the process is performed |
| Associated Records | List of records created by following this procedure |
| Revision History | Date, revision number, author, and description of each change |
5 Steps to Document Your ISO 9001 Procedures
Identify your required documented information
Review all ISO 9001:2015 clauses that specify 'documented information shall be maintained' or 'documented information shall be retained.' Create a documentation matrix listing each required document, its purpose, current status, and owner.
Choose a consistent procedure format
Establish a standard template for all procedures including: document header (number, title, revision, date, approval), purpose, scope, references, definitions, responsibilities, procedure steps, associated records, and revision history. Consistent format makes audits simpler and employees more familiar with where to find information.
Write procedures with subject matter experts
Interview the people who perform each process. Verify that procedures describe actual current practice, not theoretical ideal practice. An auditor may interview operators and compare their answers to the written procedure — any significant discrepancy is a finding.
Implement document control from day one
Every procedure requires a unique document number, revision level, effective date, and approval signature before release. Establish your document control procedure first — all subsequent procedures are controlled under it.
Train and verify competence
ISO 9001 requires evidence that persons performing documented procedures are competent. For each procedure, define the required competence (training, experience, qualification) and maintain training records. After initial release, confirm staff can locate and follow the procedure correctly.
20 Most Common ISO 9001 Procedures
Beyond the 6 mandatory procedures, most certified organizations maintain these additional documented procedures to demonstrate QMS compliance. Generate any of these with WorkProcedures' AI in under 2 minutes.
How WorkProcedures Helps Teams Achieve ISO 9001 Compliance
Building a complete ISO 9001 documentation system from scratch typically takes 3–6 months with traditional methods. WorkProcedures compresses this timeline significantly by generating structured, ISO-aligned first-draft procedures in under 2 minutes each.
AI-Generated First Drafts
Generate complete ISO 9001 procedure first drafts from a brief description. The AI produces structured output with all required sections — purpose, scope, responsibilities, numbered steps, associated records, and revision history.
ISO-Aligned Templates
Pre-built procedure templates designed for ISO 9001 compliance, including all 6 mandatory procedures and the most common QMS procedures — ready to customize for your organization.
Document Control Built In
Automatic version history, approval workflows, and change tracking satisfy ISO 9001 document control requirements without manual administration overhead.
Distribution and Acknowledgment
Assign procedures to the relevant employees and track acknowledgment — producing the training records and awareness evidence required by ISO 9001 Clause 7.3.
Common ISO 9001 Documentation Mistakes
⚠️ Procedures don't reflect actual practice
The most common cause of audit failures: auditors interview operators and find their answers don't match the written procedure. Always write procedures based on how work actually happens, not how it should theoretically happen.
⚠️ Missing document control for QMS procedures themselves
Ironically, many organizations that have a document control procedure fail to apply document control to their own QMS documents. Every procedure must have a document number, revision level, effective date, and approval evidence.
⚠️ Responsibilities not clearly assigned
Procedures that say 'the team is responsible' rather than naming specific roles create accountability voids. ISO 9001 Clause 5.3 requires clearly assigned responsibilities — your procedures must reflect this.
⚠️ Records not identified
Every procedure that generates records should list those records explicitly (including their retention period). Auditors look for this connection between procedure steps and the records that evidence their completion.
⚠️ Outdated procedures still in circulation
Superseded procedure versions accessible to employees are a significant audit finding. Your document control procedure must specify how obsolete documents are removed from use and whether they are retained for reference.
Frequently Asked Questions
What procedures does ISO 9001:2015 require?
ISO 9001:2015 requires organizations to maintain documented procedures for: document control (Clause 7.5), records management (Clause 7.5), internal audits (Clause 9.2), management review (Clause 9.3), control of nonconforming outputs (Clause 8.7), and corrective action (Clause 10.2). Beyond these six, the standard requires documented information for all processes significant to the QMS — which in practice means most organizations need 15–30+ documented procedures to demonstrate compliance.
What is the difference between ISO 9001 'documented information' and a procedure?
ISO 9001:2015 uses the term 'documented information' instead of the older ISO 9001:2008 terminology of 'documented procedures.' The change was deliberate — the standard is format-neutral. Documented information can be a traditional SOP, a process map, a checklist, a video, or any other format that effectively describes how the process works. What matters is that the information is controlled (versioned, approved, accessible) and current.
How should an ISO 9001 procedure be structured?
A compliant ISO 9001 procedure typically includes: a header (title, document number, revision, effective date, approval signatures), purpose/scope, references (related clauses and documents), definitions of key terms, responsibilities (RACI), the procedure steps, associated records, and revision history. The exact format is not mandated by the standard — choose what works best for your team as long as it addresses these elements.
Can I use AI to write ISO 9001 procedures?
Yes. AI SOP tools like WorkProcedures can generate ISO 9001-compliant procedure first drafts that include all required structural elements — purpose, scope, responsibilities, numbered steps, associated records, and version history. The generated draft requires review by your quality team to incorporate organization-specific details, correct process descriptions, and accurate references to your QMS structure. AI generation reduces writing time by 80% while the human review ensures accuracy and compliance.
How often should ISO 9001 procedures be reviewed?
ISO 9001 does not specify a mandatory review frequency, but annual review of all procedures is the industry standard. Procedures should be reviewed immediately when: the underlying process changes, a nonconformity or corrective action reveals a procedure gap, new regulations affect the covered process, or an internal audit identifies documentation weaknesses. Each procedure should have a 'Next Review Date' field and a named owner responsible for conducting the review.