Introduction
Many organizations approaching ISO 9001:2015 certification expect a mountain of paperwork. In reality, the 2015 revision dramatically simplified documentation requirements compared to its predecessor. ISO 9001:2008 required six specific documented procedures plus a quality manual — none of that is mandatory anymore.
ISO 9001:2015 replaced the old terminology of "documents," "procedures," and "records" with a single term: documented information. This covers everything from policies to calibration logs, but the distinction between what you must maintain versus retain is critical. It's also one of the most commonly misunderstood aspects of the standard.
This article covers every mandatory document and record required by ISO 9001:2015 with full clause references, clarifies the maintain vs. retain distinction, and addresses the non-mandatory procedures most organizations add anyway.
TL;DR
- ISO 9001:2015 requires 4 documents to maintain: QMS Scope, Quality Policy, Quality Objectives, and documented QMS process information (Clause 4.4)
- 18+ categories of records to retain are required, spanning calibration, competence, audits, management reviews, and corrective actions
- No quality manual required — and no mandatory written procedures
- Most organizations add non-mandatory procedures for document control, internal audits, and corrective action to close common process gaps
- Design and development records (Clauses 8.3.2–8.3.6) only apply if your organization performs those activities within scope
The 4 Mandatory Documents You Must Maintain
Maintain vs. Retain — What's the Difference?
The ISO/TC 176 documented-information guidance draws a clear line between these two types:
- Maintained = describes how processes should operate; can be updated over time (equivalent to the old procedures and policies)
- Retained = evidence that something happened; cannot be revised after the fact (equivalent to the old records)
ISO 9001:2015 requires organizations to maintain only 4 documented information items.
QMS Scope — Clause 4.3
The scope defines the boundaries of your Quality Management System: which products, services, locations, and processes are included. It must also document any exclusions along with justification for why specific clauses don't apply.
Auditors check this document first. It frames the entire certification audit.
Quality Policy — Clause 5.2
The Quality Policy must be a formal, written statement approved by top management. It needs to:
- Commit to customer satisfaction and continual improvement
- Be appropriate to the organization's context and purpose
- Be communicated to all personnel
- Be available to relevant interested parties
A boilerplate policy will flag immediately in audit — it must reflect your organization's actual strategic direction.
Quality Objectives — Clause 6.2
Documented quality objectives must be measurable, monitored, and aligned to the Quality Policy. For each objective, you must document:
- What will be done
- What resources are required
- Who is responsible
- When it will be achieved
Vague statements like "improve customer satisfaction" don't meet this requirement. You need specific, trackable targets with owners and timelines.
QMS Process Information — Clause 4.4
Clause 4.4 is a maintained documented-information requirement — and the one most frequently missing from simplified lists. Organizations must maintain documented information sufficient to support the operation of their QMS processes. That includes:
- Process maps and flowcharts
- Process interaction descriptions
- Sequence and linkage documentation
- Any other records needed to ensure processes operate as intended
The 18 Mandatory Records You Must Retain
Records document what happened — unlike documents, they cannot be revised after the fact. The tables below cover all 18 retained documented-information requirements, verified against ISO/TC 176 guidance.
Note: Records marked with an asterisk (*) are conditional — they only apply when the relevant activity falls within your QMS scope.
Support Operations Records — Clauses 7–8
| Clause | Record Required |
|---|---|
| 7.1.5.1 | Monitoring and measuring equipment calibration/verification records |
| 7.1.5.2* | Basis used for calibration when no international/national standard exists |
| 7.2 | Evidence of personnel competence, training, skills, and qualifications |
| 8.2.3 | Results of product/service requirements reviews and any new requirements |
| 8.4.1 | Evaluation, selection, monitoring, and re-evaluation of external providers |
| 8.5.2* | Unique identification of outputs when traceability is required |
| 8.5.3 | Customer or external-provider property that is lost, damaged, or unsuitable |
| 8.5.6 | Results of production/service provision change reviews and authorized actions |
| 8.6 | Evidence of conformity with acceptance criteria and traceability to the release authority |
| 8.7.2 | Nonconforming outputs: description, actions taken, concessions, and decision authority |
Design and Development Records — Clauses 8.3.2–8.3.6*
These five records apply only if design and development is within your QMS scope. If your organization excludes it, document the exclusion and its justification in your QMS Scope statement.
| Clause | Record Required |
|---|---|
| 8.3.2 | Records demonstrating design and development requirements have been met |
| 8.3.3 | Design and development inputs |
| 8.3.4 | Design and development control activities |
| 8.3.5 | Design and development outputs |
| 8.3.6 | Design and development changes, including review results and authorization |
Performance Evaluation and Improvement Records — Clauses 9–10
| Clause | Record Required |
|---|---|
| 9.1.1 | Monitoring, measurement, analysis, and evaluation results |
| 9.2.2 | Implementation of the internal audit program and audit results |
| 9.3.3 | Results of management reviews (evidence that leadership evaluated QMS performance) |
| 10.2.2 | Nature of nonconformities, actions taken, and corrective action results |
The management review record (9.3.3) confirms that leadership evaluated QMS performance, not just attended a meeting. Auditors scrutinize the corrective action record (10.2.2) more than almost any other — it must show the complete cycle: problem identified, root cause analyzed, action implemented, and effectiveness confirmed.
Non-Mandatory Documents That Most Organizations Need
ISO 9001:2015 doesn't prescribe written procedures. But that flexibility comes with a practical risk: without documented guidance, processes drift. Staff turnover, rapid growth, and multi-site expansion are the most common triggers.
A useful rule: if a process won't happen consistently without written instructions, document it.
NQA confirms that Clause 7.5.1(b) requires documented information the organization determines necessary for QMS effectiveness — meaning the organization itself decides what needs to be written down based on risk and process control needs.
Commonly Added Procedures
| Procedure | Relevant Clause(s) |
|---|---|
| Addressing risks and opportunities | 6.1 |
| Competence, training, and awareness | 7.1.2, 7.2, 7.3 |
| Document and record control | 7.5 |
| Sales / customer requirements | 8.2 |
| Production and service provision | 8.5 |
| Nonconformities and corrective actions | 8.7, 10.2 |
| Internal audit | 9.2 |
| Management review | 9.3 |
| Monitoring customer satisfaction | 9.1.2 |
Multi-site organizations feel this most acutely. When the same process runs differently across locations, auditors will find it — and it's far easier to close that gap before Stage 2 than during it.
How to Control Your ISO 9001 Documentation
Clause 7.5 requires document controls even though a written procedure for document control is technically non-mandatory. Controls must address:
- Who can create, approve, update, and access documents
- How obsolete documents are identified and managed
- Where and when documents are available to those who need them
Documented information can exist in any format — paper, digital files, spreadsheets, videos, photos, templates, or process diagrams. What matters is that it's identifiable, accessible, protected from unintended changes, and retained or disposed of appropriately.
Practical minimum requirements:
- Document naming convention — consistent file or document naming that identifies what the document covers and its revision status
- Version control — clear indication of which version is current and a record of what changed
- Approval workflow — defined process for who reviews and approves new or revised documents before release
Strong document control is what gives auditors confidence the QMS is actively managed. A system where people are uncertain which version of a procedure is current, or where obsolete documents are still accessible, raises immediate audit concerns.
Version drift — where different sites or teams work from different document versions — is one of the most common audit findings in multi-site operations. Synergistic Systems' cloud-based QMS intranet addresses this directly, with permission levels for each documentation folder and records database that give every location access to the same controlled documents. For organizations managing quality across multiple sites, a single source of truth for controlled documents is far more reliable than shared drives or paper-based systems.
Building Your QMS Documentation Without Starting From Scratch
Organizations have three realistic options:
| Approach | Pros | Cons |
|---|---|---|
| Write internally | Fully customized | Time-intensive; risks missing audit requirements |
| Purchase templates | Faster starting point | Requires significant customization; may not fit your processes |
| Work with a consultant | Practical audit experience; built for your processes | Investment required |
For first-time certification or complex multi-site operations, the risk of documentation nonconformities at the Stage 1 or Stage 2 audit is real. Stage 1 audits specifically assess documented system readiness — shortcomings identified there can delay the certification timeline.
Synergistic Systems takes a collaborative approach: a 10-step fixed-price methodology includes a documentation development phase where consultants work directly with your team to translate actual operational processes into compliant, audit-ready documented information. All deliverables are hosted on a secure cloud-based QMS intranet included in the engagement:
- Quality Policy and quality objectives
- Scope statement and documented procedures
- Work instructions, forms, and records
With 25+ years of implementation experience across hundreds of projects spanning manufacturing, aerospace, food processing, oil and gas, and professional services, the firm has worked alongside every major accredited registrar including DNV, BSI, Bureau Veritas, Lloyd's Register, SGS, and Intertek.
Documentation is not the goal — a functioning QMS that improves processes, customer satisfaction, and operational performance is. Getting the documentation right is simply what makes that performance sustainable.
Frequently Asked Questions
What documents are required by ISO 9001:2015?
ISO 9001:2015 requires 4 maintained documents (QMS Scope, Quality Policy, Quality Objectives, and QMS process information under Clause 4.4) plus 18+ categories of retained records. The main body of this article covers each with its clause reference.
What are the 6 mandatory procedures for ISO 9001:2015?
ISO 9001:2015 does not have 6 mandatory procedures — that was the 2008 version. The 2015 revision removed all requirements for specific documented procedures, giving organizations flexibility to document what their own processes require based on risk and complexity.
Which document is not mandatory under ISO 9001:2015?
A quality manual is not mandatory, nor are specific written procedures for corrective action, document control, or internal audits — all of which were required under ISO 9001:2008. The 2015 standard mandates only 4 documents and 18+ record types.
Does ISO 9001:2015 require a quality manual?
ISO 9001:2015 does not require a quality manual. Many organizations create one voluntarily to consolidate the 4 mandatory documents in one place or to satisfy customer expectations, but auditors cannot cite its absence as a nonconformity.
What records must be kept to comply with ISO 9001:2015?
18+ categories of records must be retained, covering training and competence, calibration, external provider evaluation, product conformity, internal audits, management reviews, and corrective actions. Design and development records (Clauses 8.3.2–8.3.6) only apply when those activities fall within QMS scope.
Can some ISO 9001:2015 documentation requirements be excluded?
Yes. Exclusions are permitted for clauses not applicable to your operations — most commonly Clause 8.3 for design and development. Any exclusion must be documented and justified within the QMS Scope and cannot remove requirements that affect your ability to deliver conforming products or services.
