In This Article
- ISO 9001:2015 requires approximately 20 specific documented items (documents + records)
- The term "documented information" replaces separate "documents" and "records" terminology from the 2008 version
- A quality manual is no longer mandatory but remains useful for many organizations as a reference and onboarding tool
- Over-documentation is a common mistake that creates maintenance burden without adding value to your QMS
- Document control (Clause 7.5) applies to all documented information regardless of format - paper or electronic
Documentation Overview
ISO 9001:2015 uses the term "documented information" to encompass both documents (policies, procedures, plans, specifications) and records (evidence of activities performed and results achieved). Understanding what must be documented - and what should be documented - is one of the most common areas of confusion for organizations pursuing ISO 9001 certification.
The standard requires documented information that is:
- Explicitly required by ISO 9001 - the standard uses phrases like "maintain documented information" (for documents) and "retain documented information" (for records)
- Determined by the organization as necessary for the effectiveness of the QMS
"Maintain documented information" = You need a document (policy, procedure, plan) that is kept current and can be updated.
"Retain documented information" = You need a record (evidence) that is preserved and should not be altered after the fact.
Understanding this distinction is critical. Documents tell people what to do; records prove that it was done.
One of the significant changes in ISO 9001:2015 compared to the 2008 version was the reduction in prescriptive documentation requirements. The standard no longer mandates a quality manual, six mandatory procedures, or a specific documentation structure. Instead, it focuses on what needs to be documented to ensure effective process operation and control.
Mandatory Documents
The following documents are explicitly required by ISO 9001:2015 (where the standard states "maintain documented information"):
| Document | Clause | Purpose |
|---|---|---|
| QMS Scope | 4.3 | Defines boundaries and applicability of the QMS, including justification for any requirements deemed not applicable |
| Quality Policy | 5.2 | Top management commitment, framework for quality objectives, commitment to requirements and continual improvement |
| Quality Objectives | 6.2 | Measurable objectives at relevant functions, levels, and processes, with plans for achieving them |
| Criteria for Evaluation and Selection of External Providers | 8.4 | How suppliers are assessed, selected, and monitored |
| Documented Information for Process Operation | 4.4 / 8.1 | Information necessary to support the operation of QMS processes (extent determined by organization) |
In addition, if your organization performs design and development (Clause 8.3), you must maintain documented information for the design and development process, including inputs, controls, and outputs.
Mandatory Records
The following records are explicitly required by ISO 9001:2015 (where the standard states "retain documented information"):
| Record | Clause | Purpose |
|---|---|---|
| Monitoring and Measuring Resources - Calibration/Verification | 7.1.5 | Evidence that measurement equipment is calibrated or verified against traceable standards |
| Competence | 7.2 | Evidence of competence of persons performing work affecting quality (education, training, experience) |
| Planning of Operational Activities | 8.1 | Evidence that processes are carried out as planned |
| Review of Requirements for Products and Services | 8.2.3 | Results of the review and any new requirements for products and services |
| Design and Development Inputs | 8.3.3 | Requirements essential for the specific type of products and services being designed |
| Design and Development Controls | 8.3.4 | Results of reviews, verification, and validation activities |
| Design and Development Outputs | 8.3.5 | Outputs that meet input requirements |
| Design and Development Changes | 8.3.6 | Changes, review results, authorization, and actions taken to prevent adverse impacts |
| External Provider Evaluation, Selection, and Performance Monitoring | 8.4 | Results of evaluations, re-evaluations, and monitoring of external provider performance |
| Traceability | 8.5.2 | Unique identification of outputs when traceability is required |
| Customer/External Provider Property | 8.5.3 | Records when property is lost, damaged, or found unsuitable, and communication to owner |
| Production/Service Provision Change Control | 8.5.6 | Results of review of changes, persons authorizing the change, actions taken |
| Release of Products and Services | 8.6 | Evidence of conformity with acceptance criteria and traceability to authorizing person(s) |
| Control of Nonconforming Outputs | 8.7 | Description of nonconformity, actions taken, concessions obtained, authority for the decision |
| Monitoring, Measurement, Analysis, and Evaluation Results | 9.1.1 | Evidence of monitoring and measurement results |
| Internal Audit Programme and Results | 9.2 | Evidence of the implementation of the audit programme and audit results |
| Management Review Results | 9.3 | Evidence of the results of management reviews |
| Nonconformity and Corrective Action | 10.2 | Nature of nonconformities, actions taken, and results of corrective actions |
The Quality Manual Question
One of the most frequently asked questions about ISO 9001:2015 documentation is: "Do we still need a quality manual?"
The short answer is no - ISO 9001:2015 does not require a quality manual. This was a deliberate change from the 2008 version, which explicitly mandated one. However, the answer is more nuanced than a simple yes or no.
Why Many Organizations Still Maintain One
- Customer requirements: Many customers, especially in regulated industries, contractually require their suppliers to maintain a quality manual
- Convenient reference: A quality manual serves as a single point of reference that describes your QMS, its scope, processes, and how they interact
- Onboarding tool: It helps new employees understand the QMS quickly
- Marketing value: It demonstrates organizational maturity to clients and stakeholders
- Legacy systems: Organizations certified to ISO 9001:2008 already have one and find value in maintaining it
What to Include If You Choose to Have One
If you decide to maintain a quality manual, consider including:
- QMS scope and justification for any exclusions
- Quality policy
- Process interaction map
- References to supporting procedures and documentation
- Organizational structure and responsibilities
- Overview of how each clause is addressed
While auditors cannot raise a nonconformity for the absence of a quality manual, most appreciate when organizations have one. It speeds up the audit process by giving the auditor a roadmap of your QMS. Think of it as optional but beneficial - especially during initial certification audits where the auditor is learning about your organization for the first time.
Recommended (Non-Mandatory) Documents
Beyond the explicit requirements, the following documents are commonly maintained by certified organizations and are considered good practice:
Procedures and Processes
- Document control procedure
- Procedure for control of records
- Internal audit procedure
- Corrective action procedure
- Management review procedure
- Risk and opportunity management procedure
- Customer complaint handling procedure
- Purchasing and supplier management procedure
- Training and competence procedure
- Product/service realization procedures
Plans and Registers
- Risk register (recommended though not mandated)
- Training plan
- Calibration schedule
- Internal audit schedule
- Supplier approved list
- Process interaction map
- Communication plan
- Change management log
Operational Documents
- Work instructions for critical processes
- Inspection and test plans
- Product/service specifications
- Job descriptions with competence requirements
- Customer satisfaction survey forms
- Nonconformance report forms
- Corrective action report forms
Document Control Requirements
Clause 7.5 requires that documented information be controlled to ensure it is available, suitable for use, and adequately protected. Specific control activities include:
Creation and Updating (7.5.2)
- Appropriate identification and description (title, date, author, reference number)
- Appropriate format (language, software version, graphics) and media (paper, electronic)
- Appropriate review and approval for suitability and adequacy
Control of Documented Information (7.5.3)
- Distribution, access, retrieval, and use: Ensure the right people have access to the right version at the right time
- Storage and preservation: Protect against loss, damage, deterioration, and unauthorized alteration
- Control of changes: Maintain version control so that changes are tracked and previous versions are identifiable
- Retention and disposition: Define how long records are kept and how they are disposed of securely
| Control Activity | For Documents | For Records |
|---|---|---|
| Version Control | Required - track current vs. obsolete versions | Not typically versioned (records are point-in-time) |
| Approval | Required before issue and after updates | May require authorization (e.g., release records) |
| Distribution | Ensure current versions are available where needed | Ensure retrievable when needed |
| Retention | Maintain current version; manage obsolete copies | Retain for defined period per retention schedule |
| Protection | Prevent unauthorized changes | Prevent alteration, loss, or deterioration |
Common Documentation Mistakes
After years of auditing organizations against ISO 9001, these are the documentation pitfalls that appear most frequently:
Mistake #1: Over-Documentation
The problem: Creating mountains of procedures, work instructions, and forms for every conceivable activity, resulting in a documentation system that is impossible to maintain and that nobody uses.
The fix: Document what is required by the standard, what is needed for effective process operation, and nothing more. A lean, well-maintained documentation system is far more effective than a comprehensive but neglected one. Ask yourself: "If this document disappeared, would it affect our ability to deliver quality products and services?"
Mistake #2: Not Maintaining Records
The problem: Activities happen but are not recorded, or records are generated but not filed or retained properly. When the auditor asks for evidence, it cannot be found.
The fix: Build record generation into your processes. If a procedure says "review shall be conducted," the output of that review must be recorded. Use checklists, templates, and digital tools to make recording easy and consistent.
Mistake #3: Confusing Documents and Records
The problem: Treating records like documents (updating them after the fact) or treating documents like records (never updating them once created).
The fix: Understand the fundamental difference. Documents are living - they should be updated when processes change. Records are historical - they capture what happened at a point in time and should not be altered. A completed inspection form is a record; the inspection procedure is a document.
Mistake #4: Documents That Do Not Reflect Reality
The problem: Procedures describe an idealized process that nobody actually follows, or processes have evolved but documentation has not been updated.
The fix: Involve process owners when creating and reviewing procedures. Conduct periodic "walk-throughs" where you observe the actual process and compare it to the documented procedure. Update documentation whenever processes change, not just at annual review time.
Mistake #5: No Document Control
The problem: Multiple versions of the same document in circulation, no approval process, no way to identify the current version, obsolete documents still in use.
The fix: Implement a simple but effective document control system. This does not need to be complex software - even a well-managed shared drive with naming conventions and an access-controlled master list can work. The key elements are: version numbering, approval records, a master document register, and a process for withdrawing obsolete versions.
Say what you do. Do what you say. Prove that you did it.
Your documents describe your processes (say what you do). Your people follow those processes (do what you say). Your records prove activities were carried out (prove that you did it). If these three align, your documentation system is working as intended.
The most effective QMS documentation is that which genuinely helps people do their jobs better, not documentation maintained solely to satisfy an auditor. If your documented information serves your organization first and the standard second, you have the right balance.
Frequently Asked Questions
Is a quality manual required for ISO 9001:2015?
No, a quality manual is not required by ISO 9001:2015. This was a deliberate change from the 2008 version, which explicitly mandated one. However, many organizations choose to maintain a quality manual because it serves as a convenient single-point reference for employees and auditors, aids onboarding of new staff, and demonstrates organizational maturity to clients and stakeholders.
What is the difference between a document and a record in ISO 9001?
Documents are "maintained" - they are living documents like policies, procedures, and plans that are kept current and updated when processes change. Records are "retained" - they are evidence of activities performed and results achieved, captured at a point in time and should not be altered after the fact. A simple way to remember: documents tell people what to do; records prove that it was done. A completed inspection form is a record; the inspection procedure is a document.
How should ISO 9001 documents be controlled?
ISO 9001 Clause 7.5 requires documents to be controlled to ensure availability where needed, protect integrity against unauthorized changes, manage distribution so current versions are accessible, control changes with version tracking, and retain records for defined periods per a retention schedule. Key activities include identification, review and approval, version control, access management, and secure disposition of obsolete versions.
Can ISO 9001 documentation be electronic?
Yes, ISO 9001 documentation can be in any format - paper, electronic, or a combination. The standard does not prescribe a specific format. Electronic documentation is increasingly common and can be more effective for version control, distribution, and access management. Cloud-based document management systems, SharePoint, and dedicated QMS software are all acceptable as long as the document control requirements of Clause 7.5 are met.
What records must be kept for ISO 9001?
ISO 9001:2015 requires approximately 18 specific records including: calibration and verification records (7.1.5), competence evidence (7.2), operational planning records (8.1), contract review results (8.2.3), design and development records for inputs, controls, outputs, and changes (8.3), supplier evaluation records (8.4), traceability records (8.5.2), product release evidence (8.6), nonconforming output records (8.7), monitoring and measurement results (9.1.1), internal audit results (9.2), management review outputs (9.3), and corrective action records (10.2).