ISO 9001 Documented Information Requirements Explained

ISO 9001:2015 explicitly requires fewer documents than most people expect. You must maintain four: the scope of your quality management system (QMS), your quality policy, your quality objectives, and the documentation your own processes need to operate. Beyond that, the standard sets out roughly 21 points where you must retain records as evidence.

Since 2015 the standard has used a single term, "documented information", in place of the old split between documents and records. The current edition is ISO 9001:2015, amended in 2024 to add climate change considerations, and a new edition is expected in September 2026.

In the UK, certification is normally delivered by a UKAS-accredited certification body. The standard is widely used across the public sector too; the UK Hydrographic Office publishes its own ISO 9001:2015 certificate on GOV.UK.

Certification also matters in tendering. Contracting authorities routinely ask for ISO 9001 "or equivalent" as quality management evidence, because section 22 of the Procurement Act 2023 prevents them from requiring particular qualifications without allowing equivalents.

What Documented Information Means

ISO 9001:2015 uses two verbs to signal two different obligations. Where a clause says "maintain" documented information, a living document must exist and be kept current, such as a policy, scope statement or procedure. Where a clause says "retain" documented information, a record must be kept as evidence of what happened.

The 2008 edition controlled documents and records under two separate clauses. The 2015 edition merged them into clause 7.5.3, control of documented information, which covers identification, format, availability, protection and version control.

Whatever you create must therefore be controlled. An uncontrolled work instruction pinned to a noticeboard is a common audit finding, however good its content.

The Four Documents You Must Maintain

The QMS scope (clause 4.3) defines the boundaries of your system, the products and services covered, and the justification for any requirement you treat as not applicable. Design and development is the most common exclusion. Auditors check the scope matches what the business actually does and that exclusions are credible.

The quality policy (clause 5.2) demonstrates top management commitment. It must fit your organisation's purpose, provide a framework for setting quality objectives, and commit to meeting applicable requirements and to continual improvement. Auditors expect staff to know it and apply it, rather than finding it framed in reception and nowhere else.

Quality objectives (clause 6.2) must be measurable, consistent with the quality policy, and set at relevant functions, levels and processes. Auditors look for monitoring of progress and a plan for each objective: what will be done, by whom, by when and with what resources.

Process-support documentation (clauses 4.4 and 7.5.1) is whatever you determine your processes need to run reliably, such as procedures, work instructions, flow charts and forms. The extent is your decision, based on the size and complexity of the organisation and the competence of your people.

The Records You Must Retain

The retained records run through the resourcing, operational and performance clauses. The main requirements are:

• Calibration records (7.1.5) showing measuring equipment is fit for purpose and traceable to measurement standards.
• Competence records (7.2) covering education, training, skills and experience, plus evidence that training was evaluated for effectiveness.
• Operational records (8.1) showing processes ran as planned, such as job sheets, inspection sheets and batch records.
• Contract review records (8.2.3) evidencing the review of customer requirements and any later changes.
• Design and development records (8.3), where design is in scope, covering inputs, reviews, verification, validation, outputs and changes.
• External provider records (8.4) showing how suppliers are evaluated, selected, monitored and re-evaluated, and against what criteria.
• Production and service records (8.5), including traceability identification, problems with customer property, and authorised changes to production.
• Release records (8.6) evidencing conformity with acceptance criteria, traceable to the person authorising release.
• Nonconforming output records (8.7) describing the problem, the action taken, any concession obtained and who decided.
• Performance results (9.1.1), including monitoring data and customer satisfaction information.
• Internal audit records (9.2.2) evidencing the audit programme and the results of each audit.
• Management review records (9.3.3) covering the required inputs and the decisions and actions that came out.
• Corrective action records (10.2.2) showing the nature of each nonconformity, the action taken and whether it worked.

What Auditors Expect Beyond the Minimum

The 2015 edition dropped the mandatory quality manual and the six documented procedures the 2008 edition required. In practice, certification auditors still expect documented procedures covering control of documented information, internal audit, nonconforming outputs and corrective action as a working minimum.

The aim is a QMS that is documented, rather than a pile of documents that exists for its own sake. The following steps keep the set lean and audit-ready.

1. Map Your Processes

List the processes in your QMS with their inputs, outputs and owners. The maintained documents and retained records then attach to specific processes rather than sitting in a generic folder.

2. Document Where Absence Creates Risk

Write a procedure or work instruction where the lack of one would cause inconsistency, error or a training problem. Where a competent person can do the job reliably without one, a record of competence may be enough.

3. Apply Document Control From the Start

Give every document an owner, a version and a review date, and make the current version the only one in circulation. This satisfies clause 7.5.3 and avoids the classic finding of staff working from superseded forms.

4. Complete an Internal Audit Cycle Before Stage 2

External auditors expect a full internal audit cycle covering every QMS process before the certification audit, plus at least one management review. Both generate retained records the assessor will ask for on day one.

Recent Changes and the 2026 Revision

Amendment 1:2024 added climate change to the standard. Organisations must now determine whether climate change is a relevant issue in their context (clause 4.1) and whether interested parties have climate-related requirements (clause 4.2). No new certificate is needed, but auditors check the point at surveillance visits.

A sixth edition of ISO 9001 is at Final Draft International Standard stage, with publication expected in September 2026. A three-year transition period is anticipated, so ISO 9001:2015 certificates remain valid in the meantime.

The revision is evolutionary. Documented information terminology and the core document and record requirements carry over, with the changes focused on quality culture and ethics in leadership, restructured risk requirements, a consolidated continual improvement clause and expanded guidance in Annex A.

Quick Reference

Clause	Documented information	Document or record
4.3	Scope of the QMS, with justified exclusions	Document
5.2	Quality policy	Document
6.2	Quality objectives	Document
4.4 and 7.5.1	Information needed to support process operation	Document
7.1.5	Calibration and measurement traceability evidence	Record
7.2	Competence evidence	Record
8.1 to 8.6	Operational, contract review, design, supplier, traceability and release evidence	Record
8.7 and 10.2	Nonconformity and corrective action evidence	Record
9.1.1	Monitoring and measurement results	Record
9.2.2	Internal audit programme and results	Record
9.3.3	Management review results	Record

Common Mistakes

• Treating maintain and retain as interchangeable, so policies go stale and evidence goes missing.
• Writing a quality manual out of habit when the 2015 edition no longer requires one.
• A scope statement that does not match what the business actually does, or exclusions with no justification.
• Quality objectives that cannot be measured, or that are set once and never monitored.
• Competence records that do not match the people actually performing controlled work.
• Closing nonconformities with quick fixes and no root-cause analysis of why they happened.
• Booking the stage 2 audit before a full internal audit cycle and management review have taken place.

How Policy Pros Can Help

We write ISO documentation that is lean, controlled and matched to how your business actually works, rather than a template pack you will spend months untangling. Our ISO policy writing service covers the maintained documents, the procedures auditors expect, and the registers and forms that generate your retained records.

If you are building or refreshing a QMS, our quality policies and procedures service produces a documentation set scaled to your size and processes, ready for a UKAS-accredited certification audit.

Many organisations certify to more than one standard. If information security is on your roadmap, see our ISO 27001 mandatory documents list for the equivalent documentation requirements under that standard.