Documentation is where most organisations get stuck with ISO 9001. There is a common fear that certification requires mountains of paperwork that nobody reads. The reality is more nuanced — the 2015 revision of the standard significantly reduced prescriptive documentation requirements, but you still need a well-structured set of documents to pass your certification audit and, more importantly, to run your quality system effectively.
What the Standard Actually Requires
ISO 9001:2015 uses the term "documented information" instead of the older terminology of "documents" and "records." This is not just a language change — it reflects a shift toward flexibility in how you maintain your quality system documentation.
The standard requires documented information in two ways. Some clauses say you "shall maintain" documented information, which means you need a document that defines how something works (a procedure, policy, or plan). Other clauses say you "shall retain" documented information, which means you need records that prove something was done (audit reports, training records, test results).
Mandatory Documents
While the standard gives organisations flexibility, certain documents are explicitly required. These are the non-negotiable elements that every certified organisation must have.
Your quality management system needs a defined scope statement that describes what your QMS covers and any exclusions. You need a quality policy that commits to meeting requirements and continual improvement. You need quality objectives that are measurable and aligned with your policy.
For operational control, you need criteria for evaluating and selecting external providers (suppliers), along with records of the results. You need records of monitoring and measurement results. You need records of management review outputs and internal audit results. You need records demonstrating the competence of people doing work that affects quality. And you need records of any nonconformities and the corrective actions taken.
Recommended Documents
Beyond the mandatory minimum, most organisations find they need additional documentation to run their QMS effectively. These are not strictly required by the standard, but auditors expect to see them and they make your system much easier to manage.
A quality manual is no longer mandatory but remains useful as an overview of your entire system — how it is structured, what processes it covers, and how they interact. Most certification bodies still expect to see one, even if the standard does not require it.
Procedures for key processes are essential in practice. At minimum, you should document your procedures for document control, internal auditing, management review, corrective action, and handling nonconforming outputs. These are the backbone processes that keep your QMS functioning.
Beyond these core procedures, you will likely need operational procedures that describe how your business delivers its products or services. The level of detail should match the complexity and risk of each process — a high-risk manufacturing process needs more detailed documentation than a routine administrative task.
The Document Hierarchy
A well-organised QMS typically follows a hierarchical structure. At the top level, you have your quality manual and quality policy — these set the strategic direction. Below that, you have procedures that describe how processes work. Below procedures, you have work instructions that provide step-by-step detail for specific tasks. And at the base, you have forms and records that capture evidence of activities performed.
Not every process needs all four levels. Simple processes might need only a procedure. Complex or high-risk processes might need detailed work instructions and multiple forms. The key is proportionality — document what needs to be documented, no more and no less.
Document Control
Whatever documents you create, you need a system for controlling them. Document control ensures that everyone is working from the correct, current version of each document and that obsolete versions are removed from use.
Your document control system needs to address several things: how documents are approved before issue, how they are reviewed and updated, how changes are identified, how current versions are made available where needed, how documents remain legible and identifiable, how external documents are controlled, and how obsolete documents are prevented from unintended use.
This sounds bureaucratic, but it does not have to be. A simple naming convention, version numbering system, and a central location for current documents (whether that is a shared drive, a document management system, or a platform) is usually sufficient.
Records Management
Records are the evidence that your QMS is working. They prove that processes were followed, decisions were made, and actions were taken. The standard requires you to retain records in several areas, and your certification auditor will want to see them.
Key records include training records showing staff competence, internal audit reports, management review minutes, customer complaint records and corrective actions, supplier evaluation records, monitoring and measurement results, and records of nonconforming outputs.
Records need to be legible, identifiable, stored securely, and retrievable when needed. You should also define how long you retain different types of records — there is no single answer, but most organisations keep quality records for at least three years.
Common Documentation Mistakes
The most frequent mistake is over-documentation. Writing 50-page procedures for simple processes creates a system that nobody follows. Keep documents as short and clear as possible while still meeting their purpose. If a process can be described in one page, do not write five.
Another common mistake is writing aspirational documents that describe how you wish things worked rather than how they actually work. Your documents need to reflect reality. Auditors will compare what your documents say against what your people actually do — and any mismatch is a nonconformity.
A third mistake is treating documentation as a one-time project. Your documents should be living references that are reviewed and updated as your processes evolve. Build regular document review into your management review process.
How Many Documents Do You Need?
For a typical small to medium business, a complete QMS document set usually includes 30 to 40 documents: a quality manual, quality policy, scope statement, 8 to 10 core procedures, 8 to 12 operational procedures, several registers and plans, and a set of forms and templates.
This might sound like a lot, but many of these are short documents — a form might be a single page, a register might be a simple table. The total volume is much less intimidating than the count suggests.
Getting It Right
The best approach to QMS documentation is to start with what you need for your certification audit, keep it proportionate to your operations, write it in plain language that your team will actually read, and plan for ongoing maintenance from day one. Your documentation should serve your business, not the other way around.