ISO 9001:2015 uses the term “documented information” instead of a fixed list of procedures or a “quality manual.” The standard itself explicitly requires only a core set of documents and records, but many regulated plants maintain a larger QMS library to satisfy customers, regulators, and internal risk expectations.
Core documented information explicitly required
The following items are directly required by ISO 9001:2015. Wording and structure can vary, and they can live in multiple systems (QMS, MES, ERP, PLM), as long as they are controlled and accessible.
- Scope of the quality management system (clause 4.3)
- Documented information needed by the organization for the effectiveness of the QMS (clause 4.4.2) – at minimum, this includes the items below, but can be broader based on risk.
- Quality policy (clause 5.2.2) – documented and communicated.
- Quality objectives and planning to achieve them (clause 6.2.1 & 6.2.2).
- Criteria and methods for operation and control of processes where needed to ensure effective operation (clause 4.4.1). In practice, this often means documented procedures, work instructions, or routings for key processes.
- Documented information needed to support the operation of processes (clause 7.5.1b) – typically includes selected SOPs, work instructions, and specifications, particularly for special processes or regulated operations.
Records that must be retained
The standard calls out specific records that must be retained as evidence that processes are performed as planned. At a minimum, these include:
- Monitoring and measurement results (clause 9.1.1) as applicable to your processes and products.
- Evidence of fitness for purpose of monitoring and measuring resources (e.g., calibration) (clause 7.1.5.1).
- Evidence of competence for persons doing work under your control (e.g., training records, qualifications) (clause 7.2).
- Design and development planning, inputs, controls, verification, validation and changes, where design is in scope (clause 8.3.2 to 8.3.6).
- Evidence that production and service provision meet requirements (clause 8.5.1).
- Traceability records where traceability is a requirement (clause 8.5.2).
- Records of property belonging to customers or external providers if applicable (clause 8.5.3).
- Control of changes in production or service provision (clause 8.5.6).
- Results of the review and verification of externally provided processes, products and services (supplier evaluations, approvals, monitoring) (clause 8.4.1 & 8.4.2).
- Results of design and development reviews, verification and validation (clause 8.3.2 to 8.3.4).
- Records of nonconformities and actions taken (clause 8.7.2).
- Results of corrective actions (clause 10.2.2).
- Results of internal audits (clause 9.2.2).
- Results of management reviews (clause 9.3.3).
In industrial and aerospace contexts, many of these records live in multiple systems and formats: QMS software, MES logs, ERP data, PLM change records, calibration systems, and sometimes controlled spreadsheets. ISO 9001:2015 does not mandate specific tools; it requires that these records exist, are controlled, and are retrievable.
What is no longer strictly mandatory compared to older versions
ISO 9001:2015 removed some explicit documentation requirements that were present in ISO 9001:2008, such as:
- No explicit requirement for a single quality manual.
- No explicit list of six required documented procedures (e.g., control of documents, control of records, internal audit) as standalone procedures.
However, the underlying controls are still required. You still need defined methods for document control, records control, nonconformance management, internal audits, and corrective action. They can be embedded in broader procedures, digital workflows, or system configurations, but you must be able to demonstrate that they are defined, consistently applied, and under change control.
Regulated and aerospace contexts: what is typically expected
In regulated manufacturing (e.g., aerospace with AS9100, medical devices, defense), the “practical minimum” goes beyond ISO 9001:2015’s explicit list. You will typically see:
- A structured QMS document hierarchy (policy / system procedures / process procedures / work instructions / forms) under formal document control.
- Digitally controlled work instructions and routings in MES/ERP, often treated as QMS documents with formal review and approval workflows.
- Integrated nonconformance, MRB and CAPA workflows with traceability to product, process, and root cause analysis records.
- Formal configuration management and change control records for product and process changes, often managed in PLM or engineering systems.
- Structured supplier management records (audits, scorecards, approvals) beyond what ISO 9001 alone would strictly require.
Full replacement of legacy QMS/MES/ERP document repositories purely to “simplify” ISO 9001 documentation often fails in aerospace-grade environments because of validation costs, downtime risk, interface complexity, and long equipment and tooling lifecycles. Most organizations instead layer tighter document control and traceability on top of existing systems and phase changes in gradually under formal change control.
Key dependencies and tradeoffs
- Risk-based documentation level: ISO 9001:2015 expects you to determine the necessary level of documented information based on process risk, complexity, and competence levels. Highly manual, special, or safety-critical processes usually need more detailed documentation.
- System coexistence: In brownfield environments, acceptable evidence is often distributed: an NC in the QMS, a routing in MES, calibration in a gage system, training records in an LMS. This is compatible with ISO 9001 as long as records are controlled and retrievable.
- Traceability and auditability: The practical question in audits is less “Do you have document X?” and more “Can you show clear, controlled evidence that process Y is defined and consistently executed, and that you can trace from nonconformance or complaint back to relevant records?”
In summary, ISO 9001:2015 mandates a focused but not exhaustive set of documents and records. Regulated manufacturers typically maintain a much richer documentation set and supporting systems to manage risk, customer expectations, and sector-specific standards, while balancing integration burden and change-control realities.
