ISO 9001:2015 is intentionally flexible about documentation, but auditors still expect a coherent, controlled evidence set. The exact list depends on your scope, process complexity, regulatory overlay (e.g., aerospace, medical), and how much is in electronic systems vs paper. The items below are a practical baseline for a manufacturing / industrial operation.
1. Top-level QMS definition and governance
- QMS scope statement and any exclusions, with justification.
- Quality policy and quality objectives with evidence they are communicated and reviewed.
- High-level QMS description (often a quality manual, even if not formally required) showing how you address each ISO 9001 clause.
- Organizational chart and key roles/responsibilities relevant to the QMS.
- Documented process map or interaction of key processes (e.g., value stream or SIPOC-style map).
2. Document control and records management
- Procedure for control of documented information (creation, review, approval, revision, distribution, retention, and archival).
- Master list or index of controlled documents, or equivalent capability in your DMS/MES/ERP.
- Examples of current and superseded documents demonstrating version control and traceability.
- Records retention schedule aligned with regulatory and customer requirements.
3. Risk-based thinking and planning
- Business / quality planning outputs showing how risks and opportunities are identified and addressed.
- Risk assessments for key processes (e.g., PFMEA, risk registers, or equivalent).
- Change management / management of change procedure for process, product, equipment, or software changes.
- Evidence of how risk controls are implemented and monitored (e.g., control plans, error-proofing measures, inspection strategies).
4. Operational process documentation
What you need here depends heavily on how you run operations (paper travelers vs MES vs ERP-integrated flows), but auditors will look for documented information that defines and controls how work is done.
- Documented procedures or standard work for core processes, for example:
- Order review / contract review.
- Design and development (if in scope).
- Purchasing and supplier management.
- Production and service provision, including setup, operation, in-process checks, and release.
- Equipment calibration and maintenance.
- Identification, traceability, and preservation of product.
- Work instructions, travelers, routings, or digital work instructions for representative operations, with revision control.
- Process specifications, inspection plans, sampling plans, and acceptance criteria.
- Evidence of process validation/qualification where applicable (e.g., special processes, software tools, test methods).
5. Supplier and purchasing controls
- Approved supplier list (ASL) and criteria for approval, monitoring, and reevaluation.
- Purchasing / supplier control procedures.
- Supplier performance monitoring records (e.g., scorecards, OTD/quality metrics, corrective actions).
- Sample POs, contracts, and flowdown requirements to suppliers.
- Incoming inspection or receiving verification procedures and records.
6. Production, inspection, and release records
In brownfield environments, these may be split across MES, ERP, LIMS, spreadsheets, and paper. Auditors care less about where they live and more about consistency, control, and traceability.
- Completed travelers, batch records, or digital execution records showing:
- Operator sign-offs and timestamps.
- Process steps performed as planned.
- Traceability to materials, tooling, and test equipment where applicable.
- In-process and final inspection records, including measured results vs specifications.
- Evidence of product release decisions and authority (e.g., acceptance stamps, digital approvals).
- Rework, repair, and deviation/concession records where relevant.
7. Calibration and equipment maintenance
- Calibration procedure and criteria (including recall and out-of-tolerance handling).
- Calibration certificates and records (including unique ID, dates, status, and results).
- List of measurement equipment in the calibration system and their status.
- Preventive maintenance procedures and schedules for key production and test equipment.
- Maintenance records demonstrating execution of planned maintenance and repairs.
8. Competence, awareness, and training
- Competence and training procedure.
- Role or job descriptions showing competence requirements for key positions.
- Training plans and records tied to specific roles, processes, and controlled documents.
- Evidence of operator qualifications or certifications where required (e.g., special processes, inspections, programming).
- Records showing communication of the quality policy and relevant objectives.
9. Customer and stakeholder feedback
- Customer complaint handling procedure.
- Complaint logs and investigation records.
- Customer satisfaction monitoring methods and results (e.g., surveys, scorecards, key customer metrics).
- Records of customer returns, concessions, field failures, and related actions.
10. Nonconformity, corrective action, and improvement
- Procedures for nonconforming outputs and for corrective action (and preventive activities if maintained separately).
- Nonconformance reports (NCRs) and MRB records, including disposition decisions.
- Corrective action records (e.g., 8D, RCCA) showing root cause analysis, containment, actions, effectiveness checks, and closure.
- Trend data on scrap, rework, defects, and other quality KPIs.
- Continuous improvement project logs or Kaizen records, linked to data where possible.
11. Internal audit and management review
- Internal audit program, schedule, and methodology (process-based audits preferred).
- Internal audit reports, nonconformities, and follow-up actions.
- Evidence that all QMS processes and applicable ISO 9001 clauses have been audited over the cycle.
- Management review procedure or agenda template.
- Management review minutes, inputs (KPIs, audit results, customer feedback, risks), and outputs (decisions, actions).
12. Context of the organization and interested parties
- Documented analysis of organizational context where maintained (e.g., SWOT, PESTLE, risk register) and how it informs QMS planning.
- List or analysis of interested parties and their relevant requirements (e.g., customers, regulators, owners, employees, key suppliers).
Brownfield and multi-system realities
In most regulated manufacturing environments, evidence is distributed across legacy systems, shared drives, point tools, and paper. ISO 9001 does not require a single system, but auditors will test your ability to:
- Locate current, approved documents quickly, with clear revision status.
- Trace from a sample product or order back to its records (materials, process steps, inspections, releases, NCs, and actions).
- Show how changes are controlled across systems (e.g., when a spec or routing changes, how training, WIs, and ERP/MES are kept aligned).
Full system replacement purely for audit convenience is usually difficult to justify in regulated, long-lifecycle plants because of validation burden, downtime risk, and integration complexity. A more realistic approach is to tighten document control, improve indexing and evidence trails across existing systems, and only replace where risk and lifecycle justify it.
Practical preparation steps
- Start from your current ISO 9001 clause matrix and ensure there is at least one piece of documented information mapped to each requirement.
- Run a mock audit on a few real orders or batches, tracing requirements from contract through release and shipment, and list any gaps or slow retrieval points.
- Verify that all sample documents you will likely pull (procedures, WIs, travelers, inspection reports) show consistent revision control and signatures/approvals.
- Ensure internal audit and management review records are recent, complete, and show follow-up on issues.
Having the documents above available, current, and clearly linked to how you actually run the plant will do more for audit readiness than producing a long, generic checklist that does not match reality on the floor.
