Mandatory Procedures Of ISO 9001: A Quick Guide

Six Mandatory Procedures Of ISO 9001

Understand the mandatory procedures of ISO 9001 and how they apply to your business for quality compliance and certification success.

The following processes are core ISO 9001 certification requirements that help you maintain control over your quality management system (QMS). While the standard has evolved beyond prescriptive “mandatory procedures,” these activities are essential for maintaining a compliant, controlled, and continuously improving system.

These essential controls include: Control of Documented Information, Internal Audit, Control of Nonconforming Outputs, Corrective Action, and the foundational principle of Risk-Based Thinking to drive prevention.

This guide breaks each control down for you. You will see how managing documented information keeps your data accurate and accessible. Learn how internal audits help you check that things are working as planned. Understand how the processes for nonconformance, corrective action, and risk help you respond to problems and prevent them from recurring.

If you are working with integrated management systems, these controls give structure to your system and make your business easier to manage.

1. Control of Documented Information

Documented Information is a central requirement within ISO 9001 and covers both documents (planning information) and records (evidence of results). It refers to how you create, update, control, access, archive, and protect all information relevant to your QMS. Compliance with ISO 9001 document control requirements ensures your QMS is functional and your business decisions come from accurate and authorised information.

Poor control of documented information can lead to confusion, operational delays, and nonconformities. An effective system eliminates outdated information from circulation, secures your records, and confirms that you use the correct versions across your business.

What Information Do You Need to Control?

Documented information applies to all forms of information relevant to your QMS, regardless of medium (paper or digital). This includes information generated internally as well as that received from external parties, such as customers, regulators, and suppliers.

You must control a wide range of documented information under ISO 9001. These include:

  • Policies, procedures, and work instructions
  • Specifications, designs, and drawings
  • Forms and reports
  • Audit reports and management review documents
  • Evidence of training, inspection, and test results

Identify all information (e.g., title, reference number, revision status) to ensure it is traceable and suitable for its intended use.

What is the Distinction Between Documents and Records?

Documents (Planning Information) are crucial in planning and controlling processes (e.g., policies, procedures). You can revise and update them as needed.

Records (Evidence of Results) are objective evidence that you performed activities and achieved results (e.g., completed forms, audit results, signed approvals). Once created, you must not alter them to ensure their integrity and authenticity.

How to Retain, Protect, and Retrieve Documented Information

You must define how long you will keep records, based on legal, regulatory, contractual, and business needs. A system that allows authorised users to retrieve information keeps your operations running smoothly while maintaining compliance.

You must protect documented information from unauthorised access, damage, tampering, or loss. This includes secure digital backups for electronic information and physical safeguards. Follow secure, documented protocols for the final disposal of information once its retention period ends.

2. Internal Audit Procedure (Clause 9.2)

Internal audits are one of the mandatory procedures of ISO 9001, as they are a required part of the QMS. They assess how well your QMS is working by confirming that you are following your documented processes, complying with requirements, and achieving your objectives. They also highlight where opportunities for improvement exist. A strong internal audit process strengthens your case for ISO 9001 certification in Australia.

What are the Objectives and Frequency of Internal Audits?

Your internal audit must check whether the processes in your QMS are effective and aligned with business objectives. Schedule audits regularly, with frequency dependent on the complexity and risk level of the processes involved. High-risk or past problem areas may need more frequent audits.

How to Select an Auditor and Ensure Impartiality

The people conducting your internal audits must be objective and cannot audit their own work or activities they are responsible for. Select auditors based on their knowledge, experience, and training. Where impartiality is difficult to achieve internally, consider engaging an external party.

What are Audit Reporting and Follow-Up Requirements?

The auditor must report their findings, covering what was audited, what was compliant, and any nonconformities or areas of concern. Findings must be communicated to management, and Corrective Actions (see below) must be determined and implemented for any nonconformities identified.

3. Control of Nonconforming Outputs (Clause 8.7)

Clause 8.7 of ISO 9001 requires a process to identify, manage, and prevent nonconforming outputs (products or services that do not meet requirements) from progressing through your operations or reaching the customer.

How Are Nonconformities Identified, Contained, and Corrected?

You must have a clear method to detect nonconforming outputs at every stage. Once identified, containment is essential. Isolate, tag, or quarantine affected items to prevent unintended use. After containment, you move to correction (repairing or reworking the item). The item must then be re-verified to confirm that it now meets specified requirements.

In some cases, correction is not possible. You must define a controlled process for making decisions to:

  • Return or recall the output.
  • Inform the customer and disclose the issue.
  • Seek approval to accept the output under an authorised concession.

What Documentation is Required for Recordkeeping and Analysis?

You must retain documented information related to each nonconforming output, describing the nonconformity, the actions taken, any concessions granted, and who authorised the decision. This allows for traceability and provides the input necessary for Corrective Action.

4. Corrective Action Procedure (Clause 10.2)

Corrective action is one of the mandatory procedures of ISO 9001 and is essential if you are serious about continual improvement. It focuses on eliminating the root causes of existing nonconformities or failures. It is a reactive process triggered by actual problems. The goal is to prevent the identified problem from recurring by addressing its source.

Corrective action is a central part of a CAPA (Corrective and Preventive Action) system, which supports most ISO-certified quality management systems.

What Triggers Corrective Actions and How is Investigation Performed?

Clear evidence of nonconformance must trigger corrective actions. This includes audit findings, customer complaints, defective outputs, or process failures.

Once triggered, you must conduct a systematic, data-driven investigation to distinguish between symptoms and root causes. Common investigation tools include the 5 Whys and Fishbone (Ishikawa) Diagrams.

How Are Actions Planned, Implemented, and Verified for Effectiveness?

After identifying the root cause, a plan must be developed detailing required actions, resources, responsibilities, and expected completion times.

Crucially, corrective action is incomplete until you confirm that it worked. You must check the resolution and verify that the nonconformity has not returned (an effectiveness check) before formally closing the action.

5. Prevention Through Risk-Based Thinking (Clause 6.1)

ISO 9001:2015 replaces the standalone, documented procedure for Preventive Action with the concept of Risk-Based Thinking. This fundamental change means prevention is not a separate step; it is integrated directly into the planning, operation, and performance evaluation of the entire QMS.

You are expected to think ahead, assess what could go wrong, and prevent it before it happens, making risk management a core business activity.

How to Identify and Assess Risks and Opportunities

Risk identification begins with understanding your internal and external context (Clause 4). You must look at what could prevent you from meeting objectives (threats) and what could allow you to exceed them (opportunities).

Key questions include:

  • What are the most likely and most serious risks to meeting customer requirements?
  • Where are our processes most vulnerable to failure?
  • What opportunities exist to improve efficiency or customer satisfaction?

You must assess both the likelihood and impact of these risks and opportunities.

How Are Actions Planned and Monitored to Address Risks?

Once risks and opportunities are identified, you must plan actions to address them.

  • For Risks: You might choose to avoid the risk, reduce it through process controls, transfer it, or accept it.
  • For Opportunities: You plan actions to pursue the benefit (e.g., launching a new product line, improving process efficiency).

You need to monitor the outcomes to check if your actions actually reduced the risks or successfully realised the opportunities. This feedback loop is essential for continual improvement.

How Do the Mandatory Procedures of ISO 9001 Interlink?

The mandatory procedures of ISO 9001 are not isolated checklists. They function as a connected system that supports operational control, consistent performance and informed decision-making. The strength of your QMS lies in how well these procedures work together, especially when supported by structured processes and the right tools, such as integrated management system software.

  • Control of Documented Information provides the foundation, ensuring audits, nonconformities, and corrective actions have clear, traceable evidence.
  • Risk-Based Thinking informs the planning of your QMS, guiding where to focus your resources to prevent problems.
  • When a Nonconformity occurs (Control of Nonconforming Outputs), it triggers a formal Corrective Action process.
  • The investigation for Corrective Action uses Risk-Based Thinking to determine the root cause, identify if similar failures could occur elsewhere, and update the risk register.
  • Internal Audits review the effectiveness of all these controls and generate findings that often become triggers for new Corrective Actions.

For those asking how to implement an ISO 9001 quality management system properly, begin with these procedures. Done well, these interlinking controls are your strongest tools for building trust, improving outcomes, and maintaining control over your quality management system.

FocusIMS ensures ISO 9001 compliance by centralising risk management and prevention through its Hazard Register and audit features. The platform handles all reactive issues, routing nonconforming outputs, incident investigation, and the resulting Corrective Actions through a single Incidents module for consistent tracking. Additionally, it provides a dedicated Document List and records management functionality to maintain accurate and accessible documented information across the QMS.

Get all your mandatory ISO 9001 procedures instantly, in one place.
