The six mandatory procedures of ISO 9001 are core ISO 9001 certification requirements that help you maintain control over your quality management system (QMS). These include control of documents, control of records, internal audit, control of nonconforming outputs, corrective action, and preventive action through risk-based thinking. Needless to say, each one plays a specific role in making sure your processes are clear, consistent, and auditable.
This guide breaks them down for you. You will see how document and record control keep your information accurate and accessible. You will learn how internal audits help you check that things are working as planned. In addition, you will understand how the procedures for nonconformance, corrective action, and risk help you respond to problems and prevent them from recurring.
If you are working with integrated management systems, these procedures give structure to your system and make your business easier to manage.
1. Control of Documents
Control of documents is a central requirement within ISO 9001 and forms one of the six mandatory procedures of ISO 9001. It refers to how you create, approve, distribute, access, revise, archive, and dispose of documented information. With proper document control, your QMS is functional and your business decisions come from accurate and authorised information.
Poor document control can lead to confusion, operational delays, and nonconformities. An effective system eliminates outdated information from circulation, secures your current records, and confirms that you use the correct versions across your business.
Definition and Scope
Document control applies to all forms of documented information relevant to your QMS. This includes documents generated internally as well as those received from external parties, such as customers, regulators, and suppliers.
You must control a wide range of documents under ISO 9001. These include:
- Quality management system procedures
- Quality manual
- Work instructions
- Specifications, designs, and drawings
- Forms and reports
- External communications
- Internal audit reports
- Management review documents
- Records related to the QMS
Each of these documents plays a role in how your business operates and demonstrates conformance with ISO 9001. Controlling them properly supports consistent outcomes, reduces operational risks, and strengthens compliance. You must clearly identify these documents, ensure they are traceable, and confirm they are suitable for their intended use.
The scope of document control is broad. It covers everything from high-level policy documents down to specific work instructions and operational records. Each document must be uniquely identifiable, including a title, reference number, revision status, and issue date.
Document Approval and Review Process
Before issuing or revising any document, authorised personnel must review and approve it for suitability and accuracy. Restricting these tasks to authorised personnel ensures that content aligns with your business practices, legal requirements, and the goals of your QMS.
The review process should be systematic and documented. You must maintain records of who approved the document, its date of approval, and under what conditions. This provides traceability and supports accountability. The same level of control applies to revised documents. You must review and reapprove revisions before use and remove the superseded versions from circulation.
Accessibility and Version Control
Once a document is approved, it must be made available to the people who need it, at the right place and time. This could mean access through a shared drive, a document management system, or printed materials in designated locations. Whatever the method, you must control access to prevent unauthorised changes.
Version control is essential. You need to identify the latest approved version and prevent anyone from using previous versions by mistake. This may involve revision numbers, update logs, or automated systems that restrict access to outdated files.
Obsolete Document Handling
Withdraw outdated documents from use right away. Once declared obsolete, destroy, mark, or archive the documents to prevent accidental use. If retained for legal or knowledge purposes, store them separately and manage them with care.
Define how long to keep documents based on business, legal, or regulatory requirements. Disposal should be secure and documented, especially if it involves sensitive information.
2. Control of Records
Records provide proof that your business is meeting the requirements of your QMS. Unlike documents, which guide how you should perform the work, records show what you actually did. The procedure for control of records is one of the six mandatory procedures of ISO 9001. It ensures that your records are accurate, reliable, and available when needed.
Records support compliance, decision-making, traceability, and accountability. Correct record management prevents data loss, protects sensitive information, and strengthens your audit readiness.
Difference Between Documents and Records
Documents are crucial in planning and controlling processes. These include policies, procedures, manuals, and work instructions. You can revise and update them as needed. Records, on the other hand, are evidence of results. Once created, you must not alter them. To meet ISO 9001 requirements, you must control various types of records across your business. Here are some examples:
- Training records
- Audit reports
- Calibration certificates
- Corrective and preventive action records
- Inspection and test results
- Customer complaints
- Supplier evaluations
- Attendance and timesheets
- Management review records
You must manage both documents and records. But records demand stricter control to protect their integrity and authenticity.
Retention and Retrieval Requirements
You must define how long you will keep each record. Retention periods should reflect legal, regulatory, contractual, and business needs. For example, you may need to store financial records for several years, while you might keep audit reports for a shorter period.
You also need a system that allows authorised users to retrieve records quickly and efficiently. Whether you store records electronically or physically, you must organise, label, and index them so you can easily locate them when needed.
Protection Against Damage or Loss
You must protect records from unauthorised access, damage, tampering, or environmental threats such as fire, water, or corrosion. This includes secure digital backups for electronic records and physical safeguards such as fireproof cabinets or restricted access storage.
Regular audits of your record storage systems can help you identify weak points and reduce the risk of accidental loss or corruption. Your approach must protect both confidentiality and availability.
Record Disposal Protocols
Once a record reaches the end of its retention period, dispose of it securely. This applies to both paper and digital formats. You should follow defined procedures such as shredding, digital deletion, or destruction by an approved contractor.
Document the disposal process. This ensures transparency and demonstrates that your organisation manages information responsibly and in compliance with regulatory requirements.
Whether you’re managing records manually or through ISO 9001 compliance software, your controls must be consistent and well-documented. Each step, from record creation to final disposal, must show that your business takes information management seriously.
3. Internal Audit Procedure
Internal audits are a required part of the six mandatory procedures of ISO 9001. They assess how well your QMS is working not just on paper, but in practice. These audits confirm that you are following your documented procedures, complying with requirements, and achieving your objectives. They also highlight where things are falling short.
You are verifying that controls are in place and that they are applied consistently across your operations, from financial reporting to customer service and from project delivery to risk management. A strong internal audit process strengthens your case for ISO 9001 certification in Australia.
Here’s what your internal audit procedure needs to cover.
Objectives and Frequency
Your internal audit must check whether the processes in your QMS are effective and aligned with business objectives. You should examine whether the team is following the planned arrangements and meeting the performance requirements.
Schedule audits regularly. The frequency will depend on the complexity and risk level of the processes involved. High-risk areas or past problem areas may need more frequent audits. You must also conduct audits when major changes occur, such as system upgrades, process redesigns or new compliance obligations.
Auditor Selection and Impartiality
The people conducting your internal audits must be objective. That means auditors cannot audit their own work or review activities they are directly responsible for. Select auditors based on their knowledge, experience, and training, not convenience.
Your auditor pool should include staff who understand your operational context and compliance requirements. Where impartiality is difficult to achieve internally, consider engaging an external party.
Planning and Conducting Audits
Internal audits must follow a structured plan. You must:
- Define audit objectives, scope, and criteria
- Prepare an audit schedule based on risk and importance
- Notify the areas you are auditing
- Review relevant procedures and records before starting
Auditors should gather evidence through interviews, observations, and sampling of documents and records. They must assess both conformance and effectiveness. You’re looking for gaps in compliance and identifying opportunities to strengthen how your processes operate.
Audit Reporting and Follow-Up
Once the audit is complete, your auditor must report their findings clearly. The report should cover:
- What you audited
- What was compliant
- What wasn’t
- Any areas of concern or risk
- Opportunities for improvement
Communicate findings to management and relevant teams. Then comes the follow-up. You must determine and implement corrective actions for any nonconformities identified. Track actions until verified and closed.
You must ensure your system improves over time and reflects actual performance. Internal audits create accountability and build confidence that your business is operating as planned.
By following a clear and consistent internal audit procedure, you demonstrate that your management system is compliant, controlled, monitored, and constantly improving.
4. Control of Nonconforming Outputs
Clause 8.7 of ISO 9001 is clear. You must have a process to identify, manage, and prevent nonconforming outputs from progressing through your operations or reaching the customer—whether that’s an internal handover or a final external delivery. As one of the six mandatory procedures of ISO 9001, controlling nonconforming outputs is about protecting product integrity, customer trust, and the credibility of your Quality Management System.
Identifying Nonconformities
You must have a clear and consistent method to detect nonconforming outputs at every stage—during production, inspection, service delivery, or post-delivery. This can include physical product defects, administrative errors, incomplete documentation, or anything that fails to meet a specified requirement.
Identification should be immediate and unambiguous. Use tagging, labelling, digital alerts, or quarantine areas to mark affected items clearly. The priority is to ensure they are not mistakenly passed along to the next stage of your process.
Containment and Correction
Once identified, containment is essential. That might mean isolating faulty components, halting a process, returning items to a previous step, or issuing a product recall. You must also empower employees at every level to stop the process if something is wrong. Delaying containment only increases the risk and the cost.
After containment, you move to correction. Fix the issue—then re-verify. It’s not enough to repair or rework an item and move on. It must be tested again to confirm that it now meets your specified requirements.
Sometimes correction isn’t possible or practical. In those cases, you may:
- Return or recall the output
- Suspend delivery
- Inform the customer and disclose the issue
- Seek approval under an authorised concession
Always use a controlled process for these decisions. Your quality management policies and procedures must define who has the authority to approve concessions and under what conditions.
Evaluation and Root Cause Analysis
Correcting a nonconforming output doesn’t end the issue. You must evaluate why it happened. Was it a training issue? A supplier error? Equipment failure? A lapse in procedure?
Conduct a root cause analysis to identify the origin of the nonconformity and take steps to prevent recurrence. This might involve updating documentation, revising procedures, retraining staff, or improving inspections. Address the cause, not just the symptom.
Recordkeeping and Reporting
Clause 8.7.2 requires that you retain documented information related to each nonconforming output and the decisions you’ve made. Your records must show:
- A clear description of the nonconformity
- What actions were taken in response
- Whether a concession was granted and the terms of that decision
- Who authorised the action or acceptance
You can use any format that suits your operations—forms, spreadsheets, or an integrated system—as long as it is reliable, accessible, and consistently applied. The key is traceability. You must be able to track nonconformities, monitor trends, and confirm that they have been resolved appropriately.
Controlling nonconforming outputs is not just a technical exercise. It is a safeguard built into your daily operations. It prevents errors from compounding, protects customers from faulty products or services, and ensures that what you deliver reflects the standards you’ve promised.
5. Corrective Action Procedure
Corrective action under ISO 9001 focuses on eliminating the root causes of existing nonconformities or failures. It is a reactive process triggered by actual problems, not hypothetical risks. The goal is to prevent recurrence by addressing the source, not just the surface-level symptoms. This procedure is one of the six mandatory procedures of ISO 9001 and plays a central role in maintaining system integrity and customer confidence.
When applied correctly, corrective action supports compliance with ISO and other regulatory bodies, helps resolve complaints, reduces operational risk, and contributes to continual improvement across your business. It also forms a core part of a CAPA (Corrective and Preventive Action) system, which underpins most ISO-certified quality management systems.
Triggering Corrective Actions
Clear evidence of nonconformance must trigger corrective actions. This can include audit findings, customer complaints, defective outputs, process failures, missed deadlines, or safety events. Internal observations like patterns of delay, repeated errors, or recurring service issues can also prompt corrective actions.
You must have a system that allows employees at every level to raise concerns. These triggers must initiate a formal review, not just a workaround. ISO 9001 employee training should reinforce this process, ensuring your team understands what to report, when to escalate, and how to document their observations properly.
Investigation and Analysis Methods
Once your system confirms a problem, your next step is to understand why it happened. The investigation should be systematic, impartial, and data-driven. You must distinguish between symptoms and root causes.
Common investigation tools include:
- 5 Whys: Repeatedly asking why a problem occurred to uncover its origin.
- Fishbone Diagrams (Ishikawa): Mapping out potential causes across categories like people, process, equipment, and environment.
- Pareto Analysis: Prioritising issues based on frequency or impact.
- Process Mapping: Reviewing the actual workflow to locate the deviation.
- FMEA or FTA: Analysing failures and their effects systematically.
You must involve people with direct knowledge of the issue and use verifiable data—not assumptions—to guide your decisions.
Action Planning and Implementation
After verifying the root cause, you must develop the corrective action plan. This plan should define the required actions, the resources needed, who is responsible, and the expected completion date for each task.
The plan might include process changes, retraining staff, revising documents, replacing faulty equipment, or engaging with suppliers. Every task must be specific, achievable, and measurable. Temporary fixes must be clearly labelled as such, with timelines for permanent solutions defined.
Implement all corrective actions through a formal change control process to prevent unintended consequences.
Effectiveness Checks and Closure
Corrective action is incomplete until you confirm that it worked. This means checking that the issue is resolved and that it hasn’t returned. You must:
- Re-test or re-audit the affected process
- Monitor ongoing performance data
- Interview relevant staff
- Verify that the new controls are followed and understood
If the problem persists, revisit your investigation and update the action plan. Do not close the corrective action until its effectiveness has been confirmed.
Each corrective action record must include a clear description of the issue, supporting evidence, root cause analysis, the action plan, implementation details, effectiveness results, and formal sign-off by an authorised individual.
6. Preventive Action (Risk-Based Thinking)
Preventive action has evolved under ISO 9001:2015. The earlier version of the standard required a documented procedure for preventive action. That’s no longer the case. Instead, the standard now embeds risk-based thinking directly into planning, operations and performance evaluation.
You are not simply reacting to problems. You are expected to think ahead, assess what could go wrong, and prevent it before it happens. This change is reflected in ISO 9001 Clause 6, which requires that those responsible for planning and risk management are competent and clear on their roles. Clause 8.5.3 reinforces the need to document specific preventive actions when they are required.
This section outlines how we approach risk-based thinking as part of the six mandatory procedures of ISO 9001.
Transition from Preventive Action to Risk-Based Approach
The shift from standalone preventive actions to integrated risk-based thinking marks a fundamental change. It means we no longer wait for non-conformities to occur before acting. Instead, risk management is woven into daily business decisions—from setting objectives to allocating resources and managing suppliers.
You consider both threats and opportunities. Preventive thinking becomes part of how you define priorities, structure projects, and monitor results. Every level of the business, from frontline staff to executive leadership, shares responsibility for identifying and managing risk.
Identifying and Assessing Risks and Opportunities
Risk identification begins with understanding your internal and external context. You need to look at who your stakeholders are, what they expect, and how your processes could fall short or exceed expectations.
Start by asking:
- What could prevent us from meeting our customer requirements?
- What are the most likely and most serious risks to our objectives?
- Where are we dependent on people, suppliers, or equipment?
- What compliance failures could affect our ability to deliver work?
You can use a variety of tools—risk matrices, process mapping, SWOT analysis, incident trend reviews—to assess both likelihood and impact. This isn’t a theoretical exercise. The risks you identify must be relevant, measurable and linked to your actual operations.
Planning Actions to Address Risks
Once you’ve identified your risks, you must decide what to do about them. This involves determining the level of risk you’re willing to accept and then putting actions in place to control the rest.
You might choose to avoid the risk entirely, reduce it through process controls, transfer it by using insurance or outsourcing, or accept it if the risk is minor and manageable. Whatever the strategy, your actions need to be clearly planned.
Each action should answer:
- What are we going to do?
- Who is responsible?
- What resources are required?
- When will it be completed?
- How will we know it worked?
Planning must be proportionate. Do not overcomplicate it. But you must be deliberate and thorough, especially when the risk could lead to a major nonconformity or safety hazard.
Monitoring Outcomes
Planning is not the end of the process. You need to check if your actions actually reduced the risks. This is where monitoring becomes essential. You review performance indicators, audit reports, project outcomes and feedback channels.
If a risk materialises despite your controls, review the process again. Don’t just update the register—make real changes to how the risk is managed. This feedback loop is critical for keeping your quality management system relevant and effective.
You are expected to document preventive measures under clause 8.5.3 where appropriate, especially when they form part of your response to significant or emerging risks. This ensures traceability, accountability and improvement over time.
Risk-based thinking, when done properly, supports consistent service delivery, strengthens compliance, and improves decision-making at every level of the business.
Interlinking the Procedures
The six mandatory procedures of ISO 9001 are not isolated checklists. They function as a connected system that supports operational control, consistent performance and informed decision-making. The strength of your QMS lies in how well these procedures work together, especially when supported by structured processes and the right tools, such as integrated management system software.
Here’s how these procedures intersect to support traceability, accountability and continual improvement.
Control of Documents and Records Supports Audits
Maintaining accurate, accessible and up-to-date documentation is a foundation of audit readiness. Every procedure—whether it’s about managing change, reporting nonconformities, or verifying actions—relies on clear records to demonstrate adherence to processes.
Effective document control means your audits are more than compliance exercises. They become precise assessments of performance. You can show evidence of decisions made, changes implemented, and controls applied. Outdated versions are removed from use. Approval workflows are defined. And every document has a custodian who understands its importance.
Linking Nonconformity, Corrective Action and Risk-Based Thinking
When a nonconformity is identified, you’re expected to do more than just fix the immediate issue. You must find out why it happened, determine if similar issues could occur elsewhere, and apply controls to prevent recurrence.
This is where risk-based thinking becomes practical. A single nonconformance may reveal a broader vulnerability. If a supplier repeatedly misses delivery deadlines, the issue is not only supplier performance—it may be your supplier selection criteria or lack of ongoing monitoring.
Corrective actions, when rooted in thorough investigation and risk analysis, help strengthen your overall system. You’re not just reacting; you’re preventing.
Using Audit Results to Identify Systemic Issues
Audits provide a structured review of how your business actually operates compared to how it is supposed to operate. But the true value of audits lies in what you do with the results.
Repeated findings, inconsistent processes or delays in implementation reveal systemic weaknesses. These patterns can highlight areas where your training is insufficient, where your procedures are too vague, or where responsibilities are unclear.
When audit findings are tracked and evaluated over time, you build a data-driven picture of where improvements are most needed. This insight feeds into your management review and planning processes.
Ensuring Traceability Through Documentation
Every step you take to correct, improve or prevent an issue must be supported by records. Documentation is what allows you to trace actions from identification to resolution. It shows who was responsible, what was decided, when it occurred, and what the outcome was.
This traceability is what protects your business during audits, legal disputes or customer complaints. It also ensures that you are not relying on memory or informal communication to run critical processes.
Interlinking your procedures means your documents don’t exist in isolation. The output of one process becomes the input for another. Your corrective action log feeds your risk register. The audit findings inform your management review. And the documented procedures support consistent training and onboarding.
When all parts of your quality management system reinforce each other, your compliance is stronger, your operations are clearer, and your customers are more confident in your ability to deliver.
Conclusion
The six mandatory procedures of ISO 9001 are the structural supports of any compliant and effective quality management system. They are not just a regulatory formality. When applied correctly, they ensure that your processes are repeatable, measurable and accountable.
By following these procedures, you give your business the ability to maintain control even as conditions shift. You track issues as they arise, you analyse the root causes, and you apply corrective actions in ways that prevent recurrence. These are not abstract ideals. They are practical safeguards that protect your operations, reputation and contractual obligations.
Procedural adherence also fuels continuous improvement. Every documented action, every audit, every nonconformity tells a story about how your business works and how it could work better. You are not just complying—you are learning. Each review provides insight. Each improvement adds stability. Over time, these small, structured changes build a stronger, more reliable system.
For those asking how to implement an ISO 9001 quality management system properly, begin with these six procedures. Use them to track performance, inform decisions and guide your improvements. Then embed them into daily work through reliable systems, supported by software that makes data and documentation easy to manage, review and update.
Done well, these procedures are not only the backbone of compliance. They are also your strongest tools for building trust, improving outcomes and maintaining control.