Browse Templates
Quality Management Systems · ISO 9001:2015

How to Design an ISO 9001:2015 QMS Documentation Pack That Survives an Audit

What the standard actually requires, how to structure your documentation hierarchy, and the naming conventions that keep a QMS in control - updated for Amendment 1:2024 and the upcoming 2026 revision.

Alan Bryant · IRCA Lead Auditor April 2026 15 min read

Building an ISO 9001:2015 QMS documentation pack correctly is one of the most important steps in any certification programme. Most organizations stack named procedures, call them a QMS, and discover at Stage 1 that they've produced a system of documents rather than a documented system. ISO 9001:2015 is explicit about the difference - and auditors find it immediately.

This guide sets out the architecture, mandatory documented information, document hierarchy, naming convention, and core templates you need to build a pack that works in practice and holds up under scrutiny. Where ISO's own published guidance makes a point clearly, I'll quote it. Where practical experience fills the gaps, I'll say so.

Two time-sensitive notes before we start: ISO published Amendment 1:2024 adding explicit climate-change consideration text into the common management system structure (Clauses 4.1 and 4.2). Separately, a revised ISO 9001 edition is in development with publication expected around September 2026. Both are addressed at the end of this guide.

What ISO 9001:2015 Actually Requires

To understand this, the 2015 revision reduced prescriptive mandatory procedures and replaced "documents and records" with documented information. Maintained information is kept current - what used to be called a document. Retained information is kept as evidence - what used to be called a record. That distinction shapes how your pack is built.

In fact, ISO's implementation guidance puts it plainly: ISO 9001 requires a documented QMS, not a system of documents. You can read ISO's guidance on documented information directly on their site. The amount of documentation varies with organizational size, complexity, and competence. There is no prescribed list of mandatory procedure titles. There is, however, a specific list of what must be maintained and retained as objective evidence.

What Must Be Maintained

  • QMS scope (Clause 4.3)
  • Quality policy (Clause 5.2)
  • Quality objectives (Clause 6.2)
  • Documented information to support operation and provide confidence processes are carried out as planned (Clause 4.4 - extent is organization-determined)

What Must Be Retained as Records

  • Evidence of competence (7.2)
  • Calibration/verification evidence where applicable (7.1.5)
  • Customer requirements review results (8.2.3)
  • Design and development evidence where applicable (8.3)
  • Supplier evaluation and re-evaluation (8.4.1)
  • Traceability evidence where required (8.5.2)
  • Nonconformance handling (8.7)
  • Internal audit results (9.2.2)
  • Management review outputs (9.3.3)
  • Corrective action evidence (10.2.2)
  • Release and acceptance records (8.6)

Risk-Based Thinking and Documented Information

On risk-based thinking and documentation: ISO does not prescribe one specific way to document risks and opportunities. Organizations decide what documented information is needed as objective evidence. A risk register is valuable - it is not mandatory. What is mandatory is evidence that risk-based thinking was applied.

ISO 9001:2015 Mandatory vs Recommended Documents

With that established, the table below maps what the standard requires against what experience shows typically earns its place in a real QMS pack. The "when recommended becomes necessary" column is where judgement calls get made.

Category Mandatory documented information Clause Practical additions that typically add value
QMS top layer QMS scope; quality policy; quality objectives 4.3, 5.2, 6.2 Quality Manual (optional — useful for multi-site, rapid onboarding); QMS process map; context and interested parties register
Process definition Documented info sufficient to support operation and evidence processes carried out as planned 4.4 Process maps; turtle diagrams; procedures; work instructions; checklists. Extent scales with process risk and complexity.
Competence Evidence of competence 7.2 Competency matrix; training plans; authorization logs. Evidence must match role criticality — inspection vs admin roles need different depth.
Calibration Evidence of fitness for purpose of measurement resources; basis when no standards exist 7.1.5 Calibration program register; equipment list. Only required when measuring equipment is used to verify conformity.
Customer requirements Results of review of requirements and new requirements 8.2.3 Contract review checklist; quotation sign-off form. Often the best evidence of customer focus under audit.
Nonconformance Nature of nonconformities; actions taken; concession authority 8.7 NCR form; concession request form. Needs clear linkage to corrective action when systemic patterns emerge.
Internal audit Audit program implemented; audit results 9.2.2 Annual audit calendar; process-based checklists; auditor competency log. Frequency is risk-based — the standard sets no fixed interval.
Management review Evidence of management reviews and results 9.3.3 Agenda template; action log; input pack. Format is not specified — minutes are common but not required.
Corrective action Nature of NC; actions taken; results and effectiveness 10.2.2 CAPA form with RCA method; effectiveness check template. Audited heavily — needs clear closure evidence.
Climate change (Amd 1:2024) Determine whether climate change is a relevant issue; note if interested parties have climate-related requirements 4.1, 4.2 Climate relevance note in context register; climate-related risks in the R&O register. Not a new procedure — but must be demonstrably considered.

ISO 9001:2015 Documentation Hierarchy

However, a robust QMS pack is significantly easier to build, maintain, and audit when structured as a clear hierarchy. ISO guidance explicitly lists examples of documents that can add value — organization charts, process maps, procedures, work instructions, forms — while noting none are specifically required. Structure them so each level answers a different question — as a result, the QMS becomes easier to navigate for both staff and auditors.

1
Direction — Policy, Scope, Objectives

Quality policy, QMS scope statement, quality objectives register. Optionally: a Quality Manual or documented summary that maps processes to clauses. Why we do what we do and what we commit to.

2
Process Control — Process Maps and Procedures

Process architecture maps showing interactions; procedures that define who does what, when, with what controls and what records result. How our processes work.

3
Task Control — Work Instructions and Job Aids

Detailed how-to instructions for specific tasks. Checklists, acceptance criteria, inspection points. Add these where they genuinely reduce risk and variation - not as a completeness exercise. How we do specific tasks.

4
Evidence — Forms and Records

Blank forms (maintained) that when completed become records (retained). NCR reports, CAPA forms, release checklists, competence assessments, audit reports. That we did what we said we'd do.

E
External Documents — Standards, Specs, Customer Requirements

Controlled as external documented information, tracked in a register, and updated whenever the source changes. What we must comply with beyond our own system.

ISO 9001:2015 documentation hierarchy four levels

The Naming Convention That Keeps a QMS in Control

Additionally, a QMS without a consistent naming convention becomes unmanageable quickly - especially when audit time arrives and the auditor asks for the current version of a document and you're unsure whether Corrective Action Procedure v3 FINAL (1) revised.docx is it. The scheme below is vendor-neutral, audit-friendly, and supports versioning, filtering, and retention control.

Recommended file naming pattern
<CODE>_<TITLE>_Rev<##>_<YYYY-MM-DD>.<ext>

Example: PRO-QMS-007_Internal_Audit_Rev02_2026-03-11.pdf

Document type prefixes
POL
Policy — top-level commitments
MAN
Manual / summary document
PRO
Procedure — process-level control
WI
Work instruction — task-level
FRM
Form / template (blank)
REG
Register / log (rolling record)
MAP
Process map / visual model
EXT
External documents register

ISO 9001:2015 Core Templates

As a result, the two documents every QMS pack must have - and that auditors look at first — are the Quality Policy and the QMS Scope Statement. Both are mandatory maintained documented information. Both are regularly under-done. Below are working templates you can adapt directly.

Template 1: Quality Policy — POL-QMS-001

Template: POL-QMS-001 Quality Policy
[Organization Name] Quality Policy
Document ID: POL-QMS-001 | Rev: [##] | Effective: [YYYY-MM-DD]
Owner: [Top Management] | Approved by: [Name / Role]

1. Purpose
States [Organization Name]'s commitments for delivering consistent
products/services and continually improving the QMS.

2. Policy statements
[Organization Name] commits to:
- Meet applicable customer, statutory, and regulatory requirements.
- Enhance customer satisfaction through effective process control.
- Establish, monitor, and achieve quality objectives aligned with
  our strategic direction.
- Promote risk-based thinking to prevent issues and seize
  improvement opportunities.
- Provide competent people and suitable resources for conformity.
- Continually improve the suitability, adequacy, and effectiveness
  of the QMS.

3. Communication and availability
- Communicated to all persons working under our control.
- Reviewed at planned intervals; current version at: [location].

4. Review history
Rev [##] | Date | Summary | Approved by

Auditing note: ISO/IAF guidance is explicit that policy deployment is assessed through evidence of understanding - not by asking staff to recite the text. Your evidence should show how the policy was communicated and what people actually understand about its relevance to their work.

Template 2: QMS Scope Statement - MAN-QMS-SCO-001

Template: MAN-QMS-SCO-001 QMS Scope
QMS Scope Statement
Document ID: MAN-QMS-SCO-001 | Rev: [##] | Effective: [YYYY-MM-DD]

1. Organization
[Legal name, site(s), primary activities]

2. Scope — what the QMS covers
The QMS applies to:
- [Products / services]
- [Sites / locations]
- [Key outsourced processes and how controlled]

3. Boundaries and applicability
- Included requirements: [summary]
- Non-applicable requirements (if any): [clause] and justification.
  Justification must be based on the nature of products/services
  and the ability to meet customer requirements.

4. Interfaces
- Customer interface: [sales → order acceptance → delivery → review]
- Supplier interface: [outsourcing, critical suppliers]
- Internal handoffs: [key cross-function handover points]

5. Related documents
- MAP-QMS-001 QMS Process Map
- EXT-QMS-001 External Documents Register

The QMS Process Loop

Consequently, everything in the documentation pack should connect to a closed PDCA loop. The process architecture below reflects how ISO's process approach guidance structures the system - from context through leadership and planning, into operations, and back through performance evaluation and improvement.

Interested parties and contextLeadership and planningSupport: people, competence, resources, documented informationOperations: deliver products and servicesPerformance evaluation: KPIs, audits, management reviewsImprovement: NCR, corrective action, continual improvement → back to leadership and planning.

In practice, any document that doesn't connect to at least one node in this loop is a candidate for removal. Any node in this loop without supporting documented information is an audit finding waiting to happen.

Continual Improvement KPIs That Actually Drive Action

Furthermore, ISO's process approach guidance gives clear examples of what performance measures look like — on-time delivery, lead times, failure and waste rates, process costs, incident frequency. The set below is balanced across quality, delivery, customer, supplier, and system health. Each one is only useful if it has a defined decision trigger.

On-Time Delivery
OTD% = on-time ÷ total × 100
Monthly · Scheduling and capacity trigger
NCR Rate
NCRs per 100 jobs/orders
Monthly · Spike triggers containment review
Repeat NCR Rate
Repeat-cause NCRs ÷ total NCRs
Monthly · CAPA quality review trigger
CAPA Effectiveness
% effective at first verification
Monthly · RCA method review trigger
Complaint Response Time
Median days to first response
Monthly · Staffing and training trigger
Audit Closure Time
Avg days to close findings
Monthly · Management escalation trigger
Supplier Performance
% on-time + % conforming receipt
Monthly/Quarterly · Re-evaluation trigger
QMS Document Health
% documents reviewed by due date
Quarterly · Resourcing and control trigger

Two Updates You Cannot Ignore in 2026

Amendment 1:2024 — Climate Action

ISO published Amendment 1:2024 adding explicit climate-change consideration into the common management system structure (Clauses 4.1 and 4.2). This is not a new procedure requirement. It requires organizations to determine whether climate change is a relevant issue and to note whether interested parties have climate-related requirements. Demonstrable consideration — documented to the extent useful — is what auditors will look for. A brief climate relevance note in your context register is the minimum practical response.

ISO 9001 Revision — Expected September 2026

A revised ISO 9001 edition is in development as a Draft International Standard (ISO/DIS 9001), with ISO indicating publication around September 2026. The safest response now is to keep your documentation process-based and aligned to the Annex SL clause structure (4–10). A strong context → risks → objectives → controls → KPIs → review → improvement chain will absorb minor revisions without rebuilding.

Calibrating Your ISO 9001:2015 Pack by Size and Sector

Small Organizations

Small organizations should keep documentation lean: one combined Quality Manual and scope, a handful of core procedures, and strong use of checklists and registers. ISO is clear that extent differs by size, complexity, and competence. Conformity can be demonstrated without extensive documentation — provided the objective evidence exists and is retrievable.

Service Organizations

Service-heavy organizations should emphasize contract review, service planning, service completion acceptance, and customer property controls. Rather than machine setup sheets, work instructions in this context often look like scripts, checklists, and service job plans.

Manufacturing Organizations

Manufacturing contexts need stronger traceability controls where required, mature inspection and test plans, a calibration program with clear equipment governance, and operational change control that covers both planned and emergency changes.

BryantHub ISO 9001:2015 QMS documentation pack templates
BryantHub Quality Toolkit

The Complete ISO 9001:2015 QMS Documentation Pack

Every template, form, register, and procedure referenced in this guide — built to BryantHub standard, ready to adapt and release. Designed for practitioners who need a system that works in the real world, not a filing cabinet.

Explore the Toolkit Download a Free Sample
AB
Alan Bryant
IRCA Certified Lead Auditor · BSI Associate Tutor · Founder, BryantHub