What Are The Procedures For ISO 9001:2015 Certification?

What You Need And What You Don't

ISO 9001 is the international standard for quality management systems (QMS). You can apply it to any organization and although it began as a relatively prescriptive document, the 2015 revision has no specific requirement for you to document procedures.

So, if the standard can apply to any organization, no matter what the industry, and there are no instructions about what procedures to record, how's a business to know which procedures to document?

Let's break that question down and start with the "how can the same standard apply to all organizations" element.

How Can One Standard Apply To Any Organization?

It is possible for one standard to apply to any organization because ISO9001 specifies what you need for the framework of your QMS and not the detail of your business operations. You can think of it in the same way as the tax system, except it doesn't involve the pain of paying a percentage of your profits each year. However, you will see some industry specific standards.

Industry Specific ISO 9001

There are several industry specific standards which use ISO 9001 as a foundation.

For example:

  • AS9100 - Aircraft, Space and Defense (AS&D) industry.
  • ISO/TS 29001–Petroleum, petrochemical and natural gas industries
  • ISO/IEC 90003–Software engineering
  • ISO 18091–Local government
  • ISO 13485–Medical devices

The existence of these standards would, at first glance, appear to contradict the assertion that ISO 9001 is suitable for all businesses. But the standard covers only the framework of the system. It does not apply to the specific risk management, operational procedures or organizational outputs of an organization.

Some industries have complex statutory, regulatory, and customer requirements against which they, and/or their products and services, are assessed. To avoid maintaining separate management systems for quality management, regulatory compliance, customer requirements, etc. These industries develop their own standards which roll these elements into one "mega-standard" which is ISO 9001 plus the rules, regulations, and requirements specific to their sector.

The good news is that we developed Keeni.Space for businesses requiring operating procedure software to facilitate operations for rocket launches and space vehicles, where time is a premium and safety is vital. The Keeni platform combines years of lessons learned from the field, with stringent regulatory conditions and processes, to produce an intuitive management system. The Keeni is now deployed in industries beyond aerospace.

Now onto the next piece of our opening question "no instructions about which procedures to record".

What ISO 9001 Says About Procedures

In a change from previous versions, ISO 9001:2015 no longer has a requirement for any specific documented procedures. Which sounds like a fabulous excuse to throw caution to the wind, dump all of your documented procedures, save the time and effort spent in maintaining them, and do something less boring instead.

However, don't get too excited just yet.

While the standard does not require any specific procedures, it says that you must document and maintain the information you need to ensure your quality management system is effective.

The clause in question, clause 7.5.1 (b), states that:

"The organization's quality management system shall include documented information determined by the organization as being necessary for the effectiveness of the quality management system."

"Documented information" is the phrase now used in all ISO standards and covers every kind of document.

"Determined by the organization" this is the part of the clause which gives an organization the freedom to decide which elements of their system need procedures and documented information.

However, an organization must be able to show:

  1. The criteria they use to decide which procedures and documented information they include in their quality management system.
  2. How they apply that criteria.
  3. The outcomes of this decision-making process.

External auditors may ask organizations to justify the exclusion of any procedures and documented information from the quality management system.

"Necessary for the effectiveness of the quality management system." Meaning a way of ensuring an element of the system works - for example through procedures.

Now we know what the standard says about procedures we can get to "how's a business to know which procedures to document?"

Examples Procedures for your ISO Quality Management System?

While ISO 9001:2015 does not specify specific procedures, Keeni provides example procedures for your ISO Quality Management System. Signup and we will email them to you.

Procedures To Document for ISO?

The standard requires an organization to apply a risk management approach to its quality management system, and it is this approach which will dictate which procedures you generate or identify as crucial for control.

The logical next step is that if the procedure is crucial for control, you should document that procedure, and everything else associated with it. These documents then become part of your quality management system.

Therefore, when deciding which procedures to document in your QMS, you need to split your thinking into two streams.

Stream one is the quality management system structure itself. These are the elements such as the control of documented information and the control of non-conformities and corrective action.

Stream two is the operations of your organization. These are the procedures that control the crucial steps in your organization's processes.

How Do You Identify Procedures For The Quality Management System Structure?

This is the easier of the two streams of procedures to identify and document, because while the exact detail of the procedure will vary from organization to organization, the requirement for and the overarching purpose of the procedure itself will be the same.

As a result, organizations should establish documented procedures to:

  1. Control documented information. This procedure should explain how you will:
    • Allocate roles and responsibilities for the control of documented information.
    • Ensure documented information is accurate and adequate for purpose before it becomes part of the management system.
    • Regularly review and update documented information.
    • Identify the changes to documented information and the current document revision status.
    • Recall and manage all obsolete documented information and prevent its unintentional use.
    • Make documented information available at its point of use.
    • Ensure documented information remains legible, identifiable and readily accessible.
  2. Manage non-conformities and corrective actions. This procedure should explain how you will:
    • Allocate roles and responsibilities for the reporting of and control of non-conformities and corrective actions.
    • Identify and document non-conformities and corrective actions.
    • Investigate all non-conformities and identify their root causes.
    • Develop appropriate corrective actions.
    • Identify those responsible for carrying out the corrective action.
    • Communicate the root causes and corrective actions to those responsible.
    • Allocate a timeframe for the corrective action to take place.
    • Re-investigate to ensure the corrective action has taken place.
    • Document each step of the corrective action.
  3. Implement your internal audit process. This procedure should explain how you will:
    • Identify the roles, responsibilities, and authorities of those involved in the internal audit process.
    • Ensure internal auditors are qualified to carry out internal audits.
    • Communicate the internal audit process and its role in the organization to stakeholders, as appropriate.
    • Schedule internal audits and specify how frequently partial audits and full audits will take place.
    • Report and communicate the results of internal audits.
  4. Control nonconforming outputs: Nonconforming outputs can be goods or services, depending on the business. This procedure should explain how you will:
    • Identify the roles, responsibilities, and authorities of those involved in identifying nonconforming outputs.
    • Prevent nonconforming outputs from reaching customers.
    • Where necessary, dispose of nonconforming outputs.
    • Provide a mechanism by which customers can communicate the receipt of a nonconforming output.
    • Investigate the root cause of how a nonconforming output was created or reached a customer.
    • Communicate the results of your investigation and suggest corrective actions to a customer.
    • Address the root cause of the non-conformity by identifying a suitable corrective action.
Six Examples Procedures for ISO 9001:2015

While ISO 9001:2015 does not specify specific procedures, Keeni provides six example procedures for your ISO Quality Management System:

  • Control of Documents procedure
  • Control of Records procedure
  • Internal Audit procedure
  • Corrective Action procedure
  • Preventive Action procedure
  • Control of Nonconforming Products procedure

Signup for free and we will email these six example procedures to you.

How Do You Identify Procedures Specific To Your Organization?

Remember way back at the beginning of this article when we spoke about documented information which is "necessary for the effectiveness of the quality management system"?

In order for the quality management system to be effective, an organization must:

  1. Identify the potential risks to their business, and
  2. Develop the documented information necessary to control those risks.

Some of this documented information will be procedures.

Therefore, to identify the procedures specific to the needs of your organization, you must first have a clear picture of the processes that make up your business. Then you need to identify the points in those processes where there are potential risks to your business.

You can begin this exercise by using process mapping.

Process Mapping

Almost everything we do involves a process whether it's making coffee at home or building rockets at work. The only difference is the complexity and number of the processes involved.

When mapping the processes of your organization you need to start by brainstorming what you do at a macro-level and then break that information down into the individual processes which make it happen. Finally, you would keep breaking those down until you arrive at a point where the process can no longer be broken down into a smaller process. For example:

Macro: We bake, distribute, and sell pies.


  • Purchasing ingredients
  • Recruiting trained staff
  • Baking the pies
  • Cleaning the equipment
  • Packaging the end product
  • Sending the product to customers

Baking the pies breaks down into other processes such as:

  • Measuring ingredients
  • Mixing
  • Portioning the mix
  • Baking the mix

And so on.

Identifying Risks

Once you break down all of your processes, it's time to take a look at each one to determine if deviation from that process, or a problem with the inputs and outputs of that process will present a risk to your business.

Using the "baking pies" example again, this was broken down into constituent processes, one of which was measuring ingredients. Risks to the business, if something goes wrong with this process might include:

  1. Customer dissatisfaction with a product which tastes different.
  2. Loss of revenue if end customers or suppliers are lost.
  3. Wasted product if the mistake is caught before the distribution process.
  4. Budgetary issues if expensive ingredients are wasted.

And so on.

Once you know which processes have potential risk factors, you can control those processes with procedures.

These are the procedures you should consider documenting for your ISO 9001 quality management system.

The Difference Between A Process And A Procedure

Some people use the words process and procedure interchangeability, but they are two different things.

A Process is WHAT you do.
A Procedure is HOW you do it.

Using our now familiar baking example, measuring ingredients is the process and the step-by-step of "take the bag of flour to the scales and weigh out 15 lbs of flour directly into the mix bowl" etc. is the procedure we use.

How Do You Document A Procedure?

To document a procedure, you must first brainstorm exactly what happens in that procedure, step by step. This is best done in partnership with the people who carry out the procedure.

Buy in from all stakeholders will ensure the continued use of a documented procedure and help prevent, "Oh yes, I know we have that procedure written down, but it doesn't work so we ignore it and do it like this."

The procedure itself should detail:

  • Who is responsible for the document and who carries out the procedure.
  • The inputs and outputs of the procedure.
  • A clear walkthrough of each step of the procedure.
  • References to associated documents such as checklists.

Once you have documented the first drafts of your procedures, you should implement a management system. Digitizing operating procedures with modern software is the foundation for an effective ISO 9001:2015 certification. Thriving businesses use procedures for ISO certification to remove human error from their operations and incorporate constant process improvement into their daily routines. Keeni operating procedure software helps organizations transition from paper procedures, procedures in Word docs and PDF files, or spreadsheets in Excel to a system-oriented approach.

With Keeni you can easily upload the document for your procedure. Keeni converts the document into a procedure template that you can then make actionable. Engagement with your procedures is critical. Keeni gives you all the functionality you need to make your business processes actionable, auditable, and compliant for your ISO certifications.

Do You Have To Maintain A Hard Copy Of Your Procedures?

ISO 9001 no longer requires you to have a hard copy of your management system or the procedures that are included.

It is perfectly acceptable to only have procedures in an electronic format.

Control Of The Medium Of Your System

If you choose to have a purely electronic QMS, you will have to show how you maintain and control not only the documented information itself but the medium in which it is created and used.


ISO 9001 does not prescribe any specific documented procedures as part of a standard compliant management system. What it says is that an organization must document procedures necessary for its effective operation.

There isn't a list of documented procedures, you must have. Instead, work out which documented procedures you should have.

Once you have your procedures documented in an electronic format such as a PDF or Word document, use Keeni as the management system for your digital workflows. Keeni procedure software improves team productivity and quality control.

Examples Procedures for ISO Quality Management System

While ISO 9001:2015 does not specify specific procedures, Keeni provides six example procedures:

  • Control of Documents procedure
  • Control of Records procedure
  • Internal Audit procedure
  • Corrective Action procedure
  • Preventive Action procedure
  • Control of Nonconforming Products procedure

Signup for free and we will email these six example procedures to you.