ISO 9001 SOP Requirements: Everything You Need to Know

How ISO 9001 Approaches Documentation

One of the most significant changes in the ISO 9001:2015 revision was the shift in documentation language. The 2008 version explicitly required "documented procedures" for six specific processes. The 2015 version replaced this with the broader term "documented information" — which can be a procedure, a record, a specification, or any other form of documented evidence.

This flexibility confused a lot of quality managers, particularly those who built their QMS around the 2008 requirement for six specific documented procedures. Does ISO 9001:2015 actually require fewer SOPs? Not necessarily. What it requires is documentation where it's needed to support confidence that processes are being carried out as planned (Clause 4.4.2). In practice, most organizations that were compliant under 2008 still need most of the same SOPs — they just have more flexibility in how they're structured.

This guide focuses on what ISO 9001:2015 explicitly requires, what is strongly implied by audit practice, and what documentation choices you actually have.

Mandatory Documented Information in ISO 9001:2015

ISO 9001:2015 explicitly requires documented information to be maintained (procedures) or retained (records) in the following areas:

Documented Information to Maintain (Procedures)

Clause 4.3 — Quality Management System Scope

The scope of the QMS must be documented. This is typically a statement in the Quality Manual or equivalent document defining which products, services, locations, and processes are included — and explicitly excluded.

Clause 4.4.2 — Process Information

Information needed to support the operation of processes must be maintained. This is the primary driver for most SOPs. Any process where inconsistency would risk product quality or customer satisfaction needs documented information. The standard doesn't prescribe which processes — that's a risk-based determination.

Clause 5.2 — Quality Policy

The quality policy must be documented, appropriate to the organization, and communicated.

Clause 6.1 — Quality Objectives

Quality objectives must be documented along with who is responsible, what will be done, what resources are needed, when it will be completed, and how results will be evaluated.

Clause 7.1.5.1 — Measuring Equipment

Where equipment is used to verify product conformity, calibration records and the basis for calibration must be documented.

Clause 7.2 — Competence

The competence requirements for personnel affecting quality conformity must be documented, along with evidence that those requirements are met.

Clause 8.1 — Operational Planning

Processes needed to meet product and service requirements must be documented to the extent needed to demonstrate conformity. This is a key driver for production and service delivery SOPs.

Clause 8.4.1 — Externally Provided Processes

Criteria for evaluation, selection, monitoring, and re-evaluation of external providers must be documented.

Clause 8.5.1 — Production and Service Provision

Documented information defining the characteristics of products to be produced or services to be provided, and the results to be achieved, must be available at appropriate points.

Clause 8.5.6 — Control of Changes

The results of review of changes, including who authorized the change and any necessary actions, must be documented.

Documented Information to Retain (Records)

ISO 9001:2015 requires records to be retained as evidence of conformity in numerous clauses. Key ones include:

• Clause 7.1.5.1 — Calibration records
• Clause 7.2 — Evidence of competence
• Clause 8.2.3 — Review of product requirements
• Clause 8.3.2 — Design and development inputs (if applicable)
• Clause 8.4 — External provider evaluation records
• Clause 8.5.2 — Traceability records (if traceability is required)
• Clause 8.6 — Product release records (evidence of conformity)
• Clause 8.7 — Nonconforming output records
• Clause 9.1.2 — Customer satisfaction monitoring
• Clause 9.2 — Internal audit results
• Clause 9.3 — Management review outputs
• Clause 10.2 — Corrective action records

SOPs That Are Practically Mandatory

ISO 9001:2015 gives you flexibility, but auditors and certification bodies have formed strong expectations over decades of practice. While the standard doesn't enumerate required SOPs, these are the procedures where absence of documentation typically generates audit findings:

Document and Record Control (Clause 7.5)

The standard requires documented information to be appropriately controlled — creation, review, approval, distribution, access, protection, and disposition. In practice, a Document Control SOP is essential. Without it, you have no defensible system for managing all the other documented information the standard requires.

Internal Audit (Clause 9.2)

The audit program and individual audit results must be documented. A procedure for how internal audits are planned, conducted, and followed up is expected by every certification body.

Corrective Action (Clause 10.2)

When nonconformities occur, the organization must take action to control, correct, and address consequences. The determination of root cause and corrective actions must be documented. A CAPA procedure is standard practice.

Control of Nonconforming Outputs (Clause 8.7)

Products that don't meet requirements must be identified and controlled to prevent unintended use or delivery. An SOP covering nonconforming product identification, quarantine, disposition, and record-keeping is effectively mandatory.

Management Review (Clause 9.3)

While not as prescriptive, the inputs and outputs of management review must be retained as documented information. A procedure for how management reviews are conducted and documented helps ensure consistency.

Competence and Training (Clause 7.2)

Evidence of competence must be retained. An SOP covering how training needs are identified, training is conducted, and competence is verified is strongly expected.

Building an ISO 9001-Compliant SOP

Beyond having the right SOPs, the SOPs themselves need to meet certain criteria to satisfy clause 7.5. Every SOP should:

Include appropriate identification

Document number, title, version number, effective date, and review date. These are typically in the header or footer. Clause 7.5.2 requires documented information to be appropriately identified and described.

Be reviewed and approved

Clause 7.5.2 requires documented information to be reviewed and approved for suitability and adequacy. This means sign-off from appropriate personnel — typically the document owner and a QA representative. Electronic approvals are acceptable if your system controls them appropriately.

Be available where needed

Clause 7.5.3 requires documented information to be available and suitable for use, at the point where it's needed. A production SOP that lives only on the QA manager's computer is a distribution failure.

Be protected

Loss of confidentiality, improper use, or loss of integrity of documented information must be prevented. For electronic documents, this typically means controlled access, version control, and backup. For paper, controlled distribution lists and obsolete document retrieval processes.

Common ISO 9001 Documentation Audit Findings

Knowing what generates findings helps you prioritize your documentation effort:

1. Obsolete documents in use. Old versions of SOPs circulating alongside current ones. This is a document control failure, not an SOP content failure.
2. SOPs that don't match actual practice. Procedures that describe what should happen, not what does happen. The most common and most serious finding.
3. Missing records. An SOP requires a record; no record exists. Usually a training failure — the procedure wasn't followed.
4. Unapproved documents. SOPs without required signatures or without evidence of review since a regulatory revision.
5. Incomplete corrective actions. CAPA records that identify root cause but show no evidence of effectiveness verification.
6. Gaps between process and documentation. A process step happens but no SOP covers it. Common in rapidly growing organizations.

Practical Approach: Start With the Audit-Critical SOPs

If you're building an ISO 9001 QMS from scratch or preparing for your first certification audit, don't try to document everything at once. Start with the procedures that auditors will look for first:

1. Document Control procedure
2. Internal Audit procedure
3. Corrective Action / CAPA procedure
4. Nonconforming Product Control
5. Competence and Training
6. Your core operational processes (the ones that make your product or deliver your service)

Get these six categories right first. Then fill in supporting procedures for calibration, supplier management, customer complaints, and whatever else your risk assessment identifies as needing documented control.

ISO 9001 and AI-Generated SOPs

AI-generated SOPs are permissible under ISO 9001, with the same caveats as any other SOP. The standard cares about content accuracy and process conformance — not about how the document was initially drafted. What matters is that the SOP is reviewed by qualified personnel, approved through your document control process, and accurately describes how the process should be executed.

The practical risk is hallucination: AI tools that invent ISO 9001 clause references that don't exist, or describe process steps that don't match your actual operations. Tools designed specifically for regulated industry SOP generation — with verified regulation references and structured input collection — reduce this risk significantly.