ISO 9001 Mandatory Documents: The Complete Checklist (2026)

If your colleague, your consultant, or a Google result has told you that ISO 9001 requires a Quality Manual, that statement has been wrong since September 2015 and it has never been less true than it is now. The current version of the standard quietly removed the Quality Manual as a mandatory document, along with the six mandatory procedures that the older version used to demand. A decade later, I still meet Australian businesses paying consultants to write Quality Manuals because nobody told them they did not need one.

So let us clear the air. The current ISO 9001 has a precise, finite list of documents and records you must keep. It is shorter than most people think. It is also less rigid. The standard now talks about documented information rather than splitting things into documents and records, and it gives you flexibility in how you structure that information. What it does not give you is permission to skip it.

This checklist covers exactly what you need for ISO 9001 certification in Australia in 2026. What is genuinely required, what is expected but not strictly demanded, and what is just consultant inertia from the older standard. Use it to audit your own system, or to brief whoever is building it for you.

The myth of the Quality Manual (and why it matters)

The previous version of ISO 9001 explicitly required a Quality Manual that documented the scope of the system, its procedures, and the interaction between processes. The current version said: keep the requirements, drop the artefact. You still need to document the scope. You still need to define your processes and how they interact. You no longer need to do it in a single bound document called a Quality Manual.

Why does this matter beyond semantics? Because the old approach produced enormous, dense Quality Manuals that nobody read, that were maintained by one person, and that lived in a folder on the shared drive untouched between audits. The new approach lets you put the right information in the right place at the right level of detail. Your scope can live on a one-page document. Your process maps can live in your workflow tool. Your work instructions can sit alongside the work, not in a manual.

If you still want to keep a Quality Manual because your customers expect to see one in supplier audits, fine, keep one. But know that you are doing it for marketing, not for compliance. The standard does not care.

What “mandatory” actually means under the current standard

The standard distinguishes between two types of documented information.

Information that must be maintained is the equivalent of what the old standard called documents. It describes how things are done in the present. Procedures, policies, scope statements, objectives. It is updated when things change.

Information that must be retained is the equivalent of what the old standard called records. It is evidence that something happened. Audit reports, training records, calibration certificates, customer complaint records, corrective action records. It is preserved unchanged as proof.

The mandatory list across both categories adds up to roughly four maintained items and twenty retained items. That is your floor. Anything else you choose to document is your choice. As we will see, there are several highly recommended but technically optional documents that auditors will expect to see anyway.

The 4 mandatory documents you must maintain

These are the four pieces of documented information the standard explicitly requires you to keep current.

1. Scope of the Quality Management System. A statement that defines the boundaries of the system. Which products, services, sites, and functions are covered, and any parts of the standard you are excluding (with justification). Typically a short standalone document or a section in your master reference. One page is enough.
2. Quality Policy. A top-management-signed statement of intent regarding quality. It must be appropriate to your context, provide a framework for quality objectives, include a commitment to satisfy applicable requirements, and include a commitment to continual improvement. Most Australian quality policies are too long. One page, four to six commitments, is the right form.
3. Quality Objectives. Measurable objectives derived from the policy, set at relevant functions and levels. Each objective should specify what will be done, what resources are required, who is responsible, when it will be completed, and how results will be evaluated. Typically a register or spreadsheet, reviewed quarterly.
4. Documented information you have determined as necessary for the effectiveness of your system. This is the catch-all. It is your responsibility to determine what additional documented information your specific system needs. There is no fixed list. It depends on the size and complexity of your business, the competence of your people, and the regulatory environment you operate in. For most Australian SMEs, this means a handful of documented procedures for the processes that genuinely need them. The ones that are complex, are performed infrequently, or have significant consequences if performed incorrectly.

That is your maintained documentation. Four items. One scope. One policy. One objectives register. One judgement call about what else is needed.

The 20 mandatory records you must retain

These are the pieces of documented information the standard explicitly requires you to retain as evidence. I have grouped them by area so you can match them to your existing records register.

Resources and people

• Evidence that monitoring and measurement equipment is fit for purpose. Calibration certificates, verification records, equipment registers.
• The basis used for calibration when no internationally traceable standard exists. This applies if you use proprietary or in-house reference standards.
• Evidence of competence for staff whose work affects system performance. Training records, qualifications, experience evidence, induction records.

Operation, products and services

• Evidence that products and services conform to requirements. Inspection records, test results, sign-offs.
• Results of customer requirement reviews. Quote reviews, contract reviews, order acceptance records.
• Records of any new or changed customer requirements. Variation records, change requests.

Design and development (only if applicable)

• Records of design and development inputs. Design briefs, customer specifications, regulatory inputs.
• Records of design and development controls. Review meetings, verification, validation records.
• Records of design and development outputs. Drawings, specifications, BOMs, the released design package.
• Records of design and development changes. Engineering change notices, change approvals.

If your business does not do design and development, these four are not applicable to you and you can document the exclusion in your scope.

Supply chain and customer property

• Records of evaluation, selection, monitoring and re-evaluation of external providers. Approved supplier list, performance reviews, supplier audits.
• Records of any customer property that is lost, damaged, or otherwise unsuitable for use. Incident records, customer notifications.

Production and service provision

• Records of changes in production or service provision that ensure continued conformity. Change management records.
• Records of conformity with acceptance criteria for product or service release. Release authorisations, sign-offs, traceability records.
• Records of nonconforming outputs and the actions taken. Nonconformance reports, scrap records, concession records.

Performance evaluation

• Results of monitoring and measurement of system performance. KPI dashboards, customer satisfaction surveys, process performance data.
• Internal audit programme and audit results. Annual audit plan, audit reports, findings, closure evidence.
• Results of management reviews. Meeting minutes capturing all required inputs and outputs.

Improvement

• Records of nonconformities and any subsequent actions taken. Corrective action register, root cause analysis, action evidence.
• Results of corrective actions. Verification of effectiveness, closure records.

That is twenty mandatory records, slightly fewer if you exclude design and development. If your system does not have evidence in each applicable category, your auditor will raise a finding.

The “highly recommended but technically optional” documents

The standard gives you flexibility, but auditors interpret that flexibility in practice. There is a category of documents the standard does not explicitly demand but that competent auditors will expect to see, because without them they cannot verify that you have met other requirements. JAS-ANZ accredited auditors are particularly clear on this. If you are pursuing certification, treat these as effectively mandatory.

• A documented context analysis covering the internal and external issues relevant to your system. Nothing in the standard says it must be documented, but you will struggle to demonstrate it during an audit without something written.
• A documented register of interested parties and their requirements. Same logic.
• A documented register of risks and opportunities and how you address them. The standard requires you to plan actions to address risks and opportunities, and in practice this almost always lives in a risk register.
• Documented process maps. The standard requires you to determine the processes needed for the system and how they interact. A process map is the easiest way to demonstrate this.
• A communication plan covering what you communicate, when, with whom, how, and who communicates it.
• A change management procedure showing how you plan changes to the system in a controlled manner.
• A document control procedure or policy covering how documented information is created, approved, identified, distributed, accessed, retrieved, retained, and disposed of.

If you are working with a consultant who tells you these are not needed, get a second opinion. The standard’s flexibility is real, but real auditors operate on practice as well as text.

Document and record retention rules

The current standard does not specify how long records must be retained. It is your responsibility to determine retention periods based on customer requirements, regulatory requirements, statutory requirements, and contractual requirements. Most Australian businesses set their retention policy as the longest applicable requirement.

A reasonable default for most quality records is five to seven years from the end of the relevant audit cycle. Records related to product safety, regulated industries, or long-life capital goods may need to be retained for ten years or longer. Records for design and development of medical devices, defence equipment, or aerospace components are governed by separate, much longer retention requirements.

Document your retention rule in a single retention schedule. Auditors will ask to see it.

Version control and the things that fail audits

The single most common documented-information finding in ISO 9001 audits is poor version control. The mandatory list above is necessary but not sufficient. The standard also requires that documented information be suitably identified and described, and that changes be controlled.

In practice this means every controlled document needs a unique identifier, a version or revision number, an issue date, an approver, and a method of change history. Records need to be uniquely identifiable so that you can retrieve them. Obsolete documents need to be removed from points of use, or clearly marked as obsolete if retained.

The audit-failure pattern I see most often is what I call the orphan document. A team has a procedure they wrote three years ago, it is still being used, but it is not in the document register, it has no version number, and there is no review record. The auditor finds it being used during the on-site walk-through. That is a major nonconformity in most certification bodies’ books.

A second pattern is the ghost record. A record that should exist but does not, because nobody remembered to fill the form. Equipment was used before calibration. A change was made to a process without a documented review. A supplier was added without an evaluation record. These are corrective action findings waiting to happen.

The fix for both patterns is the same. A working document control system, even if it is just a register and a clear procedure, plus genuine training so that staff know what records they must complete and when.

How to actually structure your documentation

There is no required structure. There are good ones and bad ones. The structure I recommend most often for Australian SMEs is a four-tier model.

Tier 1: Strategic documents

Quality policy, scope of the system, organisational chart, context and interested parties analysis, risks and opportunities register, quality objectives. These are the what of your system. Five to ten documents in total.

Tier 2: Process maps and procedures

Documents that describe how key processes work. Sales, production, service delivery, purchasing, internal audit, document control, management review. The how at the level of the business. Ten to twenty documents for a typical SME.

Tier 3: Work instructions and forms

Detailed how-to documents and controlled forms. Lives in the work, alongside the people doing the work. Quantity varies enormously based on business complexity.

Tier 4: Records

Completed forms, reports, certificates, evidence. Generated by operating the system. Stored according to your retention schedule.

Build top-down. Get the strategic documents right first, then the process layer, then work instructions where they are genuinely needed, and let records be the natural output of operation. The most common mistake is to start with templates from a previous business and try to retrofit them to your context. Do not. Start with your scope statement, your context, and your processes, and let the documentation grow from there.

Frequently asked questions

Is the Quality Manual still mandatory?

No. The current version of ISO 9001 removed the explicit requirement for a Quality Manual. You can still keep one as a marketing or convenience document, but the standard does not require it. The four maintained documents and the documented information you determine necessary for system effectiveness are sufficient.

How many mandatory procedures does ISO 9001 require?

Zero explicitly mandatory procedures. The previous version required six (control of documents, control of records, internal audit, control of nonconforming product, corrective action, preventive action). The current version absorbed those requirements into the broader concept of documented information and left it to the organisation to decide which procedures it needs.

What is documented information?

Documented information is the term the standard uses for any information that must be controlled and maintained by the organisation. It covers what the old standard called documents (current procedures, scope, policy, objectives) and records (evidence of past activity). It can exist in any medium, paper, electronic, video, photograph, provided it is controlled.

Do I need a Statement of Applicability for ISO 9001?

No. A Statement of Applicability is required for information security certification (ISO 27001), not for ISO 9001. The quality standard has a scope statement instead, which serves a similar but simpler purpose.

How long do I need to keep records?

The standard does not specify a fixed period. You define your own retention schedule based on customer, regulatory, statutory, and contractual requirements. Five to seven years from the end of the relevant audit cycle is a common default for general records.

What documents do auditors actually look at first?

Most auditors start with the scope, the policy, the objectives, the latest internal audit report, the latest management review minutes, and the corrective action register. If those six are clean, they have a strong indicator that the system is being run rather than performed for the audit.

Can I keep my documentation in our existing software (Notion, Confluence, Google Drive)?

Yes, provided your tool meets the document control requirements: version control, approval, distribution, access, retrieval, retention, and disposal. Most modern collaboration tools can be configured to meet these requirements with the right discipline. The standard is medium-agnostic.

Use this checklist as a self-audit

Print this list, or copy it into your review tool, and walk through it against your existing documentation. If you can produce a current version of every maintained document and a representative sample of every retained record, you are in good shape for an audit. If there are gaps, those gaps are your roadmap.

If you are starting from scratch and want a structured ISO 9001 implementation tailored to your scope, QS2000 runs fixed-price programmes for Australian SMEs. We provide the documentation framework, the process design support, the internal audit, and the audit-day support, and we make sure you finish with a system you actually use, not a folder of paperwork.