What Documents Are Required for ISO Certification?
ISO certification, particularly for widely adopted standards like ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO 45001 (Occupational Health & Safety), and ISO 27001 (Information Security), is a formal recognition that an organization’s management system meets international requirements. Achieving certification requires not only implementing the standard but also preparing and maintaining a set of mandatory and supporting documents that demonstrate compliance.
While the exact list varies slightly depending on the specific ISO standard and the size, nature, and complexity of the organization, the core documentation framework is similar across most management system standards, especially those following the Harmonized Structure (Annex SL).
1. Mandatory Documents Explicitly Required by the Standards
Most ISO standards clearly state which documents and records are "required." For ISO 9001:2015, for example, clause 7.5.1 specifies that the quality management system must include:
- Scope of the QMS (documented statement)
- Quality policy
- Quality objectives
- Documented information required by the standard itself
- Documented information determined by the organization as necessary for the effectiveness of the QMS
Specific mandatory documented information in ISO 9001 includes:
- Scope of the quality management system (4.3)
- Quality policy (5.2)
- Quality objectives (6.2)
- Operational control procedures (e.g., for production, service provision, purchasing, etc.) – at least to the extent needed for effectiveness
- Criteria for evaluation and selection of suppliers
- Evidence of competence (training records, etc.)
- Calibration records
- Results of management reviews
- Internal audit results and program
- Non-conformity and corrective action records
ISO 14001:2015 and ISO 45001:2018 follow a similar pattern, requiring:
- Environmental/OH&S policy
- Risks and opportunities
- Aspects (environmental) or hazards (OH&S) with associated controls
- Legal and other requirements register
- Emergency preparedness and response plans
ISO 27001:2022 is more prescriptive and explicitly requires:
- Information security policy
- Statement of Applicability (SoA) – the key document listing which Annex A controls are applied and why
- Risk assessment and risk treatment methodology and results
- Risk treatment plan
- All applicable policies and procedures referenced in Annex A controls that the organization has chosen to implement
2. Documented Procedures
Although the 2015 and later revisions moved away from mandating six specific documented procedures (as in the 2008 version of ISO 9001), organizations still need documented procedures whenever they are necessary to ensure effective planning, operation, and control of processes. Common examples include:
- Document control procedure
- Record control procedure
- Internal audit procedure
- Non-conformity and corrective action procedure
- Preventive action (now embedded in risk-based thinking)
- Training and competence evaluation procedure
3. Records
Records are the objective evidence auditors look for. Typical records include:
- Management review minutes
- Internal and supplier audit reports
- Training and competence records
- Calibration and maintenance records
- Customer satisfaction data
- Design and development records (if applicable)
- Process monitoring and measurement results
- Non-conformity, corrective, and preventive action records
- Supplier evaluation and monitoring records
4. Supporting (Non-Mandatory) Documents
While not strictly required by the standard, most organizations develop additional documents to help run the system effectively:
- Quality manual (optional since 2015, but many still keep one as an overview)
- Process maps, flowcharts, and turtle diagrams
- Work instructions and standard operating procedures (SOPs)
- Forms and templates
- Risk and opportunity registers
- Context of the organization analysis
- Interested parties and their requirements
- Compliance obligation registers (especially for ISO 14001 and ISO 45001)
5. Summary of Key Mandatory Documents by Standard

| Standard | Key Mandatory Documents |
| --- | --- |
| ISO 9001:2015 | Scope, Quality policy & objectives, Risks & opportunities, Operational procedures as needed, Supplier criteria |
| ISO 14001:2015 | Environmental policy, Aspects & impacts, Compliance obligations, Emergency response plans |
| ISO 45001:2018 | OH&S policy, Hazard identification & risk assessment, Legal requirements register, Incident investigation records |
| ISO 27001:2022 | ISMS scope, Information security policy, Risk assessment & treatment, Statement of Applicability, Applicable policies & procedures |
6. Important Notes
- "Documented information" replaces the old terms "documented procedure" and "record." It can be in any format and on any medium (paper, electronic, video, etc.).
- The standard emphasizes risk-based thinking; organizations must document whatever is necessary to ensure processes are carried out as planned.
- Over-documentation is a common audit finding. Only create documents that add value.
- Certification bodies (e.g., Bureau Veritas, DNV, SGS, TÜV) will perform a Stage 1 (documentation review) and Stage 2 (implementation audit). Having all required documented information ready and accessible is essential for a smooth process.
The documents required for ISO certification are not an endless pile of paperwork but a logical set of policies, procedures, plans, and records that prove your management system is planned, implemented, maintained, and continually improved. The exact list depends on the standard and your organization’s unique risks, processes, and legal requirements. Focus on creating documented information that is truly necessary for effectiveness, keep it simple and practical, and you will not only pass the certification audit but also gain a management system that genuinely helps your business perform better.