ISO 9001:2015 requirements: a clause-by-clause plain-English guide
Every requirement of ISO 9001:2015 — clauses 4 through 10 — translated into plain English, with what auditors actually look for, common findings, and the evidence you need to show.
ISO 9001:2015 is the most widely used management system standard in the world, with over one million certified organisations. But the standard itself is a deceptively short document — roughly 30 pages of normative text written in deliberately generic language so it can apply to a software start-up, a precision engineering firm, and a hospital with equal force. That genericness is also why most people find it hard to read.
This guide walks through every requirement clause — 4 through 10 — in plain English. For each clause we cover what the standard actually demands, what an auditor will look for, the documented information you must keep, and the findings that come up most often. It is written for quality managers, internal auditors, and anyone preparing for certification or a recertification audit ahead of the ISO 9001:2026 transition.
A quick orientation: clauses 1, 2 and 3 are scope, normative references and terms — they contain no requirements. Clauses 4 to 10 are where the work is. The structure follows the Harmonized Structure (formerly Annex SL), so if you know ISO 14001 or ISO 27001, the shape will be familiar.
Clause 4 — Context of the organisation
Clause 4 is the foundation. Before you can manage quality, you have to be clear about what your organisation does, who it does it for, and what could derail it. This was new in 2015 and is still the clause that generates the most confused implementations.
4.1 Understanding the organisation and its context
You must determine the external and internal issues relevant to your purpose and strategic direction that affect your ability to deliver intended results. External issues typically include market conditions, regulatory environment, technology shifts, and supply chain risks. Internal issues include culture, knowledge, performance, and resources.
What auditors look for: evidence that you have actually thought about this — a SWOT analysis, a PESTLE table, minutes of a strategy session, or a context register. The standard does not require a specific format, but it does require that the issues are monitored and reviewed.
4.2 Needs and expectations of interested parties
You must identify the interested parties relevant to the QMS and their relevant requirements. Interested parties always include customers and applicable statutory and regulatory bodies. They commonly also include owners, employees, suppliers, neighbours, and certification bodies.
Common finding: organisations list interested parties but never translate their requirements into anything actionable. The point of this clause is that interested party requirements should feed your QMS planning — not sit in a spreadsheet nobody reads.
4.3 Determining the scope of the QMS
You must define the boundaries and applicability of your QMS — what sites, products, services, and processes are in. The scope must be documented and available. Any clause you exclude must be justified, and exclusions are only allowed where they do not affect your ability to provide conforming products and services.
4.4 Quality management system and its processes
You must determine the processes needed for the QMS, their sequence and interaction, the inputs and outputs, the criteria and methods for operation and control, the resources, responsibilities, risks and opportunities, and how you will evaluate and improve them. This is where the process approach lives.
Documented information required: to the extent necessary to support the operation of processes, and to retain confidence that processes are being carried out as planned. A process map, turtle diagrams, or a process interaction matrix are all acceptable evidence.
Clause 5 — Leadership
Clause 5 is where ISO 9001:2015 made one of its most significant shifts: it removed the management representative role and pushed accountability for the QMS onto top management itself. Auditors take this seriously — expect them to ask to speak to your MD or CEO.
5.1 Leadership and commitment
Top management must demonstrate leadership and commitment by taking accountability for QMS effectiveness, ensuring quality policy and objectives are established and compatible with strategic direction, integrating QMS requirements into business processes, promoting the process approach and risk-based thinking, ensuring resources are available, communicating the importance of effective quality management, and supporting other relevant management roles.
5.1.2 specifically addresses customer focus: top management must ensure customer and applicable regulatory requirements are determined, met, and that risks and opportunities affecting conformity are addressed.
5.2 Policy
Top management must establish a quality policy that is appropriate to the purpose and context of the organisation, supports its strategic direction, provides a framework for setting objectives, includes a commitment to satisfy applicable requirements, and includes a commitment to continual improvement. The policy must be documented, communicated, understood and applied, and available to interested parties as appropriate.
5.3 Organisational roles, responsibilities and authorities
Top management must assign responsibility and authority for ensuring the QMS conforms to ISO 9001, ensuring processes deliver intended outputs, reporting on QMS performance and opportunities for improvement, promoting customer focus, and maintaining QMS integrity during change. These responsibilities can be spread across multiple people — there is no longer a single 'management representative' requirement.
Clause 6 — Planning
Clause 6 introduced risk-based thinking as a foundational concept of the standard. There is no requirement for a formal risk register, but you must show that risks and opportunities have been considered and addressed.
6.1 Actions to address risks and opportunities
When planning the QMS, you must consider the issues from 4.1 and the requirements from 4.2 and determine the risks and opportunities that need to be addressed to give assurance that the QMS can achieve its intended results, enhance desirable effects, prevent or reduce undesirable effects, and achieve improvement.
You must plan actions to address these risks and opportunities, integrate them into QMS processes, and evaluate their effectiveness. Those actions must be proportionate to the potential impact on conformity. A simple risk register with likelihood, impact, mitigation, and owner is usually sufficient.
6.2 Quality objectives and planning to achieve them
You must establish quality objectives at relevant functions, levels and processes. Objectives must be consistent with the quality policy, measurable, take account of applicable requirements, be relevant to conformity and customer satisfaction, be monitored, communicated, and updated as appropriate.
For each objective you must determine what will be done, what resources are required, who is responsible, when it will be completed, and how results will be evaluated. The classic finding here is vague objectives like 'improve customer satisfaction' — auditors want SMART objectives with owners and target dates.
6.3 Planning of changes
When the organisation determines the need for changes to the QMS, the changes must be carried out in a planned manner. You must consider the purpose of the change and its consequences, the integrity of the QMS, availability of resources, and allocation of responsibilities. This applies to organisational changes, process changes, and significant IT changes.
Clause 7 — Support
Clause 7 covers the resources and infrastructure that make the QMS run: people, equipment, environment, measurement, knowledge, communication, and documented information.
7.1 Resources
You must determine and provide the resources needed to establish, implement, maintain and continually improve the QMS. This breaks down into people (7.1.2), infrastructure (7.1.3 — buildings, equipment, IT, transport), environment for the operation of processes (7.1.4 — physical, social and psychological factors), monitoring and measuring resources (7.1.5 — including measurement traceability where required), and organisational knowledge (7.1.6 — the know-how needed to operate processes and achieve conformity).
7.1.5 is one of the most-checked subclauses in regulated industries: auditors look for calibration records, calibration certificates traceable to national standards, and evidence that out-of-tolerance equipment triggers a review of previous results.
7.2 Competence
You must determine the necessary competence of persons doing work that affects QMS performance, ensure they are competent on the basis of appropriate education, training or experience, take action to acquire the necessary competence where gaps exist, and retain documented information as evidence.
7.3 Awareness
Persons doing work under the organisation's control must be aware of the quality policy, relevant quality objectives, their contribution to QMS effectiveness, and the implications of not conforming. Awareness is tested by auditors walking the floor and asking employees questions — not by training records.
7.4 Communication
You must determine internal and external communications relevant to the QMS — what to communicate, when, with whom, how, and who communicates. A simple communication matrix usually satisfies this.
7.5 Documented information
The QMS must include documented information required by the standard and any documented information you determine necessary for QMS effectiveness. When creating or updating documented information, you must ensure appropriate identification, format, review and approval. Documented information must be controlled to ensure availability where needed, and adequate protection from loss of confidentiality, improper use, or loss of integrity. Documented information of external origin must also be identified and controlled.
Clause 8 — Operation
Clause 8 is the largest clause in the standard and covers how you actually deliver products and services. It is also where most non-conformities are raised in real audits.
8.1 Operational planning and control
You must plan, implement and control the processes needed to meet requirements by determining product/service requirements, establishing criteria for processes and acceptance, determining required resources, implementing process control, and retaining documented information to demonstrate processes have been carried out as planned. Outsourced processes must be controlled in line with 8.4.
8.2 Requirements for products and services
Customer communication (8.2.1) must cover product information, enquiries and contracts, customer feedback including complaints, handling of customer property, and contingency arrangements. Requirements must be determined (8.2.2) before commitment — including statutory, regulatory, and any considered necessary by the organisation. Requirements must be reviewed (8.2.3) before commitment, with records kept of the review and any new requirements. Changes to requirements (8.2.4) trigger updates to documented information and notification of relevant people.
8.3 Design and development of products and services
Where you design products or services, you must establish, implement and maintain a design and development process covering planning, inputs, controls, outputs and changes. This includes determining stages and controls, review/verification/validation activities, responsibilities and authorities, and required documented information. Inputs must be adequate, complete and unambiguous; controls must ensure intended results are achieved; outputs must meet input requirements and specify monitoring/acceptance criteria. This clause can be excluded if the organisation does no design activity — but only with strong justification.
8.4 Control of externally provided processes, products and services
You must ensure externally provided processes, products and services conform to requirements. This applies to suppliers, contractors, and any outsourced process. You must determine and apply criteria for evaluation, selection, monitoring of performance, and re-evaluation. The type and extent of control must be based on the potential impact on the organisation's ability to consistently meet requirements.
Clause 8.4 generates more findings than almost any other — typically around weak supplier evaluation, no re-evaluation, no defined criteria for outsourced processes, and lack of evidence that supplier performance is actually monitored.
8.5 Production and service provision
Production and service provision must be carried out under controlled conditions (8.5.1) including availability of documented information defining characteristics and results, suitable monitoring resources, monitoring at appropriate stages, suitable infrastructure and environment, competent persons, validation of processes where output cannot be verified, and actions to prevent human error. Identification and traceability (8.5.2), property belonging to customers or external providers (8.5.3), preservation (8.5.4), post-delivery activities (8.5.5), and control of changes (8.5.6) each have their own specific requirements.
8.6 Release of products and services
Planned arrangements must be implemented to verify that product and service requirements have been met. Release must not proceed until planned arrangements have been satisfactorily completed (or otherwise approved by relevant authority and customer). Records of release must identify the person authorising release.
8.7 Control of nonconforming outputs
Outputs that do not conform to requirements must be identified and controlled to prevent unintended use or delivery. You must take appropriate action based on nature and effect: correction, segregation, return, suspension, informing the customer, or obtaining authorisation for use under concession. Documented information of the nonconformity, actions taken, concessions, and the authority deciding the action must be retained.
Clause 9 — Performance evaluation
Clause 9 forces the organisation to step back and ask: is the QMS actually working? It covers monitoring and measurement, internal audit, and management review.
9.1 Monitoring, measurement, analysis and evaluation
You must determine what needs to be monitored and measured, the methods to use, when monitoring/measurement is performed, and when results are analysed and evaluated. Customer satisfaction (9.1.2) must be monitored — through surveys, feedback, complaints data, market share analysis, or warranty claims. Analysis and evaluation (9.1.3) must use data to evaluate conformity, customer satisfaction, QMS performance, planning effectiveness, risk and opportunity actions, supplier performance, and need for improvement.
9.2 Internal audit
Internal audits must be conducted at planned intervals to determine whether the QMS conforms to the organisation's own requirements and the requirements of ISO 9001, and is effectively implemented and maintained. You must plan, establish, implement and maintain an audit programme considering importance of processes, changes affecting the organisation, and results of previous audits. Auditors must be objective and impartial — they cannot audit their own work.
9.3 Management review
Top management must review the QMS at planned intervals — typically annually, but in large organisations often quarterly with rolling agendas. Inputs (9.3.2) are specified: status of actions from previous reviews, changes in external/internal issues, information on QMS performance including customer satisfaction, feedback from interested parties, extent of objectives met, process performance, conformity of products/services, nonconformities and corrective actions, monitoring and measurement results, audit results, supplier performance, adequacy of resources, effectiveness of risk and opportunity actions, and opportunities for improvement. Outputs (9.3.3) must include decisions on opportunities for improvement, any needed changes to the QMS, and resource needs.
Clause 10 — Improvement
Clause 10 is short but important. It contains the explicit requirement to continually improve — the engine of every QMS.
10.1 General
You must determine and select opportunities for improvement and implement actions to meet customer requirements and enhance customer satisfaction. This includes improving products and services, correcting/preventing/reducing undesired effects, and improving QMS performance and effectiveness.
10.2 Nonconformity and corrective action
When a nonconformity occurs — including from a complaint — you must react to it, evaluate the need for action to eliminate causes (so it does not recur), implement the action, review effectiveness, update risks and opportunities if necessary, and make changes to the QMS if necessary. Corrective actions must be appropriate to the effects encountered. Documented information must show the nature of the nonconformity and actions taken, and the results of corrective action.
Common finding: organisations confuse correction (fixing the immediate problem) with corrective action (addressing the cause). A returned defective unit replaced with a good one is correction. Identifying why the defect was missed and changing inspection is corrective action.
10.3 Continual improvement
You must continually improve the suitability, adequacy and effectiveness of the QMS. Outputs of analysis and evaluation, and outputs of management review, must be considered to determine whether there are needs or opportunities that should be addressed as part of continual improvement.
How auditors actually use the standard
Reading the standard from front to back is useful once. After that, auditors rarely think in clauses — they think in processes. A typical audit trail will start with a customer order, follow it through requirements review, planning, production, release, delivery, and post-delivery. Along the way the auditor touches a dozen different clauses without naming them.
If you want to internalise the standard, stop reading it linearly. Take one process — sales, design, production, calibration, supplier management — and map it against every clause that applies. You will find the same handful of clauses (7.5, 8.1, 8.4, 8.5, 9.1, 10.2) appear in almost every process.
Documented information required by ISO 9001:2015
ISO 9001:2015 specifies the following documented information that must be maintained (kept current) or retained (kept as evidence):
- Scope of the QMS (4.3)
- Documented information needed to support process operation (4.4)
- Quality policy (5.2)
- Quality objectives (6.2)
- Evidence of fitness for purpose of monitoring and measuring resources (7.1.5.1)
- Basis used for calibration where no measurement standards exist (7.1.5.2)
- Evidence of competence (7.2)
- Documented information determined as necessary for QMS effectiveness (7.5.1)
- Evidence that processes have been carried out as planned (8.1)
- Results of the review of requirements (8.2.3)
- New requirements for products and services (8.2.3)
- Records of design inputs, controls, outputs and changes (8.3)
- Records of evaluation, selection, monitoring and re-evaluation of external providers (8.4)
- Characteristics of products and services and activities to be performed (8.5.1)
- Records of unique identification where traceability is required (8.5.2)
- Records of customer/external provider property lost, damaged or unsuitable (8.5.3)
- Results of review of changes for production and service provision (8.5.6)
- Records of authorised release of products and services (8.6)
- Records of nonconforming outputs and actions taken (8.7)
- Results of monitoring and measurement (9.1.1)
- Evidence of implementation of the audit programme and audit results (9.2.2)
- Evidence of the results of management reviews (9.3.3)
- Evidence of the nature of nonconformities and any subsequent actions taken (10.2.2)
- Results of any corrective action (10.2.2)
Common audit findings by clause
- 4.1 — context determined once at certification and never reviewed
- 4.2 — interested parties listed but requirements not flowed into the QMS
- 5.1 — top management cannot explain how they take accountability for QMS effectiveness
- 6.1 — risks identified but no link to actions or objectives
- 6.2 — vague objectives without owners, dates, or measurement
- 7.1.5 — calibration overdue or no traceability to national standards
- 7.2 — training records present but no evidence of competence evaluation
- 8.4 — supplier list maintained but no evidence of ongoing performance monitoring
- 8.5.6 — production changes not formally controlled
- 9.2 — internal audits late, narrow scope, or auditors auditing their own area
- 9.3 — management review missing several required inputs
- 10.2 — correction recorded but no root cause analysis or effectiveness review
Looking ahead to ISO 9001:2026
ISO 9001:2026 — expected in September 2026 — will retain the same clause structure 4 through 10. The Harmonized Structure is the foundation for all current ISO management system standards, and the 2026 revision will tighten alignment rather than restructure. Expect clarified language around culture and ethics, climate change as a contextual issue, and updated terminology — but the requirements you implement against the 2015 standard today will carry forward almost in full.
In other words: if you are reading this in preparation for a first certification, work to ISO 9001:2015 with confidence. The transition to 2026 will be evolutionary, not revolutionary.
“If you can stand at a process and explain its inputs, its outputs, its controls, who owns it, and how you know it is working — you have implemented ISO 9001. Everything else is just paperwork around that core idea.”