The 2015 revision eliminated the quality manual requirement and six mandatory procedures. What it added is more demanding. Here's what actually changed — and what your registrar looks for during surveillance.
When ISO 9001:2015 replaced the 2008 revision, the documentation requirements changed in ways that many organizations still have not fully absorbed. The 2015 revision eliminated the explicit requirement for a "quality manual" as a specific document, removed six mandatory documented procedures that had been explicitly required in the 2008 version, and replaced "documents and records" with the single term "documented information."
For quality managers who had built their QMS documentation structures around the 2008 requirements, this created a compliance dilemma. The new standard was less prescriptive. But less prescriptive did not mean less demanding — it meant the organization bore more responsibility for determining what documentation was necessary and for demonstrating that their choices were adequate.
Most organizations responded to this change in one of two ways: they kept their existing documentation structure and reframed it in 2015 language, or they dramatically reduced their documentation on the theory that the standard required less. Both approaches have audit failure modes.
The 2015 standard requires documented information in two categories: information explicitly required by specific clauses, and information the organization determines is necessary for QMS effectiveness.
The first category is a defined list. Auditors know it and will check it systematically. The explicitly required documented information includes:
Scope of the QMS (Clause 4.3), Quality policy (Clause 5.2.2), and Quality objectives (Clause 6.2.1). These three are the most familiar, retained from prior versions.
Evidence of fitness for purpose of monitoring and measuring resources (Clause 7.1.5.1) — your calibration records and equipment maintenance evidence.
Evidence of competence (Clause 7.2) — training records and qualification matrices demonstrating personnel are competent for the work they perform.
Information about results of reviews of customer requirements (Clause 8.2.3) — records that customer requirements were reviewed before contract acceptance.
Results of supplier evaluations and actions (Clause 8.4.1) — documented evidence of how you evaluate, select, and monitor external providers.
Product and service release evidence (Clause 8.6) — records that products meet acceptance criteria before release, including who authorized the release.
Results of nonconforming output reviews and actions (Clause 8.7.2) — NCR records.
Results of performance monitoring and measurement (Clause 9.1) — your quality metrics data.
Results of internal audits (Clause 9.2.2), Results of management reviews (Clause 9.3.3), and Results of corrective actions (Clause 10.2.2).
This list is longer than many organizations expect when told the 2015 revision "requires less documentation."
The 2008 version explicitly required documented procedures for: control of documents, control of records, internal audit, control of nonconforming product, corrective action, and preventive action. The 2015 version does not explicitly require these as separate procedures.
What it requires instead is that these processes are controlled and that the organization retains documented information to support operation of these processes. The practical difference is smaller than it appears. Your internal audit process still needs to be documented well enough that auditors can see it is consistently executed. Your corrective action process still needs to produce traceable records. The format is flexible. The underlying requirement is not.
Organizations that eliminated their corrective action procedure on the basis that "2015 doesn't require documented procedures" and replaced it with an informal approach have consistently generated audit findings. The standard removed the prescriptive requirement for a procedure. It did not remove the requirement for a controlled, consistently executed process.
One of the most significant additions in the 2015 revision — and the least implemented — is the requirement to determine the context of the organization (Clause 4.1) and to document how external and internal issues relevant to the organization's purpose affect the QMS.
This has direct documentation implications. An organization in an industry with high regulatory scrutiny — medical devices, aerospace, defense — has a QMS context that requires more extensive documented information than an organization in a lower-risk industry. The context justifies and shapes the documentation approach.
Auditors use the context determination as a lens for evaluating documented information adequacy. If your context analysis identifies customer-specified quality requirements as a significant external issue, but your QMS has no documented mechanism for capturing and flowing down those requirements, the gap between your context assessment and your documentation structure is a finding.
The context requirement is not administrative. It is an argument for why your documentation approach is appropriate for your situation.
ISO 9001:2015 introduced "risk-based thinking" as a replacement for the formal preventive action requirement of the 2008 revision. The practical meaning for documentation is that the level of documentation for any process should be proportionate to the risk associated with variation in that process.
A high-risk process — one where variation directly causes safety defects, significant customer impact, or regulatory noncompliance — warrants extensive documentation: detailed work instructions, controlled distribution, regular review against current specifications, and documented evidence of execution.
A low-risk administrative process may warrant a brief procedure with lighter control requirements. The standard permits this differentiation. Treating every process with identical documentation rigor wastes resources and creates noise. Treating every process with minimal documentation creates unacceptable risk.
The auditor's question is whether the documented information approach is appropriate given the risks the organization faces. This is a judgment call — one that auditors apply based on their knowledge of your industry, your customer base, and your regulatory environment.
Surveillance audits by accredited registrars have a consistent pattern. The scope of each surveillance is narrower than the initial certification audit, but the depth within that scope is often greater.
Registrars typically sample across several process areas and look for:
Procedure-to-practice alignment. They observe processes and compare what they see to what the documented procedures describe. Gaps between documented and actual practice are findings regardless of whether the outcome of the actual practice is acceptable.
Record completeness. Required records that cannot be produced, or records that exist but do not contain required information elements. A product release record that does not identify who authorized release fails 8.6 regardless of whether the product was actually good.
Corrective action closure quality. Actions closed without documented evidence of root cause analysis and effectiveness verification. This is among the most reliably cited findings in surveillance audits across all sectors.
Management review evidence. Documentation that top management reviewed QMS performance data — including customer feedback, audit results, and quality objectives performance — with documented outputs and action items.
Calibration compliance. Current calibration status of measurement equipment used in the processes being audited. Lapsed calibration on in-use equipment generates findings quickly.
The pattern is consistent: registrars are not primarily looking for documentation that says the right things. They are looking for evidence that the documented system is operating as described and producing the outcomes it claims to produce. A beautifully written QMS manual backed by inconsistent execution generates findings. A simple, honest system that is consistently followed does not.