ISO 9001 Requirements

ISO 9001 requirements at a glance

• Standard: ISO 9001:2015
• Core structure: Clauses 1–3 (introductory), 4–10 (mandatory requirements)
• Key themes: Context, leadership, planning, support, operation, performance evaluation, and improvement
• Documentation: Quality policy, objectives, risk assessments, audit records, corrective actions
• UK relevance: Supports compliance with Consumer Rights Act; often required for tenders
• Upcoming update: 2026 revision to include sustainability and climate resilience requirements

What are the ISO 9001 requirements?

ISO 9001 sets out a framework for running your business in a way that ensures quality, consistency, and continual improvement — built around the Plan–Do–Check–Act (PDCA) cycle.

The Standard is made up of 10 clauses. Clauses 1–3 introduce the scope, terminology, and references; Clauses 4–10 outline the actual requirements your organisation must meet to achieve and maintain certification.

At a glance:

• Clauses 1–3: Provide context — defining what the Standard covers and the terms it uses.
• Clause 4: Sets the context of your organisation.
• Clause 5: Defines leadership and accountability.
• Clause 6: Focuses on planning and risk-based thinking.
• Clause 7: Covers support — from resources to training.
• Clause 8: Details operational control and supplier management.
• Clause 9: Explains performance evaluation and audits.
• Clause 10: Drives continual improvement.

Together, they follow the PDCA cycle:

• Plan: Understand context, set objectives, and plan for risks.
• Do: Deliver your services under controlled, consistent conditions.
• Check: Monitor, measure, and audit performance.
• Act: Review results and drive continual improvement.

This risk-based approach was introduced in the 2015 revision, helping organisations identify potential issues before they affect quality or customer satisfaction.

You’ll find a detailed clause-by-clause breakdown further down this page — including practical checklists and UK-specific examples to help you apply each requirement in your business.

The 7 principles of ISO 9001

• Customer focus – Meeting customer needs and enhancing satisfaction.
  Example: Map your complaint process to Consumer Rights Act expectations.
• Leadership – Setting clear direction and alignment across your business.
  Example: Directors review quality objectives during management meetings.
• Engagement of people – Involving and empowering employees at every level.
  Example: Include quality training in staff inductions.
• Process approach – Managing activities as linked processes, not isolated tasks.
  Example: Visualise sales-to-delivery workflows to reduce handover errors.
• Improvement – Continually enhancing performance through data and feedback.
  Example: Use customer feedback to refine processes and service quality.
• Evidence-based decision making – Relying on facts and data, not assumptions.
  Example: Monitor KPIs such as on-time delivery and customer satisfaction.
• Relationship management – Building strong supplier and partner relationships.
  Example: Maintain approved supplier lists and review performance regularly.

ISO 9001 requirements by clause

Clause 4 – Context of the organisation

This clause is about understanding your business environment and the factors that could impact how you deliver quality. You’ll look at both internal factors (like staffing, resources, or culture) and external ones (such as market conditions, regulations, or supply chain risks).You’ll also determine who your interested parties are (customers, regulators, suppliers, employees, shareholders, etc.) and understand what they expect from your organisation.

Checklist:

• SWOT or PESTLE analysis covering internal/external issues
• List of interested parties and their needs/expectations
• A defined scope for your QMS, outlining what parts of your business are covered and why.
• Process map showing how core activities link together

UK tip: If your business operates in sectors affected by post-Brexit changes (like importing goods or managing overseas suppliers), include this context — it shows awareness of external risks that could affect quality or continuity.

Clause 5 – Leadership

Clause 5 focuses on management’s role in driving quality. ISO 9001 expects visible leadership commitment — not just a policy on paper. Senior leaders are responsible for setting direction, communicating expectations, and making sure people have what they need to deliver.

Checklist:

• A quality policy that reflects your business goals and commitment to continual improvement.
• Clearly defined roles and responsibilities for quality.
• Regular management reviews where leadership discusses performance, risks, and improvement opportunities.
• Leadership involvement in promoting a culture of quality.

Tip: Leadership involvement is a core audit focus. Including objectives here strengthens the link to planning (Clause 6).

Clause 6 – Planning

Clause 6 introduces risk-based thinking — one of the key updates in ISO 9001:2015. It’s about identifying the things that could stop you from meeting customer expectations and planning how to prevent them. You’ll also set measurable quality objectives and plan any changes in a controlled way.

Checklist:

• A risk and opportunity register showing how risks are identified, rated, and managed.
• Quality objectives that are measurable, achievable, and linked to your policy.
• Evidence of planning to achieve those objectives (who’s responsible, by when, how measured).
• A process for managing planned changes (e.g. new systems, processes, or suppliers).

UK tip: Risks might include Brexit-related supply chain disruptions, rising material costs, or changes in UK legislation (like product safety or consumer protection). Including these examples in your risk register shows you understand your operating environment.

Note: While ISO 9001 doesn’t specifically cover Health & Safety (that’s ISO 45001), it does require you to identify risks that could affect quality — including safety-related risks in your operations.

Clause 7 – Support

Clause 7 is all about providing the resources, training, and information your team needs to make the QMS work. It covers people, infrastructure, competence, awareness, communication, and control of documents and records.

Checklist:

• A competence and training matrix that shows people are qualified for their roles.
• A document control system that tracks versioning, approvals, and updates.
• Adequate facilities, tools, resources, and infrastructure for quality delivery
• Evidence that your team is aware of the quality policy, objectives, and their contribution to them

Tip: Keep training simple but focused. For example, integrate GDPR or data handling training if staff deal with customer data as part of quality processes.

Clause 8 – Operation

This is where you show how you deliver your product or service. Clause 8 covers everything from customer communication to design, purchasing, production, and managing nonconformities. It’s the part of ISO 9001 that deals with your day-to-day operations.

Checklist:

• Contract or order review records to confirm customer requirements before work starts.
• Design and development process (if applicable) showing planning, review, verification, and validation.
• Approved supplier list and evaluation records to show control of purchasing and external providers.
• Production or service records — evidence that work was done to agreed standards.
• Nonconformity and corrective action records where things didn’t go to plan.

Tip:

• If you import materials or products, ensure your purchasing requirements include UKCA or CE marking compliance and checks on product safety documentation.
• For service-based businesses, focus on how you control contractors or outsourced work to maintain quality consistency.

Clause 9 – Performance evaluation

Clause 9 is about checking whether your system is working as intended. You’ll monitor, measure, and analyse performance, gather feedback, and conduct internal audits and management reviews.

Checklist:

• KPIs or metrics for quality performance (on-time delivery, customer complaints, returns).
• Customer feedback records and actions taken as a result.
• Internal audit reports and evidence that findings are followed up.
• Management review minutes showing leadership decisions and improvement actions.

Tip: Show your internal audits are objective, planned, and based on risk and performance.

Clause 10 – Improvement

The final clause closes the PDCA loop. It’s where you demonstrate that you don’t just fix problems — you learn from them and make your system stronger.

Checklist:

• A corrective action process that finds the root cause and prevents recurrence.
• An improvement log tracking ideas, suggestions, and results.
• Evidence that improvements have a measurable impact (e.g. reduced defects, fewer complaints).

UK tip: Many UK organisations link improvement goals to tender feedback or customer satisfaction scores — it’s a great way to show continual improvement in action.

Together, Clauses 4 to 10 make up the backbone of your QMS — from understanding your business and planning for risk to delivering consistent quality and improving every time.

When implemented properly, they don’t add bureaucracy — they clarify who does what, how you measure success, and how you keep getting better.

ISO 9001 documentation and records requirements

Your documentation is the backbone of your quality management system. It provides evidence that your processes are working and that you’re meeting the ISO 9001 requirements.

ISO 9001 doesn’t require piles of paperwork — but it does expect you to control the information that affects quality. That means keeping the right documents, in the right format, and making sure they’re up to date and accessible when needed.

In simple terms:
If it shows how you do something or proves that you’ve done it — it’s probably a controlled document or record.