ISO 9001 – Quality Management Systems

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • QMS Framework & Continual Improvement • Quality, Operations, Leadership

ISO 9001 is the globally recognized framework for building a process‑based Quality Management System (QMS) that delivers consistent products and services and drives continual improvement. It emphasizes the process approach, risk‑based thinking, and Plan‑Do‑Check‑Act (PDCA) across the business—from understanding customer needs and context to controlling operations, engaging people, and learning from performance. ISO 9001 does not prescribe how to make your product; it requires that you define, control, and improve your processes under governed Document Control, with verified competency, supplier oversight, and effective CAPA.

“ISO 9001 turns quality from a department into a management system—visible, measured, and relentlessly improved.”

TL;DR: ISO 9001 is the universal QMS blueprint. Map your processes, set quality objectives and metrics, manage risks and changes, ensure competence and training, control suppliers via SQM, and use audits, data, and CAPA to improve. Certification is achieved through independent audits; sustaining it requires governed documents, good metrics, and leadership commitment.

1) What ISO 9001 Covers—and What It Does Not

Covers: a management system for quality spanning context, leadership, planning, support, operations, performance evaluation, and improvement. It requires defined processes, risk/opportunity management, documented information, competent people, infrastructure, supplier control, monitoring/measurement, internal audits, and management review.

Does not cover: product‑specific technical requirements, regulatory GMP/medical device particulars, or a prescriptive set of procedures. ISO 9001 certification is system certification, not product certification; regulated industries often layer sector standards (e.g., ISO 13485) or GMP expectations on top.

2) System & Data Integrity Anchors

Govern policies, procedures, and records under Document Control with effective dates, version history, and approval workflows. Electronic records should be attributable and retained per policy (Record Retention) with sound Data Integrity practices. Where quality decisions rely on validated software (e.g., MES/LIMS/QMS), apply proportionate CSV; in regulated environments, align e‑signatures with Part 11/Annex 11.

3) The ISO 9001 Evidence Pack

Maintain documented information that shows: QMS scope and process map; quality policy and measurable objectives (with owners and targets); risk/opportunity determination and actions (Risk Register); competence and training matrices; infrastructure and calibration status (Calibration); supplier evaluation/monitoring (Supplier Qualification, Quality Agreements); operational controls and acceptance criteria (Control Plans); internal audits; management reviews; nonconformity and CAPA; customer feedback/complaints (RMA where applicable).

4) From Gap to Certification—A Standard Path

Begin with leadership commitment and scope. Map processes and interfaces; perform a gap assessment; set objectives and KPIs; stand up risk controls and change governance (Change Control/MOC). Train roles, run the QMS, audit internally, and hold a management review. Choose a certification body; pass Stage 1 (readiness) and Stage 2 (effectiveness) audits; then maintain via surveillance audits and continual improvement.

5) Interpreting ISO 9001 Requirements

Use the process approach: define inputs, outputs, owners, resources, and measures for each process; control interactions and handoffs. Apply PDCA to each process and to the system overall. Treat risks as practical control needs (e.g., supplier change notices, training for new equipment) rather than abstract registers; verify that actions reduce occurrence, detection gaps, or impact.

6) Clause Themes in Practice

Context & Leadership: understand stakeholders and commit resources; publish a policy and objectives tied to customer and business outcomes. Planning: address risks/opportunities; plan changes. Support: competence, infrastructure, environment, measuring resources, documented information. Operation: plan and control product/service realization, including external providers. Performance: monitor, analyze, audit, review. Improvement: handle nonconformity and drive CAPA and breakthrough changes.

7) Process Controls & Metrics

Translate requirements into control plans, acceptance criteria, and in‑process checks; measure KPIs like on‑time delivery, first‑pass yield, defect rate, complaint rate, and cycle time. Where applicable, apply SPC to critical characteristics and trend stability and capability over time.

8) Risk‑Based Thinking & Change

Use practical tools (e.g., PFMEA) to prioritize controls and verification. Route significant changes through MOC, updating procedures, training, inspection plans, and supplier instructions, and confirming effectiveness in the next management review.

9) Documented Information—Create Less, Use More

ISO 9001 requires “documented information,” not a specific “quality manual.” Keep procedures lean, embed work instructions in systems (MES/WMS), and ensure records are searchable and traceable (Retention, Integrity). Remove obsolete content quickly through governed updates.

10) Suppliers & Outsourced Processes

Qualify and monitor suppliers (Supplier Qualification) with risk‑proportionate controls—e.g., incoming inspection, certificates, Quality Agreements, and performance reviews under SQM. Use SCAR to correct systemic issues.

11) Nonconformity, CAPA & Learning

Log product and process nonconformities (Deviation/NC), contain impact, and investigate with effective RCA. Implement CAPA, verify effectiveness, and close the loop via audits and management review. Treat complaints, returns, and warranty claims as input to prevention, not just fixes.

12) Internal Audit & Management Review

Run risk‑based internal audits that test process effectiveness, not just paper compliance. In management review, evaluate performance trends, audit/CAPA status, supplier performance, customer feedback, risks/opportunities, resource needs, and improvement priorities; issue decisions and actions with owners and due dates.

13) Metrics That Demonstrate QMS Control

  • On‑Time Delivery (OTD): customer promise vs actual.
  • First‑Pass/Final Yield: by process family and rolled.
  • Defect Rate / DPPM: in process and at customer.
  • Complaint & Return Rate: trend and closure time.
  • CAPA Effectiveness: recurrence and lead time to verify.
  • Audit Closure: time to close findings; repeat findings.
  • Supplier Performance: OTD, quality score, SCAR cycle time.

Use dashboards to detect drift early and to prove improvement after changes or projects.

14) Common Pitfalls & How to Avoid Them

  • Paper QMS. Embed controls in systems (MES/WMS/LIMS) and daily management, not binders.
  • Too many procedures. Keep them lean and role‑based; retire what people don’t use.
  • Weak change control. Route changes via MOC, update training, and check effectiveness.
  • Audits as events. Use layered internal audits and gemba checks, not annual surprises.
  • Metrics without action. Tie KPIs to owners and PDCA; review at the right cadence.
  • Uncontrolled suppliers. Formalize selection, monitoring, and escalation under SQM.

15) What Belongs in the Certification Dossier

QMS scope and process interactions; quality policy and objectives with evidence of monitoring; risk/opportunity log and actions; resource and competence records (Training Matrix); calibration/maintenance evidence; supplier evaluation and performance; operational controls and acceptance criteria; internal audit program and results; management review outputs; nonconformity and CAPA records; change records; customer feedback trend and actions—governed under Document Control and Retention.

16) How This Fits with V5 by SG Systems Global

Governed QMS backbone. The V5 platform provides versioned Document Control, role‑based approvals, and effective‑dating so “documented information” is current, linked, and audit‑ready across policies, SOPs, and work instructions.

Closed‑loop improvement. V5 QMS orchestrates Internal Audits, findings, RCA, and CAPA with effectiveness checks and dashboards, feeding management review packs automatically.

Operational integration. V5 connects QMS to execution—MES for controlled production and eBMR, and WMS for inventory and status—so evidence is captured at source with audit trails and traceable identity.

Risk & supplier control. V5 maintains a centralized Risk Register and supplier lifecycle (SQM, Supplier Qualification, Quality Agreements, SCAR) with scorecards and alerts.

Evidence by design. KPIs, audit schedules, training status, and change history are reportable by process, site, or product family—making ISO 9001 certification and surveillance audits a review of live, linked records rather than a scramble for files.

Bottom line: V5 operationalizes ISO 9001—what you plan, you run; what you run, you measure; what you measure, you improve—on one governed platform.

17) FAQ

Q1. Is a quality manual required?
No. ISO 9001 requires “documented information,” not a specific manual. Keep a clear process map, policy, procedures where needed, and complete records.

Q2. How does ISO 9001 relate to ISO 13485 and GMP?
ISO 9001 is generic; ISO 13485 adds medical device specifics and regulatory controls. GMP (cGMP) adds sector regulations. Many organizations implement ISO 9001 principles and overlay sector requirements.

Q3. Do we have to validate software under ISO 9001?
When software affects product/service conformity or QMS performance, control and validate it proportionate to risk—often under CSV expectations in regulated contexts.

Q4. Can we exclude design and development?
If not applicable to your business model, you may scope out design and development with clear justification; all applicable requirements must still be met.

Q5. How long is certification valid?
Certificates typically run on a three‑year cycle with periodic surveillance audits. Sustained performance and closed‑loop improvement keep certification in good standing.

Q6. Is ISO 9001 certification required by law?
Generally no, but many customers and sectors expect it. It often reduces audit burden and signals system maturity to stakeholders.


Related Reading
• Core QMS & Governance: Document Control | Policies | Internal Audit | KPIs
• Risk & Improvement: Risk Management (QRM) | PFMEA | Change Control | CAPA | RCA
• Execution & Records: MES | eBMR | Data Integrity | Record Retention | 21 CFR Part 11 | Annex 11
• Suppliers & External: SQM | Supplier Qualification | Quality Agreement | SCAR
• Sector Frameworks: ISO 13485 | FDA QMSR | GMP


