Read this article summarized with
Table of contents

ISO 9001 Work Instructions and SOPs: Requirements and Software

Jure Špeh
Jure Špeh Co-founder and CTO MSc of Electrical Engineering, building AI tools that turn video recordings into structured work instructions and SOPs.
A quality team reviewing SOPs and work instructions on a tablet and clipboards during an ISO 9001 audit on a machine shop floor.

What ISO 9001:2015 actually requires for SOPs and work instructions: Clause 7.5 document control, SOP vs work instruction, what auditors check, and how to digitize it.

TL;DR

ISO 9001:2015 does not demand a specific set of SOPs or work instructions. It requires that the documented information you do keep is identified, approved before use, version-controlled, and available where the work happens (Clauses 7.5 and 8.5.1). SOPs sit at the process level; work instructions sit at the task level; both are optional tools for meeting those requirements. The hard part is not writing them once, it is keeping one current, approved version in front of every worker, and being able to prove it in an audit.

  • Neither SOPs nor work instructions are mandatory. ISO 9001:2015 explicitly requires only four documents plus a set of records. Everything else is whatever your organization decides it needs under Clause 7.5.1.
  • A procedure (SOP) is process-level; a work instruction is task-level. “SOP” is not an ISO term, but in practice it maps to the standard’s “procedure.”
  • Clause 7.5 is really about control: identification (title, author, reference number), review and approval before use, version control, and controlled distribution.
  • Clause 8.5.1 is the point-of-use clause: the documented information that defines the work must be available to the people doing it.
  • The common audit failure is operational, not editorial: an operator following an obsolete printout because the current version never reached the floor.

Who this is for

If you are getting ISO 9001 certified, keeping a certification, or just trying to standardize how work gets done, you have probably run into the same confusion everyone does: which documents are actually required, what the difference between an SOP and a work instruction is, and how much “document control” you really need. This guide answers those plainly, then shows what it takes to keep the system running once the auditor has gone home.

A quick, honest note before we start: exact clause wording is copyrighted by ISO. The clause numbers and requirements below are accurate and paraphrased from the standard and reputable certification-body guidance. When you need the exact text, buy the standard or read it on the ISO online browsing platform.


What ISO 9001 says about documentation

The 2015 revision changed the vocabulary in a way that still trips people up. ISO 9001:2015 replaced the old terms “documents,” “records,” “documented procedures,” and “quality manual” with a single umbrella term: documented information. (ISO 9001 explained)

The standard signals two subtypes through its verbs:

  • “Maintain” documented information means the living documents you keep current: procedures, SOPs, work instructions, templates.
  • “Retain” documented information means the records you keep as evidence that work was done: completed checklists, inspection results, training records.

Two things disappeared in 2015 that many people still believe are required. The quality manual is no longer mandatory, and the six mandatory documented procedures were removed entirely. ISO 9001:2015 mandates zero specific procedures. (NQA: Procedures and ISO 9001)

Just as important: the standard is format-neutral. Documented information can be a Word file, a PDF, a photo, a video, a checklist, or a screen in an app. Nothing in ISO 9001 says a work instruction has to be a printed page.


Are SOPs and work instructions mandatory for ISO 9001?

No. This is the single most common misconception in online guidance, and it is worth stating flatly.

ISO 9001:2015 explicitly requires only a short list of mandatory documents, plus a set of mandatory records. The table below is the whole list of what the standard names outright. (Advisera: mandatory documents list)

Documented informationTypeClause
Scope of the QMSDocument (maintain)4.3
Quality policyDocument (maintain)5.2
Quality objectivesDocument (maintain)6.2
Criteria for evaluating and selecting suppliersDocument (maintain)8.4.1
Calibration of monitoring and measuring equipmentRecord (retain)7.1.5.1
Evidence of competence (training, skills, experience)Record (retain)7.2
Review of requirements for products and servicesRecord (retain)8.2.3
Characteristics of products and servicesRecord (retain)8.5.1
Conformity of outputs to acceptance criteriaRecord (retain)8.6
Nonconforming outputsRecord (retain)8.7.2
Monitoring and measurement resultsRecord (retain)9.1.1
Internal audit program and resultsRecord (retain)9.2
Management review resultsRecord (retain)9.3
Corrective action resultsRecord (retain)10.2

Records that apply only when the activity is relevant (design and development under 8.3, customer property under 8.5.3, and change control under 8.5.6) are left out here for brevity. Everything beyond this list, including SOPs and work instructions, is documented information you decide you need.

SOPs and work instructions are not on that list. They are one common, optional way to satisfy two clauses:

  • Clause 7.5.1, which asks you to keep the documented information you determine is necessary for the effectiveness of your QMS, and
  • Clause 8.5.1, which asks that the information defining your production or service activities is available where the work is carried out.

In other words, you write a work instruction where you need one to get the task done consistently, not because a clause commands it. Our ISO 9001 work instructions glossary entry covers this distinction in more depth.


The ISO 9001 documentation hierarchy

Most quality systems organize documented information into levels of increasing detail. The pyramid is a long-standing convention, not a 2015 requirement, but it is still the clearest way to think about it.

LevelDocumentAltitudeAnswers
1Quality manual / policyWhole QMSScope and framework (optional since 2015)
2Procedure / SOPProcess levelWhat is done, who does it, in what order
3Work instructionTask / step levelExactly how to perform one task
4Forms and recordsEvidenceProof the work was done

The rule of thumb from The 9000 Store is the one to remember: if the procedure does not give someone enough guidance to complete the task, write a work instruction for that task. Not before.


SOP vs work instruction (standard operating procedure vs work instruction)

The distinction is about altitude. A procedure describes a whole process; a work instruction zooms in on a single task inside it.

Procedure / SOPWork instruction
AltitudeProcess levelSingle task or step
AnswersWhat is done, who does it, in what orderExactly how to perform the step
ScopeOften spans people and departmentsOne operator, one task
DetailGeneralSpecific: tools, settings, accuracy
ISO 9001:2015 statusOptional, format not mandatedOptional, used where extra detail is needed

One clarification worth making: “SOP” is not a term ISO 9001 defines. In QMS practice, an SOP is used interchangeably with the standard’s Level-2 “procedure.” A work instruction is the more granular Level-3 document. If you want the long version with examples, see our breakdown of SOP vs work instruction.


What Clause 7.5 requires: document control

This is where certification is won or lost. Clause 7.5 governs how documented information is created, updated, and controlled, and it has three parts.

7.5.1 General. Your QMS includes the documented information the standard requires, plus whatever you determine is necessary for it to work. The standard openly says the amount will differ by organization size, process complexity, and the competence of your people. A shop full of 20-year veterans needs fewer instructions than one hiring seasonal crews every spring.

7.5.2 Creating and updating. When you create or update a document, you must ensure appropriate:

  • Identification and description (for example, a title, date, author, or reference number),
  • Format and media (language, software, graphics; paper or electronic), and
  • Review and approval for suitability and adequacy before it is used.

That last point is the one teams underestimate. A procedure is not “done” when someone finishes writing it. It is done when a competent person has reviewed and approved it for use, and you can show who did so.

7.5.3 Control of documented information. The current, approved information must be available and suitable for use where and when it is needed, and protected from improper use or loss of integrity. For control, you address, as applicable: distribution, access, retrieval, and use; storage and preservation; control of changes (version control); and retention and disposition. Documents of external origin that you rely on, like a customer spec or a regulation, must also be identified and controlled. (ISO Tracker: document control)

And Clause 8.5.1, the point-of-use clause, closes the loop: production and service work must run under controlled conditions, including the availability of documented information that defines the characteristics of the product or the activity, and the results to be achieved. The instruction has to reach the person doing the job.


What an auditor actually looks for

Translate the clauses into what a certification auditor checks at your workstation, and the list is short and concrete:

  1. A unique identifier on each controlled document (a reference number, not just a filename).
  2. A visible revision or version level, current and matching the master.
  3. Evidence of approval before use, with a name and a date, not an anonymous “published.”
  4. Only the current version in use at the point of work. An operator holding last year’s printout is the classic finding.
  5. Obsolete copies removed or clearly marked, while still retained for audit and legal history.
  6. Controlled distribution and access, so the right people have the right documents.
  7. Control of external-origin documents, such as customer drawings and standards.

Notice that none of this is about how well the document is written. It is about whether the right version is controlled, approved, and in the right hands.


Where teams actually fail

The theory is not the hard part. Keeping it true, every day, on a real floor, is. The failures we see over and over:

  • Obsolete printouts. A change gets approved in the master file, but the laminated copy at the machine never gets swapped. The operator is now following an uncontrolled document.
  • The shared-drive graveyard. Procedures live in a folder nobody can navigate, in three near-identical versions, and no one knows which is current.
  • No approval evidence. Someone edited the procedure, but there is no record of who reviewed or approved it, so the auditor cannot confirm 7.5.2(c).
  • The instruction never reaches the floor. It exists, correctly, in a system the frontline worker cannot open, so 8.5.1 fails in practice even though the paperwork looks fine.
  • English-only in a multilingual crew. The document is available, but not in a language half the shift can read.

Every one of these is a document-control problem, and every one is solvable by making sure a single approved version is always the one people reach.


How SOPX handles ISO 9001 document control

SOPX is an AI SOP and work-instruction platform. You film a process on a phone or import an existing PDF, and the AI structures it into a clean, step-by-step digital procedure. What makes it fit ISO 9001 is not the authoring speed, though; it is that document control is built into how procedures are created, approved, and delivered. Here is the mapping, clause by clause.

ISO 9001:2015 requirementWhat it asks forHow SOPX supports it
7.5.2(a) IdentificationTitle, date, author, unique reference numberA Document ID (a unique reference like SOP-PROD-014) on every procedure, plus title, owner, and last-updated date
7.5.2(c) Review and approval before useSign-off for suitability before releaseAn optional approval flow: submit for review, an approver approves before it publishes, with an optional “require a different approver” rule for four-eyes separation
7.5.3.2 Control of changesVersion control; who changed what, and whenAutomatic versioning plus procedure history, a read-only trail of created, submitted, approved, published, and restored, each with a name and timestamp
7.5.3.1 / 8.5.1 Availability at point of useThe current version, where and when it is neededOperators open the latest approved version by link or QR code at the workstation; full screen mode shows one step at a time on the floor
Obsolete-version controlPrevent use of superseded copiesOne published version is the single source of truth; publishing a new version archives the old one automatically
7.5.3.2 Distribution and accessControl who can reach each documentWorkspaces, teams, and role-based access decide who can view, comment, edit, or manage
External-origin documentsIdentify and control incoming docsImport an existing PDF procedure and it becomes a structured, controlled digital SOP
Retained documented informationEvidence the work was doneRun mode captures step checklists, a signature, and notes when a run is completed
Availability in the reader’s languageUsable information at the point of useAI translation into 50+ languages from the same procedure

A note on plans, so the picture is honest: Document IDs and comments are available on every plan. The approval flow and procedure history are on the Pro and Enterprise plans. Full details are on the pricing page.

The point is not that software makes you compliant. It is that the two things auditors care most about, a single controlled version and proof of its lifecycle, stop being manual discipline you have to enforce and become the default way the system behaves.


A concrete example

A metal fabrication shop is preparing for its ISO 9001 surveillance audit. The auditor points at a laminated instruction taped to a press and asks the supervisor, Sofia, to prove it is controlled.

Sofia opens the procedure in SOPX on a tablet. The header shows Document ID SOP-PROD-014 and the current version. She opens procedure history and reads the trail out loud: the current version was created from the previous one, submitted for review to the quality lead, sent back once for a missing torque tolerance, resubmitted, approved by the quality lead, and published, at which point the old version was archived automatically. Every step has a name and a date.

Then she scans the QR code on the laminated sheet. It opens the same current version, in the operator’s language, on a phone with no login. The printed sheet and the live version match because the QR always points at whatever is currently published.

No binder. No “let me find the master copy.” That is what Clauses 7.5 and 8.5.1 are asking for, demonstrated in about ninety seconds. For the deeper story on the sign-off gate and the audit trail, see our write-up on the approval flow, procedure history, and Document IDs.


Getting started: a short document-control checklist

Whether you use SOPX or not, this is the sequence that gets you to real control:

  1. Decide what actually needs a document. Start with the four mandatory documents and the required records, then add SOPs and work instructions only where a task needs them to be done consistently. Do not paper the whole plant.
  2. Give every controlled document a unique ID that follows it across revisions.
  3. Require review and approval before use, and keep the evidence of who approved and when.
  4. Version every change so you can always show what changed and why.
  5. Put the current version at the point of use, in the language of the person doing the work.
  6. Retire obsolete versions the moment a new one is approved.
  7. Keep the records (completed checklists, sign-offs) that prove the work was done to the current instruction.

For the ongoing part, our guide on keeping work instructions up to date covers the review cadence and ownership that stop documents from going stale between audits.


A note on the ISO 9001:2026 revision

As of mid-2026, ISO 9001:2015 is still the current, valid edition. A revision is in its final stages: the draft moved to the FDIS ballot stage in 2026, with publication of the next edition expected around September 2026 and a three-year transition period to follow. Certification bodies describe the update as evolutionary rather than a rewrite, so the document-control principles in Clause 7.5 are not expected to change materially. Treat anything labeled “ISO 9001:2026” as forthcoming, not current, and re-verify against the published text once it is released. (Separately, a 2024 amendment added climate-change consideration to Clauses 4.1 and 4.2 of the 2015 edition.)


Frequently asked questions

Are work instructions mandatory for ISO 9001?

No. ISO 9001:2015 does not explicitly require work instructions. They are an optional way to satisfy Clause 7.5.1 (keep the documented information you need) and Clause 8.5.1 (make the information defining the work available at the point of use). You create them only where a task needs that level of detail.

What documents are mandatory for ISO 9001:2015?

Only four documents are explicitly required: the QMS scope (4.3), the quality policy (5.2), the quality objectives (6.2), and supplier evaluation criteria (8.4.1). Alongside these, the standard requires a set of records as evidence (for example, competence, calibration, internal audit and management review results). Everything else is whatever your organization determines it needs.

What is the difference between an SOP and a work instruction?

A procedure or SOP works at the process level: what is done, who does it, and in what order. A work instruction works at the task level: exactly how to perform one step, including tools, methods, and required accuracy. You write a work instruction when the procedure alone does not guarantee the task is done the same way every time.

Is a quality manual still required under ISO 9001:2015?

No. The quality manual was mandatory under ISO 9001:2008 but is no longer required in the 2015 edition. It is still allowed and can be useful, but you may document your scope and process interactions in any suitable form.

What does Clause 7.5 require for document control?

That documented information is identified (title, author, reference number), reviewed and approved for suitability before use, version-controlled, protected, and made available where and when it is needed. It also asks you to control distribution, access, storage, changes, and retention, and to control documents of external origin.

Can ISO 9001 work instructions be digital, such as video or a checklist?

Yes. ISO 9001 is format-neutral. A work instruction can be a video, an annotated photo, a checklist, or a screen in an app, as long as it is identified, approved, controlled, and available at the point of use. This is exactly why platforms like SOPX satisfy the standard while replacing binders and shared drives.

How do you prevent an audit finding for obsolete documents?

Make sure only one approved version can be reached at the point of work, and that approving a new version automatically retires the old one. The frequent finding, an operator using a superseded printout, happens when the master file and the copy on the floor drift apart. A single live version that everyone opens by link or QR code removes that gap.


Further reading and resources

Authoritative references worth bookmarking:

From SOPX:

If you want to see how this works on your own procedures, you can start free: give one procedure a Document ID, turn on the approval step, and publish it to a QR code at the workstation. That single procedure is enough to show your auditor what controlled documented information looks like in practice.