What ISO 9001 Actually Requires (And It's Not What You Think)

A customer just sent you a questionnaire. One of the questions: "Are you ISO 9001 certified?"

You typed "no" and moved on — and then spent the rest of the day wondering whether you should have.

You know ISO 9001 is about quality. You've heard it's complicated and expensive. You assume it's meant for Boeing, not a 20-person machine shop in Ohio.

Here's what's true: ISO 9001 is absolutely applicable to small manufacturers. And while getting certified takes real work, what the standard actually requires isn't as mysterious as the consultants make it sound.

This is a plain-language breakdown of what ISO 9001 actually asks for.

What ISO 9001 Is, In Plain Terms

ISO 9001 is an international standard for quality management. The current version is ISO 9001:2015. At its core, it asks you to prove one thing: that you have a system in place to consistently deliver what your customers expect — and that you fix things when you don't.

That's it. The standard doesn't tell you how to run your shop. It doesn't require specific software, specific forms, or a certain number of employees. It says: know what you do, do it consistently, keep records that prove it, and fix problems when they show up.

Sections 4 through 10 contain the actual requirements. Here's what each one really means.

Section 4: Know Your Business

Before you can have a quality system, you need to understand what kind of shop you are and what your customers need from you.

This means documenting the basics: what your business does, who your customers are, what they care about, and what factors — external or internal — affect your ability to deliver quality work.

For a small shop, this might be two pages. A brief description of your business, your key customers, their main requirements, and the biggest risks to your ability to deliver consistently.

Section 5: Leadership Has to Actually Be Involved

The owner or plant manager has to be part of the quality system — not just on paper. ISO 9001 requires leadership to set a quality policy, make sure people know their responsibilities, and review quality performance regularly.

This does not require a full-time quality manager. It requires the shop owner or operations manager to:

Sign a one-page quality policy
Hold a management review once or twice a year
Make sure employees understand what's expected of them

Section 6: Think About What Could Go Wrong

The core idea here is simple: identify your quality risks before they become quality problems.

ISO 9001 asks you to think about what could go wrong in your processes and have a plan for it. For most small shops, this means a list of your most common quality failures and what you do to prevent them. It doesn't have to be a formal risk register. It has to be real.

Section 7: The Right Resources and Records

You need the right people, equipment, and environment to do your work — and records proving it.

For most shops, this means:

Calibration records for measurement tools (calipers, gauges, torque wrenches)
Training records for employees doing quality-critical work
Documentation that your work environment is appropriate for the job

This is one of the first places auditors look. If you can't show that your measurement tools have been calibrated and your people have been trained, the audit goes sideways fast.

Section 8: Operations — The Heart of It

This is where most of the actual work is. Section 8 covers how you plan, control, and deliver your product.

It requires:

Documented processes for your key operations. Not a 200-page manual — specific work instructions or procedures for the steps where quality can slip.
Customer requirements captured before you accept a job. You need a written record of what the customer asked for.
Change control — a process for managing spec changes mid-job. If the customer changes the drawing, that has to be documented.
Inspection and verification — evidence that you checked your work before shipping. First article, in-process checks, final inspection — whatever your process requires.
Control of nonconforming product — what happens when something fails inspection?

That last one gets the most attention from auditors. A bad part is going to happen. What matters is whether you have a documented process for catching it, quarantining it, and deciding what to do.

Section 9: Measuring How You're Doing

You need to track your quality performance and look at the data. This doesn't require dashboards or software. It requires:

Some way to track whether customers are satisfied (complaints, returns, feedback)
Internal audit — at least once a year, verifying that your system is actually working
Management review — a formal look at quality data and a decision on what to improve
Analysis of trends — are the same problems happening over and over?

The point of this section is that quality isn't something you check once. It's something you monitor.

Section 10: Fix Problems for Real

When something goes wrong — a customer complaint, a failed inspection, a supplier defect — you need a documented process for figuring out why it happened and preventing it from happening again.

Auditors care about this more than almost anything else in the standard, and most small shops fall short here — not because they don't fix problems, but because they don't document what they did and why.

A corrective action doesn't need to be a 10-page report. It needs to answer four questions: What happened? Why did it happen? What did you do about it? How do you know it won't happen again?

What You Don't Need

A lot of consultants make ISO 9001 sound more complicated than it is. Here's what the standard does NOT require:

A quality department or full-time quality manager
Any specific software system
Hundreds of forms and procedures
A quality manual (the 2015 revision removed this requirement)

What it requires is a system — documented processes and records that prove your shop does what it says and fixes problems when it doesn't. That system can live in a shared folder if the records are there and up to date.

Getting Certified

Certification requires a third-party audit by an accredited registrar. The process has two steps:

Stage 1 audit: The auditor reviews your documentation to verify that your system meets the standard on paper.
Stage 2 audit: The auditor visits your shop and confirms that you're actually doing what your documentation says.

Once certified, you maintain it through surveillance audits (typically annual) and a full recertification audit every three years.

Certification costs $2,000–$8,000 depending on your shop size and registrar. Getting your system ready is where most of the work — and the cost — is.

Building This Without a Full-Time Quality Manager

Most small shops don't have a dedicated quality manager. The owner or operations manager handles quality alongside everything else. That's fine — ISO 9001 doesn't require a title. It requires a system.

If you want to build that system without dedicating someone full-time to it, CLEO is designed exactly for that. It guides your team through the core quality processes — problem tracking, documentation, internal audits, management review, and supplier issues — and keeps your records organized and audit-ready. At $99/month, it costs less than one hour with a quality consultant.

Start Here

If a customer is asking about ISO 9001, here's what to do this week:

Write down your five most important quality processes — how you quote jobs, set up for production, inspect finished work, handle rejected parts, and respond to customer complaints.
Identify your two or three biggest quality risks — the things that, if they went wrong, would cost you that customer's trust.
Start logging corrective actions, even informally. Every time something goes wrong and you fix it, write down what happened and what you did.

That's the foundation. Everything else in ISO 9001 is documentation and consistency built on top of it.