ISO 9001

ISO 9001 Audit Preparation Checklist

May 2026 · 6 min read · By ASOW Suite GRC

ISO 9001 audits are not pass-or-fail events in the way many organizations treat them. An auditor's job is to assess whether your management system is real — whether it actually operates, generates evidence, and drives improvement — not whether your binder is organized.

That said, being prepared eliminates unnecessary stress and ensures you can demonstrate what you have built. This checklist covers the areas most commonly reviewed in both certification and surveillance audits, with the specific evidence auditors typically request.

Important: This checklist covers ISO 9001:2015 requirements. If you are working toward a different standard (ISO 14001, ISO 45001, IATF 16949), the structure is similar but the domain-specific requirements differ.

Area 1: Context and scope

Clause 4 — Context of the organization

  • Documented scope of the QMS — what is included, what is excluded, and why
  • Evidence of analysis of internal and external issues relevant to the organization's purpose (e.g., SWOT or PESTLE analysis, or equivalent)
  • Identification of interested parties and their relevant requirements
  • Process map or equivalent showing how core processes interact

Area 2: Leadership and commitment

Clause 5 — Leadership

  • Quality policy — documented, communicated, and understood by staff (auditors will ask employees what it means)
  • Quality objectives — specific, measurable, and linked to the quality policy
  • Organizational chart or equivalent showing roles and responsibilities
  • Evidence of top management involvement (management review records, signed policies)
  • Customer focus evidence — records showing customer requirements are identified and met

Area 3: Risk and opportunity management

Clause 6 — Planning

  • Risk register or equivalent — showing identified risks, assessed likelihood and impact, and defined controls
  • Opportunity register or evidence that opportunities are considered alongside risks
  • Evidence that risk actions have been implemented (not just planned)
  • Objectives and plans showing how risks and opportunities were considered in target-setting
  • Change management process — how planned changes are evaluated before implementation

Area 4: Document and record control

This is typically the area where auditors spend the most time. They look for consistency between what your procedures say and what your records show.

Clause 7.5 — Documented information

  • Document register — all controlled documents listed with current version and review date
  • Evidence that documents are reviewed and approved before issue
  • Evidence that obsolete documents are removed from use (or clearly marked)
  • Records retention schedule — how long records are kept and in what format
  • Externally originated documents (customer specs, standards) identified and controlled
  • Evidence that documents are accessible to those who need them

In practice, auditors will pick 3–5 documents and check: Is the current version in use? Does the practice on the floor match what the document says? Can the person doing the work find the document they need?

Area 5: Competence and training

Clause 7.2 — Competence

  • Competence requirements defined for roles that affect quality
  • Training records — showing what training was completed, by whom, and when
  • Evidence of training effectiveness evaluation (not just attendance records)
  • Records for temporary staff or contractors who perform quality-affecting work
  • Awareness records — evidence employees understand the quality policy and their role in it

Area 6: Operational control

Clauses 8.1–8.7 — Operations

  • Work instructions for processes with quality-critical steps
  • Inspection and test records — incoming material, in-process, final product
  • Nonconformity records — documented instances where output did not meet requirements
  • Customer property records (if applicable) — how customer-supplied materials are controlled
  • Calibration records for measurement equipment used in quality-affecting activities
  • Records of customer communication — orders, complaints, feedback

Area 7: Performance monitoring and management review

Clauses 9.1–9.3 — Performance evaluation

  • KPI data — at least 3–6 months of performance records against defined objectives
  • Customer satisfaction data — survey results, complaint trends, retention rates
  • Internal audit records — audit plan, audit reports, findings, and follow-up actions
  • Management review meeting records — agenda, attendees, inputs reviewed, outputs decided
  • Evidence that management review outputs resulted in action (not just discussion)

Area 8: Nonconformity and corrective action

Clause 10 — Improvement

  • Nonconformity and corrective action log — all NCs recorded with root cause and correction
  • Evidence of root cause analysis (not just symptomatic fixes)
  • Verification records — confirming corrective actions were effective
  • Customer complaint records and their resolution status
  • Evidence of continual improvement — actions taken based on data, not just reactive NCs

What auditors are actually looking for

Beyond the checklist, experienced auditors evaluate three things:

  • Consistency. Does the system describe what actually happens? Are the records consistent with the procedures?
  • Understanding. Do the people doing the work understand why they follow the procedures — not just what to do?
  • Evidence of improvement. Is there any indication that the system is getting better over time, based on what you measured?

A system that has all the right documents but shows no evidence of improvement activity will raise more questions than a less complete system with clear improvement records.

Two weeks before the audit

  • Run an internal audit against this checklist — assign findings and close them before the external audit
  • Confirm all document versions are current in your register
  • Review open corrective actions — close what can be closed; document status for the rest
  • Brief department leads on what auditors will ask in their area
  • Prepare a short tour agenda so auditors see operations in context, not just records rooms

Keep audit evidence always ready

ASOW Suite GRC structures document control, risk records, corrective actions, and management review outputs in a single integrated system — so your audit evidence is current as a matter of routine, not a pre-audit scramble.