What are the mandatory documented requirements for ISO 9001, ISO 14001 and ISO 45001 certification in Australia?

For organisations seeking ISO 9001, ISO 14001 or ISO 45001 certification in Australia, the mandatory documented requirements are defined within each standard.

Certification bodies accredited by JAS-ANZ assess whether required documented information:

  • Has been established

  • Is controlled through a documented control process

  • Is current and approved

  • Is retained where required

  • Demonstrates conformity to the relevant ISO standard

  • Demonstrates compliance with applicable Australian legislation

Each standard requires two categories of documented information:

  1. Documented information to be maintained

  2. Documented information to be retained as evidence

“Maintained” means the information must be kept current and controlled.
“Retained” means records must be kept as objective evidence of conformity.

The following outlines the mandatory documented requirements under each standard.


ISO 9001:2015 – Mandatory Documented Requirements

ISO 9001:2015 specifies documented information required to demonstrate effective operation of a Quality Management System.

Documented Information to Be Maintained

1. Scope of the Quality Management System (Clause 4.3)

The organisation must maintain documented information defining:

  • The products and services covered by the QMS

  • The physical and organisational boundaries of the system

  • Any exclusions, with justification

The scope must reflect actual operations and certification boundaries.


2. Quality Policy (Clause 5.2)

A documented quality policy must:

  • Be appropriate to the organisation’s purpose

  • Include commitment to meeting customer and regulatory requirements

  • Include commitment to continual improvement

  • Be communicated and available


3. Quality Objectives (Clause 6.2)

The organisation must maintain documented quality objectives including:

  • Measurable targets

  • Assigned responsibilities

  • Required resources

  • Timeframes

  • Evaluation methods


4. Operational Planning and Control (Clause 8.1)

Documented information must be maintained to support operational processes where necessary to ensure:

  • Consistent delivery of products and services

  • Control of outsourced processes

  • Defined acceptance criteria

The extent of documentation depends on organisational complexity.


Documented Information to Be Retained as Evidence

5. Evidence of Competence (Clause 7.2)

Records must demonstrate that personnel are competent based on:

  • Education

  • Training

  • Skills

  • Experience


6. Monitoring and Measuring Resources (Clause 7.1.5)

Records must demonstrate:

  • Calibration or verification of equipment

  • Traceability to measurement standards where applicable


7. Review of Customer Requirements (Clause 8.2.3)

Records must demonstrate review and acceptance of customer requirements before commitment.


8. Design and Development Records (Clause 8.3 – if applicable)

Where design applies, records must include:

  • Design inputs

  • Design outputs

  • Design reviews

  • Verification

  • Validation

  • Design changes


9. Control of Externally Provided Processes (Clause 8.4)

Records must demonstrate:

  • Supplier evaluation

  • Selection criteria

  • Monitoring and re-evaluation


10. Identification and Traceability (Clause 8.5.2 – where required)

Where traceability is required, documented records must be retained.


11. Nonconforming Outputs (Clause 8.7)

Records must demonstrate:

  • Description of nonconformity

  • Actions taken

  • Concessions obtained


12. Monitoring and Measurement Results (Clause 9.1)

Records demonstrating conformity of products and services.


13. Internal Audit Programme and Results (Clause 9.2)

Documented:

  • Audit programme

  • Audit criteria

  • Audit scope

  • Audit findings


14. Management Review Outputs (Clause 9.3)

Records of:

  • Decisions

  • Actions

  • Resource allocation

  • Improvement opportunities


15. Nonconformity and Corrective Action (Clause 10.2)

Records must include:

  • Nature of nonconformity

  • Corrective action taken

  • Results of action

  • Evidence of effectiveness


ISO 14001:2015 – Mandatory Documented Requirements

ISO 14001 requires documented information demonstrating environmental management and legal compliance.

Documented Information to Be Maintained

1. Scope of the Environmental Management System (Clause 4.3)

Defined environmental boundaries of the EMS.


2. Environmental Policy (Clause 5.2)

Documented policy including commitments to:

  • Environmental protection

  • Compliance with obligations

  • Continual improvement


3. Environmental Aspects and Impact Evaluation (Clause 6.1.2)

Documented methodology and records identifying:

  • Environmental aspects

  • Associated impacts

  • Significance criteria


4. Compliance Obligations Register (Clause 6.1.3)

Documented register identifying:

  • Applicable federal environmental legislation

  • State or territory EPA regulations

  • Other binding environmental obligations


5. Environmental Objectives and Planning (Clause 6.2)

Documented environmental objectives and action plans.


6. Operational Controls (Clause 8.1)

Documented controls required to manage significant environmental aspects.


7. Emergency Preparedness and Response (Clause 8.2)

Documented emergency response procedures.


Documented Information to Be Retained

8. Monitoring and Measurement Results (Clause 9.1)

Environmental monitoring records.


9. Evaluation of Compliance (Clause 9.1.2)

Records demonstrating evaluation of compliance with legal obligations.


10. Internal Audit Programme and Results (Clause 9.2)

Documented audit planning and retained findings.


11. Management Review Outputs (Clause 9.3)

Records of management review decisions and actions.


12. Nonconformity and Corrective Action (Clause 10.2)

Records demonstrating:

  • Environmental nonconformities

  • Corrective actions

  • Effectiveness verification


ISO 45001:2018 – Mandatory Documented Requirements

ISO 45001 requires documented information demonstrating occupational health and safety risk control.

In Australia, this must align with Work Health and Safety legislation applicable in the relevant jurisdiction.

1. Scope of the OH&S Management System (Clause 4.3)

The organisation must document the scope of its OH&S management system.

This must clearly define:

  • Physical and organisational boundaries

  • Activities, products and services covered

  • Relevant internal and external issues

  • Any justified exclusions

The scope must reflect actual operations in Australia, including site locations and contracted activities where applicable.


2. OH&S Policy (Clause 5.2)

A formally documented OH&S policy is mandatory.

It must include commitments to:

  • Providing safe and healthy working conditions

  • Eliminating hazards

  • Reducing OH&S risks

  • Fulfilling legal and other requirements

  • Continual improvement of the OH&S management system

  • Worker consultation and participation

The policy must be approved by top management and communicated internally.


3. Hazard Identification and Risk Assessment Methodology (Clause 6.1.2)

ISO 45001 requires documented methodology for managing risks.

This must define:

  • How hazards are identified

  • How risks are assessed

  • Criteria for determining significance

  • How risk controls are selected and implemented

While the standard does not mandate a specific format, most organisations maintain a hazard register or risk register that is formally controlled.


4. Legal and Other Requirements Register (Clause 6.1.3)

The organisation must document how it identifies and accesses applicable legal requirements.

This register must identify:

  • Relevant WHS legislation (state or federal)

  • Applicable codes of practice

  • Industry-specific regulatory obligations

  • Any contractual safety obligations

For Australian certification, auditors will expect clear linkage between identified legal requirements and operational controls.


5. OH&S Objectives and Planning (Clause 6.2)

Documented OH&S objectives must be established and maintained.

The documentation must include:

  • The objective itself

  • Measurable targets (where practicable)

  • Assigned responsibility

  • Timeframes

  • Evaluation method

Objectives must be consistent with the OH&S policy.


6. Operational Controls (Clause 8.1)

The organisation must document operational controls necessary to manage OH&S risks.

This may include:

  • Safe Work Method Statements (SWMS)

  • High-risk activity procedures

  • Contractor control processes

  • Maintenance controls

  • Procurement safety controls

The level of documentation must reflect the level of risk.


7. Emergency Preparedness and Response (Clause 8.2)

Documented emergency procedures are mandatory.

These must address:

  • Potential emergency scenarios

  • Roles and responsibilities

  • Communication protocols

  • Emergency response actions

  • Testing and review of emergency arrangements

In Australia, this typically includes fire response, medical emergencies, chemical spills, and site evacuation procedures.


Documented Information to Be Retained

Retained documented information provides objective evidence that the OH&S system is functioning.

8. Monitoring and Measurement Results (Clause 9.1)

The organisation must retain records demonstrating:

  • Safety performance monitoring

  • Inspection results

  • Incident frequency data

  • Health surveillance results (where applicable)

Monitoring must align with identified risks and objectives.


9. Evaluation of Compliance (Clause 9.1.2)

The organisation must retain records demonstrating periodic evaluation of legal compliance.

This includes evidence that:

  • WHS legal requirements are reviewed

  • Compliance is assessed

  • Gaps are identified

  • Corrective action is taken if needed

Auditors in Australia pay close attention to this area.


10. Incident Investigation Records (Clause 10.2)

The organisation must retain records relating to incidents and nonconformities.

These must include:

  • Description of the incident

  • Immediate actions taken

  • Root cause analysis

  • Corrective actions implemented

  • Verification of effectiveness

These records demonstrate system responsiveness and continual improvement.


11. Internal Audit Programme and Results (Clause 9.2)

The organisation must maintain a documented audit programme and retain:

  • Audit scope

  • Audit criteria

  • Audit reports

  • Identified nonconformities

  • Follow-up actions

The audit programme must consider the importance of processes and results of previous audits.


12. Management Review Outputs (Clause 9.3)

Records must be retained demonstrating that top management reviews the OH&S system.

These records must include decisions relating to:

  • Improvement opportunities

  • Resource needs

  • Changes to policy or objectives

  • Risk management effectiveness

Management review is a mandatory certification requirement.


Australian Certification Requirements

For ISO certification in Australia:

  • Certification bodies must be accredited by JAS-ANZ

  • Documented information must be controlled

  • Records must be retained for defined periods

  • Legal registers must reference applicable Australian federal and state legislation

  • Auditors verify both documentation and implementation

The mandatory documented requirements are those defined in ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.

No additional Australian-specific documentation is mandated beyond demonstrating compliance with applicable Australian laws.
