How to Develop Procedures as Per ISO Requirements

This article explains how to develop procedures that work in daily operations and meet ISO expectations. It is written for managers, project leads, safety officers, and business owners. Examples use ISO 9001 terminology because it is widely applied, but the structure also fits ISO 14001, ISO 45001, ISO 39001, and others.

What Is a Procedure in General?

A procedure is a controlled set of steps that explains what to do, in what order, and who is responsible. It translates a process into consistent actions so that results remain repeatable even when staff change. In ISO terms, a procedure forms part of the organisation’s “documented information” used to control how work is performed. Well-written procedures bring structure and clarity to operations, enabling the same outcome to be achieved regardless of who carries out the task.

Procedures are important because they ensure consistency, help organisations comply with regulatory or customer requirements, and provide a clear learning path for new staff. They also build risk control directly into daily work, which reduces errors and improves customer confidence.

A good procedure is written for the people who will actually perform the work. It clearly identifies the roles involved, defines the inputs and outputs of the process, specifies the evidence that proves completion, and is reviewed periodically or when the process or risks change.

It is helpful to understand how a procedure differs from other documents. A policy describes the organisation’s intentions or rules, such as “We calibrate measuring devices at planned intervals.” A procedure explains how to achieve that intention, for example, “How to plan, perform, and record calibration.” A work instruction goes further into technical detail for one specific task or tool, such as “How to calibrate Vernier Caliper Model VC200.” Forms and records then provide proof that the steps were carried out, such as a “Calibration Record CR-05.”

In practice, procedures are everywhere. Most of the time, the organisation is already following them; they just lack written documentation. Consider the examples below.

The procedure for handling customer orders sets out how to receive an enquiry and log it in the appropriate system, confirm the feasibility of meeting the customer’s requirements, prepare and issue a formal quotation, obtain written or digital confirmation of the order, plan and execute the delivery or service in line with agreed timelines, and finally close the order while ensuring that all related records are archived for traceability and future reference.

The equipment maintenance procedure explains how to prepare a planned maintenance schedule, identify and prepare the tools, parts, and safety equipment required, carry out the maintenance work according to relevant instructions, verify the functionality and safety of the equipment after servicing, and accurately record all work performed to support compliance and trend analysis.

The complaint handling procedure explains how to log a customer complaint into the designated system, acknowledge its receipt to the customer along with expected response times, conduct an investigation to establish facts and contributing factors, decide on an appropriate resolution such as replacement, refund, or corrective action, communicate the outcome to the customer, and close the case while performing root cause analysis to identify opportunities for systemic improvement.

Not every task needs a written procedure. Generally, you need one when the task is high risk, customer-facing, regulatory-sensitive, or involves multiple departments. A written procedure is also essential when the task is carried out frequently or by different people, and inconsistency could harm quality, safety, the environment, or reputation.

Where none of these apply, a simple checklist or work instruction may be enough. Regardless of scope, the essence of a good procedure is the same: it is a practical tool that makes work clearer, safer, and more consistent.

What Is an ISO Procedure?

An ISO procedure is a formally controlled document that explains how a process is carried out to meet the requirements of an ISO management system standard. It goes beyond a basic “how-to” guide by including details such as process inputs and outputs, roles and responsibilities, required competence, and the specific records needed as proof of completion.

Each procedure must be approved, given a unique identifier and revision number, stored so only the latest version is used, and regularly reviewed for accuracy and relevance.

Unlike informal procedures, ISO procedures incorporate risk-based thinking and the process approach, ensuring potential risks are identified and controlled, and that processes link logically with other parts of the management system.

They also include change control, with any updates recorded in a revision history and communicated to relevant staff. In short, ISO procedures are structured, auditable documents that show an organisation’s processes are well-managed, compliant, and capable of consistent, repeatable results.

How Does an ISO Procedure Generally Look?

ISO standards do not prescribe an exact format for procedures, but a clear and consistent structure has become widely accepted by organisations and certification bodies around the world. This format is designed to make the procedure easy for staff to follow while also containing the control elements auditors expect to see.

It begins with a header that captures the key document control details: the procedure title, a unique document identifier, the revision number, the effective date, the document owner, and the name or position of the approver. These elements provide traceability, demonstrate authority, and confirm that the version in use is current.

The main body of the procedure typically starts with a Purpose section, explaining why the document exists, followed by a Scope that defines the boundaries of where and when it applies. The References section lists related ISO clauses, legislation, or internal documents, while Definitions clarify any technical terms or abbreviations used.

The Roles and Responsibilities section assigns specific duties, often using a Responsible–Accountable–Consulted–Informed (RACI) format. Inputs and Outputs define what starts the process and what deliverables result from it. The Procedure Steps section then sets out the sequence of actions in logical order, with acceptance criteria and linked records for each step to ensure consistency and accountability.

Additional sections strengthen compliance and audit readiness. Records and Retention specifies exactly what evidence is kept, who owns it, how long it is stored, and where. Performance and Monitoring outlines key performance indicators (KPIs) or checks that measure the effectiveness of the process. Risks and Opportunities identifies potential issues the procedure is designed to control, as well as areas where improvement is possible.

The Change and Training section explains how the document is updated, approved, and communicated to relevant staff, often linking to training requirements. Many organisations also add a footer stating “Controlled Copy – Uncontrolled When Printed” to make sure outdated paper versions are not mistakenly used.


Skeleton of a Globally Accepted ISO Procedure

Procedure Title: [e.g., Control of Nonconforming Outputs]
Document ID: QP-07 | Rev: 1.2 | Effective Date: YYYY-MM-DD
Owner: [Role/Position] | Approved by: [Role/Position]

  1. Purpose
    Explain why this procedure exists in one or two sentences.
    Example: “To ensure training courses are designed, developed, and delivered in a consistent manner that meets learner requirements and complies with ISO 9001.”
  2. Scope
    Define where and when the procedure applies.
    Example: “This procedure applies to all public, in-house, and online courses delivered by the organisation across all locations.”
  3. References
    List ISO clauses, laws, regulations, or related internal documents.
    Example: “ISO 9001:2015 clauses 8.3 and 8.5; Training Policy TP-01; Course Outline Template FR-05.”
  4. Definitions
    Provide explanations for terms or abbreviations used.
    Example: “‘Learner’ means a registered participant in a training program. ‘LMS’ refers to the Learning Management System used to manage enrolments and course materials.”
  5. Roles and Responsibilities (RACI)
    State who is Responsible, Accountable, Consulted, and Informed.
    Example: “Trainer (R) prepares and delivers course content; Training Manager (A) approves course design; Sales (C) confirms client requirements; Quality Department (I) monitors delivery KPIs.”
  6. Inputs and Outputs
    Inputs: [Triggers, forms, data]
    Outputs: [Deliverables, records, approvals]
    Example: “Inputs: confirmed training request, approved course outline, trainer assignment. Outputs: completed training session, attendance records, learner feedback, and issued certificates.”
  7. Procedure Steps
    7.1 [Step title]: [Action description]. Criteria: [Acceptance standard]. Record: [Form/system ID].
    7.2 …
    Include risk controls where relevant.
    Example:
    1. Design Course: The Training Manager reviews client requirements and updates the course outline. Criteria: Outline approved before delivery. Record: Course Outline FR-05.
    2. Develop Materials: Trainer prepares slides, exercises, and assessments. Criteria: Materials reviewed for accuracy and branding. Record: Training Pack FR-06.
    3. Schedule Course: Coordinator confirms date, venue, or online platform. Criteria: Schedule published two weeks in advance. Record: Training Calendar.
    4. Deliver Course: Trainer conducts session following the approved outline. Criteria: All modules covered; attendance ≥ 75%. Record: Attendance List FR-07.
    5. Collect Feedback: Participants complete evaluation forms at session close. Criteria: At least 80% response rate. Record: Feedback Forms FR-08.
    6. Close and Report: Training Manager reviews feedback and submits delivery report. Criteria: Report completed within five working days. Record: Delivery Report FR-09.

  8. Records and Retention
    List each record, owner, retention period, and storage location.
    Example: “Attendance List FR-07 (Owner: Training Coordinator) retain 5 years; Feedback Forms FR-08 (Owner: Quality Department) retain 3 years; Delivery Report FR-09 (Owner: Training Manager) retain 5 years.”
  9. Performance and Monitoring
    Describe KPIs, checks, or audits used to verify effectiveness.
    Example: “KPIs include learner satisfaction ≥ 4.0/5, on-time course delivery ≥ 95%, and certificate error rate ≤ 0.5%.”
  10. Risks and Opportunities
    Summarise key risks controlled by this procedure and improvement possibilities.
    Example: “Risks: incomplete delivery due to trainer absence, technical issues in online platforms. Controls: backup trainer list and platform test. Opportunity: automate course evaluation analysis through LMS.”
  11. Change and Training
    Explain how changes are requested, approved, communicated, and how staff are trained.
    Example: “Any change is raised through Document Change Request DCR-05. After approval, Quality issues an updated revision. Trainers and coordinators are briefed within five working days, with attendance recorded in the LMS.”

Footer: “Controlled Copy – Uncontrolled When Printed”


This skeleton can be applied across any industry and adapted to suit the scale and complexity of the organisation’s operations. It balances operational clarity with the control requirements of ISO management system standards.

Example of a Full Procedures List for ISO 9001

The full list of procedures needed to meet ISO 9001 requirements may vary according to the nature of the business operation. For example, a training service provider may require procedures that address both the delivery of training and the supporting activities that ensure quality and compliance.

ISO 9001:2015 does not prescribe an exact list of required procedures, but certification bodies expect to see a set of controlled documents that cover all critical processes in the organisation. These procedures ensure that course delivery is consistent, learner requirements are met, and the overall quality management system functions effectively.

The following list reflects a practical, auditable framework for training operations. It is grouped by key ISO 9001 process areas while remaining specific to the training industry.


1. Context, Risk, and Quality Objectives Management
Covers identification of internal and external issues, stakeholder needs, risks and opportunities, establishment of the quality policy, and setting measurable objectives.

2. Control of Documented Information
Details how all training materials, operational documents, and records are created, approved, distributed, revised, and retained.

3. Trainer Competence and Resource Management
Combines verification of trainer qualifications, ongoing competency development, and management of venues, equipment, and online platforms to maintain a suitable learning environment.

4. Supplier and External Provider Control
Defines how external trainers, venue providers, and other suppliers are selected, evaluated, and monitored for performance.

5. Enquiry Handling, Registration, and Contract Review
Outlines the process from initial client enquiry to confirming course requirements, verifying prerequisites, and finalising registration and payment.

6. Course Design, Development, and Delivery
Combines creation or updating of training programs with the preparation, facilitation, and execution of training sessions, including attendance management.

7. Assessment, Examination Integrity, and Certification
Covers the secure administration of assessments, marking and recording results, and issuing of certificates in line with agreed criteria.

8. Control of Nonconforming Services
Explains how to handle errors such as incorrect certificates, incomplete course content, or cancellations, including corrective actions.

9. Customer Feedback, Complaints, and Improvement
Details how feedback is collected, analysed, and used for improvement, and how formal complaints are managed and resolved.

10. Internal Audit and Management Review
Combines planning and execution of internal audits with the management review process to evaluate system performance and decide on improvement actions.



Conclusion – Create Workable and Less Bureaucratic Procedures

Creating ISO-compliant procedures does not have to be a complicated or bureaucratic exercise. The essence of an effective procedure lies in its clarity, consistency, and ability to demonstrate control over the processes that matter most to the organisation.

By adopting a globally accepted template and tailoring it to actual operations, businesses can ensure that their procedures are not only audit-ready but also genuinely useful tools for staff.

Ultimately, ISO procedures are not just paperwork; they are a foundation for building trust with customers, regulators, and stakeholders. When well designed, they help organisations improve efficiency, enhance customer satisfaction, and maintain a culture of continual improvement.

By keeping the documentation lean, risk-aware, and regularly reviewed, any organisation can transform procedures from a compliance requirement into a practical advantage.