7.0 Support

ISO Navigator Pro

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret the fundamentals of ISO 9000:2015 to help understand, and better implement, the requirements of ISO 9001:2015, ISO 14001:2015 and OHSAS 18001:2007. The ISO Navigator Pro™ database divides the requirements into four sequential stages; Plan, Do, Check and Act.

If you're looking for integrated ISO 9001:2015 and ISO 14001:2015 EQMS documentation, please click here.

7.5 Documented Information

7.5.1 General

It should be noted that there is no need to maintain a documented procedure but your organization may still chose to operate one. You should ensure that you organization’s QMS includes documented information required to be maintained and retained by ISO 9001:2015, and the documented information identified by your organization to demonstrate the effective operation of its QMS as defined below.

The terms ‘documented procedure’ and ‘record’ used ISO 9001:2015 have both been replaced by the term ‘documented information’, which is defined as information required to be controlled and maintained by an organization, as well as the medium on which it is contained. Operational procedures, work instructions, flow charts, process maps, signs, placards, container markings, labels etc. are all examples of ‘documented information’. Documented information can be in any format and media and from any source.

The organization needs to determine the level of documented information necessary to control its QMS. ‘Access’ can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

7.5.2 Creating & Updating

You should seek to confirm that when documented information is created or updated, your organization has ensured that it is appropriately identified and described (e.g. title, date, author, reference number). It must be in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic). Confirm that documented information is reviewed and approved for suitability and adequacy.

You should seek to confirm that when documented information is created or updated, your organization has ensured that it is appropriately identified and described (e.g. title, date, author, reference number). It must be in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic). Confirm that documented information is reviewed and approved for suitability and adequacy.

Documents that you use as a business should have clear document control. You will already be used to doing this. It also expects a clear format and for it to be approved. This is to prevent anyone just using documents that they see fit. It seems slightly unnecessary when you are a SME as there may be a very small team or even 1 of you. For larger businesses this is really important so that documents are used properly and changes that have been incorporated for the good don’t get lost when someone else doesn’t understand them or removes them.

7.5.3 Control of Documented Information

A robust document control process invariably lies at the heart of any compliant management system; almost every aspect of auditing and compliance verification is determined through the scrutiny of documented information. With this in mind, it becomes apparent that the on-going maintenance of an efficient document management system must not be overlooked.

Your organization must control the documented information required by the QMS. A suitable process must be implemented to define the controls needed to; approve, review, update, identify changes, identify revision status and provide access. The documented information process should define the scope, purpose, method and responsibilities required to implement these parameters.

In order to comply with the documented information requirements, it is essential that all personnel understand what types of information that should be controlled and more importantly, how this control should be exercised. To get the most out of your documented information process, it must communicated to ensure that staff and other users of the documentation information understand what they must do in order to manage that information effectively and efficiently. Demonstrate the organization's arrangements for controlling documented information required by ISO 9001 and your organizations own requirements, including:

  1. Availability e.g. document accessibility (hard copy, electronic media), readily available at the point of use;
  2. Suitability e.g. format, media suitable to the environment, ease of understanding, language, interpretation;
  3. Protection e.g. document authentication, document markings (official, secret, restricted, confidential, private, sensitive, classified, unclassified), access controls (individual, role specific),
  4. Physical security (master documents, server rooms, libraries) IT security (User ID, password, servers, download, back up, encryption, ‘read only’, ‘read/write’), protection from corruption and unintended alterations.

Demonstrate the organization's arrangements for document retention e.g. organization/legal/contractual retention periods, storage, preservation, back up, retention of knowledge, disposal, obsolescence e.g. withdrawal, replacement, legacy archive and suitable identification (‘for information only’, ‘not to be used after….’, ‘uncontrolled copy’, ‘for reference purposes only’, etc.

Describe how the organization protect electronic data, e.g. security policy, system access profiles, password rules, storage and back-up policy including protection from loss, unauthorized changes, unintended alteration, corruption, physical damage Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

Departmental managers should always be responsible for promoting good documented information practices in their area whilst supporting overall compliance to the requirements. Individuals and their line managers should be responsible for the information that they create, as well as being responsible for their retention and disposal in line with legislative requirements and organizational needs.

Look for evidence that your organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organization’s management system. You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s management system are planned.

Free internal audit checklists

Check out our free internal audit checklists. The audit checklist is just one of the many tools which are available from the auditor’s toolbox that help ensure your audits address the necessary requirements.

Client list

Over 8,000 companies and globally recognized brands have relied on our templates to provide a path to improve, collaborate, and to enhance their operations to achieve certification, please see our client list for more information.