Management system guidance
7.0 Support
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.
7.5 Documented information
The guidance shown on this page is relevant to ISO 9001, ISO 14001 and ISO 45001. It should be noted that there is no need to maintain a documented procedure but organizations may still chose to operate one. If you need a procedure and forms to help control your business's documents and records, click here.
Ensure that your organization’s management system includes the documented information that is required to be maintained and retained by ISO 9001, ISO 14001 and ISO 45001, and the documented information identified by the organization to demonstrate the effective operation of its management system processes as defined below.
7.5.1 Documented information - general
The terms ‘documented procedure’ and ‘record’ used in earlier versions of the starndards have been replaced by the term ‘documented information’, which is defined as the information required to be controlled and maintained by an organization, as well as the medium on which it is contained.
Operational procedures, work instructions, flow charts, process maps, signs, placards, container markings, labels etc. are all examples of ‘documented information’. Documented information can be in any format and media and from any source.
The organization needs to determine the level of documented information necessary to control its management system. ‘Access’ can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information. Your organization must have the following documents and records available (for re-certification over a period of three years):
Maintain and retain the following quality management system documentation:
- The scope of the quality management system (4.3);
- Information necessary to support the operation of QMS processes (4.4);
- The quality policy (5.2);
- The quality objectives (6.2);
- Evidence of fitness for purpose of monitoring and measuring resources (7.1.5.1);
- Evidence of the basis used for calibration of the monitoring and measurement resources (7.1.5.2);
- Evidence of competence of people doing work under the control of the organization that affects the performance and effectiveness of the QMS (7.2);
- Documented information required by the QMS (7.5.1b);
- Results of the review and requirements for the products and services (8.2.3);
- Records to demonstrate compliance with design and development requirements (8.3.2);
- Records of design and development inputs (8.3.3);
- Records of the activities of design and development controls (8.3.4);
- Records of design and development outputs (8.3.5);
- Design and development changes, including the results of the review and the authorization of the changes and necessary actions (8.3.6);
- Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and any actions arising (8.4.1);
- Evidence of the unique identification of outputs when traceability is a requirement (8.5.2);
- Records of property of the customer or external provider that is lost, damaged or non-conforming and of its communication to the owner (8.5.3);
- Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken (8.5.6);
- Records of authorized release of products for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) (8.6);
- Records of non-conformities, actions taken, concessions and the identity of the authority deciding the action in respect of the nonconformity (8.7);
- Results of the evaluation of the performance and the effectiveness of the QMS (9.1.1);
- Evidence of the implementation of the audit programme and the audit results (9.2.2);
- Evidence of the results of management reviews (9.3.3);
- Evidence of the nature of the nonconformities and any subsequent actions taken (10.2);
- Results of any corrective actions (10.2).
Maintain and retain the following OHS management system documentation:
- Description of the scope (4.3);
- OHS policy (5.2);
- Division of roles, responsibilities and authorities (5.3);
- Risks and opportunities (6.1.1);
- The processes and actions required to identify and address risks and opportunities in 6.1.2 - 6.1.4 (6.1.1);
- The methodologies for assessing the OHS risks and criteria to determine them (6.1.2.2);
- Legal and other requirements (6.1.3);
- OHS objectives and the plans to realize them (6.2.2);
- Evidence of competences (7.2);
- Evidence of communication activities (7.4.1);
- Processes for operational planning and control (8.1.1);
- Processes and plans for preparedness and response to emergency situations (8.2);
- Evidence of the results of monitoring, measurements, analyses and evaluations of the performance (9.1.1);
- Evidence of maintenance, calibration or verification of equipment measurements (9.1.1);
- Compliance assessment (9.1.2);
- Internal audit programme and results of internal audits (9.2.2);
- Results of the management review (9.3);
- The background of incidents and deviations, measures taken and the results of measures and corrective measures, and their effectiveness (10.2);
- Evidence of the results of the continuous improvement process (10.3).
Maintain and retain the following environmental management system documentation:
- The scope of the EMS is maintained as documented information and available to interested parties (4.3);
- The environmental policy is maintained as documented information (5.2);
- Maintain documented information relating to; (a) risks and opportunities that need to be addressed, and (b) processes needed in Section 6 to the extent necessary to have confidence they are carried out as planned (6.1.1);
- Maintain documented information relating to; (a) environmental aspects and associated environmental impacts, (b) criteria used to determine significant environmental aspects, and (3) significant environmental aspects (6.1.2);
- Maintain documented information concerning compliance obligations (6.1.3);
- Maintain documented information on the environmental objectives (6.2.1);
- Retain appropriate documented information as evidence of competence (7.2);
- Retain documented information as evidence of communication, as appropriate (7.4.1);
- The EMS must include: (a) documented information required by 14001:2015, and (b) documented information determined by the organization as being necessary for the effectiveness of the EMS (7.5.1);
- Maintain documented information to the extent necessary to have confidence that processes have been carried out as planned (8.1);
- Maintain documented information to the extent necessary to have confidence that processes are carried out as planned (8.2);
- Retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results (9.1.1);
- Retain documented information as evidence of the compliance evaluation result(s) (9.1.2);
- Retain documented information as evidence of the implementation of the audit programme and the audit results (9.2.2);
- Retain documented information as evidence of the results of management reviews (9.3);
- Retain documented information as evidence of: (a) the nature of the non-conformities and any subsequent action taken, and (b) the results of any corrective action (10.2).
Additional recommended documentation and records
- Results of the context and stakeholder analyses (see 4.1 and 4.2);
- Process application matrix (4.3);
- Description of the organization and responsibilities;
- Overview of documented information and records (including any descriptions of processes and procedures other than those more or less required on the basis of 6.1.1, 8.1 and 8.2).
7.5.2 Creating and updating
You should seek to confirm that when documented information is created or updated, your organization has ensured that it is appropriately identified and described (e.g. title, date, author, reference number). It must be in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic). Confirm that documented information is reviewed and approved for suitability and adequacy.
You should seek to confirm that when documented information is created or updated, your organization has ensured that it is appropriately identified and described (e.g. title, date, author, reference number). It must be in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic). Confirm that documented information is reviewed and approved for suitability and adequacy.
Documents that you use as a business should have clear document control. You will already be used to doing this. It also expects a clear format and for it to be approved. This is to prevent anyone just using documents that they see fit.
It seems slightly unnecessary when you are a SME as there may be a very small team or even one of you. For larger businesses this is really important so that documents are used properly and changes that have been incorporated for the good don’t get lost when someone else doesn’t understand them or removes them.
7.5.3 Control of documented information
A robust document control process invariably lies at the heart of any compliant management system; almost every aspect of auditing and compliance verification is determined through the scrutiny of documented information. With this in mind, it becomes apparent that the on-going maintenance of an efficient document management system must not be overlooked.
Your organization must control the documented information required by the QMS. A suitable process must be implemented to define the controls needed to; approve, review, update, identify changes, identify revision status and provide access. The documented information process should define the scope, purpose, method and responsibilities required to implement these parameters.
In order to comply with the documented information requirements, it is essential that all personnel understand what types of information that should be controlled and more importantly, how this control should be exercised.
To get the most out of your documented information process, it must communicated to ensure that staff and other users of the documentation information understand what they must do in order to manage that information effectively and efficiently. Demonstrate the organization's arrangements for controlling documented information required by ISO 9001 and your organizations own requirements, including:
- Availability e.g. document accessibility (hard copy, electronic media), readily available at the point of use;
- Suitability e.g. format, media suitable to the environment, ease of understanding, language, interpretation;
- Protection e.g. document authentication, document markings (official, secret, restricted, confidential, private, sensitive, classified, unclassified), access controls (individual, role specific),
- Physical security (master documents, server rooms, libraries) IT security (User ID, password, servers, download, back up, encryption, ‘read only’, ‘read/write’), protection from corruption and unintended alterations.
Demonstrate the organization's arrangements for document retention e.g. organization/legal/contractual retention periods, storage, preservation, back up, retention of knowledge, disposal, obsolescence e.g. withdrawal, replacement, legacy archive and suitable identification (‘for information only’, ‘not to be used after….’, ‘uncontrolled copy’, ‘for reference purposes only’, etc.
Ensure your organization protects electronic data, e.g. security policy, system access profiles, password rules, storage and back-up policy including protection from loss, unauthorized changes, unintended alteration, corruption, physical damage. Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
Departmental managers should always be responsible for promoting good documented information practices in their area whilst supporting overall compliance to the requirements. Individuals and their line managers should be responsible for the information that they create, as well as being responsible for their retention and disposal in line with legislative requirements and organizational needs.
More information on PDCA
Planning
Context
Planning
Support
Doing
Support
Operations
Checking
Monitoring, measurement, analysis and evaluation
Acting
Improvement
Want to know more?
- Read our customer's feedback
- Client list - who's using our templates?
- How the templates are formatted and download examples
- Why we use turtle diagrams and process maps
- What's the difference between a process and a procedure?
- About documented information
SSL certification
A certificate guarantees the information your internet browser is receiving now originates from the expected domain - https://www.iso9001help.co.uk. It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.
Free PDCA guidance
ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.