Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO9001 Document Control: A Quick Guide

One of the first things that many people mention when discussing ISO9001 is documents – as in “you’re going to need a lot of documents”. Whilst this may be true in many cases, it’s by no means the main purpose of creating a quality management system, or QMS. However, it is somewhat inevitable that your QMS will contain documents and that they will need to be controlled. In this article we’re going to look at the what, why and how of achieving this fundamental building block of ISO9001.

ISO9001 documents on a purple background

What is ISO9001 documented information?

Previous versions of the ISO9001 standard used to talk about “documents and records” but in recent years this has been replaced with the more general term of “documented information”. This is defined in ISO9000 (the fundamentals and vocabulary companion to ISO9001) as:

“information required to be controlled and maintained by an organization and the medium on which it is contained.” (term 3.8.6)

So it’s important to be clear from the start that we’re not necessarily talking about paper here. Many a QMS does include paper documents and records, and that’s fine where appropriate, but there’s no requirement in ISO9001 to use paper. What we’re really interested in is the information, and that could be held in a wide variety of different forms, including Microsoft Word documents, spreadsheets, presentations, smartphone apps, cloud applications, microfiche and paper forms.

Which documented information do we need to have for ISO9001?

The 2015 version of the ISO9001 standard is less prescriptive than the previous one, so the list of documented information that you must be able to demonstrate has grown shorter. However, there are still many points in the standard that insist on having something to show an auditor, and these include:

  • The scope of the QMS
  • How the processes of the QMS operate and how you can tell that they are working
  • The quality policy
  • Your quality objectives
  • Monitoring and measurement tool calibration and verification
  • Evidence of competence of people involved in the QMS
  • Customer requirements, and changes to them
  • Design and development inputs, outputs and changes
  • Production information about what is to be produced and how it is released
  • Traceability information where applicable
  • Damage to customer property
  • Management reviews and internal audits reports, including around nonconformities found

So the standard tells you the kind of information that needs to be documented, without laying down any strict rules about document structure, titles or medium.

What are the requirements around the control of documented information?

Having clarified what information needs to be documented for the effective operation of your QMS, the ISO9001 standard sets out the areas that must be considered to ensure that information is available appropriately, commonly referred to as ISO9001 document control.

This means you need to think about questions such as:

  • How do we identify and label it when it is initially created?
  • What format and medium should it be held on?
  • Who will check that the information is correct (and how often)?
  • How do we make it available to the right people at the right time?
  • How will people know that they are using the latest version of the information?
  • How do we protect the information so that it is not lost, damaged or stolen?
  • How will we handle changes to the information?

The answers to the above questions are going to depend on relevant factors such as the industry you’re in, the size and culture of the organization, the competence of the people involved, the technology available, the criticality of the processes and even unpredictable factors such as the weather.

For example, the approach taken for a pharmaceutical company making life-saving drugs to very tight tolerances will differ from that of a company making bespoke garden chairs. Both require an emphasis on quality, but the consequences of using inaccurate or out of date information during the manufacturing process will differ in seriousness.

How do organizations control their documented information?

Unsurprisingly, the majority of documented information for ISO9001 purposes is nowadays held electronically. As previously stated, this will be in a mixture of formats, including office applications and online systems. A process approach for ISO9001 document control is often used that addresses the full lifecycle of a particular type of documented information. For more traditional “documents” this will include defining who can create them, who must approve them, how version numbering will work, where they should be stored and how people will access the latest version. This is best achieved using a workflow or document management system such as Microsoft SharePoint, Confluence or Huddle. Such tools can often inform users when a new version of a document has been approved and can usually help with automated version numbering too.

For some environments good old fashioned paper works well and provides a level of simplicity and visibility that some electronic tools can lack. This may be especially true in an environment where computer usage is difficult, for example where heavy gloves need to be worn or online access is patchy.

Final thoughts

ISO9001 document control needs to be fully thought through and adapted according to the specific need. The standard allows for a wide degree of variability in how the basic principles are applied, but remember it’s really about the information rather than the medium on which it is held.

 

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 


More ISO9001 Resources

CertiKit is a provider of the ISO9001 toolkit, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO9001:2015 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free ISO9001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

Great library of documents that helped tremendously in the development of our respective systems. The organization and hierarchy of the documents were easy to follow.

GC&E Systems Group, Inc.
USA

View all Testimonials