What documents are required for ISO 9001?

Many organizations think that the ISO 9001 Quality Management System requires you to document everything you do. How true is this?

If you’ve not yet developed your Quality Management System, or you’ve thought about implementing one and been put off by the idea that you basically need to put everything in writing and keep it in neatly organized files, you may want to think again. The idea that you need folders full of documented procedures that record everything you do is rather dated. In fact, it was never really true at all.

Certainly, since the introduction of the 2015 version of the ISO 9001 standard (which every organization must have transitioned to by 15th September 2018), the requirement has changed and is less onerous.

Indeed, one of the stated objectives when introducing ISO 9001:2015 was “for the amount and detail of documentation required to be more relevant…”

What is the Purpose of Documented Information?

There are four key reasons for maintaining documented information:

• Communication of information
• Evidence of conformity
• Knowledge sharing
• To disseminate and share the organization’s experiences (for example, technical specifications that can be used as the basis for design and development for new products)

Two Types of Documented Information

There are generally two types of documented information:

• Documented information that is to be MAINTAINED and
• Documented information that is to be RETANED.

When documented information is to be MAINTAINED, it refers to how an activity or process must be performed (previously known as a ‘documented procedure’). This is information that can be changed and updated continuously. It’s information that supports the company’s processes, quality policy and quality objectives.

This includes the Quality Management System itself, which of course requires documenting. However, ISO 9001:2015 gives you flexibility in the way you choose to document your system, both in terms of the amount of documented information needed to demonstrate effective planning, operation and control of processes and to provide evidence of continual improvement. 

When documented information is to be RETAINED, it relates to what is called a ‘registration’. This is something that must be kept as proof of the outcome of an activity or process. (previously known as ‘RECORDS’). It is something that is factual and cannot be changed.

Control of Documented Information

Firstly, it should be pointed out that long gone are the days when you had shelves buckling under the weight of folders full of printed documents, often to be found under half an inch of dust! It’s not practical, and in many cases not secure.

So naturally, much of your documented information will be not just be in print (including photographs) but also stored digitally and in all manner of formats such as spreadsheets, specifications, procedures, drawings, process diagrams, videos, images reports and templates.

Naturally, you will need some system for controlling your documented information, and ISO 9001: 2015 requires that you have something in place to enable this.

Keeping control of your documentation puts you in control of your processes, and it’s this strong governance that drives compliance.

The matter of document control is a specialism in its own right, and the way you approach it depends on a number of factors, most notably the size of your organization and the type and complexity of your processes.

Required Documented Information

Listed below are the mandatory documents as required by ISO 9001:2015:

• Documented information to be maintained:
• Scope of the QMS (clause 4.3)
• Quality policy (clause 5.2)
• Quality objectives (clause 6.2)
• Criteria for evaluation and selection of suppliers (clause 8.4.1)
• Documented information to be retained:
• Monitoring and measuring equipment calibration records (clause 7.1.5.1)
• Records of training, skills, experience and qualifications (clause 7.2)
• Product/service requirements review records (clause 8.2.3.2)
• Record about design and development outputs review (clause 8.3.2)
• Records about design and development inputs (clause 8.3.3)
• Records of design and development controls (clause 8.3.4)
• Records of design and development outputs (clause 8.3.5)
• Design and development changes records (clause 8.3.6)
• Characteristics of product to be produced and service to be provided (clause 8.5.1)
• Records about customer property (clause 8.5.3)
• Production/service provision change control records (clause 8.5.6)
• Record of conformity of product/service with acceptance criteria (clause 8.6)
• Record of nonconforming outputs (clause 8.7.2)
• Monitoring and measurement results (clause 9.1.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)
• Examples of Non-mandatory documented information to be maintained:
• Procedure for determining context of the organisation and interested parties (clauses 4.1 and 4.2)
• Procedure for addressing risks and opportunities (clause 6.1)
• Procedure for competence, training and awareness (clauses 7.1.2, 7.2 and 7.3)
• Procedure for equipment maintenance and measuring equipment (clause 7.1.5)
• Procedure for document and record control (clause 7.5)
• Procedure for Sales (clause 8.2)
• Procedure for design and development (clause 8.3)
• Procedure for production and service provision (clause 8.5)
• Procedure for management of nonconformities and corrective actions (clauses 8.7 and 10.2)
• Procedure for monitoring customer satisfaction (clause 9.1.2)
• Procedure for internal audit (clause 9.2)
• Procedure for management review (clause 9.3)