David Barker Consulting (2024)

ISO 9001:2015 states that documented information required by the management system must be controlled to ensure:

  1. Availability and suitability for use, where and when it is needed,
  2. Adequate protection, e.g. from loss of confidentiality, improper use, or loss of integrity.

The organisation is also required to address the following activities as applicable, for the control of documented information:

  1. Its distribution, access, retrieval, and use,

(Note that access can imply a decision regarding the permission to only view the documented information or give authority to view and change the documented information.)

  2. Its storage and preservation, including maintaining legibility,
  3. Control of its changes,
  4. Its retention and disposition.

In addition, documented information from external sources, required by the organisation for the planning and operation of its management system, must be appropriately identified and controlled.

Also, documented information retained as evidence of conformity (i.e. records) must be protected from unintended changes.

Comment:

Availability, suitability, and distribution were briefly touched on in article 7.5.2 - Creating and updating, under relevant format, i.e. readily accessible at point of use, such as shop floor work instructions. Adequate protection and access can be achieved using system passwords or permissions for electronic media.

Preservation may be addressed through appropriate physical storage arrangements for hard copy documents, but increasingly includes periodic backup arrangements for electronic files and media, possibly using cloud-based storage. (If this is an outsourced activity, how do you ensure it is working effectively?)

Change control can be problematic with hard copy documented information, requiring records of points of issue, receipt and recovery of obsolete documents. The move to electronic documentation and suitable system-based access controls can make this a much more manageable task.

Retention periods for documented information (records) will depend on the document and the organisation's or interested parties' requirements, i.e. customer or legislative requirements for verification and test data, corporate guidelines etc.

Disposition will again depend on the nature of the documented information. Increases in electronic storage capacity increasingly make archiving a cost-effective option, but consideration should be given to corporate confidentiality and legal requirements when considering appropriate disposition. Shredding is often a method employed to deal with hard copies of sensitive information, and specialist companies can ensure hard drives are properly wiped, as opposed to file addresses only being erased. (Note: Due to the criticality of document and data management in any organisation, ensure that the requirements of the clause 8.4 series are complied with when using external services.)

Documented information from external sources could include international standards, customer specifications or drawings, equipment manuals etc. Similar controls to those for internally generated documents must be applied. Note that such documented information can also form part of a business's Organisational Knowledge, as discussed in article 7.1.6.

Audit Check:

During the course of an audit, examples of documented information may be easily collected for later confirmation of control, i.e. correct issue and authorisation.

Auditors may also query and investigate further any uncontrolled documents which appear to be necessary for production and service provision, i.e. unidentified forms used to record test or inspection data, posted aide-memoires, photographs or sketches highlighting specific customer requirements, "little black books" containing critical process equipment settings or computer operating instructions, photocopied extracts of drawings and specifications etc. If found to be systematic, i.e. multiple instances, such documents can lead to a nonconformity being raised. (More importantly of course, if they are required to effectively operate the business, they need to be under effective control!)

Article information

Author: Jeremiah Abshire
