Management system guidance

Documented information

What does 'documented information' mean?

ISO Navigator Pro

The terms ‘documented procedure’ and ‘record’ have both been replaced by the term ‘documented information’, and is defined as information required to be controlled and maintained by your organization, as well as the medium on which it is contained.

Documented information demonstrates compliance and can be in any format and media and from any source, e.g.; paper, magnetic, electronic or optical computer disc, photograph, master sample, I.T. network, or portable media.

Documented information can range from descriptions of your internal processes, such as process maps or procedures, to technical data, such as drawings, engineering reports, or design models created from customer requirements for a specific project.

Regardless of the type or purpose of the documented information, it is imperative to ensure that the appropriate controls are maintained so that the necessary document reviews and approvals are obtained before release of documented information; this should include defined review periods and methods, access permissions, and approval authority.

  1. Top management are responsible for assigning authors for documents;
  2. Document Authors are responsible for writing the document, creating related forms, requesting a document number and submitting the document to the Department Manager for review;
  3. Document Authors are responsible for using ‘controlled’ language (e.g., using short, clear sentences, and avoiding jargon) in order to encourage shared understanding and good data quality;
  4. Document Authors are responsible for ensuring the correct document identification is used e.g., subject title, document identification, date, author, reviewer, approver, reference number, version number, change history are included;
  5. Document Controllers are responsible for assigning document numbers and maintaining the master document list;
  6. Senior Managers are responsible for approving documents for their area of responsibility, ensuring that the contents are accurate and can be understood by end users and recipients. A rewrite should be not required for minor syntax, grammar or sentence structure errors that do not affect the factual or technical content of the document;
  7. Document Authors should ensure that when all comments are received and, after investigation as to appropriateness, comments are incorporated and the document resubmitted for approval;
  8. All employees are responsible for reviewing the documents as they use them and submitting Request for Changes;
  9. Document Authors should ensure that each revision control is maintained, each revision will require management approval/signature before issue;
  10. The Quality Manager is responsible for ensuring that all internally generated documents comply with the quality management system requirements.

All internal quality management system documentation and technical documentation should follow the ‘Prepare’, ‘Check’, and ‘Approve’ process, evidenced by the signatures of competent individuals shown on document control sign-off pages. All relevant documents should be signed off in three categories:

  1. Prepared – by a competent Author should produce the document, checking their own work to ensure it complies with any codes, requirements or standards governing that work.
  2. Checked – by a competent Reviewer should undertake a formal detailed check/review of the standards used, deliverables, calculations, drawings and specifications. This role is undertaken by a competent person of the same discipline, not the Author, but can be a member of the same team.
  3. Approved – by a competent, Senior Manager, of the same discipline but not a member of the same team should undertake a review of the document after detail checking has taken place to ensure the document is consistent with requirements.

Many documents cross functional lines and can be accessed from more than one function. It is, therefore, vital that documented procedures, work instructions, templates, and forms are established in close consultation with the staff who perform the associated work.

Therefore, all policies, plans, procedures, process maps, forms and templates that are applicable to the quality management system, that are generated internally, should be coordinated through process owners and process users for input before approval.

Storing and preserving documented information

Paper-based record retention systems should be stored in a suitable environment to minimise deterioration or damage and to prevent loss. The space provided in the document’s headers and footers are ideal as a means of document identification. Records should be printed on a robust material which can withstand normal handling and filing and long-term storage.

All users should be given specific rights and permissions to access the hard copies or electronic media that apply to their work. This will prevent unauthorized access to documents outside of the users’ area of responsibility and ensures that all relevant documented information is available at the point of use, whilst ensuring that obsolete documents cannot be used unintentionally.

Ideally, computer-based archival systems should have at least one backup system which is updated every 24 hours. Computer based systems must include appropriate safeguards against the possibility of access by unauthorised personnel to prevent tampering with your data.

All computer hardware used for data backup must be situated in a different location from that containing the original working data and in an environment that ensures they remain in good condition.

Auditing documented information

From an internal audit perspective, key aspects of your quality management system are its processes, procedures, checklists and forms. Audits often involve a systematic inspection and comparison of actual operating methods with the procedures and forms specified to establish conformity and traceability.

The Document Controller should demonstrate to the Auditor how the document management system works, including how documented information is made available for use when and where it is needed, how it is changed in a controlled manner, and how it is stored and maintained in such a way that it is readily retrievable.

Internal auditors may also focus on the permissions and privileges to access documented information and, more importantly, who has the authority to make changes and approve changes to the documentation.

Existing ISO 9001:2008 documents

In ISO 9001:2008, the quality manual helped to establish and document the framework of your organization's quality management system while articulating those aspects of the QMS to any interested parties.

While there is no requirement for a quality manual or documented procedures in ISO 9001:2015, it is suggested that if they add value, then they should not simply be binned. You will be expected to maintain the integrity of the QMS during the transition process.

You do not need to renumber your existing documentation to correspond to the new clauses. It is down to each organization to determine whether the benefits gained from renumbering will exceed the effort involved.

Neither do you need to restructure your management system to follow the sequence of and titles of the requirements. Providing all of the requirements contained in ISO 9001:2015 are met, your organization’s quality management system will be compliant.

  1. If your quality manual fits your business and your customers require it, keep it!
  2. If your procedures are effective and define how your key processes operate, keep them!
  3. If the quality policy and related objectives align with business strategy, and they are communicated and adding value, keep those too!

The type and extent of documented information that your organization should retain and maintain, in order to be compliant with ISO 9001:2015, clearly depends on the nature of your organization’s products and processes.

The following criteria can be used to assess the different types of ISO 9001:2008 documents and information that your organization should retain and maintain as documented information by determining whether the information:

  1. Communicates a message internally or externally;
  2. Provides evidence of process and product conformity;
  3. Provides evidence that planned outputs were achieved;
  4. Provides knowledge sharing.

If any of the above criteria apply to any type of document or information within your organization's domain, then it should be retained and maintained as a form of 'documented information' as per Clause 7.5 of ISO 9001:2015.

More on ISO 9001:2015

Free management system interpretation guidance

Planning - Context, leadership and management system planning

This is the 'Plan' part of the PDCA process. Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organizational policies. This is often implemented using stated objectives, work instructions or procedures as required for consistent process output.

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
4.1 Organizational Context 4.1 Organizational Context 4.1 Organizational Context
4.2 Relevant Interested Parties 4.2 Relevant Interested Parties 4.2 Relevant Interested Parties
4.3 Management System Scope 4.3 Management System Scope 4.3 Management System Scope
4.4 QMS Processes 4.4 EMS Processes 4.4 OH&S Management System
ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
5.1 Leadership & Commitment 5.1 Leadership & Commitment 5.1 Leadership & Commitment
5.2 Quality Policy 5.2 Environmental Policy 5.2 OH&S Policy
5.3 Roles, Responsibilities & Authorities 5.3 Roles, Responsibilities & Authorities 5.3 Roles, Responsibilities & Authorities
    5.4 Consultation & Participation
ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
6.1 Address Risks & Opportunities 6.1.1 Address Risks & Opportunities 6.1.1 Address Risks & Opportunities
6.2.1 Quality Objectives 6.1.2 Environmental Aspects 6.1.2 Hazard Identifcation
6.2.2 Planning to Achieve Objectives 6.1.3 Compliance Obligations 6.1.3 Legal & Other Requirements
6.3 Planning for Change 6.1.4 Planning Action 6.1.4 Planning Action
  6.2.1 Environmental Objectives 6.2.1 OH&S Objectives
  6.2.2 Planning to Achieve Objectives 6.2.2 Planning to Achieve Objectives

Doing - Support and operations

This is the 'Do' part of the PDCA process. Ensure the availability of resources and information necessary to support the operation and monitoring of your processes. This may be through management review or other methods that define resource requirements.

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
7.1 Resources 7.1 Resources 7.1 Resources
7.2 Competence 7.2 Competence 7.2 Competence
7.3 Awareness 7.3 Awareness 7.3 Awareness
7.4 Communcation 7.4.1 Communcation - General 7.4.1 Communcation - General
7.5 Documented Information 7.4.2 Internal Communcation 7.4.2 Internal Communcation
  7.4.3 External Communcation 7.4.3 External Communcation
  7.5 Documented Information 7.5 Documented Information
ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
8.1 Operational Planning & Control 8.1 Operational Planning & Control 8.1.1 General
8.2 Customer Requirements 8.2 Emergency Preparedness 8.1.2 Eliminating Hazards
8.3 Design & Development   8.1.3 Management of Change
8.4 Purchasing   8.1.4 Outsourcing
8.5 Product & Service Provision   8.2 Emergency Preparedness
8.6 Release of Products & Services    
8.7 Nonconforming Outputs    

Checking - monitoring, measuring, analysing and evaluating

This is the 'Check' part of the PDCA process. Monitor, measure and analyse process performance. Monitor and measure processes and products against policies, objectives and requirements, and report the results. The methods employed and the timing of such analysis should be based upon priorities established by the organization.

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
9.1 Monitoring & Measurement 9.1.1 Performance Evaluation 9.1.1 Performance Evaluation
9.2 Internal Audit 9.1.2 Evaluation of Compliance 9.1.2 Evaluation of Compliance
9.3 Management Review 9.2 Internal Audit 9.2 Internal Audit
  9.3 Management Review 9.3 Management Review

Acting - implementing improvement actions

This is the 'Act' part of the PDCA process. Implement the actions necessary to achieve the planned results, and for the continual improvement of those processes. Auditors will expect to see evidence that corrective action is taken when measurable objectives and performance indicators fall below target or a pre-defined action level.

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
10.1 Improvement - General 10.1 Improvement - General 10.1 Improvement - General
10.2 Nonconformity & Corrective Action 10.2 Nonconformity & Corrective Action 10.2 Incident, Nonconformity & Corrective Action
10.3 Continual Improvement 10.3 Continual Improvement 10.3 Continual Improvement

How to apply the latest quality management principles

The latest and current quality management principles (QMPs), stated in ISO 9000:2015, are intended to provide the foundation by which any organization can continually improve its performance.

You can learn to apply the latest quality management principles in the context of your business's own particular operations by reviewing and documenting its activities in the context of each quality management principle.

Want to know more?

SSL certification

A certificate guarantees the information your internet browser is receiving now originates from the expected domain - https://www.iso9001help.co.uk. It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.

Free PDCA guidance

ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.