Document Control in ISO 9001:2015: What the Standard Requires

ISO 9001:2015 requires a documented quality management system (QMS) – as opposed to simply a system of documents.

This article gives an overview of what ISO 9001:2015 requires in terms of document control.

What is document control in relation to ISO 9001?

The term “documented information” in ISO 9001:2015 refers to the important information within an organization’s QMS – the documents and records – that must be kept organized and controlled.

Within ISO 9001:2015, control over documented information ensures that:

• the right people have access to a QMS when and where they need it
• no unauthorized or unrecorded changes can be made to its required content.

While having document controls in place is a requirement of ISO 9001:2015, the way those controls are implemented is not specified. They can be scaled to the size and complexity of an organization.

Main objectives of an organization’s documented information include:

• communicating information
• evidence of conformity
• knowledge sharing
• dissemination and preservation of an organization’s experiences.

Documents can be in any format, including paper, magnetic, electronic or optical computer disc, photograph or master sample.

ISO 9001:2015 requirements for documented information

There are two clauses within ISO 9001:2015 – 4.4 and 7.5 – that are important to understand fully.

Clause 4.4

This clause requires an organization’s QMS and processes to “maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned”.

Clause 7.5.1

This clause outlines what the QMS documentation must include:

• documented information required by this international standard
• documented information determined by the organization as being necessary for the effectiveness of the quality management system.

The note after this clause clarifies how QMS documented information can differ from one organization to another due to the:

• size of organization and its type of activities, processes, products and services
• complexity of processes and interactions
• competence of persons.

All the documented information that forms part of the QMS must be controlled in accordance with clause 7.5 documented information.

The following two sections assist users of ISO 9001:2015 to understand the intent of the general documented information requirements.

Documents you’re required to maintain

Documented information that must be maintained by the organization for the purposes of establishing a QMS include:

• the scope of the quality management system (4.3)
• documented information necessary to support the operation of processes (4.4)
• the quality policy (5)
• the quality objectives (6.2)
• this documented information is subject to the requirements of clause 7.5.

An organization must also maintain documented information that’s used to communicate information necessary for the organization to operate. Although ISO 9001:2015 doesn’t require specific documents, examples that add value to a QMS include:

• organization charts
• process maps, process flow charts and/or process descriptions
• procedures
• work and/or test instructions
• specifications
• documents containing internal communications
• production schedules
• approved supplier lists
• test and inspection plans
• quality plans
• quality manuals
• strategic plans
• forms.

Documents you’re required to retain

All documented information is subject to the requirements in clause 7.5. Documented information that must be retained by the organization to provide evidence of results achieved (records) include:

1. Documented information to the extent necessary to have confidence that the processes are being carried out as planned. (4.4)
2. Evidence of fitness for purpose of monitoring and measuring resources. (7.1.5.1)
3. Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist). (7.1.5.2)
4. Evidence of competence of person(s) doing work under the control of the organization that affects the performance and effectiveness of the QMS. (7.2)
5. Results of the review and new requirements for the products and services. (8.2.3)
6. Records needed to demonstrate that design and development requirements have been met. (8.3.2)
7. Records on design and development inputs. (8.3.3)
8. Records of the activities of design and development controls. (8.3.4)
9. Records of design and development outputs. (8.3.5)
10. Design and development changes, including the results of the review and the authorization of the changes and necessary actions. (8.3.6)
11. Records of the evaluation, selection, monitoring of performance and re‐evaluation of external providers and any actions arising from these activities. (8.4.1)
12. Evidence of the unique identification of the outputs when traceability is a requirement. (8.5.2)
13. Records of property of the customer or external provider that’s lost, damaged or otherwise found to be unsuitable for use and its communication to the owner. (8.5.3)
14. Results of the review of changes for production or service provision, the persons authorizing the change and necessary actions taken. (8.5.6)
15. Records of the authorized release of products and services for delivery to the customer including acceptance criteria and traceability to the authorizing person(s). (8.6)
16. Records of nonconformities, the actions taken, concessions obtained and the identification of the authority deciding the action in respect of the nonconformity. (8.7)
17. Results of the evaluation of the performance and the effectiveness of the QMS. (9.1.1)
18. Evidence of the implementation of the audit programme and the audit results. (9.2.2)
19. Evidence of the results of management reviews. (9.3.3)
20. Evidence of the nature of the nonconformities and any subsequent actions taken. (10.2.2)
21. Results of any corrective action. (10.2.2)

An organization is free to develop other records that may be needed to demonstrate conformity of its processes, products and services and QMS. These records are also subject to the requirements clause 7.5.

Basic questions to consider

Within ISO 9001:2015, there are seven required document control elements.

1. Can you approve documents for adequacy prior to issue?

   Your QMS must have a procedure that guarantees the right people see and approve documents (ensuring they serve their purpose) prior to release.

2. Can you identify the changes and control current document revision status?

   Your QMS must track and record changes made to quality documentation for auditing purposes.

3. Can you make relevant documents available at points of use?

   Your employees (and third-party suppliers) must be able to access documents within your QMS when and where they need to.

4. Can you ensure the documents remain legible and readily identifiable?

   The documents within your QMS must be clear, labeled and easy to find, which is easier to achieve in a digital (rather than paper) format.

5. Can you identify external documents and control their distribution?

   Where standards and operational information necessary to your quality processes are contained within external documents, they must be accessible and controlled within your QMS.

6. Can you prevent obsolete documents from unintended use?

   Your QMS must ensure that obsolete documents are clearly labeled. The difference between “issue” and “drafts” of documents must be shown.

7. Can you apply suitable identification if obsolete documents are retained?

   Document version histories must be labeled to ensure they can’t be mistaken for current issues.

Simplifying document control with isoTracker

isoTracker’s document management software makes it simple to comply with document control standards. It is easy to use, cloud-based, automated, secure and accurate. It saves your organization time and eliminates mistakes.

It provides access to a single, consistent document repository – anywhere, any time. It has automated document approval workflows, task notifications and document archiving. It also provides the security of daily backups, encryption, fine-grained access control and full document activity history.

The module can stand alone or integrate with isoTracker’s other quality management software.

Sign up for a free 60-day trial of isoTracker’s quality management software or contact us to discuss your needs.

Get a free trial now