ISO 9001:2015 Clause 7.5 Documented Information
ISO 9001:2015 defines documented information as meaningful data that is required to be controlled and maintained by the organization and the medium on which it is contained. Notes to this definition indicate that documented information can refer to the Quality Management System (QMS) and its processes, documentation, and records.
Documented information replaces the requirement for procedures, records and other items of documentation in ISO 9001:2015. Documented information can be of two types:
- Documented information that needs to be maintained. This will cover procedures, policies, etc. that would have been referred to as “documented procedures” or just “documents” in ISO 9001:2008
- Documented information that needs to be retained. This will cover what ISO 9001:2008 called “records”.
A particular support requirement is now documented information. Gone are the terms documents, documented procedures, and records; everything is now known as documented information whether that’s records, procedures, processes, etc. and in whatever form e.g. paper, electronic, etc. Documented information can be used to communicate a message, provide evidence of what was planned has actually been done, or knowledge sharing. Documentation Information is the information required to be controlled and maintained by an organization and the medium on which it is contained. It can be in any format and media and from any source such as paper, magnetic, electronic, or optical computer disc, photograph, master sample, etc. It can refer to:
- quality management system, including related processes;
- information created in order for the organization to operate (documentation);
- evidence of results achieved (records).
One of the important objectives in the revision of the ISO 9001 series of the standard had been that the amount and detail of documentation required by the organization have to be more relevant to the desired results of the organization’s process activities. ISO 9001:2015 allows an organization flexibility in the way it chooses to document its quality management system (QMS). This enables each individual organization to determine the correct amount of documented information needed in order to demonstrate the effective planning, operation, and control of its processes and the implementation and continual improvement of the effectiveness of its QMS. It is stressed that ISO 9001 requires (and always has required) a “Documented quality management system”, and not a “system of documents”.
The QMS needs to include documented information required by the ISO 9001 standard as well as documented information determined by the organization necessary for the effectiveness of the QMS. The organization must determine what documented information is necessary for the effectiveness of the management system. The extent of documented information for a management system can differ from one organization to another due to the size of the organization and its type of activities, processes, products, and services, the complexity of processes and their interactions, and the competence of persons. Auditors will need to understand the term ‘documented information’, however organizations are still free to use whatever terms suit their own requirements.
The following are some of the main objectives of an organization’s documented information:
- Communication of Information: As a tool for information transmission and communication. The type and extent of the documented information will depend on the nature of the organization’s products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture.
- Evidence of conformity: Provision of evidence that what was planned has actually been done.
- Knowledge sharing
- To disseminate and preserve the organization’s experiences. A typical example would be a technical specification, which can be used as a base for the design and development of a new product or service.
Documented Information has the following sub-clauses:
7.5.2 Creating and Updating
7.5.3 Control of Documented Information
The Organization’s QMS must include all documented information required by ISO 9001 and the documented information determined by the organization as being necessary for the effectiveness of the QMS. The extent of documented information can differ from one organization to another due to the size of the organization and its type of activities, processes, products, and services; complexity of processes and their interactions; competence of persons.
The requirement of this clause is linked to clause 4.4 (Quality management systems and its processes) which requires an organization to “maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned.”Clause 7.5.1 specifies all the different types of documentation needed for your QMS. The need to have additional documentation beyond those specified in this standard may depend upon – customer; regulatory and your own organizational requirements. Other factors to consider may include the complexity of products/Services and processes, type of activities, the effect on quality, the risk of customer dissatisfaction, economic risk, effectiveness and efficiency, the competence of personnel. Clause 7.5.1b requires you to have documents needed to ensure the effectiveness of the QMS. Each organization must determine what documentation is needed to achieve this based upon the complexity of products/services and processes, type of activities, effect on quality, the risk of customer dissatisfaction, economic risk, effectiveness and efficiency, the competence of personnel. There is no need for a Quality manual and six mandatory procedures in ISO 9001:2015. A document is an information that is written or recorded on some medium such as paper or computer. A document may specify requirements for e.g. a drawing or technical specification, may provide direction for e.g. quality plan, or show results or evidence of activities performed for e.g. records. The term “Documented Information” is used for all document requirements in ISO 9001:2015. For specific terminology used in ISO 9001:2008 such as “document” or “documented procedures”, “quality manual” or “quality plan”, ISO 9001:2015 defines requirements to “maintain documented information”. In ISO 9001:2008 the term “records” was used to denote documents needed to provide evidence of conformity with requirements. In 9001:2015 this is now expressed as a requirement to “retain documented information”. The organization is responsible for determining what documented information needs to be retained, the period of time for which it is to be retained and the media to be used for its retention. The requirement to “maintain” documented information may also include the possibility that the organization can “retain” that same documented information for a particular purpose, for e.g. to retain previous versions of it. When the term “information” rather than “documented information” is used, the organization may choose not to document the” information”. (e.g. in clause 4.1 states: “The organization shall monitor and review the information about these external and internal issues”). The organization can decide whether or not it is necessary or appropriate to maintain documented information.
Documented information needed to be maintained by the organization for the purposes of establishing a QMS (high-level transversal documents) includes:
- The scope of the quality management system (clause 4.3).
- Documented information necessary to support the operation of processes (clause 4.4).
- The quality policy (clause 5.).
- Quality objectives (clause 6.2).
- This documented information is subject to the requirements of clause 7.5.
Documented information maintained by the organization for the purpose of communicating the information necessary for the organization to operate may include and not limited to(clause 4.4)
- Organization charts
- Process maps, process flow charts and/or process descriptions
- Work and/or test instructions
- Documents containing internal communications
- Production schedules
- Approved supplier lists
- Test and inspection plans
- Quality plans
- Quality manuals
- Strategic plans
These are low-level specific documents and ISO 9001:2015 does not specifically require any of them. But in case such documents are part of QMS, they are subjected to all the controls given in clause 7.5.2 (creating and Updating) and clause 7.5.3(Control of documented information).
Documented information needed to be retained by the organization for the purpose of providing evidence of result achieved (records) includes:
- Documented information to the extent necessary to have confidence that the processes are being carried out as planned (clause 4.4).
- Evidence of fitness for the purpose of monitoring and measuring resources (clause 126.96.36.199).
- Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) (clause 188.8.131.52).
- Evidence of competence of the person(s) doing work under the control of the organization that affects the performance and effectiveness of the QMS (clause 7.2).
- Results of the review and new requirements for the products and services (clause 8.2.3).
- Records needed to demonstrate that design and development requirements have been met (clause 8.3.2)
- Records on design and development inputs (clause 8.3.3).
- Records of the activities of design and development controls (clause 8.3.4).
- Records of design and development outputs (clause 8.3.5).
- Design and development changes, including the results of the review and the authorization of the changes and necessary actions (clause 8.3.6).
- Records of the evaluation, selection, monitoring of performance and re‐evaluation of external providers and any and actions arising from these activities (clause 8.4.1)
- Evidence of the unique identification of the outputs when traceability is a requirement (clause 8.5.2).
- Records of the property of the customer or external provider that is lost, damaged or otherwise found to be unsuitable for use and of its communication to the owner (clause 8.5.3).
- Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken (clause 8.5.6).
- Records of the authorized release of products and services for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) (clause 8.6).
- Records of nonconformities, the actions are taken, concessions obtained and the identification of the authority deciding the action in respect of the nonconformity (clause 8.7).
- Results of the evaluation of the performance and the effectiveness of the QMS (clause 9.1.1)
- Evidence of the implementation of the audit programme and the audit results (clause 9.2.2).
- Evidence of the results of management reviews (clause 9.3.3).
- Evidence of the nature of the nonconformities and any subsequent actions taken(clause 10.2.2).
- Results of any corrective action (clause 10.2.2).
In addition, Organizations may develop other records that are be needed to demonstrate the conformity of their processes, products and services, and quality management system, and in case such document is part of QMS, they are subjected to all the controls given in clause 7.5.2 (creating and Updating) and clause 7.5.3(Control of documented information).
7.5.2 Creating and Updating
When creating and updating documented information the organization must ensure appropriate identification and description (e.g., a title, date, author, or reference number); format (e.g., language, software version, graphics), and media (e.g., paper, electronic); review and approval for suitability and adequacy.
While ISO 9001:2015 does not require a documented procedure for creating, updating, and control of documented information, still we need a procedure for creating, updating, and ultimately control of documented information. Your system for managing documented information doesn’t itself have to be documented, which is a big change from ISO 9001:2008, which required documented procedures for both document control and control of records, documenting them will act as evidence that adequate organization knowledge is available with the organization regarding creation, updating, and control of documented information. ISO 9001:2015 doesn’t require you to write a procedure for how you control documented information. Should you do it anyway? Yes! It’s a potentially complicated topic that should be communicated in a consistent manner. Describe your system within maintained documented information (i.e., a documented procedure) and you’ll have much less confusion.
You have to ensure the following practices are in place when you create and update documented information:
- Identification: Documents and records must-have titles, document numbers, or something that indicates their identity. As long as you can differentiate between different documented information, knowing which ones address which topics, then you’ve met this requirement.
- Format: The documents must be usable for their purpose. The format must be appropriate to the purpose and users, and the media must be accessible and understandable. For example, if the medium is electronic, then users would need to have access to a computer or other interface that can display the electronic media. Another example might relate to a company that has a high percentage of employees who speak Marathi their documentation would need to be graphically formatted (to make language irrelevant) or translated into Marathi, the language predominantly spoken by the employees.
- Review and approval for suitability and adequacy: Somebody must review and approve the documented information before it’s used. Who performs this function is completely up to you. There are many ways to signify review and approval: signatures, initials, email approval, electronic signatures, meeting minutes, or click-box approval within a document control program. Review and approval do have to be traceable, meaning it must be clear who performed it. It should also be secure, which means the organization has prevented imposters from making reviews/approvals under somebody else’s name.
7.5.3 Control of Documented Information
Documented information required by Your QMS and by ISO 9001 must be controlled to ensure it is available and suitable for use, where and when it is needed; It must is adequately protected from loss of confidentiality, improper use, or loss of integrity.
For the control of documented information, the organization must address, as applicable: distribution, access, retrieval, and use; storage and preservation, including preservation of legibility; control of changes (e.g., version control); retention and disposition. Documented information of external origin determined by the organization to be necessary for the planning and operation of the system must be identified as appropriate, and controlled. Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
Once the documented information exists, the next logical step is controlled. Here are the control requirements from ISO 9001:2015:
- Availability: The documented information exists where it’s supposed to exist. The organization has dedicated the resources to create the documented information and the information is suitable for the need it was intended to fill.
- Protection: The documented information is protected from tampering, unauthorized changes, and damage. People who shouldn’t see the documented information are prevented from seeing it. Appropriate safeguards put in place by the organization to ensure information isn’t misused in any way. System passwords and employee training are two ways to accomplish this.
- Distribution: You can assess the documented information. Employees don’t struggle to find it, and they understand how to interpret its meaning. If a computer or program is necessary to access the documented information intended for employees, then employees can operate it. In the case of retained information (e.g., records), they can be retrieved within a reasonable amount of time.
- Storage: The organization specifies where the documented information is located. This applies to retained documented information (records) and maintained documented information (documents). The location is accurate and verifiable, and there are controls to preserve the information.
- Preservation could include periodic backups of computer files and periodic monitoring to ensure continued legibility. The controls for “preservation” are very similar to the controls for “protection,” described above.
- Change control: The organization is able to ensure that the correct versions of documented information are available. When documented information is revised, the revisions are incorporated into the information in use (after review and approval). There are safeguards in place to prevent employees from incorrectly accessing and using obsolete information.
- Retention: We say how long we retain documented information. Remember, the term “retain” refers to records, so this is the requirement for establishing a retention time. Every record in your system could conceivably have a different retention time, and ISO 9001:2015 provides no guidance on the appropriate retention times of records. This is completely up to the organization and its needs.
- Disposition refers to what happens to the record after the retention times have elapsed. Typical dispositions include archive, shred, or recycle.
Finally, ISO 9001:2015 addresses external documents and preventing unintended alterations of retained information. An external document is published outside the organization and used within the scope of the management system. Examples of external documents possibly requiring control include:
- Troubleshooting and/or calibration manuals published by equipment manufacturers
- Test procedures, specifications, and/or engineering drawings published by customers or other bodies
- Instructions, specifications, and/or procedures published by suppliers
- Standards published by industrial organizations applicable to the organization
- International standards such as ISO 9001
Once external documents have been determined, they must be identified, and they must be controlled. Like internal documents, there must be a title, document number, or another unique identifier. Such identification typically comes from the source that publishes the document, and the organization simply adopts it. Make sure that all the other aspects of “control” are applied to external documents.
The last requirement provided by ISO 9001:2015 concerns retained documented information that provides evidence of conformity. In other words, records that prove you met requirements. The organization must ensure that people can’t make unauthorized changes to records. This is a restatement of the protection and preservation requirements already discussed.
What to control?
“Do I need to control this?” is one of the most frequently asked questions in organizations working toward, or maintaining, a formal management system. Given the universe of documented information possibly requiring control, the question is understandable. Besides, most people would rather not control something if they don’t have to. Here are some questions to ask when determining whether a document should be controlled:
- Does the documented information guide the production of products (i.e., goods or services) provided by the organization?
- Does the documented information guide the verification, inspection, or testing of products provided by the organization?
- Does the documented information define customer and/or product requirements?
- Is the documented information used for controlling processes?
- Is the documented information used for decision-making by production personnel?
- Is the documented information used for collecting data that could be used later for decision-making within the scope of the management system (e.g., a form)?
- Is the information so critical that failure to keep it updated would pose a risk to the organization or its customers?
- Does the documented information address or relate to a requirement from ISO 9001?
If the answer to one or more of these questions is yes, then the documented information should probably be controlled. For illustration purposes, consider the following scenarios:
- An interoffice memo is posted on a wall in the fabrication department. The memo gives a number of functional and packaging requirements for a product that’s fabricated there. Because of where the document has been posted and the information it contains, the memo should be controlled. Ignore the fact that memos are rarely controlled; in this case, it provides customer requirements, guides decision making, and relates directly to ISO 9001 requirements. Even if the memo duplicates information contained elsewhere in controlled specifications, the uncontrolled memo would still be a problem. Eventually, there will be a discrepancy between the information on the memo and the information contained in the controlled specifications. The organization should either control the posted memo or get rid of it.
- A training department develops videos to train employees on the proper setup and operation of production lines. The videos are included in the training program for new hires and existing employees. In this case, document control is required because the videos define process control, guide the production of products, and relate to the training requirements of IS0 9001.
- Product defect samples are displayed in a lighted glass cabinet in the visual inspection area, The samples illustrate the limits of various defects that can be considered acceptable to customers, and they’re used when inspectors aren’t certain of the criteria. Currently, the display cabinet is labelled “for reference only.” Despite this declaration. the samples should be controlled because they define customer requirements.
- An organization develops a checklist that’s used to record the results of product inspection. The blank checklist defines exactly what’s to be inspected as indicated by the spaces that inspectors must complete. These blank forms need to be controlled as documents and then as records once they’re completed.
These scenarios highlight the fact that documented information needn’t be limited to traditional procedures, work instructions, and the like. The term “documented information” can encompass a wide range of things, all of which might require control, depending on the information they contain. Some examples include Databases, Photos, Drawings, diagrams, sketches, audio, video, Product samples, and defect samples, Paint swatches for color matching, Checklists, Flow diagrams, Blank forms, etc
Organizations preparing to implement a QMS
For organizations that are in the process of implementing a QMS, and wish to meet the requirements of ISO 9001:2015, the following comments may be useful.
- For organizations that are in the process of implementing or have yet to implement a QMS, ISO 9001:2015 emphasizes a process approach. This includes:
- determining the processes necessary for the effective implementation of the quality management system determining the interactions between these processes.
- documenting the processes to the extent necessary to assure their effective operation and control. (It may be appropriate to document the processes using process mapping tools. It is emphasized, however, that documented process mapping tools are not a requirement of ISO 9001:2015).
2. Analysis of the processes should be the driving force for defining the amount of documented information needed for the quality management system, taking into account the requirements of ISO 9001:2015. It should not be the documented information that drives the processes.
Organizations wishing to adopt an existing QMS
For organizations that currently have a QMS the following comments are intended to assist in understanding the changes to documented information that may be required or facilitated by the transition to ISO 9001:2015:
- An organization with an existing QMS should not need to rewrite all of its documented information in order to meet the requirements of ISO 9001:2015. This is particularly true if an organization has structured its QMS based on the way it effectively operates, using a process approach.
- An organization may be able to carry out some simplification and/or consolidation of existing documented information in order to simplify its QMS.
Demonstrating conformity with ISO 9001:2015
For organizations wishing to demonstrate conformity with the requirements of ISO 9001:2015, for the purposes of certification/registration, contractual, or other reasons, it is important to remember the need to provide evidence of the effective implementation of the QMS.
- Organizations may be able to demonstrate conformity without the need for extensive documented information
- To claim conformity with ISO 9001:2015, the organization has to be able to provide objective evidence of the effectiveness of its processes and its quality management system. Clause 3.8.3 of ISO 9000:2015 defines “objective evidence” as “data supporting
the existence or verity of something” and notes that “objective evidence may be obtained through observation, measurement, test, or other means.”
- Objective evidence does not necessarily depend on the existence of documented information, except where specifically mentioned in ISO 9001:2015. In some cases, (for example, in clause 8.1 (e) Operational planning and control, it is up to the organization to determine what documented information is necessary in order to provide this objective evidence.
- Where the organization has no specific documented information for a particular activity, and this is not required by the standard, it is acceptable for this activity to be conducted using as a basis the relevant clause of ISO 9001:2015. In these situations, both internal and external audits may use the text of ISO 9001:2015 for conformity assessment purposes.
Documentation requirements in tabular form
From the text, it is normally evident when “documented information” relates to “records” as evidence of performed activity/process and when “documents information” relates to how to perform an activity/ process. Normally the standard refers to “shall maintain documented information” when the meaning is how to perform an activity/process and “shall retain documented information” when the meaning is to keep evidence of performed activity/process.
These are the minimum documentation requirements. Organizations themselves can decide that they need additional documented information.
|Clause 4.3 Determining the scope of the quality management system||The scope of the organization’s quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system.
Click here for an example of how a scope could be derived
|4.4.2 (Quality management system and its processes)||To the extent necessary, the organization shall:
a) maintain documented information to support the operation of its processes;
b) retain documented information to have confidence that the processes are being carried out as planned.
Example of Quality Manual
|5.2.2 (Communicating the quality policy)||The quality policy shall:
a) be available as documented information;
b) be communicated, understood and applied within the organization;
c) be available to interested parties, as appropriate;
Examples of the Documented statement of Quality Policy
|6.2 (Quality objectives and planning to achieve them)||The organization shall maintain documented information on quality objectives.
Example of functional objectives
|184.108.40.206 General(Monitoring and measuring resources)||The organization shall retain appropriate documented information as evidence of fitness for the purpose of monitoring and measuring devices.
Example of formats for Details of Instruments
|220.127.116.11 (Measurement traceability)||When measurement traceability is a requirement or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be:
a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information; Example of Instrument calibration history card
|7.2 (Competence)||The organization shall:
d) retain appropriate documented information as evidence of competence.
Example of format for List of Employees
Example of format for Employee Training Plan &Record
Example of format for Staff Induction Program
Example of format for Competency Matrix
Example of format for Skill Matrix
Example of format for Training Need Identification
|7.5.1 General (Documented information)||The organization’s quality management system shall include:
a) documented information required by this International Standard;
b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.
NOTE The extent of documented information for a quality management system can differ from one organization to another due to:
– the size of the organization and its type of activities, processes, products, and services;
– the complexity of processes and their interactions;
– the competence of persons.
|8.1.e (Operational planning and control)||determining and keeping documented information to the extent necessary
1) to have confidence that the processes have been carried out as planned;
2) to demonstrate the conformity of products and services to their requirements.
NOTE “Keeping” implies both the maintaining and the retaining of documented information. Example of format for Process plan
Example of template for Project Quality plan
Example of format for the Quality plan
|18.104.22.168 (Review of requirements related to products and services)||The organization shall retain documented information, as applicable:
a) on the results of the review;
b) on any new requirements for the products and services.
Example of format for contract review
Example of format for verbal order register
|8.3.2 (Design and development planning)||In determining the stages and controls for design and development, the organization shall consider:
j) the documented information needed to demonstrate that design and development requirements have been met.
Example of Procedure for design and development
Example of format for Design planning
Example of format for Development Inquiry Register
|8.3.3 (Design and development inputs)||The organization shall retain documented information on design and development inputs. Example of format for the Design input record|
|8.3.4 (Design and development control)||The organization shall apply controls to the design and development process to ensure that:
f) documented information of these activities is retained
Example of format for design and development review
Example of format for Design verification report
Example of format for Design validation
|8.3.5 (Design and development output)||The organization shall retain documented information on the design and development outputs.
Example of format for the Design output
Example of a list of design output
|8.3.6 (Design and development changes)||The organization shall retain documented information on:
a) design and development changes;
b) the results of reviews;
c) the authorization of the changes;
d) the actions are taken to prevent adverse impacts.
Example of format for the Design change record
|8.4.1 General (Control of externally provided products and services)||The organization shall retain documented information of the results of these activities and any necessary actions arising from the evaluations.
Example of format for List of approved suppliers
Example of format for Evaluation Rating of Suppliers
Example of Procedure for Purchasing
Example of Supplier audit checklist
Example of format for Supplier Registration form
|8.5.1 (Control of production and service provision)||Controlled conditions shall include, as applicable:
a) the availability of documented information that defines:
1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed;
2) the results to be achieved;
Examples of Inspection and test plan
Example of Procedure of Production
Examples of the Production schedule
Example of format for Machine preventive Maintenance Chart
Example of format for Machine Breakdown Maintenance Report
|8.5.2 (Identification and traceability)||The organization shall control the unique identification of the outputs when traceability is a requirement and shall retain the documented information necessary to enable traceability.
Example of Tags
Example of the format of Equipment register
|8.5.3 (Property belonging to customers or external providers)||When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.
Example of format for a list of customer-supplier items
Example of format for list of customer drawing
|8.5.6 (Control of changes)||The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.
Example of procedure for Change Management
Examples of change management log
Example of the change request form
|8.6 (Release of goods and services)||The organization shall retain documented information on the release of products and services. The documented information shall include:
a) evidence of conformity with the acceptance criteria;
b) traceability to the person(s) authorizing the release.
Example of format for Pre Delivery Inspection Report
|8.7.2 (Control of nonconforming outputs)||The organization shall retain documented information that:
a) describes the nonconformity;
b) describes the actions taken;
c) describes any concessions obtained;
d) identifies the authority deciding the action in respect of the nonconformity.
Example of format for Product N.C Register
Example of format for Cause-Effect Analysis
Example of Procedure for control of non-conforming Output
|9.1.1 General (Monitoring, measurement, analysis, and evaluation)||The organization shall retain appropriate documented information as evidence of the results Example of format for Internal audit summary
Example of format for Analysis of Quality objectives
Example of format for NCR closer report
Example of format for Incoming Inspection report
Example of the Inspection plan
Example of format for First piece /last off Inspection report
Example of format for In-process Inspection report
Example of format for visual Inspection for packaging
|9.2.2 (Internal Audit)||The organization shall:
f) retain documented information as evidence of the implementation of the audit programme and the audit results.
Example of Procedure for Internal QMS Audit
Example of the form of Internal Audit Observation Sheet
Example of the form of Internal Audit Summary Sheet
Example of Format of List of Internal Auditors
Example of formats for Audit Schedule and Audit Plan
Example of Format of Internal Audit corrective action report
|9.3.3 (Management review)||The organization shall retain documented information as evidence of the results of management reviews.
Example of a record of Management review conducted
Example of Procedure for Management Review
Template of Management Review Agenda and Minutes
|10.2.2 (Nonconformity and corrective action)||The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions are taken;
b) the results of any corrective action.
Example of Procedure for Correction and Corrective action
Example of the form of Corrective action
Example of format for Continual Improvement Plan
Example of procedure for non-conforming output
Furthermore, in ISO 9001:2015 in several places uses the wording “shall determine”. The word “determine” implies a discovery process that results in knowledge. There is no explicit “documentation” requirement, but where “determine” is used the organization should at least be able to demonstrate and give confidence of completeness and control of such activities/processes.
|4.1 (Understanding the organization and its context)||The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.|
|4.2 (Understanding the needs and expectations of interested parties)||Due to their impact or potential impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine:
a) the interested parties that are relevant to the quality management system;
b) the requirements of these interested parties that are relevant to the quality management system.
|4.3 (Scope)||The organization shall determine the boundaries and applicability of the quality management system to establish its scope.|
|4.4 (QMS and its processes)||The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall:
a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements, and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;
g) evaluate these processes and any needed to ensure that these processes achieve their intended results;
h) improve the processes and the quality management system.
|6.1.1 (Actions to address risks and opportunities)||When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
|6.2.2 (Quality objectives and planning to achieve them)||When planning how to achieve its quality objectives, the organization shall determine:
a) what will be done,
b) what resources will be required,
c) who will be responsible,
d) when it will be completed, and
e) how the results will be evaluated.
|7.1.1 General(Resources)||The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system.|
|7.1.2 (People)||The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.|
|7.1.3 (Infrastructure)||The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes to achieve conformity of products and services.|
|7.1.4 (Environment for the operation of processes)||The organization shall determine, provide and maintain the environment necessary for the operation of its processes and achieve conformity of products and services.|
|7.1.5 (Monitoring and measuring resources)||The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements.
The organization shall determine if the validity of previous measurement results have been adversely affected when measuring equipment is found to be unfit for its intended purpose and shall take appropriate action as necessary.
|7.1.6 (Organisational knowledge)|| The organization shall determine the knowledge necessary for the operation of its processes and to chief conformity of products and services.
When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.
|7.2 (Competence)|| The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system;
|7.4 (Communication)||The organization shall determine the internal and external communications relevant to the quality management system including:
a) on what it will communicate,
b) when to communicate,
c) with whom to communicate,
d) how to communicate
e) who communicates.
|8.3.3 (Design and development inputs)||The organization shall determine requirements essential for the specific type of products and services being designed and developed. The organization shall consider:
a) functional and performance requirements;
b) information derived from previous similar design and development activities;
c) statutory and regulatory requirements;
d) standards or codes of practice that the organization has committed to implement;
e) potential consequences of failure due to the nature of the products and services.
|8.4.1 General( Control of externally provided processes, products and services)|| The organization shall determine the controls to be applied to externally provided processes, products and services when:
a) products and services from external providers are intended for incorporation into the organization’s own products and services;
b) products and services are provided directly to the customer(s) by external providers on behalf of the organization;
c) a process, or part of a process is provided by an external provider as a result of a decision by the organization.
The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements.
|8.4.2 (Type and extent of control)|| The organization shall:
a) determine the verification, or other activities, necessary to ensure that the externally provided processes, products, and services meet requirements.
|9.1.1 General (Monitoring, measurement, analysis, and evaluation)|| The organization shall determine:
a) what needs to be monitored and measured;
b) the methods for monitoring, measurement, analysis, and evaluation needed to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall be analyzed and evaluated.
|9.1.2 (Customer satisfaction)||The organization shall monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.|
|10.1 General (Improvement)||The organization shall determine and select opportunities for improvement and implement necessary actions to meet customer requirements and enhance customer satisfaction.|