ISO 9001:2015 - The likely impact (Part III)

What 'documented information' is required by ISO 9001:2015?

An Executive Summary could read as follows...

ISO 9001:2015 will probably merge documents and records under the term 'documented information' and there will be no mandatory quality manual, procedures or quality records. These significant changes may lead to much greater flexibility in how information is managed within the quality management system, but some envisage a potential downside; i.e. ...

Newcomers to ISO 9001:2015 may be confused about where to start documenting their system, exactly what they need to record and document in relation to the requirements of the standard, and hence when their organisation's documented information is ready for audit.

What does the 2014 committee draft of ISO 9001 actually say?

The Draft BS EN ISO 9001 Quality Management Systems - Requirements published in 2014 (the 'DIS') defines documented information as that which is "required to be controlled and maintained by the organization".

The Notes make it clear that this documented information can be in any format and media and from any source. It can refer to the quality management system (3.33), including related processes (3.12), or it can be information (3.50) created for the organization (3.01) to operate (i.e. documentation). It can also be evidence of results achieved (records).

The source for the above references is ISO DIS 9000:2014.

ISO 9001:2008 was designed to allow an organization greater flexibility in the way it chooses to document its quality management system (QMS).

Clause 4.2.1. General provided an explanation of what quality management system documentation and records were required; specifically:

a) documented statements of a quality policy and quality objectives;

b) a quality manual

c) documented procedures required by this International Standard

d) documents needed by the organization to ensure the effective planning, operation and control of its processes, and

e) records required by this International Standard;

In 2012, the ISO Document ISO/TC 176/SC 2/N 525R2, titled: ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2008, asked the question 'What is a "document"?' and defined at least some of the main objectives of an organization's documentation. These were:

a) Communication of Information

b) Evidence of conformity

c) Knowledge sharing

In terms of category a), both the type and extent of documentation depended on "the nature of the organization's products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture". [Ibid, page 1].

Out with the old... in with the new ISO 9001 terms and definitions

Which terms and definitions are going to be defined and used when ISO 9001:2015 is published?

And does it matter?

For a start, due to the introduction of Annex SL, the requirements for documents and records (documented information) are now contained within each of the clauses numbered 4 through 10 in the new structure. See further down.

At the same time, familiar document references will be erased from the standard. As mentioned, one of the most notable deletions is "Quality Manual". This might be a 'shocker' for those whose QM careers date all the way back to the introduction of ISO 9001 in 1987. Yet this is only one among a number of changes that set ISO 9001:2015 apart as a "major revision" of the QMS Standard.

Documented information now means both documents and records.

A.6 Documented information explains, [due to the introduction of Annex SL common management system framework] a "common clause on 'Documented Information' has been adopted without significant change or addition". This means that the terms documented procedure and record have been replaced in ISO 9001 with "documented information".

I counted the text "documented information" appearing a total of 34 times in the committee draft of ISO 9001 between Clauses 4 to 10.

From that figure alone, you can appreciate that ISO 9001:2015 will require the creation/maintenance of a sizeable number of documents!

How should you manage your required documented information?

The wording in the DIS sets out requirements for creating and updating:

  • identification and description (e.g. a title, date, author, or reference number);
  • format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
  • review and approval for suitability and adequacy.

Documented information should also be controlled to ensure:

a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

To address these requirements, the following activities are necessary:

a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.

You should also identify and control documented information of "external origin" which is necessary for the planning and operation of your QMS.

It is - and will continue to be - necessary to regularly review documents to make sure they are up-to-date, suitable and reflect your practices. Review processes should also check for changes in relevant standards, regulations, specifications and other external documented information.

Documented information will be used to support the operation of processes and be retained "to the extent necessary to have confidence that the processes are being carried out as planned" [4.4 Quality management system and its processes]. Audit criteria will include a set of policies (3.07), documented information (3.11) or requirements used as a reference against which audit evidence (3.61) is compared.

What are the questions that you need to ask to ensure that your documented information meets the requirements? Here are just a few suggestions:

  • Who in your organisation approves documented information for release?
  • How do you know that the documented information has been approved?
  • What are the steps in your process for reviewing, updating and re-approving documented information? Does it include a regular review of changes and who is responsible for the different parts of this process?
  • How do you identify changes?
  • How do you manage your documented information so that you know which version you are looking at, and whether it is the current version?
  • Who has access to the documented information and is the current version available where it is needed, for example by teams operating in the field?
  • What means are used to provide access (e.g. document management system on the organisation's server, cloud application, paper documents)?
  • Who is responsible for distributing documented information to where it is needed - both electronically (e.g. via intranet access, document attachments, download links, etc) and in paper form?
  • Is documented information from external sources, such as relevant standards, current legislation, product specifications from your suppliers, being reviewed, updated and made available via controlled processes?
  • Are you deleting, destroying, or obsoleting old documented information so that only the current version is in use? And who is responsible for checking that end users only have access to the current version?
  • How will you archive and segregate obsolete documented information that you want to retain?
  • Which items of documented information contain confidential data?
  • What information security measures are you taking to protect data?

Once again here, this is not an exhaustive list, but it does highlight the complexity of the task of managing the documented information.

You can find a further discussion of this topic on an earlier CogniDox blog; see:

Document Control, ISO 9001 and CogniDox DMS

Mark Hammar's post on the excellent 'ISO 9001 Blog' (dated May 20, 2014) has some helpful tips and advice on ISO 9001 document control:

Some Tips to make Document Control more useful for your QMS

Given the sheer number of new documents that are likely to be required, a document management system (DMS) hosted on your server or in the cloud is worth considering before you transition.

In our earlier post (see above) on the subject of using a DMS versus other approaches, we showed how CogniDox maps to the list in Mark Hammar's post to give you much greater control over your documented information.

Mark's useful tips will help to make your controls better suited to your organisation's needs. He lists them under the following seven categories:

  1. Approve for Adequacy (who is responsible for approving this)
  2. Review/Update and Re-Approve
  3. Changes and Revision Status identified
  4. Relevant Versions at point of use
  5. Legible and identifiable.
  6. Control of External Documents
  7. Prevent use of Obsolete Documents

As we said on May 28, 2014: "To rattle through a quick mapping of tips to CogniDox features, we would find that the ability to create workflows with mandatory approvers delivers #1. The review and notification process takes care of #2. Version history and the event log provides #3. A clear link to latest and approved-latest versions solves #4 (as does the ability to hide any version other than the approved-latest one). Tip #5 is supported by embedded metadata in the documents, so readers can see what they are using. We'd look to limited partner access and/or the extranet portal functionality for #6. Finally, tip #7 can be achieved by marking the document as obsolete."

Increased flexibility in terms of the documented information required by ISO 9001:2015 will not lessen the daunting challenge of controlling the large amount of data contained within your quality management system. A DMS can greatly improve the efficiency and effectiveness of your QMS.

But regardless of how you manage documented information, it will soon be time to say a heartfelt 'Hasta la vista!' to your trusty Quality Manual.

Sources referenced plus recommended reading

The following sources are useful in understanding the development process that has led to the publication of the ISO 9001 Committee Draft (the 'DIS'), including the much debated topic of 'risk-based thinking'.

Firstly, the Draft International Standard (DIS) issued for public comment:

Draft BS EN ISO 9001 Quality Management Systems - Requirements, Date: 14 May 2014, which is available from the ISO Store, BSI Shop, IT Governance Ltd, and other distributors worldwide.

Even though the FDIS (final draft international standard) is expected soon (possibly later this month?), the ISO/DIS 9001 draft issued in May 2014 makes for interesting and necessary reading, especially the Clause 0.5 'Risk-based thinking' and the schematic (Figure 2 on page 9) with the box labelled 'Plan the Process - (Extent of planning depends on RISK)'!

For those looking for straightforward answers to the simple questions regarding the 2015 version and transition process, I recommend BSI's FAQ on ISO 9001:2015 in the ISO Revisions series - see reference below:

ISO 9001:2015 Revision, Frequently Asked Questions - Approaching change, BSI Group, July 2014 [PDF]

For a more detailed discussion about the importance of risk in quality management and why this idea is not new, BSI's white paper is useful:

ISO 9001 Whitepaper, The importance of risk in quality management - Approaching change, BSI Group, December 2014 [PDF]

The BSI White Paper 'ISO 9001: Understanding the changes' from ISO Revisions is also useful in explaining the likely impact of ISO 9001:2015:

ISO 9001 Whitepaper, Understanding the changes, Approaching change, BSI Group, July 2014 [PDF]

I also recommend an earlier white paper by Evgeny Avanesov, D.B.A., Prof. at TEST-St.-Petersburg, and (as stated on the document in 2009) a Member of Russian delegation in ISO/TC 176, ISO/TC 207; see the link:

Risk Management in ISO 9000 Series Standards [PDF]

Although this document was published in 2009, it is interesting to revisit because it came out when the common concepts and ideas for "future activities ISO/TC 176 on the revision of ISO 9001" were being formulated.

The author provides "Examples of the requirements of ISO 9001:2008, indirectly associated with the risk management". The Table on page 6 of 11 is worth reading whether you believe that 'risk-based thinking' is a new idea, or something that you do already (see the Conclusion of BSI's 2014 white paper - and the ISO's white paper titled 'ISO 9001 and Risk').

For the ISO's own (easily digested) explanation of Risk-based Thinking, view their slideshare presentation at:

Note slide 4 of 12: What is "risk-based thinking"? which features a version of the statement found in the DIS, Clause 0.5, "Risk-based thinking"; i.e. "the concept of risk has always been implicit in ISO 9001 - this revision makes it more explicit and builds it into the whole management system".

The ISO white paper on the same subject of ISO 9001 and Risk can be downloaded from 'Public' information on the ISO TC/176/SC2 Home Page:

Note the frequently quoted line: "Risk-based thinking has always been in ISO 9001 - this revision builds it into the whole management system." [Source: ISO Document N1222, July 2014, page 2], which appears, in a longer and more detailed form, in the committee draft of the standard.

What does the Chair of the ISO 9001 subcommittee have to say?

Watch the video of the Google hangout where Nigel Croft, Chair of the ISO subcommittee responsible for ISO 9001, talks to us about how the revision is progressing:

This addresses the thorny subject of risk-based thinking, which, as he points out, does not necessarily mean using formal risk management.

In small, low-risk organisations, the 'risk-based thinking' may simply be "intuitive"; in others, a full risk management process may be appropriate.

Nigel covers other relevant topics in an equally transparent, friendly way.

