Documented

Information
Guidance
ISO 9001:2015
 Documented Information Guidance
ISO 9001:2015

Table of Contents
Introduction ..........................................................................................................................................2

Existing ISO 9001:2008 Documents .......................................................................................................2

Interpreting ISO 9001:2015 Clause 7.5 ...................................................................................................3

Clause 7.5.1 - General.......................................................................................................................................................... 3

Clause 7.5.2 - Creating & Updating ................................................................................................................................. 3
Clause 7.5.3 - Controlling Documented Information.................................................................................................... 4

How to Develop Your Documentation ...................................................................................................4

Step 1: Determine how QMS documentation can be integrated into existing documents ................................. 4
Step 2: Tailor the documentation to your organization’s needs ................................................................................ 4
Step 3: Determine a standard format for all documents ............................................................................................. 4
Step 4: Determine what records are required ................................................................................................................ 5
Step 5: Prototype each new document ........................................................................................................................... 5
Step 6: What to maintain as documented information................................................................................................ 6
Step 7: What to retain as documented information ..................................................................................................... 6
QMS Documentation Worksheet...................................................................................................................................... 8

Organizational Knowledge ....................................................................................................................9

What is Organizational Knowledge? ................................................................................................................................ 9

Sources of Organizational Knowledge............................................................................................................................. 9
Auditing Organizational Knowledge ..............................................................................................................................10

Page 1 of 11
 Documented Information Guidance
ISO 9001:2015

Introduction
A robust document control process invariably lies at the heart of any compliant quality management system
(QMS); almost every aspect of auditing and compliance verification is determined through the scrutiny of
documented evidence. With this in mind, it becomes apparent that the on -going maintenance of an efficient
document management system must not be overlooked.

Your organization must control the documentation required by the QMS and ensure that a suitable process is
implemented to define the controls needed to; approve, review, update, identify changes, identify revision
status and provide access. The document control procedure that is included with this document will help you
to define the scope, purpose, method and responsibilities required to implement these parameters.

The procedure also defines the controls needed for the identification, storage, protection, retrieval, retention
and disposition of records and ensuring that they remain legible and identifiable throughout their retention
period. This is because records are an important organizational asset; as they provide the primary route for
evidence based verification and traceability since they demonstrate compliance with customer and regulatory
requirements. Records will prove the efficacy of your QMS:

1. Records prove compliance against requirements;

2. Develop and implement the control of records procedure;
3. Maintain the legibility and accessibility of QMS documents and records.
Implementing a document management system could mean keeping certain records that your organization
might not be already keeping. Some of these records may seem a little confusing until you become more
familiar with the quality standard.

Of course, you are free to keep more records than those listed in this document, if you feel that your
business needs them, but as we always preach; keep your system simple. The fewer docum ents and records
you keep, the fewer things that will be audited, and the more time you will have to actually run your business.

Keep in mind that you are free to combine some of these records where it makes sense, for example, you
could combine the corrective and preventive action request log with a simple checkbox to note which one it
is. You could also combine both corrective and preventive action requests onto one form, again with a simple
check box to designate its purpose.

Existing ISO 9001:2008 Documents

While there is no requirement for a management system manual or documented procedures in ISO
9001:2015, it is suggested that if they add value to operations, then your ISO 9001:2008 documents should
not simply be binned. You will be expected to maintain the integrity of your QMS and its documentation
when transitioning from ISO 9001:2008 to ISO 9001:2015, this can evidenced using management review
meeting minutes, SWOT analysis documents or risk and opportunity trackers.

You need to restructure your management system to follow the sequence of and titles of the requirements.
Providing all of the requirements contained in ISO 9001:2015 are met, your organization’s quality
management system will be compliant.

1. If your system manual fits your business and your customers require it, keep it!

Page 2 of 11
 Documented Information Guidance
ISO 9001:2015

2. If your procedures are effective and define how your key processes operate, keep them!

3. If the quality policy and related objectives align with business strategy, and they are communicated
and adding value, keep those too!

You do not need to renumber your existing documentation to correspond to the new clauses. It is down to
each organization to determine whether the benefits gained from renumbering will exceed the effort
involved.

Interpreting ISO 9001:2015 Clause 7.5

In order to comply with ISO 9001:2015 Clause 7.5 Documented Information, it is essential that all personnel
understand what type of documents should be controlled and more importantly, how this control should be
exercised.

The type and extent of documented information that your organization should retain and maintain, in order
to be compliant with ISO 9001:2015, clearly depends on the nature of your organization’s products and
processes. The following criteria can be used to assess the different types of documentation and information
that your organization should retain and maintain as documented information by determining whether the
information:

1. Communicates a message internally or externally;

2. Provides evidence of process and product conformity;
3. Provides evidence that planned outputs were achieved;
4. Provides knowledge sharing.
If any of the above criteria apply to any type of document or information within your organization's domain,
then it should be retained and maintained as a form of 'documented informa tion' as per Clause 7.5 of ISO
9001:2015.

If you don’t want to control external documents, you must specifically state this in the procedure and on the
documents themselves, which are ‘For Reference Only’ and are not updated. For multi-site/corporate
certifications the auditor will expect to see that system documentation and changes are centrally managed
(usually performed at the headquarters location) with further control of documents at the local level, as
applicable.

Clause 7.5.1 - General

Clause 7.5.1 of ISO 9001:2015 is identical to the requirements from ISO 9001:2008 – Document Control. It
should be noted that there is no need to maintain a documented procedure but your organization may still
chose to operate one. You should ensure that you organization’s management system includes documented
information required to be maintained and retained by ISO 9001:2015, and the documented information
required identified by your organization to demonstrate the effective operation of its QMS.

Clause 7.5.2 - Creating & Updating

Clause 7.5.2 of ISO 9001:2015 is comparable to the requirements from ISO 9001:2008 – Document Control.
You should seek to confirm that when documented information is created or updated, your organization has
ensured that it is appropriately identified and described (e.g. title, date, author, reference number). It must be

Page 3 of 11
 Documented Information Guidance
ISO 9001:2015

in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper,
electronic). Confirm that documented information is reviewed and approved for suitability and adequacy.

Clause 7.5.3 - Controlling Documented Information

Clause 7.5.3 of ISO 9001:2015 is comparable to the requirements from ISO 9001:2008 – Control of Records.
A robust document control process invariably lies at the heart of any compliant management system; almost
every aspect of auditing and compliance verification is determined through the scrutiny of documented
information. With this in mind, it becomes apparent that the on-going maintenance of an efficient document
management system must not be overlooked.

Your organization must control the documented information required by the QMS. A suitable process must
be implemented to define the controls needed to; approve, review, update, identify changes, identify revision
status and provide access. The documented information process should define the scope, purpose, method
and responsibilities required to implement these parameters.

Departmental managers should always be responsible for promoting good documented information
practices in their area whilst supporting overall compliance to the requirements. Individuals and their line
managers should be responsible for the information that they create, as well as being responsible for their
retention and disposal in line with legislative requirements and organizational needs.

How to Develop Your Documentation

Step 1: Determine how QMS documentation can be integrated into existing documents
Before you dive into your documentation, learn how deep the water is. Find out what documentation already
exists, what its purpose is, and whether it works. The goal of this search is to locate materials you can use to
begin your QMS implementation and documentation. Many facilities use the same format for all of their
documents. An example of existing documentation might be a quality plan or tracking report.

Step 2: Tailor the documentation to your organization’s needs

You will probably have to compromise in producing documentation that meets your needs while also
meeting your budget. Here are some questions to help you determine what fits your needs:

1. How can we use or revise existing documents rather than creating new ones?
2. Does our business operate in a single location or many? This will affect who creates some of the
documents and where they are located. It may also affect how many versions of a document might
be necessary to cover different circumstances.
3. What is our current computer capability? Many companies use an electronic system to maintain
documents.
4. What security precautions do we need? While computer systems are handy, they often can be
accessed by a number of people. Electronic documentation can be edited or destroyed. Security, or
at least restrictions on who can change data, can be a critical issue for many companies that use
electronic documentation systems.

Step 3: Determine a standard format for all documents

Before developing your QMS documents, plan the format (document and page appearance) for the
documents. If a company standard exists, use it. If not, the need for QMS documentation provides an

Page 4 of 11
 Documented Information Guidance
ISO 9001:2015

opportunity to create a standard company format. Consider whether pages are single or double-sided and
why; choose margins, header, footer, typefaces, text, headings, etc. Include plans for bulleted and numbered
lists, tables, and even paragraph spacing. Once you have a consistent format for documents, anyone who
writes one will use the established format and fill in the necessary text. All documents will look like part of an
organized, integrated system. Most importantly, documents will be easier to read and understand!

Step 4: Determine what records are required

Records provide evidence that the processes that make up your QMS are being implemented as described.
Start by identifying what QMS records are required. Look at your other procedures and work instructions to
determine what evidence is needed to demonstrate implementation. Also consider records that are required
by various legal requirements. Focus on records that add value, and avoid bureaucracy.

If records have no value or are not specifically required, don’t collect them. The records you choose to keep
should be accurate and complete. In designing your records management process, be sure to consider:

1. Who needs access?

2. To what records?
3. In what circumstances?
If your organization uses computers extensively, consider using an electronic EMS records management
system. Maintaining records electronically can provide an excellent means for rapid retrieval of records as
well as controlling access to sensitive records. Think about which records might require additional security.

Do you need to restrict access to certain records? Should a back-up copy of critical records be maintained at
another location? Should a hard copy of some records be maintained in case an inspector arrives and your
computer system is down (this has actually happened to facilities).

Step 5: Prototype each new document

Prototyping means visualizing what you will need in the document and creating an outline for it before you
actually have information to fill in. This is like drafting a document, but in an outline fashion. As you consider
what is needed for the document, you also gain understanding about what you may need to support the
QMS. It’s a way of ‘outlining’ your QMS as well as designing documents.

The best people to prototype or provide early input to documents, are the people who will use the
document. Involving them in the process should help make sure the documents are usable and applied to
support the QMS. The following questions will help you plan your documents. Consider these questions for
each document you identify as necessary for your company:

1. What is the document’s purpose?

2. Who will use it and how will they use it?
3. How long should the document be?
4. What must be included in the document? Which information is most critical?
5. Is it process- focused? Process focus rather than regulation- or program- focus helps people who use
the documents to better understand how their jobs fit into the rest of the company functions.
6. How the information is best arranged?
7. Will the user read document sequentially or randomly?

Page 5 of 11
 Documented Information Guidance
ISO 9001:2015

Step 6: What to maintain as documented information

Documented information is required to be controlled and maintained by your organization. Your QMS
documentation should be updated as needed based on any system improvements you put in place but keep
your QMS documentation simple! Maintain the following data as ‘documented information’:

Maintain the following documentation Clause

The scope of the Quality Management System (QMS) 4.3

Information necessary to support the operation of processes 4.4

Quality policy 5.2

Quality objectives 6.2

Documented information required by ISO 9001:2015 7.5.1a

Step 7: What to retain as documented information

Where ISO 9001:2008 used the term ‘records’, ISO 9001:2015 defines records as ‘retained documented
information’. You may need to generate certain forms in order to implement your QMS. When these forms
are filled out, they become records. Forms should be simple and understandable for the users.

Master forms should be signed by the initiator and date indicated to evidence their authority. Forms should
be controlled via their unique number and revision status. Standard forms, e.g. pre-printed material should
be reference by the appropriate procedures and work instructions. Retain the following data as ‘documented
information’ (A record):

Retain the following documentation Clause

Documented information to the extent necessary to have confidence that the processes are being carried
4.4
out as planned

Evidence of fitness for purpose of monitoring and measuring resources 7.1.5.1

Evidence of the basis used for calibration of the monitoring and measurement resources (when no
7.1.5.2
international or national standards exist)

Evidence of competence of people doing work under the control of the organization that affects the
7.2
performance and effectiveness of the QMS

Evidence of communications to external parties and interested parties 7.4.1

Documented information required by the QMS 7.5.1b

Results of the review and new requirements for the products and services 8.2.3

Records to demonstrate compliance with design and development requirements 8.3.2

Records of design and development inputs 8.3.3

Records of the activities of design and development controls 8.3.4

Records of design and development outputs 8.3.5

Design and development changes, including the results of the review and the authorization of the changes
8.3.6
and necessary actions

Page 6 of 11
 Documented Information Guidance
ISO 9001:2015

Retain the following documentation Clause

Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and
8.4.1
any actions arising

Evidence of the unique identification of outputs when traceability is a requirement 8.5.2

Records of property of the customer or external provider that is lost, damaged or non-conforming and of its
8.5.3
communication to the owner

Results of the review of changes for production or service provision, the persons authorizing the change,
8.5.6
and necessary actions taken

Records of authorized release of products for delivery to the customer including acceptance criteria and
8.6
traceability to the authorizing person(s)

Records of non-conformities, actions taken, concessions and the identity of the authority deciding the
8.7
action in respect of the nonconformity

Evidence of the evaluation of the performance and the effectiveness of the QMS 9.1.1

Evidence of compliance evaluations 9.1.2

Evidence of the implementation of the internal audit programme 9.2.2

Evidence of internal audit results 9.2.2

Evidence of the results of management reviews 9.3.3

Evidence of the nature of the non-conformities 10.2.2

Evidence of any subsequent actions taken to correct non-conformities 10.2.2

Results of any corrective actions 10.2.2

The basics of records management are straightforward; decide what records you will keep, how you will keep
them and for how long. You should also think about how you will dispose of records once you no longer
need them. We suggest the following retention periods for your retained documented information:
Document Suggested Retention Period

Management review minutes 2 Years

Internal and external audit reports 5 Years
Process monitoring and inspection records 5 Years
Risk and opportunity assessments and registers 10 Years
Business plans 5 Years
Swot analysis records 5 Years

Pestle analysis records 5 Years

Corrective action reports 5 Years
Complaint records 2 Years
Inspection and test reports 5 Years
Non-conformance reports 5 Years
Design review records 5 Years

Training and competence records 10 Years

Page 7 of 11
 Documented Information Guidance
ISO 9001:2015

Document Suggested Retention Period

Calibration results and certificates 5 Years
Maintenance records 5 Years
Permits, licenses, and other approvals 10 Years
Reports of progress towards meeting objectives and targets 2 Years
Job descriptions, performance evaluations and training records 5 Years

QMS Documentation Worksheet

Self-Assessment Response

Do we have existing documentation of our QMS? If yes, how is this QMS

documentation maintained? E.g. electronically, or in paper form?

Who is responsible for maintaining QMS documentation within our

organization?
Do we have a QMS manual or other summary document that describes the
key elements of the QMS? If so, does this document describe the linkages
among system elements?
What does our QMS documentation consist of? (List components such as
environmental policy, QMS manual, activity-level procedures or work
instructions, emergency plans, etc.)
Is our QMS documentation integrated with other organizational
documentation (such as human resource plans or quality procedures)? If so,
how do we ensure proper coordination between environmental and these
other functions?

How will we keep our QMS documentation up-to-date?

Have we identified what records need to be maintained? Where is this

defined? What records are kept? Who keeps them? Where are they kept?
How are they kept?

Have we determined records retention times? Where is this defined? How

long are they kept? How are they disposed?

Have we established an effective storage and retrieval system? How are they
accessed?

Page 8 of 11
 Documented Information Guidance
ISO 9001:2015

Organizational Knowledge
What is Organizational Knowledge?
‘Organizational Knowledge’ is a new requirement and is closely linked with ‘documented information’. You
should seek and record evidence that your organization has taken steps to identify the internal and external
knowledge necessary to ensure the continued product conformity.

Check that organizational knowledge is communicated as necessary and that it is maintained and retained in
accordance with Clause 7.5 – Documented Information. Check that organizational knowledge is reviewed
before changes to the QMS are made when responding to change.

Sources of internal knowledge often include the organization’s intellectual property; knowledge gained from
experience; lessons learned from failures and successes; capturing and sharing undocumented knowledge
and experience; the results of improvements in processes, products and services. Sources of external
knowledge often include other ISO standards; research papers; conferences; or knowledge gathered from
customers or external parties.

You should seek to evidence to confirm how your organization has determined and made available the
knowledge needed to keep up to date with changing situations and knowledge related to new products and
services. You determine whether your organization has considered internal and external sources, such as:

1. Lesson learnt from non-conformities and corrective actions, near miss situations and successes;
2. Gathering knowledge from customers, suppliers and partners;
3. Capturing knowledge that exists within the organization, through mentoring or succession planning;
4. Benchmarking against competitors;
5. Sharing organizational knowledge with interested parties to ensure sustainability of the organization;
6. Updating the necessary organizational knowledge based on the results of improvement;
7. Knowledge from conferences, attending trade fairs, networking seminars, or other external events.

Sources of Organizational Knowledge

There is a strong link between organizational knowledge and the competence of employees, the latter being
peoples’ ability to apply knowledge to their work. Organizational knowledge can be defined as information
combined with experience, context, interpretation, and insights that are useful when making decisions and
taking action specific to your QMS. Examples of organizational knowledge include:
1. Documented information regarding a process, product or service;
2. Previous specifications and work instructions;
3. The experience of skilled people operating their processes;
4. Mentoring and coaching by more experienced employees;
5. Knowledge of technologies and infrastructure relevant to our organization, etc.
Sources of internal knowledge also include your business’s intellectual property; knowledge gained from
experience and coaching; lessons learnt from failures and successes; capturing and sharing undocumented
knowledge and experience; the results of improvements in processes, products and services.

Page 9 of 11
 Documented Information Guidance
ISO 9001:2015

Sources of external knowledge often include other ISO/International standards; research papers; webinars
from conferences; or knowledge gathered from, or about; our customers, stakeholders or other external
parties. Your organization should assimilate and deploy internal and external sources of knowledge, such as:

1. Lessons learnt from non-conformities, corrective actions, and the results of improvement;
2. Gathering knowledge from customers, suppliers and partners, benchmarking against competitors;
3. Capturing knowledge existing within the organization, e.g. through mentoring/succession planning;
4. Sharing knowledge with relevant interested parties to ensure sustainability of the organiz ation;
5. Knowledge from conferences, attending trade fairs, networking seminars, or other external events.
Organizational knowledge should be maintained and available to the extent necessary. When addressing
changing needs and trends, your organization should consider its current knowledge and determine how to
acquire or access any necessary additional knowledge and required updates. The knowledge necessary for
the operation of processes and to achieve products and service conformity are evident through the following
types of document:

1. Contract review requirements (Clause 8.2.3);

2. Demonstrate the operation of processes (maintain & retain documented information) (Clause 4.4.2);
3. Records of monitoring and measuring resources (Clause 7.1.5.1);
4. Competence records of personnel, training records, cross training, training feedback (Clause 7.2);
5. Operational planning and control process documents and records (Clause 8.1);
6. Supplier evaluation records (Clause 8.4.1);
7. Change control records (Clause 8.5.6);
8. Product non-conformity records (Clause 8.7.2);
9. Corrective action records (Clause 10.2.2);
10. Quality policy (Clause 5.5.2);
11. Quality Objectives (Clause 6.2.1);
12. Identification and traceability records (Clause 8.5.2);
13. Records of the release of products/services (Clause 8.6);
14. QMS performance and effectiveness (Clause 9.1.1);
15. Internal audit programmes and reports (Clause 9.2.2);
16. Management review minutes (Clause 9.3.3).

Auditing Organizational Knowledge

Ensure that your organization uses the PDCA (Plan/Do/Check/Act) approach to address organizational
knowledge. An auditor would look for the following evidence to meet the requirements of Clause 7.1.6
Organizational Knowledge:

Self-Assessment - Plan Response

Has top management provided the leadership and direction for establishing
strategies to use organizational knowledge and policies and objectives to
optimize the value derived from organizational knowledge?
Has the organization identified the scope of organizational knowledge
relevant to its business and related risks and opportunities associated with
each type of organizational knowledge?

Page 10 of 11
 Documented Information Guidance
ISO 9001:2015

Self-Assessment - Plan Response

Has the organization defined the process needed to manage organizational
knowledge - identify, obtain, accumulate, store, communicate, use, maintain,
protect and evaluate the performance of organizational knowledge
management against objectives?
Has the organization defined roles, authority and responsibilities for
organizational knowledge process activities listed above?
Has the organization determined competency requirements and provided
appropriate training and awareness for all employees using organizational
knowledge,
Has the organization established processes for communication, participation
and consultation?
Has the organization determined the nature and extent of documentation
required to manage organizational knowledge?
Has the organization identified any applicable regulatory and other
requirements?
Has the organization defined organizational knowledge change management
process?

Self-Assessment - Do Response
Has the organization implemented the organizational knowledge plan
defined above?
Has the organization performed organizational knowledge activities –
assign responsibilities, identify, obtain, accumulate, store, maintain, protect,
communicate, use and evaluate the performance of organizational
knowledge?

Self-Assessment - Check Response

Has the organization tracked organizational knowledge performance
measures?
Does the organization investigate loss, irretrievability or theft of
organizational knowledge?
Has the organization evaluated compliance to applicable regulatory
requirements?
Has the organization maintained appropriate records of organizational
knowledge management activities?

Self-Assessment - Act Response

Has the organization reviewed data from CHECK stage and determined
improvement actions?
Has the organization verified achievement of organizational knowledge
goals and objectives?

Page 11 of 11