Explaining ISO 9001 Clause 7.5.3 Control of Documented Information

In this article, I'm going to walk you through Clause 7.5.3 Control of documented information. I'm going to break it down and give you some examples along the way so that you can take it away and apply it within your own organization. 
You’ll then be able to apply this to your own organization's system and understand what the requirements will look like for you.  No more guessing!  

It's broken down into these two sub-clauses. 7.5.3.1 and 7.5.3.2.

Alright, so 7.5.3.1 is telling us that:

Documented information required by the quality management system and by this International standard (that means by ISO 9001:2015) shall be controlled to ensure:

       a) it is available and suitable for use where and when it is needed.

Okay, let's think about that. It is available and suitable for use where and when it is needed. If we need to access documented information within our organization, we need to ensure it's available to the right people. It's suitable for their use. To help determine if it's suitable ask yourself the following questions:

• Do they need it in electronic form?
• Do they need it to be accessed from a tablet?
• Does it need to be in a hard copy?
• Does it need to be more visual like a video? 

And then what does 'where and when it is needed' mean? This is all about the suitability or determining suitability or the type of documented information that your organization is going to create to ensure it does the best job it possibly can for the people that need it. They need it to be available so they can access it. How though? As I mentioned before, hard copies, electronic, and video images even, and then is it available where and when it's needed.
That might apply to different types of information across your business.

Here at Auditor Training Online, we have documented information in a number of different ways:

• Dropbox
• One Note.
• Video via Vimeo records
• Asana, a project management platform

We have created all these different types of documented information on different platforms that are available to people. So, we've chosen, which ones are just in Dropbox. Which ones are in OneNote, which ones are Vimeo records, and which ones are in Asana. Therefore, people can access what they need to access, where and when it's needed. Right. I hope that breaks that down a bit more for you.

Then the next section says…

        b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

Okay, so if you are creating this documented information, you need to make sure it's protected. If you are saving your documented information electronically you might think about different levels of access from different people can, Is it read-only to some of the team or can other members of the team edit the document? If it's a hard copy particularly if you are archiving it or storing it. Is it looked after? Is it protected or is it in the elements?

I remember years ago on an audit I was in an outdoor shed and there were boxes and boxes of archive boxes there, and I opened them all and they were what looked like training records, but because they had been stored in this shed which wasn't waterproof a number of the records had been damaged. These training records were integral to the business, to be retained for evidence of assessments and so on. But they hadn't been adequately protected.

Make sure only the right people and the people that you want to access the documentation are getting access and storing it adequately. 

Moving on to Clause 7.5.3.2…

For the control of documented information, the organization shall address the following activities as applicable:

Remember that this says 'as applicable', therefore this might not be applicable to you. So …

1. a) distribution, access, retrieval, and use.
2. To control our documented information, we need to ensure that we address distribution.
   How are we distributing the documentation?
3. Is it controlled or are we putting it out there so that anyone can access it? So that's not protecting it.
4. What is your distribution process? This might depend on what the documented information is as well.
5. Who is to get access to it? That will determine who you distribute it to.
6. Does the whole organization need to access it? Is it internal? Is it external?
7. Considering all those possibilities, you need to ensure that you maintain control of it. I touch on this in the earlier parts of this article. You might put different permissions in place. Different people might be able to view documentation. Others might be able to view and edit. Again, it depends on the type of documentation.
8.  
9. Retrieval and use are always interesting for me when conducting audits. I'm always asking, can I see it? So, it's always interesting to see how easily people can retrieve or find documentation.
10. Possibly your naming conventions where you save things, and save your documented information needs to be clear and understood to ensure that these things can be found. Ensure a simple retrieval process is implemented so people can find what they need with ease.

Then there is …

1. b) storage and preservation, including preservation of legibility.

This is actually very similar to what I talked about up here with protection. And I use that example of what looked like training records that hadn't been stored adequately or preserved, they'd been quite damaged by the weather and rain. That covers legibility as well. If they need to refer to these training records, then they actually weren't legible, They weren't able to provide this evidence in a legible format because they hadn't saved copies of them electronically either. The same goes for electronic copies. Storage and preservation ensure that the documentation that you're saving electronically can't easily be deleted. 

Then there is …

1. c) control of changes (e.g. version control).

This point is very, very important. I get scared when I'm looking at the documentation and I see that it's version 1 dated December 2012, and I'm thinking, "Oh, that's like 10 years old. Is what I'm reading current? Have they reviewed this? Am I doing the right thing?" Version control is very, very important when you are reviewing, updating, and controlling your documentation.

A common one is your quality policy, which doesn't change that often. They could become outdated easily. I've seen some quality policies that are five or six years old, and even though they've been reviewed, there were no changes made. So, the company didn't update the version number or the date of the version. I always recommend in those instances, if you are reviewing documentation and there isn't a change, still update the reviewed date so you are demonstrating that you have reviewed it and there were no changes.

Then we have …

1. d) retention and disposition.

Okay, so just recapping, we're talking about the control of documented information, and we need to address the activity of retention and disposition. So how long are we retaining this documentation? Now remember when we talk about documented information, it's not just about your procedures. So, maintaining documented information as procedures. It's also records and evidence. It's important to have some sort of retention schedule, particularly with your records and evidence, like how long do you need to keep training records for, for instance.

And then disposition, so disposition isn't just disposal, it can include archiving. At what point is it okay to dispose of or shred or do we archive this? You need some sort of timeframes in place based on different types of documented information as to how long you retain them, and then what the disposition process is. Is it archive and disposal or straight to disposal?

What I do normally for this type of thing is a table people have within their systems. They have all their different types of documented information, and they might have column headings for how long they're retained, and then when they are disposed of and how (shredded). 

Then it says …

Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate and be controlled.

Okay, this is a key area here. It's saying, you have to look after and control your documented information for your internal information. If you are receiving documented information externally, which could be copies of ISO standards, legislative documents, drawings, specifications or tenders from customers, customer orders, or anything that comes from an external origin. These control elements need to be considered as well. It is not just for your internal documentation, so as you're working through this, consider your documents of external origin as well. 

Then it goes on to say…

Documented information retained as evidence of conformity shall be protected from unintended alterations.

Documented information is retained as evidence of conformity. If you are retaining records of evidence you don't want them to be tampered with. This goes back to access, storage, preservation, retention and disposition. How you are managing this will influence how or if people can make changes to this evidence. 

And then finally, the note at the end says …

NOTE   Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

Now that I’ve explained all of these requirements, can you see more clearly how you could action and demonstrate these requirements in your ISO 9001 management system?