Management Systems - What Needs to Be Documented?

This is always a hot topic in the classroom training environment.  Some students really struggle with understanding why the Standards do not ‘require’ some clauses or processes to be documented. 

 To help all of us to understand the requirements for documented information we need to understand a few core terms and definitions first.

ISO 9000:2015 Fundamentals and Vocabulary states the following:

Process – set of interrelated or interacting activities that use inputs to deliver an intended result

Procedure – specified way to carry out an activity or a process
Note:  Procedures can be documented or not (this is very important to remember)

Record – document stating results achieved or providing evidence of activities performed

Document – information and the medium on which it is contained
Note: The medium can be paper, magnetic, electronic or optical computer disc, photograph or master sample, or combination thereof.  A set of documents, for example specifications and records, is frequently called ‘documentation’.

Documented information – information required to be controlled and maintained by an organization and the medium on which it is contained
Note: Documented information can be in any format and media and from any source and can refer to:

• The management system including related processes

• Information created in order for the organization to operate (documentation)

• Evidence of results achieved (records)

Wow!  I know that’s a lot to take in, however the main take-away message here is that we are only required to ‘document’ a procedure or requirements when the Standards state so.  And if the Standard states that a procedure shall be determined or maintained this does NOT mean documented.  The key words we are looking for are ‘the organization shall retain documented information’ or ‘the organization shall maintain documented information’.

What’s the difference between retain and maintain documented information?

In the High Level Structure implemented in ISO 9001, 14001 and 45001 ‘documented information’ is used for all documented requirements which could be any documentation, documented procedures or records.

The break-down of this is:

• ‘Retain documented information’ – is where records are needed to provide evidence of conformity with requirements.  The organization is responsible for determining what documented information needs to be retained, the period of time for which it is to be retained and the media to be used for its retention.
• ‘Maintain documented information’ – is where we would normally document the procedure on how to carry out the process, activity or task.  So this documented information is more the ‘how’ to do something rather than the evidence or records.  This would be the Policy, objectives, documented procedures etc.

So what do I document then?

The High Level Structure clause 7.5.1 General (documented information) states that:

The organization’s management system shall include:

• Documented information required by the International Standard
• Documented information determined by the organization as being necessary for the effectiveness of the management system

So, as you can see in

a), yes there are mandatory requirements stated by the Standards for documented information – that’s straight forward.  Document what we are required to. Then ;
in b), it is up to the individual organization to determine what else is to be documented and this is a risk based approach – if the organization determines that documented information is required to ensure the effectiveness, control and consistent output then it may be documented.

So, this means that every Organization’s level of documented information may be quite different.  The extent of documented information for a management system can differ from one organization to another due to:

• The size of the organization (this could be the number of employees as well as the physical size).  Normally the higher the number of employees the more documentation may be required to control and maintain a consistent output.
• The type of activities, processes, products and services (complexity, risk, many different types or a single non-complex type).  The more complex or many different types may require more documentation to ensure a consistent output.
• The competence of persons (If we are employing qualified trades people we may not need to document how every single task they conduct is to be carried out as they are competent in their trade and come with these skills)

Don't forget to take a look at the next article in this series - Management System's, What needs to be documented? Part 2