Procedure for the Control of Documented Information
ISO9001 Toolkit: Version 3 ©CertiKit
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document describes the controls in place for naming and versioning of documents and associated attributes.
Areas of the standard addressed
The following areas of the ISO9001 standard are addressed by this document:
• 7. Support
  o 7.5 Documented information
    ▪ 7.5.1 General
    ▪ 7.5.2 Creating and updating
    ▪ 7.5.3 Control of documented information
• 8. Operation
  o 8.1 Operational planning and control
General guidance
You may decide to change the version control scheme suggested in this document if it differs from that already in use within your organization. If you currently have a quality management system in other areas of your business such as ISO27001 then it may be preferable to make use of existing procedures for document control. Note that the printing and physical signing of approved documents is not a necessity; auditors will generally accept other methods of showing that a document has been officially approved such as digital signing and the use of an “Approved” folder structure. You may find that many of the decisions about naming conventions for system-generated records etc. have already been made by the developers of the software in use e.g. for security monitoring. However, you will still need to consider how to manage relevant records that are often fairly uncontrolled, such as meeting minutes and reports.
Version 1
Page 2 of 18
[Insert date]
You will need to establish the differing types of documented information you have and their owners before agreeing a consistent method of control. Ideally you will document any resulting procedures as part of the QMS.
Review frequency
We would recommend that this document is reviewed annually.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Procedure for the Control of Documented Information
DOCUMENT REF: QMS-DOC-07-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES
Distribution
NAME | TITLE
Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction
2 Document control procedure
  2.1 Overview
  2.2 Document control procedure
  2.3 Creation of documents
    2.3.1 Naming convention
    2.3.2 Version control
    2.3.3 Document status
    2.3.4 Documents of external origin
  2.4 Document review
  2.5 Document approval
  2.6 Communication and distribution
  2.7 Review and maintenance of documents
  2.8 Archival of documents
  2.9 Disposal of documents
3 Records lifecycle
  3.1 Identification
  3.2 Storage
  3.3 Protection
  3.4 Retrieval
  3.5 Retention
  3.6 Disposal
Figures
Figure 1: Document control procedure
Tables
Table 1: Document subject area references
Table 2: Revision history
Table 3: Revision history
Table 4: Document approval boards
Table 5: Document approval
Table 6: Distribution list
1 Introduction
“Documented information” is defined by ISO as “information required to be controlled and maintained by an organization and the medium on which it is contained”. This term covers what used to be referred to as “documents and records” and for reasons of clarity this procedure still draws a distinction between these two types of documented information.
The use of documented information is an essential part of the Quality Management System (QMS) in order to set out management intention, provide clear guidance about how things should be done and provide evidence of activities that have been performed.
The ISO9001 standard requires that all documented information that makes up the QMS must be controlled to ensure that it is available and suitable for use, where and when needed, and is adequately protected. Such control is essential in order to ensure that the correct processes and procedures are always in use within the organization and that they remain appropriate for the purpose for which they were created.
The general principles set out in the standard and adopted within this procedure are that all documented information must be:
• Readily identifiable and available
• Dated, and authorised by a designated person
• Legible
• Maintained under version control and available to all people and locations where relevant activities are performed
• Promptly withdrawn when obsolete and retained where required for legal or knowledge preservation purposes
This procedure sets out how this level of control will be achieved within [Organization Name].
2 Document control procedure
This procedure applies to “documents” (as opposed to “records” which are covered later) which are generally created via a word processor (or similar office application) and describe management intention such as policies, plans and procedures.
2.1 Overview
The overall process of control for documents is shown in the following diagram:
2.2 Document control procedure
Figure 1: Document control procedure
Each of these steps is described in more detail in the remaining sections of this procedure.
2.3 Creation of documents
The creation of documents will be at the request of the [Organization Name] management team and may be done by any competent individual appropriate to the subject and level of the document. However, there are several rules that must be followed when creating a document to be used in the QMS.
2.3.1 Naming convention
The convention for the naming of documents within the QMS is to use the following format:
QMS-DOC-xx-yy Document Title Vn Status dd
Where:
• QMS: Quality Management System
• DOC: Document
• xx: Subject area reference (see Table 1)
• yy: Unique document number
• Document Title: Meaningful description of document
• Vn: Version number
• Status: Status of document (Draft or Final)
• dd: Number of draft, if appropriate
A unique number will be allocated for each document and an index of document references maintained within the QMS Quality System - see QMS Documentation Log for more details. Subject area references are designed to map onto the sections of the ISO9001 standard as follows (further subject areas may be created as required):
REF | ISO9001 SUBJECT AREA
00 | Introduction and project resources
01 | 1. Scope
02 | 2. Normative references
03 | 3. Terms and definitions
04 | 4. Context of the organization
05 | 5. Leadership
06 | 6. Planning
07 | 7. Support
08 | 8. Operation
09 | 9. Performance evaluation
10 | 10. Improvement
Table 1: Document subject area references
2.3.2 Version control
Document version numbers will consist of a major number only e.g. V2 is Version 2. When a document is created for the first time it will have a version number of 1 and be in a status of Draft. Each time a draft is distributed, any further changes will result in the draft number being incremented by 1 e.g. from 1 to 2.
For example, when a document is first created it will be Version 1 Draft 1. A second draft will be V1 Draft 2 etc. When the document is approved it will become V1 Final.
The version number will be incremented when a subsequent version is created in draft status. For example, a revision of an approved document which is at V1 Final will be V2 Draft 1 then V2 Draft 2 etc. until approved when it will become V2 Final.
Documents must include a revision history as follows:
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES
Table 2: Revision history
Once the document reaches its final version, only approved versions should be recorded in this table.
2.3.3 Document status
The status reflects the stage that the document is at, as follows:
• Draft: Under development and discussion i.e. it has not been approved
• Final: Following approval and release into live work environment
2.3.4 Documents of external origin
Documents that originate outside of the organization but form part of the QMS will be allocated a reference and a header page attached at the front of the document, setting out information that is normally included in internal documents i.e.:
• Document reference
• Version
• Date
• Status
• Distribution
Such documents will then be subject to the same controls as those that originate internally.
2.4 Document review
Draft documents will be reviewed by a level and number of staff appropriate to the document content and subject. Guidelines are as follows:
DOCUMENT TYPE | REVIEWERS
Strategy |
Policy |
Procedure |
Plan |
Table 3: Revision history
Once approved, the date of next scheduled review should be recorded in the QMS Documentation Log.
2.5 Document approval
All documents must go through an approval board to ensure that they are correct, fit for purpose and produced within local document control guidelines. The board will differ dependent upon the type of document and may go to numerous groups prior to being approved. In standard terms, approval boards are:
DOCUMENT TYPE | APPROVERS
Strategy |
Policy |
Procedure |
Plan |
Table 4: Document approval boards
Each document that requires approval should have a table for the purpose as shown below:
NAME | POSITION | SIGNATURE | DATE
Table 5: Document approval
Once approved, a copy of the document must be printed and signed by the approver. [Note – you may choose to do this electronically rather than by printing a copy]. This copy will then be retained in a central file. Upon approval of a new version of a document, all holders of previous versions will be instructed to obtain a new version and destroy the old one.
2.6 Communication and distribution
A distribution list will be included as follows:
NAME | TITLE
Table 6: Distribution list
This list must be accurate as it will be used as the basis for informing users of the document that a new version is now available.
2.7 Review and maintenance of documents
All final documents must be stored electronically and in paper format both locally and offsite to ensure that they are accessible in any given situation. QMS documents are stored electronically on the shared drive under the relevant sub-folder (e.g. Management responsibility, Management review etc.). The drive is a shared drive to which all appropriate members of [Organization Name] have access, in line with the published access control policy. Final documents are stored in paper format in a filing structure that mimics the electronic version. [State the location of the paper files].
2.8 Archival of documents
Approved documents exceeding their useful life are stored in a Superseded Folder on the shared drive in order to form an audit trail of document development and usage. They should be marked as being superseded in order to prevent them being used as a latest version by mistake.
2.9 Disposal of documents
Paper copies of approved documents that have been superseded are to be disposed of in secure bins or shredded, in line with agreed information classification guidelines and asset handling procedures.
3 Records lifecycle
This section describes the control of the type of documented information that generally shows what has been done i.e. is a “record” of activity, such as a completed form, log or meeting minutes.
3.1 Identification
There is a variety of types of record that may form part of the QMS, and these will be associated with the specific processes that are involved, such as:
• Completed business forms
• Audit reports
• Risk and opportunity assessments
• Training records
In addition, there will be more general items such as meeting minutes which could apply across processes. In terms of identification, in many cases this will be dictated by the tool creating the record. For those records that are manually created the following rules will apply:
1. Meeting minutes will be named according to the subject of the meeting and the date
2. Reports will be named according to the subject of the report and the reporting period
3. Logs will be named with the title of the log and the date/time period covered
For any other types of record not covered, the creator should use common sense to ensure that the name chosen gives a good indication as to the contents of the file and it should be stored in a location relevant to its purpose.
3.2 Storage
Many records within the QMS will be stored in application databases specifically created for the purpose. For non-database records, a logical filing structure will be created according to the area of the QMS involved.
[Describe the filing structure on your server in which you will store your QMS records]
Where possible, all records will be held electronically; paper documents should be scanned in if an original electronic copy is not available.
3.3 Protection
Records held in application databases will be subject to regular backups in line with the agreed backup policy. File storage areas will also be backed up regularly, with all latest backups held at an offsite location. Access to the records will be restricted to authorised individuals in accordance with the [Organization Name] access control policy.
3.4 Retrieval
Records will generally be retrieved via the application that created them e.g. the service desk system for security incidents and an event viewer for logs. Reporting tools will also be used to process and consolidate data into meaningful information.
3.5 Retention
The period of retention of records within the QMS will depend upon their usefulness to [Organization Name] and any legal, regulatory or contractual constraints. Business-related records will generally be kept for a period of at least seven years. Particular care will be taken where records may have some commercial relevance in the event of a dispute e.g. contracts and minutes of meetings with suppliers and these should be kept for the same length of time. Records that are particularly detailed and only relevant for a short period of time such as event logs should only be kept as long as there is an immediate requirement for them.
3.6 Disposal
Many systems provide for the concept of archiving and, in most cases, this should be used rather than deletion. However, once it has been decided to dispose of a set of records, they should be deleted using the appropriate software. If such records are held on hardware that is also to be disposed of then all hard disks must be shredded by an approved contractor. Paper copies of records that are to be disposed of should be shredded in line with agreed information classification guidelines and asset handling procedures.