Page 1

Procedure for the Control of Documented Information

ISO9001 Toolkit Version 2 ŠCertiKit


Procedure for the Control of Documented Information

Implementation Guidance (The header page and this section must be removed from final version of the document)

Purpose of this document This document describes the controls in place for naming and versioning of documents and associated attributes.

Areas of the standard addressed The following areas of the ISO9001 standard are addressed by this document: 7.5 Documented information 7.5.1 General 7.5.2 Creating and updating 7.5.3 Control of documented information

General Guidance You may decide to change the version control scheme suggested in this document if it differs from that already in use within your organization. If you currently have a quality management system in other areas of your business such as ISO27001 then it may be preferable to make use of existing procedures for document control. Note that the printing and physical signing of approved documents is not a necessity; auditors will generally accept other methods of showing that a document has been officially approved such as digital signing and the use of an “Approved� folder structure. You may find that many of the decisions about naming conventions for systemgenerated records etc. have already been made by the developers of the software in use e.g. for security monitoring. However, you will still need to consider how to manage relevant records that are often fairly uncontrolled such as meeting minutes and reports. You will need to establish the differing types of documented information you have and their owners before agreeing a consistent method of control. Ideally you will document any resulting procedures as part of the QMS.

Review Frequency We would recommend that this document is reviewed annually.

Version 1

Page 2 of 16

[Insert date]


Procedure for the Control of Documented Information

Toolkit Version Number ISO9001 Toolkit Version 2 ©CertiKit.

Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Replace the text [Organization Name] with the name of your organization and click the Modify button to update it 3. Press Ctrl a on the keyboard (if using a Mac, this is Command a) to select all text in the document (or use Select, Select All on the ribbon) 4. Press F9 on the keyboard to update all fields. If using a Mac, right-click (if enabled) or Control-click, and select Update Field 4. 5. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Implementation Resources folder.

Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit Limited is a company registered in England and Wales with company number 6432088.

Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are

Version 1

Page 3 of 16

[Insert date]


Procedure for the Control of Documented Information

reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Version 1

Page 4 of 16

[Insert date]


Procedure for the Control of Documented Information

[Replace with your logo]

Procedure for the Control of Documented Information

Document Ref. Version: Dated: Document Author: Document Owner:

Version 1

Page 5 of 16

QMS-DOC-07-1 1 [Insert date]

[Insert date]


Procedure for the Control of Documented Information

Revision History Version Date

Revision Author

Summary of Changes

Distribution Name

Title

Approval Name

Version 1

Position

Signature

Page 6 of 16

Date

[Insert date]


Procedure for the Control of Documented Information

Contents 1

INTRODUCTION ....................................................................................................................................... 8

2

DOCUMENT CONTROL PROCEDURE ................................................................................................ 9 2.1 OVERVIEW ................................................................................................................................................ 9 2.2 CREATION OF DOCUMENTS ..................................................................................................................... 10 2.2.1 Naming Convention ...................................................................................................................... 10 2.2.2 Version Control ............................................................................................................................ 11 2.2.3 Document Status ........................................................................................................................... 11 2.2.4 Documents of External Origin ...................................................................................................... 11 2.3 DOCUMENT REVIEW ............................................................................................................................... 12 2.4 DOCUMENT APPROVAL ........................................................................................................................... 12 2.5 COMMUNICATION AND DISTRIBUTION .................................................................................................... 13 2.6 REVIEW AND MAINTENANCE OF DOCUMENTS ........................................................................................ 13 2.7 ARCHIVAL OF DOCUMENTS ..................................................................................................................... 13 2.8 DISPOSAL OF DOCUMENTS ...................................................................................................................... 14

3

RECORDS LIFECYCLE ......................................................................................................................... 15 3.1 3.2 3.3 3.4 3.5 3.6

IDENTIFICATION ...................................................................................................................................... 15 STORAGE................................................................................................................................................. 15 PROTECTION ........................................................................................................................................... 16 RETRIEVAL.............................................................................................................................................. 16 RETENTION ............................................................................................................................................. 16 DISPOSAL ................................................................................................................................................ 16

List of Figures FIGURE 1 – DOCUMENT CONTROL PROCEDURE ......................................................................................................... 9 FIGURE 2 - REVISION HISTORY ................................................................................................................................ 11 FIGURE 3 - DOCUMENT APPROVAL .......................................................................................................................... 13 FIGURE 4 - DISTRIBUTION LIST................................................................................................................................ 13

List of Tables TABLE 1 - DOCUMENT SUBJECT AREA REFERENCES .................................................................................................. 10 TABLE 2 - DOCUMENT REVIEW GUIDELINES ............................................................................................................. 12 TABLE 3 - DOCUMENT APPROVAL BOARDS ............................................................................................................... 12

Version 1

Page 7 of 16

[Insert date]


Procedure for the Control of Documented Information

1 Introduction “Documented information” is defined by ISO as “information required to be controlled and maintained by an organization and the medium on which it is contained”. This term covers what used to be referred to as “documents and records” and for reasons of clarity this procedure still draws a distinction between these two types of documented information. The use of documented information is an essential part of the Quality Management System (QMS) in order to set out management intention, provide clear guidance about how things should be done and provide evidence of activities that have been performed. The ISO9001 standard requires that all documented information that makes up the QMS must be controlled to ensure that it is available and suitable for use, where and when needed, and is adequately protected. Such control is essential in order to ensure that the correct processes and procedures are in use at all times within the organization and that they remain appropriate for the purpose for which they were created. The general principles set out in the standard and adopted within this procedure are that all documented information must be: ➢ ➢ ➢ ➢

Readily identifiable and available Dated, and authorised by a designated person Legible Maintained under version control and available to all people and locations where relevant activities are performed ➢ Promptly withdrawn when obsolete and retained where required for legal or knowledge preservation purposes This procedure sets out how this level of control will be achieved within [Organization Name].

Version 1

Page 8 of 16

[Insert date]


Procedure for the Control of Documented Information

2 Document Control Procedure This procedure applies to “documents” (as opposed to “records” which are covered later) which are generally created via a word processor (or similar office application) and describe management intention such as policies, plans and procedures. 2.1

Overview

The overall process of control for documents is shown in the diagram below.

Document Creation

Document Review

Documents of External Origin

Document Approval

Communication And Distribution

Review and Maintainance

Archival

Disposal

Figure 1 – Document control procedure

Version 1

Page 9 of 16

[Insert date]


Procedure for the Control of Documented Information

Each of these steps is described in more detail in the remaining sections of this procedure. 2.2

Creation of Documents

The creation of documents will be at the request of the [Organization Name] management team and may be done by any competent individual appropriate to the subject and level of the document. However there are a number of rules that must be followed when creating a document to be used in the QMS. 2.2.1

Naming Convention

The convention for the naming of documents within the QMS is to use the following format: QMS-DOC-xx-yy Document Title Vn Status dd where: QMS DOC xx yy Document Title Vn Status dd

= Quality Management System = Document = Subject area reference (see Table 1) = Unique document number = Meaningful description of document = Version n = Status of document (Draft or Final) = Number of draft, if appropriate

A unique number will be allocated for each document and an index of document references maintained within the QMS Quality System - see QMS Documentation Log for more details. Subject areas references are designed to map onto the sections of the ISO9001 standard as follows (further subject areas may be created as required): Subject Area Reference 00 01 02 03 04 05 06 07 08 09 10

ISO9001 Subject Area Introduction and project resources 1. Scope 2. Normative references 3. Terms and definitions 4. Context of the organization 5. Leadership 6. Planning 7. Support 8. Operation 9. Performance evaluation 10. Improvement

Table 1 - Document subject area references

Version 1

Page 10 of 16

[Insert date]


Procedure for the Control of Documented Information

2.2.2

Version Control

Document version numbers will consist of a major number only e.g. V2 is Version 2. When a document is created for the first time it will have a version number of 1 and be in a status of Draft. Each time a draft is distributed, any further changes will result in the draft number being incremented by 1 e.g. from 1 to 2. For example, when a document is first created it will be Version 1 Draft 1. A second draft will be V1 Draft 2 etc. When the document is approved it will become V1 Final. The version number will be incremented when a subsequent version is created in draft status. For example, a revision of an approved document which is at V1 Final will be V2 Draft 1 then V2 Draft 2 etc. until approved when it will become V2 Final. Documents must include a revision history as follows: Revision History Version Date

Revision Author

Summary of Changes

Figure 2 - Revision history

Once the document reaches its final version, only approved versions should be recorded in this table. 2.2.3

Document Status

The status reflects the stage that the document is at, as follows: Draft = Under development and discussion i.e. it has not been approved Final = Following approval and release into live work environment 2.2.4

Documents of External Origin

Documents that originate outside of the organization but form part of the QMS will be allocated a reference and a header page attached at the front of the document, setting out information that is normally included in internal documents i.e.: • • •

Document reference Version Date

Version 1

Page 11 of 16

[Insert date]


Procedure for the Control of Documented Information

• •

Status Distribution

Such documents will then be subject to the same controls as those that originate internally. 2.3

Document Review

Draft documents will be reviewed by a level and number of staff appropriate to the document content and subject. Guidelines are as follows: Document Type Strategy Policy Procedure Plan

Reviewers

Table 2 - Document review guidelines

Once approved, the date of next scheduled review should be recorded in the QMS Documentation Log. 2.4

Document Approval

All documents must go through an approval board to ensure that they are correct, fit for purpose and produced within local document control guidelines. The board will differ dependent upon the type of document and may go to numerous groups prior to being approved. In standard terms, approval boards are: Document Type Strategy Policy Procedure Plan

Approvers

Table 3 - Document approval boards

Each document that requires approval should have a table for the purpose as shown below:

Version 1

Page 12 of 16

[Insert date]


Procedure for the Control of Documented Information

Approval Name

Position

Signature

Date

Figure 3 - Document approval

Once approved a copy of the document must be printed and signed by the approver. [Note – you may choose to do this electronically rather than by printing a copy]. This copy will then be retained in a central file Upon approval of a new version of a document, all holders of previous versions will be instructed to obtain a new version and destroy the old one. 2.5

Communication and Distribution

A distribution list will be included as follows: Distribution Name

Title

Figure 4 - Distribution list

This list must be accurate as it will be used as the basis for informing users of the document that a new version is now available. 2.6

Review and Maintenance of Documents

All final documents must be stored electronically and in paper format both locally and off-site to ensure that they are accessible in any given situation. QMS documents are stored electronically on the shared drive under the relevant sub-folder (e.g. Management responsibility, Management review etc.). The drive is a shared drive to which all appropriate members of [Organization Name] have access, in line with the published access control policy. Final documents are stored in paper format in a filing structure that mimics the electronic version. [State the location of the paper files]. 2.7

Archival of Documents

Approved documents exceeding their useful life are stored in a Superseded Folder on the shared drive in order to form an audit trail of document development and

Version 1

Page 13 of 16

[Insert date]


Procedure for the Control of Documented Information

usage. They should be marked as being superseded in order to prevent them being used as a latest version by mistake. 2.8

Disposal of Documents

Paper copies of approved documents that have been superseded are to be disposed of in secure bins or shredded, in line with agreed information classification guidelines and asset handling procedures.

Version 1

Page 14 of 16

[Insert date]


Procedure for the Control of Documented Information

3 Records Lifecycle This section describes the control of the type of documented information that generally shows what has been done i.e. is a “record” of activity, such as a completed form, log or meeting minutes. 3.1

Identification

There is a variety of types of record that may form part of the QMS and these will be associated with the specific processes that are involved, such as: • • • •

Completed business forms Audit reports Risk and opportunity assessments Training records

In addition there will be more general items such as meeting minutes which could apply across processes. In terms of identification, in many cases this will be dictated by the tool creating the record. For those records that are manually created the following rules will apply: 1. Meeting minutes will be named according to the subject of the meeting and the date 2. Reports will be named according to the subject of the report and the reporting period 3. Logs will be named with the title of the log and the date/time period covered For any other types of record not covered, the creator should use common sense to ensure that the name chosen gives a good indication as to the contents of the file and it should be stored in a location relevant to its purpose. 3.2

Storage

Many records within the QMS will be stored in application databases specifically created for the purpose. For non-database records, a logical filing structure will be created according to the area of the QMS involved. [Describe the filing structure on your server in which you will store your QMS records] Where possible, all records will be held electronically; paper documents should be scanned in if an original electronic copy is not available.

Version 1

Page 15 of 16

[Insert date]


Procedure for the Control of Documented Information

3.3

Protection

Records held in application databases will be subject to regular backups in line with the agreed backup policy. File storage areas will also be backed up regularly, with all latest backups held at an offsite location. Access to the records will be restricted to authorised individuals in accordance with the [Organization Name] access control policy. 3.4

Retrieval

Records will generally be retrieved via the application that created them e.g. the service desk system for security incidents and an event viewer for logs. Reporting tools will also be used to process and consolidate data into meaningful information. 3.5

Retention

The period of retention of records within the QMS will depend upon their usefulness to [Organization Name] and any legal, regulatory or contractual constraints. Business -related records will generally be kept for a period of at least 7 years. Particular care will be taken where records may have some commercial relevance in the event of a dispute e.g. contracts and minutes of meetings with suppliers and these should be kept for the same length of time. Records that are particularly detailed and only relevant for a short period of time such as event logs should only be kept as long as there is an immediate requirement for them. 3.6

Disposal

Many systems provide for the concept of archiving and in most cases this should be used rather than deletion. However once it has been decided to dispose of a set of records they should be deleted using the appropriate software. If such records are held on hardware that is also to be disposed of then all hard disks must be shredded by an approved contractor. Paper copies of records that are to be disposed of should be shredded in line with agreed information classification guidelines and asset handling procedures.

Version 1

Page 16 of 16

[Insert date]

Profile for CertiKit Limited

QMS-DOC-07-1 Procedure for the Control of Documented Information  

QMS-DOC-07-1 Procedure for the Control of Documented Information  

Profile for public-it