ISO 9001 Quality Management System: What Mandatory Documents and Records Are Required?

When auditors review clients’ management systems, they often discover businesses have more procedures than they require. During an audit, the auditor will review: 1. What is required by the standard itself 2. That you are implementing your procedures. E.g. If you have a procedure that says you do things a certain way, the auditor will check that this is the case. If you don’t implement your procedures, then a nonconformance would be raised. Having experience as an ISO Auditor, our Managing Director Charlene has seen many businesses incorporate generic procedures into their business which have added no real value. Charlene tells us, “Often in this case the business isn’t aware of what is in the procedure and they have merely added them ‘to keep the auditor happy’. Which is unnecessary and makes the auditing process worse for all parties.” So What’s New? Having mandatory procedures is the old version of ISO 9001 and thankfully it has since been updated to the 2015 version. The latest version makes it so much easier to integrate a management a system into your business. At Armour, we take a lean approach to documentation. If it doesn’t add value, either get rid of it or modify it so it can add value to the overall business. The core of many ISO standards adopts a ‘Risk and Process’ based approach. A Risk and Process based approach means identifying the highest compliance risks to your organisation and making them a priority for the organisation’s compliance controls, policies and procedures. To identify your Risk and Process approach, ask yourself these two questions: What are our business core processes? Examples of these may include, sales and enquiries, service or production processes, design (if applicable), purchasing, accounts, human resources etc. Second question and perhaps the most important one: What is the risk of something going wrong? For example, a client not getting the proper service or not complying with legislation. The higher the risk, the more robust the controls need to be. An example of a control could be the implementation of a procedure to prevent deviation. More on this in our upcoming blogs. For now, you can find a list of mandatory documents, also referred to as ‘Documented Information’ required by ISO 9001 : 2015 below. In truth, they are mandatory because they add a lot of value and fit every single business. Mandatory Documents Required for ISO 9001 : 2015 • Scope of the QMS • Quality Policy • Objectives for use) • Criteria for evaluation and selection of suppliers (How suppliers are identified and approved Mandatory Records Required for ISO 9001 : 2015 • Monitoring and measuring equipment calibration records • Records of training, skills, experience, and qualifications (competence records) • Product/service requirements review records • Record about design and development outputs • Records about design and development inputs • Records of design and development controls • Records of design and development outputs • Design and development changes records • Characteristics of product to be produced and service to be provided • Records about customer property • Production/service provision change control records • Record of conformity of product/service with acceptance criteria • Record of nonconforming outputs • Monitoring and measurement results • Internal audit program • Results of internal audits • Results of the management review • Nonconformances • Results of corrective actions Non-Mandatory Procedure Examples (Sometimes helpful depending on risk) • Determining context of the organisation and interested parties • Addressing risks and opportunities • Competence, training, and awareness • Equipment maintenance and measuring equipment • Document and record control • Sales & enquiries • Design and development • Production and service provision • Management of nonconformities and corrective actions • Procedure for monitoring customer satisfaction • Procedure for internal audit • Procedure for management review We recommend going through these lists and comparing what you currently have. Our Armour platform can help you do this in the most efficient way. After completing this exercise, we can anticipate the following outcomes: 1. You realise that you are compliant to a huge part of the standard as a matter of running your own business. It’s basically making sure that you run a high-quality business, I mean, don’t we all strive for that? 2. You have an insane amount of documentation that you don’t need. (Time for a clean up!) We recommend starting with the basic requirements and build on it based on risk. Implementation and buy in is much easier that way.