Re: Auditing Information Technology in the ISO 9001 workplace
Similarly, those of us whose workplaces contract with Google for their email may find the Googledocs option so tempting. And it looks really great for sharing inputs to processes. But I have never found anyone who could adequately describe to me how this meets the requirements of 4.2.4.
The requirements of §4.2.4 are broad, and therefore I think that they can indeed be met by Google docs or another cloud solution. The clause reads:
Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled.
The organization shall establish a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records.
Records shall remain legible, readily identifiable and retrievable.
The key is "...a documented procedure to define the controls needed...". The organization defines which are the controls needed. If the software is proving useful to its users, then it is very likely that it is already meeting most of the controls needed, possibly except the retention and disposition (people tend not to think of these when the records are in process). These needed controls need only be documented.
If retention and disposition are not being met, one way meeting them might be to classify the records into two categories: active and inactive. Upon closeout of a contract/project, its records become inactive. At this time they are printed or exported to disk, deleted from gDocs, and filed locally for the required inactive period along with other records for the contract/project.
There is a risk of loss of data by Google during the active period. The standard allows you to define whether that risk is acceptable or not. For some critical records, it might not be, and then you may need some backup plan (say, exporting even when the record is active). But I suspect for most records such risk is indeed ok.
Pancho