ISO 9001:2000 - Documents Requiring Control - Documents of External Origin



Thanks! That helped. I was just about to ask about emails specifically. :D

Wes Bucey

Prophet of Profit
This seems to be an old thread. I found the initial post through Google, and it was really informative. Thanks to whoever posted it! :)

I have a somewhat silly question regarding controlling external documents. I apologize in advance for its silliness, but I figure it's better to be sure than be sorry after the audit. :D Is there a need to control communications (e.g. letters, memos) from external parties?
I also welcome you to the Cove. In my post #13 above, I touch on the concept of "control"
The essence of a document control system is to ensure documents
  • are protected from harm (or unauthorized modification),
  • are "managed" (stored and easily found and retrieved and run through an authorized revision system)
  • are "controlled" (to ensure superseded, obsolete, or unauthorized versions do not find their way into the manufacturing or other process and activities of the organization.)
This refers to documents which have an impact on the product or service you render to a customer. To determine if the document needs to be "controlled" in addition to beng retained and managed, you first have to decide if the document (correspondence) impacts the product or service (is it an order? an explanation of a print? a waiver of a requirement? OR merely a pleasantry about the weather?)

If it is worth controlling, to what extent? Do you restrict who may read? copy? implement an action based on the content?

Too often, folks go overboard in controlling documents which do not need to be controlled merely because they do not understand the spirit and intent of the word "control."


Thanks, Wes. :)

My follow-up question would be, in cases where communications with clients or external parties are handled by many different project managers, how do you manage to make sure that all those important correspondences are indeed controlled? Especially in the case of e-mails?


Excellent "article", it sums up a lot of techniques to fullfill iso9001:2000 4.2.3 and 4.2.4 requirements thumbs up:agree1: :applause:

i would also like to share a couple of thoughts i use in training:

- Documents and records are the memory cells of a company, it is the means to communicate then recollect, analyze, and improve
- Documents and records are means but not an end, just like a pipe may carry water from the ground floor to the 2nd floor, having too much of such means may actually inhibit the flow all together
- Product Brochures and marketing letters are some of the documents a lot of organizations do not exercise careful control over, leading to misinforming the customer

A data flow diagram, or document flow diagram may prove useful to elaborate on the transfer of documents between different department

In regards of the project communication question,in the PMI BOK (Project Management Institute - Body Of Knowledge) there is the need to establish a communication plan prior to project initiation, where there shall be a formal agreement with all stakeholders on the form and channels of communication to be utilized and when, you may begin by classifying the nature of communication to be performed at first,such as submission of drawings, periodic reports, progress review meetings,....etc. so that you'd have all regular (expected) communication performed through previously identified channels, then any irregular communication may be classified based on what it affects, so that you's identify the relevant personnel for every element and in turn identify the recepients who would be interested in such information accordingly
Last edited by a moderator:

Wes Bucey

Prophet of Profit
Thanks, Wes. :)

My follow-up question would be, in cases where communications with clients or external parties are handled by many different project managers, how do you manage to make sure that all those important correspondences are indeed controlled? Especially in the case of e-mails?
I can envision a system where an organization makes a primary decision whether Quality-related correspondence documents are sorted according to the product or service provided or to the customer who may receive multiple products and services.

In a company which offers "off-the-shelf" products to multiple customers, it may make sense to sort by customer, since requests and changes are probably only for quantity, shipping details, delivery dates, or a choice between regularly offered options. Hence, regardless of who in the organization communicates with the customer, ALL the correspondence should be shunted to a "customer correspondence folder," since rarely will the correspondence have anything to do with how the product is manufactured.

Where an organization produces a product or service unique to a single customer, regardless of how many other unique products are produced for the customer, correspondence should be relegated to a Product File since it will most likely affect quantity or characteristics.

The essence of modern Customer Relationship Management software is to manage and control all customer correspondence (phone, email, hard copy) so that any employee of the organization may have it all available for review when corresponding with the customer or when working on the product or service.

Does that clarify the situation of dealing with correspondence?


Does that clarify the situation of dealing with correspondence?

It does, thanks! :) My particular dilemma, actually, is making sure that each of these managers know what to do with different types of correspondences. Some people can be really stubborn even after you've oriented them about records control. :D But mirrorcrax also made a good point about establishing the communication plan during project planning. All these ideas will help me make suggestions for refining our system. :)


Not all forms require control, in the same way that not all documents require control, obviously.

If a form is used for the recording of Quality Critical data (e.g. analytical results, batch records, works orders) then of course it is also critical that they be controlled effectively.

Many I point out that this isn't just an ISO requirement. It is a GMP requirement and one that is widely applied across many regulated industries, including where some companies do not have ISO certification (as it isn't strictly needed).


Quite Involved in Discussions
How about applying the new requirements for ISO9001:2008 for Clause 4.2.3 f " to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled.
Basically my concern is how to create a provision of system for determining control for other non-manufacturing external documents, i.e. HR, Accounting and Import-Export. :confused:
Thank you very much in advance for the usual prompt attention you will give this request.
Top Bottom