Search the Elsmar Cove!
**Search ALL of** with DuckDuckGo including content not in the forum - Search results with No ads.

Informational Required Documents/Records in ISO 9001:2015


Involved In Discussions
Hi All,
I think the new standard gives flexibility to change the QMS to a more purpose driven one which meets business requirements. Process mapping our business rather than a series of procedures has helped to link the areas together and highlights the gaps. However, I'm not clear on the risk side of things. What will the audit requirement look like, and more importantly what will the business requirement look like, as anyone got examples from the other areas, financial etc that use this approach to point me in the right direction


Involved In Discussions
I read this discussion and I was just thinking the other way around.
Not what the stripped requirements on documentation would mean internally, but what it would mean if you would get audited.

Internally you would be challenged indeed to take the responsibility to determine what is significant to put under the flag of control.
However... if you would get audited, I think there will be some interesting discussions with the ISO auditor and customers on what is really significant for your company.


Hi Covers! Has there been a change to the list of required records posted by the OP based on the released DIS?

I noticed that results/records of Preventive Actions are missing. Is this really the case (PA records not needed anymore) or has it just been reworded to fit the risk management direction of the DIS? Thanks.



Risk management and risk-based thinking replace PA, and they require "documented information" as appropriate.

Just 2c


After reading through CD-ISO-9001, unless I am missing something, these are all that I see that will be required:

what we currently refer to as documents:
- [4.3] Scope & justifications for exclusions (limited to 7.1.4 and 8)
- [5.2] Quality Policy
- [6.2.a-g] Quality Objectives and information

what we currently refer to as records:
- [7.1.4] Evidence of fitness of monitoring & measurement equipment
- [7.2.d] Evidence of employee competence
- [7.5.b] Information determined by the organization as being necessary
- [8.1.c] Information that processes have been completed as planned
- [8.2.3] Basically Order intake & processing)
- [8.4.2] Provider evaluations (ability to provide)
- [8.4.3] (Basically Purchase Order)
- [8.4.3] Provider evaluations (performance)
- [8.6.2] Unique identification for traceability
- [8.6.3] Customer property lost, damaged, or unsuitable
- [8.6.6] Review of change
- [8.7] Evidence of conformity
- [8.7] Person releasing to customer
- [8.8] Nonconforming goods and actions taken
- [9.1.1] Records that monitoring and measurement have been completed
- [9.2.f] Audits were held and results
- [9.3] Results of Management Review
- [10.1.a] Nature of nonconformance's and actions taken
- [10.1.b] Results of Corrective Actions

It appears that as long as everyone knows our processes, we do not need to have anything in writing. I did not see anything that states we need to have processes in writing, although some should be.

Have I missed something? :confused:
For me this is a long-overdue breath of fresh air. The focus at last moves from documented procedures, to processes that work, supported with appropriate documented information - which can be procedures, records, either or both. Indeed, a completed record might sometimes be an example to follow, which communicates the process better than does a procedure.

To audit a non-documented procedure the auditor might interview a few people who execute it and ask them what it is. If they all say substantially the same thing, it's communicated - somehow - systematically. Then the auditor needs evidence it's systematically executed - observation perhaps, or maybe records - and evidence that it's effective - records, almost certainly.

(The auditor might also wonder how it's communicated, if not in writing. I've seen some orgs do it by osmosis: never parachute people in to senior positions and have everyone learn from the ground up by copying their seniors. The procedures can become second nature, not written because "everyone does it that way." When the culture is well led, nobody changes the process except through discussion with colleagues and change that's managed, if informally. It can work, especially when everyone is focused upon common objectives expressed in the quality policy and measurable goals. Critically, such systems can be responsive and adaptive in changing market and customer conditions, and good at responding to disruptive events.)

The only part of this that documented procedures helped with was the first, communicating - and even that wasn't guaranteed, so auditors were often wise to do all the above anyhow. For intelligent organizations and auditors, there's little change but to remove excessive focus upon 5 or 6 mandatory documented procedures.

Just my 2c

John Broomfield

Staff member
Super Moderator

Undocumented procedures have been recognized for 14 years now but you have to study the definition of procedure.

Grant you, the six orphan processes, that belonged to no one, probably needed their documented procedures so people could understand, use and improve these often new processes.

BTW, I could see no specified requirement in the DIS for records of risk management or of the ephemeral "risk-based thinking".




4.4.f requires the organization to determine "the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them" and the last para of 4.4 requires "documented information to the extent necessary." In many but not all situations there will be something like a risk register and documented mitigation plans. In some cases these will reconcile with risks identified in 10k filings which the management system might address.

Some situations won't have documented plans. For example, if a new product idea risks diluting sales of existing product, the new idea might simply be dumped: no documented risk info, necessarily.

When documented info is used with regard to risk, it might address relevant details of processes that deal with risk under 6.1, as well as 4.4. But this would not be mandatory, the organization has the choice, of course.

9.3.1.d requires management to review the effectiveness of actions taken to address risks and opportunities; this is surely often going to be presented to them in written reports - although yes, there's no mandate for such. And 9.3.2 requires documented information on the results of management reviews which might, or might not, mention risk.

But you're right, John, the organization has huge latitude in what it documents with regard to risk and that could well be nil.

On undocumented procs being ok since 2000, yep, true - but I've lost count of the number of organizations I've audited that still have useless documentation they hope will please auditors, sometimes written for them by consultants who ought to know better - but who play it safe, because they're paid to get the organization certified and perceive less risk of certification failure if they document, document, document. "Do you actually do this?" I have often asked. "No," comes the response, "Our consultant wrote it for us." This is a culture that seems to take forever to change. It's born of fear, I think, fear of auditors (who rarely visit and are unknown quantities), fear of failing certification and increased costs of extra audits, an example of the kind of fear that Deming said should be driven out.


John Broomfield

Staff member
Super Moderator

Agreed, trying to "second guess" or please the auditor is a huge problem.

Of course, it detracts from accepting, planning, designing, operating and improving processes so they fulfill their objectives and result in services and products that fulfill customer requirements.

9001:2015's lack of specificity may make the problem of unnecessary "documented information" even worse.



Captain Nice
Staff member
<snip> Undocumented procedures have been recognized for 14 years now but you have to study the definition of procedure. <snip>
I remember "undocumented procedure" arguments/discussions (definition of what a "procedure" is) with ISO 9001 auditors back in 1990, and I went through the "a flow chart is not a procedure" auditor "interpretation" back in 1994 in a company I worked with where we did the "required documented procedures" (and many other procedures) in a flow chart format. That one was fun... :notme:
Top Bottom