ISO 9001 Quality Management System: What Mandatory Documents and Records Are Required?
When auditors review clients’ management systems, they often discover businesses have more procedures than they require. During an audit, the auditor will review:
What is required by the standard itself
That you are implementing your procedures. For example, if you have a procedure that says you do things a certain way, the auditor will check that this is the case. If you don’t implement your procedures, a nonconformance will be raised.
Having experience as an ISO Auditor, our Managing Director Charlene has seen many businesses incorporate generic procedures into their business which have added no real value. Charlene tells us, “Often in this case the business isn’t aware of what is in the procedure and they have merely added them ‘to keep the auditor happy’, which is unnecessary and makes the auditing process worse for all parties.”
So What’s New?
Mandatory procedures belong to the old version of ISO 9001, which has thankfully since been updated to the 2015 version. The latest version makes it so much easier to integrate a management system into your business.
At Armour, we take a lean approach to documentation. If it doesn’t add value, either get rid of it or modify it so it can add value to the overall business.
The core of many ISO standards adopts a ‘Risk and Process’ based approach. A Risk and Process based approach means identifying the highest compliance risks to your organisation and making them a priority for the organisation’s compliance controls, policies and procedures. To identify your Risk and Process approach, ask yourself these two questions:
What are our core business processes? Examples may include sales and enquiries, service or production processes, design (if applicable), purchasing, accounts, human resources etc.
Second question and perhaps the most important one: What is the risk of something going wrong? For example, a client not getting the proper service or not complying with legislation.
The higher the risk, the more robust the controls need to be. An example of a control could be the implementation of a procedure to prevent deviation. More on this in our upcoming blogs.
For now, you can find a list of mandatory documents, also referred to as ‘Documented Information’, required by ISO 9001:2015 below. In truth, they are mandatory because they add a lot of value and fit every single business.
Mandatory Documents Required for ISO 9001:2015
Scope of the QMS
Quality Policy
Objectives
Criteria for evaluation and selection of suppliers (How suppliers are identified and approved for use)
Mandatory Records Required for ISO 9001:2015
Monitoring and measuring equipment calibration records
Records of training, skills, experience, and qualifications (competence records)
Product/service requirements review records
Record about design and development outputs
Records about design and development inputs
Records of design and development controls
Records of design and development outputs
Design and development changes records
Characteristics of product to be produced and service to be provided
Records about customer property
Production/service provision change control records
Record of conformity of product/service with acceptance criteria
Record of nonconforming outputs
Monitoring and measurement results
Internal audit program
Results of internal audits
Results of the management review
Nonconformances
Results of corrective actions
Non-Mandatory Procedure Examples (Sometimes helpful depending on risk)
Determining the context of the organisation and interested parties
Addressing risks and opportunities
Competence, training, and awareness
Equipment maintenance and measuring equipment
Document and record control
Sales & enquiries
Design and development
Production and service provision
Management of nonconformities and corrective actions
Procedure for monitoring customer satisfaction
Procedure for internal audit
Procedure for management review
We recommend going through these lists and comparing what you currently have. Our Armour platform can help you do this in the most efficient way.
After completing this exercise, we can anticipate the following outcomes:
You realise that you are compliant with a huge part of the standard as a matter of running your own business. It’s basically about making sure that you run a high-quality business. I mean, don’t we all strive for that?
You have an insane amount of documentation that you don’t need. (Time for a clean up!)
We recommend starting with the basic requirements and building on them based on risk. Implementation and buy-in are much easier that way.
If you want to find out more or just chat with a consultant to help understand what this would look like for your business, drop us an email at info@armour.ai. Or start a free trial of Armour today.