The management system of the organisation is required by ISO 9001:2015 to include documented information:

1. As defined by ISO 9001:2015 specifically
2. As determined by the organisation to be necessary for the effectiveness of the management system. (This may include regulatory requirements also.)

It is also recognised within the standard that the extent of documented information required for the management system will differ from one organisation to another. IE: Depending on the size of the business and the type of its activities, processes, products, and services. Also, the complexity of its processes, their interactions, and the competence of personnel.

Comment:

The 2008 release of the standard referred to "documented procedures" and "records". These were replaced by the single term "documented information" in the 2015 update. IE: Information required to be controlled and maintained by the organisation and the medium on which it is held. This new term can therefore refer to any documents such as procedures, instructions or records whether electronic or hard copy.

Another major change was the requirement for the six mandatory documented procedures in the 2008 release being deleted, as has the explicit requirement for a Quality Manual. (If an organisation finds a manual useful, it can still be included in the Management System however, indeed many businesses find such a document a useful method of documenting some higher level processes.)

These changes came about as a direct result one of the key drivers of the 2015 update of the standard. IE: To allow organisations flexibility in the way they chose to document their Management Systems. This is in recognition that the previous requirements were apportioning unnecessary and non-value added documentation, on some organisations. EG: Some smaller businesses more reliant on training, experience and competence than documented procedures.

This change then enables each individual organisation to determine the appropriate amount of documented information needed in order to operate effectively.

Organisations which have not yet implemented a Management System could utilise the following steps to ensure the appropriate amount of documented information is built into the new systems:

1. Understand the documented information requirements as laid out in ISO 9001:2015
2. Establish what processes are required for the effective implementation of the business management system
3. Determine and map the interactions including inputs and outputs, between these processes (E.g. Using Process Maps.)
4. After considering all factors, including risk and the competency of personnel, document processes to the extent necessary to assure effective operation and control. (Process Maps utilised in the initial mapping may also be used as operational documentation in the final management system.)

Note: Although step 1 recommends understanding and compliance with the basic requirements of the ISO 9001:2015 standard, it must be the business process requirements and their complexity, which determine the level of documented information required.

Audit Check:

There is a requirement for organisations to demonstrate the effectiveness of its processes and management system and conformity with the standard. IE Via objective evidence or data. However, this need not necessarily be in the form of documented information unless specifically specified in the clauses of the standard.

If the requirement is specified however, auditors will look for appropriate documented evidence. Where this is not the case, expect the auditor to request interviews with personnel and management to establish compliance!