7.5 Documented Information

7.5.1 General

The organization’s quality management system shall include:

a. documented information required by this International Standard;

b. documented information determined by the organization as being necessary for the effectiveness of the quality management system.

NOTE: The extent of documented information for a quality management system can differ from one organization to another due to:

− the size of organization and its type of activities, processes, products, and services;

− the complexity of processes and their interactions;

− the competence of persons.

7.5.2 Creating and Updating

When creating and updating documented information, the organization shall ensure appropriate:

a. identification and description (e.g., a title, date, author, or reference number);

b. format (e.g., language, software version, graphics) and media (e.g., paper, electronic);

c. review and approval for suitability and adequacy.

NOTE: Approval implies authorized persons and approval methods are identified for the relevant types of documented information, as determined by the organization.

7.5.3 Control of Documented Information

7.5.3.1 Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

a. it is available and suitable for use, where and when it is needed;

b. it is adequately protected (e.g., from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:

a. distribution, access, retrieval, and use;

b. storage and preservation, including preservation of legibility;

c. control of changes (e.g., version control);

d. retention and disposition;

e. prevention of the unintended use of obsolete documented information by removal or by application of suitable identification or controls if kept for any purpose.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate and be controlled.

Documented information retained as evidence of conformity shall be protected from unintended alterations.

When documented information is managed electronically, data protection processes shall be defined (e.g., protection from loss, unauthorized changes, unintended alteration, corruption, physical damage).

NOTE: Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.