ISO 9001 Expert Tips

Table of Contents

The following tips are designed to help employees at small and midsize businesses comply with ISO 9001 requirements. You may find these ISO 9001 tips useful during the ISO 9001 implementation phase or even later on to improve ISO 9001 compliance.

What Is Document Control?

Document control means that the right persons have the current version of the documents they need, while unauthorized persons are prevented from use. We all handle many documents every day. These documents include forms that we fill out, instructions that we follow, invoices that we enter into the computer system, holiday schedules that we check for the next day off, rate sheets that we use to bill our customers, and many more. An error on any of these documents could lead to problems. Using an outdated version could lead to problems. Not knowing if we have the latest version or not could lead to problems. Just imagine setting up a production line to outdated specifications or making strategic decisions based on a wrong financial statement. That's why there is much importance given to the ISO 9001 control of documents and records.

Records are a special kind of document: records show results achieved or provide evidence of activities that have been performed. Because records are proof of something, records cannot be revised. However, there are different requirements for different records. For example, some records have to be retained for 7 years (think of tax records), while others must be securely destroyed after 1 year (think of certain customer data governed by your privacy policy). For ISO compliance, your company needs to formalize the specific requirements for records; this is typically done through the record retention guide.

ISO 9001 gives you tools (also referred to as "requirements") that show you how to control your documents and records through a comprehensive document management system. The ISO 9001 Quality Management Manual contains more information and a simple, easy-to-follow ISO 9001 document control procedure.

ISO 9001 Documents

There are no “ISO 9001 documents” that need to be controlled, and “non ISO 9001 documents” that don't need control. The ISO 9001 system affects the entire company, and all business-related documents must be controlled. Only documents that don't have an impact on your products, services or company don't need to be controlled - all others need control. This means, basically, that any business-related document must be controlled, and your ISO 9001 procedure on document control explains how to do it.

However, how much control you apply really depends on the individual document.

The extent of your approval record, for example, may vary with the importance of the document (remember, documents are approved before they are published for use).

The Quality Policy, an important corporate policy document, shows the signatures of all executives.

Work instructions often just show a note in the footer indicating approval by the department manager.

Some documents don't even need any approval record: if the person who prepared a document is also responsible for its content (e.g., the quality manager prepares instructions for his auditors), a separate approval (and record of approval) is superfluous.

On the other hand, identifying a document through a revision date, source and title is basics. It really should be done as a good habit for any document you create.

Please note that documents could be in any format: hardcopy or electronic. This means that, for example, the pages on the corporate internet need to be controlled. Control of electronic documents tends to be easier than control of hardcopies as many file storage systems already include features that meet the requirements of the ISO standard for document management system.

Responsibility for Document Control

Document control is the responsibility of all employees who create documents or who use documents. It is important that all employees understand the purpose of document control and how to control documents in accordance with your ISO 9001 document control procedure. All employees, therefore, will need to have access to your ISO document control procedure and know where to find it.

Please be aware that if you copy a document or print one out from the corporate intranet and then distribute it, it is you who will be responsible for controlling its distribution. The original author won't know that you distributed copies of his documents, so the original author can't control your distribution.

Consider an ISO document control example that could affect us all: the human resources manager puts the holiday schedule on the corporate intranet as well as the main bulletin board. You make copies of the schedule and hand them out to the employees in your department. Now the human resources manager finds a mistake, corrects the schedule and adds a big, red annotation to the schedule on the intranet and on the bulletin board. Will your department employees, who rely on the printout you gave them earlier, know about the change?

Dating Documents

Your ISO 9001 document control procedure requires you to show on every document when it was created or last updated. Many people may have thought to use their word processor's automatic date function for this, but... should you use the automatic date field on documents?

Generally not. If you enter the automatic date field into a document, the field will automatically be updated to always show the current date, no matter when you actually created or updated the document.

Example 1: For example, if you use the automatic date field in a fax and you save the fax on your computer for future reference, you won't be able to tell when you wrote the fax: when you open the fax on your computer, it will always show today's date.

Example 2: Another example is entering the automatic date field in the footer of a document that you frequently change and then print. You may have used the automatic date field as an easy way to see on your printouts when they were printed; your idea here probably was that the document with the latest date is the most current printout. However, you may make one printout today and another tomorrow without having made any changes to the document. Though both printouts are identical, they now show different dates. This will inevitably lead to confusion.

ISO document control requires us to show on any document when it was created or last revised. The automatic date field is not suitable for this. Therefore, as a general rule, don't use the automatic date field to identify the revision date.

Controlling Forms

Yes, ISO 9001 control of documents and records also includes forms. Forms must be controlled as long as the form has an impact on your products, services or your company. Forms can be both documents and records.

Blank forms are similar to work instructions as they guide the user to provide certain information. If the form is outdated or incomplete, the user will not be prompted to supply all the necessary information. It is, therefore, important to control blank forms like any other document. Refer to the document control procedure in the ISO 9001 Quality Management Manual to see a simple system on how to meet this ISO 9001 requirement.

Once a form has been filled in, however, the form becomes a record. At this point, you need to be concerned with filing, storage, archiving and eventually destruction. Your company's own record retention guide specifies how long records must be kept and how you can get rid of them (for example, do you need to shred them or is the recycle bin okay?).

Complete ISO 9001 Documentation

Some auditors like to ask this question, so it is best to know that our ISO 9001 quality management system is documented through the following:

The Quality Policy is the top-level document that sets the course of all your quality efforts.

The Quality Manual contains a high-level description of the company's quality management system and its various components.

The Quality Management Manual contains the fundamental documents of the quality management system: a scope statement, the main process map, and all the ISO 9001 quality system procedures that directly address all ISO 9001 requirements. It also includes the quality policy making it a comprehensive ISO 9001 policies and procedures manual.

Operating procedures are used to provide guidance on how and in which sequence key activities must be performed.

Work instructions are detailed step-by-step directions that help us consistently perform activities as intended.

Forms guide us in the collection of certain required information. Once a form has been filled out, the information contained in it becomes a record.

Records provide evidence of the operation of various aspects of our quality management system.

The above listed documents are for most companies the documents required for ISO 9001 certification. However, ISO 9001:2015 is no longer explicit on the number of documents nor on their names. In fact, ISO 9001 names only a few mandatory documents: the quality policy, the process map, the scope statement, as well as numerous specified records.

But attention, it's a common misconception that the freedom to decide how your ISO 9001 quality management system is documented means that there are less documents required for ISO 9001 certification. Most small to midsize companies are well advised to adhere to the proven documentation system shown above and consider these documents to be required for ISO 9001 certification. It is also recommended to have a comprehensive set of ISO 9001 quality system procedures that addresses all ISO 9001 requirements that are applicable to your company.

The only real exception is the ISO 9001 quality manual. The quality manual is mainly used for marketing and, for most companies, doesn't add value to the operation of the quality management system. In fact, since the publication of ISO 9001:2015, there are no ISO 9001 quality manual requirements and the quality manual is not one of the mandatory documents for ISO 9001.

ISO 9001 Policies and Procedures

A policy is a high-level, strategic document, while procedures describe how the policy is achieved. In the case of ISO 9001, the quality policy is the top-level document, which includes a commitment to satisfy ISO 9001 requirements. The procedures (also often referred to as quality procedures or ISO 9001 procedures) describe how your company implements the ISO 9001 requirements.

We recommend combining all quality procedures in a single, comprehensive procedures manual. In order to make this manual complete, also include the quality policy and the scope statement. To further increase its usability, we also included in the ISO 9001 Quality Management Manual an introduction to the company and the quality management system.

An ISO 9001 policies and procedures manual like the Quality Management Manual contains all the quality procedures but not all employees need to be concerned with all of them. In fact, most procedures affect only managers. Every employee, however, must be familiar with the quality policy and the document control procedure at a minimum.

All employees need to know about the quality policy, know that the quality policy contains the corporate strategy related to quality and customer satisfaction, and know that all other ISO 9001 documents must follow this policy. All employees must also be familiar with the content of the quality policy and understand its meaning. It is, however, not necessary to memorize the quality policy.

All employees must be familiar with the requirements of the document control procedure and actively follow the requirements of the document control procedure. Those who write or approve documents must be familiar with the requirements concerning the issuing of documents. Those who use documents must be familiar with the requirements in order to know if they are using the current version of the correct document.

Process Identification and Definition

Management at each division and department needs to identify all their key processes (or activities). The number of processes depends on the complexity of the division or department and on how detailed you want to be. For the purpose of meeting ISO 9001:2015 requirements, about 10 key processes or less should be sufficient to describe the activities of the entire department, office or facility.

Once the key processes are identified, management (or better, the process owner) needs to further define the process through the following:

Process inputs and their source

Outputs and their destination

Methods to evaluate the performance of the process (these are the metrics and related goals)

Process owner (use only the title, not the name of the person)

Documentation needs for the process (including work instructions, forms and records)

Required resources (ranging from work space to equipment to training)

Risks and opportunities associated with the process

Improvement goals

Defining inputs and outputs actually identifies how the processes interact with each other. An excellent way of describing the interaction of processes is the use of flowcharts? In fact, flowcharts are the ideal and recommended method of defining the interaction of processes.


Flowcharts are often used in ISO 9001 documentation. Flowcharts illustrate the interaction of processes. Flowcharts are often used to show how the key processes (also referred to as "activities") in an office or at a production facility interact; flowcharts are also often used to explain how to perform work, for example, as work instructions or as parts of procedures.

The following explains how to create and read flowcharts. Though there exist numerous flowchart shapes, the following shapes are sufficient for most flowcharts. Note the arrows which are used to connect the different shapes in the correct order.

This is the shape used to describe a process (or activity). In this example, the process is called “Check invoice”. The arrows show inputs and outputs of the process and are used to connect with preceding and following processes.

How to show a process

This is the shape used to describe a decision. A decision in a flowchart has usually two or more possible outcomes. In this example, the decision is “Is the invoice correct?” and the two possible outcomes are “yes” and “no”.

How to show a decision

Some decisions have several possible outcomes: the decision “From which supplier?” could have either of the outcomes “Supplier A”, “Supplier B”, or “Supplier C”.

How to show another decision

This shape describes a document. In this example, the document is called “Invoice”. This shape is typically used as the input or output of a process.

How to show a document

The following example illustrates how to use all three shapes to define the interaction of processes:

How to use flowcharts

Whichever tool you use, please keep it simple for the user. Some sophisticated shapes might make much sense to you, but most users will be confused as they won't understand the subtle differences. On the other hand, feel free to use colors if it makes the flowchart more user-friendly.

Though it is possible to create flowcharts using MS Word or PowerPoint, a dedicated flowcharting software will be much easier to use and the resulting flowcharts will be more user-friendly. Flowchart software allows to drag and drop shapes, connect them with the click of a button, and the shapes will remain connected even if you move them around. Flowcharting software doesn't need to be expensive. Take a look at our discounted offer for MyDraw Flowchart Software.

For more information on flowcharts and flowcharting software, please see our article on ISO 9001 Flowcharts.

Audit Preparation

Internal and external audits are a regular occurrence and important to continuing ISO 9001 compliance. ISO 9001 audits are typically more challenging for management than for workers. ISO 9001 is a quality MANAGEMENT system and provides many requirements on activities of managers and executives. In fact, the purpose of ISO 9001 is to positively impact how the company is managed.

All audits may cover any or all sections of the ISO 9001 quality management manual. As a general rule, almost all audits cover the following:

Objectives: Managers and staff on every level have objectives that they are committed to achieve. What are yours, how do you achieve them, and how do you measure success?

Quality policy: Do you understand the content of the quality policy? How does the quality policy relate to your work? How do your objectives relate to the quality policy?

Customer feedback: The opinion of customers is crucial for future success and, therefore, must be collected, analyzed and used as basis for further action. Do you know what your customers think of your products or services?

Management reviews: Top management periodically reviews key topics concerning the quality management system; meeting notes provide evidence to auditors. Do those management reviews serve as basis of executive decision making?

Internal audits: Of particular importance is the question if nonconformities from prior audits have been properly corrected. An extensive list of insider audit preparation tips is included with our ISO 9001 Certification Package.

Document control: Are your work instructions current? Is there a chance that you mistakenly use obsolete documents? How do you know that you are using the correct and current documents? ISO 9001 control of documents and records is always a main focus of auditors. Make sure that you know where to find the ISO document control procedure.

Process interaction: Do you know how your work processes affect other processes? Do you understand what impact your work has on other processes?

Suppliers: How do you select suppliers? Are those approved suppliers? What do you do if a supplier doesn't perform to expectations?

ISO 9001 standard: Internal auditors, management representatives, and others responsible for implementation and documentation of ISO 9001 requirements need to have access to a copy of the ISO 9001 standard. Be sure to have your copy of the ISO 9001 standard readily available.

Continuous Improvement

Implementing ISO 9001 and achieving ISO 9001 compliance is not a one-time benefit to your company. While you are utilizing your procedures and work instructions in daily business activities, you are not only benefiting from better quality and increased efficiency but you are also continually improving the way that your company operates. In fact, the ISO 9001 requirements are designed to make the entire company continually improve. This is a very important aspect of ISO 9001 compliance because companies that don't continue to improve are soon overtaken by the competition.

    payment options

    ISO 9001 Simplified Money-Back Guarantee