I fixed the title.

It’s a testament to just how screwed up ISO is that, some 35 years after ISO 9001 was published, readers continue to be entirely baffled by the requirements for control of documents and records. This is not rocket science, but ISO consistently fails to explain a simple thing in simple terms. Chaos ensues.

In 2015, things got much worse after ISO’s home office mandated that all standards adopt an entirely new term to replace words that humans had been using, happily and without confusion, for thousands of years. Instead of using the terms “document” or “record,” everything is now combined into a single bucket of “documented information.”

The intent was to allow readers to decide when to satisfy a requirement with a document or a record. Oversensitive Dutch people (yes, I’m blaming the Dutch) felt ISO was being too mean by telling people what to do in a standard that exists literally to tell people what to do. So they have created a “requirements” standard that features lots of vague suggestions instead and now no one knows how to satisfy any requirement.

Why Control Documents & Records?

So even though the standard came out in 1987 — and that version, itself, was based on a standard from the 1950s! — people still don’t understand document control. I blame this partially on the fact that ISO doesn’t include a justification for each clause in the standard. Other standards from publishers outside of ISO often include a rationale preceding each requirement, explaining its intent; for ISO standards, paragraphs just pop up, without any context, and thus without the reader knowing why a given thing matters. (It’s something we’re adding to the next version of Oxebridge Q001.)

What would the intent of “documented information” be, then? Because “DI” is to tackle two separate concepts which are totally not the same thing — documents vs. records — there will always be two simultaneous answers:

  1. The intent of having control over documents is to ensure that people within the organization have access to the latest, approved information. If people use obsolete or incorrect information, they will do their work wrong. That’s it.
  2. For records, the intent is to ensure that records are filled out properly and then retained so that you can go back and see what happened in the past, should you need to. Again, that simple.

The Dutch invention of “documented information” mangles this all up, so now you don’t know when you’re talking about reading something (like a document) or recording something (for a record.) Now, the entire clause 7.5 jumps, without any warning, from words describing controls that apply to documents, to those that apply to records — with that jump sometimes happening in the same sentence!

Here’s a snippet from the standard; I’ve color-coded it to illustrate the rapid changes in subject.

The real-world impact of this word salad is that readers become totally confused. For example, since the 2015 edition of ISO 9001, I am routinely asked if a user must change the revision number of a form every time it’s filled out. On its face, that idea is ludicrous; imagine every time you made an entry in your Receiving Log you had to increment the revision on the Receiving Log. By next week your form would be at revision 1,466! But as crazy as that sounds, a lot of people reading ISO 9001:2015 have no prior experience in management systems or document control, so they make crazy assumptions — because the standard leads them there. If you read 7.5, it certainly looks like ISO 9001 is saying that both documents and records must undergo “control of changes (e.g. version control)“, since they lumped everything into a single concept called “documented information.”

Wrapping Your Head Around It

To properly implement clause 7.5, you take one absolutely crucial step first, and mentally break the clause in half. You will apply one set of controls to documents, and an entirely different set of controls to records. With that done, implementing 7.5 becomes much easier.

An even better approach is to go back and read the original 1987 ISO 9001 text since it explained everything you’d need to do, and still fully complies with the 2015 language. Here’s what they required for documents in that version: 

And here are the record requirements.

Simple, right? It reveals that it made no sense for Dick Hortensius and his Dutch pals to have gone in and tinkered with these clauses to the point of incomprehensibility, given we had perfectly good text over 30 years ago, that still works today.

But if you’re still confused, stay tuned. The next two articles in this series will discuss practical methods for the controls for both documents and records.


ISO 17000 Series Consulting