ISO 9001 Control of Forms & Records (4.2.4)

One of our frequently answered questions has to do with the control of Forms and Records. Why do forms have to be controlled, and how in the world can we control them all?

Well, forms are designed to make sure that you collect the data that is required. Forms often also act as work instructions, indicating the steps and their order for a process, telling what data to collect and specifying the acceptable limit.

Records management (RM) is the managing or maintaining of official records to provide evidence of business activities. ISO 9001 § 4.2.4 requires the control of records and highlights several key practices. It specifies that records management is required to enable:

  • Verification of activities of an organization.
  • Effective operation of the quality management system.

Records management addresses six key issues:

  • Identification
  • Storage
  • Protection
  • Retrieval
  • Retention
  • Disposition

Importance of Records Management

ISO 15489 Information and Documentation - Records Management and Guidelines for Implementation.

Part 1: General
Part 2: Guidelines for implementation

This two-part standard provides guidance on records management in support of a quality process framework to comply with ISO 9001.

It says records are information created, received, and maintained as evidence in pursuance of legal obligations or in the transaction of business. Records are a valuable source of information and an important business asset. A systematic approach to managing these records is essential to protect and preserve them as evidence of actions.

When a record management system is in place, you ensure that you have:

  • Information about business activities.
  • Proof of business decisions.
  • Accountability to convince future stakeholders.

An effective RM system can provide continuous and ready access to all relevant records in the minimum possible time.

Principles of Records Management

Policy:
Organizations need to define and document a policy to create and manage authentic, reliable and usable records that are capable of supporting business functions and activities. Record management policies and procedures should ensure that record creators are identified and authorized. In addition, steps need to be put in place to protect records against unauthorized addition, deletion, alteration, use and concealment.

Authenticity:
An authentic record is one that:

  • Is what it claims to be.
  • Is created or sent by the person purported to have done so.
  • Is created or sent at the time indicated.

To ensure the authenticity of records, an organization should implement and document policies and procedures that control the creation, receipt, transmission, maintenance, and disposal of records.

Reliability:
A reliable record is one whose contents can be trusted as a full and accurate representation of transactions, activities or facts. To ensure reliability, records need to be created:

  • At the time of the related transaction / incident or soon after.
  • By individuals who have direct knowledge of the facts regarding the transaction.
  • By instruments routinely used within the business to conduct the transaction.

Integrity:
The integrity of a record refers to its being complete and unaltered. Records need to be protected against unauthorized changes. In the event a record needs to be altered, policies and procedures need to specify the additions or annotations that may be made to a record after it is created. Only an authorized person should be allowed to handle the records while making alterations. In addition, it is important that any annotation, addition, or deletion should be explicitly indicated and traceable.

Further, to maintain integrity of records, the record system should include controls to enable access monitoring, user verification, authorized destruction and security to prevent unauthorized access, destruction, alteration, or removal of records.

Usability:
A usable record is one that can be located, retrieved, presented and interpreted quickly. The record should be capable of being connected to the business activity or transaction that produced it.

While you will probably never have an audit of your QMS or EMS delving as deeply into Record Control as this information might indicate, I would suggest an opportunity for improvement based upon ISO 15489-1. Peruse the document to ensure that you have legal, secure and manageable records.