7.5 Documented information
ISO 14001:2015 Clause 7.5 Documented information has eliminated the long-standing distinction between documents and records. Now they’re both referred to as “documented information”. Why ISO chose to abandon two common-sense concepts and replace them with one that is needlessly awkward and esoteric is not entirely clear. According to ISO’s definition, the term documented information refers to information that must be controlled and maintained. So, whenever ISO 14001 2015 uses the term documented information it implicitly expects you to control and maintain that information and its supporting medium. An annex to the new ISO 14001 2015 standard further says that “this international standard now uses the phrase ‘retain documented information as evidence of’ to mean records, and ‘maintain documented information’ to mean documentation other than records.” So, whenever the new ISO 14001 standard refers to documented information and it asks you to maintain this information, it is talking about what used to be referred to as documents, and whenever it asks you to retain this information, it is talking about what used to be called records. So sometimes documented information must be maintained and sometimes it must be retained. So, while the official definition of the term documented information abandons the distinction between documents and records, through the use of the words “maintain” and “retain” and because of what this means (according to Annex A), the main body of the standard actually restores this distinction. In other words, while documents and records were officially kicked out the front door, they were actually allowed back in through the back door.
The old ISO 14001 standard asked organizations to establish a wide range of procedures. These included an environmental aspects procedure, a legal requirements management procedure, an awareness procedure, a communications procedure, a documents procedure, an operational procedure, an emergency preparedness and response procedure, a monitoring and measurement procedure, a compliance evaluation procedure, a nonconformity management procedure, a record keeping procedure, and an audit procedure. Now, only one procedure is left. The new ISO 14001 2015 standard asks you to establish an emergency preparedness and response procedure in section 8.2, and that’s the only one. Instead of asking you to write procedures, the new standard expects you to maintain and control a wide range of documents (i.e., documented information). Since the new standard doesn’t tell you what to call these documents, you can call them procedures if you like. And, of course, you still need to have documents except that now they’re called “documented information”. So, while on the surface this looks like a radical change, it probably isn’t.
Documented Information has the following sub-clauses:
The organization’s environmental management system must include documented information required by ISO 14001:2015 standards and also those determined by the organization as being necessary for the effectiveness of the environmental management system.
The extent of documented information for an environmental management system can differ from an organization to another due to the size of the organization and its type of activities, processes, products, and services, the need to demonstrate fulfilment of its compliance obligations, the complexity of processes and their interactions and the competence of persons doing work under the organization’s control.
7.5.2 Creating and updating
When creating and updating documented information, the organization must ensure appropriate identification and description (e.g. a title, date, author, or reference number) and format (e.g. language, software version, graphics) and media (e.g. paper, electronic); It must also ensure appropriate review and approval for suitability and adequacy.
7.5.3 Control of documented information
Documented information required by the environmental management system and ISO 14001:2015 Standard must be controlled to ensure that it is available and suitable for use, where and when it is needed. It must is adequately protected from loss of confidentiality, improper use, or loss of integrity. For the control of documented information, the organization must address the following activities
- distribution, access, retrieval, and use;
- storage and preservation, including preservation of legibility;
- control of changes (e.g. version control);
- retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and operation of the environmental management system must also be identified, as appropriate, and controlled.
Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:
An organization should create and maintain documented information in a manner sufficient to ensure a suitable, adequate and effective environmental management system. The primary focus should be on the implementation of the environmental management system and on environmental performance. not on a complex documented information control system. In addition, an organization may choose to create additional documented information for purposes of transparency, accountability, continuity, consistency, training or ease in auditing. Documented information originally created for purposes other than the environmental management system may be used. The documented information associated with the environmental management system may be integrated with other information management systems implemented by the organization. It does not have to be in the form of a manual.
In the ISO 14001:2015, the term “documented information” is meant to describe any Information that is required to be controlled and maintained by the organization, and the medium on which it is contained. Documented information can refer to the Environmental Management System and its processes, documentation, and records. So, in brief, it includes anything that you require to be recorded to make sure your EMS functions properly and that you can demonstrate that this is the case. In this, the requirements for documented information are captured, and they are fairly basic. A document is information that is written or recorded on some medium such as paper or computer. A document may specify requirements for e.g. a drawing or technical specification, may provide direction for e.g. Occupational Control Procedure, or show results or evidence of activities performed for e.g. records. The term “Documented Information” is used for all document requirements in ISO 14001:2015. For specific terminology used in ISO 14001:2004 such as “document” or “documented procedures”, “Environmental manual” or “EMP”, ISO 14001:2015 defines requirements to “maintain documented information”. In ISO 14001:2004 the term “records” was used to denote documents needed to provide evidence of conformity with requirements. In 14001:2015 this is now expressed as a requirement to “retain documented information”.Clause 7.5.1 specifies all the different types of documentation needed for your QMS. The need to have additional documentation beyond those specified in this standard may depend upon – Compliance obligation including regulatory requirements and your own organizational requirements. Other factors to consider may include the complexity of products/Services and processes, type of activities, environmental issues, significant environmental aspects, economic risk, effectiveness and efficiency, the competence of personnel. There is no need for manual or procedures for ISO 14001:2015. This information is expected to be tailored to your company because it is noted that the extent of the documented information can differ due to the size of the organization, the complexity of the organization, and the competence of the people. The organization is responsible for determining what documented information needs to be retained, the period of time for which it is to be retained and the media to be used for its retention. The requirement to “maintain” documented information may also include the possibility that the organization can “retain” that same documented information for a particular purpose, for e.g. to retain previous versions of it. Lastly, there are requirements for the control of documented information, particularly how:
- it is available and suitable for use,
- it is adequately protected,
- it is distributed applicably, and
- access, retrieval, use, storage, and preservation are controlled.
Finally, there needs to be a control of changes, retention of documented information, and disposition when these documents are removed from use. If you look closely, you will see that these requirements are very much the same as those already in place for documented procedures and records, only merged into one set of requirement. Many people make the mistake of changing the definitions that they use in their management system to match those in the standard when this is not a requirement. The standard is not there to dictate what you will call something, or even how you will number any documents that are in your system (matching the document numbers in the EMS to the ISO 14001 standard is also something people sometimes do unnecessarily). If you want to continue to use the terms “procedure” and “record” because this is what the people in your company understand, then go ahead. The requirements of the ISO 14001 standard are there to give you a framework to build an Environmental Management System that works the best for your company in your effort to meet legal requirements and improve your environmental performance. So, if you see a benefit in replacing some of your current procedures, or merging your two procedures for documents and records because it is simpler – then do so. However, if the procedures you have in place are working for you, then don’t change them just for the sake of change. While the purpose of an EMS is to create improvements in your company, and all improvement requires change – not all changes are improvements. Make the changes that help you improve, and leave the things that are already working well. In this way, you get the benefits that you want from your Environmental Management System.
While ISO 14001:2015 does not require a documented procedure for creating, updating and control of documented information, still we need a procedure for creating, updating and ultimately control of documented information. Your system for managing documented information doesn’t itself have to be documented, which is a big change from ISO 9001:2008, which required documented procedures for both document control and control of records, documenting them will act as an evidence that adequate organization knowledge is available with the organization regarding creation, updating, and control of documented information. ISO 14001:2015 doesn’t require you to write a procedure for how you control documented information. Should you do it anyway? Yes! It’s a potentially complicated topic that should be communicated in a consistent manner. Describe your system within maintained documented information (i.e., a documented procedure) and you’ll have much less confusion. You have to ensure the following practices are in place when you create and update documented information:
- Identification: Documents and records must have titles, document numbers, or something that indicates their identity. As long as you can differentiate between different documented information, knowing which ones address which topics, then you’ve met this requirement.
- Format: The documents must be usable for their purpose. The format must be appropriate to the purpose and users, and the media must be accessible and understandable. For example, if the medium is electronic, then users would need to have access to a computer or other interface that can display the electronic media. Another example might relate to a company that has a high percentage of employees who speak Marathi their documentation would need to be graphically formatted (to make language irrelevant) or translated into Marathi, the language predominantly spoken by the employees.
- Review and approval for suitability and adequacy: Somebody must review and approve the documented information before it’s used. Who performs this function is completely up to you. There are many ways to signify review and approval: signatures, initials, email approval, electronic signatures, meeting minutes, or click-box approval within a document control program. Review and approval do have to be traceable, meaning it must be clear who performed it. It should also be secure, which means the organization has prevented imposters from making reviews/approvals under somebody else’s name.
Once the documented information exists, the next logical step is controlled. Here are the control requirements from ISO 14001:2015:
- Availability: The documented information exists where it’s supposed to exist. The organization has dedicated the resources to create the documented information and the information is suitable for the need it was intended to fill.
- Protection: The documented information is protected from tampering, unauthorized changes, and damage. People who shouldn’t see the documented information are prevented from seeing it. Appropriate safeguards put in place by the organization to ensure information isn’t misused in any way. System passwords and employee training are two ways to accomplish this.
- Distribution: You can assess the documented information. Employees don’t struggle to find it, and they understand how to interpret its meaning. If a computer or program is necessary to access the documented information intended for employees, then employees can operate it. In the case of retained information (e.g., records), they can be retrieved within a reasonable amount of time.
- Storage: The organization specifies where the documented information is located. This applies to retained documented information (records) and maintained documented information (documents). The location is accurate and verifiable, and there are controls to preserve the information.
- Preservation could include periodic backups of computer files and periodic monitoring to ensure continued legibility. The controls for “preservation” are very similar to the controls for “protection,” described above.
- Change control: The organization is able to ensure that the correct versions of documented information are available. When documented information is revised, the revisions are incorporated into the information in use (after review and approval). There are safeguards in place to prevent employees from incorrectly accessing and using obsolete information.
- Retention: We say how long we retain documented information. Remember, the term “retain” refers to records, so this is the requirement for establishing a retention time. Every record in your system could conceivably have a different retention time, and ISO 14001:2015 provides no guidance on the appropriate retention times of records. This is completely up to the organization and its needs.
- Disposition refers to what happens to the record after the retention times has elapsed. Typical dispositions include archive, shred, or recycle.
Finally, ISO 14001:2015 addresses external documents and preventing unintended alterations of retained information. An external document is published outside the organization and used within the scope of the management system. Examples of external documents possibly requiring control include:
- Troubleshooting and/or calibration manuals published by equipment manufacturers
- Test procedures, specifications, and/or engineering drawings published by Regulatory bodies or supplier
- Reports, Communication, Notices received from Regulatory bodies or External Consultants
- Standards published by industrial organizations applicable to the organization
- International standards such as ISO 14001
Once external documents have been determined, they must be identified, and they must be controlled. Like internal documents, there must be a title, document number, or other unique identifiers. Such identification typically comes from the source that publishes the document, and the organization simply adopts it. Make sure that all the other aspects of “control” are applied to external documents.
The last requirement provided by ISO 14001:2015 concerns retained documented information that provides evidence of conformity. In other words, records that prove you met requirements. The organization must ensure that people can’t make unauthorized changes to records. This is a restatement of the protection and preservation requirements already discussed.
Organizations themselves can decide that they need additional documented information.
|4.3 Determining the Scope of Environmental Management system||The scope shall be maintained as documented information and be available to interested parties.|
|5.2 Environmental Policy||The environmental policy shall be maintained as documented information|
|6.1.1 General||The organization shall maintain documented information of its:
– risks and opportunities that need to be addressed;
– processes needed in 6.1.1 to 6.1.4, to the extent necessary to have confidence they are carried out as planned.
|6.1.2 Environmental aspects||The organization shall maintain documented information of its:
– environmental aspects and associated environmental impacts;
– criteria used to determine its significant environmental aspects;
– significant environmental aspects.
|6.1.3 (Compliance obligations)||The organization shall maintain documented information on its compliance obligations.|
|6.2.1 Environmental objectives||The organization shall retain documented information on the environmental objective.|
|7.2 Competence||The organization shall retain appropriate documented information as evidence of competence.|
|7.4.1 Communication – General||The organization shall retain documented information as evidence of its communications, as appropriate.
|7.5.1 Documented information – General||The organization’s environmental management system shall include:
a) documented information required by this International Standard;
b) documented information determined by the organization as being necessary for the effectiveness of the environmental management system.
NOTE The extent of documented information for an environmental management system can differ from one organization to another due to:
– the size of organization and its type of activities, processes, products and services;
– the need to demonstrate fulfilment of its comlaince obligations
– the complexity of processes and their interactions;
– the competence of persons.
|8.1 Operational planning and control||The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned.
|8.2 Emergency preparedness and response)||The organization shall maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned.|
|9.1.1 Monitoring, measurement, analysis and evaluation – General||The organization shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results.|
|9.1.2 Evaluation of compliance||The organization shall retain documented information as evidence of the compliance evaluation result(s).|
|9.2.2 Internal audit programme||The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results.|
|9.3 Management review||The organization shall retain documented information as evidence of the results of management reviewsExample of Procedure for Management Review Meeting|
|10.1 Non-conformity and corrective action||The organization shall retain documented information as evidence of:
• the nature of the nonconformities and any subsequent actions taken;
• the results of any corrective action.
Furthermore, the new standard in several places uses the wording “shall determine”. In Appendix A3 it is explained that “determine” means to establish or find out. There is no explicit “documentation” requirement, but where “determine” is used the organization should at least be able to demonstrate and give confidence of completeness and control of such activities/processes.
|4.1 Understanding the organization and its context||The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization.|
|4.2 Understanding the needs and expectations of interested parties|| The organization shall determine:
• the interested parties that are relevant to the environmental management system;
• the relevant needs and expectations (i.e. requirements) of these interested parties;
• which of these needs and expectations become its compliance obligations.
|4.3 Scope||The organization shall determine the boundaries and applicability of the quality management system to establish its scope.|
| 6.1 Actions to address risks and opportunities
|When planning for the environmental management system, the organization shall consider:
and determine the risks and opportunities, related to its:
that need to be addressed to:
Within the scope of the environmental management system, the organization shall determine potential emergency situations, including those that can have an environmental impact.
|6.1.2 Environmental aspects||Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective.
The organization shall determine those aspects that have or can have a significant environmental impact, i.e. significant environmental aspects, by using established criteria.
|6.1.3 Compliance obligations||The organization shall:
a) determine and have access to the compliance obligations related to its environmental aspects;
b) determine how these compliance obligations apply to the organization.
|6.2.2 Planning to achieve objectives||When planning how to achieve its environmental objectives, the organization shall determine:
• what will be done;
• what resources will be required;
• who will be responsible;
• when it will be completed;
• how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives
|7.1 Resources||The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system.|
|7.2 Competence||The organization shall:
|8.1 Operational planning and control||Consistent with a life cycle perspective, the organization shall:
a) determine environmental requirements for the procurement of products and services, as appropriate;
|9.1.1 Monitoring, measurement, analysis and evaluation – General||The organization shall determine:
|9.1.2 Evaluation of compliance||The organization shall determine the frequency that compliance will be evaluated;|
|The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system.|
If you need assistance or have any doubt and need to ask any question contact me at firstname.lastname@example.org or call at +96565019055. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion are also welcome.