(Finally) arrived in the information society?

"Information is the oil of the 21st century, ..." - the half-quotation from Peter Sondergaard, Senior Vice President of the market researcher and IT analyst Gartner Inc, dates back to 2010 and was already no longer a prophecy back then. The information society is no longer just waiting in the wings; it has already taken off - even if not everything and everyone is on board yet by a long shot.

With the major revision of September 2015, has ISO 9001 finally made the leap into the information society, or has it even arrived there? A look at the changes in this regard compared to the previous version reveals that a lot has actually happened. First of all, there is the new High Level Structure (HLS), now also called "basic structure". In addition to a completely new structure, it has also introduced new requirements, partly in the form of new chapters, into ISO 9001, including the topic of "knowledge of the organization".

 

However, the HLS is not entirely new. It was already used in ISO/IEC 27001, among others, in 2013. This standard is used as a suitable basis for an effective information security management system (ISMS). This requirement applies to every organization that wants to, and absolutely should, secure its data, its (documented) information, i.e. its knowledge and that of its customers.

 

A risk-based approach now runs through all chapters like a common thread, although without calling for a separate risk management process. Linked to this in some way, and closely linked from the point of view of the standard, is the omnipresent requirement to identify "opportunities" for the organisation. In order to take away a little of the odour of a lottery from this elementary matter, it would have been better to translate this as "opportunities" in accordance with the original English text.

 

The new standard ultimately gives its users a significantly higher degree of freedom in the implementation of many requirements - the revision as an opportunity! For example, also in the question of how to deal with the requirements relating to the knowledge of the organization and the associated documentation of information.

Knowledge of the organization - a central resource
In Chapter 7.6.1, the new standard states in Note I what it understands by "organizational knowledge": "Organizational knowledge is knowledge that is specific to the organization; it is generally acquired through experience. It is information that is applied and exchanged with a view to achieving the goals of the organization." The chapter on the management of organizational knowledge is completely new in ISO 9001. The requirements in this respect are intended both to prevent the loss of knowledge (which can happen, for example, through personnel turnover or through failures in knowledge transfer) and to motivate the acquisition of knowledge (e.g. through experience, exchange, consultation or benchmarking). However, no systematic and structured knowledge management is required. The knowledge of the organization is in any case a central resource, regardless of whether it is managed by a separate process or not!

What is information anyway?
What at first appears to be a seemingly random collection of individual data becomes information when these data are given a certain meaning, e.g. through a certain arrangement, an addition or the integration into a context. In the best case, the resulting information then carries meaningful knowledge about things, circumstances or people. It can be an invaluable asset to an organization - but only if its content is actually useful to the organization! Seen in this way, information is data of value - the value is decided by the organisation. The availability of information, its integrity and trustworthiness must be guaranteed, regardless of what this information may be used for in detail. The security of information is particularly important in this respect. And never before has the demand for security standards for the transmission and storage of data and information been so high as in today's information society.

 

Which knowledge is relevant to be classified as documented information? The standard states that the quality management system must contain exactly the documented information that the organization has determined to be necessary for this system to be effective. This depends on the specific situation that characterizes an organization: which industry it belongs to, how large it is, which interested parties have which expectations, how complex its processes are, how well-developed the competence of its employees is, etc. The new standard therefore focuses strongly on the value of information (Figure 1).

Documented information - knowledge plus competence plus awareness
What is behind the new term? A charming approach sums up the idea as succinctly as possible, including the titles of four chapters of the standard: knowledge + competence + awareness = documented information. "Information" as an isolated term, on the other hand, contains no requirement that this information be documented. In such situations, it is up to the organization to decide whether it is necessary or appropriate to maintain documented information. This, in turn, is dependent on the value that this information represents for the organization!

 

Chapter 7.5 provides an example of the degrees of freedom granted by the new standard. In the 2008 version of ISO 9001, based on Chapter 4.2.1, for example, at least six "documented procedures" are still required and - classically - the maintenance of a QM manual. Both requirements have been dropped with the revision. At the same time, the documentation requirement has been retained across many chapters.

 

However, both the view of the topic and the terminology have changed. What were once procedures, documents and records are now combined in "documented information". The term is used for all documents and evidence required in the standard. According to the annex of ISO 9001:2015, it is not mandatory to use the structure and terminology of the standard in the organization. Rather, the term that is most suitable for the organization should be chosen.

 

Throw old requirements overboard with the paper
A great opportunity lies in the fact that the standard now adapts more strongly to the possibilities of modern communication technology and focuses more on company-specific concerns. Each organization decides for itself which information is important for quality management and the achievement of organizational goals and which is not. The organization also freely chooses the type, scope and location of the documentation of its information, including the storage of the respective data, according to its own discretion and requirements. All of this offers the possibility to look at the topic of documentation from a new perspective. For organizations, the new standard may well be the impetus to do away with the paper that still carries the requirements for control and documentation from the last millennium.

 

However, all this does not mean that an organisation is no longer "allowed" to keep a QM manual. The documentation of information in a classic QM manual can make sense for various reasons, e.g. for easy dissemination to external interested parties. However, if these reasons do not exist - and this can be the case in today's business world - the question arises whether the organisation is missing one or another opportunity that modern software, e.g. on mobile hardware, has to offer. A smartphone or another data carrier can certainly be used for storage, which, depending on the situation, increases availability and flexibility enormously. The documented information can be a sound recording or a video and not just the classic paper. One possible limitation: the security of the documented information decreases as the degree of availability increases - but only if no appropriate measures are taken to secure it.

Handling of documented information
Chapter 7.5.2 formulates the requirements for the creation, maintenance and updating of documented information. At least three aspects must be taken into account, whereby the standard places emphasis on appropriateness and suitability (partial overlap with the control of documented information, see there):

 

  • Labelling and description → quick retrieval of the documented information and its reliable assignment;
  • Storage: format and medium → avoidance of media discontinuities, different versions (version control), redundancies, read-back after storage, preservation of readability;
  • Review and approval → Avoidance of overregulation. The rigid principle of "creator-processor-reviewer-releaser" is not always appropriate. It could therefore also be possible and sensible to have the creator approve the work, e.g. in the case of the very frequently applicable, simple work instructions in non-sensitive areas.

 

If the standard requires that information be maintained, it must be updated as necessary and be available at all times; in this context, it cannot be ruled out that older versions may need to be retained, possibly in order to document an earlier status. In the 2008 version of ISO 9001, these were documents with a default status. If only retention is required, for example as proof of the competence of employees, the information must be stored and available; this was previously referred to as a document with evidence character. The term "retention period" is no longer used by the standard. The length of time for which documented information is (should or must be) retained is determined by the organization itself depending on the content of the documented information, preferably with the assistance of a legal expert (Graph 2).

Control of documented information
Chapter 7.5.3 contains requirements for the management of documented information. Its management is necessary in order to make it available. At first glance, little has changed compared to the 2008 version (chapter 4.2.3 / 4.2.4). However, with the use of modern means of communication to manage the documented information, entirely new aspects arise. Possible questions are: Which documented information should be managed at which communication level with which communication medium and how and where should it be stored? What about the availability at the place and time of need, the integrity (authenticity), the confidentiality and the security of the documented information (internal as well as external information marked as such)?

Protect documented information effectively
At this point, at the latest, the information security (ISO/IEC 27001:2013 standard) mentioned above comes into play again. Although ISO 9001:2015 requires the availability, integrity and confidentiality of documented information, as well as protection against unauthorized access, etc., it does not provide organizations with the management tools and technical and organizational procedures needed for this purpose - or it does not explicitly require their use.

 

The necessary trust in the security of data or documented information is particularly important with regard to the expectations of the interested parties of an organization. ISO/IEC 27001 is based on a risk management process that runs through the entire organizational structure and begins with the design of processes and systems. Especially when modern communication media such as e-mail, social media or cloud solutions etc. form the basis for documented information (which is now standard in some industries), such a procedure is the first choice.

 

This includes, above all, the aspect of "awareness among employees". However good a technical or organisational solution may be: if people are not aware of the possible consequences (the risk) of their actions, they are very unlikely to act correctly in terms of protection. Another important point is that, as already mentioned above, the standard is also based on the HLS - the two standards thus complement each other perfectly in a management system!

Value of information is in the foreground
In summary, it can be said that ISO 9001:2015 places the value of information for the management system or the organization in the foreground when deciding on its documentation. As can be seen from the note in chapter 7.5.1, the determination of the necessary scope is also based on this. Another important aspect is the term "appropriateness". Information is a significant (organisational) value; the information society provides us with vast amounts of data every day - but by no means all of it is valuable - this is precisely where the principle of appropriateness comes into play.

 

What is considered appropriate in terms of scope and content is determined by the organization itself, but is based on various factors. For example, the scope of the documentation depends on the competence of the staff employed. Further factors are:

 

  • Strategy and goals of the organization
  • Scope of the management system
  • relevant expectations of interested parties
  • required/necessary processes and their complexity
  • Risks and opportunities with regard to required processes
  • technology in use
  • Product/service offering
  • Risks and opportunities with regard to products/services
  • Compliance requirements

 

The requirement for documented information - an opportunity
It is clear that the higher degree of freedom offers more opportunities to take company-specific concerns into account and to avoid or reduce overregulation. At the same time, this means a higher acceptance by the actual target group of the documented information - and that is certainly not the auditors! Companies have the task of deciding for themselves which information is relevant for the management system and to what extent and on which data carrier it should be stored. And they must ensure that the resource "knowledge of the organization" is protected.

 

The opportunities that arise from the appropriate implementation of the new requirements are the actual gain from the revision. In this respect, the question posed at the beginning, whether ISO 9001 in its new version has now (finally) arrived in the information society, can only be answered with a resounding yes! And the good thing is: a transfer of the ISO 9001 topics on documented information to any other management system is also possible - if the underlying set of rules allows it.

 

 

 
