ISO 9001:2000


4.2.4 Control of Records
Change: None
Procedure Required: YES
Record(s) Required: NONE
Comments:
This section clearly specifies the requirements for control of records
(essentially the same as required in ISO 9001:1994). A documented
procedure for control of records must be developed which must define
the controls needed for the identification, storage, protection,
retrieval, retention time and disposition of records.
Note:
ISO 9000:2000 only requires the following 18 records to be established
and maintained:
- Records from management review (sec. 5.6.1)
- Records of education, training, skills and experience (sec.
6.2.2e)
- As appropriate, records needed to provide evidence that the
realization processes and resulting product meet requirements (sec.
7.1d)
- Records of the results of, and actions arising from the review of
requirements related to the product (sec. 7.2.2).
- Records relating to design and development inputs (sec. 7.3.2)
- Records of the results of design and development reviews and any
necessary actions (sec. 7.3.4)
- Records of the results of design and development verification and
any necessary actions (sec. 7.3.5)
- Records of the results of design and development validation and
any necessary actions (sec. 7.3.6)
- Records of results of the review of design and development
changes and any necessary actions (sec. 7.3.7)
- Records of the results of evaluations and any necessary actions
arising from the evaluations of suppliers (sec. 7.4.1)
- Where traceability is a requirement, records of the unique
identification of the product (sec. 7.5.3)
- Records of any customer property that is "lost, damaged or
otherwise found to be unsuitable for use" (sec. 7.5.4)
- Records of the results of calibration and verification (sec. 7.6)
- Records of internal audit results (sec. 8.2.2)
- Records indicating the person authorizing release of product
(sec. 8.2.4)
- Records of the nature of nonconformities and any subsequent
actions taken, including concessions obtained (sec. 8.3)
- Records of the results of corrective action taken (sec. 8.5.2e)
- Records of the results of preventive action taken (sec. 8.5.3d)
Guidance:
When developing the procedure for control of records, I suggest that
you:
- interpret "identification" to mean "unique identification"
- describe whether records are stored in commercial file cabinets,
fire-resistant file cabinets, electronically, etc.
- interpret "protection" as including "access" (e.g., locked file
cabinets or password protection on computer networks)
- interpret "retrieval" to mean whether use of a sign-out log is
required
- describe "how" records are "dispositioned" (e.g., trash, paper
shredder, and whether electronic files require special deletion tools
to ensure that the files cannot be recovered)
CAUTION - Phantom Requirement:
Some ISO 9000 auditors liberally interpret the first sentence of
section 4.2.4, "Records shall be established and maintained to provide
evidence of conformity to requirements and of the effective operation
of the quality management system" to mean that every requirement in the
standard must be supported with a record providing evidence of
compliance. However, the majority of ISO 9000 auditors interpret the
standard as only requiring the 18 records specifically mentioned.