If you’re going to take part in an ISO audit, you’ll certainly come across the following terms: mandatory requirements, documented requirements, and evidence. But what does each of them actually mean?
In the world of Management Systems, it’s common to have doubts about what truly needs to be documented, what is mandatory, and how to present evidence that everything is working as planned. These three concepts — mandatory requirements, documented requirements, and evidence — are related, but they serve different purposes and have distinct demands within ISO standards.
Mandatory Requirements
If you read an ISO requirements standard, such as ISO 9001, ISO 37001, or ISO/IEC 27001, you’ll often see the word “shall.” This means that implementing that requirement is mandatory for the organization.
Mandatory requirements are the minimum expectations set by the standard that an organization must fulfill in order to be in conformity. These can be either operational or strategic in nature.
Documented Requirements
Some requirements must be documented. In other words, it’s not enough just to carry out the action required — it also has to be described in a document.
Take ISO 9001:2015 clause 5.2.2, Communicating the Quality Policy, for example:
“The quality policy shall:
- Be available and be maintained as documented information;
- Be communicated, understood, and applied within the organization;
- Be available to relevant interested parties, as appropriate.”
Once again, note the use of the word “shall” in the standard, indicating that this is mandatory. The clause also clearly states that the quality policy must be maintained as documented information, meaning it should be written down and accessible to relevant interested parties.
In short, documented requirements are those that require a written record or document as proof of adoption.
Evidence
If you’re being audited for a third-party certification, you’ll often hear the auditor ask: “What’s the evidence for that?”
Evidence refers to the proof that the management system is being implemented as planned. This could include records, monitoring results, meeting minutes, audit reports, photos, videos, or other documents that demonstrate compliance with the requirement.
Evidence may be part of a documented requirement, but it goes far beyond that.
For example, let’s look at clause 4.1 of ISO 9001:2015 – Understanding the Organization and Its Context:
“The organization shall determine external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.
The organization shall monitor and review information about these external and internal issues.”
Notice that there is no mention of “documented information” in this clause, but it is still a mandatory requirement. So how do you prove implementation? With evidence!
To support your implementation, you could present a context analysis document (e.g., SWOT, PESTEL, or CANVAS analysis), meeting minutes from a brainstorming session, or even a recording of that meeting.
We hope this helped!