A procedure is a list of specific instructions or rules about the way certain things will be done. Both ISO 9001 and ISO 27001 require certain procedures to be documented. The documentation of many others is deemed to be optional but may be practically essential as proof of compliance for audit purposes. In the language of the Standards, certain procedures “shall” rather than “should” be documented.
The mandatory procedures for ISO 9001 which I have now identified are similarly listed in most of my sources. They comprise:
MP1 Document Control
MP2 Control of Records
MP3 Internal Auditing
MP4 Control of Non-conformance
MP5 Corrective Action
MP6 Preventive Action
For the moment these are text dumps in my draft manual. My primary focus here is covering off the minimum documentation requirement.
I make one small voluntary addition here. It seems prudent to me to run regular internal checks on our data destruction equipment to verify it is destroying data in the way it should. So I have also added a procedure for this under the Verification of Purchased Product clause of ISO 9001. I am not sure if it should necessarily go under this heading but I plan to include it as a procedure wherever it should be placed.
Based on historical diary entries