Great news received with the revised ISO standards – no mandatory procedures, only a list of “documented information” e.g. minutes of the management review, audit reports etc. Much more difficult, however, writing a short procedure than a long one. As Mark Twain said: “If only I had more time, I would write thee a shorter letter”. Does this mean we can get away with zero procedures? Perhaps in a one-person business, but definitely not in a larger organization. Unfortunately the larger the organization, the more controls are required and consequently additional policies and procedures needed as risks are higher. Someone abuses the credit card and puts fuel into their private vehicle, so we now need a policy for use of company credit cards! How will the 3rd party auditors audit this? I believe you are innocent until proven guilty, so if you inform the auditors that you don’t believe you need a procedure for document control, the auditor will have to prove that in fact you do due to the high risk as evidenced for example by uncontrolled policies and procedures found on site during the audit.