Tools for Document Management
AgileLab primarily uses three tools for document management:
The AgileLab handbook is the central repository for managing how the company operates, ensuring efficient and easy communication and information flow. It provides access to information about processes and guidelines for all branches and remote workers.
The handbook is designed to make all company information accessible to everyone, regardless of when they joined the team.
Responsibility: The handbook and its updates are managed by Internal IT and/or other authorized functions.
SharePoint is used to enhance teamwork for project teams, departments, and divisions. It allows for the sharing of files, data, news, and resources.
Responsibility: The "Compliance" SharePoint site is managed by the Compliance team.
All staff can collaborate easily and securely within and outside the organization, using PCs, Macs, and mobile devices.
AgileLab uses the public repository Agilecompliance.website for compliance. It supplements the other tools and contains key documents for both the public and staff.
Responsibility: Agilecompliance.website is managed and updated by the Compliance team as needed or at least every six months.
Information Classification
All information resources are classified into one of the following three categories. The information must be appropriately labeled to ensure easy identification of its classification.
Restricted: Information whose unauthorized disclosure (even within the organization) could cause significant harm in terms of financial losses, legal actions, or reputation damage.
Access is limited to personnel with specific roles, permissions, or access rights mandated by law, such as:
Disciplinary records.
Audit reports.
Personal health and safety consultations and reports.
Payroll and personnel management documents.
Controlled: Information generally available to anyone within AgileLab's areas and containing business value for the organization or requiring protection due to personal data.
Access is limited to internal staff based on their job responsibilities, including:
Business continuity plans.
IT procedures related to networks, backups, etc.
Contracts.
Sensitive business files.
Work plan development.
Documentation related to vendors.
Public: Information that can be made available to the public without causing harm or prejudice if disclosed.
Contact information.
Press releases.
Policies and procedures.
Forms.
Meeting minutes not exempted.
Statistics and performance indicators.
General information on hiring and employment conditions.
If information is grouped, the highest classification applies to all information within the group.
Purpose and Scope
This instruction defines the procedures and responsibilities for managing AgileLab's primary documentation within the management system. This includes documented information such as guidelines, instructions, forms/records, their identification, issuance, distribution, modification, storage, and disposal.
It also covers documentation such as laws, regulations, various external and internal technical documents.
For proper document management, adherence to the rules of preparation, coding, and processing as defined below is necessary:
Documents are written using simple, clear, and understandable language for the intended recipients.
The wording should be prescriptive and not subject to interpretation. When using concepts, abbreviations, or equipment names that are not universally known, a glossary should be provided.
The treatment should be straightforward and linear, leaving specific instructions or alternative steps to supporting instructions.
Forms should contain clear explanatory references for the fields to be completed. Where possible, grids with predefined options should be used rather than blank spaces. If coded information is used, a glossary should be specified in the document's notes.
Coding and Identification
All documents that impact quality are uniquely coded using the following criteria:
Chapters of the management system guidelines
The chapters of the guidelines refer to the paragraph numbering of the relevant reference standard, such as ISO 9001:2015, with the addition of chapters from ISO 27001 and ISO 22301, following the High-Level Structure numbering.
For example, chapter 4 (Organizational Context) of the guidelines, in compliance with UNI EN ISO 9001:2015, corresponds to paragraph 4 (Organizational Context) of the referenced standard.
The guidelines are managed with a code (LGSI) and revision index.
Quality Guidelines, Information Security, and Business Continuity Chapters
Purpose: Provides a brief description of the objectives pursued.
Scope: Describes when and to what extent the chapter applies.
General Information and Responsibilities: Provides a macro description of the company's activities with clear reference to management responsibilities.
The body of the instruction consists of only two paragraphs:
Purpose: Describes the purpose of the operational instruction.
Instruction: Contains the text of the operational instruction.
It clarifies what needs to be done, when, and by whom.
For each activity, it defines the required documentation and data to be recorded.
In many cases, the completion of one activity is a prerequisite for starting the next. Ensure that this is clear from the description.
In other cases, activities are performed simultaneously, and the results of two activities may form the basis for a third.
Format and Support
Documentation is collected and stored within the public repository www.Agilecompliance.website, while classified documents are stored in SharePoint.
These documents, whether written or stored electronically, allow for trend analysis and the improvement of the management system's implementation and effectiveness.
Registration forms, often consisting of lists or tables, are not rigidly structured and only require the general rules mentioned for their preparation.
Files or electronically stored documents should include identification and be coded with the file name or topic identification and/or issuance date (at least in the file indexing).
If documents are completed in file format, the date should be included, and if a signature is required, the compiler's name should be used instead.
Access to electronic documents (if applicable) is password protected.
Files or electronically stored documents are safeguarded through regular backup activities (at different times during the day and on dedicated media). Data related to document management, technical management, accounting, and system management are backed up by AMM. The backup media are stored in locations ensuring their physical protection.
The information systems do not require backups, as support contracts with software vendors cover updates and system functionality.
To safeguard electronic data, an antivirus solution with automatic updates is implemented.
Retention periods for documentation have been identified and summarized in the system's documentation summary module.
Responsibilities for issuance, verification, and approval
System documents are prepared by the Quality Representative in collaboration with the function responsible for their application and approved by the Management.
The organization has defined appropriate rules for modifications, archiving, distribution, and management of obsolete documents, as described below:
Each function may propose modifications to documents or the data contained within. The proposed changes are reviewed and submitted for verification and approval to the same functions that performed the original document verification and approval activities.
The Quality Representative (RQ) is responsible for archiving the issued documentation and managing the archive of obsolete documents.
RQ also manages the archiving of externally sourced documents such as standards and conformity certificates, whether in electronic or hard copy form.
The company also manages electronic data. Because it uses cloud services exclusively for storage, AgileLab adheres to the methods indicated for enterprise environments by the primary provider (Microsoft), and by AWS and Google for some additional services.
RQ is responsible for distributing all system documents and maintaining traceability of the distribution performed.
Sending or delivering documents to external entities is done via certified mail, and RQ is responsible for preserving the corresponding email.
The Handbook, which contains binding documents on privacy (Section A), information security (Section B), and system administrators (Section C), is also distributed to internal and external stakeholders as needed.
It should be noted that AgileLab uses Microsoft Intune for device and application management. The terms and features of the service can be viewed at the following link: [insert link]
RQ separately retains obsolete or superseded versions of documents as a historical record of changes over time.
Management of Standards and Laws
RQ is responsible for collecting, cataloging, and updating standards, laws, and directives issued by Italian or international standardization bodies, as well as industry-specific regulations. Legal requirements are also considered. These documents are relevant to the functioning of the implemented systems and should be available in their updated version for review.
All external reference documents are summarized in the dedicated Module 01-5 Document List, which is managed by RQ in collaboration with the relevant function units (RFUs).
It is the responsibility of RQ to keep this document up to date, conducting at least semi-annual verifications documented directly in the module.
Any new documents must be communicated to other function managers and, if necessary, to the operators.
RQ should update the collection of cited documents by acquiring new versions and ensuring the list remains current. Support for this activity is obtained through:
Website: www.uni.com/it-it
Website: www.bancaditalia.it/statistiche/raccolta-dati
Cloud service providers
Organizational consulting firms
RQ resolves difficult interpretation issues with the collaboration of:
Legal firms for legal interpretation difficulties
Qualified consulting firms for technical issues
Relevant authorities
In case of revision, RQ must obtain the revised document, archive the old version as obsolete, and update the document list.
All documentation (document list, individual standards, circulars) is archived by RQ in electronic form or, if unavailable electronically, in hard copy form.
Documented information is managed in accordance with applicable regulations and covers the following points:
Risks and opportunities (6.1)
Indicators and objectives (6.2.1)
Information security risk assessment process (6.1.2)
Statement of Applicability for controls (Appendix A of the standard) (6.1.3 d)
Risk treatment plan (6.1.3)
Objectives for information security (6.2)
Documented information for personnel (7.2.2)
Documented information for requirement reviews (8.2.3)
Design requirements (8.3)
Supplier evaluation (8.4.1)
Documented information necessary to provide confidence in process conformity and product reliability (8.5.d)
Results of process validation (8.5)
Evidence related to traceability (8.5.2)
Records related to customer property preservation (8.5.3)
Results of change reviews related to production and service delivery (8.5.6)
Records of approval for product release (8.6)
Nonconforming products (8.7)
Business continuity plan (8.8)
Performance and effectiveness evaluation of the management system (9.1.1)
Internal audits (9.2)
Management review documented information (9.3.3)
Evidence of product conformity (10.2.2)
Corrective actions (10.2.2)
The responsibility for archiving rests with the functions responsible for the various activities under the supervision of the Quality Manager.
The responsibility for managing documented information is assigned to the functions responsible for their issuance.
When contractually required, quality records are made available for customer evaluation by agreement. In defining storage locations, the company has considered:
Immediate traceability
Adequate preservation
It should be noted that access to documentation is granted to all function managers, with the exception of documented information related to the responsibilities of the Management, which is accessible only to the Management itself.
The responsibility for eliminating archived material upon expiration rests solely with the Management.