I have a PhD and have been creating/building/working in an ISO17025 laboratory for over 30 years. Today, I was helping a fellow company with an internal audit. On one of the ISO controlled forms I noticed that full names of companies have been completely spelt out (process deficiency, confidentiality deficiency). The lab manager (not very experienced) said that because those non-ISO clients are on an ISO form, they don't count for confidentiality and process rules under ISO. Shocked, I didn't know what to say. Is it a documentation deficiency to list non-ISO clients on ISO internally controlled documents?