3.4 Clause 7.5 — Documented information
Key Takeaways
- Clause 7.5 covers both documented information mandated by ISO 9001 and documented information the organization itself determines is necessary; the required volume scales with organization size, process complexity, and staff competence
- "Maintained" documented information (procedures, policy) is kept current; "retained" documented information (records) is fixed evidence of a result — both must be identified, formatted, and reviewed/approved before use
- Control of documented information covers distribution/access/retrieval/use, storage/preservation, control of changes, and retention/disposition, plus control of externally originated documents
- The most common real-world finding is an obsolete document still in use at the point of work even though the master register is correct — availability where and when needed is what Clause 7.5.3.1 actually requires
7.5.1 General
Clause 7.5 governs documented information — the term ISO 9001:2015 uses to replace the older "documents" and "records" language from prior editions, though auditors still commonly use those legacy terms informally. The QMS must include both documented information required by ISO 9001 itself (explicit mandatory requirements scattered through the standard) and documented information the organization has determined is necessary for the effectiveness of its own QMS. A note to the clause acknowledges that the extent of documented information can differ from one organization to another depending on the size of the organization and its type of activities, processes, products, and services; the complexity of processes and their interactions; and the competence of persons. This is why a lead auditor should never demand a specific procedure or form just because a previous auditee had one — the requirement is for adequate control, not a fixed set of documents.
It is useful to distinguish two categories of documented information, even though the standard itself does not use these exact labels formally:
| Category | Nature | Examples |
|---|---|---|
| Maintained documented information | Living instructions/references, kept current | Procedures, work instructions, the quality policy, the QMS scope |
| Retained documented information | Evidence of results, fixed once created | Calibration records, training records, audit reports, management review minutes |
7.5.2 Creating and Updating
When creating or updating documented information, the organization must ensure appropriate:
- Identification and description — a title, date, author, or reference number
- Format — including language, software version, and graphics — and media, whether paper or electronic
- Review and approval for suitability and adequacy before the document is used
7.5.3 Control of Documented Information
Clause 7.5.3.1 sets the objective: documented information required by the QMS and by ISO 9001 must be controlled to ensure it is available and suitable for use, where and when needed, and that it is adequately protected — from loss of confidentiality, improper use, or loss of integrity.
Clause 7.5.3.2 then lists the specific activities the organization must address, as applicable:
- Distribution, access, retrieval, and use
- Storage and preservation, including preservation of legibility (a real concern for records stored in harsh production environments)
- Control of changes, such as version control
- Retention and disposition — how long records are kept and how they are eventually disposed of
Two additional details matter for the exam. First, documented information of external origin — supplier drawings, customer specifications, applicable standards — that the organization has determined is necessary for planning or operating the QMS must also be identified and controlled; a common finding is an obsolete customer specification still in use on the shop floor because external documents were never brought under the same control regime as internal ones. Second, documented information retained as evidence of conformity must be protected from unintended alterations — records, once created, should not be editable in a way that lets someone quietly rewrite history (paper records altered without a single-line-through correction and initials, or electronic records with no audit trail of changes, are both classic findings here).
Retention periods themselves are not prescribed by ISO 9001; the organization determines them based on statutory, regulatory, contractual, or its own business needs, and the auditor's job is to confirm a retention schedule exists and is being followed, not to impose an external standard of "how long is long enough." A calibration record might be retained for the life of the equipment plus a defined period, while a customer complaint file might follow a contractual retention clause — either can be compliant provided the organization can explain and demonstrate the basis for its own decision.
Which Documented Information Is Mandatory?
The standard scatters explicit "shall retain/maintain documented information" requirements throughout its clauses rather than collecting them in one place, which is exactly why an auditor benefits from knowing the pattern rather than memorizing a static list. Examples referenced elsewhere in this guide include: the scope of the QMS (4.3); the quality policy (5.2); quality objectives (6.2); criteria for the operation of processes and the controls applied (4.4); evidence of competence (7.2); evidence of fitness for purpose of monitoring and measuring resources, including calibration (7.1.5); and — covered in later chapters — results of monitoring, measurement, internal audit, and management review (Clause 9), and records of nonconformity and corrective action (10.2).
What the Auditor Checks
Typical objective evidence includes a document-control procedure describing how creation, review, approval, distribution, and revision are handled; a master document list or equivalent register showing current revision levels; version-control history or change logs demonstrating superseded documents were withdrawn from use; access permissions in an electronic document management system, or physical control (e.g., controlled-copy stamps) in a paper-based one; a documented retention schedule with defined retention periods and disposition methods; and, most importantly, spot checks in the workplace confirming that the document in use at the point of work matches the current approved revision — a finding of an obsolete work instruction still posted at a workstation, even if the master list shows the correct revision, is a genuine and common nonconformity against clause 7.5.3.1's requirement that documented information be available and suitable for use where and when needed.
During a floor walk, a lead auditor finds a work instruction posted at a workstation that is one revision behind the version listed as current on the organization's master document register. The operator is unaware a newer revision exists. Which requirement is most directly breached?