Chapter 1: What ISO Clause 7.5 Actually Requires (Document Control 101)

ISO 9001:2015 clause 7.5 requires documented information to be identified, controlled for revision, accessible to those who need it, protected from loss or unauthorized change, and retained per defined retention rules. The same three sub-clauses (7.5.1 general, 7.5.2 creating/updating, 7.5.3 control) appear verbatim in 14001, 45001, 13485, 22000, IATF 16949, AS9100, FSSC 22000, 17025 and 22301. One well-designed document-control system covers all 10 standards. That single architectural fact is the reason most North American manufacturers are running three or four parallel control systems when they only need one.

The exact text of clause 7.5 (and where it appears across 10 standards)

Clause 7.5 of ISO 9001:2015 is split into three sub-clauses, and each one carries equal weight during a certification audit. Sub-clause 7.5.1 (General) requires the quality management system to include documented information required by the standard plus documented information determined as necessary for the effectiveness of the QMS. Sub-clause 7.5.2 (Creating and updating) requires that when creating or updating documented information, the organization ensures appropriate identification and description (title, date, author, reference number), appropriate format (language, software version, graphics) and media (paper, electronic), and appropriate review and approval for suitability and adequacy. Sub-clause 7.5.3 (Control of documented information) requires that documented information is available where needed, protected from loss of confidentiality and integrity, distributed and accessed under control, retained, preserved (including legibility), and disposed of per defined retention rules.

The reason this matters across a multi-standard environment is that ISO Annex SL — the harmonized high-level structure published by ISO — fixes clause 7.5 as common text across every modern management system standard. The clause numbering, sub-clause structure, and requirements are identical word-for-word.

ISO 13485 and ISO/IEC 17025 use older numbering (4.2.4/4.2.5 and 8.3 respectively) because both standards predate the Annex SL harmonization, but the substantive requirements — identification, review, approval, distribution control, retention — are the same. Manufacturers running ISO 9001 alongside ISO 13485 often build two parallel SOP libraries when one structured library with medical-device-specific metadata fields would satisfy both.

What "documented information" actually means

ISO 9001:2015 collapsed the older terms "document" and "record" into a single term: documented information. This was not cosmetic. It signaled that auditors evaluate both controlled instructions and the evidence those instructions produce against the same control framework — identification, protection, retention, retrieval.

In practice, documented information divides into two functional categories. Documents are the prescriptive set: the quality manual (still required by ISO 13485 even though optional in ISO 9001), policies, procedures, work instructions, forms, drawings, specifications, control plans, FMEAs, and HACCP plans. These tell people what to do and how to do it. Records are the descriptive set: completed inspection sheets, calibration certificates, training records, internal audit reports, management review minutes, nonconformance reports, CAPA records, supplier evaluations, and customer complaint logs. These prove what was actually done.

Both must be controlled. The control mechanism differs: documents need version control (only the current revision is in use), while records need integrity control (originals cannot be altered after the fact). A blank inspection form is a document; the same form filled in by a CMM operator on April 24 is a record. Auditors at manufacturing facilities will trace both directions — pulling the current revision of an inspection procedure and asking for the records it produced last month, or pulling a completed record and asking which revision of the procedure was active when it was generated.

The five things every document must demonstrate (per 7.5.3)

Every controlled document — paper or electronic — must demonstrate five attributes during an audit. Missing any one of them is a finding.

Unique identification. Every document needs a title, a unique identifier (typically a code like QP-001 or WI-MFG-014), an issue or revision date, and an owner. Auditors will ask why two documents share the same code or why a procedure has no owner listed. "Accountability gaps" is the most common minor finding written against this attribute.

Defined format and medium. The standard requires the format (language, graphics, software version) and medium (paper, electronic, both) to be defined and consistent. Mixing PDF and Word versions of the same procedure across departments creates a 7.5.2 finding because the "appropriate format" requirement is not being applied uniformly.

Documented review and approval. Every document needs evidence of review for suitability and approval before release. This is where signature blocks, electronic approval workflows, or system audit trails earn their existence. A procedure with no approver, an expired approver who left the company two years ago, or an "approved" stamp with no date all fail this attribute.

Version and revision control. Only the current revision can be in use at the point of work. Superseded revisions must be either removed from circulation or marked clearly as obsolete. The classic finding: a quality engineer at a US plant pulls SOP-014 Rev 3 from a controlled binder while the live system shows Rev 5 was released six weeks ago.

Controlled distribution and access. People who need the document must have access; people who could misuse it should not. Confidential design files, customer-proprietary drawings, and FDA submission documents need access controls. Auditors verify this by asking a line operator to retrieve the current procedure for the task they are performing — and timing how long it takes.

These five attributes are exactly what the PinnacleQMS platform automates: every document on the system carries metadata for identification, format, approver, revision, and access control by default, which is why PinnacleQMS clients pass certification audits at a 98% first-attempt rate across 250+ certifications.

Common misreadings of clause 7.5 that fail audits

Six specific misreadings show up in finding letters from accredited auditors year after year. Each one is preventable.

"Cloud-based means controlled." Storing procedures in SharePoint, Google Drive, or Dropbox does not satisfy 7.5.3 unless the platform enforces revision control, approval workflows, and access logs. Auditors regularly write findings against companies whose "QMS" is a SharePoint folder where anyone with edit access can overwrite a controlled procedure. The control requirement is functional, not technological.

"Records don't need version control." True for the record itself, false for the form template. The blank form is a controlled document and must carry a revision number. A 2024 inspection record filled in on a 2019 form template is a finding because the operator was using an obsolete document.

"Email approval is good enough." ISO 9001 does not prohibit email approvals, but the approval evidence must be retained, retrievable, and tied to a specific document revision. An email saying "approved" with no document version reference and no retention policy fails 7.5.2.

"External documents aren't our problem." Customer drawings, supplier specifications, regulatory standards (FDA 21 CFR Part 820, Health Canada MDR, ISO standards purchased from ANSI), and statutory requirements are explicitly in scope. Clause 7.5.3 requires that "documented information of external origin determined by the organization to be necessary" is identified and controlled. Auditors at automotive suppliers routinely ask to see the customer-specific requirements register and the revision-control mechanism for it.

"Retention means we keep it forever." Retention means defined retention. ISO 9001 requires retention rules to be defined and applied; it does not require infinite retention. IATF 16949 adds specific minimums (production part approvals, tooling records, control plans retained for the length of production plus one calendar year minimum). ISO 13485 and FDA 21 CFR Part 820 require retention for the lifetime of the device plus a minimum period. Defining "indefinite" retention for everything triggers data-protection findings under privacy frameworks and is not what the standard requires.

"The procedure says X but we do Y — that's fine because operators know better." This is the single most common finding across healthcare and medical device clients. Documented information must reflect actual practice. Either the procedure changes through controlled revision, or the practice changes — but the gap between document and reality is a clause 7.5 nonconformance every time.

How accredited auditors verify clause 7.5 in practice

Accredited auditors — those operating under ANAB or SCC accreditation in North America — follow a predictable verification sequence. Understanding the sequence is the difference between a clean audit and a finding letter.

Sampling, not exhaustive review. No auditor reads every procedure. They sample. The sample typically includes the quality manual or QMS overview document, two to four procedures selected by process risk (the auditor will pick the highest-risk processes — production, design control, supplier management, calibration), one or two work instructions per procedure traced down, and three to five records produced under each sampled procedure within the past audit cycle.

Trace forward and trace backward. Auditors trace forward from a controlled procedure to the records it produced ("Show me the last five inspection reports generated under QP-007") and backward from a record to the procedure that governed it ("This calibration certificate was issued February 12 — which revision of the calibration procedure was active that day, and where is the evidence?"). A document-control system that cannot answer the backward trace fails the audit.

Evidence at the point of use. Auditors leave the conference room. They walk to a CNC cell, a packaging line, a food-processing facility, or a testing lab and ask the operator on the floor to retrieve the current procedure for the task they are performing. If the operator cannot retrieve it within a reasonable time, or retrieves an obsolete revision, the finding is written against 7.5.3 — "documented information not available where needed." This is the single most common major finding across all 10 standards.

External document control. Auditors verify that customer specifications, regulatory documents, and purchased standards are tracked and controlled. For ISO 17025 testing laboratories, this includes the controlled register of test methods (ASTM, ISO, EPA, FDA reference methods) and evidence that the lab is using the current published version of each method.

Approval audit trail. Auditors will ask to see who approved a specific document, when, and against which revision. Electronic systems must produce this on demand; paper systems must have signed and dated approval pages stored alongside the controlled master. Missing or undated approvals are the second most common minor finding.

A document-control system that survives this verification sequence on the first attempt — across all 10 standards a manufacturer might hold — looks the same in every successful implementation: structured metadata on every document, automated revision control, role-based access, time-stamped approval workflows, and a retention engine that applies the right rule to each document type. That is what every chapter of this guide is going to build, clause by clause and standard by standard. Multi-standard manufacturers ready to compress three or four parallel control systems into one structured library can review the PinnacleQMS implementation process or Contact Us to Know More about cross-standard document-control architecture.