Documented information

ISO 9001:2015 Clause 7.5 requires you to maintain the documented information the standard demands and any additional documentation you decide is needed to run an effective QMS. To operationalize it, define what must be documented, control it through a lifecycle (create, approve, distribute, revise, retain), and keep objective evidence that people use the right versions. 1

Key takeaways:

  • Build a QMS document register that separates “required by ISO” from “required by your operations,” and assign owners to each.
  • Control documents and records end-to-end: identification, review/approval, versioning, access, change control, retention, and disposition.
  • Keep audit-ready evidence: approvals, revision history, training/acknowledgements, access controls, and retained records that prove process performance.

“Documented information” is ISO 9001’s umbrella term for the documents and records that define your QMS and prove it works in practice. Clause 7.5 is not asking for paperwork for its own sake. It is asking for controlled information that enables consistent execution and provides objective evidence during internal audits, management review, customer audits, and certification audits. The requirement is intentionally flexible: you must include documented information explicitly required by ISO 9001, and you must also decide what additional documented information is necessary for your QMS to be effective. 1

For a CCO, GRC lead, or compliance owner supporting ISO 9001, the operational problem is predictable: documentation sprawl, inconsistent templates, tribal knowledge, uncontrolled edits, and records scattered across email and shared drives. Auditors typically do not fail you because your writing style is imperfect; they fail you because controls around approval, versioning, availability, and retention are weak, or because staff are using outdated instructions. This page gives you requirement-level implementation guidance: what to define, how to run the lifecycle, what evidence to retain, and where teams get stuck.

Regulatory text

ISO 9001:2015 Clause 7.5 states: “The organization's QMS shall include documented information required by this International Standard and determined necessary for QMS effectiveness.” 1

What the operator must do

You must do two things at the same time:

  1. Include documented information required by ISO 9001 (whatever the standard explicitly calls for across clauses).
  2. Decide and maintain additional documented information needed for effectiveness, based on your processes, risks, complexity, outsourcing/third parties, customer requirements, and regulatory commitments relevant to your scope. 1

This is a control requirement, not a formatting requirement. The audit focus is whether your documentation is appropriate, controlled, available, and actually used, and whether your records provide objective evidence that the QMS performs.

Plain-English interpretation (what Clause 7.5 really means)

  • Documents: information that tells people what to do (policies, procedures, work instructions, process maps, SOPs, forms, checklists).
  • Records: information that proves what was done (completed forms, inspection results, training completion evidence, audit reports, CAPA records, management review outputs).

Clause 7.5 expects you to control both categories so the QMS runs consistently and you can prove it. 1

Who it applies to

Entities

  • Any organization operating an ISO 9001:2015 Quality Management System, including organizations seeking initial certification or maintaining certification. 1

Operational context (where it shows up)

  • Process execution on the shop floor or in service delivery (people need the right instructions).
  • Regulated or customer-audited environments (customers ask for controlled procedures and objective evidence).
  • Multi-site operations (standardized documents, localized records).
  • Outsourced processes and third parties performing QMS-impacting work (you must control expectations and retain evidence of conformity through agreements, specs, and acceptance records).

What you actually need to do (step-by-step)

Step 1: Set your “documented information scope”

Create a one-page decision rule your organization can follow:

  • What types of processes require documented procedures or work instructions?
  • What outputs require retained records?
  • What third-party activities require controlled specs, SLAs, quality agreements, or acceptance criteria?

Deliverable: Documented Information Standard (a short internal standard) that defines document vs. record, minimum metadata, and control expectations. 1

Step 2: Build and maintain a QMS document register

Create a register (spreadsheet or GRC tool) with at least:

  • Document/record name
  • Type (policy/procedure/WI/form/record)
  • Process owner
  • Approver
  • Current version and effective date
  • Location (system of record)
  • Applicable sites/teams
  • Retention rule (for records)
  • Link to related risks/controls (optional but helpful)

Practical tip: Add a column for “ISO-required / org-determined” so you can defend why it exists and why it matters. 1

Step 3: Implement document control (creation through change)

Define a simple lifecycle and enforce it:

  1. Draft (authoring with template)
  2. Review (SME + quality/compliance)
  3. Approval (named approver; no anonymous approvals)
  4. Publication (single source of truth)
  5. Change control (requests, impact review, re-approval)
  6. Archiving (superseded versions controlled; prevent accidental use)

Minimum controls auditors expect to see in practice:

  • Unique ID/title
  • Version number or revision date
  • Owner and approver
  • Change history (what changed and why)
  • Controlled distribution/access (who can edit vs. view)

Deliverable: Document Control Procedure and templates that make compliance the default. 1

Step 4: Implement record control (retention through disposition)

Records fail audits more often than documents because they are messy and decentralized. For each record type, define:

  • Where it is created (system/process step)
  • Where it is stored (system of record)
  • Who is responsible for completeness and review
  • Retention and disposition method
  • Access control and confidentiality needs

Deliverable: Records Retention Schedule for QMS records tied back to the register. 1

Step 5: Make the documents usable on the front line

Operationalize availability:

  • Ensure staff can access the current version where they do the work (shop floor terminals, service desks, mobile access, or printed controlled copies where needed).
  • Prevent “local copies” from becoming the real process.

If you have multiple sites, define what can be locally tailored and what must remain global.

Step 6: Prove adoption (training, acknowledgements, and verification)

Control is not complete until you can show people follow the current documents:

  • Training assignments for new/changed procedures
  • Acknowledgements (read-and-understood) for critical documents
  • Spot checks during internal audits (ask staff to show the current instruction and walk through it)

Evidence can be lightweight, but it must be consistent and retrievable.

Step 7: Run governance through internal audit and management review

Add documented information health checks to your internal audit program:

  • Sampling for obsolete versions in use
  • Sampling for missing approvals
  • Sampling for missing records and incomplete forms
  • Sampling for retention/disposition compliance

Feed results into management review and corrective actions. 1

Required evidence and artifacts to retain

Use this as your “audit-ready pack” list:

Core controlled documents

  • Document Control Procedure (how you manage documents and records)
  • Document templates (policy/procedure/WI/forms) with required metadata
  • Document register / master list with owners, versions, locations
  • Records retention schedule for QMS records (or integrated into your enterprise schedule)

Objective evidence (records)

  • Approval records (workflow logs, signatures, or approval emails captured in the system of record)
  • Revision history / change log for controlled documents
  • Training completion or acknowledgement records for key documents
  • Internal audit reports that sample documented information controls
  • Evidence of retrieval (ability to produce specific records on request)

Third-party related evidence (where relevant)

  • Controlled specifications, quality agreements, or acceptance criteria shared with third parties
  • Incoming inspection/acceptance records tied to third-party deliverables
  • Records of nonconformance and corrective actions involving third parties

Common exam/audit questions and hangups

Auditors and customer assessors tend to probe in predictable ways:

  1. “Show me your master list. How do you know this is the current version?”
    Hangup: multiple repositories, unmanaged PDFs, uncontrolled SharePoint folders.

  2. “How do you prevent use of obsolete documents?”
    Hangup: printed copies with no control stamp, local copies in team folders.

  3. “Pick a process. Show the procedure and the last three records it produces.”
    Hangup: procedures exist, but records are missing, incomplete, or unretrievable.

  4. “Who approves changes, and how do you assess impact?”
    Hangup: edits happen without re-approval or without retraining affected staff.

  5. “What documented information did you determine was necessary beyond ISO’s minimum?”
    Hangup: you can’t explain your rationale, so it looks arbitrary.

Frequent implementation mistakes (and how to avoid them)

Mistake 1: Treating Clause 7.5 as a document-writing exercise

Fix: start from process risk and operational need. Document what people must do consistently and what you must prove later. 1

Mistake 2: No clear separation between “documents” and “records”

Fix: define both terms internally and map each process to the records it must generate, store, and retain.

Mistake 3: “Shared drive control” with no real approvals or versioning

Fix: require formal approval before publication and enforce read-only access for published versions.

Mistake 4: Change management does not trigger training

Fix: set a rule: if a change affects how work is performed, assign training or acknowledgement and retain completion evidence.

Mistake 5: Documentation ownership is unclear

Fix: assign an accountable owner and an approver per item in the register, not just per department.

Enforcement context and risk implications

ISO 9001 is a certifiable standard, not a regulator. The practical “enforcement” is through certification audit findings, customer audit findings, and contract consequences. Weak control of documented information commonly leads to:

  • Inconsistent process execution and quality escapes
  • Inability to prove conformity during audits
  • Corrective action workload and operational disruption
  • Customer confidence issues when you cannot produce objective evidence quickly

If your QMS scope includes third-party performed processes, poor documentation control increases the risk of misaligned requirements, acceptance disputes, and gaps in traceability.

Practical 30/60/90-day execution plan

First 30 days (stabilize control)

  • Assign a single owner for documented information governance (often Quality, sometimes GRC/Compliance in shared models).
  • Inventory existing QMS documents and key records; create the first version of the document register.
  • Choose a system of record (even if temporary) and stop uncontrolled publishing outside it.
  • Publish minimum templates and naming/versioning rules.
  • Identify “high-risk documents” (those that drive critical operations) and lock down editing rights.

Days 31–60 (operationalize lifecycle)

  • Implement review/approval workflow and change logging.
  • Define record storage locations and responsibilities by process.
  • Draft or update the Document Control Procedure and records retention rules.
  • Run a pilot in one function or site; test retrieval by simulating an audit request (pick a process, pull the procedure plus related records).

Days 61–90 (prove effectiveness and close gaps)

  • Roll out training/acknowledgements for critical procedures.
  • Add documented information controls to internal audit checklists and complete a first sampling cycle.
  • Remediate: obsolete docs in circulation, missing approvals, missing records, unclear retention.
  • Prepare an “audit retrieval pack” routine so the team can respond to document/record requests consistently.

Tooling note: Teams often start in SharePoint or a QMS tool. If you need tighter control and audit-friendly reporting across policies, procedures, records, and third-party artifacts, Daydream can centralize document registers, approvals, and evidence collection so retrieval is repeatable under audit pressure.

Frequently Asked Questions

Do we have to document every process to meet the documented information requirement?

No. Clause 7.5 requires documented information required by ISO 9001 and whatever you determine is necessary for QMS effectiveness. Document processes where consistency, risk, complexity, or auditability requires it. 1

What’s the difference between a controlled document and a record?

A controlled document tells people what to do and must be version-controlled and approved. A record proves what happened and must be retained, retrievable, and protected from inappropriate change. 1

Can we keep QMS documents in SharePoint or Google Drive?

Yes, if you can demonstrate control: formal approval, versioning, access restrictions, change history, and prevention of obsolete use. If you cannot consistently prove those controls, move to a system that can. 1

How do we show auditors that only current versions are in use?

Maintain a master list with current versions and make it the single source of truth, then show access controls and a process that removes or clearly marks superseded versions. Internal audit sampling that checks points of use helps. 1

What documented information should we require from third parties?

Require whatever is needed to define and verify conformity, such as specifications, acceptance criteria, and evidence of results. Store those artifacts under your documented information controls if they affect your QMS outcomes. 1

What will most likely trigger a nonconformity under Clause 7.5?

Common triggers include missing approvals, uncontrolled changes, obsolete instructions in circulation, and missing or unretrievable records for a selected process. Auditors usually test this by sampling. 1

Footnotes

  1. ISO 9001:2015 Quality management systems — Requirements

ISO 9001 Documented information: Implementation Guide | Daydream