Documented information — Creating and updating

ISO 9001:2015 Clause 7.5.2 requires you to control how documented information is created and changed so every document is clearly identified, in an appropriate format, and reviewed and approved before use. To operationalize it quickly, standardize document metadata, templates, and approval workflows, then retain proof of review/approval and version history. ¹

Key takeaways:

• Every controlled document needs consistent identification (title, owner, version, date, status) and fit-for-purpose format/media.
• Changes must follow a defined review-and-approval workflow with objective evidence (who approved what, when, and which version).
• Auditors will test control operation by sampling documents and tracing them from creation through approval to current use.

Clause 7.5.2 is a practical control requirement: if you cannot show that documents are identifiable, readable, current, and approved, your QMS will fail in day-to-day execution even if your processes are sound. The clause focuses on three things you can operationalize: (1) identification (what the document is and how to recognize the current version), (2) format and media (how the document is presented and stored so users can reliably use it), and (3) review and approval (how you validate suitability and adequacy before release or after changes). ¹

For a Compliance Officer, CCO, or GRC lead, treat this as a control design and evidence problem. You need a documented rule for document creation/updates, a workflow that enforces it (manual or system-based), and artifacts that make audits easy: metadata, change history, and approval records. If you manage third parties, this requirement also applies to externally provided documents you control (procedures, work instructions, quality plans) and to documents that govern third-party work. ¹

Regulatory text

ISO 9001:2015 Clause 7.5.2: “When creating and updating documented information, the organization shall ensure appropriate identification, format, and review and approval.” ¹

What the operator must do

• Ensure appropriate identification so users can tell what the document is, who owns it, and what the current approved version is. ¹
• Ensure appropriate format and media so the document is usable (readable, accessible to intended users, and maintained in a controlled system or method). ¹
• Ensure review and approval for suitability and adequacy before release and after updates, with evidence that the approval happened. ¹

Plain-English interpretation

Your organization must run document control like a production process: every QMS document has a defined identity, a standard way it is presented/stored, and a gate that stops unapproved drafts from becoming “the procedure people follow.” If a document changes, you must be able to prove the updated version was reviewed and approved, and users can reliably find and use the approved version. ¹

Who it applies to (entity and operational context)

This requirement applies to any organization operating an ISO 9001:2015 quality management system, regardless of industry or size. ¹

Operationally, it applies wherever you create or update documented information used to run the QMS, including:

• Policies, procedures, work instructions, SOPs, quality manuals, process maps.
• Forms and templates that collect quality records (inspection logs, CAPA forms, training sign-offs).
• Quality plans, control plans, test methods, and specifications.
• Documents that govern third-party work (supplier quality requirements, incoming inspection criteria, outsourced process instructions). ¹

Owners typically include process owners, QA/QC, compliance/GRC, engineering, operations, and document control administrators.

What you actually need to do (step-by-step)

1) Define the documented information lifecycle (one page is enough)

Create a short “Document Creation and Update Control” procedure that states:

• Which documents are controlled (scope) and which are not (examples: personal notes, informal drafts).
• Required metadata fields (see below).
• Required review/approval roles by document type and risk.
• Where controlled documents live (system of record) and how drafts are handled.
• Rules for effective dates, versioning, and superseded documents. ¹

2) Standardize identification (metadata) for every controlled document

Use a minimum required set of fields that appear on the document and/or in the document repository:

Recommended identification fields

• Document title
• Unique document ID or code (consistent naming convention)
• Version or revision identifier
• Status (Draft / In Review / Approved / Obsolete)
• Effective date
• Document owner (accountable role)
• Approver(s) (role-based, not just names)
• Function/process area (so users can find it)
• Page numbering (where relevant) ¹

Practical control: make it hard to publish a document without these fields. If you manage documents in SharePoint/Confluence/Google Drive, enforce this via templates plus required properties. If you have an eQMS, enforce via required fields and workflow gates.

3) Set format and media rules that match how work happens

Clause 7.5.2 does not force paper or electronic. It requires “appropriate” format/media. Translate “appropriate” into operational criteria you can defend:

Format/media acceptance criteria

• Readable at point of use (shop floor, lab, remote work, mobile).
• Accessible to intended users without workarounds.
• Controlled location is defined (single system of record).
• Critical documents have change control and version history.
• If printed copies are used, rules define how you prevent uncontrolled use (print watermark, controlled distribution list, print validity statement). ¹

Common pattern: one authoritative digital copy, with controlled printing only where required by operations.

4) Implement a review and approval workflow (release gate)

Define a workflow that answers four audit questions: who reviews, who approves, what they check, and how you prove it.

Workflow design (minimum viable)

1. Author drafts using the approved template.
2. Technical review by process owner or SME for correctness and feasibility.
3. Quality/compliance review for alignment to QMS requirements (and any regulated constraints you follow).
4. Approval by authorized approver(s) before release; approval creates an immutable record of version + date + approver identity. ¹

What reviewers should check (make it a checklist)

• Document identification fields complete
• Scope and purpose clear
• Responsibilities defined
• Steps match current process
• References/linked docs are current
• Forms/records referenced exist and are accessible
• Training/communication trigger identified (if applicable)
• Risk or impact considerations addressed for material changes ¹

5) Control updates: change request, impact check, and re-approval

Treat updates as controlled change:

• Initiate a change request (even lightweight).
• Describe the change and why it’s needed.
• Identify impacted processes, records, training, and third-party requirements.
• Route to the same (or defined) review/approval path.
• Publish the new version and retire the old one with clear “obsolete” status and retention rules. ¹

6) Make “current version at point of use” easy

Auditors will sample where work occurs. Build a retrieval method that front-line teams can follow:

• One QMS portal or index by process area.
• Searchable titles and consistent naming.
• Clear “Approved” status visible without opening the file.
• Redirect or archive superseded versions so they do not appear in normal search results.

7) Operationalize with tooling (without over-engineering)

If you already have Microsoft 365, Google Workspace, Confluence, or an eQMS, you can meet 7.5.2 by configuring:

• Templates with required fields
• Controlled folder permissions
• Mandatory approval step (workflow) before changing status to “Approved”
• Version history and audit logs
• Read-only access for most users; edit rights limited to document control/owners

If you need faster execution and cleaner evidence for audits, Daydream can act as a control hub to define document control requirements, map them to owners, and track evidence requests so approvals, version history, and document registers stay audit-ready.

Required evidence and artifacts to retain

Auditors expect objective evidence that identification, format/media control, and review/approval are real controls, not aspirations. Maintain:

• Documented procedure for creating/updating documented information. ¹
• Document register or master list showing current versions, owners, and status.
• Templates (SOP, WI, policy) with required metadata fields.
• Approval records: e-signature logs, workflow screenshots, email approvals (prefer workflow logs), meeting minutes tied to document version.
• Revision history within the document or system logs (what changed, when).
• Access control evidence: repository permissions and roles for who can edit/approve.
• Obsolete document control evidence: archive location, labeling, retrieval restrictions.

Common exam/audit questions and hangups

Expect these questions (and prepare a one-minute answer plus artifacts):

• “Show me how you know this is the current approved procedure.” (document register + status/metadata)
• “Who approved this version and when?” (workflow approval record tied to version)
• “What triggers re-approval when changes occur?” (change control rule + sampled change record)
• “How do operators access documents at point of use?” (portal/index demo)
• “How do you prevent use of obsolete documents?” (archive controls + labeling + permissions)
• “Are externally provided documents controlled?” (supplier docs in controlled repository with identification and approval where relevant) ¹

Frequent implementation mistakes and how to avoid them

Mistake	Why it fails in audit/operations	Fix
Documents lack clear version/status	Users can’t prove “current”	Add required metadata fields and a visible status block
Approvals happen in email only	Evidence is scattered and hard to trace to a version	Centralize approvals in a workflow or attach the email approval to the document record
Templates vary by department	Identification and format become inconsistent	Publish controlled templates; block ad hoc formats for controlled docs
Old versions remain easy to find	Operators may use obsolete instructions	Archive/lock superseded versions; ensure search defaults to current
“Approval” is a rubber stamp	Suitability/adequacy is not demonstrated	Use a reviewer checklist; require comments for major changes
Third-party governing docs are unmanaged	Outsourced work drifts from expectations	Bring supplier quality requirements into the same document control approach

Enforcement context and risk implications

ISO 9001 is a certifiable standard rather than a regulator, so “enforcement” typically occurs through certification audits and customer audits. The practical risk is operational: uncontrolled documents drive nonconforming product/service, inconsistent training, weak CAPA execution, and avoidable audit findings. Clause 7.5.2 is also a common root cause behind repeat nonconformities because teams “fix the process” but fail to control the procedure that defines it. ¹

A practical 30/60/90-day execution plan

First 30 days (stabilize and stop document drift)

• Assign a document control owner and define approver roles by document type.
• Publish a single document template set (policy/SOP/WI/form) with required identification fields.
• Stand up a system of record (or clean up the existing repository) and create a document register.
• Implement a minimum approval gate: no status change to “Approved” without recorded approval. ¹

By 60 days (control updates and make evidence easy)

• Implement change request + impact check for updates, including training and third-party impacts.
• Migrate high-use/high-risk procedures into the controlled format.
• Establish rules for printed copies and point-of-use access.
• Run an internal sample test: pick a few documents and trace creation → approval → current availability → obsolete handling.

By 90 days (prove consistent operation)

• Expand control to remaining QMS documents and externally provided documents that govern quality-critical work.
• Train document authors/reviewers on the checklist and workflow expectations.
• Conduct an internal audit focused on 7.5.2: verify identification, format/media, and approval records across departments.
• Use Daydream (or your existing GRC tooling) to track control ownership, testing, and evidence requests so future audits are routine instead of a scramble.

Frequently Asked Questions

Do we need a formal document numbering system to meet ISO 9001 Clause 7.5.2?

The clause requires “appropriate identification,” not a specific numbering method. A numbering system helps, but you can also meet the intent with consistent titles, version IDs, owners, and statuses that clearly distinguish the current approved document. ¹

Are forms and templates “documented information” that must be reviewed and approved?

If a form/template is controlled and used to run the QMS (for example, CAPA forms or inspection checklists), treat it as documented information and approve it before release. Keep version control so records created from the form remain interpretable over time. ¹

Can we approve documents via email?

Email can work if you can reliably tie the approval to a specific version and retain it as objective evidence. A workflow tool is usually easier because it preserves version history and approval logs in one place. ¹

How do we handle minor edits like typos?

Define what qualifies as an editorial change versus a process change, and still record the update with version history. Many teams allow streamlined review for editorial-only edits but still require approval before release to avoid ambiguity during audit sampling. ¹

What counts as “appropriate format and media” for shop-floor teams without easy computer access?

If paper is the point-of-use format, define controlled printing rules, labeling (effective date/version), and how you replace obsolete copies. The key is that the format works for the user and remains controlled. ¹

Do we need to control third-party documents provided by suppliers?

If you rely on those documents to meet quality requirements (specifications, test methods, supplier work instructions you adopt), control their identification, storage, and version status in your system of record. Apply review/approval to confirm suitability before use. ¹

Footnotes

1. ISO 9001:2015 Quality management systems — Requirements