ISO 9001:2015 Documented Information in a Quality Management System (Clause 7.5)
Introduction
A Quality Management System (QMS) relies on a robust framework of documented information, encompassing both documents and records. This is a core requirement of ISO 9001:2015, specifically Clause 7.5. Understanding the distinction is vital: you must maintain controlled documents like procedures and policies, ensuring your processes are consistent and reliable. At the same time, you must retain records such as audit reports and training logs to provide verifiable evidence of conformity. This dual approach gives your organization a single source of truth and a verifiable history. The level of detail and control for this information must be tailored to your organization’s size, complexity, and activities to build an efficient and trustworthy system that supports continuous improvement.
Ready to streamline your QMS documentation? Contact Maxicert for expert guidance.
7.5.1 General
The organization’s quality management system shall include:
a) documented information required by this International Standard,
b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.
NOTE: The extent of documented information for a quality management system can differ from one organization to another due to:
- the size of organization and its type of activities, processes, products and services;
- the complexity of processes and their interactions;
- the competence of persons.
7.5.2 Creating and Updating
When creating and updating documented information, the organization shall ensure appropriate:
a) identification and description (e.g., a title, date, author, or reference number);
b) format (e.g., language, software version, graphics) and media (e.g., paper, electronic);
c) review and approval for suitability and adequacy.
7.5.3 Control of Documented Information
7.5.3.1 Control Requirements
Documented information required by the quality management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g., from loss of confidentiality, improper use, or loss of integrity).
ISO 9001:2015 Clause Guide Panel
- Clause 1
- Clause 2
- Clause 3
- Clause 4 – Sub-clause 1
- Clause 4 – Sub-clause 2
- Clause 5 – Sub-clause 1
- Clause 5 – Sub-clause 2
- Clause 5 – Sub-clause 3
- Clause 6 – Sub-clause 1
- Clause 6 – Sub-clause 2
- Clause 7 – Sub-clause 1
- Clause 7 – Sub-clause 2
- Clause 7 – Sub-clause 3
- Clause 7 – Sub-clause 4
- Clause 8 – Sub-clause 1
- Clause 8 – Sub-clause 2
- Clause 8 – Sub-clause 3
- Clause 8 – Sub-clause 4
- Clause 8 – Sub-clause 5
- Clause 8 – Sub-clause 6
- Clause 8 – Sub-clause 7
- Clause 8 – Sub-clause 8
- Clause 8 – Sub-clause 9
- Clause 8 – Sub-clause 10
- Clause 8 – Sub-clause 11
- Clause 8 – Sub-clause 12
- Clause 9 – Sub-clause 1
- Clause 9 – Sub-clause 2
- Clause 9 – Sub-clause 3
- Clause 9 – Sub-clause 4
- Clause 10
7.5.3.2 Control Activities
For the control of documented information, the organization shall address the following activities, as applicable:
- distribution, access, retrieval and use;
- storage and preservation, including preservation of legibility;
- control of changes (e.g., version control);
- retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled.
Documented information retained as evidence of conformity shall be protected from unintended alterations.
NOTE: Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
ISO 9001:2008 vs ISO 9001:2015 Terminology
- Where ISO 9001:2008 would have referred to documented procedures (e.g., to define, control or support a process), this is now expressed as a requirement to maintain documented information.
- Where ISO 9001:2008 would have referred to records, this is now expressed as a requirement to retain documented information.
Documenting Your Quality Management System
Documented information can refer to:
- Information created in order for the organization to operate (documentation), and/or
- Evidence of results achieved (records).
This clause describes what documentation is required by the standard. The term documented information is used to cover the range of different types of documents.
It is entirely up to you whether you think it will be helpful to have “documented information” (documented procedures).
Minimum Required Documented Information
The minimum documented information required to be created, controlled and/or maintained in a management system includes:
- Scope of the management system
- Policy
- Objectives
- Evidence of competence
- Documented information of external origin necessary for the planning and operation of the management system
- Documented information necessary to have confidence that the processes have been carried out as planned
- Monitoring, measurement, analysis and evaluation results
- Evidence of internal audit programme implementation
- Internal audit results
- Management review results
- Nature of nonconformities and actions taken
- Corrective action results
Documented information, originally created for purposes other than the MSS, may be used.
Importance of Documented Information
The important issue is that your people have the information they need to do their job.
Documented information comes in many different formats and in various media. Electronic storing and distribution is one common approach.
Creating Awareness in the Organization
Scope
Clause 4.3
Support the Processes
Clause 4.4
Quality Policy
Clause 5.2.2 a
Quality Management System
Clause 4.4
Consistently Providing
Clause 5.1.20
Enhancing Customer Satisfaction
Clause 5.1.2 d
Quality Policy Commitment
Clause 5.1.2
System Integrity
Clause 5.3 e
Infrastructure
Clause 7.1.3
Work Environment
Clause 7.1.4
Monitoring & Measuring
Clause 7.1.5 b
Organizational Knowledge
Clause 7.1.6
Requirement Determination
Clause 8.2.2
Design & Development
Clause 8.3.1
Traceability
Clause 8.5.2
Process Outputs Conformity
Clause 8.5.4
QMS Audit
Clause 9.2.1 b
Audit Program
Clause 9.2.2 a
Management Review Resources
Clause 9.3.1 c-6
Types of Documented Information in Different Formats
The following list is not inclusive, but indicates the many different forms documents may take:
| Category | Examples |
|---|---|
| Procedures & Instructions | Procedures, Work instructions, Operating instructions, User manuals |
| Compliance & Standards | Regulatory requirements, Industry standards |
| Planning & Scheduling | Schedules, Manufacturing routers, Control plans |
| Design & Specifications | CAD files, Specifications, Drawings, Master sample |
| Supplier & Quality | Preferred supplier lists, Inspection certificates, Reports, Samples (sales) |
| Customer & Market | Restaurant menus, Customer surveys |
| Education & Training | College curricula, Speaker notes, Visual aids (e.g. photographs) |
| Operations & Support | Call center scripts, Meeting agendas and minutes, Forms |
| Specialized Examples | Medical examples, SME consultant’s telephone contact list, SME setup notes, SME website (contact details) |
Information That Is NOT Documented Information
- Internal and external issues (4.1)
- Interested parties (4.2)
- Intellectual property, lessons learned (7.1.6-Note 1)
- Products and services (8.2.1)
- Information for external providers (8.4.3)
- Competence
- Customer views and opinions of the organisation and its products and services (9.1.2)
- Customer views (9.1.2 Note)
- Monitoring, measuring and other sources (9.1.3)
- Conformance of the quality management system (9.2.1)
- Quality performance, including trends, etc. (9.3.1 c)
Evidence (That Is Not Information)
Give details of different levels of controls (risk): type and extent of control, status and importance necessary and sufficient, confidential.
Consider giving details – documented information for the user with the least experience. The type and extent of control might vary on:
- the size and complexity of the organisation, and
- the risk/impact of the products/services provided.
How Documentation Should Be Designed
- Documentation should indicate who does what, where, when, why and how.
- Identify the creator (author), reader, updater, etc.
- Must clearly and accurately reflect what actually happens, not a wish list.
- Use simple guidance when sufficient (e.g., “push” or “pull” on a door instead of a full work instruction).
Level of Detail in Documentation
The level of detail depends on:
- the methods used,
- the skills needed,
- training undertaken, and
- the extent of supervision required.
Excessive detail does not necessarily give you more control. Competence reduces the need for detailed documentation provided everybody has the necessary information.
Providing the Necessary Information
This clause is about controlling documents from both internal and external sources:
- Internal: drawings, procedures, instructions, acceptance criteria, reference materials.
- External: regulations, standards, codes, specifications.
Different documents and media require different controls.
Documented Information in Different Media
Documented information can be contained in various media and formats, such as:
- written documents,
- electronic data storage,
- video,
- audio tapes,
- posters, pictures,
- social media (websites, blogs, Facebook, YouTube).
Control of Documented Information (DI)
- Make sure the DI in use is the applicable document (latest issue).
- DI generated from activities = statement of facts (previously called records).
- If electronic: back up often, protect from deletion, prevent unintended changes.
- Use consistent processes for different media—decide which copy is the definitive one.
Control of DI of external origin: ensure documents are accessible, current, identifiable and staff know they have the correct version.
Approval and Updating
- Approval required before issuing, removal or revision.
- Can use signatures for written DI; for electronic DI, use passwords, dates, access controls.
- Periodic review (e.g. during internal audits or management review).
- Updating may result from clause 8.5.6 or 6.3.
Documented Records as Evidence
Records show both evidence of results and are useful for:
- root cause analysis,
- trend analysis.
Keep only what adds value/required by standards or business.
Retention: dictated by statutory/regulatory requirements, customer criteria, liability claims, or business control.
Definitive List of Records Mandated by ISO 9001
- Process execution (4.4)
- Fitness for purpose of monitoring & measuring resources (7.1.5)
- Basis for calibration (7.1.5)
- Competence (7.2)
- Process execution results (8.2.3)
- Design & development outputs/changes (8.3.5–8.3.6)
- Conformance/re-evaluation of external providers (8.4.1)
- Traceability (8.5.2)
- Results of review of changes (8.5.6)
- Conformity to acceptance criteria (8.6)
- Nonconformance & actions taken (8.7, 10.2.2)
- Audit program & results (9.2.2)
- Management review results (9.3)
- Corrective action results (10.2.2)
Examples include:
design files, calculations, customer orders, contracts, internal audit reports, nonconformance reports, service failures, warranty claims, customer complaints, corrective action reports, external provider evaluations, test/inspection results, calibration reports, competence evidence, traceability records, release documentation.
Record Management
- Ensure proper access, retrieval, distribution and use.
- Preservation must reduce risks of deterioration, damage or loss.
- Storage must be appropriate for medium use.
- Address software/hardware obsolescence for electronic records.
- Maintain backups.
Conclusion
Effectively managing your documents and records is essential for a good Quality Management System. By controlling this information, you can ensure your processes are consistent, your employees have what they need to do their jobs, and you can prove that you’re meeting requirements. This ultimately helps you improve your business over time.
For organizations aiming for a smooth and successful certification process, expert guidance is invaluable. Maxicert provides reliable ISO certification and consulting services, helping you master documented information requirements and build a quality system that drives business improvement.
Free 60–90 day implementation plan available after consultation.
FAQ
What's the difference between "maintaining" and "retaining" documented information in ISO 9001?
Maintaining documented information means keeping living documents, like procedures, current and controlled. Retaining means keeping records, like audit reports, as evidence of past actions.
What types of documented information are required by the ISO 9001 standard?
The standard mandates a minimum set of documents, including the scope of the QMS, the quality policy and objectives, and evidence of competence. It also requires records from management reviews, internal audits, corrective actions, and monitoring.
How should an organization control documented information of external origin?
External documents like standards and regulations must be controlled. They need to be identified, protected from changes, and staff must have access to the correct, current version.
Client Testimonials
What Our Clients Say About Us?
We are trusted by thousands of clients belonging from technology, manufacturing, healthcare and various sectors
Their presence in Oman made us even better to accomplish our goal of achieving ISO certificates on time, we will definitely recommend their services.
Mr. Sailesh Mohanakrishnan Division Manager – Khimji Ramdas, Oman