Understanding Section 7.5

By Jared Clark | September 1, 2025

Documented Information

This is an educational article on Section 7.5 of ISO 9001, entitled “Documented Information”.

The purpose of this article is to give you an understanding of what Section 7.5 requires.

This article is directed towards:

  • Those responsible for compliance to section 7.5
  • Those responsible for document management activities generally.
  • Others interested in understanding section 7.5

Section 7.5 is entitled “Documented Information.” Documented information is intentionally a broad term. It can refer to a document that is communicating a message, or providing evidence of what was planned or accomplished, or sharing organizational knowledge, or any other number of things.  

The official definition is:

“meaningful data and its medium that is required to be controlled and maintained by the organization.” The medium referred to in this definition can include paper, magnetic, electronic, photographic, or almost any medium for communicating information. Software code, electronic forms, internet sites, and automated processes can also an acceptable form of documented information.

Documented information is often referred to in the standard as information that is either “maintained” or “retained.”

  • Generally, documented information that needs to be maintained is referring to documents like policies and procedures. In previous versions of ISO 9001 this was referred to simply as “documented procedures” or just “documents.”
  • Documented information that needs to be retained refers to what was previously called “records” – such as documented information “Retained as evidence” of conformity.

The language of the standard may seem unnecessarily vague, but ISO is trying to allow greater flexibility to organizations by the use of broader terms.

Section 7.5 starts off with two general requirements. It requires you to document:

  • Information explicitly required in the various sections of ISO 9001, and
  • Information determined by your organization as being necessary for the effectiveness of the quality management system.

These two general requirements are addressed in the Evata system as part of the training and implementation of Section 4.4. Section 4.4 is entitled “the quality management system and its processes” and it is in this section that we address the question of “What processes need to be documented?”

In this training, however, we will focus on the more specific document control requirements that take up the rest of section 7.5. Such as:

  • Document formatting
  • … creation
  • … identification
  • … approval
  • … access
  • … storage
  • … protection
  • … confidentiality
  • … distribution
  • … revision
  • … retention
  • … and disposition.

Before you feel overwhelmed about the number of controls listed, you should understand that the aim of ISO 9001 is to allow your organization a fair deal of discretion in what it documents and how it controls those documents.

ISO has stated:

“[One] of the most important objectives in the revision of the ISO 9000 series of standards ha[s] been…for the amount and detail of documentation required to be more relevant to the desired results of the organization’s process activities…[to] enable each individual organization to determine the correct amount of documented information needed in order to demonstrate the effective planning, operation and control of its processes.”

Consistent with this policy, ISO employs, let’s say, “flexible” terms in section 7.5, to allow companies more discretion in relation to documentation requirements.

For example, the standard uses the term “appropriate” to qualify the extent of:

  • Identification
  • Formatting, and
  • Reviews and approvals…

…that you have to do.

This is a pretty vague term meant to allow you some flexibility on these points.

Notice also that the standard simply requires “adequate” protection and availability. Again, a fairly vague term to allow you some flexibility.

Also, note that the standard only requires that you “address” the following:

  • Distribution
  • Access
  • Storage
  • Revision control
  • Retention and disposition

So hopefully you can see that no details are provided about the extent to which you need to meet these requirements, because the extent is left up to you so long as it is arguably “Appropriate” “Adequate” and sufficiently “Addressed”.

For example, you may decide that some documents do not require revision control. As long as this is a deliberate and justified decision, and not an oversight, you have successfully “addressed” the issue of revision control. But you should document your decision and its justification as a policy so that it is clear that this is not an oversight or attempt to avoid the standard’s requirements.

As a side note:  Although many auditors will agree with what I just said, please note, however, that some auditors do not interpret the standard the same way. To them, to “address” revision control is the same as “establishing” or “implementing” revision control.  This is an erroneous interpretation. If the standard wanted to compel revision control in all instances it would have simply said so, as it does in many other instances throughout the standard — something to the effect of “the organization shall implement revision control of all documented information.” ISO 9001 has many such provisions throughout its contents, however, ISO does not say anything to that effect in relation to revision control. ISOs omission of such direct language is clearly intentional, and is entirely consistent with its policy to ensure documentation requirements are relevant to your actual needs. If you are worried about this, then consider using Evata’s recommended auditors who share our philosophy of interpretation.

Section 7.5 also requires you to identify and control external documents.

External documents are “documented information of external origin, determined by your organization to be necessary for the planning and operation of the quality management system.”

ISO 9001 is an example of an external document. Industry standards, Best practices, Reference books, Guides, Benchmark data – all would be considered documented information of external origin if “necessary for the planning and operation of the QMS.”

You may have heard of a Master Document List, or a Document Tracker, or a Document Control Register.

Such a document is an easy way to organize your document control requirements.

[SLIDE 8]

Here we see one row of an example Master Document List (or MDL).

  • On the top row we see the control categories.
  • On the second row we see how the Sales Order Form is controlled for each category.

A Master Document List is not always necessary. For example, if the same controls apply to all of your documents with only slight deviations, then a simple procedure outlining those controls is all that is necessary – a document-by-document inventory of controls would not be necessary in such a case. However, perhaps you haven’t given a lot of thought to document control up to this point — completing an MDL will help you realize whether your document control requirements are very similar or very different for all documents. An MDL is sometimes a necessary first step to a better system. For example, perhaps you plan to control all of your documents using a document management software. First you would probably need to inventory your documents and determine your control requirements, before you could implement them in an automated solution.  

For more information non how to implement this section, watch our implementation videos for section 7.5, and review our template library for examples.

Posted in Understanding ISO 9001 and tagged , ,