What does ISO 9001 require for documented information?

ISO 9001 Clause 7.5 requires organisations to: create and update documented information with appropriate identification and format, and review and approval; control documented information to ensure it is available and suitable for use where needed; protect it against loss of confidentiality, improper use, or loss of integrity; and prevent unintended use of obsolete information. The standard doesn't prescribe specific document types or formats - it requires organisations to determine what documented information is necessary for their quality management system and control it accordingly.

Does ISO 9001 require a document control procedure?

ISO 9001:2015 does not require a documented procedure for document control specifically - unlike the 2008 version which mandated this. However, it does require that documented information itself be controlled according to the requirements of Clause 7.5, and that the organisation maintain documented information as evidence that it does so. In practice, most organisations maintain a document control procedure because it provides a clear, auditable description of how Clause 7.5 requirements are met. The absence of a procedure makes it harder to demonstrate consistent compliance.

What are external documents under ISO 9001?

External documents under ISO 9001 are documents of external origin that the organisation determines are necessary for the planning and operation of its quality management system. These include supplier specifications, regulatory standards, industry standards referenced in procedures, customer requirements documents, and any other external sources that inform how the organisation operates. ISO 9001 Clause 7.5.3 requires external documents to be identified and their distribution controlled - meaning the organisation needs a register of which external documents it relies on, what version is current, and how changes are tracked.

How does ISO 9001 handle obsolete document versions?

ISO 9001 Clause 7.5.3 explicitly requires that documented information of external origin and obsolete documented information be protected against unintended use. For obsolete versions, this means either removing them from all points of use, marking them clearly as obsolete, or restricting access so they cannot be inadvertently retrieved and used. Auditors check for this by asking to see the current version of a procedure at the point of use and verifying it matches the current approved version. Old versions accessible in shared drives or filing systems are a common finding.

How many documents does ISO 9001 require?

ISO 9001:2015 explicitly requires maintained documented information (formerly 'documents') for: the quality management system scope, the quality policy, quality objectives, and six specific areas including competence evidence, product conformity evidence, and others. It requires retained documented information (formerly 'records') for over twenty specific situations. Beyond these explicit requirements, the standard requires whatever documented information the organisation determines is necessary for the effectiveness of the quality management system - which for most manufacturing organisations means significantly more than the minimum. The right amount is whatever provides sufficient evidence of compliance under audit.

Can a CCMS satisfy ISO 9001 document control requirements?

Yes. A Component Content Management System directly satisfies ISO 9001 Clause 7.5 requirements through: built-in approval workflows that record who approved what version and when; a publishing gate that prevents unapproved content from reaching any output, satisfying the requirement to prevent unintended use of obsolete information; version control at the component level with complete audit trails; and single-source architecture that ensures point-of-use documents are always the current approved version. Author-it is purpose-built for regulated environments where document control is an audit requirement, not just a best practice.

Article

What ISO 9001 actually requires from your doc team

Q: What is the difference between documents and records in ISO 9001?

ISO 9001:2015 replaced the older distinction between 'documents' and 'records' with the single term 'documented information.' Information created and updated to describe processes and requirements (formerly called documents) and information maintained as evidence of conformity (formerly called records) are both covered by Clause 7.5. The practical distinction remains relevant - process descriptions and procedures are controlled for current use, while evidence records are retained to demonstrate what was done. The standard refers to information to be 'maintained' (kept current) and information to be 'retained' (kept as evidence).

Read time:

6 min

Why it matters:

Technical documentation teams are the frontline of ISO 9001 compliance - but most don't know exactly what the standard requires of them.

Who it's for:

Technical writers, documentation managers, and quality leads in ISO-certified manufacturing organisations.

Summary:

ISO 9001 doesn't just require good documentation - it requires controlled documentation. Clause 7.5 places specific obligations on technical documentation teams that go well beyond writing clear procedures. Understanding exactly what the standard asks for helps documentation teams design processes that satisfy auditors, not just readers. This article translates the formal language of Clause 7.5 into practical requirements your team needs to meet.

‍

ISO 9001 Clause 7.5 documented information requirements mapped across four categories - mandatory documents, mandatory records, external documents, and organisation-determined content

What Clause 7.5 actually asks

ISO 9001:2015 Clause 7.5 uses the term documented information to cover what older versions of the standard split into documents and records. Your team is responsible for both - the living documents that describe how things should be done, and the records that prove they were done that way.

The standard requires that documented information be available, suitable for use, and adequately protected. It requires that you control how documents are created, updated, approved, distributed, and retired. For a technical documentation team in manufacturing, that's a comprehensive mandate that touches every part of your workflow.

The four categories your team owns

Most technical documentation teams in manufacturing are responsible for content across four distinct categories, each with its own Clause 7.5 implications.

Quality procedures - SOPs, work instructions, assembly procedures, quality plans - are the core of what most doc teams think about. These must be approved before issue, versioned, available at point of use, and protected from obsolete versions remaining in circulation.

Records and evidence - inspection logs, calibration records, training records, non-conformance reports - capture what actually happened. Unlike procedures, records aren't updated after the fact. They need to be legible, retrievable, and retained for defined periods. The challenge for doc teams is often that records are owned by different functions and only partially managed through the QMS.

Planning and policy documents - the quality manual, quality objectives, scope statements - are often owned by quality management rather than technical publications, but documentation teams typically handle the format, version control, and distribution. These have the same Clause 7.5 requirements as operational documents.

External references - supplier specifications, regulatory standards, customer requirements - are often overlooked. ISO 9001 requires that external documents of external origin that are relevant to the QMS be identified and controlled. Your team doesn't write them, but you're responsible for tracking which ones are in use and ensuring they're current. See how manufacturing documentation teams manage this in practice.

Approval is a requirement, not a formality

Clause 7.5 requires that documented information be approved for adequacy before issue. This means a named person or role has reviewed the content and explicitly signed off that it's fit for purpose. It doesn't mean a manager glanced at it and nodded - it means a traceable, recoverable record that the approval happened.

In practice, many documentation teams handle approvals through email. The problem isn't that email is invalid - it's that email is fragile. Threads get deleted, inboxes get archived, people leave the organisation. If an auditor asks for the approval history on a procedure updated 18 months ago and the approver is no longer with the company, you need the record to exist somewhere other than their Outlook.

Built-in approval workflows - where sign-off is recorded in the document management system alongside the content - solve this permanently. The trail is in the system, not in someone's inbox. Author-it's Review and Approve module was built for exactly this requirement.

Version control at the right level

Most documentation teams track versions at the document level - version 1, version 2, version 3. ISO 9001 requires that you be able to identify the revision status of documents and ensure current versions are available. Document-level version control is sufficient for that requirement.

The problem is that document-level version control doesn't handle shared content well. If the same specification or warning appears in twelve different work instructions, and that specification changes, you have to update twelve documents and increment twelve version numbers. Each update is an approval event. Each approval is a potential gap in your trail.

Component-based version control - where shared content exists as a single component referenced by multiple documents - reduces this to one update, one approval, and one version increment. Every document that references the component automatically reflects the change. The version number for the shared specification changes once. This is the structured authoring approach, and it's particularly valuable for manufacturers with high content reuse across product lines. Use the Structured Content Challenge to benchmark your current reuse level.

Protection against unintended use of obsolete versions

This is the Clause 7.5 requirement that documentation teams most commonly struggle with. The standard requires measures to prevent the unintended use of obsolete documented information. In a shared drive environment, that typically means labelling old versions as OBSOLETE and hoping no one uses them anyway.

The architectural solution is a publishing gate - a system control that prevents any content that hasn't been through the approval workflow from reaching any published output. In Author-it, unapproved content cannot be published, regardless of what someone tries to do. Obsolete versions aren't accessible for publication because the system prevents it, not because someone remembered to label them.

Before and after - manual Word-based document management versus Author-it structured content workflow for ISO 9001 compliance

What good looks like for a technical documentation team

An ISO 9001-compliant documentation team in manufacturing has: a clear scope of what's controlled and who owns it, a consistent approval process with a recoverable trail, version control that scales with the complexity of your product lines, a distribution mechanism that doesn't rely on human memory, and a publishing gate that makes obsolete-version protection automatic rather than procedural.

Most teams can get most of this right most of the time with manual processes. ISO 9001 requires all of it, right, all of the time. That's the gap a structured content management system closes. The ROI calculator can help quantify the cost of the manual overhead your team is currently carrying to approximate this level of control.

ISO 9001 tech documentation FAQ

Q: What does ISO 9001 Clause 7.5 require from a technical documentation team?

A: ISO 9001 Clause 7.5 requires technical documentation teams to create, approve, version, distribute, and retire documented information in a controlled way. Specifically: all documents must be approved before issue, changes must be reviewed and re-approved, current versions must be available at point of use, obsolete versions must be prevented from unintended use, and external documents must be identified and controlled. It applies to procedures, work instructions, records, policy documents, and relevant external references.

Q: What is the difference between documents and records in ISO 9001?

A: ISO 9001:2015 uses the term documented information for both. Documents describe how things should be done - SOPs, work instructions, quality plans. Records prove that they were done - inspection logs, training records, calibration certificates. Documents are updated over time and need version control and approval workflows. Records capture a point-in-time state and need retention, protection from alteration, and retrievability. Both are controlled under Clause 7.5.

Q: Does ISO 9001 require a technical documentation team to control external documents?

A: Yes. ISO 9001 Clause 7.5 requires that external documents of external origin - supplier specifications, regulatory standards, customer requirements - that are relevant to the quality management system be identified and controlled. This means your team needs to track which external documents are referenced in your QMS, monitor for changes, and ensure internal documentation is updated when external sources change.

Q: How should a documentation team handle document approvals to satisfy ISO 9001?

A: ISO 9001 requires that documented information be approved for adequacy before issue and re-approved after updates. The approval must be traceable - you need to be able to demonstrate who approved a document and when. Email approvals can satisfy this if the trail is reliably preserved. The most robust approach is a built-in approval workflow in a document management system where sign-off is recorded against the document, not in someone's inbox. This makes the approval trail independent of individual employees and email retention policies.

Q: What does version control mean for a technical documentation team under ISO 9001?

A: ISO 9001 requires that you identify the current revision status of documents and ensure current versions are available at point of use. At minimum, this means each document has a clear version identifier, you can demonstrate what the current version is, and previous versions are not accessible for operational use. In practice, most manufacturing teams also track change history - what changed between versions and why - as this is often checked during audits.

Q: How does a CCMS help technical documentation teams meet ISO 9001 requirements?

A: A Component Content Management System addresses every Clause 7.5 requirement: built-in approval workflows with complete audit trails, component-level version control that scales with complex product lines, single-source publishing that makes current versions always available without manual distribution, a publishing gate that prevents obsolete or unapproved content from being published, and role-based access that controls who can create, edit, approve, and view content. The result is ISO compliance that's architectural rather than procedural.

Q: What is the most common ISO 9001 finding for technical documentation teams?

A: The most common findings involve Clause 7.5 document control: outdated versions in use at point of use, missing or unverifiable approval trails for recent revisions, external documents referenced in the QMS but not formally tracked, and obsolete versions accessible in shared systems. These findings are rarely deliberate - they're the result of manual processes that work most of the time but don't have the systematic controls to guarantee compliance consistently.

Related Resources

ISO compliance across global manufacturing operations - a structured content playbook

Article

ISO compliance across global manufacturing: a playbook

Manufacturing

Compliance

SOP

ISO compliance doesn't get easier as you scale globally. More sites, more languages, more product lines - and one set of standards to satisfy across all of them. Here's the structured content playbook that makes it work.

From certification to continuous ISO compliance - how a CCMS keeps manufacturers audit-ready

Article

How a CCMS keeps ISO-certified manufacturers compliant

Manufacturing

Compliance

Getting ISO certified is the easy part. Staying compliant across product lines, sites, and years is the harder challenge - and it's one a CCMS is built to solve.

What ISO 9001 actually requires from your documentation team - four documented information categories

Article