Why Clause 7.5.2 Trips Up More Organisations Than It Should
Clause 7.5.2 is one of those requirements that looks simple on paper but generates a surprising number of nonconformities during certification and surveillance audits. The clause sits within the broader documented information requirements of Clause 7.5, and it deals specifically with how an organisation creates and updates its documented information. Not what documents you need. Not how you store them. How you make them and keep them current.
If you are a quality manager, HSE manager, or internal auditor preparing for a certification audit, this clause deserves more attention than it usually gets. This article walks through what the clause actually requires, what auditors look for in practice, and where organisations consistently fall short.
What Clause 7.5.2 Actually Says
Clause 7.5.2 applies across all three of the main management system standards: ISO 9001, ISO 14001, and ISO 45001. Because all three follow the High Level Structure, the wording is essentially identical. The clause requires that when creating and updating documented information, the organisation shall ensure appropriate identification and description, appropriate format and media, and review and approval for suitability and adequacy.
That is three distinct requirements packed into one short clause. Let us look at each one properly.
Identification and Description
Every document your management system relies on needs to be identifiable. That means it should have a title, a date, an author or owner, a version or revision number, or some other reference that lets people know which version they are looking at and whether it is current.
In practice, auditors check whether documents can be distinguished from one another and whether staff can confirm they are using the right version. A procedure with no version number and no date creates ambiguity. If two versions of the same procedure are floating around the business, that is a problem waiting to happen, and it is exactly the kind of thing a certification auditor will flag.
Description goes further than just a title. It includes enough context for a user to understand what the document covers, who it applies to, and where it fits in the management system. A document titled "Procedure 12" tells nobody anything. A document titled "Corrective Action Procedure v3 Approved June 2024" gives a user meaningful information immediately.
Format and Media
ISO does not require your documents to look a particular way. The standard is deliberately flexible here. Documents can be paper-based, digital, stored in a cloud system, embedded in software, or even recorded as video or audio in some contexts. The requirement is that the format and media are appropriate for the purpose.
What does appropriate mean in practice? It means the format supports correct use. A one-page visual work instruction on the shop floor is more appropriate than a dense ten-page procedure document that nobody will read. A digital form that auto-populates fields and timestamps entries is more appropriate than a handwritten log in a high-volume production environment.
Auditors are not looking for a particular format. They are checking whether the format actually serves the people who use the document. If the format creates barriers to correct use, that is a problem. If workers in a noisy environment are expected to reference a lengthy PDF on a shared computer, the format is arguably not appropriate for the context.
Review and Approval
This is where most nonconformities against Clause 7.5.2 originate. The standard requires that documented information is reviewed and approved for suitability and adequacy before use. That means someone with appropriate authority needs to sign off on a document before it becomes live in the system.
The approval does not have to be a wet ink signature. It can be an electronic approval in a document management system, a record in a register, or an email trail. What it cannot be is the absence of any approval at all.
In smaller organisations, it is common to find procedures that were written years ago, never formally approved, and have been in use ever since. Nobody questioned them because they seemed to work. But from an audit perspective, a document without evidence of review and approval is a document that may not reflect current practice, may contain errors, and has not been verified as suitable for its intended use.
The Relationship Between 7.5.2 and 7.5.3
Clause 7.5.2 and Clause 7.5.3 on control of documented information are closely linked. Creating and updating documents is only half the story. Once a document has been created and approved, it needs to be controlled: distributed to the right people, protected from unintended alteration, and retained or disposed of appropriately.
A common mistake is treating 7.5.2 and 7.5.3 as the same requirement. They are not. Clause 7.5.2 governs the creation and update process. Clause 7.5.3 governs what happens to documents after they exist. Both need to be addressed, and auditors will check both.
What Auditors Actually Check Against Clause 7.5.2
When an auditor sits down to assess conformity against Clause 7.5.2, they are not just reading your document control procedure. They are looking at the evidence that the procedure is actually being followed. Here is what that looks like in practice.
Sampling Documents for Identification
An auditor will typically pull a sample of your documented information and check whether each document has appropriate identification. They will look for a document title, version or revision number, date of creation or last review, and some indication of who authored or owns the document.
If you have a document management system, the auditor may ask you to demonstrate how a staff member would find the current version of a procedure. If the system makes it easy to accidentally access an old version, that is a concern even if the current version is technically available.
Checking the Approval Trail
For a sample of documents, the auditor will ask to see evidence that the document was reviewed and approved before use. This might be an approval signature on the document itself, an entry in a document register showing who approved it and when, or an electronic workflow record from your document management system.
The auditor is also checking that the person who approved the document had appropriate authority to do so. A procedure for hazardous chemical handling approved by an administration officer with no relevant technical authority raises questions. The approval needs to come from someone who can genuinely assess whether the document is suitable and adequate for its purpose.
Reviewing Recent Updates
Auditors are particularly interested in documents that have been recently updated. They will look at what triggered the update, whether the update was reviewed and approved before the new version went live, and whether old versions were managed appropriately.
A common scenario: a quality manager updates a procedure in response to a corrective action. The update is made, the document is saved, but no formal review or approval is recorded. The corrective action is closed. The auditor finds the updated procedure with no approval evidence and raises a nonconformity against both the corrective action process and Clause 7.5.2.
Format Suitability in Context
Auditors who conduct site walkthroughs will pay attention to how documented information is being used in practice. If a work instruction is posted on a wall in a format that is difficult to read, or if workers are referencing a printed copy that has clearly been there for years without being updated, the auditor will ask questions.
The question is not whether the format is polished. The question is whether the format supports correct and consistent use of the information. If it does not, the format may not be appropriate for the context.
Common Nonconformities Against Clause 7.5.2
Based on real audit experience across a range of industries and organisation sizes, these are the nonconformities that come up most frequently against this clause.
- Documents with no version control: Procedures and forms that have been updated informally without any version numbering or dating, making it impossible to confirm which version is current.
- No evidence of approval: Documents in active use with no record of who reviewed or approved them, or when. This is especially common with legacy documents that predate the management system.
- Approval by an inappropriate person: Documents approved by someone who lacks the technical knowledge or organisational authority to assess suitability and adequacy.
- Format that does not match the context: Complex text-based procedures in environments where workers need quick visual references, or paper-based systems in environments where documents are frequently updated and paper copies become outdated quickly.
- No process for managing updates: The organisation creates documents when the system is set up, but there is no defined process for how updates are initiated, reviewed, approved, and communicated.
Practical Steps to Get Clause 7.5.2 Right
Getting this clause right does not require expensive software or complex systems. It requires a clear, consistently applied process. Here is what works in practice.
Establish a Document Register
A simple document register goes a long way. It lists every piece of documented information your management system relies on, along with the current version number, date of last review, and name of the approving person. It does not have to be sophisticated. A well-maintained spreadsheet is perfectly adequate for most small to medium organisations.
The register serves two purposes. It gives you control over what is current, and it gives an auditor a clear picture of your document landscape without having to hunt through folders.
Define Who Can Approve What
Write down who has authority to approve different types of documented information. Operational procedures might require sign-off from the relevant department manager. System-level procedures might require sign-off from the management representative or quality manager. Safety-related documents might require sign-off from the HSE manager or a competent person in that area.
This does not need to be a complex matrix. A simple statement in your document control procedure that defines approval authority is sufficient. What matters is that it is defined and followed consistently.
Build Review Triggers Into Your System
Documents should be reviewed periodically and whenever there is a significant change to the process, regulation, or risk they relate to. Build those triggers into your system. Common approaches include a scheduled annual review of all documents, a requirement to review affected documents as part of the corrective action process, and a requirement to review documents when relevant legal or regulatory requirements change.
For more on how documented information fits into the broader audit picture, the article on auditing documented information using a Clause 7.5 checklist approach provides practical guidance on what auditors examine across all three subclauses.
Choose Formats That Match the Work
When creating new documents or updating existing ones, think about who will use the document and in what conditions. A maintenance technician working in a plant environment needs something different from an office-based quality manager reviewing data. Consider whether a flowchart, a checklist, a visual work instruction, or a short video would serve the user better than a traditional procedure document.
The standard does not prescribe format. Use that flexibility to create documents that people will actually use correctly.
Clause 7.5.2 in an Integrated Management System
If your organisation operates an integrated management system covering ISO 9001, ISO 14001, and ISO 45001, Clause 7.5.2 applies equally across all three. The good news is that you only need one document creation and update process. You do not need separate processes for quality, environmental, and safety documents.
What you do need is to make sure that process is robust enough to cover the different types of documented information each standard requires. Environmental aspects registers, hazard registers, and quality plans all need to go through the same identification, format, and approval requirements.
Integrated management systems also raise questions about who has appropriate authority to approve documents that span multiple disciplines. A procedure covering both environmental and safety requirements may need review from both the environmental manager and the HSE manager before approval. Define that clearly in your process.
A Note on Electronic Document Management Systems
Many organisations use dedicated document management software to handle Clause 7.5.2 requirements. These systems can automate version control, route documents for approval, notify owners when reviews are due, and archive superseded versions. They make conformity easier to demonstrate because the approval trail is built into the workflow.
However, software does not guarantee conformity. Auditors regularly find nonconformities in organisations using sophisticated document management systems because the system is not configured correctly, approval workflows are being bypassed, or documents are being created outside the system and used informally.
The system is a tool. The process behind it still needs to be sound.
How Internal Auditors Should Approach Clause 7.5.2
If you are conducting an internal audit and Clause 7.5.2 is in scope, your job is to verify that the organisation has a process for creating and updating documented information, and that the process is being followed. Here is a practical approach.
Start by reviewing the document control procedure to understand what the organisation says it does. Then select a sample of documents from different parts of the management system, including some that have been recently created or updated. For each document, check for appropriate identification, check whether the format is suitable for its intended use, and look for evidence of review and approval.
Ask the document owners how they know when a document needs to be updated, and what they do when an update is needed. The answers will tell you whether the process is understood and followed, or whether it exists only on paper.
For auditors building their skills in this area, the ISO 9001 Clause 7.5 documented information overview provides a solid grounding in all three subclauses and how they connect.
Preparing for a Certification Audit Against Clause 7.5.2
If you are preparing your organisation for a certification audit, here is a practical checklist for Clause 7.5.2 readiness.
- Review your document register and confirm every document has a current version number and date.
- Check that every document in active use has evidence of review and approval by an appropriate person.
- Confirm that your document control procedure defines who can approve what types of documents.
- Walk through your most recently updated documents and verify the approval trail is complete.
- Check that formats are appropriate for the contexts in which documents are used.
- Confirm that staff who use documented information know how to access the current version.
None of this is complicated. But it does require discipline and consistency. The organisations that struggle with Clause 7.5.2 are usually those that created a document control system at the start of their certification journey and then let it drift. Regular internal audits of the documented information process are the most effective way to keep it on track.
If you want to build the skills to audit documented information requirements confidently, Audit Workshop offers practical internal auditor and lead auditor training across ISO 9001, ISO 14001, and ISO 45001. The training is grounded in real audit practice, not just clause recitation, and covers exactly the kind of evidence gathering and nonconformity identification that Clause 7.5.2 requires. You can explore the available courses at auditworkshop.com.





