Why Clause 7.5.3 Trips Up So Many Organisations
Clause 7.5.3 is one of those requirements that looks simple on the surface and turns out to be surprisingly nuanced in practice. The clause sits within the Support section of ISO 9001, ISO 14001, and ISO 45001, and it deals with the control of documented information. That means making sure your documents and records are available when needed, protected from loss or misuse, and managed in a way that prevents people from accidentally working off outdated versions.
In audit after audit, this is where quality managers and system owners get caught. Not because they have no documents, but because the controls around those documents are patchy, inconsistently applied, or simply assumed to be working when they are not. If you are preparing for a certification audit or want to tighten up your internal audit programme, this article walks you through what the clause actually requires, what auditors look for, and where organisations typically fall short.
What Clause 7.5.3 Actually Says
The clause is structured around two main obligations. First, documented information must be controlled to ensure it is available and suitable for use where and when it is needed. Second, it must be adequately protected from loss of confidentiality, improper use, or loss of integrity.
Beyond those two principles, the clause lists specific activities that organisations must address as appropriate. These include:
- Distribution, access, retrieval, and use
- Storage and preservation, including preservation of legibility
- Control of changes, including version control
- Retention and disposition
The phrase "as appropriate" gives organisations some flexibility, but it does not mean you can ignore any of these activities. It means you need to think about each one in the context of your organisation and apply controls that are fit for purpose. An auditor will ask you to demonstrate that you have done exactly that.
It is also worth noting that Clause 7.5.3 applies to both documents and records. Documents are the instructions, procedures, forms, and plans that tell people what to do. Records are the evidence that something was done. The controls required for each are slightly different, and auditors will probe both.
Distribution, Access, Retrieval, and Use
The first area auditors examine is whether the right people can get to the right documents at the right time. This sounds obvious, but it breaks down in practice more often than you would expect.
A common scenario: a procedure is updated and uploaded to the shared drive, but the team working in the field still has the old laminated version pinned to the wall. Or a new employee is given access to a document management system but no one has explained how to find the relevant procedures for their role. Or a critical work instruction exists only on one person's computer and is unavailable when they are on leave.
When auditing this area, look for evidence that:
- Documents are stored in a location that is accessible to the people who need them
- Access permissions are appropriate, meaning people can read what they need and cannot inadvertently modify controlled documents
- There is a process for distributing updated documents to relevant personnel
- Obsolete documents have been removed from points of use or clearly marked as superseded
For organisations using a document management system, the auditor will often request a demonstration. They may ask you to find a specific procedure and show them how you would know whether it is the current version. For organisations still using paper-based systems, the challenge is ensuring that field copies match the master and that obsolete versions are not still in circulation.
Storage, Preservation, and Legibility
Documents and records need to remain legible, identifiable, and retrievable throughout their required retention period. This is straightforward for digital systems with proper backups, but it creates real problems for organisations that rely on paper records or informal storage arrangements.
Legibility is one of those requirements that gets overlooked until an auditor picks up a faded inspection record or a handwritten form that no one can decipher. The standard does not specify a format, but it does require that documented information remains usable. If your records become unreadable over time, that is a genuine nonconformity.
For digital records, preservation means ensuring that files are backed up, that formats remain accessible over time, and that records stored in software systems are not lost when a system is upgraded or a subscription lapses. Auditors have found organisations that could not retrieve records from a previous year because the software had been replaced and no export had been taken.
Storage also includes protecting records from environmental damage. Physical records stored in areas prone to flooding, heat, or pest damage are at risk. The auditor will want to see that you have thought about this and put appropriate controls in place.
Version Control and Change Management
Version control is one of the most commonly audited aspects of Clause 7.5.3 and one of the most common sources of nonconformities. The requirement is that documented information must be controlled for changes, which means people must be able to identify the current version of any document and understand what has changed.
Effective version control typically involves:
- A document identifier and version number or date on every controlled document
- A review and approval process before changes are issued
- A record of what changed and why, often captured in a revision history or change log
- A process for withdrawing or archiving superseded versions
The auditor will test this by selecting a sample of documents and checking whether they have version identifiers, whether the version in use matches what is recorded in the document register, and whether there is evidence of a review and approval process. They may also ask staff whether they know how to check if a document is current.
One area that catches organisations out is external documents. Legislation, standards, customer specifications, and supplier documents that are incorporated into the management system also need to be controlled. You need a process for monitoring when external documents are updated and ensuring the current version is in use.
Retention and Disposition
Every organisation must decide how long to keep records and what to do with them when the retention period expires. Clause 7.5.3 requires that these decisions are made and documented. The clause does not specify retention periods. Those are determined by legal requirements, contractual obligations, and the organisation's own judgement about what is needed to demonstrate conformity.
Common retention considerations include:
- Legal and regulatory requirements, which may specify minimum retention periods for certain types of records
- Contractual requirements from customers or clients
- The organisation's own need to demonstrate conformity over time, for example during warranty periods or for traceability purposes
- Certification body requirements for records related to the management system itself
Auditors will look for a documented retention schedule or equivalent and will check whether it covers the key record types in the system. They will also check whether records are actually being disposed of in accordance with the schedule, or whether the organisation is retaining everything indefinitely because no one has made a decision about disposition. Indefinite retention is not automatically a problem, but it can indicate that the organisation has not thought through its obligations, particularly around privacy and data protection.
Protection of Documented Information
The requirement to protect documented information from loss of confidentiality, improper use, or loss of integrity is particularly relevant for records that contain sensitive information. This includes personnel records, customer data, supplier contracts, incident reports, and audit findings.
Protection controls might include:
- Access restrictions so that only authorised personnel can view or modify sensitive records
- Password protection for digital files
- Secure physical storage for paper records
- Controls to prevent unauthorised copying or distribution
- Audit trails or logs showing who has accessed or modified a record
For organisations operating under ISO 27001 or subject to the Australian Privacy Act, this area will already be well developed. For organisations whose primary certification is ISO 9001, ISO 14001, or ISO 45001, the information security controls around documented information are sometimes underdeveloped. Auditors will probe this, particularly for records that contain personal information or commercially sensitive data.
What Auditors Actually Check in Practice
Based on experience auditing management systems across a wide range of industries, the practical approach to auditing Clause 7.5.3 follows a consistent pattern. The auditor will not simply review your document control procedure and tick a box. They will trace the clause through the system.
A typical audit sequence might look like this:
- Review the document control procedure to understand the stated controls
- Select a sample of documents from the document register and verify that the current versions are in use at points of use
- Ask a frontline worker how they find the procedure for a specific task and whether they know how to check if it is current
- Select a sample of records and check legibility, completeness, and storage conditions
- Ask about the retention schedule and verify that it covers the records sampled
- Check for obsolete documents at points of use
- Review evidence of the document approval process for a recently updated document
The most revealing question is often the simplest: how do you know that the document you are working from is the current version? If the worker cannot answer that question confidently, or if the answer reveals a gap in the system, you have found something worth pursuing.
For a broader look at how auditors approach documented information across the full Clause 7.5 requirement, the article on Auditing Documented Information: A Clause 7.5 Checklist Approach provides a useful companion reference. And if you want to understand how creating and updating requirements feed into the control requirements, the article on Clause 7.5.2 Creating and Updating Documented Information covers the upstream requirements that set the foundation for what Clause 7.5.3 then controls.
Common Nonconformities Against Clause 7.5.3
Based on real audit experience, these are the nonconformities that come up most frequently:
- Obsolete documents at points of use. The classic finding. The document register shows version 3 of a procedure, but the laminated copy on the factory floor is version 1. This is a straightforward nonconformity and one that is entirely preventable.
- No retention schedule or an incomplete one. The organisation has a document control procedure but has not defined how long records must be kept. Or the schedule exists but does not cover key record types like internal audit records, training records, or nonconformity reports.
- No evidence of document approval. Documents have been updated but there is no record of who reviewed and approved the change. The approval process exists in theory but is not being followed in practice.
- External documents not controlled. The organisation is working from a version of a standard, regulation, or customer specification that has since been updated. No process exists for monitoring external document changes.
- Records not legible or retrievable. Handwritten records that cannot be read, digital records stored in formats that are no longer supported, or records that cannot be located when requested during the audit.
- Access controls not applied. Sensitive records are accessible to people who should not have access, or conversely, people who need documents to do their job cannot access them without going through an unnecessarily complicated process.
If you want to understand how document and record control issues connect to broader audit findings, the article on Common ISO 9001 Clause 7 Nonconformities Auditors Keep Finding is worth reading alongside this one.
Practical Steps to Strengthen Your Controls
If you are reviewing your document control arrangements ahead of an audit, these are the practical steps that make the most difference:
Conduct a physical walk-through. Go to the places where work is actually done and check what documents are in use. Compare them against your document register. Look for laminated procedures, printed copies tucked behind equipment, and informal cheat sheets that may have replaced the official procedure.
Test your retrieval process. Ask someone who was not involved in setting up the system to find a specific procedure. Time how long it takes. Note any confusion or difficulty. If the person who needs the document cannot find it quickly, the control is not working.
Review your retention schedule. Check that every significant record type is covered. Cross-reference against legal requirements applicable to your industry and jurisdiction. Make sure the schedule is being followed in practice, not just on paper.
Check your external document process. List the external documents that are incorporated into your system and verify that you are working from the current version. Establish a process for monitoring updates, whether through regulatory alerts, supplier notifications, or periodic review.
Audit your approval records. For any document updated in the past 12 months, check whether there is a record of review and approval. If approvals are happening verbally or informally, that is a gap that needs to be addressed.
Review access permissions. For digital systems, check who has edit access to controlled documents. Ensure that the people who need read access have it and that edit access is restricted to those responsible for document control.
Document Control in Integrated Management Systems
For organisations running an integrated management system covering ISO 9001, ISO 14001, and ISO 45001, Clause 7.5.3 applies across all three standards simultaneously. The good news is that the requirement is identical in all three, so a single document control process can satisfy all of them. The challenge is ensuring that the process covers all the document types relevant to each standard.
Environmental records such as waste disposal manifests, water usage logs, and environmental monitoring data need the same level of control as quality records. Safety records including hazard identification records, incident reports, and inspection records are equally subject to the retention and protection requirements. When auditing an integrated system, the auditor will sample across all three domains, so gaps in any one area will be found.
Building Auditor Competence in This Area
Understanding Clause 7.5.3 thoroughly is not just useful for quality managers setting up or reviewing their systems. It is essential knowledge for anyone conducting internal audits or pursuing a career in ISO auditing. Auditing document control requires you to understand both what the standard requires and how to trace those requirements through a real system, across different document types, different storage formats, and different organisational contexts.
If you are building your auditing skills or preparing to sit a lead auditor course, the practical application of clauses like 7.5.3 is exactly the kind of content that separates auditors who can follow a checklist from auditors who can actually find things. At Audit Workshop, the internal auditor and lead auditor training courses for ISO 9001, ISO 14001, and ISO 45001 work through clauses like this in practical detail, using real audit scenarios to build the judgement you need to audit effectively. If you want to move beyond theory and develop genuine audit competence, that is where the training is focused.





