Controlling Documented Information Under ISO 14001

ISO 14001 Clause 7.5

  • Documents and records the standard requires
  • Properly created and controlled

ISO 14001 Clause 7.5 - Documented Information

ISO 14001:2026 Clause 7.5 covers the documented information the environmental management system needs - both the documented information specifically required by the standard, and any additional information the organisation decides is necessary for the EMS to be effective. The clause has three parts: general requirements (7.5.1), creating and updating (7.5.2), and control (7.5.3).

The standard uses the term documented information to cover what older standards called procedures, work instructions, records and other paperwork. In substance the requirements have not changed, but the standard now treats all documented information consistently rather than separating documents from records.

What Documented Information the Standard Requires

The standard names specific items that must be available as documented information, including:

  • the scope of the EMS;
  • the environmental policy;
  • the processes for environmental aspects, compliance obligations, and risks and opportunities;
  • environmental aspects, the criteria for significance, and the significant aspects determined;
  • compliance obligations;
  • risks and opportunities to be addressed;
  • environmental objectives;
  • evidence of competence;
  • evidence of communications;
  • evidence of operational planning and control;
  • evidence of monitoring, measurement, analysis and evaluation;
  • evidence of compliance evaluation;
  • the audit programme, audit implementation and audit results;
  • evidence of management review results;
  • evidence of nonconformities and corrective actions.

In addition the organisation determines any further documented information it needs to make the EMS effective. The amount can vary considerably between organisations. The standard explicitly notes that the extent depends on the size of the organisation, the complexity of its processes, the competence of its people, and the need to demonstrate compliance.

Creating and Updating Documented Information

Sub-clause 7.5.2 covers the basics of creating and updating. The standard requires:

  • identification and description of the document - examples given are title, date, author and reference number, but none of these is individually required;
  • a suitable format and media - paper or electronic, the choice of language, software version, graphics where useful;
  • review and approval for suitability and adequacy.

The standard does not specify a document register, version numbers, periodic review, or specific approval workflows. These are good practice in many organisations but they are not requirements of Clause 7.5 itself. What the clause requires is that documents are properly created and approved.

Controlling Documented Information

Sub-clause 7.5.3 covers control during the life of the document. The organisation makes sure documented information is:

  • available and suitable for use, where and when needed;
  • adequately protected from loss of confidentiality, improper use or loss of integrity.

Where applicable, control also covers distribution, access, retrieval and use, storage and preservation including legibility, control of changes such as version control, and retention and disposition. Documented information of external origin - regulatory approvals, supplier manuals, applicable standards - is identified and controlled where it is necessary to the EMS.

The most common mistake at this clause is overdoing it. People hear control of documented information and build elaborate systems with version numbers, signatures, change control logs and periodic review schedules for every document. None of that is required by the standard.

What is required is that documents are available, suitable, protected from loss or misuse, and controlled enough that people are using the current version. A small organisation can meet that with a shared drive that has the current versions of everything in clearly named folders. A larger one will use a document management system. Both are fine.

I will check whether documented information required by the standard is actually available, and whether it is the current version. If a procedure was updated three months ago but two operational sites are still working from a copy from a year ago, that is a control failure. If the legal register dates from 2022, the organisation has a problem.

Documents do what documents do. Make sure people can find them, make sure people are using the latest version, and make sure they are protected from being lost, leaked or messed with. The standard does not care whether you use folders, an intranet, a document management system or a filing cabinet. It cares whether the system actually works.

Practical Compliance Guidance

Documented information control is supported by the document register where used, and by the procedures the organisation follows for creating, approving and updating documents. The IMS1 Manual references documented information control in Section 7.5.

The following alphaZ documents support compliance with ISO 14001:2026 Clause 7.5.

alphaZ document - How to use it

  • ISO 9001/14001/45001 IMS Toolkit - The full set of integrated management system documents covering the requirements of all three standards, including the IMS1 Manual.
  • F-IMS20 Document Register - Lists the documented information held within the management system, including version, owner and review status.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. Version numbers are common practice and useful in many organisations, but the standard does not specifically require them. What is required is that change control happens - so people know which version is current. Version numbers are one way of achieving that, but file naming conventions, change logs, or modification dates can also work.
No. A document register is good practice for organisations with a significant amount of documented information, but the standard does not require one. What it requires is that documented information is controlled - available, protected, current. A register is a tool that helps with control but it is not the only way.
The standard does not specify retention periods. The organisation determines retention based on its compliance obligations, the operational need to refer back to records, and any legal or contractual requirements. Many organisations align retention with the longest applicable requirement, often a multiple of the certification cycle.
Yes, where the organisation determines they are necessary for the planning and operation of the EMS. Examples include environmental permits, equipment operation manuals, applicable standards, and external environmental databases. These external documents need to be identified and controlled to the extent appropriate.
