ISO 14001:2026 for Auditors > Clause 7.5

Explained: Documented Information

Clause 7.5 of ISO 14001 is about documented information needed by the Environmental Management System. In plain English, this means the organisation should create, update, control and retain the EMS documents and records needed to support environmental management and demonstrate that the system is working.

What is ISO 14001 Clause 7.5 trying to achieve?

Clause 7.5 helps ensure the EMS has reliable documented information.

This includes information needed to:

• describe how the EMS works;
• communicate requirements;
• support consistent operations;
• retain evidence of activities and results;
• show conformity with ISO 14001;
• demonstrate environmental performance and compliance control;
• support audit, management review and improvement.

The purpose is not to create paperwork for its own sake. The purpose is to ensure the right information is available, suitable, current and protected.

What is documented information?

Documented information is the ISO term that covers both documents and records.

In practical terms:

• documents usually tell people what should happen;
• records usually show what did happen.

Both are documented information, but they need slightly different controls.

Why documented information matters in an EMS

Environmental management relies on clear and reliable information.

Without suitable documented information, an organisation may struggle to:

• explain its EMS scope;
• communicate environmental responsibilities;
• control significant environmental aspects;
• prove compliance obligations are being met;
• show that inspections and monitoring have taken place;
• demonstrate competence and awareness;
• track environmental objectives;
• retain audit findings and corrective actions;
• show evidence during certification, customer or regulatory audits.

Good documented information helps the EMS operate consistently and provides the evidence auditors need.

What does ISO 14001 expect?

ISO 14001 expects the EMS to include documented information required by the Standard and documented information the organisation determines is necessary for the effectiveness of the EMS.

The organisation should also ensure that documented information is:

• properly created and updated;
• identified and described suitably;
• reviewed and approved where appropriate;
• available where and when needed;
• protected from loss, damage or unintended changes;
• controlled in relation to distribution, access, retrieval, use, storage, retention and disposal.

The exact system can be simple or sophisticated. The key is that documented information supports the EMS and remains under control.

Clause 7.5.1 — General documented information requirements

Clause 7.5.1 sets the general expectation.

The EMS should include documented information required by ISO 14001 and any additional documented information the organisation needs for EMS effectiveness.

This means the organisation should not ask only, “What documents does ISO require?” It should also ask, “What information do we need to run our EMS properly?”

For example, a simple office-based organisation may need fewer procedures and records than a complex manufacturing site with permits, chemicals, emissions, waste streams and emergency response controls.

Clause 7.5.2 — Creating and updating documented information

Clause 7.5.2 is about making sure documented information is created and updated properly.

When creating or updating documented information, the organisation should consider matters such as:

• clear identification;
• title or description;
• date;
• author or owner;
• version or revision status;
• format and media;
• review and approval arrangements.

The goal is to avoid confusion. People should be able to tell what the document is, whether it is current, who owns it and whether it has been approved for use.

Clause 7.5.3 — Control of documented information

Clause 7.5.3 is about controlling documented information so it is available, suitable and protected.

The organisation should consider controls for:

• distribution;
• access;
• retrieval;
• use;
• storage;
• preservation;
• control of changes;
• retention;
• disposal.

This includes controlling documented information of external origin where it is needed for EMS planning or operation.

External documented information may include permits, licences, legal registers, customer requirements, supplier specifications, waste carrier documents, equipment manuals, safety data sheets, regulator guidance or contract requirements.

Examples of EMS documented information

EMS documented information may include:

• EMS scope;
• environmental policy;
• environmental objectives and plans;
• aspect and impact registers;
• compliance obligations registers;
• risk and opportunity records;
• operational control procedures;
• emergency response plans;
• training and competence records;
• communication records;
• monitoring and measurement records;
• inspection checklists;
• maintenance records;
• evaluation of compliance records;
• internal audit programme and reports;
• management review records;
• nonconformity and corrective action records.

The organisation should decide what is necessary based on its EMS scope, complexity, environmental aspects, compliance obligations and risks.

Documents versus records

It is useful for auditors to distinguish between documents and records.

Documents

Documents usually describe requirements, methods or expectations.

Examples include:

• procedures;
• work instructions;
• policies;
• process maps;
• forms and templates;
• emergency plans;
• communication plans;
• inspection checklists before completion.

Records

Records provide evidence that something happened.

Examples include:

• completed inspection checklists;
• training attendance records;
• audit reports;
• management review minutes;
• monitoring data;
• waste transfer records;
• incident reports;
• completed corrective action records;
• completed evaluation of compliance records.

Documents often need version control. Records often need retention control. Both need to be protected and retrievable.

Documented information should be proportionate

ISO 14001 does not require every organisation to have the same level of documentation.

The amount and detail of documented information may depend on:

• the size of the organisation;
• the complexity of activities, products and services;
• the competence of people involved;
• significant environmental aspects;
• compliance obligations;
• risks and opportunities;
• the need for consistent operational control;
• requirements from customers, regulators or certification bodies.

A simple system that works is better than a complicated system nobody follows.

Document control in practice

Document control helps make sure people use the right information.

Practical document control may involve:

• approved document owners;
• version numbers;
• review dates;
• change history;
• controlled access to current documents;
• removal or archiving of obsolete versions;
• clear file locations;
• controlled templates;
• approval before issue;
• backup arrangements;
• permissions for editing or viewing.

The method may be digital, paper-based or a mixture of both. What matters is that current information is available and obsolete information is not accidentally used.

Control of records in practice

Records must be retained and retrievable where they are needed as evidence.

Practical record control may include:

• defined retention periods;
• clear storage locations;
• protection from loss or damage;
• secure access where appropriate;
• clear naming conventions;
• backup arrangements for digital records;
• controlled disposal after retention periods expire;
• ability to retrieve records during audits or inspections.

Records are especially important where they provide evidence of compliance, monitoring, inspection, audit, management review or corrective action.

Externally controlled information

Some documented information comes from outside the organisation but is still needed by the EMS.

Examples include:

• environmental permits or licences;
• regulator correspondence;
• legal updates;
• customer environmental requirements;
• supplier specifications;
• safety data sheets;
• equipment manuals;
• waste contractor licences;
• standards and guidance documents;
• landlord or site rules.

The organisation should identify external information needed for EMS planning and operation, then control it so the right people can access reliable versions.

Practical implementation guidance

A practical EMS documented information process should answer:

• What documented information is required by ISO 14001?
• What additional documented information does the organisation need?
• Who owns each document or record type?
• How are documents created, reviewed and approved?
• How are current versions made available?
• How are obsolete versions removed or archived?
• Where are records stored?
• How long are records retained?
• How are documents and records protected?
• How is external documented information controlled?

The process should be practical enough that employees can follow it and auditors can trace evidence without detective work worthy of a crime drama.

What auditors typically look for

Auditors look for evidence that documented information is suitable, current, controlled and available where needed.

Evidence may include:

• documented information procedure or process;
• document register;
• records retention schedule;
• controlled templates;
• version-controlled procedures;
• approval records;
• change history;
• evidence obsolete documents are removed or archived;
• examples of completed records;
• evidence records are retrievable;
• control of external documents;
• interviews with people who use EMS documents and records.

Common weaknesses in Clause 7.5

• obsolete documents still available for use;
• procedures have no owner or approval status;
• documents are updated but users are not told;
• forms are completed inconsistently;
• records are missing or difficult to retrieve;
• retention periods are unclear;
• external documents are not controlled;
• paper copies conflict with digital versions;
• documented information does not match actual practice;
• records needed for compliance cannot be produced;
• people rely on informal knowledge rather than current controlled information.

Weak example

Better example

Real-world example: waste management records

A site generates several waste streams and must retain evidence of proper waste handling.

Relevant documented information may include:

• waste procedure;
• waste segregation instructions;
• approved waste contractor list;
• waste transfer or consignment records;
• contractor licences or approvals;
• inspection records for waste storage areas;
• training or awareness records for relevant workers;
• corrective actions for waste nonconformities.

An auditor could test control by checking whether the procedure is current, whether waste records are complete and retrievable, and whether people handling waste understand the documented arrangements.

Real-world example: emergency response plan

A manufacturing site has an emergency response plan for chemical spills.

Good documented information control would ensure:

• the plan is current and approved;
• spill-kit locations are accurate;
• emergency contact details are up to date;
• site drainage information is available where needed;
• workers and contractors can access relevant instructions;
• drill records are retained;
• lessons from drills or incidents lead to document updates.

This shows how documented information supports emergency preparedness, not just administration.

Auditor questions for ISO 14001 Clause 7.5

• What documented information is required for the EMS?
• What additional documented information has the organisation determined is necessary?
• How are documents created, reviewed and approved?
• How are documents identified and version controlled?
• How are current documents made available where needed?
• How is obsolete information removed or controlled?
• How are records stored, protected and retrieved?
• What retention periods apply to EMS records?
• How is external documented information controlled?
• How does the organisation ensure documented information matches actual practice?
• Can employees find the current information they need?
• Can the organisation retrieve records needed as audit evidence?

Related ISO 14001 clauses

• Clause 4.3 — EMS scope
• Clause 5.2 — Environmental policy
• Clause 6.1.2 — Environmental aspects
• Clause 6.1.3 — Compliance obligations
• Clause 6.2 — Environmental objectives
• Clause 7.2 — Competence
• Clause 7.3 — Awareness
• Clause 7.4 — Communication
• Clause 8.1 — Operational planning and control
• Clause 8.2 — Emergency preparedness and response
• Clause 9.1 — Monitoring, measurement, analysis and evaluation
• Clause 9.2 — Internal audit
• Clause 9.3 — Management review
• Clause 10.2 — Nonconformity and corrective action

Continue learning

This page is part of SQMC’s ISO 14001:2026 guidance library for auditors, managers and QHSE professionals.

• Return to ISO 14001:2026 for Auditors
• Clause 7 — Support
• Competence explained
• Awareness explained
• Communication explained
• Audit evidence in ISO 14001 audits

Ready to put ISO 14001 into practice?

SQMC’s ISO 14001 Internal Auditor course helps you move from understanding the Standard to auditing it with confidence. Over two practical days, you’ll learn how to plan EMS audits, gather evidence, ask better questions, write nonconformities and report findings clearly.

Learn from anywhere in our Virtual Classroom, attend one of our training centres, or arrange private in-company training for your team.

Find out more and get qualified!