Controlling Documented Information Under ISO 45001
The standard does not tell you to drown in paperwork - it tells you to keep what's needed and keep it under control.
ISO 45001 Clause 7.5 - Documented Information for OH&S
ISO 45001 Clause 7.5 covers the documented information your OH&S management system needs to keep, how to create and update it, and how to keep it under control. It is split into 7.5.1 General, 7.5.2 Creating and updating, and 7.5.3 Control of documented information.
The clause replaces the older "documents and records" terminology with "documented information", which covers both. It applies to UK and international organisations equally, though UK organisations also have specific statutory record-keeping duties under the Health and Safety at Work etc. Act 1974 (HASAWA) and various sets of regulations.
What Clause 7.5 Asks For
7.5.1 General - the OH&S management system must include the documented information required by the standard, plus whatever the organisation has determined is necessary for the system to be effective.
7.5.2 Creating and updating - when creating and updating documents, you must give appropriate attention to identification and description, format and media, and review and approval for suitability and adequacy. The standard gives examples (title, date, author, reference number) but does not list any of these as individually mandatory.
7.5.3 Control of documented information - documents required by the management system must be controlled so that they are available where and when needed, and adequately protected. Where applicable, you must address distribution, access, retrieval, use, storage, preservation, control of changes (such as version control), and retention and disposition. Documents of external origin that are needed for the system must also be identified and controlled.
Practical Compliance Guidance
| alphaZ document | How to use it |
|---|---|
| ISO 45001 Toolkit | Complete document set for an ISO 45001 management system, supplied with the document register and document control procedure already populated. |
| F-IMS20 Document Register | Lists every controlled document in the management system with reference number, title, owner, version and review date. Acts as the central index auditors use to navigate the system. |
| PP-1-08 Management Files Documents Records Policy Procedure | The procedure for how documents are created, approved, distributed, stored, version-controlled, retained and disposed of. Reference this procedure in the document register so the rules and the index sit together. |
For more on these documents see the ISO 45001 Toolkit.
The single most useful thing for this clause is a working document register. Once you have one, every other 7.5 question - what controls a document, who owns it, when was it last reviewed - has a one-line answer.
When I audit 7.5 I check that the clauses requiring documented information have actually been addressed - the OH&S policy, the legal register, risk assessments, training records, communications evidence, audit results, management review outputs, and so on. Then I sample a handful of those documents to check version control and approval. I will also ask to see how external documents are tracked - safety data sheets, contractor RAMS, ACoPs you rely on. Poor or absent document control is one of the more common findings I raise on this clause.
Two things to remember. The standard does not require version numbers, document owners or periodic reviews - those are good practice, not requirements.
What Documented Information Does ISO 45001 Specifically Require?
The standard names a number of items as required documented information across its clauses. The headline ones are the OH&S policy, the scope, OH&S objectives and plans to achieve them, evidence of competence, evidence of communications as appropriate, evidence of operational planning and control, evidence of monitoring and measurement results, evidence of internal audit programmes and results, evidence of management review outputs, and evidence of incidents, nonconformities and corrective action results. Your document register should track all of these as a minimum.
Documents of External Origin
Clause 7.5.3 specifically calls out documents of external origin that the organisation has determined to be necessary for the planning and operation of the OH&S management system. These include manufacturer instructions, safety data sheets, contractor RAMS that you rely on, statutory ACoPs, HSE guidance documents you have adopted, and standards or codes you reference. Identify them in the document register and apply the same control principles - but recognise you cannot version-control someone else's document, only the copy you hold.
UK Legislation
UK organisations have specific record-keeping duties on top of ISO 45001.
- Health and Safety at Work etc. Act 1974
- Management of Health and Safety at Work Regulations 1999
- Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)
- Data Protection Act 2018
