It is important that sufficient verification procedures are in place such that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company).
There are various ways confirming ones identity and we don't dictate exactly how this should be done for non-EV certificates. However there must be a clear path how the identity and organization validation are tied together so that there is reasonable assurance.
If public resources are used, then there should be a description of the public resources that are used, what data is retrieved from public resources, and how that data is used for verification of the entity referenced in the certificate.