Why Document Control Trips Up So Many Organisations
Document control is one of those areas where organisations either get it right or spend years firefighting the consequences. Walk into any certification audit and you will find that document control issues are among the most frequently raised nonconformities. Outdated procedures being used on the floor, forms without version numbers, approved documents that nobody can locate, records stored in three different places with no clear master. These are not exotic problems. They are everyday realities in organisations that have never properly understood what ISO 9001 document control requirements actually ask for.
On this page
ISO 9001:2015 replaced the old terminology of documents and records with a single term: documented information. That change was deliberate. The standard recognises that modern organisations manage information in many formats, from paper files to shared drives to cloud platforms, and it does not prescribe a particular system. What it does prescribe is that certain information must exist, must be controlled, and must remain fit for purpose. Getting that right is what this article is about.
Understanding What ISO 9001 Actually Requires
The document control requirements in ISO 9001:2015 sit primarily in Clause 7.5, which covers documented information. The clause has three sub-clauses, and each one addresses a different aspect of how your organisation creates, controls, and maintains the information it needs.
Before diving into each sub-clause, it is worth noting that ISO 9001 does not give you a list of required documents and tell you to produce them. Instead, it identifies certain documented information that the standard itself requires, and then adds that your organisation must also maintain and retain whatever documented information is necessary for the QMS to operate effectively. That second part is the one organisations often underestimate.
Clause 7.5.1: What Documented Information Must Your QMS Include?
Clause 7.5.1 establishes that the QMS must include documented information required by the standard itself, plus documented information that the organisation determines is necessary for the effectiveness of the QMS.
The standard explicitly requires documented information in a number of places. These include the scope of the QMS, the quality policy, quality objectives, and evidence of competence, among others. But the more interesting requirement is the second one: information the organisation determines is necessary. This is where judgement comes in.
A small construction company with five employees does not need the same volume of documented information as a 500-person manufacturer. The standard does not tell you to document everything. It tells you to document what you need to operate your processes consistently and to demonstrate conformity. If your team can consistently produce the right outcome without a written procedure, you may not need one. If variation keeps creeping in, that is a signal you need more documented information, not less.
Auditors will probe this. They will ask how you determined what documented information was necessary, and they will look at whether the information you have actually supports your processes. A gap between what is documented and what actually happens on the floor is a classic nonconformity waiting to be raised.
Clause 7.5.2: Creating and Updating Documented Information
Clause 7.5.2 addresses the mechanics of creating and updating documents. When documented information is created or updated, the organisation must ensure appropriate identification and description, appropriate format and media, and review and approval for suitability and adequacy.
In practice, this means every document needs to be identifiable. A document without a title, a version number, or a date is not controlled. It is just a piece of paper or a file sitting somewhere. You need to be able to tell, at a glance, which version of a document you are looking at and whether it has been approved.
Format and media sounds straightforward, but it trips people up. If your approved document is a PDF on a shared drive but the version being used on the floor is a printed copy from six months ago, you have a document control failure. The format and media must be appropriate for the use, and the controls must ensure people are using the current version regardless of the format.
Review and approval is not a rubber stamp exercise. The person approving a document must have the authority and the knowledge to judge whether it is suitable and adequate. An approval signature from someone who has not read the document is not meaningful approval, and an experienced auditor will find that out quickly by asking the approver a few questions about the content.
For a deeper look at what Clause 7.5.2 expects in practice, see our article on creating and updating documented information.
Clause 7.5.3: Control of Documented Information
Clause 7.5.3 is where the operational requirements of document control live. The standard requires that documented information required by the QMS and by ISO 9001 must be controlled to ensure it is available for use where and when it is needed, and in a suitable format. It must also be adequately protected from loss of confidentiality, improper use, or loss of integrity.
Beyond availability and protection, the standard identifies specific control activities that must be addressed. These include distribution, access, retrieval and use; storage and preservation, including preservation of legibility; control of changes, including version control; retention and disposition; and control of externally originated documented information.
That last point catches organisations off guard. Your quality system does not only rely on documents you have written. It also relies on external documents: customer specifications, supplier standards, regulatory requirements, technical standards. These need to be controlled too. The current version of a customer drawing or a referenced standard must be the one in use. Outdated external documents must be identified as such or removed from circulation.
Our dedicated article on control of documented information under Clause 7.5.3 goes into the specific evidence auditors look for when reviewing this requirement.
Documents vs Records: The Distinction That Matters
One of the most common sources of confusion in document control is the difference between documents and records. In ISO 9001 language, both are documented information, but they serve different purposes and require different controls.
A document is information that tells people how to do something or defines what is required. Procedures, work instructions, quality plans, and the quality policy are all documents. They are living information that can be revised when circumstances change.
A record is evidence that something was done. Inspection results, training records, audit reports, and management review minutes are records. They capture what happened at a specific point in time and must not be altered after the fact.
The controls you apply to each are different. Documents need version control, approval, and a mechanism to ensure people are using the current version. Records need to be legible, retrievable, and retained for an appropriate period. Applying document controls to records or record controls to documents creates confusion and nonconformities.
When an auditor asks to see your document control procedure, they will often use it as a starting point to test whether the distinction is understood and applied. They will pull a sample of documents and check version numbers. They will pull a sample of records and check that they are complete, legible, and retrievable. Inconsistency between what the procedure says and what actually happens is an immediate red flag.
Common Document Control Failures Auditors Find
After conducting hundreds of audits across a wide range of industries, certain document control failures appear again and again. Knowing what auditors look for helps you address the real gaps rather than producing paperwork for its own sake.
Obsolete Documents in Use
This is the most common finding. A procedure is updated, the new version is uploaded to the shared drive, but the old version is still sitting in a folder on someone's desktop or printed and pinned to a noticeboard. The person using it does not know it is outdated. The process they are following may no longer reflect what the organisation intends.
The fix is not just to update the document. It is to have a distribution and retrieval mechanism that ensures the old version is removed from use when the new one is released. Whether you do that through a document management system, a controlled distribution list, or a simple acknowledgement process, the mechanism must work in practice, not just in theory.
Documents Without Adequate Identification
A document titled Procedure with no version number, no date, and no author is not controlled. Neither is a document where the version number is buried in a footer that nobody reads. Identification must be clear enough that anyone picking up the document can immediately determine which version it is and whether it is current.
Approval Without Authority
Documents are approved by whoever happens to be available, rather than by someone with the authority and knowledge to judge whether the document is suitable. This is particularly common in smaller organisations where the quality manager approves everything regardless of whether they have the technical knowledge to assess the content.
No Control Over External Documents
Customer drawings, referenced standards, regulatory requirements, and supplier specifications are used in the process but are not included in the document control system. Nobody checks whether the customer drawing in use is the current revision. Nobody verifies that the referenced standard has not been superseded.
Records That Cannot Be Found
The procedure says records are retained for five years. The auditor asks to see records from two years ago. Nobody can find them. Whether they were stored on a system that was decommissioned, filed in a location nobody remembers, or simply never created in the first place, the result is the same: a nonconformity against the retention requirements of Clause 7.5.3.
Building a Document Control System That Actually Works
A document control system does not need to be complicated. It needs to be fit for the size and complexity of your organisation, and it needs to be consistently applied. Here is what a practical, functional system looks like.
A Document Register
Maintain a register of all controlled documents. This does not need to be sophisticated. A spreadsheet with document title, document number, current version, date of last review, and document owner is sufficient for most organisations. The register tells you at a glance what documents exist, what version is current, and when each document is due for review.
A Clear Versioning Convention
Decide on a versioning convention and apply it consistently. Whether you use version numbers (Version 1, Version 2), revision letters (Rev A, Rev B), or dates, the convention must make it obvious which version is the latest. Avoid conventions that require someone to interpret or calculate which version is current.
Controlled Access and Distribution
If you use a document management system or a shared drive, ensure that only the current version is accessible. Archive or password protect old versions so they cannot be accidentally retrieved and used. If you use printed copies, stamp them as controlled and maintain a distribution list so you know who has copies and can retrieve them when the document is updated.
A Review and Approval Workflow
Define who can create documents, who reviews them, and who approves them. The approver must have the authority and knowledge to make that judgement. Document the approval, whether through a signature, an electronic approval in a document management system, or another verifiable method.
A Retention Schedule for Records
Define how long each type of record must be retained, based on legal requirements, contractual requirements, and operational needs. Communicate the retention periods and ensure records are stored in a way that keeps them legible and retrievable for the full retention period. When the retention period expires, define how records are disposed of, particularly if they contain sensitive information.
A Process for External Documents
Identify which external documents are used in your QMS and assign someone responsibility for checking whether they remain current. For customer drawings, this might mean checking with the customer before each job. For referenced standards, it might mean an annual review. Whatever the mechanism, it must be documented and applied.
Document Control in the Context of an Audit
When a certification auditor or an internal auditor reviews your document control, they are not just checking whether you have a procedure. They are testing whether the system works. They will follow documents into the process and check whether the people using them are using the current version. They will ask workers to show them where they find the documents they need. They will request records and assess whether they are complete, legible, and retrievable.
The most revealing question an auditor can ask is simply: How do you know the document you are using is the current version? If the answer is confident and specific, the system is working. If the answer is hesitant or involves phrases like I think it is or someone would have told me if it changed, the system has a gap.
For quality managers preparing for a certification audit, document control is one area where the effort you put in before the audit genuinely pays off. A clean, consistent, well-maintained document control system gives an auditor confidence in the rest of your QMS. A chaotic one creates doubt that spreads to every other area they look at.
If you are preparing for an ISO 9001 certification audit and want to understand what auditors are looking for across all clauses, our article on what auditors look for in an ISO 9001 quality management system covers the broader picture.
Document Control for Internal Auditors
If you are an internal auditor, document control is one of the most productive areas to audit because the evidence is tangible and the gaps are often visible quickly. You do not need to spend hours interviewing people to find document control nonconformities. You can often find them in the first ten minutes by pulling a few documents and checking the basics.
A practical approach is to follow a process from start to finish and check the documented information at each step. Ask the person performing the task to show you the document they are working from. Check the version number against the register. Ask them how they would know if the document was updated. Then check the records they are generating and assess whether they are complete and legible.
When you find a gap, be specific in how you record it. Do not write document control is poor. Write exactly what you found: the document title, the version in use, the current version in the register, and where you found the discrepancy. Specific findings drive specific corrective actions. Vague findings drive vague responses that do not fix the underlying problem.
Our article on auditing document and record control provides a practical walkthrough of how to approach this as an internal auditor, including the questions to ask and the evidence to gather.
Practical Tips for Ongoing Document Control
Document control is not a one-time project. It requires ongoing attention. Here are some practical habits that keep a document control system healthy between audits.
- Assign document owners. Every controlled document should have a named owner who is responsible for keeping it current. When a process changes, the document owner is the first person who should know that a revision is needed.
- Set review dates and act on them. Decide how frequently each document should be reviewed, even if no changes are needed. A document that has not been reviewed in three years may still be current, but you need to be able to demonstrate that you checked.
- Make it easy to access current documents. If people have to navigate a complex folder structure or send an email to the quality manager every time they need a procedure, they will not bother. They will use whatever they have to hand, which may not be current. Make the current version the easiest version to find.
- Train people on the system. Document control only works if everyone who uses documents understands the system. A brief induction that covers where to find current documents, how to identify the version, and what to do if they think a document needs updating goes a long way.
- Review your document register regularly. Remove documents that are no longer needed. A document register full of obsolete documents that nobody has bothered to formally retire is a liability, not an asset.
When to Get Formal Training
If you are responsible for implementing or maintaining a QMS, understanding document control requirements thoroughly is not optional. It is foundational. The same applies if you are conducting internal audits. You cannot audit an area you do not understand, and document control has enough nuance to trip up even experienced practitioners.
At Audit Workshop, our ISO 9001 internal auditor and lead auditor courses cover document control in the context of real audit practice, not just clause-by-clause theory. You will learn how to audit documented information requirements, how to identify genuine nonconformities, and how to write findings that actually drive improvement. Whether you are just starting out or looking to sharpen your skills before a certification audit, our courses are built around the practical realities of auditing, not textbook scenarios.
