ISO 9001 is the world's most widely adopted quality management standard. Most organisations that operate under it believe their document control is in reasonable shape. But many find out during a surveillance audit that it isn't.
The problem is usually a misreading of what control means. Document control gets interpreted as centralised storage: one place where files live and can be found. ISO 9001 goes considerably further, requiring documents to be approved before use, versions controlled and enforced, access permissions defined and every change traceable.
Here, we cover ISO 9001 requirements for document control, which documents need to be controlled and how organisations are meeting obligations.
ISO 9001:2015 uses the term "documented information" to cover two things that need to be controlled quite differently.
The first is documents: procedures, policies, work instructions and SOPs. These define how work should be done. They need formal approval before anyone uses them, and a version history that shows how they've changed over time.
The second is records: audit logs, inspection results and training records. These are the evidence that work was done and can be retained, protected and retrieved when needed.
Under ISO 9001:2015 Clause 7.5, documents must be approved before use, reviewed when processes or regulations change, and kept current, with only the live version accessible to the people who need it.
Documented information must be available where the work is performed. It must also be protected against changes that haven't gone through the correct approval process.
This clause covers external documents such as supplier specifications, regulatory standards and third-party guidance. Organisations are responsible for keeping these current too.
| ISO 9001 requirement | What it means | Example |
|---|---|---|
| Approved before use | Documents reviewed and signed off before release | SOP approved by Quality Manager |
| Reviewed and updated | Documents updated after process or regulatory changes | Updated procedure following audit finding |
| Version control | Only the current version is accessible | Version 3 replaces Version 2 |
| Availability | Documents accessible where work is performed | Operator retrieves correct work instruction on the floor |
| Protection | Documents cannot be edited without authorisation | Read-only access for most users |
| External documents | External information kept current and distributed | Updated ISO standard shared across relevant teams |
Policies, SOPs, work instructions and process documentation define how work gets done. Before any of them go into active use, they need formal sign-off. After that, they need a complete version history, so that when a process changes or an auditor asks questions, there’s an accurate record of what was approved and when.
Audit reports, inspection results, training records and non-conformance logs are all part of the paper trail that shows approved processes have been followed. You can't amend or delete them without documenting the reason why. When an auditor asks to see these documents, they need to be retrievable in full.
Standards, supplier specifications and regulatory guidance originate outside the organisation, which makes them easy to overlook. ISO 9001 document control requirements apply to them too, so someone needs to be responsible for update monitoring, distributing new versions and making sure internal procedures stay aligned.
| Type | Purpose | Example | Control requirement |
|---|---|---|---|
| Document | Defines how work should be done | SOP, policy, work instruction | Approval, version control, distribution |
| Record | Evidence that work was done | Audit log, inspection result, training record | Retention, integrity, traceability |
For every document currently in active use, there should be a clear record of who approved it and when. If that approval happened in passing, the evidence cannot always be recovered under audit pressure. Auditors follow the paper trail — and informal approvals tend not to leave one.
Ask any auditor what issues they see most often and version control comes up immediately. Outdated documents in circulation, two versions of the same procedure, and employees accessing files from personal drives or old email attachments. ISO 9001 demands obsolete versions be withdrawn from circulation.
When a document changes, the audit trail should show who made the change, when and why. Version history isn't just good practice; for ISO 9001 documented information, it's a requirement.
Auditors will ask how you manage external standards and supplier specifications. Who is responsible for monitoring updates? How does a new version get distributed internally? If the answer is "we check occasionally," that's not good enough.
Documented procedures need to reflect how people work day to day. Auditors compare written instructions with observed practice. A discrepancy between the two — even when the real process is perfectly sound — is a non-conformance.
Document lifecycle management and ISO 9001 document control cover much of the same ground. The difference is that under ISO 9001, each stage of the lifecycle carries formal requirements and organisations need to be able to demonstrate compliance at every point.
Every controlled document needs an owner: someone responsible for its accuracy, its review cycle and its approval. Standardised templates help to keep documents consistent and make them easier to manage as volumes grow.
A document moves through defined stages before it can be released. Those steps need to be traceable. Who reviewed it? Who approved it? When? The answers should be retrievable without having to reconstruct events from an email chain.
Once released, a document should be accessible from a single controlled source. Multiple copies on shared drives, local desktops or in email attachments undermine version control. Role-based access ensures only authorised users can edit or approve documents, while everyone else works from a read-only version.
When a process changes, the relevant document needs to change with it — and the update needs to go through the same approval process as the original document. Version history and change tracking keep that record intact over time.
Superseded documents shouldn't disappear without trace, as they may be needed for reference. However, they shouldn't remain accessible as working documents. Archiving with a clear “obsolete” status prevents them from being used unintentionally.
Most manual document control systems fall down in the same four places:
These are everyday issues for organisations that manage files across shared drives and email chains without proper document management practices.
How a document management system supports ISO 9001 control
A document management system (DMS) doesn't replace the governance decisions your organisation needs to make — it makes them enforceable. Approval steps, version control, access permissions and retention rules stop being things people have to remember and become things the system applies automatically.
For organisations managing documents under ISO 9001, that means:
| Area | Manual approach | System-supported approach |
|---|---|---|
| Version control | File naming conventions | Automatic versioning |
| Approvals | Email chains | Workflow with full audit trail |
| Access | Shared drives | Role-based permissions |
| Audit trail | Fragmented | Complete and retrievable |
"ISO 9001 document control usually becomes difficult when organisations focus on where documents are stored rather than how they move — how they get approved, updated and accessed. Getting ownership and approval rules defined before touching any system is the step that makes everything else easier to maintain."
— Andrew Barnett, DocuWare Solution Consultant
How to implement effective ISO 9001 document control
Before you do anything else, get a clear picture of what you're dealing with: which document types exist, who currently owns them, who approves them and how often they get reviewed. Policies, SOPs, work instructions, forms, externally sourced documents and records all have different control requirements. Any system you introduce without this overview will inherit the same problems.
How does a document get approved? Who triggers a review, and what sets the clock running? Who can edit documents and who should only read them? These are the process decisions that need to be made early, as automating a process that hasn't been defined won’t bring clarity.
Ad hoc update processes are an audit risk. Defined review cycles — annual for most controlled documents, triggered by process or regulatory changes — mean you always have a clear answer to when a document was last reviewed and why.
Shared drives, email attachments and locally saved files are where version control breaks down. Getting everything into one, centrally managed location is the prerequisite for meeting ISO 9001 standards.
When approval history, version tracking and access records are captured automatically as part of day-to-day document management, audit preparation becomes retrieval rather than reconstruction.
"The biggest mistake organisations make is automating document control before they've worked out how documents should move through the business. If ownership and approval rules aren't defined first, all you've done is make the same audit gaps run faster."
— Andrew Barnett, DocuWare Solution Consultant
Case study: Carebase
Before DocuWare, Carebase’s documents were held in paper files and spread across different systems. Version control across multiple sites was hard to maintain, staff couldn't always get to the documents they needed, and paper-based processes were slowing things down.
DocuWare brought document management at Carebase into a single system with structured workflows for access, approval and retrieval. Staff across its care home network can find what they need without going through the central office.
Now, records of what documents have been approved, when and by whom are something the organisation can easily produce.
The organisations that handle ISO 9001 document control without constant firefighting have made document governance part of how they work, not a separate compliance layer that sits on top of other processes.
When approval workflows, version history and access records are captured automatically, nobody is hunting for files or untangling which version was signed off and when.
ISO 9001 document control covers how your organisation creates, approves, updates, distributes and protects documented information, e.g. procedures, policies, work instructions and the records that show they were followed. Its goal is to ensure people use the right information and that organisations can demonstrate control during audits.
Any documented information that your quality management system or operations depend on. In most organisations this covers policies, SOPs, work instructions, forms and externally sourced documents such as standards or supplier specifications. Records — inspection results, training logs, audit reports — need controlling too, though the requirements are different from documents.
A document tells people how to do something. A record shows that it was done. The two need different controls: documents need approval, versioning and managed distribution; records need to be retained, kept intact and retrievable.
Formal approval before documents enter active use. Evidence that only current versions are accessible to staff. A traceable record of changes — who made them, when and why. Confirmation that external documents are being monitored and updated. And procedures that match what people in the organisation do.
No. The standard doesn't specify software. But manual document control (shared drives, email approvals, file naming conventions) is harder to maintain accurately as document volumes grow and more people are involved in approvals and reviews.
Most organisations reach a point where a document management system such as DocuWare makes the required controls easier to enforce.