Document control explained
The ISO management system standards use the term documented information to cover anything an organisation writes down or stores: policies, procedures, work instructions, forms, registers, records of what has been done. ISO 9001 Clause 7.5 sets out the document control requirements for a quality management system, and the equivalent clauses in ISO 14001, ISO 45001, ISO 27001 and ISO 22301 are all worded in essentially the same way. If documented information cannot be found when it is needed, has been changed without authority, or has been lost altogether, the management system stops being trustworthy.
In practice, document control is not an isolated administrative task - it is the framework that holds the management system together. Every other part of the system relies on it. Internal audits need to find the right version of the procedure being audited. Management review needs accurate records to evaluate. Legal compliance needs a current legal register. Worker competence relies on staff being trained on documents that match how the work is actually done.
Documents and records - the document control distinction
It is useful to keep two ideas separate, even though both fall under document control.
Documents are the templates, policies, procedures and forms that tell people how to do something. They are issue-controlled - each iteration is identified, reviewed and approved before release, and the current version replaces the previous one.
Records are the evidence created when those documents are used: a completed risk assessment, a signed training record, a delivery note, a set of meeting minutes. Records are not version-controlled in the same way - they are protected against accidental change, retained for a defined period, and then disposed of. The same form template might generate hundreds of records over its life.
Both types need controlling, but the controls are different. A poorly worded policy can be reissued with a new version number. A record of who completed a calibration check three years ago cannot be reissued - if it has been lost or altered, the evidence is gone.
What ISO requires from document control
Stripped of the formal language, the standards expect five things.
Identification. Every controlled document is appropriately identified - ISO 9001 Clause 7.5.2a gives title, date, author and reference number as examples. The standard does not specify which to use; the test is whether the document can be reliably told apart from earlier or different versions of itself.
Format and accessibility. Documents are in a usable format - the right language, software that the team has access to, paper or electronic as appropriate. They are available where and when they are needed. A procedure that lives only on the IT manager's laptop is not under control even if the laptop is backed up.
Review and approval. Before a document is released, somebody competent has reviewed and approved it. That approver may not always be the most senior person in the organisation - the person responsible for the area being covered is usually the right approver.
Distribution and access. The right people can see and use current documents. The wrong people cannot edit, delete or share confidential ones. Old versions are removed from active use.
Retention and disposal. Records and documents are kept for as long as they are needed for legal, business or evidence purposes, then disposed of securely.
The standards do not prescribe how to do any of this. A small business with twenty staff can run effective document control on a shared drive with a sensible folder structure and a simple register. A large business with multiple sites usually needs document management software. Both can be compliant.
Common audit findings on document control
Auditors do not generally fail an organisation because a single document has the wrong version number on it. They look for whether document control works in practice. The findings that come up repeatedly are predictable.
Old policies still in circulation alongside the new ones. Procedures that reference legislation that was repealed years ago. A document register that lists files that no longer exist, or omits files that do. Training records dated before the policy they relate to. Multiple versions of the same procedure on different shared drives. Personal data kept for years after it should have been deleted, with no documented reason.
Most of these findings come from the same root cause - document control was set up once and then nobody owned it.
Document control in an integrated management system
For organisations running more than one ISO standard, there is no benefit to having separate document control systems for each. ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301 and ISO 37001 all expect the same things. One register, one set of controls and one approach across all standards is simpler to maintain and easier to audit.
ISO 27001 adds requirements that the other standards do not - specifically around information classification and protection of personal data - but those are additional layers on top of the same document control framework, not a separate system.
Document control is one of those things that sounds dry until you see what happens without it. I have walked into companies where the procedure on the wall was three versions out of date, the training records were for the old procedure, and nobody could tell me which version was actually being followed. That is not a paperwork problem - it is a problem with how the company is being run. You do not need software to do this well. A shared folder, a register, a habit of putting an issue number and a date on everything, and one person who notices when something is out of date. That is enough for most small companies.
When I audit document control I am usually picking documents at random and checking three things. Can it be identified and are the issue numbers correct? Is that the version people are actually using? Can the company show me how it was approved?
If the answer is yes to all three across a sample, I move on quickly. If the answer is patchy, I stay longer and dig further, because document control problems often point to bigger issues with how the management system is maintained.
Clients often ask whether they need a document management software package to comply with the ISO standards. The honest answer is no, not for most businesses. The standards are not interested in what tool you use, only in whether documents are identified, accessible, current and protected. A simple shared drive with a clear folder structure and a basic document register meets every requirement.
Where software does help is when the volume of documents grows, when external auditors and regulators need controlled access, or when several people are editing the same documents in parallel. Even then, the principles are the same - identification, approval, version control, retention, disposal.
Practical compliance guidance
IMS1 Section 1.5 Management of Documented Information and Data sets out the document control framework that runs across the integrated management system. It covers how documents are numbered and issue-controlled, how new documents are approved, how changes are logged, how records are retained and disposed of, and how electronic information is backed up and protected.
The toolkit includes a document register, a policy and procedure for managing documents and records, a guidance document explaining how to apply it, and a related toolbox talk for raising staff awareness.
| alphaZ document | How to use it |
|---|---|
| ISO 9001, 14001 and 45001 IMS Toolkit | The full integrated toolkit including the IMS1 manual, document register and supporting policies and procedures needed to set up document control across multiple ISO standards. |
| F-IMS20 Document Register | Central register that records key company documents, where they are stored, who is responsible and how long records are retained. |
| PP-1-08 Management of Files, Documents and Records Policy | Policy and procedure setting out how documents are created, approved, issued, reviewed and retired, and how records are protected and retained. |
| GG-1-08 Guidance on Files, Documents and Records | Plain-language guidance explaining the document control approach and how to apply it day to day. |
| Toolbox Talk - Files, Documents and Records | Short briefing to give staff awareness of the document control rules and their part in keeping documents and records under control. |
| A-C P02 Management of Documented Information Audit Checklist | Process audit checklist for evaluating how well document control is working, suitable for use during internal audits. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation relevant to document control
There is no single piece of UK legislation that mandates ISO-style document control, but several laws set retention or protection requirements that document control needs to meet. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
