Documents of external origin

Most management system documentation is created and controlled by the organisation itself. But every organisation also depends on documents that come from outside - ISO standards, legislation, customer drawings, supplier specifications, regulatory guidance, industry codes of practice. These are documents of external origin, and ISO 9001 Clause 7.5.3.2 specifically requires them to be identified and controlled where the organisation has determined them to be necessary for the planning and operation of the management system.

The control objective is the same as for internal documents - the people who need them have access to the right version when they need it, and there is no risk of work being done against an out of date copy. The methods are usually different, because the organisation cannot issue version numbers to documents it does not own.

What counts as a document of external origin

Several common categories show up in most management systems.

ISO standards. The certified standard itself - ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 27001:2022, ISO 22301:2019 - and any related guidance documents the organisation relies on. These are bought from BSI or ISO and are typically subject to copyright restrictions on copying.

UK legislation and regulations. Statutes, regulations and approved codes of practice (ACoPs) that apply to the organisation's activities. These are freely available from legislation.gov.uk but the organisation still needs to know which apply, what version is current, and where to find them. The legal register is the usual answer.

Customer-supplied documents. Drawings, technical specifications, contractual requirements, customer quality manuals, customer-specific procedures. Any organisation supplying to larger customers will hold a substantial set of these.

Supplier and contractor documents. Material safety data sheets, calibration certificates, equipment manuals, contractor risk assessments and method statements, supplier quality manuals and certificates. The volume varies enormously by sector.

Industry codes and guidance. Sector-specific codes of practice, guidance from regulators (HSE, ICO, FSA), trade body guidance, audit standards (FORS, SafeContractor, Constructionline). Where the organisation has chosen to follow these voluntarily, they typically still count as external documents requiring control.

Regulatory submissions and approvals. Permits, licences, certificates, environmental consents. These usually have an expiry or review date that the management system needs to track.

Identifying which external documents need controlling

Not every external document the organisation receives needs to be brought into formal control. The standard requires control of those determined to be necessary for planning and operation of the management system. The judgement on what is necessary sits with the organisation.

The practical test usually comes down to two questions. First, would using an out of date version of this document cause a real problem - a quality failure, a safety incident, a contractual breach, a non-compliance? Second, is the organisation actually using this document as part of how it operates, rather than just having received a copy at some point?

If both answers are yes, the document needs controlling. If either is no, it can usually be filed for reference without formal control.

Common methods of control

Three control methods cover most documents of external origin.

Live access to the source. For legislation, ISO standards on subscription, online supplier portals and similar, the organisation can rely on accessing the source directly rather than holding a local copy. The control then becomes making sure staff know to access the source rather than working from old printouts. The legal register typically links to legislation.gov.uk for this reason.

Controlled local copies. For documents that need to be available offline, in the field, or where access to the source is not reliable, the organisation holds a copy and treats it as a controlled document. The register entry shows the source, the version held, when it was last checked against the source, and where it is filed. Customer drawings typically work this way.

Subscription update services. For legislation and standards that change regularly, a third-party update service can do the monitoring. The organisation receives notifications when something changes and updates the register accordingly. The isomanaged.com legal update service works this way for management system legislation.

The legal register and external documents

For most organisations the legal register is the largest single set of external documents they have to control. The register lists the legislation, regulations and codes that apply to the organisation, who is responsible for compliance, where the document can be accessed, and when compliance was last evaluated.

The legal register sits alongside the document register but covers a different scope. The document register covers the controlled documents and records held by the organisation, while the legal register covers the external legal requirements that those documents need to comply with. Clause 7.5.3.2 applies to both, but the legal register is also driven by ISO 9001 Clause 8.4 on external providers and Clause 9.1.2 on evaluation of compliance, so it usually has a structure of its own.

Customer documents - a particular case

Customer-supplied documents need particular attention because they often arrive informally - as email attachments, in shared folders, with contract paperwork - and they often update without explicit notification. A customer drawing may be revised three times during the life of a project, and using the wrong revision can cause real problems.

The standard control is a customer document register or log that records, for each customer, the documents currently held, their revision number and the date received. When a new revision arrives, the previous version is archived and the register is updated. Where customers operate their own document portals, the organisation may rely on the portal rather than holding local copies, but the responsibility still sits with the organisation to know which version is current.

Supplier and contractor documents

Suppliers and contractors generate documents the organisation needs to control - safety data sheets, method statements, certificates of conformity, calibration certificates, ISO certificates. These typically attach to the supplier or contractor record on the key supplier and contractor register, and the controls focus on currency rather than version numbering.

For each significant supplier or contractor, the organisation typically holds a copy of the documents needed for the relationship, with the date received and the date of next review. ISO certificates have expiry dates and need to be re-collected when they renew. Insurance certificates renew annually. Safety data sheets are reissued when products change. The supplier register flags these review points and is checked as part of the supplier appraisal cycle.

External documents are an audit area where I find genuine non-conformities more often than for internal documents. The internal stuff is usually well-controlled because the organisation owns it. The external stuff drifts because nobody owns the relationship to the source.

The most common findings are out of date legislation references in policies, customer drawings being used at the wrong revision, and supplier certificates that have expired without being collected. None of these are difficult to put right, but they need someone whose job it is to check.

The legal register and the customer document register are usually the two external document controls that need the most attention. The legal register because legislation changes and policies need to keep up. The customer document register because customer-supplied drawings and specifications are often the documents most directly tied to the work being done, and using the wrong revision causes real customer-facing problems.

Both work best when one person has clear responsibility for keeping them current, and when there is a regular rhythm of review rather than ad hoc updates.

You cannot control a document you do not own. What you can control is whether you have the right version of it. For legislation, link to the source. For customer drawings, log the revision and the date. For supplier certificates, set a review date and chase the renewal. None of this is complicated, but it does need somebody whose job it is.

Practical compliance guidance

IMS1 Section 1.5 Management of Documented Information and Data covers external documents at a summary level, with detail on legal requirements held on the legal register and supplier documents on the key supplier and contractor register.

The toolkit provides the registers and supporting policies needed to control external documents across the integrated management system.

alphaZ document - How to use it
ISO 9001 Management System Toolkit - Full toolkit including the registers and policies needed to control internal and external documents under ISO 9001.
F-IMS20 Document Register - Document register for capturing externally provided documents identified as necessary for the management system, alongside the controlled internal documents.
PP-1-08 Management of Files, Documents and Records Policy - Policy and procedure covering identification and control of documents of external origin, including review, currency and retention.
GG-1-08 Guidance on Files, Documents and Records - Plain-language guidance on day-to-day handling of external documents, including legislation, customer-supplied documents and supplier certificates.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Documents that the organisation depends on but does not produce itself - typically ISO standards, UK legislation, customer-supplied drawings and specifications, supplier and contractor documents, industry codes of practice and regulatory guidance. ISO 9001 Clause 7.5.3.2 requires these to be identified and controlled where they are necessary for the management system.
Only those determined necessary for the planning and operation of the management system. The practical test is whether using an out of date version would cause a real problem, and whether the organisation is actually relying on the document. Documents that fail either test can be filed for reference without formal control.
By linking to the source rather than holding local copies. The legal register typically links to legislation.gov.uk for each piece of applicable legislation, with a date the register was last reviewed and confirmation that current versions are still applicable. A subscription legal update service handles the monitoring of changes for most organisations.
Through a customer document log or register that records, for each customer, the documents held, the revision number and the date received. When a revision arrives, the old version is archived and the register is updated. Where customers operate their own portals, the organisation can rely on the portal but still needs to know which revision is current.

UK Legislation relevant to documents of external origin

UK legislation does not specifically require ISO-style control of external documents, but several laws require organisations to comply with current legal requirements - which depends on knowing which apply and which version is current. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
