Setting Up a Document Register

Setting up a document register

A document register is the practical answer to the question every external auditor will ask sooner or later: how do you know what controlled documents you have, where they are kept and who is responsible for them? Without a register, that question becomes a fishing expedition through shared drives. With one, it takes thirty seconds to answer.

The document register is not strictly required by name in ISO 9001 or the other management system standards, but the underlying control objectives in Clause 7.5 - identification, accessibility, protection, retention - are very difficult to demonstrate without one. Most certification auditors will look for it within the first hour of a surveillance visit.

Two halves of a useful document register

A well-designed document register has two distinct sections, and trying to merge them is one of the most common mistakes organisations make.

The first section lists controlled documents - the templates, policies, procedures and registers that the organisation creates and maintains. For each one, the register usually shows the filename, what the document is for, where it is filed, the current version and who owns it.

The second section lists records - completed paperwork retained as evidence. For records, the register does not name individual files (a CCTV recording, a single training record, an accident report). Instead it groups records by type and shows the description, the storage location with security arrangements, and the retention period. There may be hundreds of CCTV recordings in any given month, but they are all the same type of record managed the same way.

Why folder pointers beat exhaustive lists

The temptation when first setting up a document register is to list every individual file the organisation holds. This is rarely a good idea. Lists like this are out of date the moment they are created, and maintaining them becomes a chore that nobody wants to do.

The simpler and more sustainable approach is to point at folders rather than files. The register entry says all current form templates are stored in /IMS/2 - Forms, Policies and Procedures/Forms/ - and then the folder itself is the source of truth. Anyone who wants the current list of forms looks in that folder, where every file is named consistently and version-controlled.

The same principle applies to records. The register entry might read completed risk assessments are stored in /IMS/H&S Folder/Risk Assessments/, retained indefinitely. The register does not need to list each individual assessment - it identifies the type, the location, the retention rule and the responsibility, and the folder contains the actual records.

What to capture for each entry

For controlled documents, the minimum useful entry covers filename, description, location and current version. Adding a document owner is helpful where the company has more than one person creating or approving documents.

For records, the four columns that matter are type, description, storage location with security notes, and retention period. The retention period is where most organisations spend the most time, because some of it is dictated by law (financial records, employment records), some by contract or sector regulation, and some by business need. A separate article in this knowledge base covers retention in more detail.

Information classification on the register

Documents containing protected personal data or commercially confidential information should be flagged on the register, not least so that storage and access controls are obvious. A simple convention - marking confidential entries in a different colour, or adding a classification label - works well. The IMS1 manual uses three classifications across the integrated management system: [Confidential] for protected personal data and confidential information, [Business Use] as the default, and [Public] for documents that can be shared openly. The register itself usually carries one of these labels too.

Who owns the document register

One person needs to own the register. In small companies this is often the same person who owns the management system overall. In larger ones it can sit with quality, IT or office management. The owner does not have to update every entry personally - department heads can update their own sections - but somebody has to be accountable for the register being current and reviewed.

A practical rhythm is to review the register at least annually, with smaller updates whenever a significant document is created, retired, or moved. The annual review usually fits well into management review preparation, which surfaces any changes that have happened over the year.

Common mistakes when setting up a register

The most common pitfall is making the register too detailed. A register that lists every single record - every completed checklist, every training record, every accident report - is unmaintainable. By the time it is finished, it is wrong.

The opposite mistake is making it too vague. All quality records, kept in the office, retained as required is not useful to anyone. It does not tell you where to find anything, who is responsible, or how long retention actually is.

The third mistake is forgetting external sources. Customer drawings, supplier specifications, externally imposed standards and downloaded legislation are all documents the organisation depends on, and document control extends to them. They belong on the register too, with a note about how the organisation knows it has the current version.

We rebuilt our document register a couple of years ago because the previous one was three pages long and listed individual files. It looked thorough but it was wrong by lunchtime on the day we wrote it.

The new one is one page. It points at the folders, names the document owner, and gives the retention period for each type of record. New starters can find anything they need from it in a minute. The auditor goes through it, asks two or three follow-up questions, and moves on. That is how it should be.

The document register is one of the first things I look at when I audit a management system. Not because it is high risk in itself, but because it tells me how the organisation thinks about its documentation. A clear register usually means clear documents underneath it. A register that is missing, vague or full of out of date entries is a strong signal that I will find issues elsewhere.

Folder pointers, not file lists. That one principle saves more time than anything else. You are not trying to recreate Windows Explorer in a spreadsheet, you are explaining where your stuff lives and how long you keep it.

Practical compliance guidance

IMS1 Section 1.5 Management of Documented Information and Data describes the document register and how it fits within the integrated management system. The section sets out the two-section structure - records and controlled documents - and how each part is maintained.

The toolkit provides the F-IMS20 Document Register template along with a separate F-IMS201 Records Register where the records section is more substantial than the controlled documents list, and supporting policy and guidance documents.

alphaZ document	How to use it
ISO 9001 Management System Toolkit	Full toolkit including the IMS1 manual, document register and supporting policies for setting up document control under ISO 9001.
F-IMS20 Document Register	Two-section register template covering company records and controlled documents. Use the folder-pointer approach rather than listing every file.
F-IMS201 Records Register	Standalone records register for organisations that need a more detailed records-only register, separate from the controlled documents list.
PP-1-08 Management of Files, Documents and Records Policy	Policy and procedure setting out how the document register is structured, who maintains it and how it is reviewed.
GG-1-08 Guidance on Files, Documents and Records	Plain-language guidance on completing the register, with worked examples of typical entries.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does the document register need to list every document?

No, and trying to do this usually makes the register unmaintainable. Point at folders rather than listing files. The register entry says where a category of documents lives - the folder itself is the source of truth for the current list. The same applies to records, which are grouped by type rather than listed individually.

How often should the document register be reviewed?

At least annually as a formal review, plus smaller updates whenever a significant document is created, retired or moved. The annual review fits well alongside management review preparation, which usually surfaces any changes from the year.

Do externally provided documents go on the register?

Yes, where the organisation relies on them as part of the management system. Examples include customer-supplied drawings, externally imposed standards, regulatory guidance and supplier specifications. The register entry shows where the document is held and how the organisation confirms it has the current version.

Can the document register be in any format?

Yes. A spreadsheet, a Word table or a section of a document management system are all acceptable. The format does not matter - what matters is that the register is current, owned by somebody, and accurately describes the documents and records the organisation holds.

UK Legislation relevant to document registers

The document register itself is not required by UK legislation, but it supports compliance with several laws that mandate retention or protection of specific records. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.

Further Resources