Version control and document approval
Two practical features distinguish a controlled document from any other file on a shared drive: a way to identify which iteration of the document this is, and evidence that it has been reviewed and approved before release. ISO 9001 Clause 7.5.2 requires both - identification (described as a title, date, author or reference number) and review and approval for suitability and adequacy. Most organisations use a version or issue number to handle the identification side, because once a document has been through more than one update, version numbers are the easiest way to tell at a glance which copy is current.
The other ISO management standards have equivalent requirements. None of them specify how to do version control - they specify only that the result has to be reliable.
How issue and revision numbers work
Most management systems use one of two numbering conventions. Both work, and the choice between them is mostly about how often documents change and how much history needs to be visible.
The simpler approach is a single integer issue number that increments each time the document is reissued: Issue 1, Issue 2, Issue 3. This works well when documents change infrequently and the organisation does not need to distinguish minor updates from major rewrites.
The more granular approach uses an issue number plus a revision number - typically as 1.0, 1.1, 1.2, 2.0. The integer increments for substantial changes, the decimal for minor updates and corrections. This is more useful where documents change often, where multiple drafts exist before a release, or where there are reasons to track minor revisions separately.
Whichever convention is used, the key rule is consistency. Every controlled document follows the same convention, the version appears clearly on every page (typically in the footer), and the document register reflects the current version. Mixing conventions across the management system makes audits awkward and increases the risk of errors.
Approval - who, when and how
Every controlled document needs to be approved before it is released for use. ISO 9001 Clause 7.5.2c requires review and approval for suitability and adequacy. The approver should be someone competent to evaluate the document - usually the person responsible for the area the document covers.
The approval does not have to be a wet signature. An approval field in the document footer (Approved by: J Smith, Quality Manager, 14 March 2026) is acceptable, as is a workflow record in document management software. What matters is that there is evidence the document has been authorised, by someone competent, before it was released.
Top management does not need to approve every controlled document. The quality policy is approved by top management because the standard requires it - other procedures and forms are usually approved by department heads or the management system owner. Spreading approval across competent people is more sustainable and better evidence than every signature coming from one director.
The draft and archive folder pattern
A practical way to manage document changes is the draft-and-archive folder pattern, which keeps the live folder clean and protects history.
While a document is being updated, the working copy lives in a Draft folder. Only the document owner and reviewers have access. The version number is incremented and the file is marked as draft.
Once approved, the new version replaces the live version. The previous live version moves to an Archive folder where it is preserved for historical reference but is clearly not in current use. The document register is updated to show the new current version, and the change is recorded on a change log.
This pattern prevents two common problems: drafts being mistaken for live documents, and old versions remaining in circulation alongside new ones.
The change log
For documents that change regularly, an update log records what changed and why. This can be a section at the start of the document itself (most policies and procedures use this) or a single change log on the document register covering changes across all controlled documents.
A useful change log entry has four parts: the date of change, the new version number, who approved it, and a one-line description of what changed. The aim is not an exhaustive audit trail but enough information that a reader, an auditor or a future reviewer can understand what was different about this version.
Auditors particularly look at change logs around the time of certification audits, surveillance audits and management reviews, because these often trigger document updates. A change log that shows real, considered updates is a strong indicator that the management system is being maintained, not just left to drift between certifications.
Periodic review
Even documents that have not been formally changed should be reviewed periodically to confirm they still reflect how the organisation actually operates. Annual review is the most common rhythm, often timed to align with management review preparation.
The simplest evidence of periodic review is a date and initial in the document footer or on the register: Reviewed: 14 March 2026 - JS. This shows that the document has been considered, even where no changes were needed. Documents that have not been reviewed for several years are a regular finding in surveillance audits.
Removing obsolete documents from use
When a document is replaced, the old version needs to be taken out of circulation. For electronic documents this usually means moving the old version to an archive folder or marking it as obsolete in document management software. For paper copies it means physically retrieving them - which is one reason most organisations have moved away from printed manuals where possible.
Where paper is still in use, a register of where controlled paper copies have been distributed is the only reliable way to make sure they are all retrieved when an update is issued. This is a common audit finding in industries that still rely on printed work instructions.
Version control is one of the easiest things to audit and one of the easiest to fail an audit on. I pick three or four controlled documents at random, look at the version on the document, look at the version on the register, look at the version people are actually using on their screens. If those three numbers do not match, I have a finding.
The most common cause is that the document was updated but the register was not. The fix is simple but it has to be a habit, not an afterthought.
We use a draft folder and an archive folder, and one person owns the move from one to the other. When something is being updated, it sits in draft. When it is approved, the old version goes to archive and the new one becomes the live document. The register gets updated at the same time.
It sounds basic, and it is, but the reason it works is that the rule is the same every time. Nobody is making decisions about where files live - they follow the pattern.
Issue 1, Issue 2, Issue 3 is fine. You do not need a complicated revision tracking system unless your documents are changing often enough to need one. What you do need is the version number on the document, the version number on the register, the version number that people are actually using - and all three the same.
Practical compliance guidance
IMS1 Section 1.5 Management of Documented Information and Data covers approval, review and version control of controlled documents, including the draft and archive folder approach and how significant changes are logged.
The toolkit provides a document register with a built-in update log section, a policy and procedure for managing documents and records, and an audit checklist for checking version control during internal audits.
| alphaZ document | How to use it |
|---|---|
| ISO 9001 Management System Toolkit | Full toolkit with the policy and procedure framework for version control and document approval, supporting documents and templates. |
| F-IMS20 Document Register | Document register with an update log section for recording changes to controlled documents, current version numbers and approval status. |
| PP-1-08 Management of Files, Documents and Records Policy | Policy and procedure setting out approval workflow, version numbering convention, draft and archive handling and change log requirements. |
| GG-1-08 Guidance on Files, Documents and Records | Plain-language guidance on day-to-day version control, including how to handle drafts, approvals and reviews. |
| A-C P02 Management of Documented Information Audit Checklist | Process audit checklist for reviewing how well version control and approval are working, suitable for internal audits. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation relevant to version control and approval
Version control and approval are not directly mandated by UK legislation, but several laws require organisations to keep accurate, current records of policies and procedures - which in practice depends on effective version control. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
