How to Control Documents in ISO 9001


Team CertBetter


Why Document Control Matters More Than Most Businesses Realise

Document control is one of those areas that sounds straightforward on paper but causes more audit findings than almost any other clause in ISO 9001. Businesses spend months preparing for certification, and then an auditor finds that the team has been working from a procedure that was updated six months ago but never formally approved. Or worse, two versions of the same work instruction are floating around the factory floor and nobody is sure which one is current.

If you are working through your ISO 9001 quality management system, understanding how to control documents properly is not optional. It is foundational. Get this right and the rest of your system becomes much easier to manage. Get it wrong and you will be dealing with non-conformances, confused staff, and inconsistent outputs.

This guide walks you through exactly what ISO 9001 requires, how to build a practical document control process, and the common mistakes you need to avoid. If you are new to the standard, it helps to start with a beginner's guide to ISO 9001:2015 before diving into the specifics of document control.

What ISO 9001 Actually Requires for Document Control

ISO 9001:2015 addresses documented information across two main areas. Clause 7.5 covers the general requirements for creating, updating, and controlling documented information. This is where the formal document control requirements live.

The standard uses the term documented information rather than documents and records, which is a deliberate change from the 2008 version. It covers everything from procedures and work instructions to forms, plans, specifications, and records. The distinction between a document (something that tells people what to do) and a record (evidence that something was done) still matters practically, but the standard treats them under one umbrella.

Clause 7.5.2: Creating and Updating

When you create or update documented information, ISO 9001 requires that it is appropriately identified and described. This means it needs a title, a date, an author, a reference number, or some other way to identify it clearly. It also needs to be in an appropriate format and reviewed and approved for suitability and adequacy before it is used.

That last point is where many businesses fall short. They create a document, save it on a shared drive, and start using it without any formal review or approval step. An auditor will look for evidence that someone with the right authority reviewed the document and confirmed it was suitable before it went into use.

Clause 7.5.3: Control of Documented Information

This clause covers the ongoing management of your documented information. It requires that documents are available where and when they are needed, adequately protected from loss of confidentiality or improper use, and controlled for distribution, access, retrieval, and use.

It also requires that you control changes, including version control, and that you manage the retention and disposition of documents. Obsolete documents need to be either removed from use or clearly identified so nobody accidentally uses them.

For a deeper look at how documented information fits into the broader quality management framework, the guide to Clause 4.4 on the quality management system and its processes provides useful context on how documents support your process approach.

Building a Practical Document Control Process

The standard tells you what to achieve but not exactly how to do it. That gives you flexibility, but it also means you need to think carefully about what will actually work in your organisation. Here is a step-by-step approach that works for most businesses, whether you have ten employees or five hundred.

Step 1: Define Your Document Types and Scope

Start by listing every type of documented information your quality management system requires and produces. This typically includes your quality manual or equivalent top-level document, policies, procedures, work instructions, forms, templates, plans, specifications, and records.

Not every document needs the same level of control. A work instruction for a critical manufacturing process needs more rigorous control than an internal meeting agenda. Decide early on which categories of documents fall under your formal document control process and which do not. Document this decision so your auditor understands your reasoning.

Step 2: Create a Document Register

A document register, sometimes called a master document list, is the backbone of any document control system. It is a central record of every controlled document in your system. At a minimum, it should capture the document title, unique reference number, version number, date of last review, document owner, and current status (active, under review, or obsolete).

The register does not need to be complicated. A well-maintained spreadsheet works perfectly for small to medium businesses. What matters is that it is kept current and that your team knows it exists and uses it to find the right version of any document.

Step 3: Establish a Naming and Numbering Convention

Consistent naming conventions make document management far easier. A simple system might use a prefix to indicate the document type, followed by a sequential number and version indicator. For example, QP-001-v2 might indicate Quality Procedure number one, version two.

Whatever system you choose, apply it consistently from the start. Changing your naming convention mid-implementation creates confusion and extra work. Keep it simple enough that any employee can understand it without needing a decoder ring.

Step 4: Set Up a Review and Approval Workflow

Every controlled document needs a defined path from draft to approved. This workflow should specify who can create a document, who reviews it for technical accuracy, and who has the authority to approve it for use. In a small business, these might all be the same person. In a larger organisation, you might have separate roles for each step.

The approval needs to be documented. This can be a wet signature on a printed document, an electronic approval in a document management system, or even a tracked email approval. What you cannot do is have documents in use with no evidence that anyone reviewed or approved them.

Step 5: Control Distribution and Access

Once a document is approved, you need to make sure the right people can access it and that they are working from the current version. If you are using a digital document management system, this is usually handled through access permissions and version locking. If you are using printed documents, you need a distribution list and a process for recalling outdated copies when a new version is issued.

The shift to digital systems has made this much easier for most businesses. Cloud-based platforms allow you to publish the current version, restrict editing to authorised users, and automatically archive old versions. Just make sure your system actually prevents people from accidentally opening and using an old file they saved to their desktop months ago.

Step 6: Manage Version Control and Changes

Every time a document is updated, the version number needs to change and the change needs to be documented. A change history section at the back of the document is a simple way to do this. It records what changed, why it changed, who made the change, and when it was approved.

Version control is one of the most common areas where businesses get caught out in audits. An auditor will often pick up a document and check whether the version in use matches the version in the document register. If they do not match, you have a finding. This is entirely preventable with a disciplined approach to updating your register every time a document changes.

Step 7: Handle Obsolete Documents Properly

When a document is superseded, you have two options. You can delete it entirely, or you can retain it with a clear marking that it is obsolete and must not be used. Retaining obsolete documents is sometimes necessary for legal or historical reasons, but if you do, they must be clearly segregated from active documents.

A common practice is to move obsolete documents to an archive folder clearly labelled as such, and to remove them from any location where staff might access them for day-to-day use. The goal is to make it impossible for someone to accidentally use an old version of a procedure.

Common Document Control Mistakes That Cause Audit Findings

Having worked through dozens of certification audits, we see the same mistakes come up repeatedly. Knowing what they are in advance can save you significant time and stress.

Using Shared Drives Without Version Control

Shared network drives are convenient but dangerous without proper controls. People save local copies, email documents around, and end up with multiple versions in circulation. If your team is using a shared drive, make sure there is only one authorised location for each document, that old versions are removed when new ones are published, and that staff are trained not to save local copies.

Approving Documents Verbally

Verbal approval is not documented approval. If your process says documents need to be reviewed and approved before use, that approval needs to leave a paper trail. An auditor asking to see evidence of approval for your quality policy cannot be answered with “yes, the manager approved it in a meeting last year.”

Forgetting External Documents

ISO 9001 also requires you to control external documents that are relevant to your quality management system. This includes things like customer specifications, regulatory requirements, industry standards, and supplier documents. These need to be identified, reviewed, and kept current, just like your internal documents. Many businesses overlook this entirely until an auditor asks about it.

Understanding what constitutes a controlled document in the first place is important before you build your system. The article on what controlled documents are and how to implement them covers this in detail and is worth reading alongside this guide.

Not Training Staff on the Document Control Process

Your document control procedure is itself a controlled document, but it only works if people actually follow it. Staff need to know where to find current documents, what to do if they think a document needs updating, and why it matters. This does not require a full training day. A short briefing and a clear reference point are usually enough for most teams.

Choosing the Right Tools for Document Control

The tools you use for document control should match the size and complexity of your business. There is no single right answer, but there are some practical options worth considering.

Spreadsheet-Based Systems

For small businesses with a limited number of documents, a well-structured spreadsheet register combined with a controlled folder structure on a shared drive or cloud storage can work effectively. The key is discipline. Someone needs to own the register and update it consistently.

Document Management Software

Purpose-built document management systems automate much of the version control and approval workflow. They typically include features like automated version numbering, approval routing, access controls, and audit trails. Popular options used by ISO-certified businesses include SharePoint, Confluence, and dedicated quality management platforms.

These systems reduce the risk of human error significantly, but they do require an upfront investment in setup and staff training. For businesses with more than twenty or thirty staff, or with a large volume of controlled documents, the investment is usually worthwhile.

Integrated Quality Management Systems

Some businesses use integrated quality management platforms that combine document control with other QMS functions like non-conformance management, audit scheduling, and corrective action tracking. These are particularly useful if you are managing multiple ISO standards simultaneously. For context on how integrated systems work across multiple standards, the auditor's guide to integrated management systems provides a practical overview.

What Auditors Actually Look For

When an external auditor reviews your document control, they are typically looking for a few key things. First, they want to see that you have a defined process for controlling documents. This is usually captured in a document control procedure. Second, they will sample your documents to check that they are identified, dated, and show evidence of approval. Third, they will check that your document register is current and matches what is actually in use.

Auditors will also often test your system by asking an employee to retrieve a specific procedure. If the employee struggles to find it, or finds an old version, that tells the auditor something important about whether your document control system is actually working in practice, not just on paper.

ISO 9001:2015 Clause 7.5 on documented information sets out the requirements directly, and reviewing the standard text alongside your own procedures is a useful exercise before any audit.

One thing auditors appreciate is simplicity. A clean, well-maintained document register and a straightforward approval process are far more impressive than an elaborate system that nobody actually follows. The goal is a system that works, not one that looks good in a presentation.

If you are preparing for your stage 1 or stage 2 audit, the article on 8 things to do before an ISO stage 1 readiness audit includes document control as one of the key areas to review before your auditor arrives.

Maintaining Document Control After Certification

Getting your document control system right for certification is one thing. Keeping it that way over the three-year certification cycle is another challenge entirely. Businesses that struggle with surveillance audits are often those that let their document register fall out of date, allow informal workarounds to creep in, or fail to update procedures when their processes change.

Build document review into your calendar. Set a schedule for reviewing each controlled document at least annually, or whenever a significant process change occurs. Assign clear ownership so that someone is accountable for each document. And make sure your internal audit program includes a check on document control every cycle.

Document control is not a one-time project. It is an ongoing discipline that reflects the maturity of your quality management system. Businesses that treat it that way tend to find their surveillance audits much smoother and their systems genuinely more useful to the people who work in them.

Getting Help With Your Document Control System

If you are building your quality management system from scratch and feeling uncertain about whether your document control approach will satisfy an auditor, working with an experienced ISO consultant can save you significant time and reduce the risk of getting it wrong. A good consultant will have seen what works across different industries and can help you build a system that is both compliant and practical for your team.

If you are looking for a consultant to help with your ISO 9001 implementation, CertBetter makes it straightforward. Submit one form and receive up to three quotes from verified ISO consultants and accredited certification bodies. The service is completely free for businesses seeking certification support, and it takes the guesswork out of finding someone you can actually trust.

Frequently Asked Questions

In practical terms, a document tells people what to do or how to do it, such as a procedure, work instruction, or policy. A record is evidence that something was done, such as a completed inspection form, a signed approval, or an audit report. ISO 9001:2015 uses the term documented information to cover both, but the distinction still matters because they are controlled differently. Documents are updated when processes change, while records are retained as historical evidence and generally should not be altered after they are created.

ISO 9001:2015 does not explicitly require a documented document control procedure, but in practice, most businesses find it necessary to have one. Without a written procedure, it is very difficult to demonstrate to an auditor that your document control process is consistent and understood by your team. The procedure itself becomes a controlled document and demonstrates that you have thought through how document control works in your organisation. Most consultants and auditors will recommend having one.

External documents that are relevant to your quality management system need to be identified and controlled just like your internal documents. This means including them in your document register, assigning an owner who is responsible for checking them for updates, and making sure the current version is accessible to the people who need it. When a customer sends you an updated specification, you need a process for reviewing it, updating your register, and communicating the change to affected staff. Many businesses miss this requirement until an auditor asks about it.

Yes, shared drives and cloud storage platforms like SharePoint, Google Drive, or OneDrive can work well for document control, provided you set them up correctly. The key requirements are that only current, approved versions are accessible to staff, that editing access is restricted to authorised people, and that old versions are archived or removed rather than left in circulation. The platform itself is not what matters to an auditor. What matters is that your system prevents people from accidentally using outdated documents and that you can demonstrate controlled access and version management.

ISO 9001 does not specify a mandatory review frequency, but most organisations set an annual review cycle as a minimum. Documents that relate to critical processes, high-risk activities, or areas subject to regulatory change may need more frequent review. The important thing is that you define a review frequency in your document control procedure and then actually follow it. An auditor will check whether documents have been reviewed within the timeframe your own system specifies, so make sure your schedule is realistic and that someone is accountable for keeping it on track.

Finding an obsolete document in active use is a non-conformance against Clause 7.5.3 of ISO 9001:2015. Depending on the severity and how widespread the issue is, it could be raised as a minor or major non-conformance. A minor finding means you will need to provide a corrective action and evidence of resolution. A major finding could put your certification at risk if it is not resolved before your audit closes. The fix is straightforward: remove the obsolete document from circulation, update your document register, and put in place controls to prevent it happening again. The better approach is to prevent it in the first place by making obsolete document management a routine part of your process.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
