ISO 9001 Document Control: Complete Guide to Documented Information

Introduction

Document control — called "control of documented information" under ISO 9001:2015 — is the process of ensuring all quality-related documents and records within a QMS are created, approved, distributed, and maintained under controlled conditions.

For quality managers, operations leaders, and organizations pursuing or maintaining ISO 9001 certification, this isn't administrative overhead. It's the infrastructure that keeps a QMS functional. Without it, processes drift, personnel work from outdated instructions, and auditors find gaps that derail certification — or kill it entirely.

That audit exposure is well-documented. The ISO/IAF Auditing Practices Group directs auditors to scrutinize exactly how organizations control electronic and physical documented information — review, approval, distribution, revision levels, access policies, and obsolete document handling. Every one of those elements is auditable, and every gap is a potential nonconformance.

What follows is a practical walkthrough of what Clause 7.5 actually requires, how to build a document control process that holds up under audit, and the specific mistakes organizations most often make before and during registration.

TL;DR

  • ISO 9001 Clause 7.5 requires control of all QMS documented information — both documents (maintained) and records (retained)
  • Six core controls apply: approval, version control, change identification, availability, external document handling, and obsolete document prevention
  • Controls apply to any format — paper, electronic, or digital — and scale to your organization's size
  • Uncontrolled or missing documented information triggers direct audit nonconformances
  • A well-structured document control system keeps your QMS audit-ready without creating administrative burden

What Is Documented Information in ISO 9001?

The 2015 Terminology Shift

ISO 9001:2015 replaced the older separate terms "documents" and "records" with a single term: documented information. According to ISO/TC 176 guidance, documented information is "information required to be controlled and maintained by an organization and the medium on which it is contained."

The scope is broader than it first appears. Documented information includes:

  • Quality policies and objectives
  • Procedures and work instructions
  • Process maps and flow charts
  • Forms, inspection checklists, and templates
  • Training records, audit reports, and corrective action logs
  • Supplier qualification records and approved supplier lists
  • Customer-supplied specifications and regulatory documents

The medium doesn't matter — paper, electronic files, photographs, and digital records all qualify.

Maintain vs. Retain: The Core Distinction

ISO 9001:2015 still distinguishes between two types of documented information, even under the unified term:

Type Control Action Examples
Documents Maintained — actively managed, updated, version-controlled Procedures, work instructions, quality policy
Records Retained — kept as evidence, protected from alteration Inspection results, training logs, audit reports

The control activities required for each type are different. Conflating them means applying the wrong processes to the wrong documents — a gap auditors routinely flag during Stage 2 registration audits.

ISO 9001 documents versus records maintain versus retain comparison infographic

What Does ISO 9001 Clause 7.5 Require? The Six Core Controls Explained

Clause 7.5.3 is the operative clause. It requires that documented information be available and suitable for use where and when it's needed, and adequately protected against improper use, loss of confidentiality, or loss of integrity.

Those requirements break down into six specific controls.

Control 1: Document Approval Before Use

Every document must pass through a defined review and approval process before anyone uses it operationally. This means identifying:

  • Who reviews the document
  • The approval sequence (drafter → reviewer → approver)
  • How approval is evidenced — signatures, electronic approvals, or timestamped system records

An unapproved document in active circulation is a direct audit finding. There's no gray area here.

Control 2: Updating and Re-Approval After Changes

Documents must be reviewed on a regular basis or when triggered by specific events — and any changes require re-approval through the same workflow used for initial approval. Trigger events include:

  • Process changes or equipment upgrades
  • New or revised customer requirements
  • Regulatory updates
  • Corrective action outputs that change how a process operates

ISO 9001 doesn't mandate a fixed review frequency. What it requires is that a review is triggered when something changes that affects the document's accuracy.

Control 3: Change Identification

Every revised document must show what changed, who changed it, and when. Revision numbers, dates, and change logs are the standard mechanisms.

The ISO/IAF Auditing Practices Group specifically flags this for electronic systems — because digital files can be modified without a visible paper trail, auditors pay close attention to whether revision levels and change records are consistently maintained.

Control 4: Availability and Distribution at the Point of Use

The correct version of each document must reach the people who need it, where they need it — not just sit in a central folder somewhere. This is especially critical for multi-site organizations.

Version drift happens when one site is working from Revision 4 of a work instruction while another site is still using Revision 2. The result: inconsistent outputs and a clear audit finding. A cloud-based QMS intranet solves this directly — all locations pull from a single, centrally managed document set with permission-based controls, so version drift becomes a non-issue. Synergistic Systems includes this intranet in every client engagement, pre-configured for document control from day one.

Controls 5 & 6: External Documents and Obsolete Document Management

External documents (Control 5): Any document from a customer, supplier, or regulatory body that affects your operations must be identified, tracked, and kept current under the same controls as your internal documents. Customer engineering drawings, supplier specifications, and applicable standards all qualify.

Obsolete documents (Control 6): Outdated versions must be removed from active use or clearly marked to prevent accidental use. If retained for reference, they must be visibly identified as obsolete and stored separately from active documents. A satisfactory answer to the auditor's inevitable question on this — "How do people know they're not using an old version?" — requires a specific, demonstrable mechanism: a naming convention, a locked archive folder, or a system that simply won't surface superseded documents in search results.

Six ISO 9001 Clause 7.5 document control requirements checklist infographic

How to Build a Document Control Process in ISO 9001

Clause 7.5 sets the requirements but doesn't prescribe a specific format or system. Organizations design their own document control procedure suited to their size, complexity, and industry. That flexibility is intentional — but it demands upfront planning to avoid gaps that auditors will find.

Step 1: Identify and Classify Your Documents

Start by cataloguing everything that affects quality. Assign each item:

  • A unique document identifier
  • A document owner (responsible for keeping it current)
  • A format and category (procedure, work instruction, form, record)
  • A classification indicating whether it's maintained or retained

A master document register is the typical tool for this — though ISO 9001 doesn't mandate one, it's the practical way to demonstrate you know what you have and where it is.

Step 2: Define Review, Approval, and Version Control Workflows

Write a procedure that specifies:

  • Who approves which document types, and in what sequence
  • What evidence of approval is required
  • How revision numbers are assigned and what triggers a new revision
  • Where revision history is archived

This is where many organizations lose significant time building from scratch. Synergistic Systems addresses this directly: their modular documentation framework, refined across hundreds of implementations, gives organizations a ready-to-adapt version control structure rather than an empty template. The result is a faster path from design to deployment, with fewer structural gaps to close before audit.

Step 3: Establish Access Controls and Distribution Rules

Not everyone needs edit rights. Access should be role-based:

  • Operational personnel receive read-only access to documents relevant to their role
  • Document owners and designated authors hold edit rights for their assigned documents
  • Managers or quality leadership hold final approval authority before any revision goes live

When a document is revised, the updated version must reach all relevant personnel automatically — and old versions must be systematically removed or archived. Manual distribution via email is a notoriously unreliable method and one of the common failure points auditors probe.

Step 4: Set Retention Schedules and Disposition Procedures

Controlling access is only part of the equation. Records also need defined retention periods, determined by:

  • The type of record (training record, calibration record, inspection record)
  • Contractual obligations with customers
  • Applicable regulatory or industry requirements

ISO 9001 doesn't prescribe specific retention periods. Organizations determine them based on context. What the standard does require is that those periods are documented, consistently applied, and that disposition — whether archiving, deletion, or destruction — is traceable.

Common Document Control Mistakes That Cause Audit Failures

Even organizations with solid processes make predictable document control errors. These are the patterns auditors find most often.

Using Uncontrolled Tools as a Document System

Shared drives, email folders, and uncontrolled spreadsheets lack version control, approval workflows, and access restrictions. None of them can demonstrate the controlled conditions Clause 7.5 requires. A folder on a network drive where anyone can edit files is a document storage location, not a document control system.

The Obsolete Document Trap

A production team running from a superseded work instruction is one of the most cited nonconformances in ISO 9001 certification audits. The old version was never formally removed, nobody flagged it as obsolete, and operators used what was familiar. The fix isn't complicated — but it requires a consistent process for retiring documents when new versions are approved, not just publishing the new version and hoping people find it.

Treating Document Control as a One-Time Setup

Documents must be reviewed and updated as processes change, products evolve, or regulations shift. Organizations that build a document control procedure, get certified, and then let it run on autopilot accumulate compliance gaps between surveillance audits. Current certification status doesn't guarantee current documents. Both need active attention.

Getting the Volume Wrong in Both Directions

ISO 9001:2015 explicitly states that the extent of documented information depends on organization size, process complexity, and personnel competence. Getting the balance wrong in either direction creates audit exposure:

  • Over-documenting creates a maintenance burden and increases the likelihood of outdated content circulating
  • Under-documenting leaves gaps in objective evidence that auditors expect to see

Over-documenting versus under-documenting ISO 9001 audit risk comparison infographic

Neglecting External Documents

Organizations often control internal documents well but fail to apply the same discipline to documents received from customers, suppliers, or standards bodies. A customer drawing that's been superseded but is still in the production folder is the same problem as an outdated internal work instruction — and it's subject to the same Clause 7.5 requirements.

Frequently Asked Questions

What does ISO 9001 require for document control under Clause 7.5?

Clause 7.5 requires organizations to control all documented information necessary for their QMS — ensuring it is available, suitable for use, and adequately protected. This includes six specific controls covering approval, updating and re-approval, change identification, distribution, external document control, and prevention of accidental use of obsolete documents.

What is the difference between documents and records in ISO 9001?

Documents (maintained information) provide guidance and instructions and must be actively controlled, versioned, and updated. Records (retained information) serve as evidence that activities were completed and must be protected from alteration and kept for defined periods.

What are the six mandatory document control requirements in ISO 9001?

Clause 7.5.3 specifies six controls:

  • Approval of documents before use
  • Updating and re-approval after changes
  • Identification of what changed and when
  • Availability at the point of use
  • Control of external-origin documents
  • Prevention of unintended use of obsolete documents

Does ISO 9001:2015 require a quality manual?

No. ISO 9001:2015 removed the quality manual requirement that existed in earlier versions. Organizations must still maintain documented information for QMS scope, quality policy, and quality objectives — but the format is flexible and a formal quality manual is not required.

What happens to obsolete documents under ISO 9001?

Obsolete documents must be removed from active circulation or clearly marked to prevent accidental use. If retained for reference or audit trail purposes, they must be visibly identified as obsolete and stored separately from active, current-version documents.

How long should ISO 9001 records be retained?

ISO 9001 does not mandate specific retention periods. Organizations define retention timelines based on document type, contractual obligations, and applicable industry or regulatory requirements.