ISO 9001 clause 7.5 (documented information) covers how you create, control, distribute and retain the documents your quality management system depends on — procedures, work instructions, specifications, forms, and the records they generate. "Document control" is the discipline that ensures the version someone is using on the shop floor is the current, approved one — not a printed copy from eighteen months ago.
Controlled documents vs. records — what's the difference?
- Documents (procedures, work instructions, specifications) describe how you do something. They change over time and need version control.
- Records (inspection results, training logs, completed forms) are evidence that something happened. They don't change once created — they're retained, not revised.
Both need control, but the control mechanisms differ: documents need a review/approval/revision cycle; records need retention, protection and retrievability.
What "controlled" actually means
A controlled document has an identifiable status at all times: who owns it, what revision it's on, when it was last reviewed, when it's next due for review, and who approved it. The moment a new revision is approved, the old one must be either withdrawn from use or clearly marked obsolete — the classic audit finding is a superseded procedure still taped to a workstation.
Uncontrolled copies: printed or exported copies are a real operational need (a laminated work instruction on the line), but they must be clearly marked "uncontrolled" or "printed copy — verify current revision before use," so nobody mistakes a snapshot for the live master.
The document lifecycle
- Draft — created or revised by the process owner, grounded in how the work actually happens (not written from a template and hoped to match reality).
- Review — checked by someone with the competence to judge technical accuracy, not signed off as a formality.
- Approval — a named, authorized approver signs off before the document becomes effective. This is where a compliant electronic signature earns its keep — a tamper-evident record of who approved what, and when.
- Published / effective — the current controlled version, distributed to everyone who needs it, with the previous revision withdrawn.
- Periodic review — set a review frequency (annually is common for procedures) so documents don't silently drift out of date even without a triggering change.
- Controlled revision — back to draft when a change is needed, with the change history preserved.
Mapping documents to clauses and standards
Beyond version control, mature QMS documentation maps each controlled document to the standard(s) and clause(s) it satisfies — so when a standard changes, or an auditor asks "show me where you address clause X," you have a direct answer instead of a search.
Where document control usually breaks down
- Shadow copies — a document lives on a shared drive, in someone's email, and printed on the wall, and all three are different revisions.
- No review trigger — a process changes, but the document describing it doesn't, because nothing forces a review.
- Approval without accountability — a status flip to "Approved" with no record of who actually reviewed the content or why.
The fix isn't more policy — it's a system where the document, its revision history, its clause mapping and its approval signature live in one place, so "what's the current version" and "who approved it" are never a question that needs investigating.