
Document Control 101: How to Manage Controlled Documents in a QMS

2026-07-01

Document control sounds like paperwork bureaucracy — but get it wrong and you can be manufacturing to an outdated spec without knowing it. Here’s what ISO 9001 actually requires.

ISO 9001 clause 7.5 (documented information) covers how you create, control, distribute and retain the documents your quality management system depends on — procedures, work instructions, specifications, forms, and the records they generate. "Document control" is the discipline that ensures the version someone is using on the shop floor is the current, approved one — not a printed copy from eighteen months ago.

Controlled documents vs. records — what's the difference?

Both need control, but the control mechanisms differ: documents need a review/approval/revision cycle; records need retention, protection and retrievability.

What "controlled" actually means

A controlled document has an identifiable status at all times: who owns it, what revision it's on, when it was last reviewed, when it's next due for review, and who approved it. The moment a new revision is approved, the old one must be either withdrawn from use or clearly marked obsolete — the classic audit finding is a superseded procedure still taped to a workstation.

Uncontrolled copies: printed or exported copies are a real operational need (a laminated work instruction on the line), but they must be clearly marked "uncontrolled" or "printed copy — verify current revision before use," so nobody mistakes a snapshot for the live master.

The document lifecycle

  1. Draft — created or revised by the process owner, grounded in how the work actually happens (not written from a template and hoped to match reality).
  2. Review — checked by someone with the competence to judge technical accuracy, not just a formality signature.
  3. Approval — a named, authorized approver signs off before the document becomes effective. This is where a compliant electronic signature earns its keep — a tamper-evident record of who approved what, and when.
  4. Published / effective — the current controlled version, distributed to everyone who needs it, with the previous revision withdrawn.
  5. Periodic review — set a review frequency (annually is common for procedures) so documents don't silently drift out of date even without a triggering change.
  6. Controlled revision — back to draft when a change is needed, with the change history preserved.

Mapping documents to clauses and standards

Beyond version control, mature QMS documentation maps each controlled document to the standard(s) and clause(s) it satisfies — so when a standard changes, or an auditor asks "show me where you address clause X," you have a direct answer instead of a search.

Where document control usually breaks down

The fix isn't more policy — it's a system where the document, its revision history, its clause mapping and its approval signature live in one place, so "what's the current version" and "who approved it" are never a question that needs investigating.
