4.2.3 Document Control in ISO 9001:2008

By Scott Dawson
February 12, 2014

Keeping your QMS Current


A cornerstone of the quality management system (QMS) is the control of documents. While not a particularly glamorous activity, document control is an essential preventive measure ensuring that only approved, current documentation is used throughout the organization. Inadvertent use of out-of-date documents can have significant negative consequences on quality, costs and customer satisfaction.

Because of its importance, companies often invest heavily in dedicated staff, detailed procedures and specialized software programs to keep control of their QMS and other business documents. Auditors (internal and external) also pay particular attention to document control disciplines resulting in frequent audit nonconformances (it is commonly reported that document control generates the most nonconformances in and ISO9001 QMS). It behooves those responsible for managing their organization’s QMS to design a document control process that is simple to use, easy to monitor and effective to prevent the use of incorrect documentation.


Before reviewing the specific ISO9001 document control requirements, let’s briefly discuss essential design criteria for an effective document control process.

Less is often better than more.

While it may see obvious, it’s easier to control a smaller number of documents than a larger number of documents. Document control starts with document design. Encourage your document authors to be concise and make their documents multi-purpose when possible. An annual documentation review to spot redundancies, documents no longer needed, and opportunities to consolidate will help keep your QMS document set lean.

Navigation, hierarchy & structure

Developing a layered structure for your documents helps users find what they are looking for. An ISO9001 structure typically organizes itself into 4 levels:

Policy – the company’s position or intention for its operation

Procedure – responsibilities and processes for how the company operates to comply with its policies

Work Instruction – step-by-step instructions for a specific job or task

Forms and Records – recorded information demonstrating compliance with documented requirements

This logical arrangement clarifies the authority, scope and interrelationships of each document. Lower-level documents must agree with requirements of related higher-level documents. Higher-level documents generally reference lower-level documents for easy navigation.

The mixed blessing of cross-referencing

It is common for companies to add multiple references to related documents within the body of their documents. While this can help a reader quickly find additional information on a topic, the ability to maintain (update) all references to a document can be difficult. If you choose to use cross-references, be sure you have a way to comprehensively search for all instances of a specific document reference so they can be reviewed and updated if needed when a document is revised.

Alternatives to intra-document referencing might include:

Carefully designed document numbering systems

A document master list showing parent-child relationships between documents

The use of an electronic document management system that helps manage document interrelationships and provides for easy searching of document contents

Reviews & approvals

As a document is written, it is often helpful to solicit input from others before it is finalized. Circulating the document for review can include future users of the document, managers responsible for the activity, workers in areas affected by the activity and other interested individuals. Planning a “review cycle” into your document development procedure can help document authors improve the quality of the resulting documentation.

Document approvals are mandatory and must be kept as a record as well. When determining who should approve a particular document you must balance the desire for gaining buy-in and accountability by affected departments with the need for efficiency of the document control process. Often it is helpful to ask, “what value does each signature add to the document?” and limit approvals to those with direct knowledge or responsibility for the document.

Generally, the more signatures you require, the longer the approval process will take. An alternative to a long approval list would be to include more individuals in the review process, giving everyone a chance to comment on the document before it is released.


The ISO9001 standard includes specific document control requirements that will be subject to all internal and external audits (ref. 4.2.3).

Documents required by the quality management system shall be controlled.

This includes all policies, procedures, work instructions, forms, specifications, and other company documents affecting quality or customer satisfaction.

Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

A documented procedure Records often (though not exclusively) result from a form that is completed and filed. A separate ISO Explained article will cover the requirements of records in detail.

A documented procedure shall be established to define the controls needed

A document control procedure is one of six mandated procedures in the ISO 9001 standard ISO 9001 standard and it must include the company’s processes for the following requirements:

a) to approve documents for adequacy prior to issue,

Approval signatures must be recorded prior to the release and use of the document. Approvals may be in the form of a written signature or a password-protected electronic approval record. The date of all approvals must precede the document’s release date.

While not explicitly stated, this requirement also applies to temporary memos or postings that are used to communicate QMS or product-related requirements. Any temporary documents must be clearly identified, signed and dated. It is advisable to include an expiration date on temporary documents to ensure they are removed from use when intended.

b) to review and update as necessary and re-approve documents,

All documents must be reviewed periodically and updated and re-approved if needed. This review can be tied to a company’s internal audit process, management review or scheduled on some periodic (annual?) basis. A record of such reviews must be kept.

c) to ensure that changes and the current revision status of documents are identified,

When a document is updated, a record must be kept of the change (the reasons for and nature of the change). In addition, current revision status must be maintained. This includes the current development stage (draft, review, approval, etc.) and the date or revision level (number or letter) identifying the current version of the document.

d) to ensure that relevant versions of applicable documents are available at points of use,

The storage and access of documents must easily allow individuals to find the appropriate version of a document to use where needed. Note that older versions of a document that are still needed (e.g. specifications for an older product) may remain active if necessary, but the revision level must be made clear. You should consider where designated controlled locations of your documents will be established and whether short-term reference copies of controlled documents will be permitted. Typically, the easier it is for employees to access controlled copies when needed, the fewer times they will feel the need to use an uncontrolled copy of a document. Ensuring timely and convenient access to documents is frequently the source of high costs and repeated discrepancies.

e) to ensure that documents remain legible and readily identifiable,

The format and storage of your documents must protect a document from being rendered unreadable due to wear or damage and that every document can be clearly identified through a title, document number or other suitable identification.

f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and

Documents that do not originate within your organization, but are necessary for ensuring quality and meeting customer requirements must also be controlled. These can include customer, supplier or industry documents (including your copy of the ISO9001 standard). However, the extent of control is limited to clear identification and controlled distribution. A log or other record would suffice to track external documents.

g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

Out-of-date documents or older versions of revised documents must be protected from unintentional use. This usually requires segregation or disposal of obsolete documents. Any obsolete documents that are kept for reference or other purposes must be clearly identified through markings, separate storage areas, or other means.

Measuring Success

How can you measure the performance of your document control process? Here are some suggested metrics:

  1. User satisfaction – Periodically survey your employees regarding the usability of your documentation. Use the results to improve the format of your documents and training of your authors.
  2. Document errors – Track the number of document revisions due to information mistakes in your documentation. Results will often reveal weaknesses in your review and proofreading processes.
  3. Up-to-date – Count the number of document revisions or audit discrepancies stemming from a document that is out-of-date. This will tell you whether your periodic document reviews or obsolete document provisions are effective.
  4. Cycle time – Measure the time it takes a document to be developed or revised from initial draft to release. Work to improve the efficiency of your document control process as you would any other business process.
  5. Cost – Consider tracking the costs associated with your documentation including developing, revising, storing, retrieving, distributing, filing, auditing, reviewing, approving, etc. Of these potential costs, document retrieval is often an expensive hidden cost generated when individuals must search endlessly for a document because of inadequate indexing, organization, storage or training.

Results of the performance measures of your document control process can help you determine how to drive continual improvements into your entire QMS.

Related Articles:

What’s Really Required for a Small Company to Get ISO 9001 Certification?

What’s Really Required for a Small Company to Get ISO 9001 Certification?

ISO 9001 certification for small businesses can seem complex and difficult at first glance. But the standard’s ill-fitting reputation is simply a misunderstanding of the requirements of ISO 9001 compliance and certification. The practical use of a quality management system for small business simply uses what a company has already developed, documents it appropriately, and improves it if necessary.

ISO 9001 Clause 5.2 – The Quality Policy

ISO 9001 Clause 5.2 – The Quality Policy

Quality Policy Explained - 2023 Update ISO 9001 is a quality management system (QMS) standard. It helps you build a QMS that pushes your business toward continual improvement. And it all comes...

Smartlink Execution Complete Please note that the CORE Application window may have fallen behind this window and your Email client. Close this Message