Document Control requirements in ISO 9001:2015; what you need to know

Document control requirements ISO 9001:2015

Document control is a key part of any Quality Management System (QMS) and, therefore, a requirement of ISO 9001:2015. This blog post explores this requirement and how it can be implemented in an efficient and scalable way in your organisation.

What is Document Control in ISO 9001:2015?

ISO 9001:2015 mandates ‘control over documented information’ to guarantee the right people have access to a QMS where and when they need it - and to ensure that no unauthorised or unrecorded changes can be made to its required contents.

ISO 9001:2015, states the following:

“Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

  1. it is available and suitable for use, where and when it is needed;
  2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).”

While there are many myths about the standard, IS0 9001 aims to consistently apply standards throughout an organisation by requiring controls over the accessibility and distribution of information contained within a QMS.

These document control provisions aim to ensure a QMS is always a reliable means by which a company can define and share the details of their processes and best practice internally, as well as with external auditors when required.

11 myths about ISO 9001 - busted! 

The extent of QMS requirements in ISO 9001: 2015

When it comes to implementing a QMS solution, however, it’s worth noting that ISO 9001: 2015 also states:

“A QMS should maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned.

And its guidelines further point out:

“the extent of the QMS documented information can differ from one organisation to another due to :

  • the size of organisation and its type of activities, processes, products and services;
  • the complexity of processes and their interactions;
  • the competence of persons.”

But document control is still mandated

So, while having document controls in place (as outlined in Section 7.5.3) is still a vital and mandatory part of your ISO 9001:2015 obligations, the exact way those controls need to be implemented is unspecified. This can be commensurate with the size and scale of your operations - added to the complexity of the tasks your business needs to perform.

For some start-ups and SMEs, therefore, using a ‘heavy weight’ digital eQMS (one designed for a company with thousands of employees and a mature and complex product suite) may make daily operations far more complex than they need to be. At the same time, using a paper-based solution, or trying to structure a QMS using Windows File Server, Dropbox or Google Drive may prove inadequate to achieve the required levels of document control within a business.

Having an ISO certification will give your organisation a competitive edge. But, what are the ‘controls of documented information” required by the standard, and is your current QMS sufficient?

A closer look at Document Control for ISO 9001

Does your document control do the following? ISO 9001:2015 says it should

1. Can you approve documents for adequacy prior to issue?

Does your Quality Management System have a procedure for approving the documents contained in it and ensuring they are correct and adequate prior to issue (i.e. they serve the purpose for which they were designed)? Is approval by certain key stakeholders mandated before issue? Can you create workflows that guarantee the right people have seen and approved a document prior to release?

2. Can you identify the changes and control current document revision status?

Does your QMS track the changes made to quality documentation and record a version history of the document for auditing purposes?

3. Can you make relevant documents available at points of use?

Is your Quality Management System and the documents that comprise it accessible to your employees? Can your employees (and third party suppliers) who need to adhere to its principles and procedures access it when and how they need to?

4. Can you ensure the documents remain legible and readily identifiable?

Is your Quality Management system clearly presented, labelled and easily searchable? The requirement for legibility and searchability will be more easily adhered to if you use a digital, rather than a paper based QMS format.

5. Can you identify external documents and control their distribution?

If standards, instruction manuals and other operational information necessary to your quality processes are contained within external documentation, they should be accessible and controlled within your QMS. These documents should be labelled, dated and subject to the same approval and publication processes as the ones you author internally.

6. Can you prevent obsolete documents from unintended use?

Controls within a QMS should ensure that documents that have been superseded (previous drafts and iterations of quality documentation) are clearly labelled as such. A good QMS should show the difference between ‘issues’ and ‘drafts’ of documentation.

7. Can you apply suitable identification if obsolete documents are retained?

The document controls you embrace should ensure that version histories are labelled as such, with steps taken to ensure they cannot be mistaken for current issues. This might include automatic renaming or digital watermarking of obsolete documentation.


ISO 9001: 2015 clearly requires a QMS to have robust document controls. However, it is mindful that different types and sizes of organisation have distinct needs and resources available to them, but still need to be compliant.

There is scope to meet the demands of the standard by deploying more flexible and lightweight digital solutions than the kind of eQMS typically used by larger corporate entities.

In a world of smaller, more agile, digital business bringing extra value and innovation to a global market place, ISO 9001 allows companies to develop QMS solutions that help them focus on quality outcomes rather than prescribing particular quality processes and procedures that may inhibit their commercial flexibility.

The careful selection of a digital QMS powered by a process-driven intranet, can help a business achieve these standards in a scalable way, through better document control.

This, in turn, can lead to fewer operational errors, greater efficiencies and a company-wide focus on continual quality improvement.

Editor’s note: This post was originally published in 2019 and has been revamped and updated for accuracy and comprehensiveness. 

Value of DMS for Product Development

Tags: ISO 9001

Joe Byrne

Written by Joe Byrne

Joe Byrne is a process and quality expert who has spent his career in leadership positions in Medical Device and High Tech product development companies. He was originally a customer of Cognidox and then took over as CEO in 2017.