Document Control requirements in ISO 9001:2015; what you need to know

iso certification

Document control is a key part of any Quality Management System (QMS) and, therefore, a requirement of ISO 9001:2015. This blog post explores what the standard says and how controls can be imposed in the most efficient way for a scaling business.

What is document control in ISO 9001?

ISO 9001:2015 mandates 'control over documented information' to ensure the quality of your end products.  The standard requires document access and change control procedures to be in place to protect the integrity of the data you use to build products that can meet customer expectations.

What is the purpose of a document control procedure?

As it says in

“Documented information required by the quality management system and by this International Standard shall be controlled to ensure:
  1. it is available and suitable for use, where and when it is needed;
  2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).”

Download the FREE guide: Document management for high tech product developers

What are the 6 mandatory document controls in ISO 9001?

To this end ISO 9001:2015 defines six mandatory components needed for your document control procedure:

1. Document Approval

You must have a set process in place for how you approve new documents (such as procedures) before they are introduced. This approach ensures consistency and that every document is properly approved by relevant people, with a full audit trail, prior to use. You need to outline who will review it, the order of review, and who has approval rights. Ensure that you can evidence this, and use a document management system that automates the process as much as possible – such as by setting rules for who has to review specific documents, based on their content, deadlines for approval, and workflows around the order of reviewers.

2. Document updating and reapproval of amended documents

It is vital that you review documents regularly to make sure they are up-to-date, suitable, and still reflect your practices and current legislation. If how you operate has changed or is changing, you clearly then need to update relevant documents and go through the approval cycle again.

Again, using the right document management system can make this process seamless and easily auditable. Look for one that can automatically flag documents that require review (such as after a set period of time from approval), sends them to reviewers by email and then collates the updates, ready for re-approval. The document history should record all the staff involved in the document development including the timeline.

3. Identify changes

Simply retaining the final version of a document removes the audit trail around its creation and any changes that are made. The ISO 9001 standard, therefore, specifies that you need to be able to easily identify changes to documents, including who made them and when they were made. This can be achieved by adopting a specified numbering or date system for drafts of the same document, or by using different colours or fonts within the document itself. Back this up with an external record of the document history, stored in a spreadsheet, to make the change audit trail easy to follow.

4. Make documents available where they are needed

Document control is all about transferring documents to those that need them, in a clear, auditable way. This includes notifying relevant people (such as reviewers) of any changes – a process that your document management system should be able to assist with. Also look for a system that creates an online backup of Master documents and delivers transparent document ownership, to ensure that it is clear who is responsible for each one.

5. Control documents of external origin

Most organisations are likely to rely on some documents created, supplied, or updated by external partners – it is vital that document control is extended to cover these as well as homegrown ones. The best way to achieve this is through a document management system that offers a variety of user rights from admin to general user. This ensures accountability and puts limitations on external partner access, whether these are customers or suppliers. Documents can be accessed through an extranet which is restricted to external users whilst at the same time managing rights and permissions for in-house user access.

6. Prevent inadvertent use of obsolete documents

Staff accidentally using obsolete documents can be a major compliance issue, but removing old documents completely leaves gaps in audit trails. Equally, some documents may move from being obsolete to being current again if circumstances change. Therefore implement a system that allows you to mark documents as obsolete, and hides these from normal users so that only the latest, approved version is available to them. You can keep older versions and make those available to selected users, providing a visual indication (such as a line through the title), that makes it clear that they should no longer be used. Also include the ability to change document status from obsolete to current as required, avoiding the need to start the whole approval process again.

Ready to take control? Download our Document Control guide for semiconductor  companies

The extent of QMS requirements in ISO 9001: 2015

When it comes to implementing a QMS solution, however, it’s worth noting that ISO 9001: 2015 also states:

“A QMS should maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned.

And its guidelines further point out:

“the extent of the QMS documented information can differ from one organisation to another due to:

  • the size of organisation and its type of activities, processes, products, and services;
  • the complexity of processes and their interactions;
  • the competence of persons.”

But document control is still mandated

So, while having document controls in place (as outlined in Section 7.5.3) is still a vital and mandatory part of your ISO 9001:2015 obligations, the exact way those controls need to be implemented is unspecified. They can be scaled to the size of your operations and the complexity of the tasks your business needs to perform. 

For some SMEs, therefore, using a ‘heavy weight’ digital eQMS (one designed for a company with thousands of employees and a mature and complex product suite) may make daily operations far more complex than they need to be. 

But at the same time, using a paper-based solution, or trying to structure a QMS using Windows File Server, Dropbox or Google Drive will likely not meet the control.


ISO 9001: 2015 clearly requires a QMS to have robust document controls. However, it is mindful that different types and sizes of organisation have distinct needs and resources available to them, but still need to be compliant.

There is scope to meet the demands of the standard by deploying more flexible and lightweight digital solutions than the kind of eQMS typically used by larger corporate entities.

In a world of smaller, more agile, digital business bringing extra value and innovation to a global marketplace, ISO 9001 allows companies to develop QMS solutions that help them focus on quality outcomes rather than prescribing particular quality processes and procedures that may inhibit their commercial flexibility.

The careful selection of a digital QMS powered by a process-driven intranet, can help a business achieve these standards in a scalable way, through better document control.

This, in turn, can lead to fewer operational errors, greater efficiencies, and a company-wide focus on continual quality improvement.

New call-to-action

Last updated on 21/02/2023

Tags: ISO 9001:2015

Joe Byrne

Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.

Related Posts

What is a document control system and why is it important?

What does it mean to 'control documents'? And who needs a formal document control system to manage ...

8 tips for documenting your SOPs (Standard Operating Procedures)

There are many reasons why organisations need to document their SOPs. From ensuring uniformity in ...

Should you use Microsoft software to build your own digital QMS?

SMEs creating a digital Quality Management System (QMS) will often reach for the most familiar ...