← All posts

ISO 9001 Document Control: Requirements, Examples, and Common Pitfalls

Published 26 April 2026 · Last reviewed 10 May 2026

ISO 9001 document control trips up UK SMBs more than almost any other clause area. Not because Clause 7.5 is complicated — it's one of the shorter sections — but because poor document control creates a cascade of audit findings. If your auditor finds a procedure at version 2 while the quality manager has version 4, that's a nonconformity. If an operator follows an outdated work instruction, that's another.

This guide covers what Clause 7.5 requires, what "documented information" means, and the 4 pitfalls that generate the most nonconformities.

What "Documented Information" Means

ISO 9001:2015 replaced "documents" and "records" with one term: documented information. The distinction still matters:

  • Maintained = documents (procedures, policies, work instructions). Living documents that get updated.
  • Retained = records (completed forms, inspection results, training records). Evidence that something happened. Once created, they don't change.

The standard mandates documented information for specific items: QMS scope (Clause 4.3), quality policy (Clause 5.2), quality objectives (Clause 6.2), competence evidence (Clause 7.2), monitoring results (Clause 9.1.1), internal audit records (Clause 9.2), management review results (Clause 9.3), and nonconformity records (Clause 10.2). Beyond these, you document whatever your business needs to operate consistently. Your quality manual ties this all together — it's the top-level document that references every procedure and work instruction below it.

What Clause 7.5 Requires

7.5.2 — Creating and updating. Ensure appropriate identification (title, date, reference number), format, and review/approval for suitability.

7.5.3 — Control. Documented information must be available where needed, protected against loss or improper use, and controlled for distribution, access, version changes, retention, and disposition.

In practice, every QMS document needs: a unique identifier, version number and date, author and approver, defined distribution, and (for records) a retention period.

Document Control in Practice

You don't need specialist software. A shared drive (SharePoint, Google Drive, or a local server) plus a master document list works for most SMBs with 10–50 employees.

The master document list is your single source of truth — a register listing every controlled document with its ID, title, version, date, author, approver, location, and next review date. When an auditor asks "how do you know this is current?", you point here.

Version control: Use whole numbers for approved versions (1.0, 2.0, 3.0) and decimals for drafts. When a document changes: update content, increment the version, record what changed, get approval, update the master list, and replace the old version. Old versions go into a "superseded" folder or get deleted — the point is nobody accidentally uses them.

Distribution: For most SMBs, this means read-only access on a shared drive. If you use printed copies — common in workshops and on construction sites — maintain a controlled copy list recording which copies exist, where, and who swaps them when updates are issued.

The 4 Biggest ISO 9001 Document Control Pitfalls

Pitfall 1: Obsolete Documents Still in Circulation

This is the number-one finding at Stage 2 audits. A work instruction was updated, but the old version is still pinned to the workshop wall or saved in a forgotten subfolder.

Example: A fabrication company updated its welding procedure to require pre-heat treatment after a customer complaint about weld cracking. Version 4 was saved on the server — but version 3 (without the pre-heat requirement) was still in the workshop folder welders actually used. The auditor found the discrepancy and raised a major nonconformity. Corrective action took 3 weeks, including re-inspection of all welds completed since the change.

Fix: When you issue a new version, physically remove every instance of the old one. Check printed copies, desktop shortcuts, email attachments, and shared drive subfolders.

Pitfall 2: No Review Schedule

Clause 7.5 doesn't specify review frequency, but "never" isn't acceptable. A quality policy dated 2019 with no review record is a red flag.

Fix: Set an annual review cycle. Mark review dates on the master list. At each review, the document owner confirms accuracy and either updates or records "reviewed, no changes required" with a new date.

Pitfall 3: Records Without Retention Periods

How long do you keep training records? Inspection reports? Calibration certificates? Some periods are legally defined: HMRC requires financial records for at least 6 years. The Limitation Act 1980 suggests 6 years for contractual records (12 for deeds). UK GDPR requires that personal data isn't kept longer than necessary.

Fix: Add a retention period to your master list or create a separate schedule. For each record type, state how long it's kept and what happens at expiry (archived, deleted, destroyed).

Pitfall 4: Over-Controlling Everything

Not everything needs to be a controlled document. Meeting notes, informal emails, and project sketches don't need version numbers and approval signatures.

The test: If someone using the wrong version could affect product or service quality, control it. If it's a reference or a note, don't.

Example: A consultancy created controlled documents for everything — including social event planning notes and the Wi-Fi password sheet. Their master list had 280 entries. The quality manager spent 2 hours per week on the review cycle alone. Staff stopped updating documents. The auditor found 35 documents past their review date.

Fix: A 20-person company should have 15–30 controlled documents, not 200. Apply document control only to documents that affect QMS performance.

If you're preparing for certification, our ISO 9001 readiness quiz covers Clause 7.5 requirements and highlights specific gaps.

ISO 9001 Document Control Checklist

Before your audit, verify:

  • Master document list exists and is current
  • Every controlled document has a unique ID, version, date, author, and approver
  • No obsolete versions exist in any location (digital or physical)
  • Printed copies are listed and tracked
  • Every document has a review date, and none are overdue
  • Records have defined retention periods
  • Access is restricted to prevent unauthorised changes
  • Staff know where to find current versions of their procedures
  • Change history is recorded for each document
  • Only documents affecting QMS performance are under formal control

If you're not sure whether your documentation is proportionate, the gap analysis checklist covers Clause 7.5 alongside every other clause — it helps you identify what's missing without over-documenting.

This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.

ClauseWise is coming soon

Generate your ISO 9001 and ISO 27001 documentation without consultant fees.

Related articles

ISO 27001 Mandatory Documents: The Complete List for CertificationISO 27001 Statement of Applicability: A Plain-English GuideISO 9001 Work Instruction Template: How to Write Instructions That Actually Get Used