Document control is the system that keeps one approved, current version of each controlled document in the hands of the people doing the work, and pulls or marks the obsolete copies so no one follows them by mistake. It is the boring discipline that decides whether your written procedures are worth the paper, or the screen, they live on.
Every quality problem traced to "they were working to the old spec" is a document control failure. The point of the system is not a binder full of signatures. It is that the operator at the machine, the inspector at the bench, and the auditor in the conference room are all looking at the same version, and that when a document changes, the old one disappears from use. This guide covers what ISO 9001 actually requires, how paper and digital control differ, and how to build a system your team will follow.
What is document control in a QMS?
Document control is the set of rules that governs how controlled documents are created, approved, distributed, revised, and retired inside a quality management system. A controlled document is one whose version matters to quality: a work instruction, a specification, a standard operating procedure a control plan, an inspection method, a form. Control means that at any moment there is one authoritative version, its history is traceable, and everyone who needs it has it while no one is using a superseded copy.
It is easy to confuse document control with document storage. Storage is having the file. Control is knowing it is the right file, proving who approved it, and guaranteeing the last revision reached the floor. A shared drive full of PDFs is storage. It becomes control only when there is a single source of truth, a revision history, and a mechanism that removes old versions from circulation. That distinction is the whole discipline, and it runs through good QMS software as much as through a paper system.
What does ISO 9001 clause 7.5 require?
ISO 9001:2015 puts document control in clause 7.5, "Documented information," split into three parts. Clause 7.5.1 says the organization decides what documented information its QMS needs. Clause 7.5.2 covers creating and updating: each document needs suitable identification (title, date, author, reference number), a suitable format and medium, and appropriate review and approval before use. Clause 7.5.3 covers control: the information must be available where needed, protected, distributed with access managed, version-controlled, retained and disposed of on a schedule, and kept legible, with obsolete versions prevented from unintended use.
Two changes from the older standard trip people up. First, the 2015 revision merged the old separate ideas of "documents" and "records" into one term, documented information, so the same clause governs both a live procedure and a completed inspection log. Second, it dropped the previous requirement for six specific documented procedures and a formal quality manual. You still have to meet the outcomes of clause 7.5, but how you do it, paper, spreadsheet, or software, is your call. That freedom is real, but it is not an excuse to have no system; the outcomes still have to hold up when an auditor pulls a random work instruction and asks to see its approval and revision history.
The requirements above come straight from the standard:
- Document control lives in ISO 9001:2015 clause 7.5, "Documented information" covering general requirements (7.5.1), creating and updating (7.5.2), and control (7.5.3) (ISO 9001:2015, Quality management systems).
- Clause 7.5.2 requires review and approval for suitability before a document is used plus suitable identification and format.
- Clause 7.5.3 requires control of distribution, access, version, storage, retention, and disposition and requires that obsolete documented information be prevented from unintended use.
What information does a controlled document need?
A controlled document proves its own status on its face. The header or footer block is what separates a controlled copy from a stray printout, and it is the first thing an auditor reads. At minimum it carries a unique document number, a revision level, an effective date, the approver, and often a page-of-page count so no one works from a partial copy.
How do you set up document control?
A working system does not need to be complicated, but it does need every stage covered. Build it in this order and each controlled document inherits the same guarantees.
- Decide what is controlled. List the document types whose version affects quality. Not every file needs control; over-controlling drowns the real ones. Controlled means procedures, specs, work instructions, control plans, and forms.
- Define numbering and revision rules. Give every controlled document a unique ID and a revision scheme. Decide what triggers a new revision and how revisions are labeled, so history is unambiguous.
- Set review and approval. Name who reviews for technical correctness and who approves for release. Approval must happen before use, and the record of it must be retrievable, whether that is a signature, an email, or an electronic approval.
- Manage distribution and access. Decide who gets each document and how they get the current version. Restrict who can change it. In a digital system, point everyone to one link so there is nothing to redistribute.
- Control obsolete copies. On every revision, remove or mark the old version. Retain a read-only archive for traceability, but make it impossible to mistake for the live document. This is the step that fails most.
- Set retention and periodic review. Define how long each type is kept and schedule a periodic review so documents do not silently rot out of date while still marked current.
Paper versus digital: where does control break?
The hardest part of document control on paper is the obsolete copy. The moment a revision releases, every printed copy at every workstation is wrong, and someone has to physically walk the floor, pull them, and confirm the new one is posted. Miss one and an operator runs a superseded spec for weeks. Paper also makes approval slow and traceability manual: proving who approved revision C two years ago means finding a signed page in a binder.
Digital control solves the obsolete-copy problem by design, because there is one link to the current version and no printed copies to chase, but it introduces its own risks: uncontrolled local downloads, a shared drive with three folders that each claim to be current, and screenshots that outlive their revision. The fix in either medium is a single source of truth plus a live audit trail, so the current version is unambiguous and every approval and change is time-stamped. That is what strong QMS software provides, and it is why the record ties naturally into the same system that handles a non-conformance report or a CAPA so a corrective action that changes a procedure updates the controlled document in the same place.
How do you control documents from outside your company?
Some of the most important documents in your QMS are not yours. Customer drawings and specifications, industry standards, supplier certificates of analysis, and regulatory requirements all drive quality decisions, and clause 7.5.3 requires you to identify and control documented information of external origin the same way you control your own. The catch is that you do not own the revision, so control means knowing which external revision you are working to and having a way to learn when it changes.
In practice that means logging each external document with its source, its revision or date, and where it is used, then checking for updates on a schedule or through a customer portal. The failure mode is quiet and expensive: a customer releases a new drawing revision, your copy stays at the old revision, and you build hundreds of parts to a superseded print before anyone notices. Treat an external specification with the same rigor as an internal work instruction, because to the operator following it there is no difference, and a controlled register of external documents is often the first thing a customer auditor asks to see.
Why document control pays for itself
Document control looks like overhead until you price the failures it prevents. Working to an old spec produces scrap, rework, and returns, all of which land in your cost of quality. A missed obsolete copy is a classic audit finding that can threaten certification. And when tribal knowledge lives in someone's head instead of a controlled instruction, it walks out the door when they retire. A live, single-source system captures the current method, keeps its history, and makes the right version reachable from the floor, which is exactly the institutional record Harmony builds for manufacturers without a rip-and-replace of the systems they already run (see how CLS moved off paper logging).
Pair document control with a disciplined quality audit checklist and it stops being a scramble before the auditor arrives and becomes a standing state you can prove any day. When a controlled instruction is one click from where the work happens, and a new controlled instruction also feeds your dimensional inspection methods and gage procedures, the whole quality system runs off one version of the truth. See how connected quality records support it on our features overview.