Think about how many documents you and your employees work with, every single day. Documents are an essential part of running a business and contain the entire know-how of a company. The foundation of high-quality documents and efficient business processes lies in the way you manage documents. That’s why effective document control is a must.

Document control — or, to use the definition in ISO 9001:2015, ‘control over documented information’ — is one of the basic principles of quality management. It refers to the organization of every aspect of a document throughout its entire life cycle, from creation to archiving.

Documents and records: What’s the difference?

Documents contain requirements and instructions. They describe how things are done — like policies, work instructions, operating manuals, concepts and more.

The thing about documents is that they can be modified and so there can be multiple versions of a document that exist. Say for example, you change some steps of a particular workflow, you will also have to modify the corresponding process description, i.e. update the document.

This is not the case with records: Once created, they do not change. Records provide evidence of events, actions and outcomes. In audits, for instance, records document the procedure and outcome in the form of an audit report. In a meeting, the minutes provide a record of the meeting's contents.

In many cases, records take the form of filled-out templates which, in turn, started life as documents. For example, in an audit you might use a pre-prepared questionnaire. In and of itself, the questionnaire is a mutable document.

You can change it and add or remove questions at any time. However, once you fill out the questionnaire template as part of conducting and documenting an audit, it becomes a record. It is no longer mutable, since it provides evidence of a specific outcome — namely that of your audit.

The ISO 9001 standard does not distinguish between the two. It subsumes all documents and records under the term ‘documented information.’ However, it’s worth noting that the international standard for medical devices, ISO 13485, continues to separate the two terms.

The document control process covers seven steps:

1. Creation of the documented information
2. Review and approval of the documents, records and forms
3. Inclusion of the documents in a list of documented information, for example in a document management system (DMS)
4. Revisions and updates to the documents
5. Release
6. Archiving
7. Destruction (you are required to ensure compliance with the applicable retention periods.)

Create, update, validate, copy, disseminate, archive and delete — document control means you keep your documents properly organized throughout their life cycle. The primary purpose here is to ensure that all of your important company information is always reliably documented and stored.

Key aspects include:

• Information is quick and easy to find. This requires you to store your information in uniquely identifiable documents, with the current version always clearly identifiable.
• Information is always available. To work efficiently and productively, your employees must be able to access all the documents they need for their daily tasks.
• Information is protected against manipulation and deletion. This is important for several reasons, not least to stop just anyone within your company accessing and modifying work instructions. It requires a system of seamless documentation and audit-proof archiving, so you can always see who created or modified which document and when, and lock documents to prevent retrospective changes.

The ISO 9001 standard places an emphasis on customer satisfaction. Customers directly benefit from the rapid availability of information. If a customer approaches with a question about a product, it’s much simpler when the colleague in service can quickly provide the relevant operating instructions with minimal effort.

The ISO 9001:2015 international standard for quality management systems defines which documents and records must be controlled along with the applicable requirements.

1. Relevant documents

While ISO 9001 does not specify exactly which document types are subject to control, in principle the requirements for document control apply to all documents classed as important. Important documents within the meaning of the standard include process descriptions, standard operating procedures, work instructions, forms, reports and documentary evidence such as records of audits, meetings and management reviews.

2. Appropriate documentation

Information must always be documented appropriately, legibly and with unique identification. This means that you must choose a suitable format (e.g. image or text) and medium (e.g. paper or digital document) whenever you create or update documents. You must also clearly label all documents with details such as the title, date and author.

3. Information availability

You need to ensure the constant availability of all relevant information to your employees to use as and when they need it.

4. Document protection

Documents must be suitably protected. Key points here include:

• Safeguarding confidentiality
• Ensuring information integrity
• Safeguarding appropriate use
• Preventing accidental changes

5. Review

ISO 9001 requires you to evaluate, assess and approve documented information prior to publication or following an update.

6. Seamless documentation

Document control requires full transparency at all stages of the document’s life cycle. To help you, essential points to consider include:

• Change log: Documenting all changes ensures you can always see at a glance who changed what and when.
• Versioning: You can always see which is the most current version of a document.
• Defined release processes: Defined processes ensure the smooth release and cataloging of your documents.
• Archiving: Store all of your documents in line with legal requirements in an audit-proof digital archive.

The ISO standards do not specify who is authorized to create or publish documents. Neither do they prescribe a mandatory time frame for validating documents. Nonetheless, a company should define these aspects internally as part of proper document control.

Ideally, you will define the entire workflow, mapping out the life cycle of documents in your company, specifying the storage location and the individuals who are responsible for or authorized to create, review and release which documents.

Document control forms part of the broader scope of document management and can be best implemented using a document management system.

Having a DMS solution can transform the way you manage your documents: 

• You benefit from a digital, paper-free solution.
• You can transparently control even large volumes of documents.
• You save resources such as paper but especially time and money.
• You can define customized workflows and use the power of AI to automate functions such as your release processes.
• You ensure complete versioning with changes apparent directly on the document itself.
• You control your documents seamlessly across different systems courtesy of diverse interfaces.

DMS helps you to digitize your documents and records over their entire life cycle and fulfill the document control requirements in ISO 9001.