Document control procedures 4.2.3 and 4.2.4

The document control procedure (4.2.3) and record control procedure (4.2.4) are usually the first of the six mandatory procedures to be initiated when implementing an ISO 9001:2008 quality management system.

A robust document control process invariably lies at the heart of any compliant quality management system because almost every aspect of auditing and compliance verification is determined through the scrutiny of documented evidence. With this in mind, it becomes apparent that the ongoing maintenance of an efficient document management system must not be overlooked. 

Difference between Documents and Records

What does ISO 9000:2005 tell us about the difference between documents and records? Why should it matter?

The standard tells us that documents are considered as being information (e.g. specifications or procedures) and its supporting medium (e.g. paper or electronic). The standard implies that over time these documents will evolve as new information supersedes old and that change must be managed. Documents are active and dynamic.

Records, on the other hand, are more static since they are historical in nature. They are the documents that state the results of activities undertaken in accordance with the product realization, measurement, analysis and improvement processes (e.g. calibration logs and non-conformance or corrective action reports). They also provide evidence that an activity was performed in the manner specified (e.g. inspection records).


Requirements for Controlling Documents and Records

What does ISO 9001:2008 tell us about ensuring compliance with the principal requirements of document control procedures?

Clause 4.2.3 tells us that an organisation must control the documentation required by the quality management system and that a suitable document control procedure must be implemented to define the controls needed to; approve, review, update, identify changes, identify revision status and provide access. The document control procedure must clearly define the scope, purpose, method and responsibilities required to implement these parameters.

ISO 9001:2008 does not define how an organisation should format its documentation, since most organisations maintain a consistent corporate image, it is expected that any corporate format will suffice.    

Similarly; Clause 4.2.4 demands that an organisation must implement a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records and that these records must remain legible and identifiable throughout their retention period.

It is acceptable to combine the control of records procedure with the document control procedure but care should be taken not to obscure the differences between records and documents.

What’s so important about Records?

Records are an important organisational asset; they provide the primary route for evidence based verification and traceability, and are able to demonstrate compliance with customer requirements. Records also prove the efficacy of the quality management system.

Delivery of such records to a client is often a contractual and legal requirement. In certain industries, such as civil engineering, assurance records become a fundamental point of reference when determining compliance with the intended design as well as helping to satisfy the requirements prescribed by building control authorities and the health and safety executive. These records are demonstrative of a contractor’s duty of care and that the end product is fit for purpose.

The Document Control Function

The document control function is an administrative management activity and operates on the frontline by ensuring compliance with Clause 4.2 and the associated document control procedures and record control procedures. Generally, the document control function should have a direct report to the Quality Representative.


Remember; keep it simple and allow the process owners to write or revise the documents they need. Use the document control function to apply formatting and revision changes as well as distribution and retention. It is best to interpret the requirements as they apply to your company; there is no hard and fast method.