Guides
How to write a document control procedure (with a free template)
A document control procedure is the written rulebook for how your organisation creates, names, reviews, approves, distributes, and retires its controlled documents. Get it right and anyone can tell at a glance which version is current and who signed it off; get it wrong and you are back to guessing between Invoice_FINAL_v7.xlsx and its four near-identical siblings.
This guide walks through what the procedure needs to cover, what ISO 9001:2015 expects of it, and how to write yours in seven steps. At the end you will find a complete, copy-paste template you can adapt today — no email gate, no download form. If you are still mapping the basics, start with what document control actually is, then come back here to write the procedure that runs it.
What is a document control procedure?
A document control procedure is a short, formal document that defines how controlled documents are handled across their whole life — from creation and approval through updates and eventual retirement. It converts informal habits, like renaming files or emailing revisions around, into one repeatable process that everyone follows.
The point is not bureaucracy for its own sake. The procedure exists so that three questions always have a clear answer: which version is current, who approved it, and who is allowed to change it. A document that anyone can quietly overwrite isn't controlled — it's just stored. The procedure is what turns storage into control.
What ISO 9001 expects
ISO 9001:2015 handles document control under clause 7.5, "documented information" — the term the standard uses in place of the older "documents and records." The standard does not prescribe a specific tool or format; instead it sets out what the control has to achieve.
In factual terms, clause 7.5 expects documented information to be:
- ·Identified and described — with a title, date, author or reference, so each document is unambiguously distinguishable.
- ·Reviewed and approved for suitability and adequacy before it is issued or used.
- ·Version-controlled — with changes and the current revision status clearly identifiable.
- ·Available and suitable where and when it is needed by the people who rely on it.
- ·Protected from unintended alteration, loss of integrity, or loss of confidentiality.
- ·Retained as evidence where the information proves something happened — kept legible and retrievable for as long as the organisation says it should be.
A document control procedure is how most organisations show, in one place, that they meet these expectations. Writing the procedure well is therefore the fastest route to a clean audit finding on 7.5. (PaperTight is a workflow tool, not a certification body — meeting ISO 9001 is about your organisation's process, not any single product.)
How to write yours in 7 steps
Work through these seven decisions in order. Each one becomes a numbered section of the finished procedure, so by the time you reach step seven you have written the document itself.
1. Define the scope.
State exactly which documents the procedure covers and which it does not. Name the categories — policies, work instructions, forms, external documents, client-facing records — and note any deliberate exclusions such as personal drafts or marketing collateral. A tight scope is what keeps the procedure enforceable.
2. Assign responsibilities.
Decide who owns each activity: who may create a document, who reviews it, who has authority to approve it, and who maintains the master list. Write these as roles, not names, so the procedure survives staff changes. A one-line responsibility matrix here prevents the most common audit gap — approval by someone with no authority to approve.
3. Set naming and versioning rules.
Define a document numbering convention and a version scheme, and apply them without exception. Decide when a change bumps the version (any approved change) versus a minor edit, and whether drafts and approved revisions use different markers. This is the rule that kills the FINAL_v7 problem at the source.
4. Define the review and approval flow.
Specify the path a document takes from draft to approved: who reviews, who approves, and what "approved" evidence looks like. Make it explicit that no document is in force until it has cleared this flow — an unapproved document has no more authority than a sticky note.
5. Set distribution and access rules.
State where approved documents live, how people get the current version, and who is allowed to read or edit each category. The goal is that the right people can always reach the current document, and no one can quietly alter it. If people keep private copies, name that as a risk and rule it out.
6. Handle obsolete documents.
Define what happens when a document is superseded or withdrawn: how the old version is removed from circulation, whether a copy is retained for the record, and how it is marked so no one uses it by mistake. Uncontrolled obsolete copies are a leading cause of costly errors, so this step earns its place.
7. Set the review cadence and audit evidence.
Decide how often the procedure and its controlled documents are reviewed (an annual cadence is common) and what evidence you keep to prove control is working — approval records, a maintained document register, and a revision history. This is what you hand an auditor, so decide it deliberately rather than reconstructing it later. For a deeper checklist, see our guide to running a document control audit.
Free document control procedure template
Here is a complete skeleton you can copy straight into your own document and adapt. Replace the bracketed placeholders with your own roles, systems, and cadences. The structure follows the seven steps above and lines up with what ISO 9001:2015 clause 7.5 expects.
Document Control Procedure
Document no. [QP-001] · Version [1.0] · Owner [Quality Manager]
1. Purpose
This procedure defines how [Organisation Name] controls documented information so that current, approved versions are available where needed and obsolete versions are removed from use.
2. Scope
This procedure applies to all controlled documents used by [Organisation Name], including [policies, procedures, work instructions, forms, and external documents]. It excludes [personal drafts and uncontrolled reference copies].
3. Definitions
Controlled document — a document whose creation, approval, and revision are governed by this procedure.Obsolete document — a superseded or withdrawn version no longer authorised for use.Master list / register — the record identifying every controlled document and its current version.
4. Responsibilities
- · Document owner — drafts and maintains the document.
- · Reviewer — checks the document for accuracy and adequacy.
- · Approver — [role] authorises the document for use.
- · Document controller — maintains the register and manages distribution.
5. Procedure
5.1 Identification & numbering. Each document is assigned a unique number in the format [PREFIX-NNN] and carries a title, owner, version, and date.
5.2 Versioning. Draft versions are numbered [0.x]; approved versions [1.0, 2.0, …]. Any approved change increments the version. The register always shows the current version.
5.3 Review & approval. Before use, each document is reviewed by [reviewer role] and approved by [approver role]. Approval is recorded [in the document control system / on the approval record]. No document is in force until approved.
5.4 Distribution & access. Approved documents are stored in [system / location]. Users access the current version from that single source. Edit rights are limited to [roles]; all other users have read-only access.
5.5 Obsolete documents. When a document is superseded, the previous version is withdrawn from active use and marked [Obsolete]. One copy is retained for the record for [retention period].
6. Records
This procedure produces the following records: the document register, approval records, and revision histories. Records are retained for [retention period] and kept legible and retrievable.
7. Revision history
- · v1.0 — [Date] — Initial issue — Approved by [role].
- · v[x.0] — [Date] — [Summary of change] — Approved by [role].
Putting the procedure into practice
A written procedure sets the rules; the hard part is enforcing them every day. Paper and shared drives rely on discipline — someone has to remember to bump the version, chase the approval, and pull the obsolete copy. When that discipline slips, so does control.
This is the gap a document-control tool is built to close. PaperTight keeps your Excel, Word, and PDF files exactly as they are and adds the control layer your procedure describes:
- ·Version control per document slot, so "current" is a fact the system holds, not a filename convention people have to remember.
- ·An approval workflow — Approve, Reject, or request revision with a comment — so nothing counts as in force until the right person signs off.
- ·An Activity Log that records who did what and when, giving you the audit trail your review cadence needs without reconstructing it by hand.
In other words, the tool enforces steps three through seven of your procedure automatically. See how the control layer wraps your existing files on the product overview, or walk the workflow screen by screen on the guided tour.
Turn the procedure into practice.
See versioning, approvals, and an audit trail enforced on the files you already use.
Questions & answers
How do you write a document control procedure?+
Write a document control procedure in seven steps: define its scope (which documents it covers), assign responsibilities (who owns, reviews, and approves), set naming and versioning rules, define the review and approval flow, set distribution and access rules, decide how obsolete documents are removed, and set a review cadence with the audit evidence you will keep. Capture each of those as a numbered section in a single short document, then have it reviewed and approved before it takes effect.
What should a document control procedure include?+
A complete document control procedure includes a purpose, a scope, definitions of key terms, a responsibilities matrix, and the core procedure itself — covering document identification and numbering, version control, the review-and-approval flow, distribution and access, and how obsolete documents are handled. It should also list the records the process produces (approval evidence, revision history) and carry its own revision history table so the procedure is controlled the same way it asks other documents to be.
What is a document control procedure?+
A document control procedure is a written rulebook that defines how an organisation creates, identifies, reviews, approves, distributes, updates, and retires its controlled documents. It turns informal habits — renaming files, emailing versions around — into a repeatable process so that everyone can tell which version is current and who approved it. It is one of the foundational procedures behind any quality management system.
What are the ISO 9001 document control requirements?+
ISO 9001:2015 addresses document control in clause 7.5 on documented information. It expects documents to be identified and described, reviewed and approved for suitability and adequacy before use, kept version-controlled and available where needed, and protected from unintended alteration or loss. Where documented information serves as evidence, the standard also expects that evidence to be retained and legible. A document control procedure is how most organisations demonstrate they meet these expectations.