Control of Documentation: A UK Compliance Guide Beyond ISO
Published 19 April 2026 · Last reviewed 15 March 2026
"Control of documentation" means different things depending on who is asking. In ISO 9001, it refers to a formal quality management system requirement — clause 7.5, documented information. In a manufacturing or engineering context, it means drawing control, change management, and revision tracking.
But if you run a school, GP practice, charity, or council in the UK, document control means something more specific: can you prove to your regulator that your policies, procedures, and records are current, approved, and accessible?
This guide covers document control from the perspective of UK regulated organisations — not ISO certification, not manufacturing quality systems, but the practical governance requirements that CQC, Ofsted, the Charity Commission, and auditors expect to see. For the underlying argument on why document control matters in regulated UK organisations, start with our article Why Document Control Matters in Regulated UK Organisations and come back.
Document Control in Regulated UK Organisations
For most regulated UK organisations, document control applies primarily to:
- Policies and procedures — safeguarding, health and safety, data protection, complaints, clinical governance, financial regulations
- Registers and records — risk registers, asset registers, training records, DBS check records, accident logs
- Governance documents — minutes, terms of reference, schemes of delegation, standing orders
- Compliance evidence — audit reports, inspection action plans, incident records, complaints logs
The common requirement across all regulators: these documents must be current, approved, accessible, and traceable. An outdated policy is not just a paperwork problem — it is evidence that your governance systems are not working.
What Each Regulator Expects
CQC (GP practices, dental practices, health services)
Regulation 17 requires records that are "accurate, complete and contemporaneous." For document control, this means:
- Every clinical and governance policy has a named owner and a review date
- Previous versions are retained (regulators may need to see what a policy said at a specific point in time)
- Changes are traceable — who updated it, when, and why
- Staff can locate and follow current procedures
CQC inspectors follow threads: they ask a receptionist about a procedure, then check whether the documented policy matches. If the policy is version 2 but the practice is following version 1's procedures, that is a Regulation 17 concern.
Ofsted (schools, academies, MATs)
Schools must maintain statutory policies that are current and — for many — published on the school website. Ofsted checks:
- Statutory policies are in place and have been reviewed within required timeframes
- The safeguarding policy reflects the latest Keeping Children Safe in Education guidance
- Governing body minutes reference policy approvals
- Published website policies match the internal current versions
For schools in MATs, document control is more complex. Some policies are trust-level (standardised across all schools), others are school-level. Without clear version control, individual schools may be operating under outdated trust policies.
Charity Commission
The Charity Governance Code expects trustees to review governance arrangements regularly. Document control evidence includes:
- Board minutes showing policy approval decisions
- A register of policies with review dates
- Version history for key policies
- Evidence that policies are distributed to staff and volunteers
Local authority audit
Parish, town, and district councils are audited annually. Auditors check:
- Standing orders and financial regulations have been formally adopted at a council meeting
- Governance documents are dated and signed
- Risk management policies are current
- Previous versions are archived (not overwritten)
The Five Elements of Document Control
Regardless of your regulator, effective document control covers the same five areas:
1. Identification
Every controlled document has:
- A unique title
- A version number (v1.0, v2.0, v2.1)
- A date
- A document owner
Without identification, you cannot answer: "Which version is current?" If your safeguarding policy is stored as "Safeguarding Policy FINAL (2).docx" with no date or version number, it is not controlled.
2. Approval
Every document goes through a formal approval process before it becomes the current version. The approval record includes:
- Who approved it (governing body, trustees, practice manager)
- When it was approved
- Which version was approved
Verbal approval is not an audit trail. You need written evidence — ideally timestamped in a system, or at minimum recorded in meeting minutes.
3. Distribution
Controlled documents must be accessible to the people who need them. For policies, this means:
- Staff know where to find current policies
- Outdated versions are not accessible (or are clearly marked as superseded)
- For critical policies, there is evidence staff have read them (training records, sign-off sheets)
4. Review and Revision
Every document has a scheduled review and a process for updating it when circumstances change. The review cycle includes:
- Checking content against current legislation and guidance
- Updating the version number and date
- Routing through the approval process
- Replacing the previous version in all distribution locations
5. Retention and Archiving
Previous versions are not deleted — they are archived. Regulators may need to see what a policy said at a specific point in time (for example, during an investigation into a historic safeguarding concern). Archived versions should be clearly labelled and inaccessible to general staff to prevent confusion.
Common Document Control Failures
The shared drive problem. Policies live in a folder structure with no version control. Staff save working copies to their desktop. Three versions exist with different dates. Nobody is sure which is current.
The website lag. The internal policy is updated but the version published on the school website is not. An inspector or parent reads an outdated version.
The email approval. A policy is sent for approval via email. The practice manager replies "looks fine." Six months later, nobody can find the email, and there is no formal record of approval.
The single point of failure. One person maintains the policy register, knows where everything is, and manages the review schedule. When they are on leave or leave the organisation, the system stops.
The annual scramble. Policies are not reviewed on schedule. Instead, all reviews happen in a two-week panic before an inspection. The resulting reviews are superficial because there is no time to do them properly.
Building Better Document Control
Start with a register
You cannot control documents you have not catalogued. Build a policy register that lists every policy, its owner, version, and review date. Our free Policy Register Template does this in minutes.
Set up automated reminders
Manual tracking fails at scale. Use our Policy Review Schedule Generator to calculate review dates and import them into your calendar. Better still, use a system that sends reminders automatically.
Separate the document from the tracking
The policy document itself (a Word file, PDF, or web page) is not the same as the document control record (who approved it, when, which version). Keeping these separate means you can update tracking information without opening every document.
Standardise naming and versioning
Adopt a consistent format: "Policy Name v[version] [date]". For example: "Safeguarding Policy v3.0 2026-01-15". Avoid dates in filenames that do not match the actual review date, and never use "FINAL" or "LATEST" — these become meaningless after the second revision.
Document Control Is Not ISO
If you searched for "control of documentation" expecting ISO 9001 guidance, you may be wondering why this article has not mentioned clause 7.5. The reason: most small UK regulated organisations do not hold ISO certification and do not need to. The document control requirements from CQC, Ofsted, and the Charity Commission overlap with ISO principles but are specific to the regulatory context.
That said, if your organisation does hold ISO 9001 or is working toward it (some councils and NHS organisations require it), the document control framework described here aligns with clause 7.5 — you would simply add ISO-specific elements like documented information scope and external document control.
PolicyBoard is designed to automate the document control that UK regulators expect — version tracking, approval workflows, review reminders, and a compliance dashboard. Join the waitlist to be notified when it launches.
Sources
- CQC Regulation 17: Good Governance
- DfE: Keeping Children Safe in Education
- Charity Governance Code
This article covers document control principles for UK regulated organisations. It is not legal advice.