Document Controlling: A Practical Guide for UK Compliance Officers
Published 13 May 2026
A practice manager opens the shared drive looking for the current data protection policy. There are six files. Three are dated. Two have "FINAL" in the filename. One is called "DPpolicy_v3_AMENDED_REAL_FINAL.docx". She opens the most recent and is not sure whether it has been approved.
That is the absence of document controlling — and it is the daily working reality of most small UK regulated organisations. The phrase "document controlling" sounds technical, ISO-flavoured, and somebody else's problem. In practice, for any organisation that has to evidence governance to a regulator or auditor, it is the difference between a controlled record and a guess.
This guide covers document controlling as a working compliance practice — what it means, why it matters in UK regulated organisations, and how to do it without an ISO 9001 certification programme. It is written for the people who actually have to do the work: school business managers, practice managers, council clerks, charity governance leads, and anyone whose job description includes "make sure the policies and procedures are current".
What "Document Controlling" Actually Means
The term comes from quality management — specifically ISO 9001, which sets out documented information requirements as part of a quality management system. In that context, document controlling is a formal process: every controlled document has a unique identifier, an owner, an approval record, a review cycle, and a controlled distribution list.
Outside ISO certification, document controlling means the same five things in plain language:
- You can find the current version. Not three versions, not last year's version, not "the one in Sarah's email" — the current version, in a known place, in under a minute.
- You know who owns it. A named person responsible for keeping the document accurate. Not a generic "shared drive owner" or a job role no one currently holds.
- You know who approved it. A documented approval — name, date, and ideally what they approved (a version, a change). Without this, the document has no governance authority.
- You know when it was last reviewed and when it is next due. Not a date in the footer that no one checks. A live review schedule that surfaces what is due, what is overdue, and what is current.
- You can see what changed. A version history showing what was different in the previous version. This is the audit trail an inspector or auditor will ask about.
If your organisation cannot answer all five for any given policy, procedure, or governance document, it is not under document control. It is under document storage — which is a different thing.
Document Controlling vs Document Storage
The distinction is not academic. It is the difference between two organisations sitting through the same inspection:
Organisation A has a SharePoint site with 200 files in a folder hierarchy. Files are named informally. Some have approval dates in the footer; most do not. The practice manager knows where most of them are. When the inspector asks for the current safeguarding policy, the manager opens four files before finding the one that looks most current.
Organisation B has the same 200 documents in a register. Each shows owner, status, last review date, next review date, and a clear "current version" marker. When the inspector asks for the safeguarding policy, the manager opens the register, exports the current document, and shows the audit trail of approvals.
Both organisations have the same documents. Only one is under document control. The first is taking notes during the inspection; the second is answering questions.
Why It Matters in UK Regulated Organisations
Every UK regulator that conducts inspections or audits expects evidence that documents are controlled — even when they do not use the phrase. Specifically:
CQC (GP practices, dental practices, primary care)
Regulation 17 requires that records are "accurate, complete and contemporaneous" and that systems "assess, monitor and improve" service quality. In practice, inspectors check whether policies are dated, approved, reviewed within stated timeframes, and known to the staff who follow them. An undated or unsigned policy fails Regulation 17 even if its content is good.
For CQC-specific policy expectations, the CQC policy requirements guide covers the categories inspectors expect to find at a GP practice.
Ofsted (schools, MATs, early years)
The DfE's Keeping Children Safe in Education is updated regularly. Schools must show their safeguarding policy reflects the current version of the guidance — and that staff have been notified of changes. An out-of-date safeguarding policy contributes directly to a "safeguarding is not effective" judgement, one of the most serious findings a school can receive. Document controlling is what makes "current and notified" auditable.
Charity Commission
Trustees are accountable for ensuring the charity is well-run. Outdated policies are evidence of poor governance. The Commission's annual return asks whether the charity has reviewed its governing document — a "no" answer invites scrutiny. For charities working with children or adults at risk, safeguarding documentation is checked against the documented review cycle.
ICO (data protection — all sectors)
The UK GDPR's accountability principle requires organisations to demonstrate compliance — not just be compliant. The ICO accountability and governance guidance sets out the documentation expected: data protection policy, records-of-processing register, breach response procedure, subject access request procedure. After a breach, the ICO will ask for evidence the documents were current at the time of the incident. Document controlling provides that evidence.
Internal and external audit
For councils, NHS organisations, and audited bodies, internal auditors check governance documents are reviewed within stated timeframes. External auditors will note governance weaknesses where document review schedules have slipped. Persistent issues can lead to a qualified audit opinion.
The common thread: every regulator checks both the content and the control. A well-written policy that is not under document control is evidence the system is not working.
What Document Controlling Looks Like Day-to-Day
Theory is one thing. The day-to-day practice of document controlling at a small UK regulated organisation looks like this:
A central register
One list of every controlled document — policies, procedures, SOPs, protocols, terms of reference, code of conduct, scheme of delegation. Each entry shows:
- Document name and category
- Document type (policy, procedure, register, etc.)
- Owner (named person)
- Last review date
- Next review date
- Approval status (approved, draft, under review)
- Current version
- Where the actual document lives
If you are starting from scratch, our free Policy Register Template is a working example of the columns this register needs. The same structure works for procedures with one extra column for "parent policy".
A review schedule
Different document types have different review cadences. A safeguarding policy is reviewed annually (more often when guidance changes). A medication-administration procedure is reviewed annually or when the prescribing system changes. A scheme of delegation is reviewed when governance arrangements change.
The schedule should surface what is due in the next 30, 60, and 90 days — not require someone to manually scan the register each month. Our free Policy Review Schedule Generator builds this calendar from a list of policies.
For regulator-specific cadences, the policy review frequency guide covers what each regulator expects across CQC, Ofsted, the Charity Commission, and audit cycles.
An approval record
Every controlled document needs an approval record showing who approved which version, when. The approval record sits alongside the document, not inside it — so updating the record does not require reopening the document.
For policies, the approval body is typically formal (governing body, trustees, partners, full council). For procedures, the approval body is often just a line manager or department head. The approval workflow should match the document type.
A version history
Previous versions preserved (not overwritten) and accessible. Each version dated and labelled. When an auditor asks "was this policy current at the time of the incident on 14 March?", you can show the version that was in force on that date.
Distribution and acknowledgement
For critical documents (safeguarding, data protection, health and safety, infection control, medicines management), staff need to know about updates. At small scale, distribution is usually by email with an acknowledgement reply. Larger organisations may use formal attestation. The principle is the same: there is evidence staff know about the current version.
An audit trail
Every change recorded — who edited what, when, and what the change was. This is the difference between document storage (which most organisations already have) and document controlling (which most do not).
Common Document Controlling Failures
The same patterns appear in inspection reports and audit findings across sectors:
Review dates in document footers, not in a register. The "next review" date is in the footer of the Word document. To find what is overdue, someone has to open every file. So no one does, and policies drift past their review dates without anyone noticing.
Multiple versions of the same document. "Safeguarding Policy v3", "Safeguarding Policy v3 AMENDED", "Safeguarding Policy v3 FINAL", "Safeguarding Policy 2024". No clear current version. Staff working from different files.
No approval record. The policy exists. There is no record of who approved it or when. Governing body minutes do not reference the policy review. From a governance perspective, the document is not controlled — it is just a file.
Owners who left the organisation. The policy register lists owners who left 18 months ago. Reviews are not happening because the named owner is no longer there to do them.
Updated procedures, unchanged policies. Operational procedures get updated when systems change. The underlying policy still references the old procedure. Inspectors find the mismatch.
Filing-cabinet documents. Still common in small GP practices, parish councils, and charity offices. Printed, signed, filed. No search, no version control, no reminders. When asked for a specific document, someone rummages through a cabinet.
All of these are document controlling failures. None of them are about the content of the documents — every example assumes the policies and procedures themselves are well-written. The failure is in the controlling.
Document Controlling Without ISO Certification
Most small UK regulated organisations do not hold ISO 9001 and do not need to. The full ISO documented-information apparatus — controlled distribution lists, formal change management procedures, mandatory training records — is overkill for a 30-person council or a five-trustee charity.
What they need is the practical principles of document control, applied at the right scale:
- A central register, not a quality manual. One spreadsheet or one tool, not a stack of binders.
- Lightweight version control, not formal change management. Previous versions accessible, dated, labelled. Not a 12-step change process for every typo correction.
- Practical approval workflows, not committee structures. Policies route to the approving body that already exists (trustees, governors, partners). Procedures route to the line manager who already approves operational changes.
- Reasonable review cadences, not annual full audits. Annual minimum for policies, more frequent for procedures and operationally critical documents. Triggered reviews when systems or staff change.
- Inspection-ready, not certification-ready. The output is evidence for inspectors and auditors — not a recertification audit by a third party.
For organisations that want a deeper read on the document-control framework that applies in regulated UK contexts (rather than ISO/manufacturing contexts), the control of documentation guide covers the regulator-by-regulator picture.
A Practical Checklist for Compliance Officers
If you are responsible for documents in a small UK regulated organisation and want to know whether you are under document control, work through these:
- Can I list every controlled document in under five minutes? If the list is in someone's head or scattered across folders, it is not a register.
- For each document, do I know the current version, owner, last review date, and next review date? Without all four, you have document storage, not document control.
- Can I produce evidence of approval for every policy and procedure? Name, date, version. Not "we discussed it at trustees in March 2023."
- Do I know what is due for review in the next 90 days? If the answer is "I would need to check each file", the schedule is not working.
- Can I show what changed between the current version and the previous version of any document? Version history matters when an inspector asks about the policy at the time of an incident.
- Do staff know about updates to critical documents? Distribution and acknowledgement, not just "it is on the shared drive."
- Could I evidence document control to an external auditor without preparation? If an auditor walking in tomorrow would catch you scrambling, the system is not yet working.
If you cannot answer "yes" to all seven, the gap is not in your policies — it is in your document control.
Connecting It to Policy Management
Document controlling sits at the centre of policy management. A policy without document control is a statement of intent without evidence the organisation is following its own commitments. The five principles above — current version known, owner known, approval recorded, review cycle live, change history kept — are the working definition of policy management at small-organisation scale.
Most small UK regulated organisations already have the policies. They have the procedures. They have the people who care about getting it right. The gap is the controlling layer — the register, the schedule, the approval record, the version history. Once that is in place, inspections become an evidence-gathering exercise, not a panic.
PolicyBoard is designed to be that controlling layer for small UK councils, MATs, GP practices, and charities — a central register of policies and procedures, automated review reminders, lightweight approval workflows, version history, and inspection-ready exports. Join the waitlist to be notified when it launches.
Sources
- ISO 9001:2015 — Quality Management Systems Requirements
- CQC Regulation 17: Good Governance
- DfE: Keeping Children Safe in Education
- ICO: Accountability and Governance
This guide covers general principles of document controlling for small UK regulated organisations. It is not legal, audit, or ISO certification advice. Always check the specific requirements of your regulator and seek professional advice where needed.