Documented Information

What Is the Difference Between Document Control and Record Control?

The ISO 9001:2015 quality standard has a number of documentation requirements and specifically calls out 7.5 Documented information, which replaces 4.2.3 Control of Documents and 4.2.4 Control of Records in the previous ISO 9001:2008. To understand the difference, first let’s clarify the difference between documents and records.

Difference Between a Document and a Record

Documents and records may sound alike but there is a big difference between the two. Documents are created by planning what needs to be done and records are created when something is done and record the event. Documents can be revised and change, where as records don’t (must not) change.

Document Definition

Document: Information used to support an effective and efficient organizational operation.

A document consists of any information you use to run your company. Documents originate in the planning phase of the Plan, Do, Check, Act, cycle of the process approach.

Since documents are planning material, they are subject to change (under the Act phase) as we obtain more information (Do phase) and compare those informational or data records (Check phase) to our original plan. Common examples of (QMS) quality management system documents include:

Required ISO 9001:2015 Documents

The ISO Standard requires a few documents: Quality policy, Scope, Process support, and Quality objectives, but the latest standard no longer requires a Quality Manual, or the minimum of six procedures, these are now optional.

The required (now optional) ISO procedures were:

Clause 4 Documents (2 old procedures)

ISO Auditor Class, St. Louis, MO

1) 4.2.3 Document Control (now part of 7.5)

2) 4.2.4 Record Control (now part of 7.5)

Clause 8 CAPA (4 old procedures)

3) 8.2.2 Internal Audit (required activity under 9.2)

4) 8.3 Nonconforming Product Control (required activity under 8.7)

5) 8.5.2 Corrective Action (required activity under 10.2)

6) 8.5.3 Preventive Action (required activity under 6.1 renamed “risk”)

Record Definition

Record: Evidence about a past event.

A record is generated in the “do” phase of PDCA. Records consist of any data you collect during the operation of your business QMS. Records are facts and should not change. If new facts arise that contradict the old facts (an error), then you should strike through the old fact and record the new fact.

There are 21 required records within ISO 9001:2016

The ISO Standard requires 21 records with most (14) coming from clause 8 product realization. Two records have been merged into other clause: 7.6 Validity of results investigation is now a part of 8.3.4 design controls and 8.5.3 Results of preventive actions is now part of 6.1.

What are the 21 records now?

Clause 7 Resources (3 records)

1)  7.1.5.1 Evidence of fitness for purpose of monitoring and measurement resources. (similar to old 7.6)

2) 7.1.5.2 Basis used for calibration or verification, where measurement traceability is a requirement and standards don’t exist. (similar to old 7.6)

3) 7.2 Evidence of competence (similar to old 6.2.2)

Clause 8 Product Realization (14 records)

1) 8.1 confidence that the processes have been carried out as planned and to demonstrate conformity of products and services to requirements. (similar to 7.1d)

2) 8.2.3.2 Results of the review of requirements related to products and services. (similar to old 7.2.2)

3) 8.3.2 Confirm that design and development requirements have been met. (similar to old 7.3.1)

4) 8.3.3 Design and development Inputs (similar to old 7.3.2)

5) 8.3.4 Design and development controls (similar to old 7.3.5, 7.3.6)

6) 8.3.5 Design and development process outputs. (similar to old 7.3.3)

7) 8.3.6 Design and development changes. (same as to old 7.3.7)

8) 8.4.1 Results of external provider evaluations, performance, and re-evaluations. (same as old 7.4.1)

9) 8.5.1 Characteristics of the products and services, Activities to be performed and the results to be achieved (similar as old 7.5.1)

10) 8.5.2 Unique identification of process outputs, where traceability is a requirement. (same as to old 7.5.3)

11) 8.5.3 Customer property damage notice. (same as to old 7.5.4)

12) 8.5.6 Results of the review of production changes, the personnel authorizing the change, and any necessary actions. (NEW)

13) 8.6 person(s) authorizing release of products and services for delivery. (same as to old 8.2.4)

14) 8.7.2 Actions taken on nonconforming process outputs, products and services, including concessions obtained and the person or authority that made the decision dealing with the nonconformity. (same as to old 8.3)

Clause 9 Management Responsibility (3 records)

1) 9.1.1 Evidence of results that ensure monitoring and measurement activities are implemented in accordance with the determined requirements. (NEW)

2) 9.2.2 Evidence of the audit program and audit results. (same as to old 8.2.2)

3) 9.3.3 Evidence of the results of management reviews. (same as to old 5.6.3)

Clause 10 Management Responsibility (1 records)

1) 10.2.2 Nonconformities, subsequent actions taken, and results of corrective action. (similar to old 8.5.2)

Difference Between Document Control and Record Control

Now, with a better understanding of what documents and records are, we can look closer at what is required for documented information. The ISO clause require that documented information be controlled, but what does that mean?

ISO 7.5.2 Creating and Updating

Documents are created as a part of your organizations planning. Therefore, ISO requires that these planning documents are approved prior to use to ensure they are adequate (appropriate). Documents need to be reviewed and updated to ensure the content is accurate. If changes are made to plans then it is imperative that the changes are identified and communicated to anyone that uses those planning documents.

Users need legible, up-to-date, and readily available documents to do their job. The bottom line, documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. That is what ISO wants from the control of your documents.

ISO 7.5.3 Control of Information

Records are not the plan, records are created by plans. Records are data collected by operating the quality management system, but data is not information. Data must be converted into information through the use of charting or trend analysis. So the requirements for records are different. Records need to be identifiable (labeled), stored, protected (uncorrupted), retrievable (you need to use the data), retained (backed-up), but disposed of when obsolete.

Documents are created by planning what needs to be done and records are created when something is done. Documents can change and records don’t change. Documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. Records need to be identifiable, stored, protected, retrievable, retained, but disposed of when obsolete. That is what ISO means by documented information, it is the same as the old control of documents and control of records. It is now referred to as documented information control and technically we do not refer to them as documents and records, although I still think that it makes a lot more sense to use the old terminology when describing the difference between document control and record control.

Download  free ISO 9001 2015 procedures examples from the ISO 9001 Manual now.

42 thoughts on “What Is the Difference Between Document Control and Record Control?”

    1. Records are not really approved, they are created by the originator as a record of fact. If you record the temperature outside, on a form, then that is the temperature you saw on the gauge at the time you read it. Some events are recorded and then validated that they are effective, like a corrective action record. But that is not approval. Someone is validating the the event is complete and the corrective action is effective. The record itself is not approved.

      1. Record review and approval is an authentication and verification process, which is not the same as review and approval of controlled documents.

      1. Basically, records are reviewed and the data is used as evidence of an event. Documents are like directives and consists of things like the quality manual, plans, procedures, or forms and these need to be approved prior to use so that the people using these documents know they are using the right versions.

        1. I would say that sometimes records may be approved as well because that may be the requirement of internal procedures.

          Let’s have an example: a purchase order is a record (which documents the fact that someone in the company wants to purchase some goods) but it is not vaild until approved by CEO or purchasing department manager.

          1. I would call a purchase order a document because it can be changed. Records do not or should not change. A purchase order is a request. Documents are approved, records record data of what has happened in the past. Since the purchase order has not been filled, it has not happened and does not record any data of an event. At any time you can cancel or revise a purchase order and it requires approval. Therefor, it is a document.

        2. hello all, i am working in an government educational institution. How about Memoranda, Circulars from other government agencies/offices, are they considered document (at our end), since they were approved prior to issuance? How about letters various types of documents from other offices (letters, notices, travel orders, certifications…) within the university, can they become a record in my office?

          1. To keep it simple, documents are approved. Records are signed or authenticated. In a government, everything is a record of what was done while in office. The new ISO 9001:2015 standard eliminates the distinction and introduces the term “documented information” which now includes documents, forms, procedures, records, work instructions, or anything used by the organization to demonstrate effectiveness. Maybe this will simplify it for everyone…

    1. Some records are approved. A record of compliance should be approved before sending to Government. Technical reports are records and should be approved before release. An approval in this case is signing off that the data is accurate and/or can be released.

      An issued or approved purchase order is clearly a company record. Financial auditors would certainly see it as such.

      1. Record are reviewed its content but remain unaltered while document approved its validity and sometime may be altered if necessary

    1. A Document is a draft that varies ideally. A Record is a done/completed action unchangeable. What you mean above can happen as referring to the completed acts to set new plan. By that time you will be drafting. At its final decision/completion a Document gives birth to a record. Record is born at document’s completion. Through Record you will set policy for conservation this happens in temporary view. Finally it becomes an Archive which pursues permanent policy of conservation. See the: Document-Record-Archive.

    1. Specification limits should be documented but control ranges are a function of the process. As you improve control over your process they will narrow. They could be documented in an improvement plan, in work instructions as expected output, or recorded on a record showing what the process results were. Many machines today record the output’s in real time control charts, which are records of the process performance. The method of documentation depends on your usage.

  1. If a print out of Electronic Medical record is taken and provided to the patient without signing on it. Are those papers documents or records ?

    1. A record consists of data that can not be changed. Think of test results or a medical history. It can be paper or electronic. The signature adds traceability and improves authenticity, but so does a date on a printout. The signature may or may not be required.

      1. i think if project is still ongoing and activities still implementing with data that is called document control, and after complete the project or complete of documents in the middle of project all that data will become record control

        1. Somewhat correct, Haneef — the changeable documents during a project require document control. After the project is complete, the documents become *records* of the project and then require *records management* (not control).

          However, during the project, there can also be records created, such as measurements, test results, etc. These types of documents are *records* — they do not change. Procedures, site plans, engineering drawings, etc. change many times throughout a project, and therefore they require *document control*. The records that are also part of the project are handled via the document control system while the project is ongoing, but they are still records (e.g. the electrical output readings of a generator on a particular day do not change; they are not subject to revision. Readings taken on another day would be a *record* of the output on *that* day, etc.).

          Again, once the project has ended, *all* documents used on the project become records, as they are no longer subject to revision. They are records of what was done on the project.

          Hope this helps. 🙂

  2. Thank you so much.This gives a very good definition about what is a document ,what is a record & how the document & record control is done.

  3. Sir, We wrote a procedure for incoming material and stated that the checked Quantity to be labeled by putting a sticker containing certain information about the inspection. Now do we need to put a control number on the sticker? if yes why and if no then why?
    Regards
    Javed

    1. Form documents need to be controlled so it is clear you have the latest authorized revision of the form. Form records need to be protected from alteration. A control ID and date should be sufficient.

  4. A situation about controlled documents under ISO 9001:2015 – we are having issues defining when a form becomes a record and when ‘the most recent version’ is applied.
    The example – when a project is started in our organization, the coordinator takes the latest controlled form (in this example I’ll call it an inspection checklist), populates only certain fields in the form and then stores it in a project folder so that it is available when needed (point of use). The problem lies when the inspection checklist is completed and made into a record, which can sometime occur after a new revision has been done to the controlled form (weeks, months and sometimes years). So, if the form is only partially populated does it become a record? I would say no because records should not be modified but would like your opinion on that. Also, if a new version of a controlled form is released, should those partially populated incomplete documents be redone using the last version? Your thoughts on solving this dilemma would be most appreciated. Thank you,

    1. As soon as you add data to the form it become a record on that date by that person. What makes it a record is the data, date, and person, not the paper form. The fact that you add more information to the record on another date, maybe with a different person is fine, it just makes it a journal or notebook record. Records can by many things: database, email, notebook, journal, pictures, video, forms, etc. Now if you change the form in the middle, just cross out the places in the new form where previous data was captured and attach the old form/record to it. What can’t be modified is the data on the record.

  5. Sir , We ussualy take Minute of Meeting (MoM) during a formal meeting or any managemnt meeting in our company and we use the MoM form to capture what was important during the meeting. after the form is fillid up, shall we call the form a Record or still a Document ?

  6. I am confused regarding the following example. Is an email that provides financial or statistical data, or approval of a plan change of direction from a Manager a record? The final plan will reflect the details contained in the email and so the plan is a record. However I am unsure as to whether the email would be considered in the planning (a document) or doing (record) stage, and whether it is a record in itself? If it is not a record, is its only purpose advice and approval?

    1. Plans can change, and they do change often, so a plan is always a document. The approval of a plan is a record of who approved it and when it was approved. This discussion of documents and records is mute now that ISO 9001:2015 calls all documents and records “Documented Information”.

  7. Hi
    Hope you can help.
    If a record of results has not been changed only a spelling mistake crossed out fix up and initial. Does this comply with iso9001-2016?

    1. ISO 9001 is not specific on how to change documented information, but 7.5.3.2.b control states that “it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)” which I read as cross out, fix up, and initial.

      The ISO/IEC 17025​ Clause 4.13.2.3, standard does address this, it says: “When mistakes occur in records, each mistake shall be crossed out, not erased, made illegible or deleted, and the correct value entered alongside. All such alterations to records shall be signed or initialed by the person making the correction. In the case of records stored electronically, equivalent measures shall be taken to avoid loss or change of original data.”

  8. Many of the design and development documents seem like they would act both as a document and as a record. Like an internally generated design specification would be developed and approved, and could be revised, so this seems to act like a record. But at the same time it seems to be a record in that records the act of creating the design inputs. Many sources I see discuss design specifications as records rather than documents.

    Similarly design drawings are the record of the design, but must also be approved and can be revised.

    I think a design review report is squarely a record, as the documents a specific event. Similarly a change control review report would be a record… although that is less clear as the change itself needs to be approved.

  9. Would you consider an approved company Policy or Standard a Record or a Document? We consider an approved Policy/Standard that is posted a ‘record’ and the versions or drafts leading up to the final version ‘documents’. Are we on the right track?

    1. Technically, if it can be changed, then it is a document. Policies can change, so policies are documents. But it really does not matter for ISO because now everything is documented information.

  10. Thank you for providing more explaination to the new version ISO 9001:2015, clause by clause. I can now document the quality manual.

  11. Hi, I found this explanation very useful. Our company is still using the old Documents and Records Control practice and we retained this practice since the term Documented Information still covers Documents and Records.

    However, there is one thing that confuses me. Documents can be classified as Internal Documents (originates or completed, and maintained internally) or External Documents (originates externally and maintained by the document source, just like the supplier’s equipment manual).

    I would like to ask about Safety Data Sheet (SDS) and the Certificate of Analysis (CoA) coming with the supplies that we bought. SDS, I think, can be considered as a Document, since it can be changed but by the document source like by our supplier, of course depending on the characteristic of the material, should there be changes to it.

    On the other hand, CoA for the specific lot of materials delivered to us, I think can be considered as a Record, since it should not change and can’t be updated, only corrected should there be errors in the CoA.

    Your thoughts on this is highly appreciated.

    1. The SDS contains product identification, hazard statements, first-aid measures, accident handling and other precautionary procedures about the product. All of this metadata is descriptive material and can be changed by the supplier so it is a document. The CoA contains testing results or specific lot or batch characteristics that cannot be changed (except in error) so it is a record of the purchased lot. Documents and records refer to the method of change/revision and preservation. They are independent of the internal or external origination. I liked the old document/record classification. This new documented information designation confuses people.

Leave a Reply

Your email address will not be published. Required fields are marked *