Document and Record Control Policy¶

Owner	Classification	Review Date	Status
CDO Office	Internal	April 2027	Active

|
---|---
Document Type| Policy
Document #| SP-DRCP-010
Owner| CISO
Classification| Confidential (Class 2 — Private Data)
Version| V1.2
Issue Date| 05/09/2025
Review Cycle| Annual
Authorised By| Yassir Pasha

Document Information¶

Field	Details
Document #	SP-DRCP-010
Document Title	Document and Record Control Policy
Version	V1.2
Confidentiality Level	Class 2 (Private Data / Confidential)
Date Created	26/03/2021
Issue Date	05/09/2025
Document Owner	CISO
Author(s)	Simpaisa
Purpose	To ensure that any Data Retention and Protection is controlled as per policy
Authorised By	Yassir Pasha

Reviewed By Steering Committee¶

Name	Role
Yassir Pasha	Chief Executive Officer
Kamil Shaikh	Chief Operating Officer
Osama Hashmi	Chief Financial Officer
Bachir Njeim	Chief Strategy and Operations Officer
Saqlain Raza	Acting Chief Technology Office
Rizwan Zafar	Chief Product Officer
Ahsan Hussain	Payment Channel Partnerships
Danish Abdul Hameed	Chief Information Security Officer
Shahroze Khan	Head of International Merchant Sales and Strategic Alliances
Noor Ali	Country Head Pakistan
Shoukat Bizinjo	Global Head of Regulatory Affairs · Regulatory

Change Control¶

Version	Date of Issue	Author(s)	Brief Description of Changes	Approved By
V1.0	08/10/2021	Rizwan Zafar	Initial release	Salim Karim
V1.0	08/10/2024	Rizwan Zafar	Annual Review	Salim Karim
V1.1	08/10/2024	Syed Zubair Ahmed	Annual Review	Salim Karim
V1.2	05/09/2025	Simpaisa	Organisation name updated Simpaisa to Simpaisa	Yassir Pasha

1 Introduction¶

This procedure is applicable to all sections and covers all activities related to the control of documents being carried out at Simpaisa. To establish and maintain documented system to control all documents and data that relates to the requirements of ISO 27001 standards. Ensure that only the most recent version of documents is available to all concerned. Documents requiring changes are revised and approved by the competent authority. Define the method for establishing personnel, approving, changing, maintaining, replacing, and distributing documents pertaining to the company's quality system. Establish and maintain documented system for identification, collection, indexing, access, filling, storage, maintenance, and disposal of records.

2 Responsibilities¶

Administration
Governance
Human Resource
Compliance
Project and Product Management Office

3 Procedure¶

3.1 Document Identification¶

3.1.1 Document Name¶

The entire documents are given a unique name which helps in readily identification of the documents. Usually, the name of the document shall be written on the top of the document. For register (printed / handwritten) the document name can also be mentioned on the outside instead of the top of the page.

The Chief Executive Office approves all documents of the organisation system. The Project & Product Management Office is responsible for controlling all the documents.

All concerned Department / Section Heads are responsible to intimate the changes if needed in the provided approved documents to Project & Product Management Office.

All respective departments establish and maintain a system for ensuring that all relevant quality records within the quality system are maintained to demonstrate that the requirements of management system have been effectively implemented. Other document controlling tools i.e., Confluence is not liable to follow this process.

Department Heads are responsible for the disposal of records after their retention period.

3.1.2 Page Number¶

The current page number is indicated in the header or footer, along with a document name for easy identification. The total number of pages is not displayed.

3.1.3 Document Coding¶

The documents and formats are allotted a Document / Format Number for unique identification and readily identifiable as explained below:

AAA — Where AAA stands for the Organisation and is mandatory to be labelled before all documents belonging to Simpaisa.

PEX : SIMPAISA

& others as required but not mandatory can be followed by BBB

Where BBB stands for the Department / Functions i.e.:

CO : Compliance officer
ADM : Admin
HR : Human Resource
RECP : Reception
IT : Information technology
PMO : Project and product management office

After "/" or "-" define type of document:

Q.P, Obj, QMS : i.e. Quality Policy, Objectives & Manual
Sop, System, Procd : i.e. Standard Operating Procedure, System Procedure
W.I, A.I, Inst : i.e. Work Instruction, Area Instructions, Instructions SOPs
F, FM : Forms / Formats/Registers etc.
OC : Organisational Chart
CP : Company Profile; NN = Identification Number as 01, 02, 03, etc.

More generically PEX-{Document title abbreviation}-{Number in Master list} (if maintained) can be used to label the documents.

3.1.2 Version Controlling¶

The revision status of the documents is indicated by giving it a:

Version number — Revision "0" for documents approved for the first time and 1 for the first change and so on. For any minor change you can add Sub version number like Version V1.1.1 or V1.1.i
Issue date i.e. the date on which the document was approved — this date is changed with each new revision.

3.1.3 Documents Review, Approval & Issuance¶

The documents are prepared by the Project and product management office on the basis of the feedback given by the related departmental head and are reviewed with them before finalisation. Prior to issue and release, documents are reviewed for adequacy, correctness and conformity to Policies and the ISO 27001 and other relevance standard. After the review is done approval is given by signing on the first page of the document by the designated authorities as mentioned on it.

To ensure that all documents related to the ISO 9001, ISO 27001 are properly controlled, updated and authorised, Master List of Documents for MS may be maintained by the Project and product management office or compliance. The Master List of Documents can be used to monitor the revision status of all the documents.

4 Document Controlling¶

Controlled Copies are indicated by 'CONTROLLED DOCUMENT' stamp. Where required the documents related to the security system can be given to outside parties like customers, contractors etc. Any such documents are given with the consent of the C-Suite / Head of department / Compliance.

Uncontrolled copies are indicated by 'UNCONTROLLED DOCUMENT' stamp.

4.1 Documents Distribution¶

Compliance is responsible for the distribution and retention of all the Management System documents including the External Origin Document to the concerned personnel.

The Compliance Representative is responsible for distribution of the approved documents to the related departments where the activities and processes are being performed. Compliance Representative also ensures that the distributed documents are in legible form.

The documents to be issued are listed on the Distribution Record Sheet and the receiving designation signs on this sheet along with the date of receiving the document.

To easily trace the distribution of all documents, a Document Distribution is prepared by the Compliance representative, which records all documents and the corresponding personnel who receive and hold the copies of those documents.

4.2 Controlling Document Changes¶

Document changes are reviewed and approved by the same authority that issued the original document. Revisions / changes in the documents are necessitated under the following circumstances:

Changes proposed by the work centres to improve the services / processes.
Changes necessitated by the induction of new processes.
Revisions required due to change in review meetings on the basis of internal audits and / or trend analysis.

Whenever any change is to be made, the concerned authorities can request for the change through Document Change Request Form. The Compliance is responsible to produce a draft copy of the preliminary revised document after incorporating the changes and issues it to the concerned along with the Document Change Request form. After the review and approval from all the concerned an original document with a new revision number is sent to the respective reviewing and approving authorities as per the Master List of Documents.

After the formal / final review and approval on the original document, the document is distributed as per the procedure mentioned above.

4.2.1 Minor Changes¶

Minor changes like typographical errors, spelling mistakes or grammatical mistakes are allowed provided that the changes initiated by any of the designated authority. After incorporation the minor changes, this must be acknowledged and communicated to all concerned through emails or verbally.

4.2.2 Obsolete Copies¶

Revised copies of documents are distributed to all concerned. The compliance officer withdraws obsolete copies. Where necessary, obsolete documents may be retained for legal reasons and / or for knowledge preservation purposes by marking it 'OBSOLETE & RETAINED'.

4.2.3 Change Record¶

A record of changes is kept on the Document Change Record Table attached with each procedure. Minor changes are not likely to be recorded.

5 Control of Management System Records¶

The same department that initially establishes the records normally stores records. Records are stored in dry and clean rooms. Either the cabinets containing records are clearly labelled to display their contents or cabinets are indexed / numbered and a department wise list of record is maintained.

Records and other documents may not be stored in private desk drawers or other obscure locations that are not generally known. All quality records are archived for a prescribed time period within the system. Retention period for records may be altered on the basis of contractual obligations and legal considerations.

A List of the Quality Records will also be maintained stating the description of record, location and its retention period. The compliance is responsible to provide this list to all concerned departments. Compliance Representative / Department Heads are responsible to dispose of their records, after their specified retention times.

5.1 File Identification and Traceability¶

Files, Folders, and Registers are identified through following information written on pasted labels:

Department / section
File / Case number
Description of Record
Period
Unique Identifiers
DocuSign

5.2 Disposition of Expired/Old Records¶

After the expiry of retention period of records, concerned sectional head reviews the validity and usefulness of records then decides whether to:

Destroy and scrap the record with the help of Archival Record.
Shift the records to the archives / Record Room, for reference purposes in case of any requirements in the future.

6 Mailing Control System¶

Admin Department is responsible to handle all incoming and outgoing mails as per following steps:

Handling of Incoming Mails:
- Admin Department concerns receive mails from courier service.
- Mails are forwarded to the staff members addressed.
Handling of Out Going Mails: Outgoing mails are hand over to admin department with delivery details. Admin services need to maintain courier services and slips are filed properly. If ever external mail will be sent.

6.1 Handling of E-Data¶

The back up of documents related to the ISO and management System in the computers is taken on as per backup policy by IT Department and the record is maintained on Data Backup Record. Back up is also taken by other key personnel outside the premises to prevent or to secure in any type of disasters and emergency situations.

The documents relating to management system are controlled by assigning a password to the computer as per password policy.

6.2 Retention of Soft Record¶

Soft record can be retained for maximum 5 years or longer. Reference Data Retention and Protection Policy.

6.3 Controlling Externally Originated Documents¶

All External Documents or Data i.e., Standards / Manuals / Technical Document / Specifications either on Documents or CDs are controlled by maintaining external origin document list. All the externally originated documents/data are distributed through distribution record sheet by person who is receiving that document.