Maintaining Objective Evidence of Compliance

Record keeping is one of the most painstaking and important requirements in the ISO 9000 standard. Painstaking, because records must be identified, filed, protected and controlled throughout their lifecycle. Important, because they contain the history of how your quality management system (QMS) is functioning. The energy, effort and expense of keeping up your quality records are ongoing investments in building a reference-base for analysis, compliance and improvement.


The discipline of maintaining your QMS records ensures that you will have an objective means of assessing QMS effectiveness. With this historical evidence you can:

Understand how well your QMS is performing

Trace back to the source of problems

Demonstrate compliance to requirements

Evaluate trends in QMS performance

Monitor improvements

With your quality records you can answer questions such as “why did this happen?”, “when did this problem first appear?” and “is the problem gone?”. With such valuable information at your fingertips, your records should be treated as invaluable.

Additionally, your quality records are a primary reference for your internal and external auditors to assess your compliance to requirements. As each record is filed, keep in mind that an auditor may want to retrieve it in order to evaluate the effectiveness of the QMS.


The ISO 9000 standard has a built-in reference to all required records wherever the phrase “see 4.2.4” is found (4.2.4 is the paragraph dealing with Control of Records). The 20 mandated ISO 9000 records are:

  1. Document Control (4.2.3)
  2. Management Review (5.6.1)
  3. Education, Training, Skills and Experience (6.2.2)
  4. Product Realization (7.1)
  5. Customer Requirements Review (7.2.2)
  6. Design and Development Inputs (7.3.2)
  7. Design and Development Review (7.3.4)
  8. Design and Development Verification (7.3.5)
  9. Design and Development Validation (7.3.6)
  10. Design and Development Changes (7.3.7)
  11. Supplier Evaluations (7.4.1)
  12. Production/Service Processes (7.5.2)
  13. Identification and Traceability (7.5.3)
  14. Damaged/Lost Customer Property (7.5.4)
  15. Calibration (7.6)
  16. Internal Audit (8.2.2)
  17. Product Conformity (8.2.4)
  18. Nonconforming Product (8.3)
  19. Corrective Action (8.5.2)
  20. Preventive Action (8.5.3)

In addition, give careful consideration to other records you might need to include in your QMS that would give you an important historical reference for critical areas. You may want to include records for maintenance (6.3) and customer satisfaction (8.2.1), for example.


All 20 required quality records that are applicable to your organization’s processes, and any additional records you decide are important to maintain, must be kept according to the “Control of Records” requirements in the ISO 9000 standard:

Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled. The organization shall establish a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records. Records shall remain legible, readily identifiable and retrievable. (ref. 4.2.4)

Let’s briefly clarify each requirement:

Legible – You must ensure handwritten records can be easily read and that you protect paper records from deterioration that might affect their readability.

Readily Identifiable – Each record should be uniquely identified through a number, code, title, date, storage location or other appropriate method. Anyone looking at the records should be able to easily tell what they are looking at.

Retrievable – Every record should be filed and stored in such a way as to be easy to find and access when needed.

In addition, you must have a documented procedure for controlling records. In the procedure you must address how your organization handles the following:

Identification – What minimum information must be added to every record for identification (see “Readily Identifiable” above).

Storage – How hardcopy and electronic records are stored to protect them.

Protection – What methods must be used to preserve records from loss or deterioration? For hardcopy records, you may want to include where files are kept, in what types of storage containers and any environmental concerns (moisture, temperature, etc.). For electronic records, be sure to include how the data is backed up regularly.

Retrieval – Describe how records are indexed or otherwise organized to facilitate easy access (see “Retrievable” above).

Retention Time – Specify minimum and/or maximum retention requirements for each type of record. Be sure to establish a schedule to review your records according to your requirements.

Disposition – Determine how you will dispose of records when scheduled. For confidential records, be sure you are explicit about how you intend to destroy the records.


With at least 20 types of quality records to maintain according to the ISO 9000 requirements, organizations often seek to simplify their approach to record keeping. Here are some suggestions:

Assign clear responsibility for filing, maintaining and disposing of each record.

Provide adequate storage capacity so filing can be maintained.

Keep your records only as long as necessary, then dispose of them.

Develop a records retention matrix that shows who is responsible, storage locations, protections, security, retention requirements and disposal methods.

Move as many records as possible to a searchable, electronic format to keep storage costs down and make them easy to retrieve when needed.


By keeping your record keeping as simple as possible, you’ll keep your costs down, prepare for seamless audits and keep your ISO-life somewhat manageable.