ISO 9001 Quality Management System Requirements says you must have 21 records. For example the Standard says “Records from management reviews shall be maintained” and “Records of the audits and their results shall be maintained.” The important word is “shall” because in ISO speak shall means must. Why don’t they just say “must”? I don’t know, but the quote “Ours not to reason why, ours but to do and die” springs to mind.

Please note though, that although the quality records listed below are mandatory, if the scope of your Quality Management System does not include a particular section, these records can of course be excluded. For example, if you don’t design products or services then you don’t need to keep the records in section 7.3 of the Standard. But that is pretty obvious.

What many people don’t find obvious is the definition of a record. In ISO management systems a record provides evidence that a task has been completed or results achieved. So I can prove that I completed the task of performing an internal audit because I “wrote” (could be an electronic record and may include pictures to support your findings) an audit report (and I can find it and show it to the external auditor!). Another example is that I can prove the required result was achieved because I have a record of the weights of finished products or I have a checklist that shows that all the activities were completed.

Records are the best way of proving that your quality management system, OHS management system, environmental management system, or food safety (HACCP) system works. More importantly though, as far as I’m concerned, is the fact that records enable you to:

  • Communicate information from one part of your business to another.
  • Support accountability and transparency.
  • Support decision making.
  • Preserve the memory of your organisation.
  • Show compliance with legal and regulatory obligations thus avoiding expensive fines, litigation and damage to your company’s reputation.Establish normal operations soon after an emergency or disaster.
  • Reduce business risk.

Here is a list of the records ISO 9001 says you “shall” have. The examples use typical names for such records. You can call them anything you like.

Mandatory RecordsExamples
5.6.1 Management ReviewManagement review minutes
6.2.2 Education, training, skills and experienceTraining records/matrix, certificates
7.1 Evidence of realization processProject quality plan
7.2.2 Results of the review of requirements related to the product and actions arising from the reviewChange review
7.3.2 Design and development inputs relating to product requirementsCustomer specifications
7.3.4 Results of design and development reviews and any necessary actionsDesign development minutes
7.3.5 Results of design and development verification and any necessary actionsDesign plans, test plans
7.3.6 Results of design and development validation and any necessary actionsUser acceptance test plans, acceptance records
7.3.7 Results of the review of design and development changes and any necessary actionsDesign review minutes, change requests
7.4.1 Results of supplier evaluations and any necessary actions arising from the evaluationsSupplier evaluation, approved suppliers list
7.5.2 Demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurementSchedule of achieved results
7.5.3 The unique identification of the product, where traceability is a requirementBatch codes, serial numbers, use-by dates
7.5.4 Customer property that is lost, damaged or otherwise found to be unsuitable for useDelivery notes, site visits, defective materials report
7.6 Results of calibration and verification of measuring equipmentCalibration certificates
7.6 Validity of the previous measuring results when the measuring equipment is found not to conform to requirementsTest results
7.6 Basis used for calibration or verification of measuring equipment where no international or national measurement standards existCustomer specification, manufacturers guidelines
8.2.2 Internal audit results and follow-up actionInternal audit reports
8.2.4 Indication of the person(s) authorising release of productProduct approval checklist, release report
8.3 Nature of the product nonconformities and any subsequent actions taken, including concessions obtainedNon conformance report, concession report
8.5.2 Results of corrective actionCorrective action report
8.5.3 Results of preventative actionPreventative action report

For more information, straight from the horses mouth read the ISO publication Guidance on the Documentation Requirements of ISO 9001:2008.

Alternatively, if you’d like some guidance or just need a sounding board please email me at

All the best – Liz