ISO 9001 Quality Management System Requirements says you must have 21 records. For example the Standard says “Records from management reviews shall be maintained” and “Records of the audits and their results shall be maintained.” The important word is “shall” because in ISO speak shall means must. Why don’t they just say “must”? I don’t know, but the quote “Ours not to reason why, ours but to do and die” springs to mind.

Please note though, that although the quality records listed below are mandatory, if the scope of your Quality Management System does not include a particular section, these records can of course be excluded. For example, if you don’t design products or services then you don’t need to keep the records in section 7.3 of the Standard. But that is pretty obvious.

What many people don’t find obvious is the definition of a record. In ISO management systems a record provides evidence that a task has been completed or results achieved. So I can prove that I completed the task of performing an internal audit because I “wrote” (could be an electronic record and may include pictures to support your findings) an audit report (and I can find it and show it to the external auditor!). Another example is that I can prove the required result was achieved because I have a record of the weights of finished products or I have a checklist that shows that all the activities were completed.

Records are the best way of proving that your quality management system, OHS management system, environmental management system, or food safety (HACCP) system works. More important, though, as far as I’m concerned, is the fact that records enable you to:

  • Communicate information from one part of your business to another.
  • Support accountability and transparency.
  • Support decision making.
  • Preserve the memory of your organisation.
  • Show compliance with legal and regulatory obligations thus avoiding expensive fines, litigation and damage to your company’s reputation.
  • Establish normal operations soon after an emergency or disaster.
  • Reduce business risk.

Here is a list of the records ISO 9001 says you “shall” have. The examples use typical names for such records. You can call them anything you like.

| Clause | Mandatory Records | Examples |
|---|---|---|
| 5.6.1 | Management Review | Management review minutes |
| 6.2.2 | Education, training, skills and experience | Training records/matrix, certificates |
| 7.1 | Evidence of realization process | Project quality plan |
| 7.2.2 | Results of the review of requirements related to the product and actions arising from the review | Change review |
| 7.3.2 | Design and development inputs relating to product requirements | Customer specifications |
| 7.3.4 | Results of design and development reviews and any necessary actions | Design development minutes |
| 7.3.5 | Results of design and development verification and any necessary actions | Design plans, test plans |
| 7.3.6 | Results of design and development validation and any necessary actions | User acceptance test plans, acceptance records |
| 7.3.7 | Results of the review of design and development changes and any necessary actions | Design review minutes, change requests |
| 7.4.1 | Results of supplier evaluations and any necessary actions arising from the evaluations | Supplier evaluation, approved suppliers list |
| 7.5.2 | Demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement | Schedule of achieved results |
| 7.5.3 | The unique identification of the product, where traceability is a requirement | Batch codes, serial numbers, use-by dates |
| 7.5.4 | Customer property that is lost, damaged or otherwise found to be unsuitable for use | Delivery notes, site visits, defective materials report |
| 7.6 | Results of calibration and verification of measuring equipment | Calibration certificates |
| 7.6 | Validity of the previous measuring results when the measuring equipment is found not to conform to requirements | Test results |
| 7.6 | Basis used for calibration or verification of measuring equipment where no international or national measurement standards exist | Customer specification, manufacturers’ guidelines |
| 8.2.2 | Internal audit results and follow-up action | Internal audit reports |
| 8.2.4 | Indication of the person(s) authorising release of product | Product approval checklist, release report |
| 8.3 | Nature of the product nonconformities and any subsequent actions taken, including concessions obtained | Non-conformance report, concession report |
| 8.5.2 | Results of corrective action | Corrective action report |
| 8.5.3 | Results of preventative action | Preventative action report |

For more information, straight from the horse’s mouth, read the ISO publication Guidance on the Documentation Requirements of ISO 9001:2008.

Alternatively, if you’d like some guidance or just need a sounding board please email me at

All the best – Liz