\n\n","wordCount":3056,"timeToRead":"PT8M","keywords":["iso 9001 mandatory documents","iso 9001 clause 7","iso 9001 documented information","iso 9001 records list","industria","blog","RAG","IA","inteligencia artificial"]}
Industry

ISO 9001 Clause 7: the complete list of mandatory documented information

IgeraIndustria Quality Team
July 7, 2026
8 min read
Quality management system documentation folders and digital records for ISO 9001 Clause 7 compliance

IgeraIndustria Quality Team  ·  Updated 2026-07-07  ·  8 min read

Part 5 of the ISO 9001:2015 Step by Step series  ·  ← Article 4: Clause 6

What "documented information" means in ISO 9001:2015

ISO 9001:2015 replaced the old terminology of "documents" and "records" with the unified term "documented information". Information that must be maintained (kept current and available) corresponds to what were formerly called documents or procedures. Information that must be retained (kept as evidence of what happened) corresponds to what were formerly called records. Understanding this distinction is fundamental to document control under Clause 7.5.

78%

of SMEs still write a formal quality manual — despite ISO 9001:2015 removing the requirement entirely in 2015

Source: IgeraIndustria survey of 140 SME manufacturers undergoing initial ISO 9001:2015 certification, 2025

This article provides the definitive reference list for ISO 9001:2015 documented information requirements. Bookmark it — it is the resource quality managers search for most before certification audits and Stage 1 document reviews.

The definitive list: all 24 mandatory documented information items

The following table covers all documented information explicitly required by ISO 9001:2015. Items marked Maintain are living documents that must be kept current. Items marked Retain are records that provide evidence of conformance and must be preserved for defined periods.

# Documented information Type Clause Practical example Typical retention
1 QMS scope Maintain 4.3 Scope statement in QMS manual or standalone document Current version only
2 Quality policy Maintain 5.2.2 Signed policy document, published on intranet Current; archive superseded versions
3 Quality objectives Maintain 6.2.1 Quality objectives register with targets, owners, review dates 3 years minimum
4 Monitoring and measuring resources (calibration records) Retain 7.1.5.1 Calibration certificates for gauges, CMMs, thermometers Life of equipment + 2 years
5 Basis of calibration (when no international standard exists) Retain 7.1.5.2 Documented comparison method for custom measurement tools Life of equipment
6 Competence evidence Retain 7.2 Training records, qualifications, skills matrices Duration of employment + GDPR retention limit
7 Documented information determined by the organisation as necessary for QMS effectiveness Maintain 7.5.1(b) Procedures, work instructions, forms (org-determined) Current version; archive superseded
8 Operational planning and control Maintain 8.1 Process plans, control plans, production routings Current version
9 Customer requirements review results Retain 8.2.3.2 Order review forms, contract review records, RFQ responses Product life + 5 years minimum
10 Design and development inputs Retain 8.3.3 Design briefs, specifications, regulatory requirements (if Clause 8.3 applies) Product life + 10 years (regulatory)
11 Design and development controls Retain 8.3.4 Design review minutes, verification test results, approval records Product life + 10 years
12 Design and development outputs Retain 8.3.5 Released drawings, specifications, approved prototypes Product life + 10 years
13 Design and development changes Retain 8.3.6 Engineering change notices (ECNs), change authorisation records Product life + 10 years
14 Externally provided processes, products, services criteria and evaluation Retain 8.4.1 Approved supplier list, supplier evaluations, audit results 3 years minimum
15 Property of customers or external providers (unique items) Retain 8.5.3 Records of customer-supplied tooling, materials, IP received and returned Duration of custody + 3 years
16 Changes to production/service provision Retain 8.5.6 Process change records, authorisation, review of consequences 3 years minimum
17 Release of products and services Retain 8.6 Inspection and test records, certificates of conformance, despatch notes Product life + 5 years (or regulatory minimum)
18 Nonconforming outputs Retain 8.7.2 NCRs, concession requests, scrap records, rework authorisations 3 years minimum
19 Monitoring, measurement, analysis, and evaluation results Retain 9.1.1 KPI trend charts, customer satisfaction survey results, process metrics 3 years minimum
20 Internal audit programme and results Retain 9.2.2 Audit programme, audit reports, nonconformity findings, follow-up records 3 certification cycles (9 years)
21 Management review results Retain 9.3.3 Management review minutes, decisions, action items, resource approvals 3 certification cycles (9 years)
22 Nonconformities and corrective actions Retain 10.2.2 CARs (Corrective Action Requests) with root cause analysis and effectiveness review 3 years minimum
23 Traceability — unique identification of outputs (when required) Retain 8.5.2 Batch/lot records, serial numbers, material traceability certificates Product liability period (min 10 years for safety-critical)
24 Customer satisfaction data Retain 9.1.2 Customer surveys, complaint logs, compliment records, NPS trend data 3 years minimum

Maintain vs Retain — the distinction that trips up every first-timer

The maintain/retain distinction is the single most common area of confusion in ISO 9001:2015 document control. Here is the clearest way to understand it:

  • Maintain = a living document that must exist in a current, approved version. When you update it, you replace the old version. Examples: quality policy, procedures, work instructions, control plans. These are the "how we do things" documents.
  • Retain = a record of something that happened. Records are never modified after the fact — they are kept as evidence. Examples: calibration certificates, inspection records, training completion records, audit reports. These are the "evidence that we did it" documents.

A concrete example: your calibration procedure (how to calibrate gauges) is maintained documented information — it should always be the current approved version. The calibration certificate for a specific gauge calibrated on a specific date is retained documented information — it is an historical record that cannot be changed.

GDPR consideration for retained records: UK GDPR (the retained EU law version post-Brexit) applies wherever records contain personal data about identifiable individuals. Competence records (training certificates, personal qualifications), customer contact records, and supplier contact records all contain personal data. Retention periods must balance ISO 9001 evidence requirements against UK GDPR's storage limitation principle. The recommended approach: define a retention schedule that satisfies both — typically employment duration plus 2–6 years for competence records, with documented justification for the period chosen.

Document control in the cloud — what ISO 9001 actually allows

Clause 7.5.3 requires documented information to be available and suitable for use, adequately protected, distributed and accessed appropriately, stored and preserved, controlled for changes, and retained and disposed of appropriately. Critically, the standard is media-neutral — it makes no distinction between paper and electronic documents. Cloud-based document management systems fully satisfy Clause 7.5.3 provided they deliver the required controls.

Minimum cloud document control requirements for ISO 9001 compliance:

  • Version control with audit trail (who changed what, when, and why)
  • Approval workflow before publication (electronic signatures are acceptable)
  • Access controls to prevent unauthorised modification
  • Availability guarantee — documents accessible when and where needed (including offline capability for production environments)
  • Obsolete document control — superseded versions clearly identified and prevented from unintended use
  • Backup and disaster recovery — for retained records especially

Major platforms used by UK manufacturers: SharePoint Online with version control enabled, Google Workspace with document approval workflows, Qualio (purpose-built for regulated industries), Ideagen Quality Management, and Minitab Workspace. IgeraIndustria integrates with all of these to provide instant natural-language search across all your controlled documents and records.

Where IgeraIndustria fits — any document in 3 seconds

The average quality manager spends over 45 minutes searching for documentation before each auditor visit (IgeraIndustria 2025 data). Multiply that across a team of five quality engineers and a three-day Stage 2 audit, and document retrieval alone consumes dozens of person-hours. IgeraIndustria indexes your entire QMS — all 24 mandatory documented information items plus everything your organisation has determined is necessary — and makes every document retrievable in under 3 seconds via natural-language query.

// IgeraIndustria RAG demo — Clause 7.5 document retrieval

Auditor: Can you show me the records demonstrating that you have evaluated your key suppliers against your selection criteria in the last 12 months, as required by Clause 8.4.1?

Quality Manager (via IgeraIndustria): Supplier evaluations for the last 12 months are in the Approved Supplier Register (ASR-2026, Rev 4, last updated 2026-06-30). 18 active suppliers evaluated. Of these: 14 rated Green (approved), 3 rated Amber (conditional approval — improvement plans ASR-IP-2026-04, 05, 07 on file), 1 rated Red (suspended — see NCR-SUPP-2026-032). Annual evaluation procedure is SP-PURCH-003 Rev 6. Next supplier review cycle: Q3 2026. Shall I pull the individual evaluation records for any specific supplier?

// Response generated in 2.8 seconds from 847 indexed QMS documents

Frequently asked questions

Is a quality manual required by ISO 9001:2015?

No. ISO 9001:2015 explicitly removed the quality manual requirement that existed in the 2008 version. The scope statement (Clause 4.3) is the only structural document the standard now mandates. However, many organisations maintain a quality manual voluntarily because it provides a useful orientation document for new employees, customers, and auditors — just be aware it is not a requirement and creating one solely for compliance purposes is unnecessary overhead.

Do we need documented procedures for every process?

No. ISO 9001:2015 does not prescribe documented procedures for specific processes. The organisation determines which documented information is necessary for QMS effectiveness (Clause 7.5.1(b)). In practice, documented procedures are appropriate where: the absence of documentation could adversely affect quality (complex or critical processes), consistency across shifts or sites is required, legal or regulatory requirements mandate documentation, or training new staff requires a consistent reference. Simple, well-understood processes performed by experienced staff may not need documented procedures.

What are the minimum retention periods for ISO 9001 records?

ISO 9001 does not specify retention periods — it requires the organisation to determine them based on applicable legal, regulatory, contractual, and organisational requirements. In practice: calibration records should be retained for the life of the equipment plus a buffer; customer order and delivery records for the duration of any applicable product liability period (often 10–15 years for safety-critical goods); audit and management review records for at least three certification cycles (nine years) to demonstrate continuous operation; competence records for employment duration plus applicable statutory period (typically six years in the UK). Always document your retention schedule and its justification.

Can electronic signatures satisfy ISO 9001 document approval requirements?

Yes. ISO 9001:2015 is media-neutral and does not require wet (physical) signatures. Electronic signatures — from simple email approval audit trails to qualified electronic signatures under eIDAS/UK equivalent — are fully acceptable for document approval. What matters is that the approval is traceable (who approved, when, in what capacity) and that the record cannot be retrospectively altered. Most document control systems provide compliant electronic approval workflows.

What happens to documented information when we change document control software?

This is a Clause 6.3 change that must be planned. Key considerations: all retained records must be migrated in a way that preserves their integrity and the audit trail of when they were created and by whom; access controls must be replicated in the new system; obsolete document controls must remain effective during the transition; and you must be able to demonstrate to an auditor that no records were lost or altered during migration. A documented migration plan with verification checksum or record count is advisable.

Does the 24-item list cover everything we need to document?

The 24 items in this article cover all documented information explicitly required by the text of ISO 9001:2015. However, Clause 7.5.1(b) also requires documented information that the organisation determines is necessary for QMS effectiveness — meaning your own assessment of what documentation is needed to control your specific processes. Sector-specific requirements (IATF 16949, AS9100, ISO 13485) and customer-specific requirements may mandate additional documentation beyond what ISO 9001 alone requires.

Get any of your 24 mandatory ISO 9001 documents in under 3 seconds — IgeraIndustria indexes your entire QMS so your team never loses an audit again.

Start free trial — IgeraIndustria

Article reviewed by IgeraIndustria Quality Team, updated 2026-07-07. References: ISO 9001:2015 Clauses 7.1–7.5 and Annex A.6; UK GDPR (Data Protection Act 2018); Product Liability Act 1987; ISO/TC 176/SC 2 N1286 guidance on documented information. This article does not constitute legal advice — consult your legal counsel for jurisdiction-specific retention period requirements.

#iso 9001 mandatory documents#iso 9001 clause 7#iso 9001 documented information#iso 9001 records list

COMPARTIR

Comparte el conocimiento con tu red