IgeraIndustria Quality Team · Updated 2026-07-07 · 8 min read
Part 5 of the ISO 9001:2015 Step by Step series · ← Article 4: Clause 6
ISO 9001:2015 replaced the old terminology of "documents" and "records" with the unified term "documented information". Information that must be maintained (kept current and available) corresponds to what were formerly called documents or procedures. Information that must be retained (kept as evidence of what happened) corresponds to what were formerly called records. Understanding this distinction is fundamental to document control under Clause 7.5.
78%
of SMEs still write a formal quality manual — despite ISO 9001:2015 removing the requirement entirely in 2015
Source: IgeraIndustria survey of 140 SME manufacturers undergoing initial ISO 9001:2015 certification, 2025
This article provides the definitive reference list for ISO 9001:2015 documented information requirements. Bookmark it — it is the resource quality managers search for most before certification audits and Stage 1 document reviews.
The definitive list: all 24 mandatory documented information items
The following table covers all documented information explicitly required by ISO 9001:2015. Items marked Maintain are living documents that must be kept current. Items marked Retain are records that provide evidence of conformance and must be preserved for defined periods.
| # | Documented information | Type | Clause | Practical example | Typical retention |
|---|---|---|---|---|---|
| 1 | QMS scope | Maintain | 4.3 | Scope statement in QMS manual or standalone document | Current version only |
| 2 | Quality policy | Maintain | 5.2.2 | Signed policy document, published on intranet | Current; archive superseded versions |
| 3 | Quality objectives | Maintain | 6.2.1 | Quality objectives register with targets, owners, review dates | 3 years minimum |
| 4 | Monitoring and measuring resources (calibration records) | Retain | 7.1.5.1 | Calibration certificates for gauges, CMMs, thermometers | Life of equipment + 2 years |
| 5 | Basis of calibration (when no international standard exists) | Retain | 7.1.5.2 | Documented comparison method for custom measurement tools | Life of equipment |
| 6 | Competence evidence | Retain | 7.2 | Training records, qualifications, skills matrices | Duration of employment + GDPR retention limit |
| 7 | Documented information determined by the organisation as necessary for QMS effectiveness | Maintain | 7.5.1(b) | Procedures, work instructions, forms (org-determined) | Current version; archive superseded |
| 8 | Operational planning and control | Maintain | 8.1 | Process plans, control plans, production routings | Current version |
| 9 | Customer requirements review results | Retain | 8.2.3.2 | Order review forms, contract review records, RFQ responses | Product life + 5 years minimum |
| 10 | Design and development inputs | Retain | 8.3.3 | Design briefs, specifications, regulatory requirements (if Clause 8.3 applies) | Product life + 10 years (regulatory) |
| 11 | Design and development controls | Retain | 8.3.4 | Design review minutes, verification test results, approval records | Product life + 10 years |
| 12 | Design and development outputs | Retain | 8.3.5 | Released drawings, specifications, approved prototypes | Product life + 10 years |
| 13 | Design and development changes | Retain | 8.3.6 | Engineering change notices (ECNs), change authorisation records | Product life + 10 years |
| 14 | Externally provided processes, products, services criteria and evaluation | Retain | 8.4.1 | Approved supplier list, supplier evaluations, audit results | 3 years minimum |
| 15 | Property of customers or external providers (unique items) | Retain | 8.5.3 | Records of customer-supplied tooling, materials, IP received and returned | Duration of custody + 3 years |
| 16 | Changes to production/service provision | Retain | 8.5.6 | Process change records, authorisation, review of consequences | 3 years minimum |
| 17 | Release of products and services | Retain | 8.6 | Inspection and test records, certificates of conformance, despatch notes | Product life + 5 years (or regulatory minimum) |
| 18 | Nonconforming outputs | Retain | 8.7.2 | NCRs, concession requests, scrap records, rework authorisations | 3 years minimum |
| 19 | Monitoring, measurement, analysis, and evaluation results | Retain | 9.1.1 | KPI trend charts, customer satisfaction survey results, process metrics | 3 years minimum |
| 20 | Internal audit programme and results | Retain | 9.2.2 | Audit programme, audit reports, nonconformity findings, follow-up records | 3 certification cycles (9 years) |
| 21 | Management review results | Retain | 9.3.3 | Management review minutes, decisions, action items, resource approvals | 3 certification cycles (9 years) |
| 22 | Nonconformities and corrective actions | Retain | 10.2.2 | CARs (Corrective Action Requests) with root cause analysis and effectiveness review | 3 years minimum |
| 23 | Traceability — unique identification of outputs (when required) | Retain | 8.5.2 | Batch/lot records, serial numbers, material traceability certificates | Product liability period (min 10 years for safety-critical) |
| 24 | Customer satisfaction data | Retain | 9.1.2 | Customer surveys, complaint logs, compliment records, NPS trend data | 3 years minimum |
Maintain vs Retain — the distinction that trips up every first-timer
The maintain/retain distinction is the single most common area of confusion in ISO 9001:2015 document control. Here is the clearest way to understand it:
- Maintain = a living document that must exist in a current, approved version. When you update it, you replace the old version. Examples: quality policy, procedures, work instructions, control plans. These are the "how we do things" documents.
- Retain = a record of something that happened. Records are never modified after the fact — they are kept as evidence. Examples: calibration certificates, inspection records, training completion records, audit reports. These are the "evidence that we did it" documents.
A concrete example: your calibration procedure (how to calibrate gauges) is maintained documented information — it should always be the current approved version. The calibration certificate for a specific gauge calibrated on a specific date is retained documented information — it is an historical record that cannot be changed.
GDPR consideration for retained records: UK GDPR (the retained EU law version post-Brexit) applies wherever records contain personal data about identifiable individuals. Competence records (training certificates, personal qualifications), customer contact records, and supplier contact records all contain personal data. Retention periods must balance ISO 9001 evidence requirements against UK GDPR's storage limitation principle. The recommended approach: define a retention schedule that satisfies both — typically employment duration plus 2–6 years for competence records, with documented justification for the period chosen.
Document control in the cloud — what ISO 9001 actually allows
Clause 7.5.3 requires documented information to be available and suitable for use, adequately protected, distributed and accessed appropriately, stored and preserved, controlled for changes, and retained and disposed of appropriately. Critically, the standard is media-neutral — it makes no distinction between paper and electronic documents. Cloud-based document management systems fully satisfy Clause 7.5.3 provided they deliver the required controls.
Minimum cloud document control requirements for ISO 9001 compliance:
- Version control with audit trail (who changed what, when, and why)
- Approval workflow before publication (electronic signatures are acceptable)
- Access controls to prevent unauthorised modification
- Availability guarantee — documents accessible when and where needed (including offline capability for production environments)
- Obsolete document control — superseded versions clearly identified and prevented from unintended use
- Backup and disaster recovery — for retained records especially
Major platforms used by UK manufacturers: SharePoint Online with version control enabled, Google Workspace with document approval workflows, Qualio (purpose-built for regulated industries), Ideagen Quality Management, and Minitab Workspace. IgeraIndustria integrates with all of these to provide instant natural-language search across all your controlled documents and records.
Where IgeraIndustria fits — any document in 3 seconds
The average quality manager spends over 45 minutes searching for documentation before each auditor visit (IgeraIndustria 2025 data). Multiply that across a team of five quality engineers and a three-day Stage 2 audit, and document retrieval alone consumes dozens of person-hours. IgeraIndustria indexes your entire QMS — all 24 mandatory documented information items plus everything your organisation has determined is necessary — and makes every document retrievable in under 3 seconds via natural-language query.
// IgeraIndustria RAG demo — Clause 7.5 document retrieval
Auditor: Can you show me the records demonstrating that you have evaluated your key suppliers against your selection criteria in the last 12 months, as required by Clause 8.4.1?
Quality Manager (via IgeraIndustria): Supplier evaluations for the last 12 months are in the Approved Supplier Register (ASR-2026, Rev 4, last updated 2026-06-30). 18 active suppliers evaluated. Of these: 14 rated Green (approved), 3 rated Amber (conditional approval — improvement plans ASR-IP-2026-04, 05, 07 on file), 1 rated Red (suspended — see NCR-SUPP-2026-032). Annual evaluation procedure is SP-PURCH-003 Rev 6. Next supplier review cycle: Q3 2026. Shall I pull the individual evaluation records for any specific supplier?
// Response generated in 2.8 seconds from 847 indexed QMS documents
Frequently asked questions
Is a quality manual required by ISO 9001:2015?
No. ISO 9001:2015 explicitly removed the quality manual requirement that existed in the 2008 version. The scope statement (Clause 4.3) is the only structural document the standard now mandates. However, many organisations maintain a quality manual voluntarily because it provides a useful orientation document for new employees, customers, and auditors — just be aware it is not a requirement and creating one solely for compliance purposes is unnecessary overhead.
Do we need documented procedures for every process?
No. ISO 9001:2015 does not prescribe documented procedures for specific processes. The organisation determines which documented information is necessary for QMS effectiveness (Clause 7.5.1(b)). In practice, documented procedures are appropriate where: the absence of documentation could adversely affect quality (complex or critical processes), consistency across shifts or sites is required, legal or regulatory requirements mandate documentation, or training new staff requires a consistent reference. Simple, well-understood processes performed by experienced staff may not need documented procedures.
What are the minimum retention periods for ISO 9001 records?
ISO 9001 does not specify retention periods — it requires the organisation to determine them based on applicable legal, regulatory, contractual, and organisational requirements. In practice: calibration records should be retained for the life of the equipment plus a buffer; customer order and delivery records for the duration of any applicable product liability period (often 10–15 years for safety-critical goods); audit and management review records for at least three certification cycles (nine years) to demonstrate continuous operation; competence records for employment duration plus applicable statutory period (typically six years in the UK). Always document your retention schedule and its justification.
Can electronic signatures satisfy ISO 9001 document approval requirements?
Yes. ISO 9001:2015 is media-neutral and does not require wet (physical) signatures. Electronic signatures — from simple email approval audit trails to qualified electronic signatures under eIDAS/UK equivalent — are fully acceptable for document approval. What matters is that the approval is traceable (who approved, when, in what capacity) and that the record cannot be retrospectively altered. Most document control systems provide compliant electronic approval workflows.
What happens to documented information when we change document control software?
This is a Clause 6.3 change that must be planned. Key considerations: all retained records must be migrated in a way that preserves their integrity and the audit trail of when they were created and by whom; access controls must be replicated in the new system; obsolete document controls must remain effective during the transition; and you must be able to demonstrate to an auditor that no records were lost or altered during migration. A documented migration plan with verification checksum or record count is advisable.
Does the 24-item list cover everything we need to document?
The 24 items in this article cover all documented information explicitly required by the text of ISO 9001:2015. However, Clause 7.5.1(b) also requires documented information that the organisation determines is necessary for QMS effectiveness — meaning your own assessment of what documentation is needed to control your specific processes. Sector-specific requirements (IATF 16949, AS9100, ISO 13485) and customer-specific requirements may mandate additional documentation beyond what ISO 9001 alone requires.
Get any of your 24 mandatory ISO 9001 documents in under 3 seconds — IgeraIndustria indexes your entire QMS so your team never loses an audit again.
Start free trial — IgeraIndustriaISO 9001:2015 Step by Step series
Article reviewed by IgeraIndustria Quality Team, updated 2026-07-07. References: ISO 9001:2015 Clauses 7.1–7.5 and Annex A.6; UK GDPR (Data Protection Act 2018); Product Liability Act 1987; ISO/TC 176/SC 2 N1286 guidance on documented information. This article does not constitute legal advice — consult your legal counsel for jurisdiction-specific retention period requirements.