ISO Records

Many people get confused by records versus documents. In general:

  • Documents are the future they tell you what to do or how something is done. Documents can be changed and updated.
  • Records are history of what you have done. Records are the proof you need to show that you follow your quality system. Records do not change.

Records need to be legible. As a result you should consider things like the use of white correction fluid, erasing and crossing out. Use of these change habits can invalidate the record credibility or affect the legality of your records. A common best practice is to put a single line through something you are changing along with initials and date. If it is a significant change a note may be necessary to indicate why the change was made.

Many registrars like to have a “records table”. This is a table that tells them which records are available for the different clauses of the management system standard.

The ISO based standards typically require records for the following items. Each specific standard will require additional records.

  • Management reviews
  • Education, training, skills and experience
  • Evidence that processes and product or service meet requirements
  • Review of customer requirements and any related actions
  • Design and development including: inputs, reviews, verification, validation and changes
  • Results of supplier evaluations
  • Traceability where it is an industry requirement
  • Notification to customer of damaged or lost property
  • Calibration
  • Internal audit
  • Product testing results
  • Nonconforming product and actions taken
  • Corrective action
  • Preventive action
  • Records you need to provide evidence of following your processes.

Record retention and disposition are up to you. You make keep records a day or forever with some exceptions. There may be regulatory requirements for keeping records. Also registrars generally like to see three to six months of records at the surveillance audits and they like three years of records for corrective action, preventive action, management review and internal audits. Check with your registrar for specific requirements.