The Question Nobody Asks Until an Auditor Does
You close out a nonconformity, file the corrective action report, and move on. The problem is fixed, the auditor signed it off, and life continues. Then, two years later, a new auditor asks to see evidence of a corrective action that was raised and closed eighteen months ago. You dig through your folders, find half the documents, and spend an uncomfortable hour explaining what happened to the other half.
This scenario plays out constantly in ISO audits across every industry. The question of how long corrective action evidence needs to be kept is one that most businesses never think about until they are sitting across from an auditor who is asking for records they no longer have. Getting this wrong does not just cause audit stress. It can result in a major nonconformity against your management system, raise questions about the integrity of your corrective action process, and in some industries, create serious legal or regulatory exposure.
This article gives you a clear, practical answer to the retention question, explains what the ISO standards actually require, and walks you through how to build a records management approach that will hold up under scrutiny.
What ISO Standards Actually Say About Record Retention
Most ISO management system standards, including ISO 9001, ISO 14001, ISO 45001, and ISO 27001, require organizations to retain documented information as evidence of the results of corrective actions. The exact clause varies by standard, but the requirement is consistent across the family of standards built on Annex SL, the common high-level structure used by most modern ISO standards.
In ISO 9001:2015, for example, Clause 10.2.2 states that the organization shall retain documented information as evidence of the nature of the nonconformities, the actions taken, and the results of any corrective action. What the standard does not do is tell you exactly how long to keep it. That part is left to the organization to determine, and this is where most businesses get confused.
The standard uses the phrase “retain documented information” without attaching a specific timeframe. This is intentional. ISO standards are designed to be applicable across many different industries, regulatory environments, and organizational contexts. A construction company operating under strict contractual obligations has very different retention needs than a small marketing agency. The standard expects you to think about your specific context and make a sensible decision.
The practical implication is that you need a documented retention schedule, and corrective action records need to be explicitly included in it. If you cannot show an auditor your retention policy and demonstrate that corrective action evidence is covered, that is itself a gap in your documented information management.
The Minimum Baseline Most Auditors Expect
Even though ISO standards do not mandate a specific timeframe, there is a practical baseline that experienced auditors look for. Understanding this baseline helps you make a defensible decision for your own organization.
One Full Certification Cycle as the Starting Point
The most common guidance from experienced auditors and consultants is to retain corrective action evidence for at least one full certification cycle, which is three years. This covers the initial certification and two surveillance audits, meaning any corrective action raised during that period can be reviewed and verified at any subsequent audit. If a corrective action was raised in year one, the auditor conducting your recertification audit in year three should be able to pull it up and confirm the issue was genuinely resolved and has not recurred.
Three years is a reasonable floor for most businesses. It is not a guarantee of compliance, but if an auditor challenges your retention period and you can point to a documented policy that specifies three years with a clear rationale, you are in a much stronger position than an organization that has no policy at all.
Why Some Organizations Need Longer
Three years is a starting point, not a universal answer. Several factors push that timeframe out significantly.
- Regulatory requirements in your industry. If you operate in a regulated sector such as food manufacturing, pharmaceuticals, medical devices, or construction, your industry regulator may specify minimum record retention periods that are longer than three years, and in some cases much longer. These regulatory requirements override the ISO baseline, and your retention policy must reflect whichever requirement is more stringent.
- Contractual obligations. Government contracts, major client agreements, and supply chain requirements often include specific record retention clauses. If your contract says records must be kept for seven years, your corrective action evidence needs to be kept for seven years, regardless of what your internal ISO policy says.
- Product or service liability exposure. If your products or services carry long-term liability risk, such as structural components, safety equipment, or professional advice, retaining corrective action records for the life of that liability exposure is a sensible risk management decision. A corrective action raised about a manufacturing defect in a product that has a ten-year warranty should probably be retained for at least that long.
- Legal proceedings or disputes. If a corrective action was raised in connection with an incident that resulted in or could result in legal action, those records should be treated as legal documents and retained accordingly. Deleting them on schedule while litigation is ongoing or foreseeable is a serious mistake.
What Counts as Corrective Action Evidence?
Before you can decide how long to keep it, you need to be clear about what actually constitutes corrective action evidence. Many organizations keep the corrective action report itself but discard the supporting documents that give it meaning. An auditor looking at a corrective action report that says “root cause identified and process updated” without any supporting evidence will not be satisfied.
The Core Documents You Must Keep
At a minimum, your corrective action records should include the original nonconformity report or finding, the root cause analysis documentation, the action plan with assigned responsibilities and target dates, evidence that the actions were actually completed, and the verification or effectiveness review confirming the issue did not recur. Each of these components serves a different purpose in an audit, and missing any one of them creates a gap.
Supporting evidence matters just as much as the report itself. If the corrective action involved retraining staff, keep the training records. If it involved updating a procedure, keep both the old version and the revised version with the change history. If it involved a supplier audit or a change in supplier, keep the correspondence and assessment records. The corrective action report is just a summary. The supporting documents are what prove the action was real.
This connects directly to the question of how to run ISO internal audits that actually find problems. Auditors who know what they are doing will always go behind the report and ask for the underlying evidence. If you have the report but not the evidence, the corrective action may as well not exist from an audit perspective.
Building a Retention Schedule That Works
A retention schedule is a documented list of the types of records your organization creates and how long each type must be kept. If you do not have one, creating one is a straightforward process that will save you significant pain at future audits.
How to Determine the Right Retention Period for Your Organization
Start by identifying all the external requirements that apply to your business. Check your industry regulations, your contractual obligations, and any applicable legislation in your jurisdiction. In Australia, for example, various state and federal laws impose record-keeping obligations on businesses across different sectors, and these must be factored into your retention decisions. In the UK, similar obligations exist under sector-specific regulations alongside general company law requirements.
Once you have identified the external floor, assess your internal risk. Consider the nature of the nonconformities your organization typically raises. A corrective action addressing a minor documentation error carries different risk than one addressing a product safety issue or a data breach. Higher-risk corrective actions warrant longer retention periods, and your policy can reflect this with tiered retention periods based on the severity or category of the issue.
Document your rationale. When an auditor asks why you chose a particular retention period, you should be able to explain it clearly. “We retain corrective action records for five years because our contracts require four years and we added one year as a buffer” is a perfectly acceptable answer. “We just delete things after two years” is not.
Practical Tips for Managing Corrective Action Records
Whether you use a dedicated quality management software platform or a shared drive with a folder structure, the principles are the same. Records need to be findable, protected from unauthorized deletion, and retained for the right period.
- Use a consistent naming convention for corrective action files so they can be retrieved by date, reference number, or type of nonconformity.
- Set up a review trigger so that records approaching their deletion date are reviewed before being destroyed. This prevents accidental deletion of records that should be retained longer due to ongoing issues.
- Back up corrective action records separately from general operational files. They are evidence documents and should be treated accordingly.
- When a corrective action is closed, record the closure date explicitly. This is the date from which your retention period is calculated.
- For electronic records, ensure that the version history and audit trail are retained alongside the document itself. Metadata matters in an audit.
If you are still figuring out how your broader document control system should work, the article on what controlled documents are and how to implement them gives a solid foundation that applies directly to corrective action records.
Industry-Specific Considerations
The general principles above apply across all ISO standards, but certain industries have specific requirements worth knowing about.
Manufacturing and Product Safety
In manufacturing, particularly where products carry safety implications, corrective action records related to product nonconformities should be retained for at least the product lifecycle plus any applicable warranty or liability period. For automotive suppliers operating under IATF 16949, the requirements are even more prescriptive, and corrective action records tied to customer complaints or field failures are often subject to extended retention requirements specified by the customer.
Food and Beverage
Food businesses certified under ISO 22000 or similar food safety standards face regulatory requirements from food safety authorities that typically specify minimum record retention periods. In Australia, for example, food safety regulations require records to be kept for defined periods depending on the nature of the record. Corrective actions tied to food safety incidents, contamination events, or regulatory findings should be retained for the maximum period required by any applicable regulation.
Information Security
For organizations certified under ISO 27001, corrective actions related to security incidents or data breaches carry particular sensitivity. ISO 27001 requires documented evidence of corrective actions, and where those actions relate to a notifiable data breach, the records may also need to be retained in accordance with privacy legislation in your jurisdiction. In Australia, the Privacy Act and the Notifiable Data Breaches scheme create obligations that sit alongside your ISO requirements.
Occupational Health and Safety
Corrective actions arising from workplace incidents under ISO 45001 intersect with work health and safety legislation in most jurisdictions. Records related to incident investigations, near misses, and corrective actions taken in response to safety findings should be retained for the period specified by your applicable WHS or OHS legislation, which in many Australian states is five years or longer for serious incidents. Do not rely on your ISO retention policy alone for these records.
What Happens When Records Are Missing
If an auditor requests corrective action evidence and you cannot produce it, the consequences depend on the circumstances. At a minimum, you are likely to receive a nonconformity against your documented information requirements. If the missing records relate to a previously identified nonconformity that was supposedly closed, the auditor may question whether the corrective action was actually completed, which could result in that nonconformity being reopened or a new major finding being raised.
In regulated industries, missing records can trigger regulatory consequences that go well beyond the ISO audit. A food safety regulator or a workplace safety authority that finds corrective action records have been deleted prematurely will not be satisfied with an explanation about ISO retention policies. The regulatory obligation takes precedence, and the consequences of noncompliance with regulatory record-keeping requirements can be significant.
The broader point is that corrective action records are not administrative overhead. They are evidence that your management system is functioning as intended. Treating them as something to be deleted as soon as possible misunderstands their purpose. As the difference between ISO compliance and conformance makes clear, having a policy is not the same as actually following it. Your retention policy only protects you if you actually implement it.
ISO 9001:2015 Clause 10.2 is the clause on corrective action, and understanding what it actually requires is the starting point for getting your retention approach right.
Practical Recommendations by Organization Size
Small businesses often struggle with records management because they do not have dedicated quality managers or document control systems. The good news is that the requirements are scalable. A small business with a simple quality management system does not need a complex records management platform. It needs a clear, documented policy and consistent implementation.
For small organizations, a one-page retention schedule that covers all the main categories of documented information, including corrective actions, is entirely sufficient. Review it annually, make sure everyone who handles records knows the policy, and apply it consistently. That is genuinely all that most small businesses need to satisfy an auditor on this point.
Larger organizations with more complex operations, multiple sites, or significant regulatory exposure need a more formal approach. A dedicated records management policy, a software system that enforces retention rules automatically, and regular internal audits of records compliance are appropriate at this scale. The article on checking whether your ISO management system is actually working covers the kinds of internal checks that will catch records management gaps before an external auditor does.
A Quick Summary of What to Do
If you take nothing else from this article, take these practical steps.
- Document a retention schedule that explicitly covers corrective action records. Do not leave it implied.
- Set a minimum retention period of three years as your baseline, then extend it based on regulatory requirements, contractual obligations, and risk.
- Keep not just the corrective action report but all supporting evidence, including root cause analysis, action verification, and effectiveness review records.
- Calculate retention periods from the date of closure, not the date the nonconformity was raised.
- Review records before deletion to confirm no ongoing issues, legal proceedings, or regulatory obligations require extended retention.
- Apply the same retention rules to electronic records as to paper records, including version history and audit trails.
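The retention rules described in the "Building a Retention Schedule" section and repeated in this summary (most stringent external floor wins, a buffer on top of contractual periods, tiered periods by category, retention counted from the closure date, a review trigger before destruction, and a hold while legal action is foreseeable) are mechanical enough to encode. The following is an added example, not code from the original article or from any software product; every function name, the category table, the year counts and the sample register are constructed placeholders, and the real floors must come from your own regulator, contracts and legislation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy constants: constructed example values, not figures from any standard or regulator.
BASELINE_YEARS = 3        # one full certification cycle, the floor discussed in the article
BUFFER_YEARS = 1          # added on top of an external (regulatory or contractual) floor
REVIEW_WINDOW_DAYS = 90   # records this close to disposal go to a review queue first

# Tiered internal periods by category of nonconformity (hypothetical policy table).
INTERNAL_TIER_YEARS = {
    "documentation": 3,
    "process": 3,
    "information_security": 7,
    "whs_incident": 5,
    "product_safety": 10,
}


@dataclass
class CorrectiveAction:
    ref: str
    category: str
    raised_on: date
    closed_on: Optional[date]          # None while the action is still open
    regulatory_floor_years: int = 0    # minimum imposed by your regulator, if any
    contractual_floor_years: int = 0   # minimum imposed by a contract, if any
    legal_hold: bool = False           # litigation ongoing or foreseeable


def retention_years(ca: CorrectiveAction) -> int:
    """Most stringent of: baseline, internal tier, and any external floor plus buffer."""
    tier = INTERNAL_TIER_YEARS.get(ca.category, BASELINE_YEARS)
    external = max(ca.regulatory_floor_years, ca.contractual_floor_years)
    if external > 0:
        external += BUFFER_YEARS   # the "four years required, one year buffer" rationale
    return max(BASELINE_YEARS, tier, external)


def add_years(d: date, years: int) -> date:
    """Whole-year date arithmetic; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def earliest_disposal_date(ca: CorrectiveAction) -> Optional[date]:
    """Retention runs from the closure date. None means the record cannot be disposed of yet."""
    if ca.closed_on is None or ca.legal_hold:
        return None
    if ca.closed_on < ca.raised_on:
        raise ValueError(f"{ca.ref}: closure date precedes the date it was raised")
    return add_years(ca.closed_on, retention_years(ca))


def disposition(ca: CorrectiveAction, today: date) -> str:
    """One of: open, hold, retain, review, eligible."""
    if ca.closed_on is None:
        return "open"
    if ca.legal_hold:
        return "hold"
    due = earliest_disposal_date(ca)
    if today < due - timedelta(days=REVIEW_WINDOW_DAYS):
        return "retain"
    if today < due:
        return "review"     # inside the window: a person checks for ongoing issues first
    return "eligible"


def review_queue(records, today: date):
    """Refs needing a human decision before anything is destroyed, earliest due date first."""
    due_items = [(earliest_disposal_date(r), r.ref) for r in records
                 if disposition(r, today) in ("review", "eligible")]
    return [ref for _, ref in sorted(due_items)]


# Constructed sample register for demonstration only.
SAMPLE_REGISTER = [
    CorrectiveAction("CA-001", "documentation", date(2021, 3, 1), date(2021, 4, 15)),
    CorrectiveAction("CA-002", "product_safety", date(2022, 5, 2), date(2022, 6, 30),
                     contractual_floor_years=7),
    CorrectiveAction("CA-003", "whs_incident", date(2019, 11, 20), date(2020, 1, 10),
                     legal_hold=True),
    CorrectiveAction("CA-004", "process", date(2023, 7, 3), date(2023, 9, 1),
                     contractual_floor_years=4),
    CorrectiveAction("CA-005", "information_security", date(2024, 2, 1), None),
]

if __name__ == "__main__":
    today = date(2024, 2, 1)
    for ca in SAMPLE_REGISTER:
        print(ca.ref, retention_years(ca), earliest_disposal_date(ca), disposition(ca, today))
    print("review queue:", review_queue(SAMPLE_REGISTER, today))
```

The point of the `review` state is the tip about a review trigger: nothing is deleted on the due date itself, and a legal hold or an open record never reaches the queue at all. Adjusting the tier table and floors to your own schedule gives you a concrete artefact to show an auditor alongside the written rationale.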
Getting Help With Your Records Management Approach
If you are unsure whether your current corrective action records management meets the requirements of your ISO standard, or if you are preparing for a certification or recertification audit and want to make sure your documented information is in order, working with an experienced ISO consultant is the most efficient way to close any gaps quickly.
CertBetter connects businesses with verified ISO consultants who can review your corrective action process, your retention schedule, and your broader documented information management to make sure everything holds up under audit scrutiny. The service is free for businesses, and you receive up to three competing quotes from vetted providers so you can compare experience, approach, and price before committing to anyone. If records management is keeping you up before an audit, it is worth getting a second opinion from someone who has seen how auditors actually approach this issue.