Does ISO 9001 require a quality manual?

No. ISO 9001:2015 does not require a quality manual. The 2008 version did, but the current standard removed that requirement. You still need documented information covering the scope, quality policy, quality objectives, and the various procedures and records specified throughout the standard, but you are free to organise that information in whatever format works for your organisation. Many businesses still choose to create a quality manual because it provides a useful overview of the system, but it is not a certification requirement.

Can documented information be stored digitally?

Yes. ISO 9001:2015 explicitly recognises that documented information can exist in any format and on any medium. Digital storage, cloud-based systems, shared drives, and document management software all satisfy the standard's requirements, provided the information is adequately controlled, protected, and accessible when needed. What matters is that the controls described in Clause 7.5 are in place, regardless of whether the documents are paper or digital.

How long do I need to keep ISO 9001 records?

ISO 9001 does not specify retention periods for most records. You are required to determine appropriate retention periods yourself, taking into account any legal or regulatory requirements that apply to your industry, contractual obligations, and your own risk assessment. Most organisations set a minimum of three years for general quality records, with longer periods for specific categories such as design records, calibration histories, or records related to safety-critical products. Whatever periods you choose, document them in your system and apply them consistently.

What happens if I cannot produce documented information during an audit?

If you cannot produce documented information that the standard specifically requires you to retain, the auditor will raise a nonconformance. Depending on how many nonconformances are raised and their severity, this may delay your certification or require a follow-up audit to verify that the gaps have been closed. For maintained documents, not having a required procedure in place is typically a major nonconformance. For retained records, the absence of evidence for a process that should have been happening is also treated seriously. The practical solution is to build your record-keeping habits before the audit, not during it.

Do I need to document every process in my business for ISO 9001?

No. ISO 9001 requires documented information to the extent necessary to support the operation of your processes and to have confidence they are being carried out as planned. For straightforward, low-risk activities performed by experienced staff, a written procedure may not be necessary. For complex, high-risk, or infrequently performed processes where the absence of documentation could lead to errors, documentation is clearly warranted. The standard leaves this judgement to you, and auditors generally accept a reasoned explanation for why certain processes are not documented, provided the outcomes are consistently achieved.

What Is Documented Information in ISO 9001?

Q: What is the difference between maintained and retained documented information in ISO 9001?

Maintained documented information refers to documents that describe how your processes and system work, such as procedures, policies, and work instructions. These are living documents that get updated when things change. Retained documented information refers to records that prove something happened, such as completed inspection forms, audit reports, and training records. You keep records as they were created and do not update them after the fact. Both types are required by ISO 9001, and confusing them is one of the most common audit findings.

The Old Language Is Gone, But the Confusion Remains

If you have ever worked with an older version of ISO 9001, you will remember the terms documents and records. They were separate concepts with separate controls. ISO 9001:2015 replaced both of those terms with a single phrase: documented information. On paper, this simplification made sense. In practice, it has caused more confusion than the original terminology ever did.

On this page

Business owners preparing for certification often ask the same question: what exactly counts as documented information, and how much of it do I actually need? This article answers that question directly. We will cover what the standard means by documented information, the difference between the two types, what ISO 9001 specifically requires you to maintain and retain, and how to build a practical approach that satisfies auditors without burying your team in paperwork.

If you are just starting out with the standard, it helps to first read A Beginner's Guide to ISO 9001:2015 before diving into the clause-level detail here.

What Does Documented Information Actually Mean?

The ISO 9000:2015 standard, which defines terms used across the ISO 9001 family, defines documented information as information required to be controlled and maintained by an organisation and the medium on which it is contained. That definition sounds straightforward until you realise it covers everything from a single-page procedure to a completed inspection form saved in a cloud folder.

The key insight is this: documented information is not just about paper. It includes digital files, spreadsheets, emails saved as evidence, photos, videos, database records, and anything else that captures or communicates information your quality management system relies on. The medium does not matter. What matters is that the information exists in a retrievable, controlled form.

Two Types of Documented Information

ISO 9001:2015 uses two specific verbs to distinguish between the two types of documented information, and understanding this distinction is critical before your audit.

Maintained documented information refers to documents that define how things should be done. These are your procedures, policies, work instructions, plans, and frameworks. They describe your system. You update them when processes change, and they are living documents that guide behaviour.

Retained documented information refers to records that prove something happened. These are your completed forms, audit reports, test results, training records, and corrective action logs. They are evidence of what was done. You do not update them after the fact. You keep them as they were created.

When an auditor asks to see documented information, they are usually asking for one or both of these types. If they ask how you control nonconforming outputs, they want to see the procedure (maintained). If they ask for evidence that you actually controlled a nonconforming output last month, they want to see the record (retained). These are not interchangeable.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

What ISO 9001 Requires You to Maintain

The standard specifies a number of places where you must maintain documented information. These are the documents your system needs to function. Below is a practical summary of the key requirements.

Scope of the Quality Management System

Clause 4.3 requires you to document the scope of your QMS. This does not need to be a lengthy document. A clear, one-page scope statement that identifies what products and services are covered, which sites are included, and any exclusions you have applied is sufficient. If you want to understand how to approach this correctly, this guide to Clause 4.3 on determining scope covers the practical steps in detail.

Quality Policy

Clause 5.2.2 requires the quality policy to be available as documented information. It must be communicated within the organisation and available to relevant interested parties. A policy stuck in a folder that nobody has read does not satisfy this requirement. Auditors will ask staff if they are aware of it and whether they understand what it means for their work.

Quality Objectives

Clause 6.2 requires objectives to be documented. This means writing them down with measurable targets, assigned responsibilities, and a timeframe. A vague statement about improving customer satisfaction is not an objective. A statement that says you will reduce customer complaints by 15 per cent before the end of the financial year, with the customer service manager responsible, is an objective.

Processes and Their Controls

Clause 4.4.2 requires you to maintain documented information to support the operation of your processes and to have confidence that the processes are being carried out as planned. This does not mean you need a written procedure for every single activity. It means that for processes where the absence of documentation would genuinely create a risk of things going wrong, you need to document them. Use your judgement here, and think about what a new employee would need to understand in order to do the job correctly.

Other Specific Requirements

Several other clauses require maintained documented information, including monitoring and measurement resources (Clause 7.1.5), competence (Clause 7.2), and the results of the design and development process if design is within your scope (Clause 8.3). Each of these has a specific purpose, and the documentation should reflect actual practice rather than an idealised version of how things work.

What ISO 9001 Requires You to Retain

Retained documented information is your evidence trail. Without it, an auditor has no way to verify that your system is actually working. Below are the key records the standard requires.

Evidence of Fitness for Purpose of Monitoring and Measurement Resources

If you use equipment to verify that products or services meet requirements, Clause 7.1.5 requires you to retain evidence that the equipment is calibrated or verified. This could be calibration certificates, internal verification records, or test equipment logs.

Evidence of Competence

Clause 7.2 requires you to retain documented information as evidence of competence. This means training records, qualifications, licences, or any other evidence that demonstrates people doing quality-affecting work are capable of doing it. A spreadsheet listing staff names and completed training courses, with dates, satisfies this requirement for most businesses.

Results of the Planning Process

Clause 8.1 requires you to retain documented information to demonstrate that processes have been carried out as planned and that products and services conform to requirements. This is a broad requirement that captures job records, production logs, service delivery records, and similar evidence.

Customer Requirements

Clause 8.2.3.2 requires you to retain documented information on the results of the review of customer requirements. This could be a signed contract, a completed order form, an email thread confirming scope, or a quote that the customer accepted. The point is that you have something that shows you reviewed what the customer needed before you committed to delivering it.

Design and Development Records

If design and development is within your scope, Clause 8.3 requires a series of records covering inputs, outputs, reviews, verification, validation, and changes. This is one of the more document-intensive areas of the standard, and organisations that design products or services need to plan their record-keeping carefully from the start.

Supplier Evaluation Records

Clause 8.4.1 requires you to retain documented information of the results of supplier evaluations. This means keeping records of how you assessed suppliers before using them, and how you monitor them on an ongoing basis. A completed supplier assessment form, a record of a site visit, or a history of performance scores all satisfy this requirement.

Nonconforming Outputs

Clause 8.7.2 requires you to retain documented information that describes the nonconformity, the actions taken, any concessions obtained, and the authority that decided on the action. This is one of the records auditors look at closely. If you have had product or service failures and there are no records, that is a significant gap.

Internal Audit Results

Clause 9.2.2 requires you to retain documented information as evidence of the audit programme and audit results. This means keeping your audit schedule, your audit reports, and any findings or observations. If you want to understand how to run internal audits that actually add value, this guide on running ISO internal audits that find real problems is worth reading before your next cycle.

Management Review Results

Clause 9.3.3 requires you to retain documented information as evidence of the results of management reviews. Minutes of the meeting, action items, and decisions made are the typical format. The record needs to show that the inputs required by Clause 9.3.2 were actually discussed.

Corrective Actions

Clause 10.2.2 requires you to retain documented information as evidence of the nature of nonconformities, the actions taken, and the results of any corrective action. This is distinct from the nonconforming output record. Corrective action records deal with the root cause investigation and the systemic fix, not just the immediate containment of the problem.

How to Control Documented Information

Clause 7.5 sets out the requirements for controlling documented information. This is where many businesses either over-engineer things or leave dangerous gaps. The standard requires you to ensure documented information is available and suitable for use where and when it is needed, and that it is adequately protected from loss of confidentiality, improper use, or loss of integrity.

For most small to medium businesses, a practical control system looks like this. You have a shared drive or document management system where current versions of procedures and policies are stored. Documents have a version number and a review date. When a document is updated, the old version is either archived or deleted so staff are not working from outdated instructions. Records are stored in a way that protects them from accidental deletion or modification, and they are kept for a defined period before being disposed of.

You do not need expensive software to achieve this. A well-organised SharePoint folder structure with clear naming conventions and a simple document register can satisfy Clause 7.5 for most organisations. What you do need is consistency. The system you describe in your procedures must match how people actually work.

Retention Periods

The standard does not specify how long you must keep records. That is left to you, taking into account legal requirements, contractual obligations, and your own risk assessment. As a general guide, most organisations keep quality records for a minimum of three years, with some categories such as design records or calibration histories kept for longer. Whatever periods you choose, document them and apply them consistently. If you want more detail on this specific question, this article on how long corrective action evidence needs to be kept provides practical guidance.

External and Internal Origin

Clause 7.5.3 also requires you to identify and control documented information of external origin that you have determined is necessary for the planning and operation of the QMS. This includes customer specifications, regulatory requirements, Australian Standards referenced in your procedures, supplier data sheets, and similar documents. These need to be controlled just like your own documents, meaning you need to ensure you are working from current versions and that outdated external documents are not in circulation.

Common Mistakes Businesses Make With Documented Information

After years of auditing and consulting, the same mistakes come up repeatedly. Knowing them in advance saves a lot of rework.

Creating Documents Nobody Uses

This is the most common problem. Businesses create elaborate procedure manuals to satisfy an auditor, and then staff continue doing things the way they always have. The document says one thing, reality is something else entirely. An auditor will find this gap quickly by asking staff to walk them through a process and comparing what they describe to what the procedure says. Write procedures that reflect actual practice, not aspirational practice.

Confusing Maintained and Retained

Updating a completed record after the fact is a serious issue. Records must reflect what happened at the time. If a quality check was not completed and the form was filled in later to cover it up, that is not just a nonconformance, it is a integrity problem that can result in certification being suspended. Keep these two types of documented information clearly separated in your system.

No Version Control

Finding multiple versions of the same procedure in circulation is a common audit finding. Staff working from version 1 of a procedure when version 3 is the current version creates real operational risk, not just a compliance gap. A simple version number on every document and a clear process for removing obsolete versions from circulation solves this.

Treating the Document Register as a Tick-Box Exercise

A document register that lists everything you have is useful. A document register that lists documents that no longer exist, or that has not been updated in two years, is worse than having no register at all. Keep it current or do not bother with it.

How Much Documented Information Is Enough?

This is the question every business owner asks, and the honest answer is: it depends on your organisation. The standard deliberately avoids prescribing a specific set of documents beyond the ones explicitly required. The amount of documented information that is appropriate depends on the size of your organisation, the complexity of your processes, the competence of your people, and the nature of your products or services.

A ten-person professional services firm with experienced staff and straightforward processes needs far less documentation than a 200-person manufacturer producing safety-critical components. What matters is not the volume of documents but whether the documentation you have actually supports consistent, effective operation of your QMS.

If you are building your documented information from scratch and want to understand how controlled documents fit into the broader picture of your management system, this guide on controlled documents and how to implement them is a practical starting point.

Getting Help With Your Documented Information

Getting the documented information framework right from the start saves significant rework later. Many businesses that struggle at their Stage 1 audit do so because their documented information does not reflect their actual system, or because required records simply do not exist yet.

If you are preparing for ISO 9001 certification and want guidance from someone who understands both the standard and your industry, CertBetter can connect you with verified ISO consultants and accredited certification bodies. You submit one form and receive up to three competing quotes from vetted providers. It is free for businesses, and it removes the guesswork from finding someone you can actually trust.