Every document your QMS must have, what auditors check first, and why the gaps between your procedures and your records are where most findings live.
Last Updated: May 2026
Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.
📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items covering ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.
The Binder on the Shelf Is Not a QMS
Years ago, working in a nuclear component facility, I watched a certification audit go sideways in the first thirty minutes. The quality manager had spent six months building what looked like a complete quality management system — binders, procedures, forms, the works. The auditor asked to see the document register. The quality manager pointed to the binder. The auditor asked how documents were controlled at the point of use. The quality manager pointed to the binder again.
The binder was the system. It sat on a shelf in the quality office. The machinists on the floor had printed copies of procedures from three years prior. Nobody had a current revision of anything. The audit did not go well.
ISO 13485 documentation is not about having paperwork. It is about having the right documents, in the right format, accessible to the right people, at the right time — and being able to prove all of that during an audit. The standard is specific about what must be documented, what must be retained as records, and what that documentation must demonstrate.
Under QMSR, which took effect February 2, 2026, FDA now evaluates ISO 13485 documentation requirements against the framework directly. Organizations that treat documentation as a filing exercise rather than a quality system function are finding that gap at inspection.
This article covers every documentation requirement ISO 13485 imposes, where auditors look first, and what a compliant documentation system actually looks like in practice.
In This Guide
- The difference between documents and records under ISO 13485 — and why it matters for audits
- Every mandatory document the standard requires
- Every mandatory record the standard requires
- Document control requirements under Section 4.2
- Record retention rules under Section 4.2.5
- The most common documentation gaps auditors find
- How QMSR changed the documentation landscape for U.S. medical device manufacturers
- Decision-stage guidance for organizations at different points in their documentation journey
Table of Contents
Start Here (Top Resources)
🔖 Get ISO 13485:2016 → ANSI Webstore — ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits. Use coupon CC2026 for 5% off.
🔖 Build compliant QMS documentation → 9001Simplified — 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch.
🔖 Train your team on ISO 13485 documentation requirements → BSI Group — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.
🔖 Pursue or maintain ISO 13485 certification → ISOQAR — ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.
Browse the What Is ISO 13485? pillar article for full clause context, or use the ISO 13485 Gap Assessment Checklist to identify your specific documentation gaps before your next audit.
Documents vs. Records: The Distinction That Drives Compliance
ISO 13485 treats documents and records as separate categories with different requirements. Confusing them is one of the most consistent sources of documentation findings in surveillance audits.
Documents are instructions, procedures, specifications, and plans — the things that tell people what to do. They are living documents: they can be revised, updated, and superseded. Section 4.2.4 governs their control.
Records are evidence that something was done — completed forms, test results, inspection reports, calibration data, training sign-offs. They are fixed in time: once a record is created, it cannot be altered without creating a documented amendment. Section 4.2.5 governs their control.
The practical distinction matters for two reasons. First, the control requirements differ. Documents need revision control, approval, distribution, and obsolescence management. Records need legibility, identification, storage protection, retrieval, and defined retention periods. A documentation system that applies the same controls to both will have gaps in one or the other.
Second, auditors evaluate them separately. When an auditor asks for a procedure, they are asking for a document. When they ask for evidence, they are asking for a record. Handing an auditor a completed form when they asked for a procedure — or a procedure when they asked for evidence — signals a documentation system that does not understand its own structure.
At this point, most quality managers building or auditing a documentation system should: → Map your document inventory against your record inventory separately. If your document register includes completed forms alongside controlled procedures, your system architecture has a structural problem. 9001Simplified’s documentation kits include pre-structured document and record registers built for ISO 13485 compliance. 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch.
Mandatory Documents Under ISO 13485
ISO 13485 requires specific documented procedures and plans across multiple clauses. These are not optional — certification bodies audit for their existence and their content.

| Document | Clause | What It Must Cover |
|---|---|---|
| Quality Manual | 4.2.2 | Scope of the QMS, exclusions with justification, documented procedures or references, description of QMS process interactions |
| Document Control Procedure | 4.2.4 | Approval, review, revision control, distribution, obsolescence management, external documents |
| Records Control Procedure | 4.2.5 | Identification, storage, protection, retrieval, retention periods, disposition |
| Management Review Procedure | 5.6 | Inputs, outputs, frequency, documentation requirements |
| Competence, Training & Awareness Procedure | 6.2 | How competence is determined, how training is delivered, how competence is evaluated and recorded |
| Infrastructure Procedure | 6.3 | Maintenance of buildings, equipment, and supporting services affecting product quality |
| Work Environment Procedure | 6.4 | Control of work environment conditions where required for product conformity |
| Risk Management Procedure | 7.1 | Risk management process across the product lifecycle, per ISO 14971 |
| Customer-Related Processes Procedure | 7.2 | Requirements determination, review, and customer communication |
| Design & Development Procedure | 7.3 | Planning, inputs, outputs, review, verification, validation, transfer, changes (if design is not excluded) |
| Purchasing Procedure | 7.4 | Supplier evaluation, selection, monitoring, and purchasing information |
| Production & Service Controls Procedure | 7.5 | Control of production and service provision, cleanliness, installation, and servicing |
| Identification & Traceability Procedure | 7.5.3 | Product identification throughout realization and traceability requirements |
| Customer Property Procedure | 7.5.4 | Control and safeguarding of customer-supplied product or data |
| Preservation Procedure | 7.5.5 | Preservation of product during processing and delivery |
| Monitoring & Measurement Equipment Procedure | 7.6 | Calibration, verification, and control of measuring equipment |
| Feedback Procedure | 8.2.1 | Post-market surveillance and feedback collection |
| Complaint Handling Procedure | 8.2.2 | Complaint receipt, investigation, and regulatory reporting decisions |
| Internal Audit Procedure | 8.2.4 | Audit planning, conduct, reporting, and follow-up |
| Nonconforming Product Procedure | 8.3 | Identification, segregation, evaluation, and disposition |
| CAPA Procedure | 8.5.2 / 8.5.3 | Corrective and preventive action process, including root cause analysis and effectiveness verification |
⚠️ If your organization excludes design and development under Clause 7.3, that exclusion must be justified in the Quality Manual and documented. Exclusions without documented justification are a consistent finding in initial certification audits.
📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items covering ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.
Mandatory Records Under ISO 13485
Records are the evidence your QMS operated as documented. The standard specifies which records must be maintained — these are the minimum. Your procedures may require additional records.
| Record | Clause | What It Must Demonstrate |
|---|---|---|
| Management Review Minutes | 5.6.3 | Inputs reviewed, decisions made, actions assigned with owners and timelines |
| Education, Training, Skills & Experience | 6.2 | Competence evaluated, training completed, results recorded |
| Infrastructure Maintenance | 6.3 | Maintenance activities and results for quality-critical equipment |
| Risk Management Records | 7.1 | Risk analysis, risk evaluation, risk control, residual risk assessment, post-production monitoring |
| Customer Requirements Review | 7.2.2 | Requirements determined and confirmed before commitment |
| Design & Development Records | 7.3 | Inputs, outputs, reviews, verifications, validations, transfer, and changes (if not excluded) |
| Design & Development Changes | 7.3.9 | Change description, evaluation, verification, validation, approval |
| Supplier Evaluation Records | 7.4.1 | Evaluation criteria, results, and re-evaluation decisions |
| Production Process Validation | 7.5.2 | Validation protocols, results, equipment qualifications |
| Traceability Records | 7.5.3.2 | Unique device identification and traceability through production |
| Customer Property Records | 7.5.4 | Receipt, condition assessment, and disposition of customer property |
| Calibration Records | 7.6 | Equipment identification, calibration standard, results, next due date |
| Internal Audit Records | 8.2.4 | Audit plans, findings, nonconformances, corrective actions, follow-up |
| Product Monitoring & Measurement | 8.2.6 | Evidence of conformity and identification of release authority |
| Nonconforming Product Records | 8.3 | Nature of nonconformity, disposition decision, concession records if applicable |
| CAPA Records | 8.5.2 / 8.5.3 | Root cause analysis, action taken, effectiveness verification with criteria and evidence |
➡️ 9001Simplified Documentation Kits — Pre-built ISO 13485 procedures, forms, and record templates covering every mandatory document and record listed above. 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch.
Document Control: What Section 4.2.4 Actually Requires
Section 4.2.4 sets out seven specific requirements for document control. Each one has a practical implementation implication — and each one is evaluated individually during audits.
1. Documents must be approved before use. Approval must be by authorized personnel. Your document control procedure must define who has approval authority for each document type. A document approved by someone outside that authority — or with no documented approval at all — is a nonconformance.
2. Documents must be reviewed, updated as necessary, and re-approved. Review frequency should be defined in your procedure. Documents that have never been reviewed since initial creation are a finding in surveillance audits — particularly if the regulatory environment or production process has changed.
3. Changes and current revision status must be identified. Every controlled document needs a revision identifier — a number, letter, or date — and your document register needs to reflect current revision status. Auditors check this against what is in use.
4. Relevant versions must be available at points of use. This is the binder-on-the-shelf failure. Current controlled versions must be accessible where work is performed. If people work from printed copies, you need a controlled printing process. If work is performed on a production floor, current procedures must be accessible there — not only in the quality office.
5. Documents must be legible and identifiable. This sounds obvious. It is consistently violated by organizations that allow handwritten annotations, informal updates, or degraded printed copies to remain in service.
6. External documents must be identified and controlled. This includes customer drawings, regulatory guidance documents, referenced standards, and supplier specifications. External documents that affect product quality must be listed in your document control system and their current version verified.
7. Obsolete documents must be prevented from unintended use. Obsolete documents must either be removed from all points of use or clearly marked as obsolete. Finding an active workstation with a superseded procedure is a major nonconformance — regardless of whether anyone was actually using it.
If you are under active FDA inspection pressure → BSI Group ISO 13485 Training covers document control implementation and audit preparation in depth. BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.
Record Retention: What Section 4.2.5 Actually Requires
Section 4.2.5 requires that records be retained for a period at least equal to the lifetime of the medical device, but not less than two years from the date of product release by the organization.
That two-year floor is the minimum. In practice, most medical device records should be retained significantly longer:
- Implantable devices — the device lifetime may span decades. Records need to match.
- Devices with long service lives — the same logic applies.
- FDA QMSR requirements — align with ISO 13485 on the two-year minimum but your complaint handling procedure may require longer retention for MDR-related records.
- Customer contractual requirements — OEM customers increasingly specify record retention periods in their supplier quality agreements. These requirements take precedence where they are more stringent than the standard’s minimum.
Your records control procedure must define retention periods for each record type. A blanket “two years” policy applied to all records — including design history files and risk management records for long-life devices — is not compliant.
| Provider | What You Get | Best For |
|---|---|---|
| ANSI Webstore | ISO 13485:2016 official standard | Any organization needing the controlled, compliant version of the standard |
| 9001Simplified | QMS documentation kits with record templates | Organizations building documentation from scratch or rebuilding after a major finding |
| BSI Group | ISO 13485 training courses | Teams implementing documentation systems or preparing for initial certification |
| ISOQAR | ISO 13485 certification | Organizations ready to pursue or maintain certification |
Most organizations building documentation systems from scratch need all three:
- The standard from ANSI Webstore (use CC2026 for 5% off)
- Lead implementer training from BSI Group
- A documentation kit from 9001Simplified
This combination covers the standard, the knowledge, and the implementation infrastructure.
The Most Common Documentation Gaps

These are the findings that appear most consistently in ISO 13485 surveillance audits and QMSR inspections. Each one points to a specific procedure or record requirement.
The Quality Manual references procedures that don’t exist. A common initial certification shortcut is writing a Quality Manual that references a full set of documented procedures — then discovering during the surveillance audit that several of those procedures were never finalized. The Quality Manual and the document register must be synchronized.
The document register is not current. Document registers that haven’t been updated in months, that show revision numbers inconsistent with what is in use, or that are missing entire document categories are a consistent finding. The register is the first thing many auditors check.
Risk management records stop at design transfer. ISO 14971 requires risk management across the product lifecycle. Design-phase risk files with no post-production updates — no connection to complaint data, service reports, or CAPA findings — are incomplete regardless of how thorough the original analysis was. See ISO 14971 vs ISO 13485 for the full lifecycle requirement.
CAPA records close without effectiveness verification evidence. A CAPA record that reads “action implemented — problem resolved” with no supporting data is not a closed CAPA — it is an open finding waiting to be issued. For the complete breakdown of what effectiveness verification requires, see CAPA Requirements in ISO 13485.
Supplier qualification records are incomplete or outdated. An approved supplier list without corresponding qualification evidence, or qualification records for suppliers whose scope has changed without requalification, are consistently cited findings under Clause 7.4.
Training records prove attendance, not competence. Sign-off sheets showing who attended a training session are not competence records. The record must show what competence was evaluated, by what method, and what the result was. See Common Mistakes in ISO 13485 QMS for the full breakdown of this finding.
Management review minutes record presentations, not decisions. Minutes that describe what was presented in management review without documenting what was decided are a major finding under Section 5.6.3. Every input reviewed must produce a documented output — a decision, an action, or a rationale for no action.
How QMSR Changed the Documentation Landscape
FDA’s Quality Management System Regulation, effective February 2, 2026, aligns U.S. medical device QMS requirements with ISO 13485:2016. For documentation, the practical changes are significant.
The Device Master Record (DMR) structure is now explicitly required. Under QMSR, the DMR — which must include device specifications, production process specifications, quality assurance procedures, packaging and labeling specifications, and installation and maintenance procedures — is a specific documentation requirement that ISO 13485 certification alone does not fully address.
Complaint files under 21 CFR 820.198 remain a separate requirement. ISO 13485 requires a complaint handling procedure. QMSR additionally requires that complaint files contain specific elements — including the decision on whether the complaint required investigation and, if so, the results of that investigation — that go beyond what most ISO 13485 complaint procedures specify.
MDR procedures must be documented separately. Medical Device Reporting obligations are a regulatory requirement that sits outside ISO 13485 but must be addressed in your QMS documentation under QMSR.
⚠️ FDA QMSR compliance date was February 2, 2026. If your documentation system has not been reviewed against the four QMSR-specific bridge requirements since that date, that review is overdue. The ISO 13485 Gap Assessment Checklist covers all four QMSR bridge requirements explicitly alongside the standard ISO 13485 clause requirements.
For the full regulatory alignment picture, see FDA QSR vs ISO 13485.

Why Organizations Delay Getting Documentation Right
“We’ll clean it up before the surveillance audit.”
This is the most common delay rationalization — and it consistently produces the worst outcomes. Documentation gaps that accumulate over 11 months cannot be credibly remediated in the 30 days before a surveillance visit. Auditors can identify recently created records. A CAPA file dated three weeks before the audit for a problem that complaint data shows has existed for eight months is not evidence of a functioning QMS — it is evidence of audit preparation, which auditors treat as a different category of finding.
“Our documentation was good enough for initial certification.”
Initial certification evaluates documentation at a point in time against a system that was built to be audited. Surveillance audits evaluate whether that system has been maintained — which means they look at records created since the last audit, not at procedures written before it. Organizations that passed initial certification and then stopped maintaining their documentation systems often face multiple major nonconformances at the first surveillance visit.
“We don’t have the internal resources to build this properly.”
This objection is real — but the cost of building documentation properly before certification is substantially lower than the cost of remediation after a major nonconformance. A documentation kit from 9001Simplified covers every mandatory document and record template in a ready-to-use format. 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch. The internal labor required to customize a pre-built kit is a fraction of what is required to build from scratch — and a fraction of what remediation costs after a finding.
Frequently Asked Questions
What documents are required by ISO 13485?
ISO 13485 requires documented procedures covering quality manual, document control, records control, management review, training and competence, risk management, customer requirements, purchasing, production controls, identification and traceability, calibration, feedback, complaint handling, internal audit, nonconforming product, and CAPA. The full list with clause references is in the Mandatory Documents table above.
What records are required by ISO 13485?
ISO 13485 requires records covering management reviews, training and competence evaluations, risk management activities, design and development (if not excluded), supplier evaluations, calibration, internal audits, product monitoring, nonconforming product dispositions, and CAPA activities. The full list with clause references is in the Mandatory Records table above.
How long must ISO 13485 records be retained?
The standard requires retention for at least the lifetime of the device, with a minimum of two years from product release. For implantable devices and devices with long service lives, the retention period is typically longer and should be defined in your records control procedure. FDA QMSR aligns with this minimum but specific record types — particularly MDR-related records — may require longer retention.
Does ISO 13485 require a Quality Manual?
Yes. Section 4.2.2 requires a Quality Manual that defines the scope of the QMS, documents or references procedures, and describes the interactions between QMS processes. The Quality Manual is one of the first documents an auditor requests.
Can we use electronic records to meet ISO 13485 requirements?
Yes — electronic records are acceptable provided your document control system ensures they are controlled, legible, retrievable, and protected from unauthorized modification. Electronic systems used to manage controlled documents must themselves be validated if they affect product quality.
What is the difference between a controlled document and a record under ISO 13485?
A controlled document is an instruction, procedure, or specification that tells people what to do — it can be revised and must be version-controlled. A record is evidence that something was done — it is fixed in time and must be retained according to your records control procedure. Section 4.2.4 governs controlled documents; Section 4.2.5 governs records. The distinction is fundamental to building a compliant documentation system.
Does design and development documentation apply to all medical device manufacturers?
Only if the manufacturer performs design and development activities. If your organization manufactures to customer specifications and does not perform design activities, you may be eligible to exclude Clause 7.3 — but that exclusion must be documented and justified in your Quality Manual. Contract manufacturers who claim a 7.3 exclusion without justification are consistently cited at initial certification.
How do FDA QMSR documentation requirements differ from ISO 13485?
QMSR aligns with ISO 13485 but adds four specific requirements: the Device Master Record structure, complaint files under 21 CFR 820.198, Medical Device Reporting procedures, and corrections and removals procedures. ISO 13485 certification alone does not cover these four requirements. The ISO 13485 Gap Assessment Checklist addresses all four explicitly.
What is the first thing an auditor looks at for ISO 13485 documentation?
Most auditors start with the document register — to verify that controlled documents are listed, revision levels are current, and the register reflects what is actually in use. From there they move to the Quality Manual to verify scope and procedure references. Gaps in either of those two items typically expand the audit’s scope significantly.
Free Resources
📋 Free Download: Manufacturing Compliance Checklist — ISO 9001, 14001, 45001 & OSHA — 50 items with gap scoring across all systems.
📋 Free Download: Supplier Quality Checklist — ISO 9001 Clause 8.4 — all supplier controls auditors evaluate, 45 items with scoring.
📋 Free Download: ISO 9001 Implementation Roadmap — The exact 5-phase process from gap assessment to Stage 2 audit clearance.
📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items — ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.
Not Sure What to Do Next?
→ You need the official ISO 13485:2016 standard → ANSI Webstore — Use CC2026 for 5% off. ANSI is the official U.S. distributor of ISO standards.
→ You need to build ISO 13485 documentation from scratch → 9001Simplified Documentation Kits — ready-to-use procedures, forms, and record templates for every mandatory document.
→ You need to train your team on documentation requirements → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses.
→ You are ready to pursue ISO 13485 certification → ISOQAR — UKAS-accredited, one of the most recognized certification bodies in the industry.
→ You need to assess your documentation gaps before your next audit → ISO 13485 Gap Assessment Checklist — free, 64 items.
→ You need to understand how QMSR changed your documentation obligations → FDA QSR vs ISO 13485
→ You need to understand CAPA record requirements in depth → CAPA Requirements in ISO 13485
→ You need to understand the most common documentation audit findings → Common Mistakes in ISO 13485 QMS
→ You need to understand how risk management documentation connects to your QMS → ISO 14971 vs ISO 13485
→ You need to understand the full ISO 13485 clause structure → What Is ISO 13485?
→ You want to buy ISO 13485 → Buy ISO 13485
→ You want to browse all medical device standards → explore standards by compliance area
Still figuring out where to start?
If you are not ready to commit to a documentation build yet — that is normal. Most organizations spend several weeks between identifying gaps and starting remediation.
The best next step: → Download the free ISO 13485 Gap Assessment Checklist — it takes 20 minutes and tells you exactly which documents and records you are missing before you spend anything.

📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items — ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.
The Binder Is Not the System
Documentation is not ISO 13485’s most technically demanding requirement. But it is the foundation every other requirement rests on. Without controlled documents, procedures cannot be consistently followed. Without records, there is no evidence that procedures were followed at all. Without a document control system that connects what is written to what people actually use, the gap between those two things grows quietly — until an auditor measures it.
The organizations that handle documentation audits well are not the ones with the most sophisticated quality management software or the thickest procedure binders. They are the ones whose documentation reflects how work actually gets done — current, accessible, and connected to the records that prove it.
That alignment takes discipline to build and discipline to maintain. It does not take complexity.
At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.
Subscribe below to stay ahead.













