ISO 13485 Record Retention & Control Rules
Last Updated on September 25, 2025 by Melissa Lazaro
Introduction: Why Record Retention & Control Matters
One of the first things auditors ask for in an ISO 13485 audit is, “Show me the record.” And here’s the kicker—if you can’t produce it, it’s as if it never happened. It doesn’t matter how well you trained your staff, calibrated your equipment, or handled complaints. Without records, there’s no proof, and without proof, your QMS fails the test.
In my experience, record retention and control is one of the most overlooked areas of ISO 13485. Companies either keep everything forever (and drown in paper or data) or they purge too early and end up with major nonconformities. Neither works.
Here’s what I’ve noticed: once organizations get clarity on how long to keep different records and how to control them properly, audits become a lot smoother. Employees stop panicking when auditors request a file from 7 years ago, and management gains confidence that nothing critical will fall through the cracks.
So in this guide, I’ll break down:
- What ISO 13485 really requires for record retention and control.
- How long you need to keep different types of records.
- Practical tips to organize, store, and retrieve records without turning your QMS into a filing nightmare.
By the end, you’ll know exactly what auditors expect—and how to make record retention work for your business instead of against it.
What ISO 13485 Requires for Records
Let’s start with the basics. ISO 13485 makes it crystal clear in Clause 4.2.5 – Control of Records: you need a documented procedure that explains how records are identified, stored, protected, retrieved, retained, and disposed of.
Here’s what that really means in practice:
- Legible: Records have to be readable for as long as you keep them. That means no smudged training forms, no corrupted digital files.
- Retrievable: If an auditor asks for a complaint record from five years ago, you should be able to pull it up in minutes—not days.
- Traceable: Every record should link back to the activity it’s documenting. A calibration record, for example, should clearly show which piece of equipment it belongs to.
- Controlled: You need to protect records from damage, loss, or unauthorized changes.
Pro Tip: Auditors don’t care if your records are in a binder or in a fancy eQMS. What they do care about is whether you can show them, on the spot, that your procedure works.
Common pitfall: I’ve seen companies confuse “document control” with “record control.” Documents tell you how to do something (like a procedure), while records prove you actually did it (like a signed training sheet). Auditors expect both—and they’ll quickly spot if you mix them up.
Bottom line: your record control procedure isn’t just paperwork—it’s your safety net. It proves that every critical step in your QMS happened exactly as required.
Now that we’ve covered the rules, let’s tackle the part that usually causes the most headaches: how long you actually need to keep different records.
ISO 13485 Record Retention Rules – How Long to Keep What
Here’s where most companies trip up: how long do we actually have to keep each type of record? ISO 13485 itself doesn’t give you a one-size-fits-all number. Instead, it expects you to define retention periods in your procedure—and align them with regulatory requirements (FDA, EU MDR, Health Canada, etc.).
Here’s a breakdown of the most common record types and how long they should typically be kept:
1. Design & Development Records
- Usually kept for the lifetime of the product + regulatory minimum.
- Example: EU MDR requires at least 10 years after the last product was placed on the market (15 years for implantables).
- Pro Tip: Store these electronically—paper archives over 10 years can become unreadable.
2. Production & Device History Records
- FDA 21 CFR 820 requires keeping them for at least the product’s expected life, but not less than 2 years from distribution.
- EU MDR is stricter: 5–10 years depending on device class.
- Common pitfall: purging device history records as soon as production batches expire. Auditors will flag this fast.
3. Training Records
- Keep for the duration of employment + a set number of years after (commonly 2–5 years).
- Why? Auditors want to confirm that at the time an activity was performed, the employee was properly trained.
4. Complaint & CAPA Records
- Retain for the life of the product + 2 years (FDA minimum).
- EU MDR pushes this further: often 10–15 years after last product release.
- Real-world story: I worked with a company that destroyed old complaint files after 5 years, thinking they were “safe.” Their EU auditor flagged it as a major nonconformity. Costly mistake.
5. Supplier Records
- Depends on risk level and product lifecycle.
- High-risk suppliers (sterilization, critical components) → keep as long as the product is on the market + retention buffer.
- Low-risk suppliers (office supplies) → shorter periods may be justified.
Pro Tip: Build a retention matrix (record type vs. retention period) into your procedure. Auditors love it because it shows you’ve thought this through and aligned with regulations.
Bottom line: don’t just guess how long to keep records. Tie retention to both product lifecycle and regulatory minimums—and always take the longer requirement when in doubt.
Next, let’s talk about how to actually control these records so they’re always audit-ready and retrievable.
Record Control Rules – How to Manage Them Effectively
It’s one thing to know how long to keep records. It’s another to actually manage them day-to-day so they’re secure, retrievable, and reliable. This is where a lot of companies stumble—records exist, but they’re scattered across folders, old binders, or someone’s personal laptop. Auditors will pick up on that instantly.
Here’s what ISO 13485 expects when it comes to control:
1. Legibility
Records must stay readable for the entire retention period. That means no faded photocopies, no files in formats that no one can open 10 years later.
Pro Tip: Use PDF/A or another long-term file format for electronic records.
2. Retrieval
If an auditor asks for a record, you should be able to find it in minutes. Not hours, not “we’ll email it tomorrow.”
Real-world example: I once sat in an audit where the team found a 7-year-old training record in under 3 minutes using a simple indexed archive. The auditor literally smiled and said, “That’s how it’s done.”
3. Traceability
Records need to clearly connect to the activity or product they belong to. A calibration record, for example, must show exactly which instrument it applies to—serial number and all.
4. Protection
Protect records from loss, damage, and unauthorized changes.
- For paper: fireproof cabinets, controlled access.
- For electronic: backups, access rights, audit trails.
Common pitfall: Over-relying on cloud storage without verifying access controls or backup reliability.
5. Disposal
When retention ends, records should be disposed of securely. That means shredding physical copies or using certified digital deletion—not just dragging files to the recycle bin.
Pro Tip: Create a simple indexing system (by product, year, or department). It saves time, reduces stress, and shows auditors you’ve thought about organization.
Bottom line: controlled records prove your QMS is real, not just theory. If they’re consistent, accessible, and protected, you’ve already won half the audit battle.
Next, let’s pull this together with best practices for record retention and control that make compliance much easier to maintain.
Best Practices for Record Retention & Control
Now that we’ve covered the rules, let’s get into the part that actually makes your life easier: best practices. These are the habits I’ve seen successful companies use to keep records compliant without drowning in paperwork.
1. Use a Retention Matrix
Create a simple table listing record type vs. retention period vs. regulatory reference. Not only does this guide your team, but it also impresses auditors because it shows you’ve tied retention to actual requirements—not random guesses.
2. Build Retention Into SOPs
Don’t treat record retention as an afterthought. Bake it right into your procedures (e.g., your training SOP should say how long training records are kept). This avoids gaps when auditors cross-check.
3. Automate Where You Can
If you’re using an electronic QMS or cloud system, set rules for auto-archiving and retention. That way, you’re not relying on someone’s memory to purge or move files.
Pro Tip: Set reminders for retention deadlines—nothing looks worse than records “disappearing” mid-audit because they were purged early.
4. Keep It Simple to Retrieve
Design your system so anyone—not just the quality manager—can find records fast. Use consistent file naming, indexing, and labeling.
5. Review Regularly
Include record retention in your management review. Regulations evolve, product lifecycles change, and your retention rules should keep up.
Common pitfall: sticking with outdated rules even after MDR or FDA changes. That’s a quick way to earn a nonconformity.
6. Think Global
If you’re selling in multiple markets, always adopt the strictest retention rule across the board. That way you don’t risk falling short in any region.
Bottom line: record retention doesn’t have to be a headache. With the right structure—matrix, SOP integration, automation, and regular review—you’ll always be a step ahead of auditors and regulators.
FAQs – ISO 13485 Record Retention & Control
Q1. How long do we need to keep medical device records under ISO 13485?
ISO 13485 doesn’t give exact numbers—it requires you to define and follow retention rules. The actual timeframe depends on regulatory bodies: FDA (life of device + 2 years), EU MDR (10–15 years), etc. The safe bet? Always go with the strictest requirement that applies to your market.
Q2. Can electronic records fully replace paper records?
Yes, as long as they’re legible, secure, backed up, and retrievable. Most companies are moving digital, but remember: you need access controls and audit trails. A scanned PDF can work just as well as paper, provided it’s controlled.
Q3. What happens if records are missing or illegible during an audit?
Best case: you’ll get a nonconformity and extra scrutiny. Worst case: it could block your certification or trigger regulatory action. Auditors work on evidence—if you can’t show a record, it’s as if the activity never happened.
Conclusion: Make Record Retention Work for You
At the end of the day, record retention and control isn’t about filing cabinets or cloud folders—it’s about proving your QMS works. Without records, there’s no evidence, and without evidence, your audit will fall apart.
In my experience, the companies that handle this well don’t just follow ISO 13485—they build retention and control into their daily processes. Their records are easy to find, clearly organized, and securely stored. When the auditor asks for something, they can pull it up in minutes. That confidence changes the whole tone of an audit.
Here’s the takeaway:
- Know what ISO 13485 requires.
- Set clear retention timelines that match regulatory rules.
- Control your records so they stay legible, retrievable, and secure.
- Keep the system simple enough that anyone in your team can use it.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.