ISO/IEC 17043:2023 Record Retention and Access Control Guide
Last Updated on September 25, 2025 by Melissa Lazaro
Let’s be honest—record control isn’t the flashiest part of your management system. But if you’re working toward compliance with ISO/IEC 17043:2023, your records—and how you manage them—can make or break your audit.
In my experience supporting PT providers, I’ve seen too many labs stumble because they didn’t define how long to keep records, had unclear access rights, or lost traceability between procedures and supporting evidence. That’s avoidable.
In this guide, I’ll walk you through what records you need to retain, for how long, and how to ensure controlled access—all in line with ISO/IEC 17043:2023.
What ISO/IEC 17043:2023 Expects Regarding Records
The updated standard doesn’t hand you a list of record types or retention periods. Instead, it uses key phrases like:
- “Retain documented information…”
- “Maintain records of…”
- “Access shall be controlled…”
What this means: you are expected to define, document, and control how records are created, maintained, accessed, and eventually disposed of. This includes both paper and electronic formats.
Clause 8.5 in particular outlines the expectations around management system documentation, including documented information required to demonstrate conformance and the effectiveness of your QMS.
Types of Records You Must Retain
Let’s break this down into the main categories of records expected under ISO/IEC 17043:2023.
a) Management System Records
These show how your overall system operates and improves:
- Internal audit reports and checklists
- Management review minutes and action items
- Risk assessments and mitigation plans
- Records of nonconformities and corrective actions
- Complaints and appeals logs
b) PT Scheme Records
This is your core technical evidence:
- PT scheme design and planning documents
- Homogeneity and stability testing results
- Sample production and distribution tracking
- Participant communications and instructions
- Submitted results and statistical analysis
- Final performance evaluation reports
- Participant feedback and any follow-up actions
c) Personnel and Competence Records
Evidence that your team is qualified and up to date:
- Job descriptions and responsibilities
- Training attendance and course materials
- Competency evaluations
- Authorization to perform specific tasks
d) Technical and Equipment Records
These are often overlooked, but crucial:
- Equipment calibration and maintenance logs
- Environmental monitoring (if applicable)
- Software validation documentation
- Subcontractor approval records
Each of these categories supports a different clause in ISO/IEC 17043:2023—and you’ll need to be able to show records for each.
How Long to Retain Each Type of Record
ISO/IEC 17043:2023 doesn’t prescribe retention periods. That’s up to you—but you must be consistent and able to justify them.
Here’s a practical starting point based on industry norms:
| Record Type | Suggested Retention Period |
|---|---|
| PT Scheme Results & Evaluation | 5–7 years |
| Management Review & Internal Audits | 3–5 years |
| Corrective Actions & Complaints | Minimum 3 years |
| Training & Competency | Duration of employment + 2 years |
| Calibration & Maintenance Logs | 3–5 years |
The key is to document these retention times in a policy or matrix. This way, you’re not only compliant—you’re consistent.
Building an Effective Access Control System
Now that you’ve got records, you need to protect them. Access control isn’t just about preventing tampering—it’s also about ensuring authorized users can find and use the records they need.
Here’s what works:
- Role-based access: Define access by job function (e.g., only the Quality Manager can approve audit records).
- Electronic systems: Use permission levels, logins, and audit trails.
- Paper systems: Store records in locked cabinets or secured rooms, and maintain access logs if needed.
- Access control procedure: Yes—you need one. It should define who can create, review, approve, view, and delete records.
Auditors will often ask:
“Who has access to this record?”
“Is that access documented and traceable?”
Be ready to answer.
Linking Records to Your Document Control System
One of the most common issues I see during audits is poor linkage between procedures and the records that support them.
Here’s how to avoid that:
- Use a master record index that lists each procedure and the records it generates.
- Use reference numbers or codes for traceability.
- Keep outdated records separate or clearly marked as “archived”.
- Records don’t need version control like procedures do, but you do need to ensure they’re accurate, complete, and protected from unauthorized changes.
Pro Tips
- Pro Tip: Build a “Master Record Table” that lists each record type, owner, location, format, retention period, and access level. Auditors love it—and so will your team.
- Pro Tip: Schedule routine checks to ensure records haven’t been modified, lost, or stored in the wrong place.
- Pro Tip: Teach your team what a “record” actually is. Often, things like emails, spreadsheets, or meeting notes are records—and need retention.
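As an added illustration (not code from this guide or from any lab's system), here is a small Python model of the pieces described under access control and in the Pro Tips: a master record table with owners and retention periods, a role-based access matrix with an append-only audit trail, a disposal-date calculation, and the routine integrity check. The role names, record types and retention values are constructed assumptions, chosen within the ranges the retention table above suggests.

```python
import hashlib
from datetime import date

# Constructed master record table (record type -> owner role, retention years).
# Retention values sit at the upper end of the guide's suggested ranges;
# record types and role names are assumptions for this example only.
MASTER_RECORD_TABLE = {
    "internal_audit":    {"owner": "quality_manager", "retention_years": 5},
    "pt_results":        {"owner": "scheme_coordinator", "retention_years": 7},
    "corrective_action": {"owner": "quality_manager", "retention_years": 3},
}

# Role-based access matrix: who may create, review, approve or view each record
# type. No role is granted "delete"; disposal is a scheduled step, not an edit.
ACCESS_MATRIX = {
    "quality_manager":    {"internal_audit": {"create", "review", "approve", "view"},
                           "corrective_action": {"create", "review", "approve", "view"},
                           "pt_results": {"view"}},
    "scheme_coordinator": {"pt_results": {"create", "review", "approve", "view"},
                           "internal_audit": {"view"}},
    "technician":         {"pt_results": {"create", "view"}},
}

AUDIT_TRAIL = []  # append-only: (user, role, record_type, action, decision)

def authorize(user, role, record_type, action):
    """Decide an access request from the matrix and log the outcome."""
    allowed = action in ACCESS_MATRIX.get(role, {}).get(record_type, set())
    AUDIT_TRAIL.append((user, role, record_type, action,
                        "ALLOW" if allowed else "DENY"))
    return allowed

def disposal_date(record_type, created_iso):
    """Earliest disposal date (ISO string); 29 Feb rolls back to 28 Feb."""
    created = date.fromisoformat(created_iso)
    years = MASTER_RECORD_TABLE[record_type]["retention_years"]
    try:
        due = created.replace(year=created.year + years)
    except ValueError:  # created on a leap day, target year is not a leap year
        due = created.replace(year=created.year + years, day=28)
    return due.isoformat()

def fingerprint(content):
    """SHA-256 of a record's bytes, stored when the record is filed."""
    return hashlib.sha256(content).hexdigest()

def verify_integrity(content, filed_hash):
    """Routine check: the stored record still matches the hash filed with it."""
    return fingerprint(content) == filed_hash
```

Running the routine check over every filed record on a schedule, and reviewing the DENY entries in the audit trail, gives the "who has access, and is it traceable?" answer auditors ask for.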
Common Mistakes to Avoid
Mistake #1: No Written Retention Policy
Verbal agreements or informal practices don’t cut it. You need a documented, approved policy.
Mistake #2: Keeping Everything Forever
Not only does this create clutter, it increases the risk of data breaches and makes audits harder. Define disposal timelines.
Mistake #3: Uncontrolled Access
If everyone in the lab has full access to delete or edit files, you’re at risk—especially if something goes wrong and no audit trail exists.
Mistake #4: Losing the Link
If auditors can’t see how your records support your procedures, your system will appear disconnected—even if it’s functioning.
FAQs
Q: Can we store records in the cloud?
Yes—provided it’s secure, access-controlled, and you can demonstrate retrieval during audits.
Q: Do we have to print electronic records for audits?
No. Electronic access is fine as long as the records are clearly organized, traceable, and protected.
Q: How do we know what counts as a “record”?
If it provides objective evidence that a process was carried out, it’s a record. That includes filled-out forms, results, reports, emails, and even screenshots in some cases.
Make Records Work for You, Not Against You
Strong record retention and access control aren’t just about compliance—they protect your operation, your data, and your reputation.
Labs that take time to define retention rules, lock down access, and link records clearly to their management system always come out ahead during audits. And when something goes wrong? Good records make it easier to fix—and prove you did.
Want help getting started? I can send you a retention matrix template and a sample access control policy—just say the word.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.