ISO/IEC 17043:2023 Record Retention and Access Control Guide
Last Updated on September 25, 2025 by
Let’s be honest—record control isn’t the flashiest part of your management system. But if you’re working toward compliance with ISO/IEC 17043:2023, your records—and how you manage them—can make or break your audit.
In my experience supporting PT providers, I’ve seen too many labs stumble because they didn’t define how long to keep records, had unclear access rights, or lost traceability between procedures and supporting evidence. That’s avoidable.
In this guide, I’ll walk you through what records you need to retain, for how long, and how to ensure controlled access—all in line with ISO/IEC 17043:2023.
What ISO/IEC 17043:2023 Expects Regarding Records
The updated standard doesn’t hand you a list of record types or retention periods. Instead, it uses key phrases like:
- “Retain documented information…”
- “Maintain records of…”
- “Access shall be controlled…”
What this means: you are expected to define, document, and control how records are created, maintained, accessed, and eventually disposed of. This includes both paper and electronic formats.
Clause 8.5 in particular outlines the expectations around management system documentation, including documented information required to demonstrate conformance and the effectiveness of your QMS.
Types of Records You Must Retain
Let’s break this down into the main categories of records expected under ISO/IEC 17043:2023.
a) Management System Records
These show how your overall system operates and improves:
- Internal audit reports and checklists
- Management review minutes and action items
- Risk assessments and mitigation plans
- Records of nonconformities and corrective actions
- Complaints and appeals logs
b) PT Scheme Records
This is your core technical evidence:
- PT scheme design and planning documents
- Homogeneity and stability testing results
- Sample production and distribution tracking
- Participant communications and instructions
- Submitted results and statistical analysis
- Final performance evaluation reports
- Participant feedback and any follow-up actions
c) Personnel and Competence Records
Evidence that your team is qualified and up to date:
- Job descriptions and responsibilities
- Training attendance and course materials
- Competency evaluations
- Authorization to perform specific tasks
d) Technical and Equipment Records
These are often overlooked, but crucial:
- Equipment calibration and maintenance logs
- Environmental monitoring (if applicable)
- Software validation documentation
- Subcontractor approval records
Each of these categories supports a different clause in ISO/IEC 17043:2023—and you’ll need to be able to show records for each.
How Long to Retain Each Type of Record
ISO/IEC 17043:2023 doesn’t prescribe retention periods. That’s up to you—but you must be consistent and able to justify them.
Here’s a practical starting point based on industry norms:
| Record Type | Suggested Retention Period |
|---|---|
| PT Scheme Results & Evaluation | 5–7 years |
| Management Review & Internal Audits | 3–5 years |
| Corrective Actions & Complaints | Minimum 3 years |
| Training & Competency | Duration of employment + 2 years |
| Calibration & Maintenance Logs | 3–5 years |
The key is to document these retention times in a policy or matrix. This way, you’re not only compliant—you’re consistent.
Building an Effective Access Control System
Now that you’ve got records, you need to protect them. Access control isn’t just about preventing tampering—it’s also about ensuring authorized users can find and use the records they need.
Here’s what works:
- Role-based access: Define access by job function (e.g., only the Quality Manager can approve audit records).
- Electronic systems: Use permission levels, logins, and audit trails.
- Paper systems: Store records in locked cabinets or secured rooms, and maintain access logs if needed.
- Access control procedure: Yes—you need one. It should define who can create, review, approve, view, and delete records.
Auditors will often ask:
- “Who has access to this record?”
- “Is that access documented and traceable?”
Be ready to answer.
Linking Records to Your Document Control System
One of the most common issues I see during audits is poor linkage between procedures and the records that support them.
Here’s how to avoid that:
- Use a master record index that lists each procedure and the records it generates.
- Use reference numbers or codes for traceability.
- Keep outdated records separate or clearly marked as “archived”.
- Records don’t need version control like procedures do, but you do need to ensure they’re accurate, complete, and protected from unauthorized changes.
Pro Tips
- Pro Tip: Build a “Master Record Table” that lists each record type, owner, location, format, retention period, and access level. Auditors love it—and so will your team.
- Pro Tip: Schedule routine checks to ensure records haven’t been modified, lost, or stored in the wrong place.
- Pro Tip: Teach your team what a “record” actually is. Often, things like emails, spreadsheets, or meeting notes are records—and need retention.
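The retention table, the access control procedure (who may create, review, approve, view and delete) and the Master Record Table tip above can be tied together in one small record register. The Python below is an added example, not code from the article: it takes the upper end of each suggested retention range, applies the “employment + 2 years” rule to training records, and uses an illustrative role matrix in which only the Quality Manager approves and deletes; the role names, record types and reference codes are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Retention periods from the article's table, using the upper end of each range (assumption).
RETENTION_YEARS = {
    "pt_results": 7,          # PT Scheme Results & Evaluation: 5-7 years
    "management_review": 5,   # Management Review & Internal Audits: 3-5 years
    "corrective_action": 3,   # Corrective Actions & Complaints: minimum 3 years
    "training": 2,            # Training & Competency: counted from end of employment
    "calibration": 5,         # Calibration & Maintenance Logs: 3-5 years
}
# Illustrative access matrix (role names are assumptions); only the Quality Manager
# may approve or delete, mirroring the article's example.
ACCESS_MATRIX = {
    "quality_manager": {"create", "review", "approve", "view", "delete"},
    "pt_coordinator": {"create", "review", "view"},
    "analyst": {"create", "view"},
}
AUDIT_TRAIL: List[Tuple[str, str, str, str]] = []  # (record ref, role, operation, outcome)

@dataclass
class Record:
    ref: str           # reference code for traceability
    rtype: str         # key into RETENTION_YEARS
    created: date
    owner: str
    location: str
    employment_end: Optional[date] = None  # training records only; None = still employed

def _add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)

def disposal_date(rec: Record) -> Optional[date]:
    """Earliest disposal date, or None while the retention clock has not started."""
    start = rec.employment_end if rec.rtype == "training" else rec.created
    return None if start is None else _add_years(start, RETENTION_YEARS[rec.rtype])

def disposal_report(records: List[Record], today: date) -> List[str]:
    """Routine check: refs of records whose retention period has expired as of today."""
    return [r.ref for r in records if (d := disposal_date(r)) is not None and d <= today]

def authorised(role: str, op: str, rec: Record) -> bool:
    """Role-based access check; every decision, allowed or denied, goes to the audit trail."""
    ok = op in ACCESS_MATRIX.get(role, set())
    AUDIT_TRAIL.append((rec.ref, role, op, "allowed" if ok else "denied"))
    return ok
```

Denied attempts are logged as well as allowed ones, so the trail answers the auditor's “who has access, and is it traceable?” for both cases.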
Common Mistakes to Avoid
Mistake #1: No Written Retention Policy
Verbal agreements or informal practices don’t cut it. You need a documented, approved policy.
Mistake #2: Keeping Everything Forever
Not only does this create clutter, it increases the risk of data breaches and makes audits harder. Define disposal timelines.
Mistake #3: Uncontrolled Access
If everyone in the lab has full access to delete or edit files, you’re at risk—especially if something goes wrong and no audit trail exists.
Mistake #4: Losing the Link
If auditors can’t see how your records support your procedures, your system will appear disconnected—even if it’s functioning.
FAQs
Q: Can we store records in the cloud?
Yes—provided it’s secure, access-controlled, and you can demonstrate retrieval during audits.
Q: Do we have to print electronic records for audits?
No. Electronic access is fine as long as they are clearly organized, traceable, and protected.
Q: How do we know what counts as a “record”?
If it provides objective evidence that a process was carried out, it’s a record. That includes filled-out forms, results, reports, emails, and even screenshots in some cases.
Make Records Work for You, Not Against You
Strong record retention and access control aren’t just about compliance—they protect your operation, your data, and your reputation.
Labs that take time to define retention rules, lock down access, and link records clearly to their management system always come out ahead during audits. And when something goes wrong? Good records make it easier to fix—and prove you did.
Want help getting started? I can send you a retention matrix template and a sample access control policy—just say the word.
I’m an engineer specialized in the food and agricultural industry who works to make ISO standards less intimidating and more approachable for everyone. Whether it’s ISO 9001, ISO 22000, or the cosmetics-focused ISO 22716, I’ve spent my career turning complex jargon into clear, actionable steps that businesses can actually use. There’s something incredibly rewarding about helping people navigate food safety and quality management systems in a way that feels simple, practical, and even enjoyable. I’m not here to call myself an expert—I prefer “enthusiast” because I truly love what I do. When I’m not writing about standards, you’ll probably find me playing piano 🎹, connecting with people, or diving into my next big project 💫.
- I have a Master’s in QHSE management and over 12 years of experience as a Quality Manager.
- I’ve helped more than 15 companies implement ISO 9001, ISO 22000, ISO 22716, GMP, and other standards.
- My clients include food producers, cosmetics manufacturers, laboratories, and service companies.
- I believe quality systems should be simple, useful, and efficient.
