Certification Records and Documentation Requirements

Certification records form the evidentiary backbone of any conformity assessment system, documenting that a product, management system, or individual has met defined requirements at a specific point in time. This page covers the types of records generated across the certification lifecycle, the mechanisms governing their creation and retention, and the regulatory frameworks that define minimum standards. Understanding these requirements is essential for certification bodies, accredited auditors, and organizations seeking to maintain or transfer certifications without compliance gaps.

Definition and scope

Certification records are the documented evidence — in physical or electronic form — that a conformity assessment process was conducted, evaluated, and decided upon according to applicable scheme rules or regulatory requirements. The scope of "certification records" extends beyond the certificate itself to include audit plans, audit reports, nonconformity records, corrective action evidence, surveillance visit summaries, and certification decision rationale.

ISO/IEC 17021-1, the internationally recognized standard for bodies providing audit and certification of management systems, defines specific record-keeping obligations in Section 9. These include requirements that records demonstrate competence of audit team members, document the basis for certification decisions, and capture any client-supplied information used in the assessment. Organizations pursuing management system certification under ISO 9001, ISO 14001, or ISO 45001 must expect their certification body to maintain this evidence portfolio independently of — and in addition to — the organization's own internal records.

The distinction between the organization's records and the certification body's records is operationally important. The certification body holds audit reports, decision records, and complaint files as its own controlled documents. The certified organization maintains its internal quality management documentation, corrective action logs, and evidence of continued conformance. Both sets are subject to retention requirements, but under separate authorities.

For product certification, the scope typically includes test reports, sample handling records, product specifications at time of testing, and decision letters — all governed by ISO/IEC 17065, the standard for bodies certifying products, processes, and services.

How it works

The documentation cycle in certification follows discrete phases aligned with the compliance certification lifecycle:

  1. Application stage: The certification body records the client's application, scope request, and any pre-application communications. These establish the defined scope boundary against which all subsequent records are evaluated.
  2. Stage 1 audit documentation: For management system certification, a Stage 1 (document review) audit generates records confirming that the organization's documented system is sufficiently developed to proceed to Stage 2. Deficiencies noted at Stage 1 are recorded and tracked.
  3. Stage 2 audit records: Field audit records capture objective evidence — interviews, observations, document reviews — mapped against each applicable clause or requirement. Nonconformities are recorded with reference to specific clause numbers and supporting evidence.
  4. Certification decision file: A formally designated certification decision-maker reviews the audit record and documents the decision rationale. ISO/IEC 17021-1 §9.5 requires that the decision be made by a person different from those who conducted the audit, and this separation must be documented.
  5. Certificate issuance record: The certificate number, scope, validity period, and issued-to entity are logged in the certification body's directory. For accredited bodies recognized by ANAB or A2LA, these records feed into publicly searchable accreditation databases.
  6. Surveillance and recertification records: Ongoing surveillance audits and recertification generate their own record sets, each linked to the original certification record by a unique certificate number or client identifier.

Retention periods are not universally standardized, but ISO/IEC 17021-1 requires that records be retained for a period covering at least one full certification cycle — typically 3 years for management system certifications on a 3-year cycle — plus any post-certification dispute resolution period.

Common scenarios

Transfer of certification between bodies: When an organization moves from one certification body to another, the receiving body must obtain and evaluate the transferring body's audit records. The transfer process requires the receiving body to document its review of prior audit history, any open nonconformities, and the basis for accepting or rejecting continuity of certification.

Regulatory audits of certification body records: In sectors governed by federal requirements — such as FDA-regulated medical device manufacturers operating under 21 CFR Part 820, or food safety programs referencing FSMA — regulatory inspectors may request access to certification records as supporting evidence. The certification body's records do not substitute for regulatory compliance records, but they may be reviewed as corroborating documentation.

Lapsed or suspended certification: When a certificate is suspended or withdrawn, the record of that action — including the triggering nonconformity and the notification date — must be maintained and, for accredited bodies, reported to the accreditation body. Per ISO/IEC 17021-1 §9.6, the certification body must have documented procedures for these actions and maintain the associated records.

Personnel certification programs: Unlike management system records, personnel certification programs generate records tied to individuals — exam scores, competency assessments, continuing education logs — and these carry their own retention rules under schemes governed by ISO/IEC 17024.

Decision boundaries

A critical distinction governs which records must be publicly accessible versus which are confidential. Certification bodies accredited under ANAB or A2LA are required to make certification status — including scope, issue date, and suspension status — publicly searchable. The underlying audit evidence, nonconformity details, and client-specific documentation remain confidential under ISO/IEC 17021-1 §8.5.

A second boundary separates mandatory retention from discretionary retention. Records that directly support a current certification decision are mandatory. Supporting communications, draft reports, and informal site notes may fall under discretionary retention, subject to the certification body's own documented information management procedures.

For organizations evaluating certification options, the regulatory vs. voluntary certification distinction affects record obligations significantly: regulatory certification schemes imposed by agencies such as OSHA, EPA, or FDA carry statutory record retention requirements that override or supplement voluntary scheme rules.
