Documents you must maintain (living documents)
- Scope of the QMS (clause 4.3), including justification for any requirement you deem not applicable.
- Quality policy (clause 5.2).
- Quality objectives (clause 6.2).
- Any documents you determine necessary for your processes to run effectively (clause 4.4 and 7.5). This is deliberately in your hands.
Records you must retain (evidence)
- Fitness of monitoring and measuring resources, including calibration basis where traceability matters (7.1.5).
- Evidence of competence (7.2).
- Evidence that operational processes ran as planned and outputs met requirements (8.1, 8.5, 8.6), including release authorization and traceability where required.
- Review of customer requirements, including changes (8.2).
- Design and development inputs, controls, outputs, and changes, where design is in scope (8.3).
- Evaluation, selection, and monitoring of external providers (8.4).
- Control of nonconforming outputs and actions taken (8.7).
- Monitoring and measurement results (9.1), internal audit program and results (9.2), management review outputs (9.3).
- Nonconformities and corrective action results (10.2).
The mistake to avoid in both directions
Under-documenters fail audits on missing evidence: the work happened but nobody can prove it. Over-documenters build procedure libraries no one reads, which then contradict actual practice, which is itself a nonconformity (your system must match reality). The auditor's test is simple: does the documentation you chose let your processes run consistently and prove they did. My field advice after hundreds of audits: document what a competent new hire would need to do the job right, retain what a skeptical customer would need to trust the result, and stop there.