Resources — Infrastructure
ISO 9001 Clause 7.1.3 requires you to identify the infrastructure your processes need, provide it, and keep it maintained so products and services consistently meet requirements 1. To operationalize it, map infrastructure to each core process, define ownership and maintenance controls, and retain objective evidence that infrastructure is fit-for-purpose and controlled.
Key takeaways:
- Tie infrastructure requirements to process requirements, not to a generic “IT and facilities” checklist 1.
- Prove “maintained” with work orders, preventive maintenance, calibration/verification linkages, and change control evidence 1.
- Auditors look for gaps at interfaces: third-party infrastructure, shared tools, temporary facilities, and cloud services.
A lot of ISO 9001 programs fail Clause 7.1.3 for a simple reason: teams treat “infrastructure” as a facilities ticketing problem, while auditors assess it as a product/service conformity control 1. Clause 7.1.3 is short, but it reaches across operations, engineering, IT, production/service delivery, and procurement. “Infrastructure” is broader than buildings and machines. It includes information technology, transportation, and any environment that must work reliably for your processes to produce conforming outputs 1.
As a Compliance Officer, CCO, or GRC lead, your job is to make the requirement auditable: clear criteria for what infrastructure is needed, accountable owners, documented maintenance and change controls, and evidence that breakdowns are found and corrected before they become quality escapes. This page gives you a fast path: determine scope, document infrastructure needs by process, implement maintenance and monitoring controls, and build an evidence pack that stands up in certification and surveillance audits.
Regulatory text
ISO 9001:2015 Clause 7.1.3: “The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services.” 1
What the operator must do:
You must (1) decide what infrastructure is necessary for each process that affects product/service conformity, (2) ensure it exists and is available when needed, and (3) keep it in a controlled, working state through maintenance, monitoring, and timely repair/replacement 1.
Plain-English interpretation (what “good” looks like)
- You can point to each core process (design, purchasing, production/service delivery, testing, shipping, customer support) and name the infrastructure that must function for that process to meet requirements.
- You have owners and controls for that infrastructure (preventive maintenance, access control, backups, spares, environmental monitoring, service contracts).
- You can show evidence the controls run as designed and that failures trigger corrective action.
ISO 9001 is intentionally technology-neutral. Auditors won’t require a specific tool, but they will require objective evidence that your infrastructure decisions are deliberate and maintained 1.
Who it applies to (entity and operational context)
Entity scope: Any organization operating a quality management system certified or aligned to ISO 9001 1.
Operational contexts where Clause 7.1.3 becomes audit-critical:
- Manufacturing: production lines, utilities, tooling, metrology equipment interfaces, warehouse systems.
- Service delivery: call center platforms, ticketing systems, secure workstations, knowledge bases.
- Software/digital products: CI/CD tooling, cloud hosting, monitoring, build environments, incident response tooling.
- Regulated or high-reliability operations: where downtime, data integrity issues, or equipment drift can cause nonconforming output.
- Outsourced or shared operations: third-party logistics, contract manufacturers, cloud providers, managed service providers.
Boundary rule auditors test: If a process affects conformity, the infrastructure it depends on is in scope, even if owned by a third party or shared across business units 1.
What you actually need to do (step-by-step)
1) Define “infrastructure” for your QMS scope
Create a one-page definition aligned to your operations. Include, at minimum:
- Facilities and utilities (sites, clean rooms, HVAC critical to specs).
- Equipment and tools (production, test, inspection, measurement-supporting equipment).
- Transportation and logistics assets (shipping systems, cold chain equipment where applicable).
- Information technology (networks, servers/cloud, applications, endpoints, monitoring) 1.
This becomes your audit anchor: you are showing you “determined” what infrastructure means in your context.
2) Build a process-to-infrastructure matrix (the fastest way to be audit-ready)
Create a table mapping:
- Process (from your process map)
- Required infrastructure
- Conformity impact (what fails if this breaks)
- Owner (role, not name)
- Control method (PM schedule, service contract, monitoring, backup)
- Evidence location (CMMS, ticketing, asset register, SOP repository)
Example rows auditors love because they show traceability:
- “Final inspection” → “Optical comparator + lighting + workstation PC” → “Incorrect accept/reject decisions” → “Quality Engineering” → “Calibration program + maintenance tickets” → “Calibration records folder / CMMS.”
3) Establish minimum control set (do this before writing long procedures)
You need controls that cover the lifecycle: acquisition, operation, maintenance, and replacement.
Core controls to implement:
- Asset inventory: A controlled list of in-scope infrastructure with unique IDs where practical.
- Maintenance management: Preventive maintenance criteria, trigger-based maintenance, work order tracking, and closeout verification.
- Availability controls: Capacity planning for bottlenecks, spares strategy for high-impact components, failover where needed.
- Change control: Review and approval for infrastructure changes that can affect conformity (equipment moves, major upgrades, cloud changes, network segmentation changes).
- Supplier/third-party controls: Contracts/SOWs defining service expectations, escalation, and access; oversight for outsourced maintenance or hosted systems.
Keep procedures short. Auditors prefer clear criteria and evidence over lengthy narratives.
4) Set “fit for purpose” acceptance criteria for critical infrastructure
For each critical infrastructure item/category, define acceptance criteria such as:
- Performance/accuracy parameters (where applicable).
- Environmental constraints (temperature/humidity limits if relevant to output).
- System availability needs (business-defined).
- Data integrity requirements for IT systems supporting quality records.
You are building a defensible argument that infrastructure supports conformity 1.
5) Integrate incident, nonconformance, and corrective action flows
A mature implementation links infrastructure failures to your QMS:
- If infrastructure failure causes or could cause nonconforming output, it must feed your nonconformance/CAPA process.
- Add a simple decision tree to your incident process: “Could this impact product/service conformity?” If yes, route to Quality for disposition and containment.
6) Test the system with a “walkthrough audit” before the real audit
Pick one product/service line. Walk end-to-end:
- Identify each infrastructure dependency.
- Pull maintenance evidence for the last period.
- Verify change control evidence for recent changes.
- Confirm issues were tracked and closed with verification.
This finds the typical gaps: undocumented “shadow” tools, informal maintenance, and third-party dependencies with no evidence trail.
Required evidence and artifacts to retain
Auditors will ask for objective evidence that you determined, provided, and maintained infrastructure 1. Build an evidence pack with:
Determined
- Process map and process-to-infrastructure matrix
- Risk/impact rationale for what is considered “critical” infrastructure
- Infrastructure requirements/standards for key areas (IT baseline, facilities specs where relevant)
Provided
- Asset register (owned and third-party where relevant)
- Procurement and acceptance records for critical equipment (installation qualification notes where used)
- Access provisioning evidence for IT systems supporting delivery/quality records
Maintained
- Preventive maintenance schedules and completion records
- Work orders/tickets with closeout notes and verification
- Service reports from third parties performing maintenance
- Change requests/approvals for significant upgrades/moves
- Monitoring logs/alerts for critical IT and utilities (where used)
- CAPA records tied to infrastructure-related incidents
Practical tip: if evidence lives in multiple systems (CMMS, Jira/ServiceNow, spreadsheets), document the “system of record” for each artifact type so the auditor does not chase links.
Common exam/audit questions and hangups
Auditors tend to probe these areas because they reveal whether “maintain” is real:
- “Show me how you decided what infrastructure is necessary.” They want traceability to processes and conformity risks, not a list of buildings.
- “How do you know preventive maintenance is done on time and effective?” Expect to show completion records and some form of review/oversight.
- “What happens when infrastructure fails during production/service delivery?” They want containment, disposition, and a CAPA route when conformity is at risk.
- “Which infrastructure is owned/managed by third parties?” They will test whether you have oversight evidence, not just a contract.
- “How do you control IT infrastructure that stores quality records?” They look for access control, backup/restore practices, and change controls aligned to conformity impact.
Frequent implementation mistakes (and how to avoid them)
Mistake 1: Treating Clause 7.1.3 as “Facilities owns it”
Avoidance: Make infrastructure a cross-functional control with Quality-defined criteria and Operations/IT execution. Use the process-to-infrastructure matrix to assign owners.
Mistake 2: No definition of “critical infrastructure”
Avoidance: Tag infrastructure by conformity impact. Auditors accept prioritization if it is consistent and risk-based 1.
Mistake 3: Maintenance exists, but evidence is scattered or unauditable
Avoidance: Standardize closeout requirements (what must be recorded), and define the system of record. Require attachments for third-party service reports.
Mistake 4: Ignoring third-party infrastructure
Avoidance: Treat key third-party dependencies (cloud hosting, contract manufacturing equipment, outsourced calibration) as in-scope infrastructure. Require service evidence and escalation paths.
Mistake 5: Change control only covers product design, not supporting systems
Avoidance: Expand change control triggers to include infrastructure changes that can affect conformity (equipment relocation, firmware upgrades, network changes, major SaaS configuration changes).
Enforcement context and risk implications
No public enforcement cases were provided for this requirement in the source catalog. Operationally, the risk is straightforward: poorly controlled infrastructure becomes a root cause of nonconforming product/service output, late delivery, loss of traceability, and audit nonconformities against ISO 9001:2015 Clause 7.1.3 1.
In practice, certification bodies often grade these findings as systemic if you cannot show a consistent method to determine and maintain infrastructure across processes. That increases surveillance scrutiny and drives repeat findings.
Practical 30/60/90-day execution plan
First 30 days (stabilize and define)
- Confirm QMS scope and list core processes that affect conformity.
- Publish your infrastructure definition for QMS purposes (facilities, equipment, transportation, IT) 1.
- Create the first version of the process-to-infrastructure matrix for one high-impact value stream.
- Identify obvious gaps: missing PM records, unmanaged tools, undocumented third-party dependencies.
- Decide your systems of record (CMMS/ticketing/asset inventory) and minimum evidence requirements.
By 60 days (control the highest-risk infrastructure)
- Expand the matrix to cover all core processes in scope.
- Tag critical infrastructure and set acceptance/maintenance criteria by category.
- Implement or tighten PM scheduling, work order closeout standards, and oversight review.
- Add change control triggers for infrastructure changes.
- Formalize third-party oversight for outsourced infrastructure: service reports, escalation, and periodic performance review.
By 90 days (make it auditable and repeatable)
- Run an internal walkthrough audit on two process lines and close gaps.
- Link infrastructure incidents to nonconformance/CAPA decisioning.
- Produce a single “Clause 7.1.3 evidence pack” index: where each artifact lives and who owns it.
- If you manage many third parties and shared systems, consider using Daydream to centralize third-party evidence requests and renewals so infrastructure-related attestations and service reports don’t disappear in email threads.
Frequently Asked Questions
What counts as “infrastructure” under ISO 9001 Clause 7.1.3?
Infrastructure includes the physical and digital foundations your processes need to run and produce conforming outputs: buildings, equipment, transportation, and information technology 1. Define it for your QMS scope and map it to your processes.
Do cloud services and SaaS tools count as infrastructure?
Yes, if they are necessary for process operation or conformity, such as systems that run service delivery, store quality records, or support testing/release workflows 1. Treat the provider as a third-party dependency and retain service and change evidence.
How detailed does the maintenance program need to be?
It needs to be detailed enough to show you maintain infrastructure in a controlled way: schedules or triggers, completion evidence, and verification/closeout notes 1. Prioritize detail for infrastructure with the highest conformity impact.
What evidence is most persuasive to an ISO auditor?
A process-to-infrastructure matrix plus objective records that maintenance and changes were executed (work orders, service reports, change approvals) 1. Auditors respond well to traceability from process requirement to infrastructure control to evidence.
How do we handle infrastructure owned by a third party (contract manufacturer, 3PL, MSP)?
Treat it as required infrastructure and document how you oversee it through contracts, defined service expectations, and retained service/maintenance reports 1. Your audit exposure remains even if the asset is not on your balance sheet.
Can we pass Clause 7.1.3 without a formal asset register?
ISO 9001 does not prescribe an “asset register,” but you must be able to show you determined what infrastructure is necessary and that it is maintained 1. An inventory is the most efficient way to make that proof repeatable.
Footnotes
1. ISO 9001:2015 Quality management systems — Requirements