Is it true that once a records system is certified to a standard it stays compliant no matter how we configure or use it later?
No. This is one of the most common and costly misconceptions in records management. Certifying a system against a standard is not a permanent stamp that survives whatever you do next. It is a snapshot, and compliance is something you maintain, not something you bank.
What certification actually means
When a records system is tested or certified against a standard, the assessment looks at a particular version of the software, configured in a particular way, evaluated at a particular moment. The result tells you that the product is capable of meeting the standard’s requirements when set up and operated correctly. It does not guarantee that any given deployment is configured to use those capabilities, nor that it will stay that way.
A standard describes outcomes, such as records being authentic, reliable, usable, and retained for their full retention period. Whether your live system delivers those outcomes depends on how you implement and run it day to day.
Why compliance can drift after certification
Several ordinary changes can quietly move a certified system out of compliance:
- Configuration changes — disabling audit logging, relaxing access controls, or changing how disposition holds work.
- Misuse or workarounds — staff storing official records outside the system, in email, or on shared drives.
- Retention and disposition gaps — schedules not loaded, not updated, or not actually enforced.
- Upgrades, migrations, and integrations — new versions or connected systems that alter behavior the certification never examined.
- Neglect — metadata, indexes, or preservation routines that degrade over time.
In short, a feature that exists but is switched off, bypassed, or misapplied does not keep you compliant.
How to stay compliant over time
Treat compliance as an ongoing program rather than a one-time event. Document your approved configuration, control changes through governance, audit access and disposition activity, train users on proper recordkeeping, and reassess after major upgrades or migrations. Map your actual practices back to the standard’s requirements periodically so gaps surface before an audit or legal challenge does.
A certified product gives you a strong foundation, but the responsibility for a compliant system stays with the organization that operates it.
Explore related guidance on the compliance and standards topic hub.
Sources & further reading
Authoritative government and non-profit references.
- ISO 15489-1 Records management — ISO
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Is it true that once a records system is certified to a standard it stays compliant no matter how we configure or use it later?. Records Management University. https://www.recordsmgmt.org/questions/does-certification-stay-valid-after-configuration-changes/
MLA
RM University Editorial. "Is it true that once a records system is certified to a standard it stays compliant no matter how we configure or use it later?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/does-certification-stay-valid-after-configuration-changes/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?