Some of the ISO9001:2008 standard requirements are phrased in a way that may require you to do a lot of work. Or you may think so. A thorough review of each element of the standard may make a same requirement demand significantly different amount of effort in order to comply with the standard. Let's look at different type of companies and see how the same standard requirement would be applied.
Company A is an insurance company that evaluates medical claims for their customers and pays out the bills. All information is computerized there is no paper handled, all transactions are electronic. Quality Records for this company need protection in the form of hardware/software protection. Protecting the system from power failure, viruses, computer hackers, and protection of patient confidentiality are some of the issues that you need to be concerned with when you are addressing the issue of quality record protection.
Company B is a metal fabricator of parts that will be used in an airplane. Company B will maintain certificates of conformance for the raw metal that was purchased. These need to be physically protected from fire, water, etc. A fireproof safe may be important to maintain this type of records. If you scan these records in the computer, quality records issues may again involve software/hardware.
Company C, a chemical company may retain samples of their product for future reference. The chemical properties will need to be maintained over time. They may need to be refrigerated or kept at a defined temperature and humidity. They will also most likely have records of the actual tests that were taken: certificates of analysis or conformance, records of standards used when determining the results, training records of those who did analysis, test equipment records, etc.
Each company A, B, and C will need to do things differently to protect their records. Each may need different storage capabilities to maintain their record. Depending on the properties of the record that would cause it to loose it's original quality you will need to use different method of protection. Depending on the level of confidentiality of the records the access level may need to be controlled. The amount of resources you may want to spend to protect these records will depend on the risk of not them and the potential of the risk your product presents. For example: your records for producing a toothpick will not be critical as records for a bolt that is used in a construction of a space shuttle.
One requirement could result in purchasing of a decent fireproof safe or maintenance of a copy of the record at a different location. The same requirement could require another company to build a facility that is humidity and temperature controlled. That is why it is very important that you look at each aspect of the standard and determine what impact it can have on your organization. You could potentially spend a lot of resources for compliance to a requirement that is totally unnecessary.
This is what makes the standard so fascinating, the flexibility to apply the same requirement across countries and across industries. Services, schools, hospitals, banks or a manufacturers all need to satisfy the same requirements of the standard in order to get registered.
At the same time though, that is also what makes the implementation of ISO9001:2008 so frustrating, because you can't go to another company that is registered and say give me the stuff so that I can duplicate it in my place and get certified. This is why the "boiler plate" documentation does not work for users. Everything needs to be customized to your needs. It's your system, you're the one who can make it work for you.