See how we passed ISO 9001 and 27001 audits with no findings—using fully digital documentation and our own product to manage QMS and ISMS.
At Yonder, we are in the unsexy, no-nonsense, but relevant business of electronic documentation. And we have customers who expect us to be ISO 9001 and ISO 27001 certified.
So what could be better than using our own software product to set up and manage our ISO 9001 / 27001 documentation?
We’ve been following this approach for more than 3 years, and have successfully achieved ISO 9001 and 27001 certification.
Without help from expensive consultants.
Without a single paper folder.
However, setting up your QMS and ISMS for ISO 9001 and 27001 certification is only part of the journey. The real journey starts after the certification audit when the newly established processes need to be lived in everyday life.
That’s why there are maintenance and recertification audits after the initial certification audit. And for all those who think you can just set ISO 9001 and 27001 aside after the certification audit and not continuously update and improve your processes, let me tell you one thing: have fun with your recertification audit.
We just had our ISO 9001 recertification audit this week, after being ISO 9001 certified for three years.
At the same time, we also had our ISO 27001 maintenance audit, after being ISO 27001 certified for two years.
The Auditor’s Feedback
We passed this week’s audit with just some remarks and recommendations, but no findings. These remarks and recommendations cover various aspects of making our QMS and ISMS better — an external audit is not a threat, it is an opportunity to reduce your blind spots.
(Of course, that’s only true if you’ve covered the basics and the audit doesn’t uncover huge gaps and major findings.)
Besides the remarks and recommendations, our auditor commended us for two things:
- First, we have continuously developed our QMS and ISMS over the years
- Second, all the changes over the years are visible at a glance and without much search-and-find
How did we do this, considering that ISO 9001 and 27001 are not our primary activities in daily life?
The Short Answer: Eat Your Own Dog Food
In short, we eat our own dog food. Our QMS and ISMS are documented in our own documentation tool, and all the work-related instructions are documented and maintained in yo.yo, as we call our internal documentation.
In this way, our team can use our own product to find all relevant work instructions in their daily work. And because all changes are made directly in yo.yo, it’s easy for an auditor to see all the changes we made to our documentation over time.
The Long Answer: How Our Product Works for QMS/ISMS Documentation
Our product is made for controlled documents — norms, regulations, work instructions, and operations manuals. So it comes naturally to use it for QMS and ISMS documentation.
Document Versioning
Here is an excerpt from one of our process documents, showing the recently updated expense process:

The change bar on the right side shows immediately where changes were made to the process documentation. If an auditor asks you to show the changes to a process since the last audit, you can simply navigate back to past versions, selecting the version that was valid at the time of the last audit:

At a glance, it becomes visible that we have introduced work instructions between last year’s maintenance audit and this year’s recertification audit.
Change Request Handling
Continuously developing a QMS and ISMS is hard when you don’t do anything until a few days before the auditor arrives. That’s why we raise change requests directly in yo.yo. Everybody in the company has the right to raise a change request, whenever he or she thinks a certain section of a document needs to be changed.
Using the same behavior, our CISO raised all the auditor’s remarks and observations as change requests, directly at the right place in the ISMS, and directly during the audit:

Once a new revision of the ISMS document is initialized, the change requests are pulled into the revision automatically, and they can be edited and approved by using the built-in, configurable workflow.
So far, so good. Raising change requests manually is one thing, but how can we handle change requests triggered from the outside? For example, when the ISO 9001 norm is updated, wouldn’t it be nice to have a system that raises change requests automatically?
Our product allows linking a certain section of a document with a 3rd party regulation. For example, we linked Chapter 2 “Scope” of our QMS with Section 4.3 “Determining the scope of the quality management system” in the ISO 9001 norm. This means that QMS Chapter 2 implements Section 4.3 of the ISO 9001 norm.
Now whenever Section 4.3 of the ISO 9001 norm is updated, a change request is triggered automatically on our Chapter 2 “Scope”. We still have to put in thought and effort to change the content, but we don’t need to go through lists of changes, or even worse, find out during an audit that we missed a norm update.
All this requires a one-time effort by using an interface to a 3rd party compliance database and linking all the imported norm paragraphs to our QMS and ISMS:

The beauty of this setup is that the linking work has to be done only once: whenever our QMS and ISMS are updated, the references to the norm paragraphs remain in place.
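To make the change request handling described above concrete, here is a small model of it in Python. This is an added example and not Yonder’s code or the yo.yo product’s own logic; the class and function names, the section identifiers such as “QMS/2”, and the sample norm paragraph and requests are constructed for the demonstration. It shows the three behaviours from this section: anyone can raise a change request on a section by hand, a norm paragraph imported from a compliance database raises change requests automatically on every linked section when its version changes, and initializing a new revision of a document pulls its open change requests in.

```python
"""Toy model of norm-linked change requests (added example, not Yonder's code).
Names, identifiers and sample data are assumptions made for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ChangeRequest:
    target: str            # document section the request is attached to, e.g. "QMS/2"
    reason: str            # why the change is requested
    raised_by: str         # a person, or "system" for automatically raised requests
    status: str = "open"   # open -> in_revision -> (approved via the workflow)


@dataclass
class NormParagraph:
    norm: str              # e.g. "ISO 9001"
    section: str           # e.g. "4.3"
    title: str
    version: int = 1       # version as delivered by the compliance database


class ControlledDocumentation:
    """Holds norm paragraphs, section-to-norm links and change requests."""

    def __init__(self) -> None:
        self.norms: Dict[str, NormParagraph] = {}       # key "ISO 9001:4.3" -> paragraph
        self.links: Dict[str, List[str]] = {}           # norm key -> sections implementing it
        self.change_requests: List[ChangeRequest] = []

    def import_norm(self, paragraph: NormParagraph) -> str:
        key = f"{paragraph.norm}:{paragraph.section}"
        self.norms[key] = paragraph
        return key

    def link(self, section: str, norm_key: str) -> None:
        """One-time effort: record that a document section implements a norm paragraph."""
        self.links.setdefault(norm_key, []).append(section)

    def raise_change_request(self, target: str, reason: str, raised_by: str = "user") -> ChangeRequest:
        cr = ChangeRequest(target, reason, raised_by)
        self.change_requests.append(cr)
        return cr

    def update_norm(self, norm_key: str, new_version: int) -> List[ChangeRequest]:
        """Norm update from the compliance database: raise a CR on every linked section.
        A re-import of an unchanged version raises nothing."""
        para = self.norms[norm_key]
        if new_version <= para.version:
            return []
        para.version = new_version
        raised = []
        for section in self.links.get(norm_key, []):
            reason = f"{para.norm} section {para.section} updated to version {new_version}"
            raised.append(self.raise_change_request(section, reason, raised_by="system"))
        return raised

    def open_requests(self, document: str) -> List[ChangeRequest]:
        return [cr for cr in self.change_requests
                if cr.status == "open" and cr.target.startswith(document + "/")]

    def start_revision(self, document: str) -> List[ChangeRequest]:
        """Initialize a new revision: the document's open CRs are pulled into it."""
        pulled = self.open_requests(document)
        for cr in pulled:
            cr.status = "in_revision"
        return pulled


def demo() -> dict:
    """Walk through the scenario from the text with constructed sample data."""
    docs = ControlledDocumentation()
    key = docs.import_norm(NormParagraph(
        "ISO 9001", "4.3", "Determining the scope of the quality management system"))
    docs.link("QMS/2", key)   # QMS Chapter 2 "Scope" implements ISO 9001 Section 4.3
    # Manually raised request, e.g. an auditor remark recorded during the audit
    docs.raise_change_request("ISMS/7", "Auditor remark: clarify asset owner", raised_by="CISO")
    auto = docs.update_norm(key, new_version=2)   # norm update -> automatic CR on QMS/2
    noop = docs.update_norm(key, new_version=2)   # same version again -> nothing raised
    pulled = docs.start_revision("QMS")           # new QMS revision pulls its open CRs in
    return {
        "auto_raised": len(auto),
        "noop": len(noop),
        "pulled_targets": [cr.target for cr in pulled],
        "still_open_isms": len(docs.open_requests("ISMS")),
    }
```

Running `demo()` shows one automatically raised request on QMS/2, none on the repeated import, that request pulled into the new QMS revision, and the CISO’s ISMS request still open because no ISMS revision was started.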
Change Communication
With all those change requests being easily created or automatically raised, we need an efficient way to communicate the approved and released changes to our team. Remember, not all the changes will be relevant for all the teams: for example, an update in the sales process will most probably not affect the development team, and the replacement of the QA tool will most probably not affect the sales team.
That’s why we implemented a change notification mechanism, where each change can be sent to certain user groups, and each change gets a change summary.
Using the same example process as above, here is what it looks like.
On my dashboard, I see that I have two changes to read in the leadership processes work instructions document:

When opening the document, I can work through the changes one by one. Once they are read, they are automatically moved into the “done” tab. In this way, they are not lost, but not at the top of my attention anymore.

Going back to the dashboard, the changes don’t show anymore, as I have read them all:

This makes it easy to communicate changes to our team, and it makes it easy for our team to stay on top of things.
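The notification mechanism described in this section, modelled in a few lines of Python as an added example. This is not Yonder’s code or the yo.yo product’s implementation; the class names, user groups, document names and change summaries are constructed assumptions. It shows released changes addressed to user groups, a per-user dashboard that counts unread changes per document, and the move of a change from “to read” to “done” once that user has read it. Because read state is kept per user, the same structure also answers the audit question of who has acknowledged which change.

```python
"""Toy model of targeted change notifications (added example, not Yonder's code).
Group names, documents and summaries below are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class ReleasedChange:
    change_id: str
    document: str        # document the change belongs to
    summary: str         # change summary shown to the reader
    audience: Set[str]   # user groups this change is relevant for


class ChangeNotifier:
    def __init__(self, memberships: Dict[str, Set[str]]) -> None:
        self.memberships = memberships                                      # user -> groups
        self.changes: List[ReleasedChange] = []
        self.done: Dict[str, Set[str]] = {u: set() for u in memberships}    # user -> read ids

    def release(self, change: ReleasedChange) -> None:
        """Publish an approved change; it reaches only users in its audience groups."""
        self.changes.append(change)

    def _addressed_to(self, user: str) -> List[ReleasedChange]:
        groups = self.memberships.get(user, set())
        return [c for c in self.changes if c.audience & groups]

    def dashboard(self, user: str) -> Dict[str, int]:
        """Unread changes per document, as the dashboard would list them."""
        counts: Dict[str, int] = {}
        for c in self._addressed_to(user):
            if c.change_id not in self.done[user]:
                counts[c.document] = counts.get(c.document, 0) + 1
        return counts

    def to_read(self, user: str, document: str) -> List[ReleasedChange]:
        return [c for c in self._addressed_to(user)
                if c.document == document and c.change_id not in self.done[user]]

    def done_tab(self, user: str, document: str) -> List[ReleasedChange]:
        return [c for c in self._addressed_to(user)
                if c.document == document and c.change_id in self.done[user]]

    def mark_read(self, user: str, change_id: str) -> bool:
        """Move a change to the user's 'done' tab; ignored if it was never addressed to them."""
        if change_id in {c.change_id for c in self._addressed_to(user)}:
            self.done[user].add(change_id)
            return True
        return False

    def acknowledged_by(self, change_id: str) -> Set[str]:
        """Evidence for an auditor: which users have read a given change."""
        return {u for u, ids in self.done.items() if change_id in ids}


def demo() -> dict:
    """Constructed scenario: two leadership-process changes and one sales change."""
    notifier = ChangeNotifier({"alice": {"leadership"}, "bob": {"development"}})
    doc = "Leadership processes"
    notifier.release(ReleasedChange("c1", doc, "Expense process: new approval threshold", {"leadership"}))
    notifier.release(ReleasedChange("c2", doc, "Expense process: receipts uploaded digitally", {"leadership"}))
    notifier.release(ReleasedChange("c3", "Sales process", "New quote template", {"sales"}))
    before = notifier.dashboard("alice")            # {"Leadership processes": 2}
    bob_sees = notifier.dashboard("bob")            # {} - nothing addressed to development
    for change in list(notifier.to_read("alice", doc)):
        notifier.mark_read("alice", change.change_id)
    return {
        "before": before,
        "bob_sees": bob_sees,
        "after": notifier.dashboard("alice"),       # {} - everything read
        "done": len(notifier.done_tab("alice", doc)),
        "bob_cannot_ack": notifier.mark_read("bob", "c1"),
        "acked_c1": notifier.acknowledged_by("c1"),
    }
```

After `demo()` runs, alice’s dashboard is empty again while her “done” tab for the leadership document holds both changes, bob never saw them, and `acknowledged_by("c1")` records exactly who has read that change.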
And that is all it took to earn the positive feedback from our auditor: we have continuously developed our QMS and ISMS over the years, and every change is visible at a glance.