The price you pay to track your norms effectively is a one-off effort when setting up your ISO 9001 / 27001 tools.

At Yonder, we are in the unsexy, no-nonsense, but relevant business of electronic documentation. And we have customers who expect us to be ISO 9001 and ISO 27001 certified.

So what could be better than using our own software product to set up and manage our ISO 9001 / 27001 documentation?

We’ve been following this approach for more than 3 years, and have successfully achieved ISO 9001 and 27001 certification.

Without help from expensive consultants.

Without a single paper folder.

However, setting up your QMS and ISMS for ISO 9001 and 27001 certification is only part of the journey. The real journey starts after the certification audit when the newly established processes need to be lived in everyday life.

That’s why there are maintenance and recertification audits after the initial certification audit. We follow an eat-your-own-dogfood approach and use our own product to document our QMS and ISMS.

If you are interested in knowing how our product works for QMS/ISMS documentation in general, I suggest you read this article.

If you are interested in knowing how you can track changes in the ISO norms easily, read on.

The Problem with Normative References

Do you know what the term “normative reference” exactly means? Most people don’t, and they can’t be blamed for it.

A normative reference is a reference to a paragraph in a norm or a standard, which you can use in your documentation to show that you implemented all the requirements in the corresponding norm or standard paragraph. So in essence, a normative reference is a link from your documentation to a paragraph in a norm or a standard.

Typically, normative references are placed directly in the text of the documentation, visible to all readers.

In the ISO 9001/27001 world, normative references have simple formats such as “4.2”, “A.12” or the like.

In aviation, normative references can be much more complicated, looking anything like “ORO.GEN.200” or “ORO.FTL.120”.

And now, because people don’t have the right tools, they stick those normative references all over their documentation, just to be sure they are prepared for an audit.

And 99% of your workforce looks at those normative references with puzzled faces. That’s because normative references only matter to your compliance and quality teams.

Isn’t There A Better Way?

Of course, there is a better way, for both the compliance and quality teams and for the large majority of the workforce.

There are many compliance database providers out there, who provide updated norms and standards as a service. We collaborate with ASQS, which covers both ISO norms and aviation standards.

The magic word here is “interface”. When a compliance database provider and a documentation software provider interface their solutions, updated norms and standards are shared between the tools.

How Exactly Does It Work?

If you don’t think of your QMS and ISMS as a single document, but as a collection of individual modules or blocks, you can start linking each block to any other block, irrespective of whether this is a link within your documentation or a link to a paragraph in a norm or standard.

The nice thing about software is that you don’t have to show the link to everyone if it doesn’t apply to everyone. That’s exactly what we are doing in our software.

Let’s look at an example. Here is a screenshot of our ISMS, where the chapter on Human Resource Security is depicted:

Screenshot: Our ISMS, Human Resource Security chapter (source: author)

It looks like a document, but every section is one of the mentioned modules or blocks. In blue, you can see the links pointing to other sections in the ISMS or other documents of our management system. You can see those links because those links are useful to the entire workforce.

What you can’t see at first sight, however, are the links to the underlying normative references. This is because they only matter to our QM and our CISO. So where are those normative reference links?

Let’s use the section on “Screening” as an example. Clicking on the little chevron at the top right of the block will lead to a detailed view, showing more meta info than is visible when reading the document in its entirety:

Screenshot: Click for more details… (source: author)

In the links tab, we now see our normative references that were placed there by our CISO. You can see that we linked both the English and German versions of the ISO 27001 norm, as we are based in Switzerland and use both language versions.

Screenshot: Normative references, the fully digital way (source: author)

Great. Now we have successfully hidden the normative references from the standard user, and now what?

The key thing is that your quality and compliance teams are triggered whenever there are updates to the linked normative references. Only then can you update your documentation in due time for your next maintenance audit. That’s why our software fires change requests automatically, whenever a normative reference has been updated with a new version. It fires that change request exactly at the right place, i.e. for the block that holds the updated normative reference. In this way, your quality and compliance teams cannot miss an updated normative reference, and they can start working on updating your documentation easily and directly at the right spot of your documentation.

So much for the updated normative reference. What about new normative references, or knowing whether you’ve covered them all? Our product features a link report, where you can generate reports that answer the following questions:

  • “For a certain norm or standard, show me in which document I can find all the normative references.”

In this way, you can easily find out if you missed a single normative reference in your documentation, or if a new version of a norm or standard has received additional normative references.

  • “For a certain document of my documentation, show me all the normative references I am referring to.”

In this way, you find out immediately which norms or standards govern your internal documentation.
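The following is an added illustration, not Yonder's code or API: a minimal Python model of blocks linked to norm clauses, the change requests raised when a linked clause gets a new version, and the two link reports. All block ids, clause revisions and function names are constructed for the example; flagging withdrawn clauses goes slightly beyond what the article describes.

```python
# Constructed sample: block id -> (document, set of (norm, clause) links).
BLOCKS = {
    "isms/hr/screening":  ("ISMS", {("ISO27001", "A.12")}),
    "isms/hr/onboarding": ("ISMS", {("ISO27001", "A.12"), ("ISO27001", "A.13")}),
    "qms/context":        ("QMS",  {("ISO9001", "4.2")}),
}
# Constructed norm snapshots: clause -> revision marker from the compliance database.
NORM_OLD = {"A.12": "r1", "A.13": "r1", "A.14": "r1"}
NORM_NEW = {"A.12": "r2", "A.13": "r1", "A.15": "r1"}  # A.12 revised, A.14 gone, A.15 new


def change_requests(blocks, norm, old, new):
    """One change request per block linking a revised or withdrawn clause."""
    revised = {c for c in old.keys() & new.keys() if old[c] != new[c]}
    stale = revised | (old.keys() - new.keys())
    return sorted(
        (block_id, clause)
        for block_id, (_, links) in blocks.items()
        for n, clause in links
        if n == norm and clause in stale
    )


def norm_report(blocks, norm, snapshot):
    """Report 1: for a norm, the blocks covering each clause (empty list = gap)."""
    cover = {clause: [] for clause in snapshot}
    for block_id, (_, links) in sorted(blocks.items()):
        for n, clause in links:
            if n == norm and clause in cover:
                cover[clause].append(block_id)
    return cover


def uncovered(blocks, norm, snapshot):
    """Clauses of the current norm version that no block references yet."""
    report = norm_report(blocks, norm, snapshot)
    return sorted(c for c, ids in report.items() if not ids)


def document_report(blocks, document):
    """Report 2: for a document, every normative reference it links to."""
    refs = {ref for _, (doc, links) in blocks.items() if doc == document for ref in links}
    return sorted(refs)


if __name__ == "__main__":
    print(change_requests(BLOCKS, "ISO27001", NORM_OLD, NORM_NEW))
    print(uncovered(BLOCKS, "ISO27001", NORM_NEW))
    print(document_report(BLOCKS, "ISMS"))
```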

The Price You Pay

You are paying for such a setup with a one-off effort on your side: placing all those normative references in your documentation. That’s a job no provider can relieve you of, as norms and standards are applied in different ways at each company.

Once done, however, you will enjoy greatly increased efficiency and completeness in your documentation.