What’s the Best Tool to Document ISO 9001 and ISO 27001 Certification?

Before you start documenting your QMS and ISMS, spare some time to think about the best tool to do so. Just as there isn’t a single best way to run a company, there isn’t a single best way to document your QMS and ISMS.

More and more customers demand that their suppliers be ISO 9001 and/or ISO 27001 certified. While that might be easy for large corporations, it isn’t so for startups and mid-sized companies.

Nevertheless, as a startup or SME serving enterprise customers, you have little choice. If you want those contracts to materialize, you will have to find a way to comply with all the clauses suggested by the legal department of your new customer.

Because no company’s core business is getting ISO 9001 or 27001 certified, startups and SMEs need to find a way to deal with ISO 9001 and 27001 in a lean and modern way.


Here are some thoughts to consider before selecting a tool:

  • You want to be sure that only authorized persons in your organization can change or update your QMS and ISMS. Therefore, consider a tool that controls the ISMS documents through a workflow.
  • Whenever changes to your QMS and ISMS are made and approved, you want to be able to notify your team about the important changes. Therefore, consider a tool with an effective notification mechanism.
  • Fast forward to your first annual maintenance audit, even before your certification audit. From my personal experience, the auditor will ask questions such as: “What has changed in your QMS/ISMS since the last audit?” Therefore, consider a tool that manages revisions and changes at the block level within a document.
  • Because you will need to cover both QMS and ISMS in a single documentation tool, you will need a tool that allows efficient linking, both within the tool itself and to other IT tools such as Google Drive and JIRA. Furthermore, Annex A of the ISO 27001 norm has some overlapping chapters, so you want to make sure you can link and reuse content. In this way, you can save lots of time and effort.

From the thoughts above, you see that I would advocate using a more modular documentation format rather than documents and spreadsheets. But that doesn’t mean that my experience is the single best way for all the startups and SMEs out there.

Some Documentation Tools You Might Consider

Below is an overview of some documentation tools you might consider. The list is not complete of course, but covers what I have seen in different startups and SMEs. I will deliberately not make a recommendation, as the choice depends entirely on your specific business.

Microsoft Word / Google Docs

These tools are cheap and omnipresent in all startups and SMEs, and therefore they might be your first thought for documenting your QMS and ISMS.

However, the core disadvantage these tools have for QMS and ISMS documentation is that they are based on documents instead of modules or blocks. This means that managing links between documents is very hard, especially after a few updates, when a new document version is created for every update. Also, searching for a certain keyword is difficult if your QMS and ISMS consist of a set of Word files somewhere on a storage drive.

While it is possible to use Track Changes to see who suggested which changes, applying an approval workflow is more difficult than in other tools. As a result, your QM and your CISO can never be sure who changed and approved what, which might lead to nasty questions in your next maintenance audit. I know of startups that have overcome this by exporting their QMS and ISMS documents as Markdown and checking them into GitLab to properly version them. While this fulfills the audit trail requirement, it doesn’t encourage regular usage of your QMS and ISMS by all your colleagues.

Confluence

Like Microsoft Word and Google Docs, Confluence is still based on pages instead of modules or blocks. However, in contrast to Microsoft Word and Google Docs, linking between pages is significantly easier, and the same is true for searching (although the Confluence search does have its limitations).

Confluence makes it possible to mark pages as read-only for certain groups or users, so your QM and your CISO can make sure that nobody accidentally changes the QMS and ISMS documentation. Nevertheless, this is still a workaround for controlling contributions and approvals of changes. Confluence is better suited to documenting uncontrolled information such as technical specifications, rather than controlled information such as the QMS and ISMS.

What I like about Confluence are the notification settings. Both individual users and admins can define how users get notified about changed pages, making sure your team knows when you have made important changes to your QMS and ISMS.

Notion

In contrast to Microsoft Word, Google Docs, and Confluence, Notion is based on blocks rather than pages or documents. Together with the linking options, this makes it possible to reuse information that needs to appear in different places. This is a core advantage of the block design over the document design. From my experience, this is essential for covering the two ISO norms in one tool, as there are quite a few overlaps between ISO 9001 and ISO 27001.

Similar to Confluence, Notion is geared more towards collaboration than towards controlling documentation. However, just like Confluence, Notion offers ways to restrict editing rights for certain team spaces.

Yonder

Full disclosure: I am the Co-Founder & CEO of Yonder, a company that provides a documentation solution for controlled documents such as operations manuals, norms, regulations, etc. Living by the eat-your-own-dogfood principle, we use our own product internally to document our QMS and ISMS.

Like Notion, Yonder is based on modules rather than pages or documents, which makes it possible to reuse information that needs to appear in different places. Unlike Notion, however, each module can hold regulation references, for example links to certain paragraphs of the ISO 9001 or 27001 norms. Instead of maintaining norm updates yourself, you can buy norm updates from regulation and compliance database providers such as ASQS. Once those norms are linked to your QMS or ISMS, change requests for the affected modules are generated automatically whenever a linked norm is updated.

In contrast to all the other tools, Yonder is specifically designed to manage controlled information. That’s why every change request goes through an approval workflow, and users and groups are notified of changes only after the QM or CISO has approved them.

Next Steps

Once you have selected a suitable documentation tool for your business, you can start documenting your QMS and ISMS. I have summarized my experience in the articles linked below.

How to Achieve ISO 9001 Certification Without Paper Folders and Excel Lists

A Step-by-Step Guide to Creating an ISO 27001 Compatible ISMS


Growing a company in troubled times is a marathon.

As a tech entrepreneur, active reserve officer, and father of three, I can help you with practical entrepreneurship and resilience advice for all aspects of life. To the point, no fluff, because entrepreneurs are busy.

When I’m not busy, I get my rest and inspiration in the beautiful mountains around Zermatt.

Join 100+ subscribers to receive my weekly newsletter for resilient entrepreneurs each Friday afternoon!

Get my eBook on mastering your own ISO 27001 certification without consultants!

Werner L.

IT Project Manager and Service Manager at terreActive

1 yr

I still think the processes have to be built seamlessly but enforced in the tools the company uses; then the docu is only for the auditor, as the users are already guided by the tool workflow.