ISO 9001 is the world’s most widely adopted standard for quality management. It describes how organisations should manage, document and improve processes to ensure consistent delivery and continual improvement.

In practice, quality is about delivering products and services that meet agreed requirements and expectations — consistently over time. When expectations exceed experience, dissatisfaction arises regardless of what is “believed” internally. Customer satisfaction, stakeholder requirements and the ability to improve systematically therefore become central elements of a certifiable quality management system.

Certain QMS has been developed to operationalise this thinking. The system brings together the key tools for quality management on a single platform and gives organisations a structured way to establish, use and maintain a quality management system in line with ISO 9001.

Below, we show how the requirements of ISO 9001 are supported by the functionality of Certain QMS.

ISO 9001 is built on a process-based approach and the PDCA cycle (Plan–Do–Check–Act). In practice, this means describing how the organisation works, planning and carrying out activities, evaluating results and making improvements in small, continuous steps. A quality management system is never ‘finished’ — it is maintained and improved in step with changes in requirements, risk and expectations.

Certain QMS is structured around the same logic, with modules for processes, documents, risk, non-conformities, planners, checklists and compliance registers. The interplay makes it easier to document the connection between requirements, processes, responsibilities and follow-up — which is often precisely what auditors look for.

ISO 9001 requires the organisation to understand its context, identify stakeholders and establish the necessary processes for quality management. In practice, this means having an overview of internal factors (culture, competence, technology) and external factors (regulations, market and operating conditions), and assessing what genuinely affects the ability to deliver. For many organisations, consideration of climate- and weather-related factors is also relevant, as these can affect operations, delivery capability and risk.

The organisation’s core and support processes are modelled and organised within the system, making the relationship between processes clear and accessible to the organisation. This provides a shared ‘map’ of how value creation and management fit together, and reduces the risk of practice becoming dependent on specific individuals. At the point of certification, it is often an advantage that process descriptions are practical and recognisable to those who actually carry out the work.

Top-level governing documents such as stakeholder analyses, scope, quality manuals and principles for process management are established as version-controlled documents. This provides an audit-ready history and makes it easier to demonstrate that the system has been maintained over time — not just ‘created once’.

The document management module can also be used to establish standardised document structures and content templates, ensuring a consistent format for key governing documents. This enables faster setup and more uniform practice across departments.

The standard places requirements on management commitment, quality policy, responsibility and authority. In practice, this means that top management must own the system, set direction and ensure that governance actually takes place — not merely that documents exist.

Quality policy, strategic guidelines and top-level responsibility descriptions are established as controlled documents with version management. This makes it easier to ensure that policy provides clear direction, and that it is more long-term than individual objectives that are often adjusted annually.

The document management module can also be used to consolidate and structure documentation relating to the management review, such as terms of reference, standing agenda items and decision-making material. This supports more consistent reviews over time and makes it easier to demonstrate that the requirements of the standard have been met.

In Certain QMS, roles and access are assigned directly in the administration interface, so that responsibility and authority are also reflected in the system’s workflow. When responsibility is delegated, it is important that the role configuration actually enables tasks to be completed and followed up. This improves compliance and makes quality work more robust in the event of absence, turnover or organisational change.

Management reviews, internal milestones and other governance activities are created as activities with tasks, responsible parties and deadlines, visualised in the annual planner. This supports the requirement for planned follow-up and documentation of decisions and actions. It also makes it easier to consolidate relevant decision-making material — such as status on objectives, non-conformities, trends and resource needs — and to ensure that follow-up actually takes place.

ISO 9001 requires the organisation to identify risks and opportunities, plan actions and manage changes in a controlled manner. The standard also expects quality objectives to be measurable, with clarity on what is to be measured, who is responsible for follow-up and how the effect is evaluated.

The organisation can identify, analyse and evaluate risks that affect the achievement of objectives and process performance, with actions assigned to responsible parties and followed up. This makes it easier to work in a risk-based way in practice — not just as an annual exercise. Actions can be integrated into operations and improvement activities, and provide traceability on what has been done and why.

In the administration interface, compliance registers can be established in which ISO 9001 requirements are recorded as individual compliance obligations. Requirements can be linked to relevant documents, processes and checklists, as well as to non-conformity categories, risk events from risk analyses and external links. In addition, requirements can be assigned responsible parties and review intervals.

This provides clear traceability between ‘requirements’ and ‘how we comply’, and makes compliance verification more systematic and less dependent on specific individuals.

The standard requires controlled documentation, accessible information and support for implementation. In practice, this means ensuring that employees have the right foundations, the right competence and access to up-to-date practices.

Governing documents, procedures and work instructions are stored as version-controlled documentation with access management and full history. This makes it easier to demonstrate that information has been maintained and that employees are working in accordance with current requirements. The documentation can also be used as evidence during audits and internal follow-up.

Checklists are used to support consistent execution and document compliance where it is important that ‘things are done the same way’. They can be linked to processes and compliance requirements, and contribute to stable delivery quality — particularly in operational environments with variation, shift work or many people involved.

Employees can carry out key quality activities directly in SharePoint, lowering the threshold for use and strengthening adoption. When quality work is accessible within everyday working environments, it also becomes easier to build awareness over time — not least for new employees. Traceability and documentation are maintained in the specialist system throughout.

ISO 9001 places requirements on the planning and control of operational activities, so that products and services are delivered in line with defined requirements.

Operational processes are described and made accessible, typically linked to relevant documents and checklists. This provides clarity on how work should be carried out and reduces the risk of delivery varying between individuals or teams. The processes become a practical reference tool, not just ‘diagrams for certification’.

Execution is supported by checklists, and non-conformities are recorded when something does not go as planned. Non-conformities are handled systematically, making it clear what was done immediately and what needs to be followed up further. This strengthens control over delivery and reduces the risk of recurrence.

The standard requires monitoring, internal audits and management review, so that the organisation can assess whether the system is working and whether it is delivering the desired effect.

Internal audits, reviews and management reviews are planned as activities with fixed intervals, responsible parties and documented completion. This provides structure to follow-up work and makes it easier to take a risk-based approach to audits and evaluations. The history of completed activities helps to document continuity over time, including at recertification.

Non-conformities are used as a data source for analysing trends, recurrences and areas for improvement. This supports evidence-based decision-making and makes management assessments more fact-based. Combined with customer feedback — such as complaints, meetings, surveys and ongoing dialogue — this provides a comprehensive picture of the system’s impact.

The completion of activities and non-conformity handling are recorded with responsibility and status, providing a consolidated decision-making and follow-up trail over time. This makes it easier to verify ‘what was done’ and ‘what was decided’, and contributes to audit-ready documentation. Traceability is often crucial for demonstrating maturity and stability in the quality management system.

ISO 9001 requires non-conformity management, corrective actions and continual improvement. The aim is to reduce errors, strengthen processes and increase customer satisfaction over time.

Non-conformities are recorded, assessed and followed up with actions, responsible parties and deadlines. It is useful to distinguish between immediate actions (correction) and full non-conformity handling with root cause analysis and corrective actions, so that the situation is both addressed and recurrence prevented. A simple and systematic approach to root cause analysis — for example, ‘5 Whys’ — makes actions more targeted.

The interplay between risk, planning, operations, non-conformities and management follow-up creates a continual improvement loop. When information is gathered on the same platform, it becomes easier to extract insights and translate them into concrete changes to processes, documentation and practice. This is often what distinguishes a certifiable system from one that is merely documented.

Certain QMS gives organisations a framework for establishing a quality management system in line with ISO 9001, with structured documentation, process-based management, risk-based planning and traceable follow-up. Once the ISO 9001 structure is in place, much of the foundation is also laid for further work with other management standards, such as ISO 27001 and ISO 14001.

Example of the Certain QMS homepage.

ISO 9001 is about good habits for management and improvement — and about making it easy to do the right thing. Certain QMS supports this by bringing together processes, documentation, follow-up and improvement in one cohesive solution with clear roles, planned activities and traceable history.

The result is a quality management system that not only satisfies certification requirements, but also delivers real value in the organisation’s day-to-day operations.

The terms document collection, document storage and document management are often used interchangeably. In practice, they describe very different ways of managing an organisation’s documentation. The difference is not primarily about technology, but about governance, responsibility and trust.

A document collection is exactly what it sounds like: documents gathered in one or more locations, organised in folders or libraries. The purpose is storage and sharing.

Document storage provides a common place to find files, easy access and flexibility in how content is organised. However, few requirements are placed on who owns the content, how changes should be handled, when documents should be reviewed, or which document actually applies.

This works well as an archive and a sharing platform — but provides limited support for managing the organisation’s practices over time.

Document management is the systematic management of governing documentation throughout its entire lifecycle — from creation through use, review and eventual withdrawal.

The core is not where documents are stored, but how they are governed. This requires clear frameworks for ownership and responsibility, review and approval, versioning and change history, access and availability, and compliance in practice.

Where document storage answers the question of where documents can be found, document management answers the question of how the organisation ensures that documentation is correct, up to date and actually used.

Document management is not merely good practice — it is an explicit requirement in the most widely adopted management system standards. ISO 9001, ISO 14001, ISO 45001 and ISO 27001 all place requirements on document management — that is, control of documented information: ensuring that documents are available where needed, that they are fit for purpose, and that they are adequately protected against unintended alteration or loss.

For organisations that are certified — or working towards certification — document management is therefore not optional. It is a prerequisite for meeting the requirements of the standards and for being able to demonstrate this to an external auditor.

The gap between storage and control typically becomes apparent when someone questions the documentation. Employees are uncertain about which version applies. Multiple versions are circulating simultaneously. Practice varies between departments. An audit demands traceability.

In these situations, it is rarely a lack of documents that is the problem. It is a lack of governance around them.

The consequences can be more serious than they first appear. Employees following outdated procedures increase the risk of errors and non-conformities. Internal audits uncover gaps that require resource-intensive remediation. External inspections can, in the worst case, result in non-conformities against the standard — with loss of certification as a possible outcome. And in organisations experiencing high turnover or growth, inadequate document management is often what causes knowledge to disappear when experienced employees leave.

What actually makes us trust a document? The question is rarely asked explicitly, but the answer is crucial.

Trust is not about the title or the location. It is built on certainty that this is the last approved version, that someone has held clear responsibility for the content, that changes have been made in a controlled and deliberate manner — and that what you are reading is what currently applies.

When this confidence is absent, informal workarounds emerge: local copies, personal notes, ‘the way we usually do it’. Over time, this undermines shared practice and genuine governance.

One dimension of document management that is often underestimated is the role it plays when people leave or new employees join. In organisations without effective document management, much of the practice is bound up in individuals — in experience, memory and informal routines that have never been written down, or that have been written down but never maintained.

When an experienced employee leaves, this knowledge often goes with them. Good document management is what prevents the organisation from starting from scratch each time — enabling a new employee to find out how things are actually done, and ensuring that training is built on something more solid than colleagues’ personal notes.

A central but often overlooked aspect of document management is visibility of changes. It is not enough to know that a document has been updated. Equally important is knowing who made the changes, when they were made, and what specifically has changed since the previous version.

When changes are clear and traceable, trust in the documentation increases. Employees no longer need to re-read entire documents to find out what is new. Management gains better oversight of how practice is actually developing over time.

This is one of the clearest distinctions between document management and simple document storage — and a core principle of document management as understood in the ISO standards.

Document management only becomes valuable when documentation is used actively in day-to-day work — not merely as a reference, but as a governing framework for how work is carried out.

Organisations that succeed in this are typically characterised by employees having a single, clear source of current practice, roles and responsibilities being clearly defined, documentation being perceived as relevant and trustworthy, and review and follow-up being a natural part of operations — not a last-minute effort.

Most organisations working on change management and quality management introduce new procedures with the best of intentions. The procedures are well thought through, the documentation is in place, and the quality management system is accessible to everyone. Yet nothing changes. People carry on as before. The change quietly dies out, and after a while no one remembers that things were supposed to be different.

This is not a technical problem. It is a problem of change management in quality management — and it is far more common than most are willing to admit.

It is tempting to explain failed changes through resistance. Employees don’t want to change. They’re used to doing things their way. They don’t understand the importance of the quality management system.

But resistance is rarely the cause. It is the symptom.

When people don’t follow new procedures, it is most often because they never understood why the change was introduced. No one explained the connection. No one showed what would actually improve. The change arrived as a top-down directive — a new document in the quality management system, an email saying ‘from Monday, the following applies’ — and then it was up to each individual to find the meaning themselves.

It is rarely the employees who fail. It is the process surrounding the change that fails.

One of the most recognisable situations in larger organisations is the change that appears to succeed on the surface, but never quite reaches the front line. Leadership has decided. The quality manager has documented. The system is updated. And then, three months later, people on the floor are still working as before.

The reason is almost always the same: middle managers were not brought along.

Middle managers are the link between decision and practice. If they do not understand the change, have not had the time to communicate it, or are themselves uncertain whether it is right, they will not convey it with credibility. And employees follow their immediate manager, not a document in a quality management system.

John Kotter highlights precisely this in his work on change management: changes do not fail because they are poor, but because organisations skip the critical steps of building buy-in and communicating meaning. A decision is not the same as an implementation. A procedure is not the same as a practice.

Here is an uncomfortable truth for many working in quality management: a well-documented system can actually make the problem worse.

Once the documentation is in place, it is easy to assume the job is done. The system is updated. The procedure has been approved and published. Employees have access. But that does not mean the system is being used.

The ADKAR model, developed by Prosci, describes five prerequisites for change to actually happen at the individual level: awareness, desire, knowledge, ability and reinforcement.

Most organisations focus almost exclusively on knowledge — that is, what employees should do. But if awareness and desire are not in place, knowledge will not lead to changed behaviour. People know what they should do, but do not do it.

Much of the resistance to quality management systems is not about laziness or reluctance. It is about perceived value.

When employees feel that quality management is primarily there to satisfy the auditor, to document for documentation’s sake, or to protect management, they will respond accordingly. They do what is required — nothing more.

This is not a problem with the employees. It is a sign that the quality management system is not embedded in everyday working life.

A quality management system that works in practice is characterised by the fact that it genuinely helps people in their work. The procedures are written for the user. The non-conformity system solves real problems. Management uses the system actively — not only at audit time.

When employees see that the system works, attitudes shift. Not because they are persuaded, but because they experience value.

Change management in quality management cannot be delegated away. It is not a project — it is an ongoing leadership responsibility.

Leaders who succeed in embedding quality management systems do certain things consistently. They use the system themselves. They refer to it in decisions. They follow up on non-conformities and improvements. And they give middle managers both the time and the responsibility to drive the change forward.

When leadership treats the quality management system as an administrative requirement, the rest of the organisation will do the same. When it is treated as a management tool, the way it is used changes too.

The difference rarely lies in the system — but in how it is introduced and followed up.

An organisation introduces a new non-conformity system. An email is sent out with a link to the procedure. Two weeks later, three non-conformities have been logged, all from the same department. Six months later, the system has effectively been abandoned.

Another organisation introduces the same system. Middle managers are involved early. The first non-conformities are followed up promptly. Results are communicated back. Leadership uses the data actively in meetings. After a few months, the system is in use across the organisation.

The same system. Completely different outcomes. The difference is not the technology or the documentation. The difference is the change management surrounding the quality management.