ISO9001 is one of the most widely used Quality Management System globally. It provides a framework for creating and managing Quality Systems (QMS) and the auditing requirements and is applicable to many industries. The most recent version is ISO9001:2015

In this video I demonstrate how to create a basic Quality System in SharePoint, that can serve as the building blocks for a complete system.

To meet the requirements for ISO9001, SharePoint must be configured to meet the document management requirements specified in the standard. The document management requirement is detailed in section 7.5 of the standard. Here are some of the key requirements:

#	Requirement	Description	Key Controls / What Auditors Look For	Practical Implementation Example
1	Identification & Version Control	Documents must be uniquely identifiable and clearly versioned.	Title, document ID, revision number, issue date, author; prevention of using obsolete versions.	SharePoint metadata (Document ID, Version column), enforced check-in/out and version history
2	Review & Approval Process	Documents must be reviewed and approved for suitability before release or use.	Defined approval workflow; authorised approvers; evidence of review prior to publication.	Power Automate approval workflow before publishing to a “controlled” library
3	Access, Distribution & Availability	Documents must be available where and when needed, with controlled access.	Role-based access; ensuring correct users can view/use documents; correct distribution.	SharePoint permissions, Teams integration, and controlled publishing locations
4	Change Control (Update & Integrity)	Changes must be controlled to ensure integrity and prevent unintended use of outdated information.	Version control, change tracking, audit trail, periodic review of documents.	Version history, approval gates for edits, audit logs, document review reminders
5	Storage, Retention & Protection	Documents must be stored securely, preserved, and retained/disposed of appropriately.	Secure storage, protection from loss or unauthorised changes; defined retention/disposal rules; retrievability.	Retention labels, backup policies, archive libraries, sensitivity labels

Important Document Management requirements include having places for the following document types:

Library	Purpose	ISO Alignment
Policies	High-level governance documents	Maintain documented information
Procedures	Process definitions	Operational control
Work Instructions	Detailed task-level guidance	Standardisation
Forms & Templates	Controlled templates	Consistency
Records	Evidence (audit, approvals, outputs)	Retained documentation for each instance of the procedure e.g. production run

The minimum metadata required to meet the ISO9001 standard

Metadata Field	Purpose
Document ID	Unique identification
Version / Revision	Version control
Status (Draft / Approved / Obsolete)	Lifecycle control
Owner	Accountability
Reviewer / Approver	Governance
Effective Date	Compliance
Review Date	Mandatory periodic review
Department / Process	Classification
ISO Clause	Audit traceability

In addition to meeting the requirements for ISO9001, it is also important to think about how people actually work in practice. This is where designing the system to meet your unique requirements gives SharePoint and Power Automate an advantage over off the shelf systems that are often full featured, but require you to work the way the system wants, without the ability to customise and take advantage of SharePoint’s collaboration capabilities.

Another good reason to consider using SharePoint is licensing and operating costs. If you are using Microsoft 365 you already have the licensing required. There is no need for addition servers or licensing.

In an earlier blog post, I shared 10 lessons learnt from Controlled Document Systems.

Your Quality System contains the secret sauce of your organisations processes. To prevent information leakage, consider implementing Purview Sensitive Labels to control what people can do with documents.