New trends in standardization: ISO moves from the binder into the system

Auditors no longer want fat binders — they want coherence between procedure and reality, and the standard becomes code in your software, not paper on a shelf.

May 28, 2026 · 7 min read · ISO

Standardization has changed fundamentally over the past decade, yet many SME managers still treat it like it's 2010: a stack of printed procedures, a thick binder placed on a shelf for the auditor, and a sense of relief after certification — until the next surveillance audit. The real trend is the exact opposite. ISO is moving from the binder into the system, and the firms that get this receive certification as a formality, not as a six-month project.

From paper volume to risk-based thinking

With its 2015 edition, ISO 9001 abandoned its obsession with documentation and introduced risk-based thinking. In practice, nobody asks you for the 120-page "quality manual" anymore. A good auditor does not count your procedures — they check whether what the procedure says actually happens inside the firm.

That means less bureaucracy, but more real rigor:

  • Document only what reduces a concrete risk. A procedure that changes no one's behavior is just paper waiting to be thrown out.
  • Coherence beats volume. A 2-page workflow your team applies daily is worth more than 50 pages no one has ever read.
  • Evidence matters, not declarations. The auditor asks for records: who, what, when, based on which data. If your system generates them automatically, you've already won.

ISO/IEC 42001 — the first standard for AI management

Published in December 2023, ISO/IEC 42001 is the first international standard for an artificial intelligence management system (AIMS). Its arrival is no academic whim: more and more firms — SMEs included — already use chatbots, scoring models, decision automation, or generative assistants in their daily workflows, often with no governance whatsoever.

42001 asks what all modern standards ask, but applied to AI:

  • An inventory of AI systems — which models you use, for what purpose, with what data.
  • Impact assessment — what happens if the model gets it wrong? Who is accountable?
  • Traceability and human oversight — automated decisions must be explainable and contestable.
  • Data management — where data comes from, who accesses it, how it is protected.

For a firm just starting to introduce automation, 42001 is not a burden — it's a map. And if you work with the public sector or with corporate clients, the question "how do you govern your AI?" will show up in the tender requirements sooner than you think.

Integrated audits through the Annex SL structure

The third major trend is harmonization. All modern ISO management standards — 9001 (quality), 14001 (environment), 45001 (occupational health and safety), and now 42001 — share the same backbone: Annex SL, an identical chapter structure (context, leadership, planning, support, operation, performance evaluation, improvement).

The practical consequence is enormous for an SME:

  • One single management system, not three parallel systems that contradict each other.
  • One single set of framework procedures (document control, internal audit, corrective actions, management review) reused across every standard.
  • One single integrated audit, instead of three separate visits with three separate invoices.

Instead of maintaining binder after binder, you build one "skeleton" and hang the specific requirements of each standard off it. Less effort, less cost, less internal contradiction.

Compliance-by-design — when the standard lives in the software

This is the difference we bring. Most firms treat software and compliance as two separate worlds: the ERP does its job, while ISO compliance is a parallel binder maintained by hand right before the audit.

Wrong. The best ISO requirements are, by their very nature, already software system requirements:

  • Traceability → the history of every order, every batch, every decision, recorded automatically.
  • Audit log → who changed what and when, without anyone keeping a hand-written register.
  • Access control → roles and permissions that mirror the responsibilities in the procedure, not one shared password on a spreadsheet.
  • Document versioning → a single source of truth, not "procedure_v3_final_FINAL2.docx".

When these requirements are embedded in the software from the start — compliance-by-design — certification becomes a formality. The auditor asks for evidence, you press a button, and the report comes straight out of the system. There is no more six-month "audit preparation," because the system produces the evidence every single day, as a side effect of normal operation.

Practical advice for an SME

If you're setting out now, the right order is:

  1. Start with the real workflow, not the template. Map how the team actually works, then write short procedures (1-2 pages) that describe the truth.
  2. Pick a single Annex SL skeleton if you target multiple standards. Build it once, reuse it for 9001, 14001, 45001.
  3. Demand traceability from the software, not from people. Any evidence the system produces automatically is evidence you won't be forging under pressure the week before the audit.
  4. Inventory your AI early. If you already use automation or models, write them down now — 42001 will become relevant faster than you expect.
  5. Do NOT overcomplicate. Volume impresses no competent auditor. Coherence does.

Practical takeaway: the ISO standard is no longer a binder you pull off the shelf once a year — it's the way your system runs every single day. Build compliance into the software from the start, and certification stops being a project; it becomes a consequence.