Why SharePoint fails as an ISO document control system

Summary:

SharePoint is one of the most widely used document management platforms in manufacturing. It's also one of the most common sources of ISO 9001 non-conformances. Not because it's a bad product - it's excellent at what it was built for. The problem is that what it was built for is document storage. ISO 9001 requires document control. Those aren't the same thing, and no amount of configuration, folder discipline, or SharePoint governance policy closes the gap between them.

​

The difference between storage and control

Document storage is what SharePoint does well. You can organise files, set access permissions, version documents, and search across a large library. For most business purposes, that's sufficient.

Document control - as required by ISO 9001 Clause 7.5 - requires something additional: governance that cannot be bypassed. The standard requires that documented information be approved before use, that only the current approved version is available at point of use, that obsolete versions are prevented from unintended use, and that approval trails are traceable and verifiable under audit.

The critical word is 'prevented.' Not discouraged. Not managed by convention. Prevented. ISO compliance requires that control be architectural - that the system itself enforces the rules - not that people remember to follow them.

SharePoint is not built to provide that kind of architectural control. The platform has no native publishing gate that blocks unapproved content from being accessed. It has no built-in approval workflow that prevents distribution of content until sign-off is complete. And its version management, while functional, relies on human discipline to ensure old versions aren't in use.

​

The five ISO requirements SharePoint can't satisfy architecturally

There are five specific ISO 9001 Clause 7.5 requirements that SharePoint cannot satisfy through configuration alone.

The first is a traceable approval trail linked to each document version. SharePoint doesn't have a native approval workflow that records who approved, in what role, when, against which specific version, inside the system alongside the document. Organisations typically route approvals via email. Those email approvals exist outside SharePoint, in inboxes that may be archived or inaccessible by the time an auditor asks for them.

The second is version control at point of use. SharePoint manages multiple versions of a file, but it doesn't control which version operators, technicians, or staff members access at their specific location. If a shared drive has an older version cached, or if someone bookmarked a direct link to an older version, they may be working from superseded content without knowing it.

The third is obsolete version prevention. ISO 9001 requires organisations to protect against unintended use of outdated documented information. In SharePoint, older versions of files remain accessible through version history - and files that have been superseded can still be found through search if they haven't been manually moved or marked. That's a Clause 7.5 finding waiting to happen.

The fourth is external document control. Supplier specifications, regulatory standards, and other external sources that inform your QMS must be identified and tracked. SharePoint provides no native mechanism for tracking external documents, monitoring them for changes, or flagging when internal documentation needs to be updated as a result.

The fifth is multi-format controlled publishing. ISO compliance increasingly requires documentation in multiple formats - PDF for print, HTML for portals, structured data for AI systems. SharePoint stores the source document; it doesn't publish controlled outputs in multiple formats from a single approved source. That means multiple manual steps between an approved change and distribution, each one an opportunity for error.

​

Why SharePoint governance policies don't fix this

Most ISO-certified organisations using SharePoint have substantial governance policies in place. Naming conventions, folder structures, version control rules, approval routing procedures. These policies are well-intentioned. They also don't close the fundamental gap.

A governance policy is a rule that people can forget to follow. An auditor checking for Clause 7.5 compliance isn't looking for your governance policy - they're looking for evidence that the requirements were actually met, for every document, every revision, every time. When an auditor finds a document that was approved by email three years ago and the approver has since left the company, the policy that said approvals should be done through SharePoint's workflow doesn't help you. The evidence has to exist and be retrievable.

This is the architectural gap. SharePoint can be governed by policy. Author-it enforces compliance by design - the publishing gate means unapproved content physically cannot be published to any output. There's no policy to forget. There's no workflow step that can be skipped under time pressure.

​

When SharePoint works and when it doesn't

SharePoint works well as a document store for content that doesn't need to satisfy ISO Clause 7.5 requirements - HR documentation, project files, general business content. Many organisations use it effectively for that purpose.

It starts to fail when the organisation grows in complexity. More sites mean more potential for version drift. More product lines mean more documents to track. More staff turnover means more approval trails that exist only in email archives. Each of these increases the probability of an audit finding.

The organisations that move to a CCMS for ISO document control aren't doing it because SharePoint stopped working. They're doing it because SharePoint never provided the architectural controls that ISO compliance requires - and as they grew, the gap became visible in audit findings. Use the Structured Content Challenge to assess where your current approach is leaving you exposed.

​

What the migration looks like

Moving from SharePoint to a CCMS for ISO-controlled content doesn't require abandoning SharePoint entirely. Many organisations continue to use SharePoint for non-controlled content while migrating their ISO-scope documentation to Author-it. The migration follows a structured process that maintains certification continuity throughout. The ROI calculator helps quantify the cost of continuing to manage ISO compliance through manual SharePoint governance against the cost of a system that closes the gap architecturally.

SharePoint and ISO document control FAQ

Q: Can SharePoint be used for ISO 9001 document control?

A: SharePoint can be used as a document store that supports parts of ISO 9001 document control, but it cannot satisfy all of the architectural requirements of Clause 7.5 without significant manual process to compensate for its limitations. The specific gaps are: no built-in approval trail linked to each document version in the system, no publishing gate that prevents unapproved content from being accessed, no native mechanism for external document control, and no multi-format publishing from a single approved source. Organisations using SharePoint for ISO document control typically find these gaps surfacing as audit findings as they grow in complexity.

​

Q: What are the most common ISO 9001 findings in organisations using SharePoint?

A: The most common ISO 9001 findings in SharePoint-based document management are: approval trails that exist only in email and cannot be located under audit (especially when approvers have left the organisation); obsolete versions of documents accessible through version history or search that operators may be using; current versions distributed inconsistently across sites or departments; and external documents - supplier specs, regulatory standards - that are not formally identified or tracked for changes. All of these trace back to SharePoint's fundamental nature as a storage system rather than a control system.

​

Q: What is a publishing gate and why does SharePoint not have one?

A: A publishing gate is an architectural control that prevents content from reaching any published output unless it has completed a defined approval workflow. In Author-it, this means unapproved content cannot be published to PDF, HTML, or AI-ready JSON via AION - not because of a policy rule, but because the system architecture makes it impossible. SharePoint does not have a native publishing gate. It has version management and workflow tools, but these can be bypassed, and they don't prevent content that hasn't been formally approved from being accessed or downloaded by anyone with the appropriate permissions.

​

Q: Does ISO 9001 require a specific document management system?

A: No. ISO 9001 does not prescribe specific tools or systems. The standard requires that documented information be controlled to meet the requirements of Clause 7.5 - approval, version control, point-of-use availability, obsolete version prevention, and external document tracking. Organisations can use any system, including paper-based systems, as long as they can demonstrate compliance under audit. The question isn't whether you use SharePoint or a CCMS - it's whether your system can produce the evidence of control that an auditor requires. Many systems can be made to work; the question is how much ongoing effort that requires and where the residual risk lies.

​

Q: How is a CCMS different from SharePoint for document control?

A: A CCMS differs from SharePoint in that it provides document control as an architectural property rather than as a governance policy. Key differences: approval workflows are built into the content lifecycle, not managed by email; approval trails are recorded in the system alongside the content, not in separate inboxes; a publishing gate prevents any unapproved content from reaching any output format; single-source publishing produces all required outputs from one approved source, eliminating distribution errors; and translation workflows keep multilingual content synchronised with source updates. A CCMS is designed for regulated environments where control isn't optional. SharePoint is designed for general business document management.

​

Q: Can an organisation use both SharePoint and a CCMS?

A: Yes, and many do. The typical approach is to use SharePoint for non-controlled business content - HR files, project documentation, general business materials - while migrating ISO-scope documentation to a CCMS. Author-it integrates with Microsoft 365 environments, so the two systems can coexist. The ISO-controlled content moves to Author-it where it receives architectural control; the general business content remains in SharePoint where SharePoint's capabilities are appropriate. This avoids a wholesale systems replacement while closing the specific gap that ISO compliance requires.