How BPA achieved ISO/IEC 27001:2022 using its own eQMS

Practical lessons learned for quality and regulatory affairs leaders

Achieving ISO/IEC 27001:2022 certification is often perceived as complex, time-consuming, and resource-intensive. At BPA Solutions, we decided to approach this challenge not only as a compliance requirement, but also as a real-life validation of our own eQMS software. This article shares the concrete lessons we learned while implementing an Information Security Management System (ISMS) aligned with ISO 27001 using BPA eQMS, fully integrated with the Microsoft 365 ecosystem. Our objective is to give quality and regulatory affairs managers practical guidance based on what actually worked in the field.

Why we launched the ISO 27001 project

The ISO 27001 initiative had three clear objectives:

  • Introduce an integrated management system capable of steering the company through governance, risk, performance, and continuous improvement.
  • Validate in real conditions that BPA eQMS effectively supports ISO 27001 requirements, not only on paper but operationally.
  • Reinforce trust with our customers by demonstrating that the solution they use is itself certified and audited against international standards.

The entire certification journey was completed in 9 months, from initial gap analysis to successful audit readiness.

Structuring the project for success

Project management and digital foundations

BPA eQMS was selected as the digital backbone of our ISMS. Microsoft Planner was used for project management, enabling clear task ownership, deadlines, and automated reminders. Collaboration with our external ISO 27001 partner was straightforward thanks to controlled access through Microsoft security policies, including multi-factor authentication (MFA) and Azure Active Directory. This combination ensured secure collaboration, traceability, and consistent execution across all project phases.

Governance and organizational context

We began by clearly defining our organizational structure, processes, and responsibilities, with a strong emphasis on information security governance. Using the prebuilt modules of BPA eQMS, we rapidly imported and structured master data, including organization charts, business units, collaborators, job roles, processes, and ISO 27001 clauses and controls. Visual process mapping helped align operational activities with information security objectives. This step created a solid foundation for traceability and accountability across the ISMS.

Building a compliant document management system

At project start, only a limited number of procedures were available. Most ISMS documentation was created during the implementation phase. Our external partner provided ISO 27001 policy templates, which we adapted and enriched within BPA eQMS. Thanks to the native integration with SharePoint, Teams, and Microsoft Office, document collaboration was efficient and familiar to users.

Preconfigured workflows managed approvals, electronic signatures, training, controlled publication, and revision cycles. Documents were systematically linked to processes, job roles, departments, and ISO 27001 controls, ensuring full traceability. AI-driven features played a key role by automatically generating training questionnaires and verifying that documentation covered all required controls. This alone saved several weeks of manual effort.

Asset management and classification

We established a structured inventory of primary and secondary information security assets using the prebuilt asset register. Primary assets represented critical business elements such as company knowledge and customer support. Secondary assets included supporting technologies like the eQMS, CRM, and IT infrastructure. For each asset, we defined ownership, classification, and confidentiality, integrity, and availability values. Assets were then linked to risks and vendors, enabling consistent risk-based decision-making and compliance alignment.

Vendor management and security assessment

Service providers and software vendors impacting information security were managed within the stakeholder module. We attached security certifications such as ISO or SOC reports, assessed vendor risks using predefined questions, and automatically calculated vendor risk scores. Vendor criticality, ownership, and asset relationships were clearly documented, supporting ISO 27001 supplier security requirements.

Risk assessment and treatment in practice

Risk management was handled using the preconfigured risk register in BPA eQMS. Risks were assessed based on objective impact criteria such as financial, legal, service, and operational impact, as well as defined probability scales. We evaluated inherent, current, and target risks, selected treatment options, and linked risks directly to ISO 27001 controls. Corrective actions were created where additional mitigation was required, ensuring that risk treatment was not theoretical but operational and measurable.
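The asset and risk sections above describe how the register is structured (assets with owner and C/I/A values, risks scored as inherent, current and target, treatment options, links to ISO 27001 controls, corrective actions where mitigation is still needed) but not the arithmetic behind it. The following Python block is an added example, not BPA's code or the eQMS data model, that makes those relationships concrete and adds the consistency checks a practitioner would want before a register feeds treatment decisions. The 1..4 scales, the worst-impact-times-likelihood formula, the classification rule, the sample assets and risks, and the choice of Annex A control identifiers are all assumptions made for the example.

```python
"""Constructed example of an ISO 27001 risk register: assets carry C/I/A values,
each risk is scored three times (inherent, current, target) and linked to Annex A
controls, and the register is validated before it feeds treatment decisions.
Scales, scoring formula, classification rule and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE_MAX = 4                                   # assumed 1..4 scale everywhere
IMPACT_CRITERIA = ("financial", "legal", "service", "operational")


@dataclass
class Asset:
    name: str
    kind: str                                   # "primary" or "secondary"
    owner: str
    cia: Tuple[int, int, int]                   # confidentiality, integrity, availability

    def classification(self) -> str:
        # Assumed rule: the label follows the highest of the three C/I/A values.
        labels = {1: "public", 2: "internal", 3: "confidential", 4: "restricted"}
        return labels[max(self.cia)]


@dataclass
class Scenario:
    """Impact per criterion plus a likelihood, for one of inherent/current/target."""
    impacts: Dict[str, int]
    likelihood: int

    def score(self) -> int:
        # Assumed formula: worst impact across criteria times likelihood (max 16).
        worst = max(self.impacts.get(c, 1) for c in IMPACT_CRITERIA)
        return worst * self.likelihood


@dataclass
class Risk:
    title: str
    asset: str                                  # must match an Asset.name
    inherent: Scenario                          # before any control
    current: Scenario                           # with the controls in place today
    target: Scenario                            # after the planned treatment
    treatment: str                              # mitigate | accept | transfer | avoid
    controls: List[str] = field(default_factory=list)  # Annex A control ids (assumed)


def validate(assets: List[Asset], risks: List[Risk]) -> List[str]:
    """Return human-readable problems; an empty list means the register is consistent."""
    problems = []
    names = {a.name for a in assets}
    for a in assets:
        if not all(1 <= v <= SCALE_MAX for v in a.cia):
            problems.append(f"{a.name}: C/I/A values must be 1..{SCALE_MAX}")
    for r in risks:
        if r.asset not in names:
            problems.append(f"{r.title}: unknown asset '{r.asset}'")
        for label, s in (("inherent", r.inherent), ("current", r.current), ("target", r.target)):
            values = list(s.impacts.values()) + [s.likelihood]
            if not all(1 <= v <= SCALE_MAX for v in values):
                problems.append(f"{r.title}: {label} values must be 1..{SCALE_MAX}")
        # Treatment can only lower risk, so the three scores must be monotonic.
        if not r.inherent.score() >= r.current.score() >= r.target.score():
            problems.append(f"{r.title}: scores must satisfy inherent >= current >= target")
        if r.treatment == "mitigate" and not r.controls:
            problems.append(f"{r.title}: a mitigated risk must link at least one control")
    return problems


def needs_corrective_action(risk: Risk) -> bool:
    """A mitigated risk still above its target needs a tracked corrective action."""
    return risk.treatment == "mitigate" and risk.current.score() > risk.target.score()


def control_coverage(risks: List[Risk], controls_in_scope: List[str]) -> float:
    """Share of in-scope controls linked to at least one risk (a dashboard metric)."""
    linked = {c for r in risks for c in r.controls}
    return len(linked & set(controls_in_scope)) / len(controls_in_scope)


# Constructed sample data (not BPA's register).
ASSETS = [
    Asset("Customer support", "primary", "Head of Support", (3, 3, 3)),
    Asset("eQMS", "secondary", "IT Manager", (4, 4, 3)),
    Asset("CRM", "secondary", "Sales Director", (3, 3, 2)),
]

RISKS = [
    Risk("Ransomware on eQMS platform", "eQMS",
         inherent=Scenario({"financial": 4, "legal": 3, "service": 4, "operational": 4}, 3),
         current=Scenario({"financial": 3, "legal": 3, "service": 3, "operational": 3}, 2),
         target=Scenario({"financial": 2, "legal": 2, "service": 2, "operational": 2}, 1),
         treatment="mitigate", controls=["A.8.7", "A.8.13"]),
    Risk("Unauthorised access to CRM data", "CRM",
         inherent=Scenario({"financial": 3, "legal": 4, "service": 2, "operational": 2}, 3),
         current=Scenario({"financial": 2, "legal": 3, "service": 2, "operational": 2}, 2),
         target=Scenario({"financial": 2, "legal": 3, "service": 2, "operational": 2}, 2),
         treatment="mitigate", controls=["A.5.15", "A.8.5"]),
]

CONTROLS_IN_SCOPE = ["A.5.15", "A.6.3", "A.8.5", "A.8.7", "A.8.13"]

if __name__ == "__main__":
    for p in validate(ASSETS, RISKS):
        print("PROBLEM:", p)
    for a in ASSETS:
        print(f"{a.name:18} {a.kind:9} {a.classification()}")
    for r in RISKS:
        print(f"{r.title}: {r.inherent.score()} -> {r.current.score()} -> {r.target.score()}"
              f" corrective action: {'yes' if needs_corrective_action(r) else 'no'}")
    print(f"control coverage: {control_coverage(RISKS, CONTROLS_IN_SCOPE):.0%}")
```

With the sample data the ransomware risk drops from 12 (inherent) to 6 (current) but its target is 2, so a corrective action is required; the CRM risk already sits at its target of 6 and needs none. Coverage reports four of five in-scope controls linked to a risk, which is the kind of gap a control-coverage dashboard is meant to surface. The monotonic-score check catches the common data-entry error of a target that is higher than the current score.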

Incident management and continuous improvement

Security incidents, observations, and opportunities for improvement were managed using the nonconformity module. An 8D problem-solving approach guided investigation, root cause analysis, and corrective actions. Automated workflows ensured timely notifications and follow-up, while Planner tasks and discussion flows supported collaboration. Corrective actions became a central driver of continuous improvement and were monitored through Power BI dashboards.

Training and awareness without manual burden

Training and awareness are critical ISO 27001 requirements and often a major administrative burden. Using BPA eQMS, training workflows were fully automated. An ISO 27001 awareness presentation was created, and AI automatically generated training questionnaires. Training evidence was collected for all collaborators and contracted personnel without manual tracking. This approach ensured consistent awareness while significantly reducing administrative workload.

Operational planning and performance monitoring

Recurring ISMS activities such as management reviews, audits, and asset reviews were planned using Microsoft Planner and integrated with BPA eQMS. Objectives and key performance indicators were defined to steer both information security and company performance. Interactive Power BI dashboards provided real-time visibility into metrics such as control coverage, training completion, and corrective action effectiveness.

Management reviews and internal audits

The annual management review was conducted with our external partner and documented directly in BPA eQMS. Findings and improvement actions were linked and tracked. Internal and external audits were planned for the next three years using the audit module. Preparation audits confirmed readiness, and corrective actions were documented and closed within the system. This structured approach ensured audit readiness and long-term compliance sustainability.

Key takeaways for Quality and Regulatory Affairs Managers

Our experience shows that ISO 27001 certification can be achieved efficiently when supported by a structured, integrated eQMS aligned with everyday working tools. Key success factors included:

  • centralized governance,
  • automation of repetitive tasks,
  • strong traceability,
  • AI-assisted documentation and training,
  • seamless integration with Microsoft 365.

Most importantly, BPA eQMS proved to be not just a compliance tool, but a true management system supporting continuous improvement.

Go Further with BPA eQMS

If you are planning or preparing your ISO/IEC 27001 certification, our experience can serve as a practical reference. Download our guidebook to learn how to approach ISO 27001 certification step by step using BPA eQMS and the Microsoft 365 ecosystem.
