Quality Management

ISO 9001 QMS with CAPA, process mapping, internal audits, and management review.

The challenge

Does this sound familiar?

Quality management lives in a separate system from information security. ISO 9001 and ISO 27001 audits run independently with duplicated evidence collection. CAPA processes are manual and findings go untracked.

How Fig helps

Quality Management with Fig

QMS Framework

ISO 9001:2015 clause applicability mapping with scope definition, interested parties register, and process documentation. Quality objectives tracked alongside security controls.

CAPA Management

Corrective and Preventive Actions with root cause analysis, corrective action tracking, effectiveness review, and closure verification. Linked to audit findings and incident outcomes.

Internal Audit Programme

QMS audit scheduling, execution, and findings management using the same audit infrastructure as ISO 27001 assessments. One audit engine for both quality and security.

Management Review

Structured management review with inputs from audits, CAPA, customer feedback, process metrics, and KPIs. Output actions tracked through to completion with board-ready reporting.

Core Capability

Fig implements ISO 9001:2015 natively with 80+ controls mapped to clauses 4-10, a full CAPA workflow with root cause analysis and effectiveness verification, process mapping with KPI tracking, and management review scheduling with structured inputs and outputs.

Audit-ready workflow

How Quality Management becomes evidence

Quality Management should not be treated as a standalone tool surface. In Fig it is part of a governed workflow: a signal is captured, an owner is assigned, a control or risk is updated, and evidence is retained so the organisation can prove what happened later.

Lifecycle

Where it sits in the operating model

The Prove phase is where this capability sits in the wider Fig operating model. Without it, quality management lives in a separate system from information security, ISO 9001 and ISO 27001 audits run independently with duplicated evidence collection, and CAPA processes are manual, so findings go untracked. Fig turns that problem into a repeatable lifecycle so MSPs, risk teams, and auditors are not relying on static spreadsheets or ad hoc screenshots when a buyer asks for proof.

Evidence captured

What auditors and buyers see

For quality management, useful evidence normally includes the triggering record, the affected asset or supplier, the control requirement, the assigned owner, the decision made, the timestamp, and the outcome. That evidence is mapped back to frameworks such as Cyber Essentials, ISO 27001, NIS2, DORA, GDPR, CMMC, and internal policy requirements where relevant.

Implementation checks

Four steps to roll this out

  • 01 Define who owns quality management and what events should trigger review.
  • 02 Connect the relevant source systems so evidence is collected continuously.
  • 03 Map outputs to the frameworks and policies that matter to the organisation.
  • 04 Review exceptions, accepted risks, and overdue actions before audit or renewal.

Useful references

Independent sources buyers and auditors recognise

The exact evidence required still depends on your scope, risk profile, sector, and framework obligations.

Built for you

Who uses this?

MSPs & MSSPs

Deliver ISO 9001 and ISO 27001 certification support as a combined service. Shared audit infrastructure reduces delivery cost per client.

Security & risk teams

Organisations pursuing dual certification (ISO 9001 + ISO 27001) no longer need two separate platforms. One system, one audit engine, one evidence library.

Compliance & audit

Shared evidence management across quality and security audits. CAPA tracking, management review records, and process metrics all available in one audit-ready system.

Common questions

Frequently asked questions

Can we run ISO 9001 and ISO 27001 from the same platform?

Yes. Fig provides both QMS and ISMS capabilities with shared audit infrastructure, shared evidence management, and a single Control Evaluation Engine assessing both quality and security controls. This eliminates duplicate effort for dual-certification organisations.

How does CAPA management work?

CAPAs are raised from audit findings, incidents, or manual entry. Each CAPA follows a structured workflow: root cause analysis, corrective action definition, implementation tracking, effectiveness review, and closure verification. All linked to the originating finding.

Does this cover the full ISO 9001 clause structure?

Yes. Fig maps to all ISO 9001:2015 clauses including context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement. Clause applicability is configurable per organisation.

Can we track quality metrics and KPIs?

Yes. QMS metrics and KPI tracking is built in, feeding into management review inputs. Process performance, customer satisfaction indicators, and quality objectives are all tracked with trend analysis.

Is the audit programme shared between QMS and ISMS?

Yes. The same audit infrastructure handles both quality and security audits. Audit planning, evidence curation, finding management, and remediation tracking work identically across both management systems.

Next step

See Quality Management in action.

Book a walkthrough tailored to your frameworks and tooling.