The People Problem With ISO: Why Gut Feel Fails in a World That Demands Data
workplace-analytics · 9 min read

Iain Hamilton

What ISO Actually Asks For (And What Most Organisations Actually Do)

The language across ISO management system standards is remarkably consistent when it comes to people. Whether you're looking at ISO 9001 (Quality), ISO 27001 (Information Security), ISO 45001 (Health and Safety), or ISO 14001 (Environmental Management), the requirements converge around three pillars: competence, awareness, and evidence-based decision making.

Take competence. ISO 9001 Clause 7.2 doesn't simply ask whether someone has attended a training course. It requires organisations to determine the competence needed for each role, ensure that people are competent based on education, training, or experience, take action where gaps exist, and, critically, evaluate whether those actions were effective. That last part is where most organisations fall short. Training completion is treated as proof of competence. It isn't. A certificate proves attendance. It says nothing about whether the person understood the material, changed their behaviour, or can apply what they learned under pressure.

The same pattern repeats with awareness. ISO 9001 Clause 7.3 requires personnel to understand the quality management system, their contribution to it, and the consequences of not conforming. ISO 27001 mirrors this with Annex A.6.3, requiring not just security awareness training but evidence that it was effective. ISO 45001 Clause 7.3 asks the same for health and safety. In each case, the standard asks for demonstrable understanding, not a tick-box confirming an email was sent.

Then there's Clause 9.1 of ISO 9001, which operationalises one of the seven core principles of quality management: evidence-based decision making. Organisations must define what needs monitoring and measuring, establish the methods, determine when it should happen, and analyse the results to inform decisions. This isn't a suggestion. It's a requirement. And it applies directly to how organisations manage, develop, and evaluate their people.

Yet what do most organisations actually do? They rely on annual performance reviews coloured by recency bias. They use manager assessments that reflect personal relationships more than objective performance. They track training delivery without measuring training impact. They collect data without analysing it, and when they do analyse it, the analysis rarely drives decisions.

The Subjective Data Problem

There is a term that surfaces repeatedly in ISO audit guidance: objective evidence. Auditors are trained to seek it out, looking for tangible, verifiable proof that requirements are being met. When it comes to technical controls, this is relatively straightforward. You can demonstrate that a firewall is configured correctly, that a calibration record is current, or that an environmental monitoring system is operational.

People are different. Competence, awareness, behaviour, culture: these are inherently harder to measure. And because they're harder to measure, organisations default to subjective proxies. A manager says an employee is competent. A team lead confirms that everyone understands the policy. A senior leader asserts that the culture is strong. None of this constitutes objective evidence.

The consequences are real. Research consistently shows that nearly half of organisations encounter documentation issues during ISO audits, with a significant proportion lacking evidence of training effectiveness. Common non-conformities include statements like "no evidence of competency records for the employee performing this role," "training records present but no evidence of competence evaluation," and "no documented awareness assessment or confirmation."

In information security, the stakes are even higher. Studies indicate that the vast majority of security breaches involve human error, a reality that ISO 27001's people controls are specifically designed to address. Yet many organisations treat security awareness training as a one-off induction exercise rather than an ongoing behavioural programme. They can prove they delivered the training. They cannot prove it changed anything.

This is the fundamental disconnect. ISO standards are built on the premise that what gets measured gets managed. But when it comes to people, most organisations are still managing by instinct.

The Founder's Dilemma: Structure Without Bureaucracy

The challenge is particularly acute for growing businesses. Primary research conducted with founders of scaling SMBs reveals a pattern that will be familiar to anyone who has navigated the transition from a small team to a structured organisation.

When a company has five people, management happens by osmosis. The founder knows everyone, sees everything, and can course-correct in real time. But somewhere between six and fifteen employees, this model breaks down. Communication fragments. Assumptions about shared understanding prove wrong. The informal feedback loops that once kept everyone aligned start to fail.

One founder described it bluntly: the transition from six to thirteen employees "felt so hard" because the assumption that direct, informal management would scale simply didn't hold. Another admitted to having "no way of actually holding people accountable" despite wanting accountability. A third acknowledged that annual appraisals were really just a recollection of the most recent quarter's events: subjective, incomplete, and unreliable.

What makes this relevant to ISO compliance is that these same organisations are simultaneously pursuing or maintaining certifications that demand exactly the kind of objective people data they don't have. They want the credibility and market access that ISO certification provides. They recognise the value of structured processes. But they resist the bureaucratic overhead of traditional HR systems, viewing formal KPIs as "dysfunctional" while simultaneously complaining about a lack of visibility into performance and productivity.

The result is a gap between aspiration and evidence. The organisation has an ISO certificate on the wall, but behind it, people decisions are still driven by gut feel, personal relationships, and the most recent memorable interaction.

Why Document-Based Compliance Isn't Enough

Traditional approaches to ISO compliance focus heavily on documentation. Stage 1 audits are essentially document reviews. The logic is sound in principle: if you've documented your processes, trained your people against them, and recorded the training, you should have a functioning management system.

But documentation is a lagging indicator. It tells you what was supposed to happen, not what actually happened. A training record shows that a course was delivered in March. It doesn't show whether the attendee applied the learning in April, or whether their behaviour changed at all. A competence matrix shows that someone has been assessed as competent. It doesn't show whether that assessment was rigorous or perfunctory, whether it reflected actual performance or a manager's unwillingness to have a difficult conversation.

This is the shift that forward-thinking organisations are beginning to make: from document-based compliance to data-driven compliance. Rather than relying on periodic snapshots captured in forms and spreadsheets, they're building systems that continuously monitor the indicators that matter. Not just whether training was delivered, but whether it was effective. Not just whether policies exist, but whether they're being followed. Not just whether people are employed in their roles, but whether they're demonstrating the competence, awareness, and behaviours those roles require.

The emergence of ISO 30414, the international standard for human capital reporting, signals that this shift is gaining institutional momentum. Updated in 2025, the standard now defines fifty-eight metrics across eleven core areas including productivity, leadership capabilities, organisational culture, and skills development. It's effectively the measurement infrastructure for everything the other ISO standards require but struggle to verify: that people are competent, engaged, aware, and performing.

Behavioural Data: The Missing Layer

If subjective assessment is the problem and document-based compliance is an insufficient solution, what fills the gap?

The answer lies in behavioural data: the patterns embedded in how people actually work, communicate, and collaborate every day. Not what they say in an annual review or a compliance survey, but what they demonstrably do across hundreds of interactions, decisions, and outputs.

Consider what behavioural analytics can tell you about the people requirements in ISO standards. For competence verification under ISO 9001 Clause 7.2, performance data can show whether trained knowledge is being applied in practice. For awareness measurement under ISO 27001 Annex A.6.3, behaviour change tracking can demonstrate whether security training actually reduced risky behaviours. For worker participation under ISO 45001 Clause 5.4, collaboration and communication patterns can reveal whether employees are genuinely involved in safety processes or merely present for them.

This isn't about surveillance. It's about replacing anecdotal evidence with observable patterns. Instead of a manager asserting that their team is competent, the organisation can point to data showing how that competence manifests in daily work. Instead of claiming a strong safety culture, they can demonstrate it through measurable engagement in safety processes. Instead of assuming that training was effective because no one complained, they can track whether the behaviours the training was designed to change actually changed.

This is where platforms like Solas OS enter the picture. As an AI-driven talent operating system, Solas OS analyses everyday workplace signals, from communication patterns and collaboration networks to the texture of how work gets done, and surfaces the behavioural insights that traditional compliance approaches miss. The platform turns the abstract requirements of ISO standards into concrete, measurable indicators: competence demonstrated through performance, not just credentials. Awareness evidenced by behaviour, not just attendance. Culture measured by interaction patterns, not just survey responses.

For organisations pursuing or maintaining ISO certifications, this means moving from a defensive posture, scrambling to assemble evidence before an audit, to a continuous state of readiness where the data that demonstrates compliance is generated as a natural byproduct of daily operations.

Bridging the Gap Across Standards

The power of this approach becomes clearer when you consider how many ISO standards share the same people requirements. An organisation certified to ISO 9001, ISO 27001, and ISO 45001, a common combination in sectors like technology, manufacturing, and professional services, is answering fundamentally the same questions three times over: Are your people competent? Are they aware of their responsibilities? Can you prove it?

Currently, most organisations address each standard in isolation, maintaining separate training records, separate competence matrices, and separate awareness programmes. This is inefficient and creates inconsistency. A unified behavioural data platform can serve all three simultaneously, providing a single source of evidence that people are competent, aware, and engaged across quality, security, and safety domains.

ISO 30414 sits naturally above these operational standards as the reporting layer. Its fifty-eight metrics, spanning productivity, culture, leadership, skills, and well-being, provide the framework for aggregating and presenting the people data that ISO 9001, 27001, and 45001 all require. Organisations that align their people analytics with ISO 30414 aren't just meeting one standard. They're building the measurement infrastructure that supports compliance across their entire management system.

Beyond the traditional management system standards, this data-driven approach also supports alignment with broader frameworks. ISO 30415 on diversity and inclusion management, ISO 45003 on psychological health and safety at work, and ISO 10667 on assessment of people in work settings all share the same underlying need: objective, reliable, continuous evidence of how people are being managed, developed, and supported.

From Compliance Theatre to Genuine Capability

There's a phrase that circulates in compliance circles: compliance theatre. It describes the phenomenon of organisations maintaining the appearance of compliance, the policies, the documentation, the training logs, without the substance. Everything looks right on paper. The management review minutes are complete. The training matrix is populated. The risk register is current. But behind the documentation, decisions are still being made on instinct, competence is still being assumed rather than verified, and cultural issues are still going undetected until they become crises.

The shift from compliance theatre to genuine capability requires organisations to confront an uncomfortable truth: the people side of ISO compliance cannot be solved with documents alone. It requires data. Not just any data, but behavioural data that reflects how people actually work, not how they report they work.

This doesn't mean abandoning documentation. Policies, procedures, and records remain essential. But they need to be supplemented by continuous, objective evidence that the management system is working as intended, that people are genuinely competent, genuinely aware, and genuinely engaged. Without that evidence, the certificate on the wall is just a piece of paper.

The organisations that will thrive in an increasingly data-driven compliance landscape are those that recognise this now. They'll stop relying on gut feel for people decisions. They'll stop treating training records as proof of competence. They'll start measuring what matters: behaviour, performance, engagement, and awareness. And they'll use that data not just to pass audits, but to build genuinely capable, resilient workforces.

The standards already require it. The question is whether your organisation is ready to deliver it.
