What We Did After Failing With an ISO Excel Template
A few years ago, WorkingMouse did what many organisations do.
We bought a governance pack.
We used spreadsheets.
We tried to assemble an ISO 27001 management system.
And it failed. Twice.
Not because of lack of effort.
Not because of lack of intent.
But because the system became bloated and disconnected from the actual business.
Registers expanded.
Templates multiplied.
Controls became layered with interpretation.
The work of “managing ISO” began to outweigh the work of running the business.
This is common.
Many organisations, especially SMEs, begin their ISO journey in Excel. It feels accessible. Familiar. Cost-effective.
And at first, it works.
But over time:
- Version control becomes fragile
- Audit trails are difficult to demonstrate
- Manual errors creep in
- Registers duplicate effort
- Collaboration becomes messy
- Security becomes a concern
Spreadsheets are powerful.
But they are not a governance system.
We learned that the hard way.
The Turning Point: Going Back to the Standard
After failing twice to establish a sustainable ISO 27001 system, we made a different decision.
Instead of adding more templates, we went back to the source.
The actual ISO 27001 standard.
Not interpretation packs.
Not pre-filled governance kits.
The standard itself.
We read it carefully.
And something became clear.
There was far less required than most governance packs suggested.
Over time, organisations add layers.
Consultants add structure.
Templates add repetition.
The result becomes heavier than the standard demands.
So we stripped it back to its meta level and modelled it directly from the clauses.
And then something else became clear.
We had overshot.
The risk management framework was stronger than the business actually needed.
At the same time, we wanted to achieve ISO 9001 for Quality and ISO 14001 for Environmental Management.
So instead of adding more weight, we rebalanced.
We scaled back unnecessary auditing policies.
We lightened the operational burden.
We expanded the core model to cover all three standards.
We aligned it to operational reality.
That insight mattered.
ISO should strengthen a business.
Not overwhelm it.
From Documents to Models
The real breakthrough came when we stopped managing ISO as documents and started modelling it as a system.
Instead of maintaining static files, we built a core ISO model.
That model spans:
- ISO 27001 (Information Security)
- ISO 9001 (Quality)
- ISO 14001 (Environmental Management)
Around that core, we built supporting models:
- Risks and registers
- Audits
- Checklists
- Roles
- Documents
- Teams
- Terminology
- Assets
- Governance structures
Each concept exists once.
Relationships are defined structurally.
From there, artefacts are generated:
- Risk registers
- Audit plans
- Incident checklists
- Governance views
The system became multi-layered.
Controls sit at one level.
Risks at another.
Checklists at another.
Work was published into Git.
Tickets were created in GitLab to carry actions forward.
If a team was less technical, we published the same structure into a user-facing application.
The principle remained the same.
The management system became model-driven.
Not spreadsheet-driven.
The Big Difference
The difference was not automation alone.
The difference was control over scale.
With a model-driven system, an organisation can now:
- Make the system as lean or as comprehensive as needed
- Avoid repeating the same information across registers
- Regenerate structure as standards evolve
- Maintain traceability between risks, controls, and audits
- Reduce manual reconciliation
The system grows.
Or it contracts.
It does not accumulate accidental complexity.
That is what we learned through experience.
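As an added illustration of the model-driven idea described above (this is not ISOBot's code or WorkingMouse's model; the class names, field names, ids and sample entries are all constructed for the example), the sketch below defines each control and risk once, generates a per-standard risk register from that single model, and checks traceability between risks, controls and audits.

```python
from dataclasses import dataclass

# Hypothetical entity types; each concept is defined once and linked by id.
@dataclass(frozen=True)
class Control:
    id: str
    title: str
    standards: tuple   # standards this control serves

@dataclass(frozen=True)
class Risk:
    id: str
    title: str
    controls: tuple    # ids of mitigating controls

# Constructed sample model (ids and titles are illustrative only).
CONTROLS = {c.id: c for c in (
    Control("CTRL-01", "Quarterly access review", ("27001",)),
    Control("CTRL-02", "Supplier evaluation", ("27001", "9001")),
    Control("CTRL-03", "Waste handling procedure", ("14001",)),
)}
RISKS = (
    Risk("RISK-01", "Leaver keeps system access", ("CTRL-01",)),
    Risk("RISK-02", "Supplier ships defective component", ("CTRL-02",)),
    Risk("RISK-03", "Unencrypted laptop lost", ()),
    Risk("RISK-04", "Chemical spill on site", ("CTRL-09",)),
)
AUDITS = {"AUD-01": ("CTRL-01", "CTRL-02")}   # audit id -> controls in scope

def risk_register(standard):
    """Generate one standard's register rows from the shared model."""
    rows = []
    for r in RISKS:
        hits = [c for c in r.controls
                if c in CONTROLS and standard in CONTROLS[c].standards]
        if hits:
            rows.append((r.id, r.title, hits))
    return rows

def traceability_gaps():
    """Report broken or missing links between risks, controls and audits."""
    known = set(CONTROLS)
    used = {c for r in RISKS for c in r.controls}
    audited = {c for scope in AUDITS.values() for c in scope}
    return {
        "risks_without_control": [r.id for r in RISKS if not r.controls],
        "unknown_control_refs": sorted(used - known),
        "controls_never_audited": sorted(known - audited),
        "controls_without_risk": sorted(known - used),
    }
```

Because the supplier control is stored once and tagged with two standards, it appears in both the 27001 and 9001 registers without being retyped, and the gap report surfaces the dangling reference and the unaudited control that a set of separate spreadsheets would hide.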
Now We’ve Published It
Today, we package this approach into ISOBot.
It is available publicly via the Codebots Marketplace.
This is the same structural foundation we use internally.
It includes the ISO core model and the supporting models required to operate across:
- 27001
- 9001
- 14001
You can install it.
Tailor it.
Scale it up or down.
Or WorkingMouse can help model your system properly from the start.
Why This Matters Now
The trend is moving away from manual spreadsheets and toward structured, automated GRC platforms.
But many platforms still centre on documents.
The deeper shift is from documents to models.
When ISO lives in spreadsheets, it fragments.
When ISO lives in templates, it bloats.
When ISO lives in structured models, it becomes disciplined and scalable.
We learned this through failure.
Then through certification.
Then through refinement.
Now that learning is available to others.
Two Ways Forward
If you are currently managing ISO in Excel or a governance pack and feeling the strain, there are options.
1. Explore it yourself.
Install ISOBot.
Model a small part of your system.
See how it feels when structure replaces duplication.
Or,
2. Invite WorkingMouse to help.
We model your existing ISO framework.
Remove unnecessary complexity.
Align risk management to business reality.
Design a scalable governance foundation.
ISO does not need to be heavy.
It needs to be structured.
We learned that the hard way.
You do not have to.