ISO 10007: Configuration Management in Projects, Full Guide

Post by Alina Ansari | June, 2026

What Is ISO 10007?

ISO 10007:2017 is the international standard that provides guidelines for configuration management within organizations. It is published by ISO under the technical management of ISO/TC 176/SC 2, the subcommittee responsible for quality systems within ISO's technical committee for quality management and quality assurance.

It defines the principles, activities and processes of configuration management and describes how configuration management supports the achievement of product and project requirements throughout the lifecycle of a product, service, or system.

Configuration management is the discipline of identifying, documenting, controlling and accounting for the functional and physical characteristics of a product or system - ensuring that the defined configuration of a product is known, controlled and consistent with its requirements at every point in its lifecycle, from initial design through manufacture, delivery, operation and disposal. ISO 10007 is explicitly designed to be used in conjunction with ISO 9001 - providing the configuration management guidance that complements and supports the quality management system requirements of ISO 9001 in any product development or project delivery context where configuration control is critical to quality and compliance outcomes.

ISO 10007 helps project and product teams keep requirements, design changes, versions and delivered configurations controlled throughout the lifecycle - Pacific Certifications


Configuration Management Principles

ISO 10007 is built on a set of foundational principles that define what configuration management is, why it is necessary and what it must achieve in any organizational context.

Understanding these principles is the starting point for any implementation program.

Configuration Item (CI)

A configuration item is any hardware, software, service, or combination thereof that is designated for configuration management and treated as a single entity in the configuration management process. Configuration items may range in scope from a single component - a circuit board, a software module, a document - to an entire system. The identification of configuration items is the first and most critical decision in any configuration management implementation - defining the scope and granularity of configuration control across the product or system.

Configuration Baseline

A configuration baseline is a formally approved and documented description of the configuration of a product or system at a specific point in its lifecycle - capturing the configuration item identifiers, versions and relationships that define the product at that moment. Baselines serve as the reference point for change control - any proposed change to the product is evaluated against the current baseline and approved changes result in the establishment of a new baseline.

Configuration Documentation

Configuration documentation is the body of documents that defines the requirements, design and verification status of each configuration item. It includes specifications, drawings, parts lists, software code, test procedures and acceptance records - all of which must be controlled, version-managed and traceable to each other and to the applicable baseline.

Traceability

Configuration management must provide bidirectional traceability throughout the product lifecycle - from requirements through design, manufacturing, testing and delivered product. Traceability ensures that every design decision can be traced to a requirement, every product can be traced to its design and every change can be traced to its originating requirement or defect.

A Practical Tip from Pacific Certifications: Treat every configuration item, baseline, document and change record as evidence that the product or system remains controlled and traceable.


Configuration Management Planning

ISO 10007 requires that configuration management activities are planned - and that the plan is documented, approved and communicated before configuration management activities begin.

The Configuration Management Plan must address:

  • Scope: Which products, systems and components are subject to configuration management - defining the configuration item hierarchy and the level of configuration control applied to each item

  • Roles and responsibilities: Who is responsible for each configuration management activity - including the configuration manager, configuration control board members and the individuals responsible for configuration item identification, change processing, status accounting and audits

  • Applicable procedures: The documented procedures governing each configuration management activity - identification, change control, status accounting and audit

  • Tools and systems: The configuration management tools, document management systems and data management environments used to implement configuration management across the program

  • Interface management: How configuration management interfaces are handled across organizational boundaries - between the prime contractor and subcontractors, between development and manufacturing and between the project and the customer

  • Schedule: The planned timing of baseline establishment events, configuration audits and major

Choosing the right configuration items is the foundation of effective configuration management because it defines what must be identified, controlled and audited.


Configuration Identification

Configuration identification is the process of selecting configuration items, documenting their functional and physical characteristics and establishing the structure that defines the relationships between them.

ISO 10007 defines the key activities of configuration identification as:

  • Configuration Item Selection: The selection of configuration items requires judgment about the appropriate level of granularity for configuration control - balancing the overhead of managing large numbers of configuration items against the risk of losing traceability and control in a coarser structure. Selection criteria typically include the significance of the item to overall system performance or safety, whether the item is subject to separate delivery or contractual requirements, whether the item interfaces with other systems or organizations and whether independent change control of the item is operationally necessary.

  • Configuration Item Naming and Numbering: Each configuration item must be assigned a unique identifier - a part number, document number, or other identifier that unambiguously distinguishes it from all other configuration items and supports retrieval, cross-referencing and traceability throughout the product lifecycle.

  • Version Control: Each version of a configuration item must be uniquely identified - enabling the configuration of the product at any point in its history to be reconstructed from the version-controlled configuration item records. Version control applies to all forms of configuration documentation - drawings, specifications, software source code, test procedures and acceptance records.

  • Product Structure and Bill of Materials: Configuration identification includes the definition and maintenance of the product structure - the hierarchical breakdown of the product into its constituent assemblies, subassemblies and components - and the Bill of Materials (BOM) that defines the composition of each assembly in terms of its component parts, versions and quantities.

Practical Tip: Configuration identification works best when item selection, naming, numbering, version control and product structure are clear from the start.


Change Control

Change control is the core operational process of configuration management - governing how proposed changes to configuration items and their documentation are identified, evaluated, approved or rejected, implemented and verified. ISO 10007 defines change control as a structured process that must be applied to any proposed change to a baselined configuration item.

The change control process defined in ISO 10007 covers the following activities:

  • Change Request: Any proposed change to a baselined configuration item is initiated through a formal change request - documenting the nature of the proposed change, the reason for the change, the configuration items and documentation affected and a preliminary assessment of the impact on product performance, schedule, cost and compliance.

  • Impact Assessment: Before a change is approved, a thorough impact assessment must be conducted - evaluating the effect of the proposed change on all related configuration items, interfaces, performance requirements, verification status, applicable regulatory approvals and downstream delivery obligations.

  • Configuration Control Board: ISO 10007 requires that change approval authority is vested in a Configuration Control Board (CCB) - a formally constituted governance body with defined membership, authority and decision criteria for approving, rejecting, or deferring change requests.

  • Change Implementation and Verification: Approved changes must be implemented in a controlled manner - updating all affected configuration documentation, ensuring that the change is incorporated in production or development at the correct point and verifying that the implemented change achieves its intended effect without introducing unintended consequences.

  • Change Record: A complete record must be maintained for every change - documenting the original change request, the impact assessment findings, the CCB decision, the implementation activities and the verification results. The change record provides the audit trail that links every change to its basis, its approval and its verified implementation.

Change control is the discipline that prevents uncontrolled modifications from affecting quality, schedule, cost, compliance or customer commitments.


Status Accounting

Configuration status accounting is the process of recording and reporting the configuration status of all configuration items throughout the product lifecycle - providing the organization and its stakeholders with accurate, current information about what has been defined, what has been built, what has changed and what is approved at any point in time.

ISO 10007 defines status accounting as encompassing:

  • Recording the identification of all configuration items and their current approved versions

  • Recording the current status of all change requests - whether submitted, under review, approved, rejected, or implemented

  • Recording the incorporation status of approved changes - at what point in production or in the deployed product population each change has been incorporated

  • Reporting the difference between the currently approved configuration documentation and the actual configuration of products in production or in the field - identifying any known deviations or waivers that affect specific product serial numbers or lots

  • Producing configuration status accounting reports that enable management, customers and auditors to understand the current configuration state of the product and the history of changes that have brought it to that state

Writer’s view: Status accounting should always show what is approved, what has changed, what is pending and where each change has been incorporated.


Configuration Audits

Configuration audits are the verification mechanism of configuration management - providing independent confirmation that the product has been built as designed and documented and that the configuration management process has been applied as planned.

ISO 10007 defines two types of configuration audit:

  • Functional Configuration Audit (FCA): The Functional Configuration Audit verifies that the functional characteristics of a configuration item have been achieved - confirming that the product performs to its approved functional and performance specification. The FCA examines test results, analysis records and acceptance data to verify that all specified functional requirements have been demonstrated and accepted.

  • Physical Configuration Audit (PCA): The Physical Configuration Audit verifies that the physical characteristics of a configuration item - as documented in its design documentation, drawings, parts lists and specifications - are consistent with the actual physical configuration of the product as manufactured. The PCA involves a detailed comparison between the approved configuration documentation and the physical product - verifying that every component, assembly, material and process is as documented.

  • Configuration Management Process Audits: In addition to FCA and PCA, ISO 10007 supports the conduct of configuration management process audits - assessing whether the configuration management activities defined in the Configuration Management Plan are being performed as specified, whether the procedures are adequate and whether the tools and systems support effective configuration management across the program.

Configuration audits confirm whether the product was built as designed and whether the configuration management process was followed in practice.


ISO 10007 with ISO 9001

ISO 10007 and ISO 9001 are closely aligned standards designed to be used together - ISO 10007 is explicitly referenced as a supporting guideline standard within the ISO 9001 quality management system framework.

| Dimension | ISO 9001:2015 | ISO 10007:2017 |
|---|---|---|
| Type | Certifiable management system standard | Guideline standard - no standalone certification |
| Scope | All quality management system requirements | Configuration management specifically |
| Certification | Third-party certification available | No - implemented within ISO 9001 QMS |
| Key clause alignment | Clause 7.5 - Documented information; Clause 8.5 - Production control | Directly supports Clause 7.5 version control and Clause 8.5.6 change control |
| Relationship | Framework within which ISO 10007 is applied | Configuration management guidance used within the QMS |

Final Remark: ISO 10007 supports ISO 9001 by strengthening documented information control, production control, change control and product traceability.


ISO 10007 Implementation Examples

Aerospace Component Manufacturer

An aerospace component manufacturer implementing ISO 10007 alongside ISO 9001 establishes a configuration management system covering all design documentation, manufacturing drawings, material specifications and test procedures for each part number in its product range. Each part number is treated as a configuration item with a defined revision history. A Configuration Control Board - comprising engineering, quality, production and customer interface representatives - reviews and approves all design changes before implementation.

Software and IT Systems Integrator

A software development organization implementing ISO 10007 applies configuration management to its software product baseline - treating source code repositories, build configurations, third-party library versions, deployment configurations and release documentation as configuration items governed by a formal change control process. All changes to the software baseline are processed through a change request and CCB approval process before implementation. Release baselines are formally established at each product release, with status accounting records documenting the approved change set incorporated in each release version.

Defense Systems Prime Contractor

A defense prime contractor implementing ISO 10007 on a complex systems integration program establishes a hierarchical configuration item structure - from system level through subsystem, equipment and component levels - with configuration baselines established at the completion of each major design review milestone. The Configuration Management Plan defines the interface with subcontractors - specifying the configuration management data deliverables required from each subcontractor and the change control procedures that govern interface changes between subsystems.

Use implementation examples to show how ISO 10007 works in real projects, from product design and document control to software releases, engineering changes and final delivery.


ISO 10007 Certification Cost

ISO 10007 is a guideline standard and does not carry a standalone certification body audit fee.

The cost of implementing an ISO 10007-aligned configuration management program depends on the complexity of the products or systems under configuration management, the number of configuration items in scope, the scale of the project or product development organization and whether configuration management tools and infrastructure need to be established from scratch or built upon an existing product data management or document management foundation.

Cost planning should consider product complexity, number of configuration items, project scale, tool maturity and whether ISO 9001 certification is included.


ISO 10007 Certification Timeline

Implementing an ISO 10007-aligned configuration management program - from Configuration Management Plan development through configuration item identification, procedure documentation, CCB establishment, tool configuration and staff training - typically takes 2 to 4 months for an engineering organization with an existing product development function and a defined product or project scope.

This includes 2 to 4 weeks for gap analysis and Configuration Management Plan development, 4 to 8 weeks for configuration item identification, procedure documentation, CCB charter development and status accounting system setup and 2 to 4 weeks for staff training, CCB member familiarization and a trial change control cycle before the system is formally activated.

Organizations in regulated sectors - aerospace, defense, medical devices - should plan for the longer end of this range, as the depth of configuration management implementation required to satisfy sector-specific customer and regulatory expectations typically exceeds the minimum level required for ISO 9001 certification alone. Assigning a dedicated configuration manager, establishing the Configuration Management Plan before commencing other implementation activities and conducting a full configuration management process audit before the Stage 2 certification assessment are the most effective ways to keep the combined program on track.

A Practical Tip from Pacific Certifications: Organizations can avoid delays by completing the Configuration Management Plan, CI identification, CCB setup and trial change cycle early.


How Can Pacific Certifications Help?

Pacific Certifications is an independent certification body providing ISO certification services to product development organizations, engineering companies, defense contractors, software developers, medical device manufacturers and project-based organizations implementing configuration management programs globally.

Accredited by ABIS, Pacific Certifications conducts impartial, evidence-based audits against applicable ISO standards in full conformance with ISO/IEC 17021. Our services for organizations implementing ISO 10007-aligned programs include:

  • Independent certification audits for ISO 9001, ISO/IEC 27001, ISO 13485, ISO 22301 and related standards

  • Integrated management system audits covering multiple standards in coordinated, efficient audit visits

  • Stage 1 and Stage 2 audit execution across single and multi-site engineering and project organizations

  • Clear, transparent audit reports with conformity findings and certification decisions

  • Issuance of internationally recognized ISO certificates upon successful audit completion

  • Annual surveillance and triennial recertification audits to maintain certificate validity

Pacific Certifications does not provide consultancy - our role is strictly that of an independent auditor, ensuring your certificate carries full credibility with prime contractors, regulatory authorities and customer procurement bodies in every sector you operate in.


Contact Us

To get started with your configuration management certification program or initiate your audit, contact us at support@pacificcert.com or +91-8595603096.

For training programs, contact us at trainings@pacificcert.com. Visit www.pacificcert.com for more information.

Frequently Asked Questions

Is ISO 10007 a certifiable standard?

No, ISO 10007 is a guideline standard for configuration management. It is usually implemented to support ISO 9001, ISO 13485, ISO/IEC 27001, or other certifiable management systems.

What is ISO 10007 used for?

ISO 10007 helps organizations control product, system, software, and project configurations. It supports identification, version control, change control, status accounting, and configuration audits throughout the lifecycle.

Who should implement ISO 10007?

ISO 10007 is useful for engineering firms, manufacturers, software developers, aerospace suppliers, defense contractors, medical device companies, and project-based organizations. It is most relevant where design changes, versions, baselines, and traceability must be controlled.

How does ISO 10007 support ISO 9001?

ISO 10007 supports ISO 9001 by strengthening document control, production control, and change management. It helps organizations prove that approved versions, records, drawings, specifications, and changes are properly managed.

What is a configuration item in ISO 10007?

A configuration item is any product, component, document, software module, system, or service placed under configuration control. Each item should be identified, versioned, documented, and traceable throughout its lifecycle.

What should a configuration management plan include?

A configuration management plan should define scope, roles, responsibilities, procedures, tools, interfaces, schedules, and control methods. It explains how configuration items, changes, baselines, records, and audits will be managed.

What is change control in ISO 10007?

Change control is the formal process for requesting, reviewing, approving, implementing, and verifying changes to configuration items. It helps prevent uncontrolled modifications that can affect quality, cost, safety, delivery, or compliance.

How long does ISO 10007 implementation take?

Implementation usually takes 2 to 4 months for organizations with an existing product or project structure. Regulated sectors such as aerospace, defense, and medical devices may need more time due to deeper traceability requirements.

How much does ISO 10007 certification cost?

ISO 10007 does not have a standalone certification fee because it is not independently certifiable. Costs usually relate to implementation work, configuration tools, staff training, process setup, and audits for related certifiable ISO standards.

What are configuration audits under ISO 10007?

Configuration audits verify that a product, system, or software release matches approved documentation and requirements. Functional audits check performance, while physical audits check whether the actual build matches drawings, specifications, and records.