Overview of a management system

What is a management system

A management system is the way in which an organization manages the interrelated parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, information security, health and safety in the workplace and many more.


The level of complexity of the system will depend on each organization’s specific context. For some organizations, especially smaller ones, it may simply mean having strong leadership from the business owner, providing a clear definition of what is expected from each individual employee and how they contribute to the organization’s overall objectives, without the need for extensive documentation. More complex businesses operating, for example, in highly regulated sectors, may need extensive documentation and controls in order to fulfil their legal obligations and meet their organizational objectives.


The ISO model: agreed by experts

ISO management system standards (MSS) help organizations improve their performance by specifying repeatable steps that organizations consciously implement to achieve their goals and objectives, and to create an organizational culture that reflexively engages in a continual cycle of self-evaluation, correction and improvement of operations and processes through heightened employee awareness and management leadership and commitment.


The benefits of an effective management system to an organization include:


  • More efficient use of resources and improved financial performance


  • Improved risk management and protection of people and the environment


  • Increased capability to deliver consistent and improved services and products, thereby increasing value to customers and all other stakeholders


MSS are the result of consensus among international experts with expertise in global management, leadership strategies, and efficient and effective processes and practices. MSS standards can be implemented by any organization, large or small.


ISO management standards and the concept of a harmonized structure 

ISO’s management system standards (MSS) are among the most widely used and recognized documents that we publish. They include standards such as ISO 9001, ISO 14001, ISO/IEC 27001 and ISO 50001, which apply to quality management, environmental management, information security management and energy management respectively. In fact, there are more than 80 MSS. There’s a lot to know, and even experienced standards users might want to consult the complete list or find out more about how MSS work.


One of the fundamental principles is that all the standards can work together. Those who already use an MSS in one part of their business, and are considering implementing additional ones in another area, will find that the process has been made as intuitive as possible. That’s thanks to the Harmonized Structure (HS). The concept of HS is that management standards are structured in the same way, regardless of the domain of application. Users who are familiar with one MSS will immediately feel at ease with another, even when using it for the first time.


Annex SL: more than a shared structure

In addition to being laid out in the same way, there are some parts of a standard where identical text can be used. This improves coherence and recognition, simplifies use, and is defined in something called “Annex SL”. It means that in addition to having the same structure, MSS can contain many of the same terms and definitions. This is particularly useful for those organizations that choose to operate a single (sometimes called “integrated”) management system that can meet the requirements of two or more MSS being used simultaneously. 


Annex SL plays a key role in the interoperability and user friendliness of standards for countless users of ISO management standards around the world. You can find comprehensive information about the current Annex SL here.  




MSS harmonized structure (HS) (normative)
Guidance for MSS readers (informative)


Throughout this document:

  • MS = Management System 
  • MSS = Management System Standard 
  • MSS readers = those interested in, or implementing, the discipline-specific MSS.
  • HS = Harmonized high-level structure (HLS) - that part of the Harmonized Approach that defines the 
    1. identical clause numbers, 
    2. identical clause titles, 
    3. identical text; and 
    4. common terms and core definitions.

  • XXX = a Management System Standard (MSS) discipline-specific qualifier, e.g. 
    • energy, 
    • road traffic safety, 
    • information security, 
    • food safety, 
    • environment, 
    • quality...etc.

General
a)  This guidance is intended for MSS readers. It does not add to or change any requirement of the ISO/IEC Directives, Part 1 or Part 2 (including the HS). The objectives of the guidance are to promote a common understanding of the HS, reduce the need for deviations, and indicate opportunities for further alignment between the various discipline-specific requirements that an MSS committee may choose to add.

b)  MSS readers should be aware that an organization may address the requirements of several MSS within a single MS. They should therefore aim to ensure that any additional discipline-specific requirements can be integrated into such a system.

c)  If MSS readers are considering additional discipline-specific requirements, they can consult other MSS to verify if similar additions have been made and, wherever possible, use identical or similar text and positioning to ensure ongoing alignment of these additional requirements. A complete list of MSS can be found.  

d)  Where references are made in this guidance to other documents, or where examples are provided, these references are offered to provide MSS readers with a better understanding and context of the use of discipline-specific elements of an MSS. The references and examples are not intended for inclusion in discipline-specific MSS. MSS readers can consult these standards and consider them as potential inputs when drafting their own MSS.

e)  There are many requirements in the HS that use the verb “determine”. MSS readers should be aware that this does not specifically require documented information to be available as evidence of conformity.

f) For clauses where no additional guidance is deemed necessary, this column is marked as “No additional guidance”.

Introduction
Drafting instruction: Specific to the discipline.

This text has been prepared using the harmonized structure (i.e. identical clause numbers, clause titles, text and common terms and core definitions) intended to enhance alignment among MSS and to facilitate their implementation for organizations that need to meet the requirements of two or more such standards.

The following verbal forms are used in International Standards:
  • “shall” indicates a requirement; ---> specifically for "management system - requirements"
  • “should” indicates a recommendation;
  • “may” indicates a permission;
  • “can” indicates a possibility or a capability.

"Notes to entry" may be added to serve the purpose of a discipline-specific MSS, providing guidance in understanding or clarifying the associated requirement, provided they do not contradict, or deviate from, the defined concept.

No additional guidance


1. Scope

Drafting instruction: Specific to the discipline.

Drafting instruction: The scope of the document shall address the intended result(s) of the management system.


The “intended results” refer to the results that are expected to be achieved by implementing the MSS.

MSS readers should be aware that throughout the HS, references to the “intended results of the MS” include, but are not limited to, those mentioned in Clause 1, within the scope of the MS as defined by the organization (see 4.3).



2. Normative references

Drafting instruction: Specific to the discipline.
Include generic text specified in ISO/IEC Directives, Part 2.

See guidance on Normative references in ISO/IEC Directives, Part 2.



3. Terms and definitions

Drafting instruction 1: Common terms and core definitions shall be included in the MSS and they may also be included in a separate vocabulary standard.

In Clause 3, discipline-specific terms and definitions may also be included.

Include generic text specified in ISO/IEC Directives, Part 2.

The arrangement of terms and definitions should preferably be in systematic order, but may differ from the order given below in Clause 3. Alphabetical order is the least preferred order.

Drafting instruction 2: The following terms and definitions constitute an integral part of the harmonized structure for management systems standards. Additional terms and definitions may be added as needed. Notes to entry may be added to serve the purpose of each standard.

When drafting terms and definitions, MSS readers are advised to make use of the flowcharts given in Annex SL Appendix 3.

Drafting instruction 3: Italic type in a definition indicates a cross-reference to another term defined in this clause, and the number reference for the term is given in parentheses.

Drafting instruction 4: Where the text “XXX” appears throughout this clause, the appropriate reference should be inserted depending on the context in which these terms and definitions are being applied. For example: “an XXX objective” could be substituted as “an information security objective”.

See guidance on Normative references in ISO/IEC Directives, Part 2.



3.1
organization

person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.6)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the XXX management system (3.4). MSS readers should ensure that any use of the term “organization” with a different intent from that described in Note 2 to entry is clearly distinguished.

No additional guidance

3.2
interested party (preferred term)
stakeholder (admitted term)

person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity


No additional guidance

3.3
top management

person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization. 

No additional guidance

3.4
management system

set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5) and objectives (3.6), as well as processes (3.8) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.

The scope of an MS may include
  • the whole of the organization, 
  • specific and identified functions or activities of the organization, 
  • specific and identified sections of the organization, or 
  • one or more functions across a group of organizations.

MSS readers should take care not to confuse the scope of the MSS, the scope of the MS, and the scope of any eventual certification of the MS.

3.5
policy

intentions and direction of an organization (3.1) as formally expressed by its top management (3.3)

No additional guidance

3.6
objective

result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment). They can be, for example, organization-wide or specific to a project, product or process (3.8).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an operational criterion, as an XXX objective or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of XXX management systems (3.4), XXX objectives are set by the organization (3.1), consistent with the XXX policy (3.5), to achieve specific results.

No additional guidance

3.7
risk

effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected - positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73) and consequences (as defined in ISO Guide 73), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73) of occurrence.

It is recognized that some MSS disciplines have their own understanding of risk, which is not exactly aligned with that of others, but which has been adopted over many years.

MSS readers need to be aware that the main advantage of the HS is to make it easier for an organization to incorporate the requirements of multiple MSS into its management system. They should therefore be aware of the need to maintain alignment wherever possible when introducing discipline-specific term entries or requirements related to risk.

If MSS readers (due to discipline-specific or sector-specific requirements) need to address a particular risk group, category or type for their users, in addition to the general concept specified here, they should consult Annex SL 8.3.8.

For further information, MSS readers can refer to ISO 31000, Risk management – Guidelines.

3.8
process

set of interrelated or interacting activities that uses or transforms inputs to deliver a result

Note 1 to entry: Whether the result of a process is called an output, a product or a service depends on the context of the reference.

No additional guidance

3.9
competence

ability to apply knowledge and skills to achieve intended results

No additional guidance

3.10
documented information

information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media and from any source.

Note 2 to entry: Documented information can refer to:

  • the management system (3.4), including related processes (3.8); 
  • information created in order for the organization to operate (documentation); 
  • evidence of results achieved (records).

MSS readers need to be aware that “documented information” is a term to represent any information that needs to be documented for the effective implementation of the MS, and to demonstrate conformity to the MS requirements. This includes requirements specified by the relevant MSS as well as requirements that the organization has to, or chooses to, comply with. 

The term “documented information” is used to convey the fact that the focus should be primarily on the delivery of information rather than the medium used to convey it.

“Documented information” replaces the nouns “documentation”, “documents”, “records” and “documented procedures” used in previous editions of some MSS.

MSS readers need to be aware that whenever reference is made to “documented information” throughout the HS, the requirements specified in 7.5 apply.

3.11
performance

measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to managing activities, processes (3.8), products, services, systems or organizations (3.1).

No additional guidance

3.12
continual improvement

recurring activity to enhance performance (3.11)

No additional guidance

3.13
effectiveness

extent to which planned activities are realized and planned results are achieved

MSS readers should only use the terms "effectiveness" and "effective" when referring to the ability to deliver intended results. It is important not to confuse the concept of "effectiveness" with that of "efficiency", which relates the result achieved to the resources used.

3.14
requirement

need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and interested parties (3.2) that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.10).

No additional guidance

3.15
conformity

fulfilment of a requirement (3.14)

The term “conformity” applies to all requirements, including those specified in the relevant MSS.

The term “compliance” can have a different meaning from the term “conformity” and is not used in the HS.

MSS readers who want to introduce the term “compliance” should provide appropriate guidance on how to interpret it with respect to “conformity” in their specific discipline.

MSS readers should consult ISO 37301 (Compliance management systems – Requirements with guidance for use) for more information if they need to include discipline-specific requirements relating to compliance.

3.16
nonconformity

non-fulfilment of a requirement (3.14)

Nonconformity relates to the non-fulfilment of requirements (see 3.14) including those specified by the MSS or adopted by the organization as an integral part of its MS (e.g. for products, processes, agreements with interested parties).

3.17
corrective action

action to eliminate the cause(s) of a nonconformity (3.16) and to prevent recurrence

No additional guidance

3.18
audit

systematic and independent process (3.8) for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

If MSS readers need to include additional discipline-specific definitions related to audit, they should consult ISO 19011 - Vocabulary.

3.19
measurement

process (3.8) to determine a value

Measurement consists of determining a value (e.g. physical quantity, property) using measurement resources such as a measuring instrument, equipment, system or surveys.

3.20
monitoring

determining the status of a system, a process (3.8) or an activity

Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.

MSS readers need to be aware of the difference between monitoring and measurement. Monitoring can, but does not necessarily, involve measurement (see 3.19) at intervals, especially for the purpose of regulation or control.

Useful clarifications of these differences can be found in the ISO 9001 Auditing Practices Group Guidance on “Monitoring and measuring resources”. 

4. Context of the organization


4.1 Understanding the organization and its context 

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its XXX management system.

Intent of the requirement(s)
To make sure the organization has an understanding of the issues that can affect, either positively or negatively, the organization and its ability to achieve the intended results of its XXX MS. The knowledge gained is then used to guide the planning, implementation, operation, evaluation and improvement of the MS.

The determined issues represent the main inputs for several other requirements of the MSS, including determination of the scope, risks and opportunities and inputs to management review, among others.

Guidance for MSS readers
MSS readers should be aware that the word “issue” means “an important topic or problem for debate or discussion”. It can have a positive or negative impact on the organization.

MSS readers may prescribe additional requirements related to understanding the organization and its context that are specific to their discipline.

Examples of issues that MSS readers may need to consider for their specific discipline include:

  • external issues: cultural, social, environmental, political, legal, regulatory, financial, technological, economic, natural and competitive factors, whether international, national, regional or local;

  • internal issues: organizational identity (including its vision, mission, values and culture), governance, structure, policies, resources, capabilities, people and finance.

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

    • the interested parties that are relevant to the XXX management system; 

    • the relevant requirements of these interested parties; 

    • which of these requirements will be addressed through the XXX management system.

Intent of the requirement(s)
To specify the requirements for an understanding of the needs and expectations of relevant interested parties that are applicable to the MS.

The relevant interested parties and their relevant requirements represent important inputs for several other requirements of the MSS, including determination of the scope, risks and opportunities and inputs to management review, among others.

Guidance for MSS readers
MSS readers may prescribe additional requirements related to understanding the needs and expectations of interested parties in their discipline-specific MSS. They may also clarify whose and what needs and expectations should be addressed for the specific MSS.

For example,
  • ISO 9001 considers “customers” to be the main (but not the only) interested party for the Quality Management System. 
  • ISO 45001 considers “workers” to be the main (but not the only) interested party for the Occupational Health and Safety Management System. 

MSS readers should also be aware that not all interested party requirements necessarily become requirements for the organization.
  • Some may not be applicable to the organization or relevant to the MS. Others are “mandatory” because they have been incorporated into laws, regulations, permits and licences by governmental or court action, or because they have been specified by a higher level of the corporate entity to which the organization belongs. 
  • There can be others that an organization may decide to adopt voluntarily or by entering into an agreement or contract. Once adopted or agreed to, these become requirements for the organization (see 4.3). Some MSS (such as ISO 14001) refer to these as “compliance obligations” (see 3.15).

Examples of potential interested parties that MSS readers may need to consider when formulating any discipline-specific requirements can include:
  • regulators (local, regional, national or international); 
  • parent or subsidiary organizations; 
  • customers; 
  • trade and professional associations; 
  • community groups; 
  • non-governmental organizations; 
  • suppliers; 
  • neighbours; 
  • partners; 
  • workers, their representatives, apprentices and other persons working on behalf of the organization; 
  • owners/investors; 
  • competitors;
  • academia and researchers.

Examples of interested party requirements that MSS readers may need to consider can include:
  • applicable laws;
  • permits, licences or other forms of authorization;
  • government regulations;
  • judgments of courts or administrative tribunals;
  • requirements of a larger entity to which the organization belongs;
  • treaties, conventions and protocols;
  • relevant industry codes of conduct and standards;
  • contracts which have been entered into;
  • agreements with customers, community groups or non-governmental organizations;
  • agreements with public authorities and customers;
  • requirements by adopting voluntary principles or codes of practice;
  • voluntary labelling or environmental commitments;
  • policy and procedures;
  • obligations arising under contractual arrangements with the organization.


4.3 Determining the scope of the XXX management system

The organization shall determine the boundaries and applicability of the XXX management system to establish its scope.

When determining this scope, the organization shall consider:

    • the external and internal issues referred to in 4.1;

    • the requirements referred to in 4.2.

The scope shall be available as documented information.


Intent of the requirement(s)
To establish the physical and organizational boundaries to which the MS will apply.

Guidance for MSS readers
MSS readers should be aware that the credibility of the organization’s MS relies on the appropriate choice of its boundaries and applicability.

The documented information on scope should be a factual and representative statement of the organization’s business processes and operations included within the MS boundaries and should not mislead interested parties.


4.4 XXX management system

The organization shall establish, implement, maintain and continually improve an XXX management system, including the processes needed and their interactions, in accordance with the requirements of this document.

Intent of the requirement(s)
To ensure that processes and other elements of the organization form an effective MS (see 3.4) in accordance with the MSS, taking into consideration the context of the organization (see 4.1 to 4.3).

Guidance for MSS readers
MSS readers should be aware that the processes referred to include all processes needed to meet the requirements of Clauses 4, 5, 6, 7, 8, 9 and 10, whether these are provided internally or by external providers.


Prior to drafting additional discipline-specific requirements, MSS readers should consider to what extent an organization retains authority, accountability, and autonomy to decide how it will fulfill the MS requirements, including the level of detail and extent to which it will integrate the MS requirements into its organization. 


5. Leadership


5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the XXX management system by:

    • ensuring that the XXX policy and XXX objectives are established and are compatible with the strategic direction of the organization;


    • ensuring the integration of the XXX management system requirements into the organization’s business processes; 

    • ensuring that the resources needed for the XXX management system are available; 

    • communicating the importance of effective XXX management and of conforming to the XXX management system requirements; 


    • ensuring that the XXX management system achieves its intended result(s); 


    • directing and supporting persons to contribute to the effectiveness of the XXX management system; 


    • promoting continual improvement; 


    • supporting other relevant roles to demonstrate their leadership as it applies to their areas of responsibility. 

NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

Intent of the requirement(s)
To identify actions in which top management is directly involved to demonstrate its leadership and commitment to the MS.

Visible support, involvement and commitment of the organization’s top management is important for the successful implementation of the MS. It sets the attitude and expectations, increases awareness and acceptance, and motivates persons to be engaged in the MS initiatives. It can provide reassurance to interested parties that an effective management system is likely to be in place.

This clause also emphasizes the need for top management to ensure that the MS requirements are not perceived as being “separate” from the way the business is run.

The concept of “business” can include activities for profit or non-profit purposes, and also refer to the activities conducted by private or public entities (including, for example, government).

Guidance for MSS readers
MSS readers should note that the word "ensuring" used in parts of this clause means that top management does not necessarily perform all of these actions itself (the authority to do so can be delegated to others), but top management is responsible for making sure the actions are performed. When adding any discipline-specific requirements, MSS readers should use a similar rationale for activities that can be delegated by top management.

Some discipline-specific MSS readers (e.g. in ISO 37001) needed to differentiate between “top management” and a “governing body”. Where this “governance” function is provided by a role other than top management, MSS readers should include requirements related to that role in this clause.

The definition of a “governing body” is given in ISO 37001:2016, 3.7 as follows:
3.7
governing body
group or body that has the ultimate responsibility and authority for an organization’s activities, governance and policies and to which top management reports and by which top management is held accountable

Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from top management.

Note 2 to entry: A governing body can include, but is not limited to, board of directors, committees of the board, supervisory board, trustees or overseers.

Examples of sources of information on the concept of governance in relation to MSS can be found in the following documents, among others:

  • ISO 18091, Quality management systems - Guidelines for the application of ISO 9001 in local government 
  • ISO/IEC 38500, Information technology - Governance of IT for the organization
  • ISO 37000, Guidance for the governance of organizations 
  • ISO 37001, Anti-bribery management systems - Requirements with guidance for use 
  • ISO 37301, Compliance management systems - Requirements with guidance for use 
  • ISO/IEC 27014, Information technology - Security techniques - Governance of information security


5.2 XXX Policy

Top management shall establish a XXX policy that:

a)  is appropriate to the purpose of the organization; 

b)  provides a framework for setting XXX objectives;

c)  includes a commitment to meet applicable requirements;

d) includes a commitment to continual improvement of the XXX management system.


The XXX policy shall:

    • be available as documented information;


    • be communicated within the organization;


    • be available to interested parties, as appropriate.

Intent of the requirement(s)
To require top management to specify the intentions and direction of the organization that are needed as part of the effective implementation of the MS, taking into account the organization’s purpose.

The XXX policy is used to frame the XXX objectives which the organization sets for itself.

Guidance for MSS readers
MSS readers need to be aware that while the policy is required to include a commitment to meet applicable requirements, it is not realistic to expect that even the most effective MS will provide a guarantee of full conformity with all such requirements at any particular point in time.


5.3 Roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for:

a) ensuring that the XXX management system conforms to the requirements of this document;

b) reporting on the performance of the XXX management system to top management.

Intent of the requirement(s)
To require top management to assign and communicate responsibility and authority for relevant roles within the organization, and specifically those to ensure the XXX MS conforms to the requirements of the MSS and MS performance is reported to top management (see guidance for 5.1).

Guidance for MSS readers

MSS readers may prescribe additional requirements related to specific roles for their discipline-specific MSS. For example, the responsibility and authority for ensuring that the MS conforms with the requirements of the MSS may be assigned to an individual, to several individuals, or to a team (e.g. a Data Protection Officer (DPO) or a Data Protection Representative (DPR)).


6. Planning


6.1 Actions to address risks and opportunities

When planning for the XXX management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

    • give assurance that the XXX management system can achieve its intended result(s); 


    • prevent, or reduce, undesired effects; 


    • achieve continual improvement. 

The organization shall plan:

a)  actions to address these risks and opportunities;

b)  how to

      • integrate and implement the actions into its XXX management system processes; 


      • evaluate the effectiveness of these actions.

Intent of the requirement(s)
To specify the planning needed for the MS by defining what needs to be considered and what needs to be addressed for the MS to achieve the three outcomes listed in 6.1: assurance, prevention and continual improvement.


The intent is to anticipate potential scenarios and consequences; the requirements are preventive in nature by requiring the organization to address potentially undesirable effects before they occur, while at the same time they require the organization to look out for favourable effects that can offer a potential advantage or benefit.

Planning needs to consider the issues relevant to the organization’s context identified in 4.1 and the requirements identified in 4.2, for the organization to determine potential positive and negative effects that need to be addressed.

Guidance for MSS readers
MSS readers need to be aware that the HS includes both explicit requirements related to risks and opportunities in 6.1 and deployment of risks and opportunities throughout the remaining clauses. If MSS readers require risks and opportunities to be addressed formally in discipline-specific clauses, they may include such requirements in their XXX MSS.

MSS readers may need to address discipline-specific events, scenarios, or circumstances (whether planned or unplanned) that could result in a deviation from the expected. It is the effect of a deviation from the expected that can have a positive or negative impact, not the deviation itself.

MSS readers may add discipline-specific requirements to address risks (or XXX risks) that can potentially generate an unacceptable negative effect. In these cases, it is prudent to concentrate on eliminating or mitigating the risk. However, if the risk (or the mitigating action) generates a potential positive effect for the organization, then it is prudent to recognize and consider leveraging this opportunity.

If MSS readers need to add discipline-specific requirements to address risk (for example due to regulatory or sector issues), they should clarify the need for formal risk management, and agree on the positioning of any risk assessment and risk treatment text. When adding any discipline-specific requirements related to risks and opportunities, MSS readers should be aware of the linkages between Clauses 4, 6 and 8 and ensure that these are maintained. The planning referred to in 6.1 is based on the organization’s context (Clause 4) and is then further deployed via the operational planning (8.1).

MSS readers can also consult the following standards:


MSS readers may introduce discipline-specific requirements or provide guidance on managing opportunities within their MSS. In doing so, they should recognize that “opportunity” is not a defined term in the HS, so the common dictionary meaning applies unless the MSS readers choose to define the term themselves. A typical dictionary meaning of the word “opportunity” is “a time or set of circumstances that makes it possible to do something”. Some opportunities can be foreseen and determined through planning; others not. Both can provide valuable inputs into operations and improvement activities (see Clauses 8 and 10).

MSS readers may consider discipline-specific sources of opportunity which may be identified or discovered. These can include, for example:
  • analysis of deviations from expected; 
  • review of the organization’s context; 
  • review of the needs and expectations of interested parties; 
  • cause analysis; 
  • review of unplanned events; 
  • innovation; 
  • audit findings (internal or external); 
  • management review. 

For some MS disciplines, planning also needs to address emergency preparedness and response. In such cases MSS readers should acknowledge the interaction with the organization’s overall contingency and continuity planning.


6.2 XXX objectives and planning to achieve them

The organization shall establish XXX objectives at relevant functions and levels. The XXX objectives shall:

a)  be consistent with the XXX policy;

b)  be measurable (if practicable);

c) take into account applicable requirements;

d)  be monitored;

e)  be communicated;

f)  be updated as appropriate;

g)  be available as documented information.

When planning how to achieve its XXX objectives, the organization shall determine:

    • what will be done; 


    • what resources will be required; 


    • who will be responsible; 


    • when it will be completed; 


    • how the results will be evaluated.

Intent of the requirement(s)
To ensure the XXX policy is supported by objectives, that these objectives are deployed throughout the relevant parts of the organization and that plans are established to achieve them.

Guidance for MSS readers
MSS readers should be aware of the following linkages with other clauses, and ensure that any additional discipline-specific requirements are consistent with them:

  • any need for budgets, specialized skills, technology or infrastructure, for example, are determined and provided in accordance with the requirements of 7.1; 


  • objectives are communicated in accordance with the requirements of 7.4; 


  • documented information about the objectives is managed in accordance with 7.5;


  • operational planning and control needs are addressed in 8.1 


  • a mechanism for evaluating the overall results of what was accomplished is determined in accordance with the requirements of 9.1. 

MSS readers should state any discipline-specific requirements related to objectives in a way that allows determination of their fulfilment to be made. 


MSS readers should be aware that while 6.2 requires objectives to be measurable, this does not necessarily mean they have to be quantified. Qualitative results (e.g. “yes/no” answers) can also be considered, when supported by appropriate evidence.

By including the caveat “if practicable”, it is acknowledged that there can be situations when it is not feasible to measure the achievement of an objective. MSS readers may, however, define discipline-specific requirements that achievements of certain objectives always have to be measured (over-riding the “if practicable”).

MSS readers may also make reference to other MSS clauses when the status and progress on objectives need to be periodically checked and updated for their discipline.

If MSS readers choose to include requirements for specific performance indicators associated with objectives, these should be stated in Clause 9; not in 6.2.


6.3 Planning of changes

When the organization determines the need for changes to the XXX management system, the changes shall be carried out in a planned manner.

Intent of the requirement(s)
To ensure that the organization can achieve the intended results of its XXX MS both during and after changes. The circumstances giving rise to the need for change(s) to the MS can be planned or unplanned (see 6.1), but the changes themselves need to be carried out in a planned manner.

Guidance for MSS readers
MSS readers need to be aware that the ways in which changes are planned can vary, depending on the circumstances that gave rise to the need for change and the complexity and severity of the changes to be made.

Types of changes that MSS readers need to consider can depend on the discipline-specific MSS.

Examples include:

  • changes in the organization’s context; 


  • planned changes to products, processes, services, operations, equipment or facilities; 


  • changes in staff or external providers, including contractors;


  • changes in requirements.

If they need to add discipline-specific requirements, MSS readers should consider making reference to 8.1 for implementing and controlling planned changes.


7. Support


7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the XXX management system.

Intent of the requirement(s)
To determine and provide the resources needed to establish, implement, maintain and improve the MS. Resources should be appropriate to ensure that the operation of the MS is effective in achieving its intended results.

Guidance for MSS readers
MSS readers may prescribe additional requirements for resources that are specific to their discipline.

For example:

  • human resources (persons); 
  • discipline-specific competence; 
  • organizational knowledge; 
  • organizational infrastructure (i.e., buildings, communication lines, etc); 
  • information management; 
  • technology; 
  • financial resources; 
  • work environment or environment for the operation of the processes; 
  • time (e.g., in order to implement initiatives, projects etc). 


MSS readers who wish to add discipline-specific requirements on “resources” can consult other MSS (see General Guidance) as well as the following:

  • ISO 9001 (Quality management systems - Requirements) which includes requirements for “organizational knowledge” 


  • ISO 30401 (Knowledge management systems - Requirements) which provides information on the importance of organizational knowledge and describes a holistic approach to its management 


  • ISO 55001 (Asset management - Management systems – Requirements) which has a specific subclause on “information management”


7.2 Competence

The organization shall:

    • determine the necessary competence of person(s) doing work under its control that affects its XXX performance; 


    • ensure that these persons are competent on the basis of appropriate education, training, or experience; 


    • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. 

Appropriate documented information shall be available as evidence of competence.

NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the re-assignment of currently employed persons; or the hiring or contracting of competent persons.

Intent of the requirement(s)
To determine and ensure the competence necessary for persons to meet the requirements of the MSS and achieve the MS’s objectives.

Guidance for MSS readers
MSS readers should be aware that this clause should be considered in conjunction with the definition of competence (see 3.9), and the Note in 7.2 that mentions different actions by which competence can be achieved.

If MSS readers need to mention training as a way to ensure competence, an example of an additional requirement added as a new bullet could read e.g. “determine training needs associated with its XXX management system”.

For some MSS, the phrase “XXX performance” changes the meaning of the requirement. In this case, MSS readers may use alternative text to provide clarification as long as the intent of the requirement does not change.

When adding discipline-specific requirements, MSS readers should avoid mixing requirements for awareness-building with those needed to achieve competence. Requirements related to awareness should be included in 7.3.

MSS readers who wish to add discipline-specific requirements on “competence” can consult other MSS (see General Guidance) as well as the following:

  • ISO 10015, Quality management - Guidelines for competence management and people development 


  • ISO 10018, Quality management - Guidance for people engagement


7.3 Awareness

Persons doing work under the organization’s control shall be aware of:

    • the XXX policy; 


    • their contribution to the effectiveness of the XXX management system, including the benefits of improved XXX performance; 


    • the implications of not conforming with the XXX management system requirements.

Intent of the requirement(s)
To ensure that persons in the organization are aware of relevant policies and MSS requirements as well as any situation or aspect that can have an effect on the intended results of the MS.

Guidance for MSS readers
MSS readers who wish to add discipline-specific requirements on “awareness” can consult other MSS (see General Guidance).

Additional items that persons can be required to be aware of can include:

  • the XXX objectives, their impact on achieving them and on risk exposure; 


  • XXX culture and specific desired behaviours.  

For some MSS, the phrase “XXX performance” changes the meaning of the requirement. In this case, MSS readers may use alternative text to provide clarification as long as the intent of the requirement does not change.


7.4 Communication 

The organization shall determine the internal and external communications relevant to the XXX management system including:

    • on what it will communicate; 


    • when to communicate; 


    • with whom to communicate; 


    • how to communicate.

Intent of the requirement(s)
To ensure that information concerning the XXX MS is communicated effectively both to and from the relevant interested parties.

Guidance for MSS readers
MSS readers who wish to add discipline-specific requirements on “communication” should consider the relationships with other clauses that require communication. They can also consult other MSS (see General Guidance).

Examples of topics where other clauses of the HS require effective communication include:

  • importance of effective XXX management and of conforming to the MSS requirements (see 5.1); 


  • policy (see 5.2); 


  • responsibilities and authorities (see 5.3); 


  • performance of the MS (see 5.3); 


  • objectives (see 6.2); 


  • results of audits (see 9.2.2). 


Examples of such additional requirements may include:

  • diversity aspects (e.g. gender, language, culture, literacy, disabilities); 


  • ensuring that the views of internal and external interested parties are considered.


7.5 Documented information

7.5.1 General

The organization’s XXX management system shall include:

a)  documented information required by this document;

b)  documented information determined by the organization as being necessary for the effectiveness of the XXX management system.


NOTE The extent of documented information for a XXX management system can differ from one organization to another due to:

    • the size of organization and its type of activities, processes, products and services; 


    • the complexity of processes and their interactions; 


    • the competence of persons. 


7.5.2 Creating and updating documented information

When creating and updating documented information, the organization shall ensure appropriate:

    • identification and description (e.g. a title, date, author, or reference number); 


    • format (e.g. language, software version, graphics) and media (e.g. paper, electronic); 


    • review and approval for suitability and adequacy. 


7.5.3 Control of documented information

Documented information required by the XXX management system and by this document shall be controlled to ensure:

a)  it is available and suitable for use, where and when it is needed;

b)  it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

    • distribution, access, retrieval and use; 


    • storage and preservation, including preservation of legibility; 


    • control of changes (e.g. version control); 


    • retention and disposition 


Documented information of external origin determined by the organization to be necessary for the planning and operation of the XXX management system shall be identified as appropriate, and controlled. 


NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

Intent of the requirement(s)
To define the documented information that needs to be created, controlled and maintained for the effective implementation of the MS. 

Example of management system documentation: 


This includes documented information that is:

  • required for all MSS (as described in 7.5.1 and in the respective clauses of the HS); 


  • required by a discipline-specific MSS; and 


  • determined by the organization as necessary to be controlled, within its specific context. 

Guidance for MSS readers
The text throughout 7.5 should be considered in conjunction with the definition of “documented information” (see 3.10). When adding discipline-specific text, MSS readers should be aware of the intent of the NOTE in 7.5.1, which indicates the factors that should be considered when the extent of documented information is defined, such as the size, type and complexity of the organization, and the competence of persons.

MSS readers may prescribe additional requirements for documented information that are specific to their discipline. For example, ISO 9001 specifically requires that relevant documented information needed for the MS that is provided by an external provider be controlled.

MSS readers who wish to add discipline-specific requirements on “documented information” can consult other MSS (see General Guidance) as well as the following:

  • ISO 30301, Information and documentation - Management systems for records — Requirements 


  • ISO 10013, Quality management systems - Guidance for documented information 

MSS readers should also be aware that the information required to be documented by the MS may be integrated with other information management or documentation systems established by an organization.


8 Operation


8.1 Operational planning and control

Drafting instruction: This subclause heading will be deleted if no additional subclauses are added to Clause 8.

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:

    • establishing criteria for the processes;


    • implementing control of the processes in accordance with the criteria.

Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that externally provided processes, products or services that are relevant to the XXX management system are controlled.

Intent of the requirement(s)
To require the organization to deploy the planning carried out under Clause 6 by planning, implementing and controlling its processes at the operational level. This includes any externally provided processes. By mentioning Clause 6, this requirement includes the consideration of risks and opportunities, XXX objectives and change planning when determining the extent of control for the processes.

Guidance for MSS readers
Operational planning can be more detailed than the planning done in Clause 6, to support the planned actions determined in 6.1 and 6.2, and to ensure the effective deployment of any planned changes determined in 6.3.

MSS readers should be aware that “criteria for the processes” can differ by discipline and include (among other things) requirements related to process parameters (including process capabilities, performance and functionality) as well as criteria related to process results. Therefore MSS readers may prescribe additional requirements to clarify process criteria in the context of their discipline-specific MSS.

Clause 8 is typically the area of the HS where MSS readers add the most discipline-specific requirements. For this reason, in many MSS, Clause 8 is longer than the other clauses.

MSS readers may add discipline-specific requirements in order to ensure control over the operational processes. For example:

  • ISO 9001 includes requirements for determining customer requirements, design and development, externally provided processes, products, and services, control of production and service provision, release of product and service delivery, and control of nonconforming output; 


  • ISO 14001 includes requirements for implementing and controlling processes from a life cycle perspective; 


  • ISO 50001 requires the organization to establish control over processes only where the absence of control could lead to deviations from the XXX policy or XXX objectives; 


  • ISO 55001 has linked the requirements of Clause 8 to requirements in 10.2, considering that when controls fail, organizations may need to take corrective action; 


  • ISO 22000 applies the concept of risk when defining the degree of control over externally provided products, processes or services; 


  • ISO/IEC 20000-1 includes requirements for a number of service management processes, including configuration management, relationship management and information security; 


  • ISO/IEC 27001 includes operational requirements for information security risk assessment and treatment. 


  • ISO 30301 includes operational requirements for designing and implementing records processes, controls and systems, linking this clause with a normative annex. 


If MSS readers need to add discipline-specific text related to suppliers (“external providers of processes, products or services”), they should do so as part of Clause 8. They also need to be aware that even if the external provider is outside the boundaries of the scope of the MS, control over the externally provided processes, products or services relevant to the intended results of the XXX MS is within the scope. External providers can include the organization’s corporate headquarters, associate companies, suppliers, or anyone the organization has requested to provide a process, a product or a service. 


If MSS readers need to add discipline-specific requirements to include the concept of emergency preparedness and response they should do so as part of Clause 8. MSS readers should also be aware of the linkages between “emergency preparedness and control” and the requirements related to “risks and opportunities” and “planning of change” described in Clause 6. These specific requirements can be related to the organization’s contingency planning or business continuity planning.

MSS readers who wish to add discipline-specific requirements on “emergency preparedness and control” can consult other MSS (see General Guidance) as well as the following:

  • ISO 14001, Environmental management systems - Requirements with guidance for use 


  • ISO 45001, Occupational health and safety management systems - Requirements with guidance for use 



9 Performance evaluation


9.1 Monitoring, measurement, analysis, and evaluation

The organization shall determine:

    • what needs to be monitored and measured; 


    • the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; 


    • when the monitoring and measuring shall be performed; 


    • when the results from monitoring and measurement shall be analysed and evaluated. 

Documented information shall be available as evidence of the results.

The organization shall evaluate the performance and the effectiveness of the XXX management system.

Intent of the requirement(s)
To specify requirements for monitoring, measurement, analysis and evaluation of the MS and its processes (including process inputs and results) to determine the extent to which the planned activities are realized and planned results are achieved.

The information gained through monitoring, measurement, analysis and evaluation is intended to be used at different levels of the organization, as appropriate, to support decision-making related to the respective activities and to drive continual improvement.

Guidance for MSS readers
MSS readers who wish to add discipline-specific requirements should consider the definitions of “monitoring” and “measurement” in 3.19 and 3.20 to ensure that any discipline-specific text respects this difference. It is recommended to include any discipline-specific requirements for monitoring and measurement resources in Clause 7.

When determining what to monitor and measure, the MSS readers may address the need to evaluate the fulfilment of specific requirements within the MSS and/or related processes.

For some MSS, the phrase “XXX performance” changes the meaning of the requirement. In this case, MSS readers may use alternative text to provide clarification as long as the intent of the requirement does not change.


9.2 Internal audit

9.2.1 General

The organization shall conduct internal audits at planned intervals to provide information on whether the XXX management system:

a) conforms to:

      • the organization’s own requirements for its XXX management system; 


      • the requirements of this document; 

b) is effectively implemented and maintained.

9.2.2 Internal audit programme

The organization shall plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall:

a)  define the audit objectives, criteria and scope for each audit;

b)  select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

c)  ensure that the results of audits are reported to relevant managers.

Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

Intent of the requirement(s)
To specify requirements for planning, implementing and maintaining an internal audit programme to facilitate an evaluation of the MS performance, and to define the documented information required.

Guidance for MSS readers
MSS readers may make reference to ISO 19011 (Guidelines for auditing management systems) in their discipline-specific MSS to provide guidance on audits.

In formulating any additional discipline-specific text, MSS readers can also find it useful to consult the ISO/IAF ISO 9001 and ISO 14001 Auditing Practices Groups (APG) guidance.


9.3 Management review

9.3.1 General

Top management shall review the organization’s XXX management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.


9.3.2 Management review inputs

The management review shall include:

a)  the status of actions from previous management reviews;

b)  changes in external and internal issues that are relevant to the XXX management system;

c)  changes in needs and expectations of interested parties that are relevant to the XXX management system;

d)  information on the XXX performance, including trends in:

      • nonconformities and corrective actions; 


      • monitoring and measurement results; 


      • audit results; 

e) opportunities for continual improvement.


9.3.3 Management review results

The results of the management review shall include decisions related to continual improvement opportunities and any need for changes to the XXX management system.

Documented information shall be available as evidence of the results of management reviews.

Intent of the requirement(s)
To specify requirements for review of the MS by top management, including the information to be covered and the expected results.

Top management involvement and engagement in this review is the mechanism to drive changes to the MS (6.3) and direct continual improvement priorities (Clause 10), particularly in relation to changes in the organization’s context and deviations from intended results, or by identifying favourable circumstances that can provide potential opportunities for improvement.

Guidance for MSS readers
With reference to the “suitability, adequacy and effectiveness” of the MS, MSS readers should be aware that “effectiveness” is a defined term (see 3.13). If MSS readers wish to include guidance about the words “suitability” and “adequacy” they can consult other MSS (see General Guidance). Examples can be found in the annexes to ISO 14001:2015 and ISO 45001:2018, among others.

For some MSS, the phrase “XXX performance” changes the meaning of the requirement. In this case, MSS readers may use alternative text to provide clarification as long as the intent of the requirement does not change.

MSS readers may prescribe additional discipline-specific management review inputs that are needed to demonstrate the suitability, adequacy and effectiveness of the XXX MS.

In formulating any discipline-specific requirements, MSS readers should be aware of the way in which this requirement is phrased: “Top management shall review…” and not “Top management shall ensure…”.


10 Improvement


10.1 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the XXX management system.

Intent of the requirement(s)
To specify what aspects of the MS need to be continually improved.

Guidance for MSS readers
MSS readers need to be aware that the term adopted by the HS is “continual improvement” (see 3.12) and not “continuous improvement”.


  • “Continual” implies occurrence over a period of time, but with possible intervals of interruption.


  • “Continuous” indicates occurrence without interruption. 


  • In the context of continual improvement, the expectation is that improvements occur periodically, over time. 


  • MSS readers also need to be aware that in some languages there is no differentiation between these two words. 

If MSS readers wish to include guidance about the words “suitability” and “adequacy” they can consult the guidance provided for 9.3.

Some discipline-specific MSS have inserted a “General” sub-clause at the beginning of Clause 10, with notes and/or guidance about different kinds of improvement, including

  • corrective action, 


  • continual improvement, 


  • breakthrough change, 


  • innovation and 


  • re-organization. 

Others have added specific criteria for evaluating improvement suggestions, specifying targets for each improvement made, as well as measuring and reporting on them. MSS readers who wish to make similar additions can consult other MSS (see General Guidance) as well as the following:

  • ISO 14001, Environmental management systems - Requirements with guidance for use


  • ISO 45001, Occupational health and safety management systems - Requirements with guidance for use


  • ISO 9001, Quality management systems - Requirements


  • ISO 20000-1, Information technology - Service management - Part 1: Service management system requirements


  • ISO 30401, Knowledge management systems - Requirements 


  • ISO 9004, Quality management - Quality of an organization - Guidance to achieve sustained success


  • ISO 56002, Innovation management - Innovation management system - Guidance


10.2 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:

a)  react to the nonconformity, and as applicable:

      • take action to control and correct it; 


      • deal with the consequences; 

b)  evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:

      • reviewing the nonconformity;


      • determining the causes of the nonconformity;


      • determining if similar nonconformities exist, or can potentially occur; 

c)  implement any action needed;

d)  review the effectiveness of any corrective action taken;

e)  make changes to the XXX management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered. Documented information shall be available as evidence of:

    • the nature of the nonconformities and any subsequent actions taken; 


    • the results of any corrective action.

Intent of the requirement(s)
To specify the responses needed to address the non-fulfilment of a requirement related to process, process results, product, service, MS or any other requirement that affects the ability of the MS to achieve its intended result.

Guidance for MSS readers
MSS readers may prescribe additional discipline-specific requirements to provide context to the nonconformity and the need for corrective action. This could be specific to the MSS or related to regulatory requirements.

In formulating any discipline-specific requirements, MSS readers should be aware of the following:

  • the difference between “correction” (“action to eliminate a detected nonconformity” – see ISO 9000) and “corrective action” (“action to eliminate the cause(s) of a nonconformity and to prevent recurrence” – see 3.17); 


  • it is not always possible, technically feasible, or cost effective to identify or fully eliminate the cause, and this is not required by 10.2 in all cases; “the organization shall evaluate the need for action” and “corrective actions shall be appropriate to the effects of the nonconformities encountered”; 


  • the HS does not use the term “preventive action” so this should be avoided. Actions taken to address risks and opportunities (see 6.1) are preventive in nature with respect to potential negative effects.





Please contact us for more information or support needed: info@tksg.global


Last modified: Saturday, 5 November 2022, 3:24 PM