Overview of a management system
What is a management system
A management system is the way in which an organization manages the interrelated parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, information security, health and safety in the workplace and many more.
The level of complexity of the system will depend on each organization’s specific context. For some organizations, especially smaller ones, it may simply mean having strong leadership from the business owner, providing a clear definition of what is expected from each individual employee and how they contribute to the organization’s overall objectives, without the need for extensive documentation. More complex businesses operating, for example, in highly regulated sectors, may need extensive documentation and controls in order to fulfil their legal obligations and meet their organizational objectives.
The ISO model: agreed by experts
ISO management system standards (MSS) help organizations improve their performance by specifying repeatable steps that organizations consciously implement to achieve their goals and objectives, and to create an organizational culture that reflexively engages in a continual cycle of self-evaluation, correction and improvement of operations and processes through heightened employee awareness and management leadership and commitment.
The benefits of an effective management system to an organization include:
- More efficient use of resources and improved financial performance
- Improved risk management and protection of people and the environment
- Increased capability to deliver consistent and improved services and products, thereby increasing value to customers and all other stakeholders
MSS are the result of consensus among international experts with expertise in global management, leadership strategies, and efficient and effective processes and practices. MSS standards can be implemented by any organization, large or small.
ISO management standards and the concept of a harmonized structure
ISO’s management system standards (MSS) are among the most widely used and recognized documents that we publish. They include standards such as ISO 9001, ISO 14001, ISO/IEC 27001 and ISO 50001, which apply to quality management, environmental management, information security management and energy management respectively. In fact, there are more than 80 MSS. There’s a lot to know, and even experienced standards users might want to consult the complete list or find out more about how MSS work.
One of the fundamental principles is that all the standards can work together. Those who already use an MSS in one part of their business, and are considering implementing additional ones in another area, will find that the process has been made as intuitive as possible. That’s thanks to the Harmonized Structure (HS). The concept of HS is that management standards are structured in the same way, regardless of the domain of application. Users who are familiar with one MSS will immediately feel at ease with another, even when using it for the first time.
Annex SL: more than a shared structure
In addition to being laid out in the same way, there are some parts of a standard where identical text can be used. This improves coherence and recognition, simplifies use, and is defined in something called “Annex SL”. It means that in addition to having the same structure, MSS can contain many of the same terms and definitions. This is particularly useful for those organizations that choose to operate a single (sometimes called “integrated”) management system that can meet the requirements of two or more MSS being used simultaneously.
Annex SL plays a key role in the interoperability and user friendliness of standards for countless users of ISO management standards around the world. You can find comprehensive information about the current Annex SL here.
MSS harmonized structure (HS) (normative) |
Guidance for MSS readers (informative) |
---|---|
Throughout this document:
|
|
General a) This guidance is intended for MSS readers. It does not add to or change any requirement of the ISO/IEC Directives, Part 1 or Part 2 (including the HS). The objectives of the guidance are to promote a common understanding of the HS, reduce the need for deviations, and indicate opportunities for further alignment between the various discipline-specific requirements that an MSS committee may choose to add. b) MSS readers should be aware that an organization may address the requirements of several MSS within a single MS. They should therefore aim to ensure that any additional discipline-specific requirements can be integrated into such a system. c) If MSS readers are considering additional discipline-specific requirements, they can consult other MSS to verify if similar additions have been made and, wherever possible, use identical or similar text and positioning to ensure ongoing alignment of these additional requirements. A complete list of MSS can be found. d) Where references are made in this guidance to other documents, or where examples are provided, these references are offered to provide MSS readers with a better understanding and context of the use of discipline-specific elements of an MSS. The references and examples are not intended for inclusion in discipline-specific MSS. MSS readers can consult these standards and consider them as potential inputs when drafting their own MSS. e) There are many requirements in the HS that use the verb “determine”. MSS readers should be aware that this does not specifically require documented information to be available as evidence of conformity. f) For clauses where no additional guidance is deemed necessary, this column is marked as “No additional guidance”. |
|
Introduction Drafting instruction: Specific to the discipline. This text has been prepared using the harmonized structure (i.e. identical clause numbers, clause titles, text and common terms and core definitions) intended to enhance alignment among MSS and to facilitate their implementation for organizations that need to meet the requirements of two or more such standards. The following verbal forms are used in International Standards:
The "Notes to entry" may be added to serve the purpose of a discipline-specific MSS, for guidance in understanding or clarifying the associated requirement, provided they do not contradict, or deviate from, the defined concept. |
No additional guidance |
1. Scope Drafting instruction: Specific to the discipline. Drafting instruction: The scope of the document shall address the intended result(s) of the management system. |
The “intended results” refer to the results that are expected to be achieved by implementing the MSS. MSS readers should be aware that throughout the HS, references to the “intended results of the MS” include, but are not limited to, those mentioned in Clause 1, within the scope of the MS as defined by the organization (see 4.3). |
2. Normative references Drafting instruction: Specific to the discipline. Include generic text specified in ISO/IEC Directives, Part 2. |
See guidance on Normative references in ISO/IEC Directives, Part 2. |
3. Terms and definitions Drafting instruction 1: Common terms and core definitions shall be included in the MSS and they may also be included in a separate vocabulary standard. In Clause 3, discipline specific terms and definitions may also be included. Include generic text specified in ISO/IEC Directives, Part 2. The arrangement of terms and definitions should preferably be in systematic order, but may differ from the order given below in Clause 3. Alphabetical order is the least preferred order. Drafting instruction 2: The following terms and definitions constitute an integral part of the harmonized structure for management systems standards. Additional terms and definitions may be added as needed. Notes to entry may be added to serve the purpose of each standard. When drafting terms and definitions, MSS readers are advised to make use of the flowcharts given in Annex SL Appendix 3. Drafting instruction 3: Italic type in a definition indicates a cross-reference to another term defined in this clause, and the number reference for the term is given in parentheses. Drafting instruction 4: Where the text “XXX” appears throughout this clause, the appropriate reference should be inserted depending on the context in which these terms and definitions are being applied. For example: “an XXX objective” could be substituted as “an information security objective”. |
See guidance on Normative references in ISO/IEC Directives, Part 2. |
3.1 organization person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.6) Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private. Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the XXX management system (3.4). MSS readers should ensure that any use of the term “organization” with a different intent from that described in Note 2 to entry is clearly distinguished. |
No additional guidance |
3.2 interested party (preferred term) stakeholder (admitted term) person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity |
No additional guidance |
3.3 top management person or group of people who directs and controls an organization (3.1) at the highest level Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization. Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization. |
No additional guidance |
3.4 management system set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5) and objectives (3.6), as well as processes (3.8) to achieve those objectives Note 1 to entry: A management system can address a single discipline or several disciplines. Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation. |
The scope of an MS may include
MSS readers should take care not to confuse the scope of the MSS, the scope of the MS, and the scope of any eventual certification of the MS. |
3.5 policy intentions and direction of an organization (3.1) as formally expressed by its top management (3.3) |
No additional guidance |
3.6 objective result to be achieved Note 1 to entry: An objective can be strategic, tactical, or operational. Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment). They can be, for example, organization-wide or specific to a project, product or process (3.8). Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an operational criterion, as an XXX objective or by the use of other words with similar meaning (e.g. aim, goal, or target). Note 4 to entry: In the context of XXX management systems (3.4), XXX objectives are set by the organization (3.1), consistent with the XXX policy (3.5), to achieve specific results. |
No additional guidance |
3.7 risk effect of uncertainty Note 1 to entry: An effect is a deviation from the expected - positive or negative. Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73) and consequences (as defined in ISO Guide 73), or a combination of these. Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73) of occurrence. |
It is recognized that some MSS disciplines have their own understanding of risk, which is not exactly aligned with that of others, but which has been adopted over many years. MSS readers need to be aware that the main advantage of the HS is to make it easier for an organization to incorporate the requirements of multiple MSS into its management system. They should therefore be aware of the need to maintain alignment wherever possible when introducing discipline-specific term entries or requirements related to risk. If MSS readers (due to discipline-specific or sector-specific requirements) need to address a particular risk group, category or type for their users, in addition to the general concept specified here, they should consult Annex SL 8.3.8. For further information, MSS readers can refer to ISO 31000, Risk management – Guidelines. |
3.8 process set of interrelated or interacting activities that uses or transforms inputs to deliver a result Note 1 to entry: Whether the result of a process is called an output, a product or a service depends on the context of the reference. |
No additional guidance |
3.9 competence ability to apply knowledge and skills to achieve intended results |
No additional guidance |
3.10 documented information information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained Note 1 to entry: Documented information can be in any format and media and from any source. Note 2 to entry: Documented information can refer to:
|
MSS readers need to be aware that “documented information” is a term to represent any information that needs to be documented for the effective implementation of the MS, and to demonstrate conformity to the MS requirements. This includes requirements specified by the relevant MSS as well as requirements that the organization has to, or chooses to, comply with. The term “documented information” is used to convey the fact that the focus should be primarily on the delivery of information rather than the medium used to convey it. “Documented information” replaces the nouns “documentation”, “documents”, “records” and “documented procedures” used in previous editions of some MSS. MSS readers need to be aware that whenever reference is made to “documented information” throughout the HS, the requirements specified in 7.5 apply. |
3.11 performance measurable result Note 1 to entry: Performance can relate either to quantitative or qualitative findings. Note 2 to entry: Performance can relate to managing activities, processes (3.8), products, services, systems or organizations (3.1). |
No additional guidance |
3.12 continual improvement recurring activity to enhance performance (3.11) |
No additional guidance |
3.13 effectiveness extent to which planned activities are realized and planned results are achieved |
MSS readers should only use the terms "effectiveness" and "effective" when referring to the ability to deliver intended results. It is important not to confuse the concept of "effectiveness" with that of "efficiency", which relates the result achieved compared to the resources used. |
3.14 requirement need or expectation that is stated, generally implied or obligatory Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and interested parties (3.2) that the need or expectation under consideration is implied. Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.10). |
No additional guidance |
3.15 conformity fulfilment of a requirement (3.14) |
The term “conformity” applies to all requirements, including those specified in the relevant MSS. The term “compliance” can have a different meaning from the term “conformity” and is not used in the HS. MSS readers who want to introduce the term “compliance” should provide appropriate guidance on how to interpret it with respect to “conformity” in their specific discipline. MSS readers should consult ISO 37301 (Compliance management systems – Requirements with guidance for use) for more information if they need to include discipline-specific requirements relating to compliance. |
3.16 nonconformity non-fulfilment of a requirement (3.14) |
Nonconformity relates to the non-fulfilment of requirements (see 3.14) including those specified by the MSS or adopted by the organization as an integral part of its MS (e.g. for products, processes, agreements with interested parties). |
3.17 corrective action action to eliminate the cause(s) of a nonconformity (3.16) and to prevent recurrence |
No additional guidance |
3.18 audit systematic and independent process (3.8) for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines). Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its behalf. Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011. |
If MSS readers need to include additional discipline-specific definitions related to audit, they should consult ISO 19011 - Vocabulary. |
3.19 measurement process (3.8) to determine a value |
Measurement consists of determining a value (e.g. physical quantity, property) using measurement resources such as a measuring instrument, equipment, system or surveys. |
3.20 monitoring determining the status of a system, a process (3.8) or an activity Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe. |
MSS readers need to be aware of the difference between monitoring and measurement. Monitoring can, but does not necessarily, involve measurement (see 3.19) at intervals, especially for the purpose of regulation or control. Useful clarifications of these differences can be found in the ISO 9001 Auditing Practices Group Guidance on “Monitoring and measuring resources”. |
4. Context of the organization |
|
4.1 Understanding the organization and its context The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its XXX management system. |
Intent of the requirement(s) To make sure the organization has an understanding of the issues that can affect, either positively or negatively, the organization and its ability to achieve the intended results of its XXX MS. The knowledge gained is then used to guide the planning, implementation, operation, evaluation and improvement of the MS. The determined issues represent the main inputs for several other requirements of the MSS, including determination of the scope, risks and opportunities and inputs to management review, among others. Guidance for MSS readers MSS readers should be aware that the word “issue” means “an important topic or problem for debate or discussion”. It can have a positive or negative impact on the organization. MSS readers may prescribe additional requirements related to understanding the organization and its context that are specific to their discipline. Examples of issues that MSS readers may need to consider for their specific discipline include:
cultural, social, environmental, political, legal, regulatory, financial, technological, economic, natural and competitive factors, whether international, national, regional or local
organizational identity (including its vision, mission, values and culture), governance, structure, policies, resources, capabilities, people and finance. |
4.2 Understanding the needs and expectations of interested parties The organization shall determine:
|
Intent of the requirement(s) To specify the requirements for an understanding of the needs and expectations of relevant interested parties that are applicable to the MS. The relevant interested parties and their relevant requirements represent important inputs for several other requirements of the MSS, including determination of the scope, risks and opportunities and inputs to management review, among others. Guidance for MSS readers MSS readers may prescribe additional requirements related to understanding the needs and expectations of interested parties in their discipline-specific MSS. They may also clarify whose and what needs and expectations should be addressed for the specific MSS. For example,
MSS readers should also be aware that not all interested party requirements necessarily become requirements for the organization.
Examples of potential interested parties that MSS readers may need to consider when formulating any discipline-specific requirements can include:
Examples of interested party requirements that MSS readers may need to consider can include:
|
4.3 Determining the scope of the XXX management system The organization shall determine the boundaries and applicability of the XXX management system to establish its scope. When determining this scope, the organization shall consider:
|
Intent of the requirement(s) To establish the physical and organizational boundaries to which the MS will apply. Guidance for MSS readers MSS readers should be aware that the credibility of the organization’s MS relies on the appropriate choice of its boundaries and applicability. The documented information on scope should be a factual and representative statement of the organization’s business processes and operations included within the MS boundaries and should not mislead interested parties. |
4.4 XXX management system The organization shall establish, implement, maintain and continually improve an XXX management system, including the processes needed and their interactions, in accordance with the requirements of this document. |
Intent of the requirement(s) To ensure that processes and other elements of the organization form an effective MS (see 3.4) in accordance with the MSS, taking into consideration the context of the organization (see 4.1 to 4.3). Guidance for MSS readers MSS readers should be aware that the processes referred to include all processes needed to meet the requirements of Clauses 4, 5, 6, 7, 8, 9 and 10, whether these are provided internally or by external providers.
|
5. Leadership |
|
5.1 Leadership and commitment Top management shall demonstrate leadership and commitment with respect to the XXX management system by:
NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence. |
Intent of the requirement(s) To identify actions in which top management is directly involved to demonstrate its leadership and commitment to the MS. Visible support, involvement and commitment of the organization’s top management is important for the successful implementation of the MS. It sets the attitude and expectations, increases awareness and acceptance, and motivates persons to be engaged in the MS initiatives. It can provide reassurance to interested parties that an effective management system is likely to be in place. This clause also emphasizes the need for top management to ensure that the MS requirements are not perceived as being “separate” from the way the business is run. The concept of “business” can include activities for profit or non-profit purposes, and also refer to the activities conducted by private or public entities (including, for example, government). Guidance for MSS readers MSS readers should note that the word "ensuring" used in parts of this clause means that top management does not necessarily perform all of these actions itself (the authority to do so can be delegated to others), but top management is responsible for making sure the actions are performed. When adding any discipline-specific requirements, MSS readers should use a similar rationale for activities that can be delegated by top management. Some discipline-specific MSS readers (e.g. in ISO 37001) needed to differentiate between “top management” and a “governing body”. Where this “governance” function is provided by a role other than top management then MSS readers should include requirements related to that role in this clause. 
The definition of a “governing body” is given in ISO 37001:2016, 3.7 as follows: 3.7 governing body group or body that has the ultimate responsibility and authority for an organization’s activities, governance and policies and to which top management reports and by which top management is held accountable Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from top management. Note 2 to entry: A governing body can include, but is not limited to, board of directors, committees of the board, supervisory board, trustees or overseers. Examples of sources of information on the concept of governance in relation to MSS can be found in the following documents, among others:
|
5.2 XXX Policy Top management shall establish a XXX policy that: a) is appropriate to the purpose of the organization; b) provides a framework for setting XXX objectives; c) includes a commitment to meet applicable requirements; d) includes a commitment to continual improvement of the XXX management system. The XXX policy shall:
|
Intent of the requirement(s) To require top management to specify the intentions and direction of the organization that are needed as part of the effective implementation of the MS, taking into account the organization’s purpose. The XXX policy is used to frame the XXX objectives which the organization sets for itself. Guidance for MSS readers |
5.3 Roles, responsibilities and authorities Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. Top management shall assign the responsibility and authority for: a) ensuring that the XXX management system conforms to the requirements of this document; b) reporting on the performance of the XXX management system to top management. |
Intent of the requirement(s) To require top management to assign and communicate responsibility and authority for relevant roles within the organization, and specifically those to ensure the XXX MS conforms to the requirements of the MSS and MS performance is reported to top management (see guidance for 5.1). Guidance for MSS readers MSS readers may prescribe additional requirements related to specific roles for their discipline-specific MSS. For example, requirements related to the responsibility and authority for ensuring that the MS conforms with the requirements of the MSS may be assigned to an individual, several individuals, or to a team, e.g. Data Protection Officer (DPO), Data Protection Representative (DPR). |
6. Planning |
|
6.1 Actions to address risks and opportunities When planning for the XXX management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
The organization shall plan: a) actions to address these risks and opportunities; b) how to
|
Intent of the requirement(s) To specify the planning needed for the MS by defining what needs to be considered and what needs to be addressed for the MS to achieve the 3 bullet points in 6.1 of assurance, prevention, and continual improvement. The intent is to anticipate potential scenarios and consequences; the requirements are preventive in nature by requiring the organization to address potentially undesirable effects before they occur, while at the same time they require the organization to look out for favourable effects that can offer a potential advantage or benefit. Planning needs to consider the issues relevant to the organization’s context identified in 4.1 and the requirements identified in 4.2, for the organization to determine potential positive and negative effects that need to be addressed. Guidance for MSS readers MSS readers need to be aware that the HS includes both explicit requirements related to risks and opportunities in 6.1 and deployment of risks and opportunities throughout the remaining clauses. If MSS readers require risks and opportunities to be addressed formally in discipline-specific clauses they may include such requirements in their XXX MSS. MSS readers may need to address discipline-specific events, scenarios, or circumstances (whether planned or unplanned) that could result in a deviation from the expected. It is the effect of a deviation from the expected that can have a positive or negative impact, not the deviation itself. MSS readers may add discipline-specific requirements to address risks (or XXX risks) that can potentially generate an unacceptable negative effect. In these cases, it is prudent to concentrate on eliminating or mitigating the risk. However, if the risk (or the mitigating action) generates a potential positive effect for the organization, then it is prudent to recognize and consider leveraging this opportunity.
If MSS readers need to add discipline-specific requirements to address risk (for example due to regulatory or sector issues), they should clarify the need for formal risk management, and agree on the positioning of any risk assessment and risk treatment text. When adding any discipline-specific requirements related to risks and opportunities, MSS readers should be aware of the linkages between Clauses 4, 6 and 8 and ensure that these are maintained. The planning referred to in 6.1 is based on the organization’s context (Clause 4) and is then further deployed via the operational planning (8.1). MSS readers can also consult the following standards:
MSS readers may introduce discipline-specific requirements or provide guidance on managing opportunities within their MSS. In doing so, they should recognize that “opportunity” is not a defined term in the HS, so the common dictionary meaning applies unless the MSS readers choose to define the term themselves. A typical dictionary meaning of the word “opportunity” is “a time or set of circumstances that makes it possible to do something”. Some opportunities can be foreseen and determined through planning; others not. Both can provide valuable inputs into operations and improvement activities (see Clauses 8 and 10). MSS readers may consider discipline-specific sources of opportunity which may be identified or discovered. These can include, for example:
For some MS disciplines, planning also needs to address emergency preparedness and response. In such cases MSS readers should acknowledge the interaction with the organization’s overall contingency and continuity planning. |
6.2 XXX objectives and planning to achieve them The organization shall establish XXX objectives at relevant functions and levels. The XXX objectives shall: a) be consistent with the XXX policy; b) be measurable (if practicable); c) take into account applicable requirements; d) be monitored; e) be communicated; f) be updated as appropriate; g) be available as documented information. When planning how to achieve its XXX objectives, the organization shall determine:
|
Intent of the requirement(s) To ensure the XXX policy is supported by objectives, that these objectives are deployed throughout the relevant parts of the organization and that plans are established to achieve them. Guidance for MSS readers MSS readers should be aware of the following linkages with other clauses, and ensure that any additional discipline-specific requirements are consistent with them:
MSS readers should state any discipline-specific requirements related to objectives in a way that allows determination of their fulfilment to be made. MSS readers should be aware that while 6.2 requires objectives to be measurable, this does not necessarily mean they have to be quantified. Qualitative results (e.g. “yes/no” answers) can also be considered, when supported by appropriate evidence. By including the caveat “if practicable”, it is acknowledged that there can be situations when it is not feasible to measure the achievement of an objective. MSS readers may, however, define discipline-specific requirements that achievements of certain objectives always have to be measured (over-riding the “if practicable”). MSS readers may also make reference to other MSS clauses when the status and progress on objectives need to be periodically checked and updated for their discipline. If MSS readers choose to include requirements for specific performance indicators associated with objectives, these should be stated in Clause 9; not in 6.2. |
6.3 Planning of changes
When the organization determines the need for changes to the XXX management system, the changes shall be carried out in a planned manner.
Intent of the requirement(s)
To ensure that the organization can achieve the intended results of its XXX MS both during and after changes. The circumstances giving rise to the need for change(s) to the MS can be planned or unplanned (see 6.1), but the changes themselves need to be carried out in a planned manner.
Guidance for MSS readers
MSS readers need to be aware that the ways in which changes are planned can vary, depending on the circumstances that gave rise to the need for change and the complexity and severity of the changes to be made. Types of changes that MSS readers need to consider can depend on the discipline-specific MSS. Examples include:
If they need to add discipline-specific requirements, MSS readers should consider making reference to 8.1 for implementing and controlling planned changes.
7 Support
7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the XXX management system.
Intent of the requirement(s)
To determine and provide the resources needed to establish, implement, maintain and improve the MS. Resources should be appropriate to ensure that the operation of the MS is effective in achieving its intended results.
Guidance for MSS readers
MSS readers may prescribe additional requirements for resources that are specific to their discipline. For example:
MSS readers who wish to add discipline-specific requirements on “resources” can consult other MSS (see General Guidance) as well as the following:
7.2 Competence
The organization shall:
Appropriate documented information shall be available as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the re-assignment of currently employed persons; or the hiring or contracting of competent persons.
Intent of the requirement(s)
To determine and ensure the competence necessary for persons to meet the requirements of the MSS and achieve the MS’s objectives.
Guidance for MSS readers
MSS readers should be aware that this clause should be considered in conjunction with the definition of competence (see 3.9), and the Note in 7.2 that mentions different actions by which competence can be achieved. If MSS readers need to mention training as a way to ensure competence, an example of an additional requirement added as a new bullet could read e.g. “determine training needs associated with its XXX management system”. For some MSS, the phrase “XXX performance” changes the meaning of the requirement. In this case, MSS readers may use alternative text to provide clarification as long as the intent of the requirement does not change. When adding discipline-specific requirements, MSS readers should avoid mixing requirements for awareness-building with those needed to achieve competence. Requirements related to awareness should be included in 7.3. MSS readers who wish to add discipline-specific requirements on “competence” can consult other MSS (see General Guidance) as well as the following:
7.3 Awareness
Persons doing work under the organization’s control shall be aware of:
Intent of the requirement(s)
To ensure that persons in the organization are aware of relevant policies and MSS requirements as well as any situation or aspect that can have an effect on the intended results of the MS.
Guidance for MSS readers
MSS readers who wish to add discipline-specific requirements on “awareness” can consult other MSS (see General Guidance). Additional items that persons can be required to be aware of can include:
For some MSS, the phrase “XXX performance” changes the meaning of the requirement. In this case, MSS readers may use alternative text to provide clarification as long as the intent of the requirement does not change.
7.4 Communication
The organization shall determine the internal and external communications relevant to the XXX management system including:
Intent of the requirement(s)
To ensure that information concerning the XXX MS is communicated effectively both to and from the relevant interested parties.
Guidance for MSS readers
MSS readers who wish to add discipline-specific requirements on “communication” should consider the relationships with other clauses that require communication. They can also consult other MSS (see General Guidance). Examples of topics where other clauses of the HS require effective communication include:
Examples of such additional requirements may include:
7.5 Documented information
7.5.1 General
The organization’s XXX management system shall include:
a) documented information required by this document;
b) documented information determined by the organization as being necessary for the effectiveness of the XXX management system.
NOTE The extent of documented information for a XXX management system can differ from one organization to another due to:
7.5.2 Creating and updating documented information
When creating and updating documented information, the organization shall ensure appropriate:
7.5.3 Control of documented information
Documented information required by the XXX management system and by this document shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
Documented information of external origin determined by the organization to be necessary for the planning and operation of the XXX management system shall be identified as appropriate, and controlled.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
Intent of the requirement(s)
To define the documented information that needs to be created, controlled and maintained for the effective implementation of the MS. Example of management system documentation: This includes documented information that is:
Guidance for MSS readers
The text throughout 7.5 should be considered in conjunction with the definition of “documented information” (see 3.10). When adding discipline-specific text, MSS readers should be aware of the intent of the NOTE in 7.5.1, to indicate the factors that should be considered when the extent of documented information is defined, such as the size, type and complexity of the organization, and the competence of persons. MSS readers may prescribe additional requirements for documented information that are specific to their discipline. For example, ISO 9001 specifically requires that relevant documented information needed for the MS that is provided by an external provider be controlled. MSS readers who wish to add discipline-specific requirements on “documented information” can consult other MSS (see General Guidance) as well as the following:
MSS readers should also be aware that the information required to be documented by the MS may be integrated with other information management or documentation systems established by an organization.
8 Operation
8.1 Operational planning and control
Drafting instruction: This subclause heading will be deleted if no additional subclauses are added to Clause 8.
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that externally provided processes, products or services that are relevant to the XXX management system are controlled.
Intent of the requirement(s)
To require the organization to deploy the planning carried out under Clause 6 by planning, implementing and controlling its processes at the operational level. This includes any externally provided processes. By mentioning Clause 6, this requirement includes the consideration of risks and opportunities, XXX objectives and change planning when determining the extent of control for the processes.
Guidance for MSS readers
Operational planning can be more detailed than the planning done in Clause 6, to support the planned actions determined in 6.1 and 6.2, and to ensure the effective deployment of any planned changes determined in 6.3. MSS readers should be aware that “criteria for the processes” can differ by discipline and include (among other things) requirements related to process parameters (including process capabilities, performance and functionality) as well as criteria related to process results. Therefore MSS readers may prescribe additional requirements to clarify process criteria in the context of their discipline-specific MSS. Clause 8 is typically the area of the HS where MSS readers add the most discipline-specific requirements. For this reason, in many MSS, Clause 8 is often longer than other clauses. MSS readers may add discipline-specific requirements in order to ensure control over the operational processes. For example:
If MSS readers need to add discipline-specific text related to suppliers (“external providers of processes, products or services”), they should do so as part of Clause 8. They also need to be aware that even if the external provider is outside the boundaries of the scope of the MS, control over the externally provided processes, products or services relevant to the intended results of the XXX MS is within the scope. External providers can include the organization’s corporate headquarters, associate companies, suppliers, or anyone the organization has asked to provide a process, a product or a service. If MSS readers need to add discipline-specific requirements to include the concept of emergency preparedness and response, they should do so as part of Clause 8. MSS readers should also be aware of the linkages between “emergency preparedness and control” and the requirements related to “risks and opportunities” and “planning of change” described in Clause 6. These specific requirements can be related to the organization’s contingency planning or business continuity planning. MSS readers who wish to add discipline-specific requirements on “emergency preparedness and control” can consult other MSS (see General Guidance) as well as the following:
9 Performance evaluation
9.1 Monitoring, measurement, analysis, and evaluation
The organization shall determine:
Documented information shall be available as evidence of the results. The organization shall evaluate the performance and the effectiveness of the XXX management system.
Intent of the requirement(s)
To specify requirements for monitoring, measurement, analysis and evaluation of the MS and its processes (including process inputs and results) to determine the extent to which the planned activities are realized and planned results are achieved. The information gained through monitoring, measurement, analysis and evaluation is intended to be used at different levels of the organization, as appropriate, to support decision-making related to the respective activities and to drive continual improvement.
Guidance for MSS readers
MSS readers who wish to add discipline-specific requirements should consider the definitions of “monitoring” and “measurement” in 3.19 and 3.20 to ensure that any discipline-specific text respects this difference. It is recommended to include any discipline-specific requirements for monitoring and measurement resources in Clause 7. When determining what to monitor and measure, the MSS readers may address the need to evaluate the fulfilment of specific requirements within the MSS and/or related processes. For some MSS, the phrase “XXX performance” changes the meaning of the requirement. In this case, MSS readers may use alternative text to provide clarification as long as the intent of the requirement does not change.
9.2 Internal audit
9.2.1 General
The organization shall conduct internal audits at planned intervals to provide information on whether the XXX management system:
a) conforms to:
b) is effectively implemented and maintained.
9.2.2 Internal audit programme
The organization shall plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall:
a) define the audit objectives, criteria and scope for each audit;
b) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
c) ensure that the results of audits are reported to relevant managers.
Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.
Intent of the requirement(s)
To specify requirements for planning, implementing and maintaining an internal audit programme to facilitate an evaluation of the MS performance, and to define the documented information required.
Guidance for MSS readers
MSS readers may make reference to ISO 19011 (Guidelines for auditing management systems) in their discipline-specific MSS to provide guidance on audits. In formulating any additional discipline-specific text, MSS readers can also find it useful to consult the ISO/IAF ISO 9001 and ISO 14001 Auditing Practices Groups (APG) guidance.
9.3 Management review
9.3.1 General
Top management shall review the organization’s XXX management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
9.3.2 Management review inputs
The management review shall include:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the XXX management system;
c) changes in needs and expectations of interested parties that are relevant to the XXX management system;
d) information on the XXX performance, including trends in:
e) opportunities for continual improvement.
9.3.3 Management review results
The results of the management review shall include decisions related to continual improvement opportunities and any need for changes to the XXX management system. Documented information shall be available as evidence of the results of management reviews.
Intent of the requirement(s)
To specify requirements for review of the MS by top management, including the information to be covered and the expected results. Top management involvement and engagement in this review is the mechanism to drive changes to the MS (6.3) and direct continual improvement priorities (Clause 10), particularly in relation to changes in the organization’s context and deviations from intended results, or by identifying favourable circumstances that can provide potential opportunities for improvement.
Guidance for MSS readers
With reference to the “suitability, adequacy and effectiveness” of the MS, MSS readers should be aware that “effectiveness” is a defined term (see 3.13). If MSS readers wish to include guidance about the words “suitability” and “adequacy” they can consult other MSS (see General Guidance). Examples can be found in the annexes to ISO 14001:2015 and ISO 45001:2018, among others. For some MSS, the phrase “XXX performance” changes the meaning of the requirement. In this case, MSS readers may use alternative text to provide clarification as long as the intent of the requirement does not change. MSS readers may prescribe additional discipline-specific management review inputs that are needed to demonstrate the suitability, adequacy and effectiveness of the XXX MS. In formulating any discipline-specific requirements, MSS readers should be aware of the way in which this requirement is phrased – “Top management shall review ...” and not “Top management shall ensure ...”.
10 Improvement
10.1 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the XXX management system.
Intent of the requirement(s)
To specify what aspects of the MS need to be continually improved.
Guidance for MSS readers
MSS readers need to be aware that the term adopted by the HS is “continual improvement” (see 3.12) and not “continuous improvement”.
If MSS readers wish to include guidance about the words “suitability” and “adequacy” they can consult the guidance provided for 9.3. Some discipline-specific MSS have inserted a “General” sub-clause at the beginning of Clause 10, with notes and/or guidance about different kinds of improvement, including
Others have added specific criteria for evaluating improvement suggestions, specifying targets for each improvement made, as well as measuring and reporting on them. MSS readers who wish to make similar additions can consult other MSS (see General Guidance) as well as the following:
10.2 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
c) implement any action needed; d) review the effectiveness of any corrective action taken; e) make changes to the XXX management system, if necessary. Corrective actions shall be appropriate to the effects of the nonconformities encountered. Documented information shall be available as evidence of:
Intent of the requirement(s)
To specify the responses needed to address the non-fulfilment of a requirement related to process, process results, product, service, MS or any other requirement that affects the ability of the MS to achieve its intended result.
Guidance for MSS readers
MSS readers may prescribe additional discipline-specific requirements to provide context to the nonconformity and the need for corrective action. This could be specific to the MSS or related to regulatory requirements. In formulating any discipline-specific requirements, MSS readers should be aware of the following: