
Getting Started with ISO Management Systems Standards

03 February 2016
This guide provides a starting point for getting to grips with ISO management systems standards, whether using them for the first time or researching standards to integrate with existing management systems.

Standards are all around us, behind the scenes. They quietly ensure our safety, comfort and convenience in every aspect of our private and professional lives. To the uninitiated, standards may only become noticeable by their absence, when things go wrong.

If you are reading this guide, you will likely be aware of management systems standards or already be using them to manage organizational performance. Standards should be your trusted and indispensable reference for planning, implementing and optimizing your management systems.
The purpose of this guide is twofold: firstly, to provide a starting point for those unfamiliar with standards and secondly, to provide a refresher for those already using standards, so that they can leverage maximum value from them.
It gives an induction to the feel and flow of the document, an understanding of the generic requirements applicable across the range of standards, and the specific headline concepts of key management systems disciplines, including ISO 9001:2015 quality management systems and ISO 14001:2015 environmental management systems.

What are standards?

ISO has published over 19,000 International Standards and defines a standard as a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.

The first notable point is that a standard is a document to be understood and implemented. It is similar in concept to the Highway Code: documented, practised and tested to ensure that drivers meet the minimum accepted competence for public safety.

There are many types of standard, but we will focus on management systems standards of which there are two main types:

  • Generic standards.  Applicable to any type of organization by addressing management disciplines such as quality, environment, energy or information security. These standards are among the most widely adopted management systems globally.

  • Industry specific standards.  Designed to address the specific needs of vertical markets. For example, the standard AS 9100 uses the ISO 9001 as a foundation and adds specific requirements of the aviation and aerospace supply chain.

ISO management systems standards provide frameworks for planning, implementing and optimizing management systems for different management disciplines or areas of risk. They are not heavily prescriptive and give a good degree of flexibility for different types of organization to implement a management system that works for them in their specific context.

Common structure and concepts

ISO management systems standards now follow ISO document Annex SL, which sets out the high-level structure and core concepts of management systems. Several standards now follow this structure, including ISO 9001:2015, ISO 14001:2015 and ISO 27001:2013. The forthcoming health and safety standard ISO 45001 will follow suit.

This significant development enables different management systems to be integrated with greater efficiency and effectiveness. The common structure is paraphrased in the contents pages and sections of the standards as follows:

1. Scope. This sets out the intended outcome and boundaries of the standard. It is not to be confused with the scope of the organization's management system or the scope of certification, which refer to the parts of the organizational structure and the activities to which the standard has been implemented.

2. Normative References. Standards can also reference related standards and guidance documents, and these are specified in the Normative References. Some standards, such as ISO 14001:2015, have no normative references and contain all the information necessary for implementation.

3. Terms and Definitions. Standards come with their own technical language to ensure accurate implementation. Section 3 defines all of the terms and definitions required.

4. Context of the Organization. Context relates to the internal and external factors that create risks and opportunities for an organization. Tools like PESTEL analysis, McKinsey 7S model and SWOT can help to define context. These tools are becoming more relevant to management systems, as strategic leadership is required by the standards.

5. Leadership. Management systems standards emphasize leadership, not just management, and the requirements of leaders and policy makers are specified in this section.

6. Planning. Each standard has requirements for defining the actions required to successfully achieve objectives, capitalize on opportunities and manage risk.

7. Support. Leaders of the organization must provide the resources needed for the establishment, maintenance and continual improvement of the management system.

8. Operation.  This section moves into operational implementation of the system with requirements for establishing, implementing and controlling processes. Depending on the nature of the standard, this may contain many or few requirements. In the case of ISO 9001:2015 the bulk of its requirements are in this section.

9. Performance Evaluation. Defined in each standard as the need to monitor, measure, analyse and evaluate performance. The requirements for internal audit and management review are found here.

10. Improvement. Using the outputs of performance evaluation, take action to achieve continual improvement. This is an explicit requirement of management systems standards.

It is notable that each standard uses the Plan-Do-Check-Act (PDCA) model as a founding principle and process for continual improvement of the management system. The Annex SL structure outlined above aligns directly to the stages of the PDCA model as follows:

Plan = Context > Leadership > Planning > Support

Do = Operation

Check = Performance evaluation

Act = Improvement

The anatomy of an ISO management systems standard

It is well worth familiarizing yourself with the structure of the documented standard you have chosen to work with. It will become an indispensable reference, and knowing where to look for specific information will be invaluable.

The structural elements of the standards are:

  • Title-page. States the precise name and number of the given standard. This is essential as often management systems standards form part of a related series. For example, ISO 9000 is not the same standard as ISO 9001. The former sets out the fundamentals and vocabulary of quality management systems. The latter specifies requirements of a quality management system and refers to ISO 9000 in its normative references.

  • Contents. The contents pages list all sections of the standard including the requirements. It is a useful quick-reference to identify clauses, sub-clauses and sub-sub-clauses.

  • Foreword. Explains which ISO committee is responsible for the development of the standard. The information is for reference and has no practical implication for implementing the management system.

  • Introduction. Sets out the background and main aims of the standard, sometimes referred to as the ’spirit’ of the standard.

  • Requirements.  Sections one to ten detail the specific requirements of the standard. Sections 1-3 broadly state the terms of reference for the standard and are not auditable requirements. Sections 4-10 specify requirements of the management system as explained in Common structure above.

  • Annexes. Provide additional guidance and clarification of what is expected in terms of compliance with the stated requirements.

  • Bibliography. Refers to related standards, which may also be defined in Section 2 Normative references.

  • Index of terms. Provides an alphabetical index of terms, cross-referenced to Section 3 Terms and definitions.

Translating the language of standards

In addition to the terms and definitions, ISO standards use the following two terms, which should not be used synonymously.

  • “Shall” indicates a requirement that must be met to comply with the standard. Internal and external auditors will assess conformity where clauses state “shall”.

  • “Should” indicates a recommendation. This is in the spirit of best practice and, whilst not mandatory, may provide opportunities for improvement; improvement itself is a requirement of the standard.

These terms state what you must do to comply and what is recommended good practice.

Where to begin with implementation

Once it is decided to use standards to implement a management system, you can follow the PDCA model throughout the project management process.

Whichever method you choose, the following tips will get you started:

  • Get a copy of the standard. Buy it from ISO.

  • Read it at least twice. Read the standard several times to get orientated with its structure, definitions and headline requirements.

  • Make notes. Read the standard in more detail, using your preferred method to make notes prior to detailed planning – identify key actions, potential team members, critical resources, project sponsors, etc.

  • Do a gap analysis. Do a dry-run audit before starting implementation. Audit the requirements from Clauses 4-10 to identify significant gaps and likely challenges. This will help focus your effort.

  • Build your team. Implementation can be difficult without support; consider getting trained or hiring a consultant – neither are essential but may help depending on your budget, resources and timeframe for implementation.

There are many more practical tips for implementing a management system, which we will address in future articles.

Core requirements of specific standards

In addition to the generic structure and concepts provided by Annex SL, each management systems standard has its own requirements for managing specific disciplines and risks.

Here we will briefly review the headline concepts of two standards: ISO 9001:2015 and ISO 14001:2015.

Understanding the concepts and principles below is a starting point for getting the most value from the specific requirements of each standard.

ISO 9001:2015 Quality Management Systems

The ultimate purpose of ISO 9001 is to help organizations to consistently meet customer needs and improve their overall performance becoming more effective and more efficient.

The fundamental principles include:

  • 7 management principles – ISO 9001:2015 is underpinned by seven management principles which are applicable to the good running of any organization. These are described fully in ISO 9000:2015.

    • Customer focus. The primary focus of quality management is to meet customer requirements and to strive to exceed customer expectations.

    • Leadership. Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the organization’s quality objectives.

    • Engagement of people. Competent, empowered and engaged people at all levels throughout the organization are essential to enhance the organization’s capability to create and deliver value.

    • Process approach. Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.

    • Improvement. Successful organizations have an on-going focus on improvement.

    • Evidence-based decision making. Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.

    • Relationship management. For sustained success, organizations manage their relationships with interested parties, such as suppliers, employees and regulators.

  • Plan-Do-Check-Act model – as explained above, the PDCA model is the foundation of continual improvement.

  • Risk based thinking. This explicit concept refers to a subconscious or dynamic thought process that considers risks and opportunities from internal and external sources. It does not require formal risk assessment; the concept is similar to commuting drivers and pedestrians, who conduct real-time subconscious risk assessment to avoid accidents.

ISO 14001:2015 Environmental Management Systems

ISO 14001 specifies the requirements for an environmental management system — but not the specific environmental performance criteria, which are for the organization to define.
Its main aim is to provide a framework that helps organizations:

  • Enhance environmental performance. By protecting the environment through the prevention, mitigation and reversal of negative impacts.

  • Fulfil compliance obligations. Mandatory and voluntary requirements (e.g. legal and other requirements, including the relevant needs and expectations of interested parties).

  • Achieve environmental objectives. Setting KPIs relating to management of risk and improved environmental performance.

Key principles in achieving these aims are:

  • Context. Evaluation of organizational context aims to provide a high-level understanding of the key issues that positively or negatively affect the management of environmental responsibilities. These come from three main sources:

    • Environmental conditions (related to environmental aspects) - climate, air quality, water quality, land use, contamination, natural resources, biodiversity, etc.

    • External - legal/regulatory, economic, technology, social/cultural, competition, drivers/trends, interested parties, etc.

    • Internal - strategic direction, capabilities, compliance status, culture, standards, operational systems, contractual relationships, etc.

  • Interested parties. To identify potential compliance obligations, the organization must evaluate the range of stakeholders who can be, or perceive themselves to be, affected by the organization's environmental aspects, for example:

    • Shareholders, board members and employees

    • Customers, suppliers and contractors

    • Regulators, communities and pressure groups

  • Life-cycle perspective. Evaluation of environmental aspects should consider upstream and downstream issues, from raw material acquisition to final disposal. This ensures a holistic evaluation and an understanding of the relationships between aspects as an interlinked system, but does not require a detailed life-cycle analysis.

Summary: Getting Started

The key to getting started with ISO management systems standards is relatively straightforward: obtain the standard and study the key concepts, terminology and headline requirements. Do this before planning implementation to ensure your plans head in the right direction; it will save time and focus your resources.

In future articles, we will address the practicalities of implementation in more detail. We will take a deeper look at specific requirements of key management systems standards and the common activities required such as evaluation of context, management review and internal auditing. We will also consider how to integrate management systems to maximize efficiency and achieve synergy.

If you have any advice on getting started with standards, we would love to hear from you.