
ISO Update is an independent website that aims to provide information, resources, and updates around the Standards and Certification industry. We believe that organizational standards can help businesses of all shapes and sizes become more efficient and successful on a local, federal, or global scale.


A Guest Post from Glacier Consulting.

We knew it was coming! And on March 12, 2018, ISO 45001 was published. On March 13, ISO hosted a livestream video to answer all of your questions about this new standard.

Although we’ve been learning more about ISO 45001, and even wrote a blog a few months ago about the differences between ISO 45001 and OHSAS 18001, we wanted to summarize the main points made by the experts that created the standard.

The conversation was hosted by Maria Lazarte from the ISO General Secretariat with guests Richard Jones, Charles Corrie, David Smith and Jan Toft Rasmussen.

Richard Jones was actively involved in the development of OHSAS 18001 and its guidance and the development of ISO 45001. Charles Corrie is Secretary of the committee (ISO/PC 283) that developed ISO 45001. David Smith is the committee chair of ISO PC 283 responsible for the development of ISO 45001 and a variety of BSI management standard committees. Jan Toft Rasmussen is an experienced consultant on health and safety with a history of working in trade union federations and confederations.

We have summarized the main points addressed into the What, When, Why, How and Who below.


What Is ISO 45001?

ISO 45001 is an International Standard that specifies requirements for an occupational health and safety (OH&S) management system, with guidance for its use, to enable an organization to proactively improve its OH&S performance in preventing injury and ill-health.

ISO 45001 is intended to be applicable to any organization regardless of its size, type and nature. All of its requirements are intended to be integrated into an organization’s own management processes. ISO 45001 enables an organization, through its OH&S management system, to integrate other aspects of health and safety, such as worker wellness/wellbeing; however, it should be noted that an organization can be required by applicable legal requirements to also address such issues.

What Happens to OHSAS 18001?

OHSAS 18001 has been withdrawn effective March 12, 2018. Companies who are currently using OHSAS 18001 will need to migrate to ISO 45001 within three years.

What is Different Between ISO 45001 and OHSAS 18001?

They are very similar in that they both use a Plan, Do, Check, Act model. ISO 45001 encompasses most of the areas of OHSAS 18001 for occupational health and safety.

ISO 45001 Speaks To Leadership

The differences are that 45001 follows the structure of other international standards. There is a much larger focus on the responsibility of leadership in ISO 45001. It also speaks to the need for worker participation. The standard aims to have worker health and safety be a central tenet in the way a company operates, integrated into overall business processes. Health and safety isn’t a standalone process or the responsibility of one person or department.

The delegates on the committee representing workers sought to participate in making their workplaces safer, but they really wanted language in the standard that makes it clear to top management that it holds ultimate responsibility for putting this into place in the organization.

ISO 45001 is More Comprehensive

ISO 45001 is designed to take into account many more factors than 18001. For instance, ISO 45001 recognizes other formats for data collection and storage – such as digital formats to reduce paperwork. Beyond just health and safety, ISO 45001 gives management a tool to strengthen their entire business if they follow it.

ISO 45001 is More Proactive

ISO 45001 focuses on continually assessing opportunities to reduce risks.

ISO uses terms across all of their standards that users will be familiar with – for example, the term “legal requirements” is used instead of “compliance obligations” because they wanted to make it clear that some countries have a legal requirement to do certain things.

The standard pursues the idea that every employee has a role to play in thinking about health and safety. For example, the purchasing manager should think about risks before they place every order for equipment that workers will use.

What about small businesses?

Small businesses (SMEs) can absolutely adopt 45001 even if they don’t currently have 18001. ISO 45001 makes it clear that all top management have a role to play in health and safety.


ISO 45001 was published on March 12, 2018. On that day, OHSAS 18001 was withdrawn. Companies who are currently using OHSAS 18001 will need to migrate to ISO 45001 within three years. The transition period started 3-12-18, and by 3-12-21 all OHSAS 18001 certifications must be migrated to ISO 45001.


Why Was The ISO 45001 Standard Created?

Too Many Work-Related Injuries, Illnesses and Deaths

Over 7,600 people die each day from work-related accidents or diseases. The video mentioned the fact that every 12 seconds a worker dies in the world on the job. The burden of occupational injuries and diseases is significant, both for employers and the wider economy, resulting in losses from early retirements, staff absence and rising insurance premiums.

International Standard Makes it Accessible

Clearly this is such a problem across the world that an international standard was almost overdue. Although there are health and safety standards locally and even nationally, there needed to be an official standard that transcends borders to create a safe and healthy working environment everywhere. Hopefully, with the new international standard in place, it will create a more popular and accessible standard worldwide and the number of injured workers will decrease over time.


How Does ISO 45001 Help Workers?

The ISO 45001 standard provides a systematic, comprehensive approach to health and safety on the job. It answers many specific questions on how to prevent injury and illness, rather than just dealing with them as they arise.

Health and Safety is Everyone’s Job

All levels of the organization are addressed in this standard. It’s not just applicable to one employee or department; rather, it offers guidelines for the entire organization, especially decision makers and leadership.

Using PPE As Last Resort

Rather than offering PPE (personal protective equipment) and hanging safety signs, this standard aims to be “in front” of issues before they happen.

An example was shared in the video regarding excess noise. While many recommendations may be to simply offer PPE to workers near the noise, this standard illustrates how to work to pinpoint the noise, measure it, and how to mitigate it instead of simply handing out ear protection.

PPE is not the foundation of the safety standard. The standard helps organizations create an environment that doesn’t require PPE in the first place. In other words, PPE is a last resort.

How can we convince top management to adopt ISO 45001?

There are many benefits to following or certifying to ISO 45001. These include overall improved performance, better cooperation amongst employees and managers, better respect amongst ranks of workers and management, reduced insurance costs, and lower worker turnover.

In some countries, this standard helps ensure legal requirements are met. It may reduce the pressure organizations face from labor or government inspectors. And finally, it fulfills customer requests or demands that their vendor partners have a system in place to protect employees.

How is ISO 45001 Connected to other ISO Standards?

In developing ISO 45001, the committee made sure it’s compatible with Annex SL – which is the framework used by ISO 9001, 14001 and 27001. Common terminology is used between all standards so it is easier to align 45001 with 9001. A company that uses both of these standards will be a stronger, better, higher quality and safer company.


Who Developed ISO 45001?

ISO 45001 was developed by ISO/PC 283, a technical committee made up of experts from around the world. The ISO 45001 committee ensured they had feedback from all parties that would be affected by ISO 45001. They sought to achieve balance between government, employers and workers, so they requested and received recommendations on who should be involved in the process of developing the standard from those three major groups.

Delegates from these three areas were nominated to represent their interests in the development of the standard. The delegates represented 85 countries.

The committee also had external liaison representation from: International Labor Organization, International Trades Union Congress, International Organization of Employers and others.

Who Needs ISO 45001?

ISO 45001 is designed for any company, in any industry, of any size, in any location around the world. Any company that cares for their employees can use this standard, even if they are not seeking to be certified to it.

Whether Seeking Certification or Not

Companies are able to use this standard to confirm their organizations are safe by benchmarking themselves against it. It was designed to be used as a tool regardless of whether the company is seeking the certification or not.

Existing OHSAS 18001 Certification Holders

OHSAS 18001 has been withdrawn effective March 12, 2018. Companies who are currently using OHSAS 18001 will need to migrate to ISO 45001 within three years. Three years is the standard period of time that ISO gives standard holders to upgrade to newly published standards. All new certifications will be to the ISO 45001 standard.

Who Does ISO 45001 Impact?

Employees and Subcontractors/Vendors

Organizations must also consider what their suppliers and subcontractors are doing. They don’t need detailed knowledge, but the organization should put the interaction with suppliers’ personnel into place within the organization’s system.

Glacier Consulting offers full consulting, auditing, and training services along with ongoing maintenance packages for all of your quality, environmental, health and safety, energy and sustainability needs.

This article was originally posted on Glacier Consulting’s website and is published here with permission.


The concept of risk has always been implicit in ISO 9001; this new revision only makes it more explicit and builds it into the whole management system.

In ISO 9001:2015, risk management is being added with a focus on risk-based thinking. Here a systematic approach to risk is established by considering and including it throughout the standard.

In the Introduction the concept of risk-based thinking is explained. Risk is defined as the effect of uncertainty on an expected result, where:

  1. An effect is a deviation from the expected – positive or negative.
  2. Risk is about what could happen and what the effect of this happening might be.
  3. Risk also considers how likely it is to take place.

The main goal of this quality management system is for an organization to achieve conformity and customer satisfaction. In ISO 9001:2015, risk-based thinking is used to achieve this goal.

  • In Clause 4 (Context) the organization is required to determine the risks which may affect its ability to meet the system’s objectives. The new ISO 9001 recognizes that the consequences of risk are not the same for all organizations, and this is why every organization will need to consider risk quantitatively as well as qualitatively, depending on their context.
  • In Clause 5 (Leadership) top management is required to demonstrate leadership and commit to ensuring that risks and opportunities that can affect the conformity of a product or service are determined and addressed.
  • In Clause 6 (Planning) the organization is required to take action to identify risks and opportunities, and plan how to address each of them.
  • Clause 8 (Operation) establishes that the organization is required to plan, implement and control its processes to address its risks and opportunities.
  • In Clause 9 (Performance evaluation) the organization is required to monitor, measure, analyze and evaluate the risks and opportunities.
  • In Clause 10 (Improvement) the organization is required to improve by responding to changes in risk.

These requirements are considered to cover the concept of preventive action (which has been replaced) and take a wider view that looks at risks and opportunities. By understanding those risks and exploring ways in which the risks can be mitigated, the organization will also have an opportunity to drive change and improvement.

In order to effectively meet the quality management system’s goal, ISO 9001:2015 will require organizations to consider their risks as part of their management’s plan, which will call for an improved commitment and more involvement of top management.


The internal audit process is essential for any organization that aims to maintain and improve their management system(s). However, achieving an effective internal audit process can be a challenge, especially for small and medium-size organizations.

Audits need to be performed by trained and qualified auditors with sufficient knowledge of the standard being used in order to ensure independence and objectivity. Some organizations do not have the time or budget to train existing workers to become their internal auditors or to employ someone with the required skills to perform these audits.

For those organizations, contracting out their internal audits is a feasible option. Some of the benefits organizations can obtain by doing so are:

  • Assure independence. Independence is likely to increase when the auditor does not belong to the organization. In some cases when a close relationship exists between auditors and auditees, independence and objectivity may be jeopardized.
  • Assure knowledge and skills. Most auditors from external organizations have years of training and experience. These auditors not only have the technical skills, but they also follow strict ethical guidelines.
  • Reduce costs. Employing an expert to perform the organization’s internal audits can be expensive. Contracting out will reduce the overall cost of internal audits.
  • Assure up-to-date knowledge. Like any other market, the internal audit market is competitive. This drives audit organizations to become more efficient and constantly improve the services they offer, which benefits the organization being audited.
  • Efficient use of time. Internal audits are time consuming. When they are outsourced, management has more time to focus on the core activities of their business.
  • Decrease the risk of disrupting internal audits. If an organization relies on one person to perform internal audits, a reliance on that person is created, which increases the vulnerability of the process. This risk is reduced when the process is outsourced.

Outsourcing internal audits is an option that should be considered by small and medium-size organizations. However, each organization has its particular needs and circumstances and they should assess if it would suit them better to outsource internal audits or to create their own auditing team.

There are many organizations that offer audit services, and choosing one is a decision that should not be taken lightly. The time spent choosing the right one will assure an independent and objective audit which will contribute to the improvement of the organization’s management system(s).



Identifying and tracking Quality Objectives is a requirement of ISO 9001:2015. These Quality Objectives must be identified and tracked at relevant levels, functions and processes. The functions or processes where quality objectives are required can be decided based upon the complexity, size or criticality of the process. The Quality Objectives should be in line with the quality policy and consider all applicable requirements. Quality Objectives need to be measurable, relevant to the products and services being offered and focused on enhancing customer satisfaction.

Establishing Measurable Quality Objectives

Identification of relevant quality objectives which are consistent with your organization’s quality policy is the first step in planning your Quality Management System. Objectives can be established through the S.M.A.R.T. philosophy. S.M.A.R.T. is an acronym used as a guide for establishing measurable objectives, which are Specific, Measurable, Attainable, Relevant and Time-oriented. Each objective should be:

  • Specific – The objectives must be clearly defined or identified so everyone is able to interpret them in the same way.
  • Measurable – An objective should be quantifiable and should be interpreted in terms of size or degree.
  • Attainable – An objective set beyond the capacity or capabilities of the organization would never be met. There should be mechanisms available or built to measure these objectives, and the objectives should be achievable.
  • Relevant – The objectives should be relevant to the organization’s context. An objective’s alignment with the Quality Policy and with customer, statutory or regulatory requirements can be ensured, so that it is relevant to the strategic direction of the organization.
  • Time-Oriented – An objective should be time-bound. The mechanism created for calculation of objectives should address when the objective will be assessed to understand whether it is met.

Quality Objectives should be set in discussion with top management and be relevant to conformity of products and services offered by the organization. Some examples of quality objectives are:

  • Improvement in customer satisfaction ratings by 3% every year
  • On-time delivery achievement of 99% every quarter
  • Improve productivity of team by 2% annually

Deploy Quality Objectives

After Quality Objectives are identified, the next steps required for deployment of these objectives are:

  • Document Quality Objectives: The Quality Objectives need to be documented. You could use a Quality Manual; however, this is no longer required in ISO 9001:2015. Other options include a Quality portal or document plan.
  • Communicate Quality Objectives: The Quality objectives need to be communicated to all relevant functions or departments. This may be done through Quality Awareness sessions to all teams.
  • Establish Mechanisms to capture Quality Objectives: There should be mechanisms established in the organization to calculate the Quality Objectives. The mechanisms planned need to be deployed for all functions or departments and these should be tracked on a fixed frequency to ensure compliance to these objectives.
  • Review Quality Objectives: Once an organization starts capturing these objectives, they need to review the mechanisms built to evaluate the performance of these objectives. This can be done through Management reviews planned at fixed intervals. Based on the outputs of the reviews, Quality Objectives may be updated, as appropriate.
  • Plan Corrective Actions: Whenever the Quality Objectives do not meet the targets set, there should be corrective actions planned against it. This gives an opportunity to identify process improvements which can help enhance the performance of the Quality Objectives.

Establishing and maintaining the performance of Quality Objectives is important to ensure the effectiveness of the Quality Management System. It gives the organization an opportunity to improve its processes and bring higher efficiency to its systems.


Every management system requires a way of approaching non-conformities and potential non-conformities. Although many organizations are familiar with the preventive and corrective action processes, there is still some confusion about the differences between them.

Both preventive and corrective actions are developed to improve an organization’s management systems, and their main difference can be identified by taking a closer look at their definitions, which are found in most of the ISO standards, including ISO 9001:

Corrective action: action to eliminate the cause of a detected non-conformity or other undesirable situation.

Preventive action: action to eliminate the cause of a potential non-conformity or other undesirable situation.

The main difference is that corrective actions are those required to address a non-conformity that has already occurred. In other words, the actions necessary to “clean up the mess”, determine the root cause(s) of the non-conformity and prevent it from happening again. On the other hand, preventive actions are the ones taken to prevent a non-conformity from ever occurring.

Some of the specific actions taken on each of these processes are:

Corrective Action

  • The root cause(s) of the non-conformity needs to be identified and documented.
  • The effect of the non-conformity should be analyzed in order to determine its impact and the actions required to correct or neutralize the damage or possible damages.
  • The whole system needs to be scanned to ensure that the non-conformity does not occur in other areas.
  • Implement the actions that will prevent the non-conformity from reoccurring.
  • Follow-up on the actions must be done to determine their effectiveness.

Preventive Action

  • Proactive actions, such as risk assessments, failure modes and effects analysis, must be taken to identify potential non-conformities.
  • The development of work instructions, documented procedures and training are examples of actions that are performed to prevent non-conformities.
  • Other activities that are regularly carried out and are part of the preventive action process are audits, management reviews and inspections.

The number of corrective and preventive actions in an organization reflects its maturity. If an organization has more corrective than preventive actions, it is a sign that more resources are being invested in trying to correct non-conformities that have already occurred. Conversely, when the number of preventive actions is greater than the number of corrective ones, it’s an indication that an organization is on the right track to successfully preventing non-conformities from ever occurring.

The ultimate goal regarding these actions is to have as many preventive actions as possible and zero corrective ones. It is easier and less expensive for any organization to prevent a problem from happening than to clean up the mess after it has occurred.


All processes within an organization, from procurement of raw material to production and final delivery, involve a number of risks or hazards to which the people working in these areas are exposed. The environment an organization exists in could expose workers, visitors and contractors to various risks which could potentially harm their health or safety. These risks may include harmful exposure to noise, radiation, poisons or dust; mechanical or electrical risks such as falls, slips or electrical equipment; or psychological risks like fatigue, violence or bullying. Clause 8.1 of ISO 45001 requires the organization to plan, implement and control the processes necessary to meet the health and safety requirements and eliminate health hazards.

Organisations must plan how they will address occupational health and safety related risks to ensure risk levels are as low as possible. ISO 45001 suggests a step-by-step approach using a hierarchy of controls to enhance occupational health and safety and reduce or control risks. This hierarchy is stimulated by ISO 31000.

The steps involve:

  • Eliminate the risk: This is the first step organizations should take to control risk. This approach requires organisations to avoid the risk altogether. This calls for stopping, or not starting, the activities that may be the cause of the potential risk. For example, eliminating the risk of using a hazardous substance would involve discontinuing the use of the substance altogether. This may involve redesigning the process itself.
  • Substitute the risk: Eliminating the risk may not always be possible. In such cases, the organization should go for the next level of control, i.e. substitution. This involves searching for another method that is less risky. This may include substituting a hazardous activity or material with a less hazardous or non-hazardous one.
  • Isolate the risk: This step may be taken to isolate the risk or hazard. This involves putting measures in place to remove the risk source itself. You may need to take steps that prevent people from coming into contact with the risk. Where hazardous material is being used, you may create enclosures for the process so people can avoid contact with it.
  • Engineering controls: The next level of control is engineering controls. These may be applied to change the consequence of the risk. This step focuses on applying collective protective measures rather than the individual protective measures used in isolating the risk. Design the process so that the hazardous material is locked in; such controls may include gas detection systems, shutdown systems and ventilation systems to control exposure to the hazardous substance.
  • Administrative controls: The preceding steps would control the risk to some extent or eliminate it. If risk still remains, administrative controls may be applied to the remaining risk. This involves providing information, instruction, training, or supervision for the risks involved. A documented procedure or work instruction comes under administrative control. Restricting access so that only trained professionals handle hazardous material is also an administrative control that can be put in place.
  • Personal Protective Equipment: If the risk still remains, Personal Protective Equipment (PPE) should be used to ensure handling of any remaining risk. This may involve PPE provided to workers for eye, face, hand or forearm protection, as required.

Using this hierarchy of controls, organizations can ensure adequate controls are planned for any OH&S related risks and ensure the health and safety of their workers.

What are the differences between ISO 14001:2015 and ISO 14001:2004

The latest version of ISO 14001 was released in September 2015, and the three year period given for transitioning from the 2004 version to this one is approaching its deadline. Many organizations have already started their transition process and some have successfully completed it. However, because there are less than 6 months until the deadline for transitioning to this standard, we would like to mention the main points regarding this transition process.

  • After mid-September 2018, ISO 14001:2004 certifications will not be valid, which means that by this time all organizations holding an ISO 14001:2004 certificate should have completed their transition.
  • Only those organizations currently holding an ISO 14001:2004 certification can take a transition audit to seek certification to the new version. The transition audit can take place at any time; however, it is recommended that it follows the organization’s audit schedule so that it can take place at the time a surveillance or recertification audit is planned.
  • If the transition audit is conducted at the time a surveillance or recertification audit is scheduled, organizations must ensure compliance with both the existing and the new standard. Organizations need to understand that until the transition process is completed, they should maintain compliance with the last version of the standard.

All requirements of the standard must be met, however, there are some aspects that need to be carefully checked to ensure that they have been correctly understood and implemented. These are:

  • Context: Organizations need to determine their context as this is the basis of the environmental management system (EMS).
  • Interested parties: Organizations must have a list of all relevant stakeholders along with their needs and requirements. These needs and requirements are now considered as part of the organization’s compliance obligations.
  • Scope: The scope of the EMS must be revised. Organizations need to make sure that no activities, products or services that could have significant environmental impact are excluded from the boundaries of the EMS.
  • Strategy: The EMS needs to be incorporated into the organization’s business strategy. This alignment with the strategy should be reflected in the EMS’s policy and, most importantly, its objectives.
  • Risks and opportunities: There needs to be evidence of the assessment of risks and opportunities concerning the EMS. The purpose of this assessment is the development of an action plan to address them (mitigate risks and exploit opportunities).
  • Life cycle perspective: When identifying and evaluating impacts of the environmental aspects, the organization must do it considering a life cycle perspective. It is not required to do a life cycle assessment, but it will be necessary to consider impacts in activities such as procurement, design, transportation and disposal.
  • Communication: There are more detailed requirements for internal and external communications. Among other things, a strategy for internal and external communication must be developed which must include mechanisms to consider suggestions from anyone working for the organization regarding improvements of the EMS.
  • Documented information: There are fewer requirements regarding documents (procedures and records); thus, organizations need to carefully examine their existing documents and make sure that these ensure effective process control and the effectiveness of the EMS.
  • Performance: It is important to demonstrate that the EMS is improving environmental performance and that this is being measured and monitored using quantitative data.

What is a Pre-Assessment Audit?

The implementation and certification process of a management system based on ISO 9001, ISO 14001 or any other standard requires an enormous amount of effort by everyone in an organization. Therefore, after finally obtaining the desired ISO certificate the organization will surely want to tell the world about it!

There are many ways an organization can advertise that their management system(s) comply with a specific ISO certification and that they have a certificate that proves it! Here are some ideas on how to do it:

Within the organization:

  • It is important to let all the organization’s employees know that their effort paid off. They can be rewarded with items such as mugs, coolers, t-shirts with the organization’s logo and a message such as “ISO 9001:2015 certified quality management system”.
  • A breakfast or brunch can be organized in recognition of the ISO certification achievement.
  • Sending an e-mail to all employees announcing the achievement.
  • The certificate may be displayed in the organization’s front lobby.
  • A flag or banner can be displayed on the organization’s main entrance to promote the certification.

Outside the organization:

  • A press release can be distributed to the local media, industrial magazines and other newsletters to announce that the organization’s management system has been certified.
  • A letter or e-mail can be sent to customers and suppliers, and even a reception can be organized to celebrate the achievement.
  • The achievement can be announced on the organization’s website, Facebook and Twitter account.
  • Messages announcing the certification can be added on the graphics of the organization’s vehicles.

There are many other ways to advertise the organization’s certification of their management system.

However, there are many mistakes organizations make when promoting their certification. An organization has to seek guidance from their Certification Body (CB) in order to avoid these mistakes. Here are some of the most common ones:

  • The International Organization for Standardization’s logo cannot be used under any circumstance.
  • If it’s necessary, the advertisement should mention the scope of the certification (in the cases where one site or one process of the organization has been certified).
  • Phrases such as “ISO Certification” should be avoided; it’s essential to be specific about which standard the organization’s management system has been certified to (ISO 9001, ISO 14001, etc.).
  • The organization’s certification logo cannot be used on their products. These certifications certify management systems, not products or services.

Organizations should feel proud of achieving certification of their management system and with their CB’s guidance they should find the right and the best ways to promote it.


Context of the organization is a new requirement in the ISO 9001:2015 standard. Context of the organization is the business environment determined by external factors (legal, financial, social, regulatory, cultural, etc.) and the organization’s internal environment determined by internal factors such as internal structures, governance and resource capabilities. Context of the organization also depends on the requirements of the Interested Parties.

Both internal and external context can influence the strategic plans of an organization. Business environments change quickly. Organizations that capture these changing business needs quickly are more able to survive in a highly competitive environment. In today’s business environment, a single customer complaint on a social media platform can spoil a company’s reputation. Customer pressures can force organizations to change various policies on product returns, customer support and much more. Similarly, internal context like organizational structures or skills of employees can result in procedural changes within organizations. When developing a Quality Management System, it is important that organizations understand these contexts when determining the scope of the Quality Management System.

Capturing Internal and External Issues

Internal Issues relate to the internal environment in which the organization operates. This will determine your company’s approach towards governance and its relationship with various stakeholders. Internal issues need to be understood in terms of:

  • Products or service offered
  • Organizational structures, roles and responsibilities and governance
  • Regulatory requirements
  • Objectives, policies and strategies
  • Resource capabilities and knowledge
  • Standards or models adopted by the organization

External Issues include the social, technological, ethical, legal, political, and economic environment in which the organization operates. External context needs to be understood in terms of:

  • The social and cultural issues
  • Legal and regulatory requirements
  • Technological or economic scenario
  • Natural and competitive environment, be it international, national, regional or local
  • Key market drivers and trends
  • Relationships with external stakeholders

While determining the Context of an organization, various methods like SWOT (strengths, weaknesses, opportunities and threats) or PEST (political, economic, social and technological) analysis may be used. Brainstorming needs to be done with Management to determine the context of the organization. Issues may be captured using an issue log and actions may be planned against each issue to adequately address them. These should determine the strategic direction of the organization and the scope of the Quality Management System.

Capturing Requirements of Interested Parties

Relevant Interested Parties in a business scenario are all stakeholders, internal or external, who impact or could potentially impact an organization’s capability to consistently supply products and services which meet customer and legal requirements. Once all stakeholders have been identified, you need to understand their requirements and address them adequately. A customer requirement could be to produce quality deliveries on time or provide value for money. Management may be looking for good financial performance, and Government Agencies may have statutory and regulatory requirements which the organization needs to address. An organization needs to identify all such requirements and plan strategies to address them.

Monitor and review the context

Once the context, issues and Interested Parties are determined, mechanisms should be built in the organization to monitor and review these requirements at regular intervals. This can be done through Management reviews. Context and requirements of interested parties may change with time, which is why it is important to keep these up-to-date with the market trends and changing internal environment of the organization.

Define the scope of QMS based on the context

The scope of the Quality Management System should be defined based on:

  • The external and internal issues determined
  • The requirements of relevant interested parties
  • Products and services of the organization

The scope of the Quality Management System should clearly indicate the nature of the product / service being offered and the context in which the organization operates, and shall address the requirements of all interested parties.


What makes your company stand out from the crowd? What is your key to success, that wins over clients and keeps you ahead of the competition? Chances are, it’s your Organizational Knowledge. So how can the ISO 9001:2015 standard help protect your Organizational Knowledge?

How Can You Protect Your Organizational Knowledge?

Knowledge is one of the most important assets an organization has. Knowledge is irreplaceable, and how this knowledge is generated, shared and used by its people strongly determines the productivity and success of an organization.

Until recently, organizations had few or no processes for managing their knowledge, increasing potential loss and doing little to encourage efforts to generate and share new knowledge.

Due to the importance of managing knowledge within organizations, ISO 9001:2015 introduced a series of requirements regarding this matter.

In its clause 7.1.6, the standard states that:

  • The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services.
  • This knowledge shall be maintained and be made available to the extent necessary.
  • When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.

According to ISO 9001:2015, Organizational Knowledge is the necessary information that is used and shared to achieve organizational goals and to make the organization more effective.

Because this is a new subject introduced in ISO 9001:2015, it is important to understand the different types of knowledge there are.

Types of Knowledge


Explicit is the knowledge that is referred to as the Know-what. This knowledge is usually documented or it can be easily documented and shared. It can be found in documents, memos, databases, etc.

Tacit is referred to as the Know-how and it is knowledge that is personal in nature. It is based on experience and it depends on context. This type of knowledge is harder to document and articulate because it is found in the minds of the different stakeholders. There are ways to retrieve and share this knowledge (at least some of it); however, the size of the organization and complexity of the structures within the organization will determine the difficulty of this task.

Embedded is the knowledge that is found in processes, culture, routine, etc. Embedded is usually the most difficult knowledge to understand and change.

What are the Benefits of Implementing Organizational Knowledge Management Processes?

It is important for organizations to implement processes to manage this knowledge and use it to benefit and achieve organizational success. Implementing Knowledge Management processes can assist organizations in:

  • Benefiting from lessons learned. Accidents and near misses can hold numerous lessons learned. This knowledge should be retrieved, documented (if possible), but especially, it should be shared to avoid future accidents, nonconformities, etc.
  • Identifying the experts on any particular area/subject. These experts can be anywhere in the organization; for example, over the years, a machinist can acquire knowledge of equipment that will not be found in manuals.
  • Implementing programs to conduct on-the-job training sessions and tutorials
  • Retrieving and documenting knowledge for the efficiency and effectiveness of processes
  • Developing competency matrixes to improve selection processes, training and competency programs
  • Planning succession activities in a way that personal and tacit knowledge can be retained