
ISOUpdate.com

ISO Update aims to provide information, resources, and updates around the Standards and Certification industry. We believe that organizational standards can help businesses of all shapes and sizes become more efficient and successful on a local, federal, or global scale.


Since its first publication in 1999, OHSAS 18001 has been a recognized occupational health and safety management system (OH&S MS) standard against which management systems can be assessed and certified. Nineteen years later, a new ISO standard has been released to replace OHSAS 18001: ISO 45001.

ISO 45001 is an OH&S MS standard developed by an ISO Project Committee and published on March 12th 2018. A number of differences are evident between ISO 45001 and OHSAS 18001. Some of the main differences between the two standards are explored below. The experts at The Registrar Company took the time to dissect the new standard to determine the most pertinent differences between the two standards that you need to know.



The first difference concerns its structure. ISO 45001 is based on the ISO Guide 83 (“Annex SL”), which defines a common high-level structure, text, and common terms and definitions for the next generation of management systems (e.g. ISO 9001, ISO 14001, etc.). This structure aims to facilitate the implementation process and the integration of several management systems in a harmonized, structured and efficient manner. The structure is as follows:

  1. Scope
  2. Normative References
  3. Terms and Definitions
  4. Context of the Organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

In the new standard, there is a stronger focus on the organization’s context. With ISO 45001, organizations will have to look beyond their own internal health and safety issues and consider what their interested parties expect from them regarding health and safety.


Read about more differences between OHSAS 18001 and ISO 45001

Read about who needs ISO 45001


Some organizations that use OHSAS 18001 delegate health and safety responsibilities to a safety manager, rather than integrating the system into the organization’s operations. ISO 45001 requires the incorporation of health and safety aspects into the overall management system of the organization, thus driving top management to have a stronger leadership role with respect to the OH&S management system.

ISO 45001 focuses on identifying and controlling risks rather than hazards, as is currently required in OHSAS 18001.

ISO 45001 requires organizations to consider how suppliers and contractors are managing their risks.

In ISO 45001 some fundamental concepts are changed, like risk, worker and workplace. There are also new definitions of terms such as: monitoring, measurement, effectiveness, OH&S performance and process.

The terms “document” and “record” have both been replaced with the term “documented information” in ISO 45001. The standard also states that documented information must be maintained to the extent necessary to have confidence that the processes have been carried out as planned.

In spite of these changes, the overall aim of ISO 45001 remains the same as OHSAS 18001, which is to reduce unacceptable risks and ensure the safety and wellbeing of everyone involved in an organization’s activities.


At The Registrar Company (TRC), the new ISO 45001 standard and its complexity are our top priority. We are working diligently to offer this standard to our current and future clients, so your organization can remain top of class in health and safety. Learn about how we can help your organization achieve ISO 45001 certification in 2019.

 



Become a Third Party Auditor

Third party auditors are those who perform an external and independent audit of an organization’s management system to evaluate if it meets the requirements of a specific standard; if successful, this third-party audit will provide the organization with certification or registration of conformity with the given standard.

A third party audit is carried out by a Registrar/Certification Body (CB) hired by the organization; therefore, in order for someone to be a third-party auditor, he/she needs to be employed by a CB.


Find a CB that is hiring in your area by visiting our Career Resources


All CBs need to ensure that the auditor possesses the knowledge and skills necessary to achieve the intended results of the audits they are expected to perform. Standard interviews are typical. These include:

  • Personal attributes that will enable them to act in accordance with the principles of auditing, which include ethical conduct, fair presentation, due professional care, independence, and free use of an evidence-based approach.
  • Knowledge of the contents of ISO 19011:2011, Guidelines for auditing management systems.
  • Knowledge and skills on audit principles, procedures and methods, which will enable them to conduct audits in a consistent and systematic manner.
  • They should be able to exhibit professional behavior during the performance of audit activities, including being ethical, open-minded, diplomatic, observant, perceptive, versatile, tenacious, decisive, self-reliant, open to improvement, culturally sensitive, and collaborative.
  • Knowledge and skills on management system and reference documents that will enable them to comprehend the audit scope and apply audit criteria.
  • Sector specific knowledge which will enable them to comprehend the organization’s structure, business, management practices and the legal and contractual requirements applicable to the organization being audited.

As indicated in ISO 19011, someone seeking to become a third-party auditor can acquire all this knowledge and these skills by using a combination of the following:

  • Formal education/training and experience that contribute to the development of knowledge and skills in the management system discipline and sector the auditor intends to audit.
  • Training programs that cover generic auditor knowledge and skills.
  • Experience in a relevant technical, managerial or professional position involving the exercise of judgment, decision making, problem solving and communication with managers, professionals, peers, customers and other interested parties.
  • Audit experience acquired under the supervision of an auditor in the same discipline.

After acquiring all the necessary knowledge and skills and successfully being employed by a CB, third-party auditors must pledge to advocate a particular code of ethical conduct in the performance of an audit, and they must abide by the internal policies and rules of the CB that hires them. All these requirements must be followed in order to protect everyone involved in the audit process.





The 2015 revision of ISO 9001 has removed the requirement of a Quality Manual, something that has been needed historically if your organization has wanted to achieve and maintain certification. This requirement appears no more! Woohoo! Shred those Quality Manuals and never look back!

Right? If the standard doesn’t say we need it, then we don’t need it. One less document to maintain. Finally, life as an ISO 9001 certified company is getting easier!

Let’s hold on a second…

A common practice for creating and maintaining a Quality Manual for the ISO 9001:2008 standard (and earlier versions) was to create an exact copy of the verbiage in the standard, replace all of the “shall” words with “will” or a similar term that fits, change all references to “the organization” to the name of your company, slap a few logos on it, give it a control number and publish it.

And then…nothing. Let it sit for years until the new standard is published and then repeat this copy-paste process all over again. That practice, although common, doesn’t help anyone.



It’s Time to Re-Think the Manual

Now is the perfect time to rethink the Quality Manual. Take a step back and really consider what a manual should do for your company – provide the framework for your entire management system. Here are a few ideas to get you started.

  1. Start thinking about the manual as something you can hand to a new employee that will help give them an introduction and overview as to how you do business – in plain English with the terms and acronyms that are used in your company – not in “standard speak”. Build this manual within the framework of the standard but in a way where the general employee won’t know it.
  2. Rename the Quality Manual. I don’t know how many times I have heard a Quality Manager complain about their organization’s culture viewing the management system as something separate from how business is done, as in, “the quality stuff is for the auditor”. Start dissolving that problem today – change the name to Business Manual. Because that is what it is – a document that describes how you do business. And we all know, well executed business processes result in top notch quality.
  3. Keep that thing updated! Considering many Quality Manuals were nearly a carbon copy of the actual standard language it was understandable that Quality Manual revisions were uncommon as well. In order to make this Business Manual an ally, it needs to be current.


Keeping your Business Manual Current

Even if your ISO Certified Company has a thorough and accurate Manual for the previous year, it is still very important to keep this document up to date. Here are some things to watch out for that may trigger the need for an update.

  1. Significant changes to business structure or business processes. Stay attuned to changing reporting structures, new processes (manufacturing or service), acquisitions, partnerships, etc.
  2. Rules and Regulations. International rules and regulations are fluid, and it is vital to integrate such changes into business operations. Any change in an Industrial Standard, big or small, could necessitate a change for your employees, external providers, managers, or customers.
  3. Technology. Technology changes very fast and new systems are installed yearly, monthly, weekly, and sometimes even daily. Technology changes can come in various forms: hardware, software, machines, equipment, etc.
  4. Safety. Changes to the physical building structure, layout and environment happen as time goes on and ensuring the manual stays up to date with these changes will assist with the awareness of the safety rules and conditions to ensure a safe work environment.

So, there are some things to think about. Even though the Quality Manual is not mandatory, it is still very much necessary. Use this opportunity to increase the role of the Manual within your business management system.


Christopher Spranger is the owner and CEO of Spranger Business Solutions, a management consulting firm that helps people run more efficient businesses across the United States. They have a team of Quality Management experts that assist companies with internal audits and in achieving Quality Management System Certification.


This article was originally posted on Spranger Business Solutions website and is published here with permission.



What is a Quality Management System?

Quality Management System Standards refers to an established policy framework which provides guidance on how organizations should manage their key processes. The International Organization for Standardization (ISO) has diversified standards for quality management systems, each of which focuses on a particular issue affecting businesses globally. Organizations that adhere to these standards can ensure their products and services consistently meet customer requirements and improve in quality. Therefore, adhering to these guidelines and obtaining ISO Certification is vital for measuring business proficiency, increasing profitability and marketing potential.



Elements of a Quality Management System

Quality Management System Standards are tailored to suit an organization’s unique needs; however, there are some elements all management systems have in common:

  • A framework of Management Responsibility
  • Product Realization
  • Resource Management
  • Statistical Analytics
  • Purchasing Guidelines
  • Inspection and Testing Standards
  • Quality Records
  • Training Protocols
  • Quality Audits

Why businesses implement quality management system standards:

ISO standards are currently applied in many organizations from a wide range of industries, including manufacturing, aerospace, automotive and pharmaceuticals. For many organizations, the choice to implement ISO Standards is twofold: they are seeking improved quality, profitability and efficiency, but it is also often a requirement from their customers or consumers, particularly for internationally focused businesses with regulatory bodies or for suppliers of quality-sensitive products.

Benefits of Quality Management System Standards

Even when it is not a specific requirement from customers, there are still many benefits in implementing Quality Management System standards. Implementing a quality management system helps organizations achieve the following benefits:

  • Product, system, and process improvements
  • Increased customer service and satisfaction
  • A greater competitive advantage
  • Transparency in accountability
  • Increased market share potential
  • New avenues for marketing
  • Streamlined efficiency
  • Growth Management
  • Reduction in mistakes, which improves margins
  • Greater consistency and time management
  • Development of training opportunities

Establishing a Quality Management System

Establishing a Quality Management System is a large undertaking. Written quality procedures will be created which outline what, who, where, when and how changes need to be implemented. Working with a Quality Management Consultant is a great way to streamline the process. Find ISO Certified and Quality Management Consultants with our Consultant Directory.




AS9100 applies to large aerospace suppliers only 

Although only intended to be used by aerospace companies, AS9100 is not meant for only the largest of organizations. Requirements have been determined in a descriptive way, but not by prescriptive means. The standard contains what must be done (requirements), but does not dictate how they must be accomplished by the organization (processes). Therefore, the requirements of AS9100 can be implemented in a way that works best for each individual organization, be they large or small. Using this particular method, the organization is provided with the best possible practices of what the QMS requires to be effective, regardless of the size of the aerospace organization.


The implementation of ISO 27001 involves a Senior Management Team (SMT) who are committed to the goals and agree fully that the Information Security Management System (ISMS) provides benefits to the organization, which may include an enhanced market position, a lower risk of business disruption, and an overall boost in the organization’s compliance with legal requirements.

For employees, however, a new system or practice being introduced to the workplace could be perceived as additional tasks to be completed, as well as a hindrance to their daily work routine. The term internal buy-in means the ability of your employees to accept new implementations given by the management. A lack of internal buy-in is a key factor in the failure of a new system being put in place.

Benefits of internal buy-in 

Demonstrating what employees can gain from the change in system is key to a successful transition. Outlining the benefits, which include an increase in stability of the organization, as well as a decrease in disruption of the business, will make it easier for employees to buy into the changes required by an Information Security Management System, instead of trying to repel the changes. This action will make employees easier to manage in the transitional phase. 



How to obtain a universal buy-in within your organization

Change is difficult to implement; hence, management must take sufficient steps to ensure the transition proceeds as smoothly as possible. Providing lectures, training, and seminars about how employees can benefit from the introduction of ISO 27001 would be a good start. Giving employees the space to voice concerns and inquiries, and answering them, will provide an honest and transparent environment that will make them trust the change more. Involving the employees, as well as the management team, in the process of development will allow employees to provide more information and concerns on the matter, and to become familiar with the initial and gradual changes throughout the entire process. Adding content such as trivia or games during the process can also foster a light environment where people can be at ease and become more comfortable with the system changes.

Provide employees reasons to participate

Employees must be an important part of the process, as members need to buy-in for the implementations to take full effect. That is why it is important for employees to know the possible consequences if they do not participate. Note that there is a difference between a scare tactic and solidly provided guidelines/expectations. Providing disciplinary procedures for non-compliance, ensuring understanding by the staff of the different guidelines involved, as well as being clear in the communication process on what is expected of the staff will help your organization achieve the utmost results possible. 

Setting an example

Embedding an ISMS within an organization’s body of work is an important part of growth and improvement. Senior management must take the lead in ensuring that they themselves follow the changes and guidelines that are implemented. Failure to comply with changes, whether by forgetting or by showing that these new changes can be a cumbersome hindrance to everyday work routines, will provide a clear signal to employees that the new changes are ineffective, even for the managerial staff. Leading by example is the way to solve this. Some ways to set a positive example include having senior management provide a constant line of communication, having management participate as early as possible in the process, and providing training sessions on how management should demonstrate order throughout the implementation process.

Through proper communication with employees, leading by example from senior management, and drawing up clear and definitive expectations for everyone involved, the likelihood of a buy-in to take effect is increased significantly. Just remember that all members of the organization must take part for the changes to fully set in. This means creating an environment that includes the employees in the transition process, rather than just simply issuing orders. Ensuring that a buy-in is successful increases the chances of implementing an effective and comprehensive Information Security Management System.


ISO standards may seem confusing to the common reader. There are thousands of standards available, and it can sometimes be a burden to distinguish one from another. Here we explain the different functions and purpose of the ISO 9000 family, starting with the ISO 9001 standard that covers the requirements for the Quality Management System (QMS).

The ISO 9000 standards focus on quality management and are created and maintained by a vast number of organizations and experts from both the public and the private sectors. They were created with the sole intention of helping organizations, regardless of their size or the industry they are involved with. When implemented correctly, the ISO 9000 family of standards helps companies to be better managed, more efficient at their work, and more customer-focused.

The ISO 9000 family of standards are based around eight Quality Management Principles, which include:

  1. Customer focus
  2. Leadership
  3. Involvement of people
  4. Process approach
  5. System approach to management
  6. Continual improvement
  7. Factual approach to decision making
  8. Mutually beneficial supplier relationships

The ISO 9000 family has a multitude of standards under its wing. This includes ISO 9000 itself, which sets the tone for the organizations using it by providing the fundamentals and supplying the vocabulary for these systems. The remaining standards cover a variety of specific points, which include documentation of work, training management and supervision, as well as other performance improvements that the organization may need.



ISO 9001, on the other hand, determines the requirements of a Quality Management System. Anyone within the organization who is responsible for these standards but unaware of the current system is urged to acquire ISO 9000 training provided within the organization. This will ensure that all members that govern the group have a sufficient grasp of the topics at hand.

Definition of ISO 9001

ISO 9001 is the standard that sets the boundaries within which an organization or group must operate in order to meet the requirements for having a Quality Management System. It is of prime importance in that it is the only standard within the ISO 9000 family that any interested organization can be certified against.

Currently, the complete title of ISO 9001 is ISO 9001:2015, where the 2015 denotes the most recent revision date of the standard. It provides a framework for managing an organization’s processes and inner workings, ensuring a systematic approach in the organization’s attempt at creating consistency and meeting client demands. The capability of the organization to follow and uphold relevant laws and regulations is also ensured in this process.

Is There a Need to Use the Other ISO 9000 Standards?

Most organizations do not use the other standards because ISO 9001 in itself is an incredibly effective and efficient process, especially when used in association with a separate third-party certification method. With that said, using the rest of the standards within the family can still help these groups and teams, especially if they are interested in getting the most out of the Quality Management System.

The ISO 9004 guidance standard is meant to help organizations interested in the system to extend the benefits of 9001 to the stakeholders, which aids in creating sustained success within the company. With these methods at hand, you can assess the satisfaction of all members involved, from the clients and employees to the suppliers and other groups. These aspects need to be checked firmly in order to see any improvement and growth.

Questions on Compatibility with Other ISO Standards

ISO 9001 is similar in structure to the ISO 14001 Environmental Management standard. The two are structured to be compatible with each other, meaning these two standards are an excellent way for organizations to expand their management systems.

If your company is in the process of becoming certified to ISO 9001:2015, you’re probably wondering, “What do we need to do to ensure we are prepared?” There’s no worse feeling than being caught in the middle of an audit unprepared, especially if it is for an ISO certification. Consistent planning and preparation can make sure that you’ll never be caught unaware, but of course, the fact remains that ISO 9001:2015 includes a number of new requirements. Below, we have covered some of the most asked questions organizations have when preparing for an ISO 9001:2015 audit.

What is context of your organization all about?

This question is the benchmark point of ISO 9001:2015 and it appears in section 4.1. The standard uses the term “context”, but this could easily be translated as “business environment”. Quite simply, it is asking you to understand the environment in which your organization is operating. It asks you to identify your organization’s internal and external influences. These questions about “context” are usually directed to the top management and the team responsible for the QMS. The auditor will be looking for a clear examination of forces at work within and around the organization. Some organizations use a SWOT analysis (strengths, weaknesses, opportunities, and threats) to help them get a grip on this, but it is not a requirement. What the auditors learn here will be a key input for risk analysis.




Who are your interested parties and what are their requirements? 

This question relates to 4.2 and is trying to ensure organizations understand who can be affected by their organization and who has requirements for them as an organization. The term “interested parties” could also be termed “stakeholders”. The auditor will always make sure that a reasonable range of interested parties has been identified, along with their corresponding requirements.

These first two requirements now lead us to the main requirements surrounding risk in section 6.0 – Planning.

What risks and opportunities have been identified in relation to the above, and what are you doing about them? 

Risks as well as opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer to risks and opportunities, making them the most “connected” section of the standard. If an organization does a poor job of identifying risks and opportunities, then the QMS cannot be effective.

How are you working to achieve your quality objectives?

Measurable quality objectives are not new to ISO 9001. What is new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results.

How has the QMS been integrated into the organization’s business processes? 

This question is asked directly to top management (see section 5.1.1c) as they have the overall responsibility to ensure this is happening. ISO 9001 is becoming a more strategic management system. It’s not only about making sure products or services meet requirements. The standard is about managing every aspect of your business using risk based thinking and continuous improvement.

How do you capture and use organizational knowledge?

ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, exit interviews, staff meetings, customer reviews and feedback, examination of data, lessons learned logs. How the organization captures knowledge is up to them, but the process should be clear and functional. The knowledge should also be maintained and accessible. These should be documented in a way that your institution could create its own “Knowledge Base”.

These are some of the most asked questions when preparing for an ISO 9001:2015 audit. We hope that this gave you a clearer understanding of how to use the standard to ensure a successful outcome for your organization.




When organizations decide to implement an Information Security Management System, they often wonder what the difference is between ISO 27001 and ISO 27002. To put it simply, ISO 27001 holds the requirements of the Information Security Management System Standard, and ISO 27002 gives guidelines and best practices intended for organizations that are becoming certified or implementing their own security processes and controls.

ISO 27000 is a series of international standards all related to information security. The ISO 27001 standard has an organizational focus and details requirements against which an organization’s Information Security Management System (ISMS) can be audited. ISO 27001 is a management system standard and therefore establishes specific requirements against which an ISMS can be certified by a third-party accredited registrar. If an organization wants to certify its ISMS, it needs to comply with all requirements in ISO 27001.



On the other hand, ISO 27002 is more focused on specific examples and guidelines, and provides a code of practice for use by individuals within an organization. You cannot get certified against ISO 27002 because it is not a management system standard.

Instead, it was established based on various guidelines and principles for initiating, implementing, improving and maintaining information security management within an organization. The actual controls in the standard address specific requirements through a formal risk assessment. The standard consists of specific guidelines for the developments in organizational security standards and effective security management practices that would be useful in building confidence within inter-organizational activities.

There are a dozen other standards in the ISO 27000 series, all designed to assist companies in securing their organizational information. These include ISO 27005, for organizations looking for more detail on how to carry out risk assessment and risk treatment, and ISO 27004, which provides guidelines intended to help organizations with monitoring, measurement, analysis and evaluation of their information security performance and the effectiveness of their ISMS.

Every standard in the ISO 27000 series is designed with a certain focus in mind, but if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001. ISO 27002 is designed to be a tool to help organizations with the implementation of ISO 27001, or for organizations that want to implement their own management guidelines and controls surrounding information security.




The Benefits of Integrated Management Systems: Guest article from Steve Tyler, CEO & Founder of BusinessDocsOnline

Are your Business Management Systems still operating in Silos?

If so then you may want to think about adopting a more integrated approach…


Working in Silos?

There comes a point in the development of many organisations when they need to obtain some form of certification, and for the majority they will probably implement a management system for either Quality or Health & Safety.

There then follows a period of time where their requirements for certification will be covered with a single management system.

However, once an organisation grows to a point where it requires more than one management system, then that is the time for top management to step back and consider adopting a more integrated approach.

Yet too many organisations miss this opportunity and implement their management systems as stand-alone platforms. They then end up with individual management systems being used in silos.

For some organisations, working in silos may be the most suitable way to function, and there may be operational reasons why this approach works best for them.

But working in silos also has a downside…

Silo Mentality (as defined by the Business Dictionary):

“a mind-set present when certain departments or sectors do not wish to share information with others in the same company. This type of mentality will reduce efficiency in the overall operation, reduce morale, and may contribute to the demise of a productive company culture.”

Whilst an integrated management system may not work for every organisation, for many the long-term benefits will far outweigh the short-term effort required to move forward.

So why not integrate your management systems and eliminate all the inefficiencies and duplication of activities that are part and parcel of having individual systems and working in silos?

But how easy is this to achieve?

The PDCA Cycle: Plan – Do – Check – Act

The latest release, ISO 9001:2015, aims to further develop the “Risk Based Thinking” approach within an organisation. It also brings two other aspects into the management system arena that are going to redefine the future of management systems. One of these is Annex SL and the other is the PDCA cycle.

Let’s come back to Annex SL later, and deal with the PDCA cycle first. Within ISO 9001:2015 this functions as follows:

Plan

Top Management must assess the risks & opportunities that may impact on the organisation and carry out the planning required to ensure these risks do not affect the organisation’s ability to deliver its “desired outputs”. Exploiting any opportunities that have been identified must also be planned.

Do

Process activities must be carried out in such a way as to ensure they are aligned with the outputs of the planning processes.

Check

Top Management must review & measure the organisation’s performance against its objectives.

Act

Top Management must also plan & implement any actions that will deliver continual improvement.

Whilst the “desired outputs” of each organisation are quite unique, one way or another they all lead back to Customer Satisfaction. Once Customer Satisfaction can be monitored, it can be measured. And as the saying goes – “What gets measured gets done….”

So we can see how the PDCA cycle works for a Quality Management System, but this is really just the tip of the iceberg.

This PDCA cycle can now be applied to just about every other ISO standard, including Health & Safety [45001]*, Environmental [14001:2015] and Information Security Management [27001], and every system you implement can follow the same structure.

The net result here is that it is now possible to implement an integrated management system that combines Quality, Environmental, Health & Safety and Information Security.

But can they be that much more effective if they are integrated?

The Benefits of Integrated Management Systems

Once an organisation has decided to integrate their management systems then it’s at this point they can start to see the real benefits.

Organisations that have already implemented a single management system based around the PDCA cycle will find it up to 50% quicker when they come to implement their next management system.

The PDCA Cycle means it is possible to integrate your management systems into one platform, and organisations can now implement a single solution that controls all of the following:

  • Risks & Opportunities for Product & Services
  • Customer Requirements & Satisfaction
  • Environmental Impacts
  • Health & Safety Hazards
  • Information Security Integrity

With this integrated approach, much of what is needed from the management team can now be done under one umbrella, and top management can now take a broader view of their organisation whilst undertaking the following activities:

  • Planning
  • Assessments of Risk & Opportunities
  • Internal Audits
  • Management Reviews
  • Continual Improvement

The end result is that:

  • The organisation can now be managed using joined-up thinking.
  • Auditing models can be revised to provide a much broader remit, but with fewer audits.
  • KPIs & SMART objectives can now become more aligned.

But just how well are all the different standards able to interact, and how easy is it to implement a single integrated platform across 2, 3 or 4 different management systems?

That’s where Annex SL comes in…

What is Annex SL?

Annex SL is an ISO document that defines a high level structure [HLS] for the framework of a generic management system.

It was first published by ISO’s Technical Management Board (TMB) in 2012, and ISO 9001:2015 has been revised to align with it.

Annex SL has arrived with a vengeance with the latest version of ISO 9001:2015, and is now here to stay.

In the future, all new ISO management system standards will adhere to the Annex SL framework and all current management system standards will migrate to it at their next revision.

As a result of the introduction of Annex SL, all ISO management system standards will become more consistent, and hence more compatible. They will share the same look and feel, having been built on a common foundation. The structure of all management systems will now include the following sections:

  • Context of the Organisation
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance Evaluation
  • Improvement

There are common core definitions too; the following words will have the same interpretations across all Annex SL standards:

  • organisation
  • interested party (preferred term)
  • stakeholder (admitted term)
  • requirement
  • management system
  • top management
  • effectiveness
  • policy
  • objective
  • risk
  • competence
  • documented information
  • process
  • performance
  • outsource (verb)
  • monitoring
  • measurement
  • audit
  • conformity
  • nonconformity
  • correction
  • corrective action
  • continual improvement

Annex SL represents the beginning of the end of the conflicts, duplication, confusion and misunderstanding arising from subtly different requirements across the various management system standards.

Auditors now face the challenge of focusing their own, and their clients’, thinking on viewing organisations’ management systems holistically.


About BusinessDocsOnline