If you take a look at all the ISO standards that have been published after 2015, you may notice a pattern in their structure. You see, ISO 9001, ISO 45001, ISO 14001 and the latest ISO 27001, amongst others, have adopted a high level structure. What this effectively means is that every one of these management systems is based on the same 10 clauses. This makes the implementation process significantly easier to understand.
Let’s look at it this way. One of the requirements of implementing an ISO management system is to identify the needs of the stakeholders. Now, if we are implementing ISO 9001, we must see the needs of the stakeholders in relation to the quality objectives that we have. Similarly, if we are implementing ISO 27001, we must look at the information security needs that the stakeholders of the organization have.
Seems simple enough, right? This way, we get to implement different ISO standards with the same logic.
Requirements for a Successful Integrated Management System
As you can imagine, an ISO standard has several requirements that must be adhered to in order to make an organization successful. But if I had to tell you that you have around 80% of the requirements of the standard already in place, would you believe me? The truth is, this is accurate. If those requirements are not in place, your organization will likely fail and file for bankruptcy.
Of course, as an organization, you will have several practices, processes and policies in place. When implementing an ISO management system, these policies and processes play a critical role because they enable us to build on what already exists. We do not need to start from scratch. So the ultimate lesson is that what you have is good; we just need to refine it to make it more efficient and effective.
Remember, if these policies and processes are not great, then instead of implementing ISO, you’d likely be in the liquidation process. So don’t be too hard on yourself, just hire an ISO consultant such as myself and let the professionals guide you to success!
Breakdown of the High Level Structure of ISO Standards
The high level structure of ISO is made up of 10 different clauses. Let’s take a brief look at them…
Clause 1
Truth be told, the first three clauses of the high level structure of ISO standards are pretty straightforward and we’re going to rush through them like a breeze. Straight out of the gate, we have the first clause, covering aspects which relate to the scope of that particular ISO certification.
So if, for example, we are implementing ISO 9001, the first clause will explain the scope of ISO 9001 and proceed to explain how this standard aims at building a quality management system. Similarly, this happens with all the other standards that follow the same high level structure. So, if we’re implementing ISO 27001, Clause 1 will speak about the scope of the ISMS, the information security management system.
Clause 2
Clause 2 talks about normative references, which is a different way to say legal requirements or documents of external origin. For example, if we are dealing with ISO 27001, the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) are two legal documents that are of external origin. External origin means that these documents’ existence has nothing to do directly with the organization. Similarly, when dealing with ISO 45001, we have OHSA, which is the Occupational Health and Safety Act.
This clause asks the organization to list the laws and regulations that are relevant to that particular standard that is being implemented.
Clause 3
The third clause of the high level structure requires the organization to define any abbreviations or ambiguous terminology that is used by the organization within the management system. This is a straightforward task, and that is all from this third clause.
Clause 4
This is the clause where the real work begins. Clause 4 talks about the context of the organization in general. However, this clause is subdivided into several sub-clauses which deal with the internal and external issues of an organization and the needs and wants of the different stakeholders.
This clause is generally tackled through tools such as SWOT Analysis and PESTLE Analysis. These tools will encourage the management to identify the various factors that will ultimately play a part in the way the organization is run.