Breakdown of the High Level Structure of ISO Standards

High Level Structure

If you take a look at all the ISO standards that have been published after 2015, you may notice a pattern in their structure. You see, ISO 9001, ISO 45001, ISO 14001 and the latest ISO 27001, amongst others, have adopted a high level structure. What this effectively means is that every one of these management systems is based on the same 10 clauses. This makes the implementation process significantly easier to understand.

Let’s look at it this way. One of the requirements of implementing an ISO management system is to identify the needs of the stakeholders. Now, if we are implementing ISO 9001, we must see the needs of the stakeholders in relation to the quality objectives that we have. Similarly, if we are implementing ISO 27001, we must look at the information security needs that the stakeholders of the organization have.

Seems simple enough, right? This way, we get to implement different ISO standards with the same logic.

Requirements for a Successful Integrated Management System

As you can imagine, an ISO standard has several requirements that must be adhered to in order to make an organization successful. But if I told you that you already have around 80% of the requirements of the standard in place, would you believe me? The truth is, this is accurate. If those requirements were not in place, your organization would likely fail and file for bankruptcy.

Of course, as an organization, you will have several practices, processes and policies in place. When implementing an ISO management system, these policies and processes play a critical role because they enable us to build on what already exists. We do not need to start from scratch. So the ultimate lesson is that what you have is good; we just need to refine it to make it more efficient and effective.

Remember, if these policies and processes are not great, then instead of implementing ISO, you’d likely be in the liquidation process. So don’t be too hard on yourself, just hire an ISO consultant such as myself and let the professionals guide you to success!

Breakdown of the High Level Structure of ISO Standards

The high level structure of ISO is made up of 10 different clauses. Let’s take a brief look at them…

Clause 1

Truth be told, the first three clauses of the high level structure of ISO standards are pretty straightforward and we’re going to rush through them like a breeze. Straight out of the gate, we have the first clause, covering aspects which relate to the scope of that particular ISO certification.

So if, for example, we are implementing ISO 9001, the first clause will explain the scope of ISO 9001 and proceed to explain how this standard aims at building a quality management system. Similarly, this happens with all the other standards that follow the same high level structure. So, if we’re implementing ISO 27001, Clause 1 will speak about the scope of the ISMS, the information security management system.

Clause 2

Clause 2 talks about normative references, which is a different way to say legal requirements or documents of external origin. For example, if we are dealing with ISO 27001, the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) are two legal documents that are of external origin. External origin means that these documents’ existence has nothing to do directly with the organisation. Similarly, when dealing with ISO 45001, we have OHSA, which is the Occupational Health and Safety Act.

This clause asks the organization to list the laws and regulations that are relevant to the particular standard that is being implemented.

Clause 3

The third clause of the high level structure requires the organization to define any abbreviations or ambiguous terminology that is used by the organisation within the management system. This is a straightforward task and that is all from this third clause.

Clause 4

This is the clause where the real work begins. Clause 4 talks about the context of the organization in general. However, this clause is subdivided into several sub-clauses which deal with the internal and external issues of an organization and the needs and wants of the different stakeholders.

This clause is generally tackled through tools such as SWOT Analysis and PESTLE Analysis. These tools will encourage the management to identify the various factors that will ultimately play a part in the way the organization is run.


Clause 5

Clause 5 talks about leadership. More specifically, this clause pushes the top management to commit towards improving the management system. This clause also goes over the policies that relate to each management system. So if we’re dealing with ISO 14001, Clause 5 talks about the environmental policy, and similarly, if we’re dealing with ISO 45001, the clause speaks about OHSA.

The policy, and how well it is understood as a driver of the company’s improvement, is important, especially when you couple this with the roles and responsibilities that employees will have in relation to the success of the management system.

After all, you cannot have proper leadership of an organization without roles and responsibilities set in place, no?

Clause 6

Moving on to the 6th clause of ISO’s high level structure, this clause may vary from one ISO standard to the other. However, it is based on the same two principles: addressing the risks and opportunities, and setting SMART objectives for the future of the organization.

In Clause 4, the standard asks for internal and external issues. This should have resulted in several risks and opportunities. Now, in Clause 6, these risks and opportunities are to be prioritized and objectives are set out to tackle the respective risks and opportunities.

Note that the term SMART was used above. SMART objectives are a framework for setting and achieving goals or objectives in a way that ensures they are clear, well-defined, and achievable. SMART is an acronym that stands for:

  • Specific: The objective should be clear and specific, leaving no room for ambiguity. It answers the questions of who, what, where, when, and why. It should be well-defined and easy to understand.
  • Measurable: Objectives should include concrete criteria that allow you to track progress and determine when the goal has been achieved. This often involves using specific metrics or quantifiable data.
  • Achievable: The objective should be realistic and attainable. It should be challenging but not so difficult that it’s impossible to achieve with the resources, time, and capacity available.
  • Relevant: The objective should align with your broader goals and be relevant to your mission or purpose. It should make sense in the context of your organization or personal aspirations.
  • Time-bound: Objectives should have a specific timeframe or deadline. This helps create a sense of urgency and ensures that progress is tracked over a set period.

By adhering to the SMART framework, individuals and organizations can set goals that are well-defined, quantifiable, and attainable, which makes it easier to plan, execute, and measure progress. This framework is widely used in various fields, including project management, performance management, and personal development.

Clause 7

The 7th clause of ISO’s high level structure discusses the topic of Support. When we talk about the subject of support, we are collectively speaking about company equipment, documents, people, job descriptions, and everything that in one form or another impacts the main operations of the organization.

If we are implementing ISO 27001, which deals with information security, this clause will delve into a lot of different aspects. Is the software up to date to reduce the risk of malicious attacks? Is the server room well-ventilated? Are the fire extinguishers in place and serviced frequently? Is TFA (Two-Factor Authentication) implemented for an extra layer of protection?

Clause 8

Clause 8 is rather detailed. It discusses the operations of the organization, that is the key processes. Of course, as a result of the different specialisations of each standard, clause 8 looks at the key processes from various perspectives, be it information security, health and safety, quality or environmental.

Here, one ought to consider that ISO 27001 takes a different approach to this clause. In the latest version of this standard, the governing body introduced Annex A. This can be defined as a chapter within the standard that has a list of 93 controls that must be considered by the business organization. If you want more details about this clause, stay tuned for a detailed analysis in future blogs!

Clause 9

Clause 9, which is the penultimate clause of the high level structure, discusses the topic of performance evaluation. This goes hand in hand with what we’ve been discussing in earlier blogs, where ISO enables organizations and their respective managements to lead with data. This clause pushes organizations to emphasize the acquisition of data that will help us to make informed decisions on the topic of our management system.

Clause 10

Clause 10, the final clause of the high level structure, is called Improvement. This clause highlights the critical step of realising that perfection can never be achieved, no matter how hard an organization tries. Instead, the organization must put its effort into continual improvement. Then, and only then, can the organization identify issues, highlight what needs to be done and solve them over time.

Remember, an organization that embraces this fact becomes one step closer to success. If an organization does not believe in continual improvement, then the organization will surely cease to exist in the future, and the subject of success might never make it into its storyline.

Want to Learn More About the High Level Structure of ISO?

As an ISO management system consultant, Luke Desira promises that your business will be cared for by him personally, from the sales process to the actual implementation of the ISO standard and certification! It’s fantastic, no? Go ahead and read more about how to get ISO certified with Luke Desira here. Otherwise, you can also read about the difference between implementing ISO in a large company versus implementing ISO in a small firm.

If you are seeking knowledge regarding the different types of ISO certification, go ahead and explore! Find out about the 10 pitfalls that you may encounter during the implementation process of different types of ISO certification, and much, much more!