
Understanding the New ISO Management System Requirements


In April 2012, ISO updated its directives. In particular, there is a new annex – Annex SL – in which Appendix 3 defines the High Level Structure and Identical Core Text for all new and revised management system standards. The concept is that some requirements, e.g. management review, are common to all management system standards and therefore ought to be identically worded.

The book explains the new requirements and how they are related to those in management system standards published prior to the advent of the new ISO directives. In so doing it shows how familiar concepts have metamorphosed into new ones. It provides fresh insights into understanding management system standards and thereby gives guidance on how to develop a management system for the first time. It gives advice on transitioning existing management systems to the new requirements and on the construction and use of integrated management systems.

The book is aimed primarily at people who engage in creating and running management systems, including management system administrators, consultants, trainers and auditors.

No prior knowledge of management systems is assumed.

About the author



Dr David Brewer has a long history of involvement with quality systems beginning in 1980 when he acted as quality assurance section leader on a large software intensive project. He became involved with standards writing in the late 1980s and became a co-author of the original ISMS standard, BS 7799 Part 2, and is now an active member of the UK delegation to ISO JTC 1 SC27 WG1, which is responsible for the ISO 27000 family of standards; and is co-editor for the revision of ISO/IEC 27004 (Measurements).

He has played a significant role in the revision of ISO/IEC 27001 and its conformance to the new ISO directives on High Level Structure and Identical Core Text.

He has conducted a wide variety of consultancy assignments spanning 32 years in over 23 countries.

He is well known for his work in rolling out ISO/IEC 27001 to the whole of the Civil Service in Mauritius, which is an exemplar of his ISMS implementation methodology. Dr Brewer runs an integrated management system, which conforms to the quality, business continuity and information security management system standards. His seminal research papers include 'Measuring the Effectiveness of an Internal Control System', published in 2003, and 'Exploiting an Integrated Management System', published in 2005.

David Brewer

BSI order ref: BIP 0140

BSI Group Headquarters
389 Chiswick High Road
London W4 4AL
www.bsigroup.com

© BSI copyright
Understanding the New ISO Management System Requirements

David Brewer
First published in the UK in 2014

by

BSI Standards Limited
389 Chiswick High Road
London W4 4AL

© The British Standards Institution 2014

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

While every effort has been made to trace all copyright holders, anyone claiming copyright should get in touch with the BSI at the above address.

BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

The right of Dr David Brewer to be identified as the author of this Work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Great Britain by Letterpart Limited, www.letterpart.com
Printed in Great Britain by Berforts Group, www.berforts.co.uk

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN 978-0-580-82166-0
Contents

Foreword vii
Acknowledgements ix

Chapter 1 – The new ISO management system requirements 1
Introduction 1
Motivation 1
High level structure 3
Identical core text 4
Deviations 4
Discipline-specific text 4

Chapter 2 – Management system concepts 6
Introduction 6
Definitions 6
What is a management system? 10
How management systems work 11
Understanding management system standards 15
Evolution of management system concepts 18
Integrated management systems 20

Chapter 3 – Understanding the new requirements 23
Introduction 23
Whatever happened to PDCA? 23
Discipline-specific requirements 25
Scope of the management system 25
Policy and objectives 32
Risks and opportunities 35
Operation 36
Monitoring, measurement, analysis and evaluation 38
Audits and reviews 45
Management and support 51
Implementation guidance 62

Chapter 4 – Transitioning to the new management system standards 69
Introduction 69
Transition strategies 69
Integrated management system considerations 70
Areas requiring little or no change 73
Areas that potentially require a rethink 75
New requirements likely to be satisfied already 76
New requirements that may present a challenge 77
Areas where an organization may take the opportunity to improve 78
Summary 79

Bibliography 83
Standards publications 83
Other publications 84



Foreword

In April 2012, ISO updated its directives. In particular, there is a new annex – Annex SL – in which Appendix 3 defines the high level structure and identical core text for all new and revised management system standards¹. The concept is that some requirements, e.g. management review, are common to all management system standards and therefore ought to be identically worded.

Several management system standards have now been published in conformance with these new directives (e.g. ISO 22301:2012 on business continuity and ISO/IEC 27001:2013 on information security) while others are being revised (e.g. ISO 9001 on quality).

The identical core text is very good at defining the essential features of a management system and does so without constraining organizations to do things in a particular way, which some organizations may have felt to be inappropriate or bureaucratic. Moreover, familiar concepts such as PLAN-DO-CHECK-ACT and preventive action have disappeared and have been replaced by new ones. The overall goal is to make it easier to create integrated management systems and to adapt management system standards to the nature and culture of organizations.

The aim of this book is to explain the new requirements and how they are related to those in management system standards published prior to the advent of the new ISO directives; to show how familiar concepts have metamorphosed into new ones; and to give fresh insights into understanding management system standards. The book gives guidance on how to develop a management system for the first time. It gives advice on transitioning existing management systems to the new identical core requirements and on integrated management systems.

This book has been designed so that you can read it from cover to cover to gain a comprehensive understanding of the new standard, and then later use it as a reference book.

I have over 30 years' worldwide experience in working with management systems as a standards maker, consultant, auditor, tutor and management system administrator, the past several years running a number of integrated management systems. Many of the insights that I share with you in this book are derived from this practical experience, supplemented by the insights afforded by being a member of the international ISO/IEC 27001:2013 development team, where one of the tasks was to achieve consensus and conformity with Annex SL.

¹ This is correct for the 3rd edition. However, in July 2013, ISO published the 4th Edition, in which Appendix 3 has become Appendix 2.

This book is a 'must-have' for organizations and individuals keen on ensuring a smooth transition and obtaining maximum benefit from their investment in having a management system.

David Brewer



Acknowledgements

Figures 2, 3 and 4 have been reproduced by kind permission of IMS-Smart Limited.


Chapter 1 – The new ISO management system requirements

Introduction

Since April 2012 all new and revised management system standards must conform to new rules regarding the structure and content of management system standards. These rules are documented in Annex SL, Appendix 3 to the ISO/IEC Directives, Part 1 — Consolidated ISO Supplement, referred to as Annex SL for short. In essence, Annex SL specifies the high level structure, identical core text, common terms and core definitions that form the nucleus of future and revised ISO management system requirements standards. Individual management system standards add additional 'discipline-specific' requirements as required. Because of the newness of Annex SL some deviations are permitted. The remainder of this chapter is laid out in the following subsections:

1. Motivation;
2. High level structure;
3. Identical core text;
4. Deviations; and
5. Discipline-specific text.

Motivation

The objective is to ensure that when a requirement ought to be common to more than one management system standard then it is identically worded. This has benefits when an organization wishes to have a single management system (often referred to as an integrated management system) that conforms to more than one management system standard. For example, an integrated management system might conform to ISO 9001 (on quality), ISO/IEC 27001 (regarding information security) and ISO 22301 (on business continuity). In this case (once all three standards conform to the new directives) the core requirements, say for documented information, will be identically worded.

Prior to Annex SL, the need for compatibility was not necessarily fully appreciated by standards developers. ISO/IEC 27001:2005, Information Security Management Systems, for example, was developed from BS 7799-2:2002 using the ISO 'Fast Track' procedure. BS 7799-2:2002 was itself developed by a core team of five people, who were encouraged by BSI to adopt the principles of ISO 9001:2000. At the time, the concept of an integrated management system was a gleam in BSI's eye, and certainly no organization to the knowledge of that core team had one. They adopted the PLAN-DO-CHECK-ACT concept and used it to structure Section 4 of their standard, covering all of what they regarded as the information security management system requirements. They then added five additional sections (documentation requirements, management responsibility, internal audits, management review and improvement), modelling them on the corresponding sections in ISO 9001:2000. The word 'modelling' is key. Requirements were taken from ISO 9001:2000 and then changed, sometimes quite subtly. For example, ISO 9001:2000 Subclause 4.2.3 f), 'to ensure that documents of external origin are identified and their distribution controlled', became, in ISO/IEC 27001:2005, 4.3.2 g) 'ensure that documents of external origin are identified' and 4.3.2 h) 'ensure that the distribution of documents is controlled'. In ISO 9001:2000 control of distribution only applies to documents of external origin. In ISO/IEC 27001:2005 control of distribution applies to all documents. From an integrated management perspective, there are therefore two issues: organizations must read both standards very carefully in order to identify such differences; and organizations must make a choice. In this case the choice is either a) to apply the distribution requirement to all documents within scope of the integrated management system, or b) to apply it only to information security related documents.

The choice is not necessarily straightforward, as some documents could contain elements that are both quality and information security related. Choice of option b) could leave one wondering whether a document should be controlled or not; whereas choice of option a) could mean much retrospective work if the quality management system existed first. To simply ignore the difference ought, of course, to lead to a nonconformity.

Despite such subtle differences, it is fortunate that ISO/IEC 27001:2005 is modelled on ISO 9001:2000. This is not the case for all management system standards issued prior to April 2012. ISO/IEC 20000-1:2005, Information technology — Service management, has an entirely different structure. So much so, that a whole standard, ISO/IEC 27013:2012, Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1, has been developed to show how ISO/IEC 20000-1:2011 can be integrated with ISO/IEC 27001:2005.

Such integration issues and the need for additional standards ought to become regarded as a quaint piece of history with the advent of Annex SL.


High level structure


The high level structure for all new and revised management system standards is:

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the XXX management system
  4.4 XXX management system
5 Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organization roles, responsibilities and authorities
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 XXX objectives and planning to achieve them
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
    7.5.1 General
    7.5.2 Creating and updating
    7.5.3 Control of documented information
8 Operation
  8.1 Operational planning and control
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement

Note that here, and throughout this book, 'XXX' is used to represent the discipline that is the subject of the management system standard. Thus, for ISO 9001, XXX = quality; for ISO/IEC 27001, XXX = information security; etc.


Identical core text

The requirements that are identical to all new and revised management system standards are known collectively as the identical core text.

As an aid to readability, some identical core requirements are prefaced by the subject name of the standard, e.g. the words 'quality' or 'information security'. These requirements are not quality or information security-specific. While the identical core text is the subject of this book, a good way to tell, upon reading a management system standard, whether a requirement belongs to the identical core text is to change the discipline word(s) (e.g. read 'information security' instead of 'quality') and see if the requirement is still meaningful. If it is, there is a good chance that it is an identical core requirement.

Deviations

A deviation is where a management system standard changes the identical core text by:

1. deleting it;
2. adding text which is not discipline-specific (i.e. the requirement can apply to all management systems, regardless of discipline); or
3. moving it.

Deviations have been permitted to allow the standards developers to overcome problems when a discipline-specific requirement contradicts an identical core text requirement. The intention was not to allow standards developers to change the identical core text just because they did not like it or felt they could say it better. For this reason, all deviations have to be justified.

It should be noted that ISO 22301:2012, Societal security – Business continuity management systems – Requirements, was developed at a time when Annex SL was itself in development. There are therefore requirements in that standard that appear to be deviations but are in fact identical core text from an earlier version of Annex SL.

Discipline-specific text

Requirements that are specific to a particular discipline (e.g. information security) are referred to collectively as discipline-specific text. Such text may be embedded into the identical core text. For example, ISO/IEC 27001 has requirements for risk management. In ISO/IEC 27001:2013, these discipline-specific requirements are primarily in Subclauses 6.1.2, 6.1.3, 8.2 and 8.3, but there are discipline-specific matters that a management review must attend to and these have been inserted into a list in the identical core text of Subclause 9.3. Note that the insertion of text can modify the clause numbering. In ISO/IEC 27001:2013, for example, the insertion of Subclauses 6.1.2 and 6.1.3 causes the identical core text of Subclause 6.1 to become 6.1.1.

The amount of discipline-specific text varies between standards. In ISO 22301:2012, for example, there are approximately four-and-a-half pages of discipline-specific text in Clause 8, which specifies in detail the requirements concerning business impact analysis, risk assessment, strategy, procedures, exercising and testing. Likewise one might expect the revised version of ISO 9001 to contain about five pages of discipline-specific text, also in Clause 8, corresponding to the 'product-realization' requirements which are currently in Clause 7 of ISO 9001:2008. In contrast, ISO/IEC 27001:2013 only has about two pages of discipline-specific text, mostly located in Clause 6. This is because ISO/IEC 27001 traditionally deals with information security controls in an annex, which is actually quite long – 13 pages.



Chapter 2 – Management system concepts

Introduction

The objective of this chapter is to facilitate an understanding of management system concepts. The chapter is laid out in the following sections:

1. definition of terms used in Annex SL;
2. an explanation of what a management system is;
3. an explanation of how a management system works;
4. an explanation of how to read and interpret management system standards;
5. an explanation of how management system concepts have evolved; and
6. an introduction to integrated management systems.

Definitions

Overview

Annex SL defines a variety of terms that are fundamental to understanding management system concepts in general and the identical core text in particular. If a term is not defined in Annex SL, then the definition given in the Oxford English Dictionary (OED) is to be used. It is important to use these definitions, otherwise there is a risk of misunderstanding the requirements of the standard. Management system standards may add additional terms. If a management system standard alters an Annex SL definition, then it is treated as a deviation. For example, both ISO 22301:2012 and ISO/IEC 27001:2013 use the ISO Guide 73 definition of risk (i.e. the 'effect of uncertainty on objectives') as opposed to the Annex SL definition (which is just the 'effect of uncertainty').

The definitions are reproduced and discussed here in three groups:

1. terms relating to the management system;
2. the term relating to documented information; and
3. other terms.


Terms relating to the management system

The Annex SL definitions are:

management system: set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives

organization: person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives

top management: person or group of people who directs and controls an organization at the highest level

policy: intentions and direction of an organization as formally expressed by its top management

objective: result to be achieved

process: set of interrelated or interacting activities which transforms inputs into outputs

It is important to appreciate that an organization does not have to be a company. Indeed there is a note in Annex SL, which says 'The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private'. It therefore follows that if the organization is part of a larger organization then:

1. from the perspective of the smaller organization the larger organization is referred to either as 'another organization' or an 'external organization', the two phrases being synonymous with one another; and
2. top management refers to the leader of the smaller organization, not to the leaders of the larger organization.

Th i s rel a ti on sh i p i s i l l u stra ted i n Fi g u re 1 .

Term relating to documented information


Th e An n ex SL d efi n i ti on i s:

documented information : i n form a ti on req u i red to be con trol l ed a n d


organization a n d th e m ed i u m on wh i ch i t i s con ta i n ed
m a i n ta i n ed by a n

D ocu m en ted i n form a ti on i s a n ew term th a t h a s been tra d i ti on a l l y


referred to a s d ocu m en ta ti on a n d record s. A g ood wa y to th i n k of th i s i s
th a t th ere a re two types of d ocu m en ted i n form a ti on : specifications (Type

Understanding the New ISO Management System Requirements 7


Chapter 2 – Management system concepts

Fig u re 1 : Th e org an ization m ay be part of a larg er organ ization

S) , wh i ch speci fy wh a t a n org a n i za ti on i n ten d s to d o (i . e. i n th e fu tu re)


and records of performance (Type P) , wh i ch record wh a t h a s h a ppen ed
(i . e. i n th e pa st) . As a n i tem of d ocu m en ta ti on , e. g . a web pa g e, i t cou l d
con ta i n both types; I SO h a s d eci d ed to u se a si n g l e term to cover both
d ocu m en ta ti on a n d record s.

It is also important to note that it ought to be very rare that a management system standard gives names to documents. Subclause 5.2 starts by stating 'Top management shall establish an XXX policy' and continues by requiring that policy to have certain characteristics, e.g. it includes a commitment to continual improvement of the management system. The subclause also states that the policy 'be available as documented information'. This is not a requirement to have a document called 'XXX Policy'. It is a requirement that the information specified in Subclause 5.2 be documented. How an organization does this, and how it wants to refer to it, is up to the organization to decide and no one else. It could, for example, put the information required by Subclause 5.2 together with other information (whether required elsewhere by the standard or not) on an intranet web page entitled Integrated Management System Policy.


Other terms
Other Annex SL definitions are:

interested party (preferred term), stakeholder (admitted term): person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity

requirement: need or expectation that is stated, generally implied or obligatory

effectiveness: extent to which planned activities are realized and planned results are achieved

risk: effect of uncertainty on objectives

competence: ability to apply knowledge and skills to achieve intended results

performance: measurable result

outsource: make an arrangement where an external organization performs part of an organization's function or process

monitoring: determining the status of a system, a process or an activity

measurement: process to determine a value

audit: systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

conformity: fulfilment of a requirement

nonconformity: non-fulfilment of a requirement

correction: action to eliminate a detected nonconformity

corrective action: action to eliminate the cause of a nonconformity and to prevent recurrence

continual improvement: recurring activity to enhance performance

Oxford English Dictionary terms


There are a number of terms that are not defined by Annex SL and therefore they take on a meaning as defined by the Oxford English Dictionary (OED). Those whose meanings are used in this book are reproduced below:


issue (OED): an important topic or problem for debate or discussion

scope (OED): the extent of the area or subject matter that something deals with or to which it is relevant

activity (OED): a thing that a person or group does or has done

function (OED): an activity that is natural to or the purpose of a person or thing

status (OED): the situation at a particular time during a process

plan (OED): a detailed proposal for doing or achieving something

What is a management system?

In order to gain further insight into the definition of a management system, consider the following.

1. The OED provides a number of meanings for the word 'of', the most relevant of which is 'indicating an association between two entities, typically one of belonging, in which the first is the head of the phrase and the second is something associated with it'. Thus, for example, one might say 'the information security policy of ABC Incorporated'.
2. There will be people within the organization that will establish policy. Indeed, top management is responsible for establishing the XXX policy (see Subclause 5.2). However, if a management system was only made up of people, the definition would say 'a person or group of people within the organization that establishes ...'. The definition does not refer to people. Instead it refers to 'interrelated or interacting elements'.
3. An 'element', according to the OED, is 'an essential or characteristic part of something abstract', so it is more than just people. However, these elements cannot just be anything that is associated with the organization; they have to establish policy, objectives and processes to achieve those objectives, perhaps directly or through interaction with other elements.
4. 'Establish' means 'to set up on a firm or permanent basis'. Accordingly, an XXX policy document would be part of the XXX management system as are top management and the XXX controls.

In conclusion, an XXX management system is:

everything that is associated with the organization that interacts to establish XXX policy, XXX objectives and XXX processes to achieve those objectives.


How management systems work


The continual improvement engine
Cyclic behaviour

The cyclic behaviour of a management system is illustrated in Figure 2 by direct reference to those clauses that contribute to that behaviour. The diagram can be regarded as a representation of a conceptual engine where repeated cycles have a tendency to render the management system self-healing (see below) and continually improve the suitability, adequacy and effectiveness of the management system.

There are various inputs into the continual improvement engine. The action of the engine is to turn these into actions. The results of these actions feed back into the engine via a feedback loop.

Inputs, outputs and the feedback loop

Some of these inputs correspond to identical core text requirements. These are:

1. performance measurement (Subclause 9.1);
2. internal audit (Subclause 9.2); and
3. management review (Subclause 9.3).

Subclauses 8.1 and 9.3 b) require an organization to respond to operational change, and thus operational change also provides an input into the continual improvement engine.

In practice, there may be other inputs. The first only applies if the organization opts for certification. In this case, the results of certification audits will provide additional inputs. The second applies to all management systems, regardless of whether they are certified or not, and that is the occurrence of an incident.

Subclause 10.1 d) requires an organization to review the effectiveness of corrective action. For convenience, this has been associated in Figure 2 with the management review, which requires top management to consider a variety of topics, such as trends in audit results, during its management reviews.

Step 1 – Determine whether input is a nonconformity

For all inputs, apart from operational change, the organization must determine whether the input is a nonconformity. If it is not, or if the input results from an operational change, then the organization must determine whether the input is a potential nonconformity. If it is not, then it is either an improvement or no further action is required.

Figure 2: The continual improvement engine

Step 2 – Take immediate action as necessary


If the input is a nonconformity, the requirements of Subclause 10.1 a) require the organization to react to the nonconformity as applicable by taking action to control and correct the nonconformity and dealing with the consequences.

Step 3 – Plan considered action


If the input is a nonconformity, Subclause 10.1 b) requires the organization to determine the cause of the nonconformity. The subclause also requires the organization to determine if similar nonconformities exist, or could potentially occur.

If it is a potential nonconformity then Annex SL regards it as a risk. The organization needs to identify and assess the risk as specified in Subclause 6.1 (see the section entitled 'Risks and opportunities' in Chapter 3). The organization then needs to decide what actions it wants to take to address these risks.

Note that potential nonconformities may be identified in Step 2 or as a by-product of the root cause analysis in Step 3.

Step 4 – Take considered action


If the input is a nonconformity, Subclause 10.1 c) requires the organization to take action. The requirement is that the result shall eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere. The other actions are the implementation of the plans (Subclause 8.1) to implement the actions determined in Subclause 6.1 and carry out improvements (Subclause 10.2).

Nonconformities
Remarks about the definition
ISO defines 'nonconformity' as 'non-fulfilment of a requirement', where in turn ISO defines 'requirement' as a 'need or expectation that is stated, generally implied or obligatory'. A note to the definition states that 'generally implied' means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied. Another note states that a 'specified requirement' is one that is stated, for example in documented information.

Example
On April 22, 2010, following an explosion two days earlier, a large drilling rig sank into the Gulf of Mexico, unleashing an unhealthy, toxic gush of oil that continued leaking from the stricken well for the following five months.

One of the most obvious nonconformities would have been the presence of oil on the surface of the ocean. In accordance with Subclause 10.1 a), the oil company concerned took action to stem the flow of oil and clean up the pollution. In accordance with Subclause 10.1 c), the company then sought a more permanent solution which involved pumping mud and cement into the well.

This example illustrates the need to contain and repair the damage caused by the nonconformity while seeking a more permanent solution.

Root causes
The root cause of a nonconformity is not always obvious. Because of this, the standard requires top management to consider trends in nonconformities and corrective actions (Subclause 9.3 c)). Study of several apparently unrelated nonconformities may lead to the identification of common factors and hence the root cause. If at first view a nonconformity appears to be someone failing to follow a procedure, it could be because of poor training, or the procedure could be impossible to follow in extenuating circumstances.

Documented information
With regard to Subclause 10.1, an organization is required to retain documented information as evidence regarding the nature of the nonconformities and any subsequent actions taken and the results of any corrective action.

There is no documented information requirement in Subclause 10.2. However, Subclause 9.3 f) requires top management to consider opportunities for continual improvement in its management reviews. Evidence of conformance to Subclause 10.2 ought therefore to be found in the required documented information for management reviews.

The documented information requirements for the other clauses are discussed in Chapter 3.

Understanding management system standards


General
In an ideal world, there are a variety of properties that a management system standard ought to possess. Real management system standards possess these properties to a greater or lesser extent; for example, ISO/IEC 27001:2013 satisfies all of them, whereas they are only partially satisfied by the preceding version (ISO/IEC 27001:2005).

These properties concern the order of implementation, conformance, self-healing properties, alternative requirements, impartiality, duplicate requirements and notes.

Requirements can be implemented in any order


In some sense, a management system is analogous to a reciprocating piston engine (for example, as used in a conventional motor car). The engine specification, as one might find in a sales brochure, dictates what the engine must look like and perform once it has been built. This type of specification does not prescribe how it is to be built. Likewise a management system standard dictates what the management system must look like and do, once it is operational. A management system standard does not specify how it should be built. Indeed, there are many ways in which a management system can be built – some better than others – as explained in Chapter 3. Thus one should conclude that the order in which requirements are presented in a management system standard should not be taken to imply the order in which they are to be implemented. ISO/IEC 27001:2013 makes this property absolutely explicit in Subclause 0.1 by stating 'The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.' The management system will work exactly as described in the previous section.


For conformance all requirements must be met simultaneously

Again using the analogy of the motor car engine, once built and started, all of the different processes of the management system will operate together in a relationship very much as described in the previous section. All requirements (permitted exclusions excepted) ought thereby to be seen to be met simultaneously.

This might appear to be a statement of the obvious, but it may affect one's interpretation of a management system standard. When reading a particular requirement do not assume that other requirements, particularly those that are presented later in the standard, have yet to be applied. In a motor car engine, when the piston travels downwards to suck in a fresh charge of combustible material, it has yet to travel up to ignite the mixture, but it did that on the previous cycle. A much safer assumption is that all requirements are met simultaneously.

A conformant management system is self-healing

Clause 10 contains requirements for taking action to identify and correct nonconformities. These have the effect of making the management system self-healing. It is as if as soon as part of the management system becomes nonconformant, the corrective action requirements spring into action to correct the nonconformity, thereby rendering the whole management system conformant once again. Viewed in this way the life of the management system is a sequence of conformity – nonconformity – corrective action – conformity and so on.

It does not matter if the organization knows about one or more nonconformities at the time of a certification audit, provided that it is dealing with them in accordance with the requirements of Clause 10. From a certification perspective, it is a good opportunity to see the corrective action component of the management system in action.

Alternative requirements

Take care when reading comma-delineated lists. If the list ends with the word 'or' it means that the management system must conform to at least one item in the list (i.e. the use of the word 'or' should be interpreted as meaning 'and/or'). If it ends with the word 'and' it means that the management system must conform to every item in the list. For example:

1. Subclause 7.2 b) states 'ensure that these persons are competent on the basis of appropriate education, training, or experience'. This means that people shall be competent on the basis of appropriate education and/or training and/or experience. Thus someone might be competent on the basis of education and training, while someone else might be competent simply on the basis of their experience; or
2. Subclause 9.3 states 'Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness'. If it transpires that the management system is no longer adequate then the management system would be nonconformant with this clause.

Impartiality
Standards written in conformance to Annex SL may at first view appear somewhat bland. This is because the intention is only to state what shall be done, not how it might be done. If the latter type of requirement does appear in a management system standard it forces all organizations to do it that way, and that may not be the best way for all organizations.

Duplicate requirements
Care has also been taken in Annex SL to ensure that requirements are only stated once. This is because there is a danger that duplicated requirements at best confuse and at worst contradict. It is now ISO practice, for example, to state the requirements for documented information within the clause, or group of clauses, to which it relates. For instance, Subclause 4.3 states the requirements for determining the scope of the management system. The final paragraph states 'The scope shall be available as documented information'. Thus the requirements for documented information are scattered throughout the standard. They ought not, however, be collated into one place as that would give rise to a duplication.

Notes
A note in an ISO management system standard is intended to assist readers to understand a requirement. It does not modify the requirement or imply that a particular way of meeting the requirement is itself a requirement. A sure test of one's understanding of a note is that the requirement should not change if the note were ignored.


Evolution of management system concepts

Early days
Perhaps the most well-known management system standard is ISO 9001. First published in 1987, it was based on British Standard BS 5750, itself first published in 1979. The standards did not specify what to manufacture but how the manufacturing process ought to be managed in order to ensure that the product, as delivered to the customer, met the customer's requirement. It was for this reason that they became known as management system standards.

These early standards were orientated towards procedures: a procedure for contract review, a procedure to control and verify product design, etc. There was no concept of preventive action or continual improvement. There was nevertheless a concept of inspection and testing. This applied:

1. on receipt of components and other materials that would be used in the organization's product;
2. on product completion, prior to dispatch; and
3. during the process of design and manufacture, if required by the organization's quality plan.

From a conformance perspective, the emphasis was placed on conformance with procedures rather than the process of management. This had the unfortunate effect of divorcing quality from the management process and creating mountains of paperwork. Indeed one chief executive was heard to say, having appointed the quality manager, 'Your job is to get BS 5750, but don't bother me, I've got a business to run'!

Enter preventive action


The concept of preventive action was introduced in the 1994 revision of the standard. Effectively this invited organizations to look ahead and take action to prevent nonconformities from happening in the future. Although it would be some years before it was recognized as such, preventive action was effectively a risk assessment.

The emphasis on conformance with procedures, however, remained. Judging from comments made by quality assessors at the time, organizations were prone to creating the most marvellous procedures, as if having the best thought-out procedure was the key to a successful certification. Alas, such procedures, not being founded in reality, were often a cause for numerous nonconformities. Organizations would busy themselves immediately prior to a certification audit and, by endeavouring to ensure that the paper trail was complete, hoped to escape from nonconformity. Following the audit, management practice would then relax. Such behaviour did not escape the attention of the certification bodies, who instructed their assessors to recommend that organizations simply wrote down what they actually did. Nevertheless, it was clearly time for a major overhaul.

Plan-Do-Check-Act and the process model

The major overhaul came in the 2000 revision of ISO 9001. The emphasis was now placed on the organization's business processes. Moreover, the concept of continual improvement was introduced, based on the Deming 'Plan-Do-Check-Act' cycle, and a new subclause appeared devoted entirely to management commitment. These changes have certainly gone a long way towards making management systems an integral part of managing an organization. Indeed, the same chief executive quoted above personally oversaw the transition of his company's quality management system to ISO 9001:2000 and made absolutely certain that it directly supported his business.

Risks and opportunities – the deprecation of preventive action

The concept of risks and opportunities emerges with Annex SL and will feature in the next revision of ISO 9001 (anticipated in 2015). However, the concept of risk management has been practised by some organizations in their quality management systems for a long time. If an organization's products and services are varied, as is the case with a consultancy company for example, then it is unlikely that every product line or project will require exactly the same quality controls. The necessary controls are determined by risk assessment. One considers the product or service life cycle in its entirety and asks what can go wrong at each stage. Controls are then introduced to prevent the events that could lead to nonconformities, or at least detect them when they occur. In developing quality systems in this way, it was noticed by assessors that this practice is exactly equivalent to preventive action. Indeed, this case has been taken further by the authors of Annex SL who note:

This High Level Structure and Identical text does not include a clause giving specific requirements for "preventive action". This is because one of the key purposes of a formal management system is to act as a preventive tool. Consequently, the High Level Structure and Identical text require an assessment of the organization's "external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)" in clause 4.1, and to "determine the risks and opportunities that need to be addressed to: assure the XXX management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement." in clause 6.1. These two sets of requirements are considered to cover the concept of "preventive action", and also to take a wider view that looks at risks and opportunities.

The notion of risks and opportunities arises because quality is not just about risk management: product improvements are also about exploiting opportunities.

Integrated management systems

Part of BSI's business case for the development of BS 7799-2:2002, the standard that became ISO/IEC 27001:2005, was that it should emulate the concepts to be found in ISO 9001:2000 to facilitate the development of integrated management systems. BSI argued that with the development of other management system standards such as ISO 14001 (on environmental management systems), organizations might not be interested as they could finish up with too many management systems. However, this might not be the case if organizations had a single, integrated management system that conformed to two or more management system standards. Thus the concept of an integrated management system was born.

In 2006, BSI published PAS 99, a publicly available specification for integrated management systems. This provided guidance on how to combine two or more management systems together to form an integrated whole. At about the same time, Brewer, Nash and List took a different approach. They first realized that there was a common aspect to management system standards – the Plan-Do-Check-Act cycle – and regarded that as the 'engine' that should drive systems of internal control, see Figure 3. Subsequently they devised an architecture for integrated management systems[a] (see Figure 4).

There is much in common between this architecture and Annex SL, the difference being that Brewer et al. had to interpret a standard in terms of their architecture before it could be integrated, whereas with Annex SL, management system standards are built to a common architectural design – the high level structure and identical core text.

In 2012, with the publication of Annex SL, PAS 99 was republished with the revised title of Specification of common management system requirements as a framework for integration.

20 Understanding the New ISO Management System Requirements



Figure 3: The common components of management system standards shown superimposed on the UK audit practices board's model of internal control



Figure 4: An architecture for integrated management systems



Chapter 3 – Understanding the new requirements

Introduction

The purpose of this chapter is to explain the Annex SL requirements and to provide guidance as to how these requirements can be met. The guidance is intended to be applicable to a wide range of differing management system implementations, appropriate to SMEs as well as much larger organizations. The chapter also provides advice to organizations that are building a management system for the first time.

The chapter is laid out as follows:

1. an explanation of what has happened to the PLAN-DO-CHECK-ACT (PDCA) concept;
2. a brief discussion of discipline-specific requirements;
3. an explanation of the identical core text requirements for all new and revised management system standards, together with implementation guidance:
   a) scope of the management system (Clause 4);
   b) policy and objectives (Subclauses 5.2 and 6.2);
   c) risks and opportunities (Subclause 6.1);
   d) operation (Clause 8);
   e) monitoring, measurement, analysis and evaluation (Subclause 9.1);
   f) audits and reviews (Subclauses 9.2 and 9.3); and
   g) management and support (Subclauses 5.1, 5.3 and Clause 7); and
4. guidance on implementing a management system for the first time.

Note that an explanation of the Clause 10 requirements is given in Chapter 2 (in the section entitled 'how a management system works').

Whatever happened to PDCA?

ISO 9001:2000 introduced the concept of continual improvement and described it in the introduction to the standard using the Deming PLAN-DO-CHECK-ACT (PDCA) Cycle. Some other standards followed suit, but did so in a variety of ways. ISO 14001:2004 (on environmental management systems) cites PDCA in Clause 4 under the heading of 'Practical Guidance'. BS 25999-2:2007 (the forerunner of ISO 22301:2012 on business continuity), ISO/IEC 27001:2005 (about information security) and ISO/IEC 20000-1:2005 (regarding service management) all take PDCA a stage further, by adopting the model and building it into their requirement headings. In contrast, ISO 22000:2005 (on food safety management systems) does not mention it at all. However, Annex SL and standards such as ISO/IEC 27001:2013 do not mention PDCA. Organizations may therefore ask 'what has happened to PDCA?'

In looking at the above-mentioned standards, the extent to which guidance has been mixed up with requirements is quite noticeable. Unfortunately, a method for meeting a requirement might work very well for some organizations, but it may not work for all, and for some it may even be a bureaucratic burden. It is therefore far better in a management system standard only to specify the what and stay clear of the how.

The requirement is for continual improvement of the management system. Specifically, Subclause 10.2 of Annex SL states 'The organization shall continually improve the suitability, adequacy and effectiveness of the XXX management system'.

The Deming Cycle is certainly an approach that organizations can take in meeting this requirement, but it is not the only approach: Six Sigma, for example, is another. Certainly, the developers of ISO/IEC 27001:2013 had no wish to constrain organizations to use the PDCA model if they had a different approach to meeting the requirement for continual improvement. However, there were other reasons too, as follows.

1. The PDCA concept does not just apply to the management system; it can be applied to anything. Thus an organization could design an awareness seminar (plan); run the seminar (do); analyse participant feedback (check); and determine how it could be improved (act). Because of this, the PDCA model was finding its way into supporting standards (e.g. ISO/IEC 27004:2009 on measurements), making them far more complicated than was necessary.
2. PLAN does not always follow ACT. One might plan a training course, but following review the only action needed to improve the course could be to modify the way in which it is delivered. This is a change to the DO. Thus in this case the cycle is PLAN-DO-CHECK-ACT-DO-CHECK-ACT etc. Indeed the improvement cycle is actually as illustrated in Figure 2, rather than as illustrated in Figure 5.
3. There is an implication that the first step in creating a management system is to implement the requirements associated with the PLAN phase of the PDCA model. However, as shown in the final section of this chapter, for an established organization this is untrue. A better strategy is to start with the CHECK requirements and proceed in a manner that does not follow the cycle given in Figure 5 at all.
4. Subclause 4.1 of Annex SL was originally part of preventive action, which in all of the pre-2012 standards was part of ACT, not PLAN.

Nevertheless, there is still an association with the PDCA model in Annex SL. Writing down the major Annex SL subclause titles in their order of presentation counter-clockwise in a circle (see Figure 5) suggests that PDCA has become 'ESTABLISH-IMPLEMENT-MAINTAIN-IMPROVE'. However, in answer to the question 'what has happened to PDCA?':

a) the what is 'continual improvement of the management system', whereas PDCA is a how; and
b) the cyclic behaviour of a management system is illustrated in Figure 2, not Figure 5.

Note that ISO 22301:2012 maintains the link with PDCA, just as in BS 25999-2:2007. Indeed from a technical perspective there is virtually no difference between the two standards. Effectively, ISO 22301:2012 is just an 'ISO version' of BS 25999-2:2007.

Discipline-specific requirements

The scope of this chapter is restricted to a discussion of the identical core text requirements and does not extend to a discussion of discipline-specific requirements. This is because, at the time of writing this book, there are too few examples of published management system standards that conform to Annex SL; two specific examples being ISO 22301:2012, Business continuity management systems, and ISO/IEC 27001:2013, Information security management systems.

Scope of the management system

Overview

There are four groups of requirements in Clause 4, arranged as shown in Figure 6. Subclauses 4.1 and 4.2 provide inputs to Subclause 4.3. They also provide inputs to Subclause 6.1.

Effectively, the purpose of the clause is to define the scope of the management system (Subclauses 4.1 to 4.3), and having done so, to require the organization to establish, implement, maintain and continually improve it, in accordance with the requirements of Subclause 4.4.




Figure 5: Annex SL management system requirements




Figure 6: Relationship of requirements in Clause 4

Understanding the organization and its context

The requirement

There is a single requirement in Subclause 4.1, which states 'the organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its XXX management system'.

In accordance with the Oxford English Dictionary, an issue is an important topic or problem for debate or discussion. An organization's consideration of issues is not therefore confined to only a consideration of problems. It concerns all matters that could affect the smooth running of the management system, and these may have a positive as well as a negative effect on the management system. Indeed, this is why the standard later (in Subclause 6.1) refers to risks and opportunities. As the management system belongs to the organization, it needs to fit in with the organization's way of doing things. First and foremost, it is there to help an organization achieve its objectives, not to hinder them. Understanding the organization and its context is therefore very important to the success of the management system.

Examples of issues include:

• the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
• key drivers and trends that have an impact on the objectives of the organization;
• relationships with and perceptions and values of external [interested] parties;
• governance, organizational structure, roles and accountabilities;
• policies, objectives and the strategies that are in place to achieve them;
• capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
• the relationships with and perceptions and values of the [members of the] organization and the organization's culture;
• information systems, information flows and decision-making processes (both formal and informal);
• standards, guidelines and models adopted by the organization; and
• form and extent of contractual relationships.²

The dynamic nature of issues

All issues are likely to change over time, albeit some, such as the social and cultural environments, more slowly than others. It is therefore prudent to maintain a watchful eye on such changes.

Relevancy

A good test for relevancy is to ask the following two questions.

1. Does the issue affect the ability of the management system to meet the requirements of the XXX management system standard?
2. Does the issue arise because of the management system and affect the ability of the organization to meet its objectives?

Understanding the needs and expectations of interested parties

The requirements

The requirements are that the 'organization shall determine:

a. interested parties that are relevant to the XXX management system; and
b. the requirements of these interested parties.'

(ISO/IEC Directives, Part 1, Subclause 4.2)

² ISO 31000:2009, Risk management – Principles and guidelines, Subclauses 5.3.2 and 5.3.3.




Interested parties

For many organizations, interested parties are likely to include past, existing and potential customers and past, existing and potential suppliers. For some organizations, regulatory authorities will also be interested parties. If the organization is part of a larger organization then those other parts may well need to be regarded as interested parties. Indeed an interesting case arises if one of them also has an XXX management system. In the case of an information security management system, if organization A (say) is responsible for general information security and organization B is responsible for application-level security, e.g. for the corporation's financial transactions, organization A may place constraints (e.g. in the form of policies) that organization B is obliged to meet. Thus, organization B does not have a totally free hand: organization A is an interested party and the constraints are organization A's requirements.

The reference to past customers and suppliers is included because the organization may have surviving obligations such as guarantees and warranties even though they cease to buy or sell new products. Moreover, an organization ought to anticipate future needs, and hence the reference to potential customers and suppliers. There is little point, for example, in launching a new product or service if it fails to meet customer expectations.

Interested party requirements

Interested party requirements are likely to be documented in laws, regulations and contracts. However, by the ISO definition of requirement, a requirement can be a need or expectation that is generally implied. For example, a customer may well have an expectation that the organization will follow good information security practice, even though there might be no contractual obligation to do so.

Governance

Governance is about being a good steward, which according to the Oxford English Dictionary is 'a person employed to manage another's property'. In this case, the property is often money, which ultimately belongs to the company shareholders and creditors. In the wake of scandals resulting from unscrupulous behaviour in the boardroom, regulators and governments have stepped in and the notion of governance has been extended to taking care of the needs and expectations of all interested parties. There is thus a link between governance and Subclause 4.2. A cavalier organization that pays lip service to the discipline-specific requirements, hoping to gain certification on the grounds that what it does is acceptable to its top management, ought to be ruled nonconformant with Subclause 4.2 if its actions are not consistent with the reasonable needs and expectations of interested parties.

Determining the scope

Scope

The Oxford English Dictionary defines the term scope as 'the extent of the area or subject matter that something deals with or to which it is relevant'. Thus the scope of a management system is 'the extent of the area or subject matter that is dealt with by the management system or which is relevant to the management system'.

It is important to realize that the scope of the management system is not the same thing as the scope of a certification audit and is generally far wider.

The requirement

The requirement in Subclause 4.3 states that in order to establish the scope of the XXX management system the organization shall determine 'the boundaries and applicability of the XXX management system'. The subclause also states that when 'determining the scope, the organization shall consider

— the external and internal issues referred to in 4.1, and
— the requirements referred to in 4.2.'

(ISO/IEC Directives, Part 1, Subclause 4.3)

Boundaries and applicability

The BSI Publicly Available Specification, PAS 99:2012, which concerns the integration of management systems, recommends that 'the organization should determine what the integrated management system is going to cover with respect to the specific disciplines (e.g. quality or information security) and their requirements and to the boundaries of operation'. Thus one may reasonably conclude that the phrase 'boundaries and applicability' is a reference to the extent of the organization's operational processes that are relevant to the discipline concerned, e.g. information security. For example, if people work from home, or the organization uses an internet service provider's servers to host an online catalogue, then all of these are candidates for inclusion within the scope of the management system.




Choosing the boundaries wisely

Top management is the person or group of people who directs and controls the organization at the highest level. In accordance with Subclause 5.2, top management is responsible for establishing the XXX policy (e.g. an information security policy), and by Subclause 9.3 it is responsible for reviewing the management system. If there is any issue that prevents top management from conforming to such requirements, then it would be wise to redefine the organization to be a subset of its former self, as illustrated in Figure 7.

Figure 7: Redefinition of an organization

In this case, following redefinition, those parts of the original organization which are now excluded become an external organization and most likely an interested party too. Any issues associated with the redefinition would have to be identified in accordance with Subclause 4.1. Likewise, the requirements and expectations of that external organization would have to be identified in accordance with Subclause 4.2.

Identifying elements that are external to the organization

As an aid to identifying all entities that are external to the organization that ought to be included within the scope of the management system, consider the activities of relevance to the organization that are performed by other organizations. If there is a dependency or interface to that activity, then it is likely that the activity ought to be included within the scope of the management system. For example, if the organization has a website for taking customer orders, then the website and the customer activity of using the website ought to be included within the scope of the management system.

There is a note to the definition of 'outsource' to this effect. It says 'an external organization is outside the scope of the management system, although the outsourced function or process is within the scope'.

XXX management system

Subclause 4.4 simply states that the 'organization shall establish, implement, maintain and continually improve an XXX management system, in accordance with the requirements of this International Standard'. In effect, this requirement is the ignition switch for the continual improvement engine. Conformance with this requirement implies conformance with all the other requirements and vice versa.

Documented information

The requirement is that 'the scope shall be available as documented information'. There is no requirement to document the organization's understanding of itself, its context, its interested parties or their requirements. However, there is also no requirement that prohibits an organization from doing that if it so wishes. For example, documented information concerning customer and supplier details and contractual requirements is likely to exist for the purposes of managing the business of the organization.

Policy and objectives

XXX policy

The requirement

Subclause 5.2 requires top management to 'establish a XXX policy that

a) is appropriate to the purpose of the organization;
b) includes a framework for setting XXX objectives;
c) includes a commitment to satisfy applicable requirements; and
d) includes a commitment to continual improvement of the XXX management system'.

(ISO/IEC Directives, Part 1, Subclause 5.2)




Appropriateness

For the policy to be appropriate to the purpose of the organization it really ought to show how its objectives (see subsequent section) support the overall purpose of the organization and cover all of its functions. For example, if one of its purposes was the provision of 24x7 help-desk facilities to its customers, then high availability of its IT ought to be an objective.

Framework

Subclause 5.2 b) requires the policy to contain a framework (e.g. a process) for setting the objectives.

Commitments

The wording of the standard implies a simple statement of commitment (e.g. 'Top management is committed to …') will suffice. However, top management ought perhaps to consider wording the policy to demonstrate their commitment rather than merely stating that they are committed. Their commitment ought then to be self-evident from reading the policy. For example, the policy could reflect their understanding of the needs and expectations of interested parties and their direction to fulfil those needs through the realization of XXX measures that are fit for purpose, and their enthusiasm for conformance to the XXX management system standard. The former demonstrates the commitment referred to in Subclause 5.2 c) and the latter the commitment referred to in Subclause 5.2 d).

Documented information

Subclause 5.2 e) requires the XXX policy to be available as documented information. Other subclauses require it to be communicated within the organization, and, as appropriate, to be made available to interested parties. The purpose of these subclauses is to ensure that those people and organizations who are obligated to comply with it, for example through employment or other contracts, know what it is. Making it, or parts of it, available to interested parties could also be used to support the organization's marketing activities.

As noted in Chapter 2, Annex SL does not give names to documented information, thus an organization is under no obligation to produce a document with the title 'XXX Policy'. However, if a certification auditor wanted to see the documented information concerning (or relating to) XXX policy, the organization ought to know where it is. Note the form of words ('documented information concerning …'). A certification auditor ought not to be asking to see the XXX policy document.

XXX objectives

The requirement

Subclause 6.2 requires the organization to establish XXX objectives at relevant functions and levels. It then states that these 'objectives shall

— be consistent with the XXX policy
— be measurable (if practicable)
— take into account applicable XXX requirements
— be monitored
— be communicated, and
— be updated as appropriate'.

The subclause further requires that 'when planning how to achieve these objectives the organization shall determine

— what will be done
— what resources will be required
— who will be responsible
— when it will be completed
— how the results will be evaluated'.

(ISO/IEC Directives, Part 1, Subclause 6.2)

Functions and levels

The term 'function' in Subclause 6.2 refers to the functions of the organization. The term 'level' refers to the level of management, of which top management is the highest. These interpretations derive directly from the ISO definitions of organization and top management (see Chapter 2).

As an example, at the highest level there would be XXX objectives that provide overall direction for the management system (e.g. 'To ensure business continuity in the event of significant incidents or disasters'). Such objectives are typical of those that top management might include in a business continuity or information security policy, and for this reason one might refer to them as policy objectives. At the next level, the various functions of the organization may well have specific XXX objectives. At the lowest level, XXX relevant actions may be placed on individuals, for example as an output of a meeting, and each of these will have an objective.




Note therefore that there can be a large number of objectives, which is why Subclause 5.2 requires a framework for setting objectives in the policy rather than the objectives themselves. It should be further noted, however, that there is nothing in Subclause 6.2 inconsistent with general management practice, and organizations ought to find that they comply with this requirement as a matter of course.

Types of objective

Broadly speaking there are two types of objective: those that set a general direction and those that set a quantifiable goal or target. Objectives that set a general direction may not be measurable. There may, however, be evidence, e.g. through a lack of incidents, that the objective is being met. A case in question would be an objective to preserve the confidentiality of customer data. The loss of an unencrypted CD would indicate that confidentiality had not been preserved. However, one could not be certain unless the data reappeared on a website or in a newspaper. Such objectives may not be bounded in time. In such cases the requirement concerning 'when it will be completed' would not be applicable.

Those that set a quantifiable goal or target are in general measurable and would have a definite completion date.

Documented information

Subclause 6.2 requires the organization to retain documented information on the XXX objectives.

Risks and opportunities

Actions to address risks and opportunities

The requirement

Subclause 6.1 concerns actions to address risks and opportunities. Specific management system standards may have additional clauses, either in this section and/or in Clause 8, to deal with discipline-specific risk assessment requirements. For example, ISO/IEC 27001:2013 has information security risk assessment and risk treatment requirements in Subclauses 6.1.2, 6.1.3, 8.2 and 8.3, and ISO 22301:2012 has similar requirements in Subclauses 8.2 and 8.3.

Understanding the New ISO Management System Requirements 35


Chapter 3 – Understanding the new requirements

Subclause 6.1 refers back to the issues determined in Subclause 4.1 and the requirements determined in Subclause 4.2, and requires the organization 'when planning for the XXX management system' to consider these issues and requirements to 'determine the risks and opportunities that need to be addressed to

— assure that the XXX management system can achieve its intended outcome(s)
— prevent, or reduce, undesired effects
— achieve continual improvement'.

It then states 'the organization shall plan

a) actions to address these risks and opportunities, and
b) how to
— integrate and implement these actions into its information security management system processes
— evaluate the effectiveness of these actions'.

(ISO/IEC Directives, Part 1, Subclause 6.1)

Why risks and opportunities?

The phrase 'risks and opportunities' was introduced into the identical core text because disciplines, such as quality, are concerned not only with risk management, e.g. the avoidance of product recalls because of quality faults, but also with exploiting opportunities, e.g. delivering on market needs and customer satisfaction.

Documented information
There is no explicit requirement for documented information with regard to Subclause 6.1.

Operation

General remarks
Clause 8 consists of a single subclause: Subclause 8.1, entitled 'Operational planning and control', but as mentioned previously there may be other discipline-specific subclauses.

Subclause 8.1 has subclauses covering four topics. The first concerns planning, implementation and control; the second concerns documented information; the third, change management; and the fourth, outsourcing.


Planning, implementation and control

The organization is required to 'plan, implement and control the processes needed to meet requirements and to implement the actions determined in 6.1 by

— establishing criteria for the processes
— implementing control of the processes in accordance with the criteria'.

(ISO/IEC Directives, Part 1, Subclause 8.1)

The requirements are the requirements of the management system standard concerned and those identified in Subclause 4.2. Thus the processes referred to will include all management system processes, and all others that an organization determines as being necessary to meet XXX requirements.

The criteria of Subclause 8.1 a) are used for the control of these processes. They could, for example, refer to when the process should start and finish; who authorizes it; or the scope or subject of the process.

Documented information

The organization is required to 'keep documented information to the extent necessary to have confidence that the processes have been carried out as planned'.

The answer to a question such as 'what evidence do I need to convince me that something has been done?' will act as a guide in determining how best to implement this requirement. However, in some cases there may be a need to convince other people, such as a court of law, and in these cases stronger and more factual evidence may be required. In all cases it is a question of risk: 'what if a process has not been carried out as planned, but I think it has?'; 'what actions would I take, and what would be the consequences if I am wrong?' The answers to these questions will also guide an organization to determine the extent of the documented information it requires. It should also be appreciated that the wording is an attempt to prevent the production of unnecessary documented information: management systems should not be bureaucratic paper-generating machines.


Change management

The organization is required to 'control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary'.

(ISO/IEC Directives, Part 1, Subclause 8.1)

The purpose of this requirement is to ensure that intended changes to the management system processes and XXX controls are properly controlled. The requirement recognizes that unintended changes may occur, perhaps as a side-effect of an intended change, or through error. In either case the consequence may be benign or it may have a detrimental effect on the management system or XXX performance. Thus, there is first a need to review the consequences, taking mitigating action as necessary.

Outsourcing

The organization is required to 'ensure that outsourced processes are determined and controlled'. These, of course, are processes within the scope of the management system.

Monitoring, measurement, analysis and evaluation

The requirement

Subclause 9.1 requires the organization to determine

— 'what needs to be monitored and measured
— the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results
— when the monitoring and measuring shall be performed
— when the results from monitoring and measurement shall be analysed and evaluated'.

(ISO/IEC Directives, Part 1, Subclause 9.1)

Organizations are required to retain appropriate documented information as evidence of the results.

Finally there is a requirement to 'evaluate the XXX performance and the effectiveness of the XXX management system'.

This last requirement establishes the purpose of Subclause 9.1. Indeed, ISO/IEC 27001:2013 deviates from Annex SL by placing this requirement first. As a general recommendation, organizations ought not to monitor and measure for the sake of monitoring and measuring, or just because they have the capability to do so. Instead, they ought first to decide what they want to know in order to evaluate the XXX performance and the effectiveness of the XXX management system, and work back from there to determine what to monitor and measure. By virtue of Subclause 6.2 this will include the monitoring of the progress in meeting the XXX objectives.

What is monitoring and measuring?

Monitoring is the determination of the status of a system, a process or an activity; whereas measuring is a process to determine a value. The status of something is the situation at a particular time during a process. Thus the difference is one of time, and with monitoring one is interested in how a value varies over time: for instance, is the number of virus attacks increasing or decreasing? Is the situation getting better or worse? Is an objective on target?

What to monitor and measure

XXX performance

The monitoring and measurement of XXX performance is discipline-specific, and as such is mostly outside the scope of this book. However, the organization will have established XXX objectives for various functions and levels (Subclause 6.2) and will also have established processes and possibly XXX controls (certainly for ISO/IEC 27001) in response to the discipline-specific requirements. An organization ought to monitor and measure the capabilities of these processes and controls during live operation.

All management system standards need to contend with nonconformities (Subclause 10.1). In addition, some need to contend with accidents, disruptions, emergencies, incidents and near misses. The occurrence of any of these affords an opportunity to make measurements on real events (rather than events deliberately manufactured by the organization to test its processes). In addition, monitoring of nonconformities, accidents, disruptions, emergencies, incidents and near misses allows an organization to determine whether it is under attack; whether incidents are on the rise, or in decline; and whether near misses are harbingers of worse to come. However, these are not the only events that an organization could monitor. The technology that an organization might use in its XXX processes may monitor particular events, and an organization could include those in its list of what to monitor.

Candidates for measurement would be the XXX controls. A control is a means to reduce risk. Thus a quality control could, for example, be the means to prevent the occurrence of a nonconformity. While measuring the effectiveness of some controls in isolation (e.g. the critical control points in food safety) may be a sensible course of action, in some disciplines controls often work in concert, where the failure of one control, say to detect a specification error at an early stage of product design, can be made up for by another at a later stage of design. In these cases, a better strategy would be to attempt to exercise groups of controls as a whole under simulated real-world conditions. How this is done and the types of measurements that would be made are, however, discipline-specific. For ISO 22301, such a mechanism – the business continuity exercise – is already built in as a requirement, together with an indication of the types of entities and their attributes, such as the actual time taken to recover to a particular level of service, that an organization may wish to measure. For ISO/IEC 27001 the approach would be to simulate an information security attack and measure a variety of parameters, such as how much knowledge is required and how long it takes to defeat the controls. The idea here would be that if a person without any technical knowledge of IT, specialist equipment, insider knowledge of the security controls or inside help can defeat the organization's security within minutes, then one might conclude that the security plan, or at least part of it, is not very good. On the other hand, if the organization can withstand a sophisticated attack mounted by experts, even with inside help, over a period of months or years, then one might conclude that to all intents and purposes that aspect of security is unbreakable. Clearly care would need to be taken to ensure that such a simulation did not result in any undesirable consequences.

Effectiveness of the XXX management system

The most obvious candidates for monitoring are objectives and the occurrence of nonconformities. In addition, there will be other candidates depending on the processes that are within the scope of the management system. For example, at any one time, how many actions arising from review and other management system meetings are outstanding? If there is an IT help desk within scope, what is the status of the various trouble tickets?

Every activity associated with the management system and every management system process (e.g. the risk assessment process) is a candidate for being monitored and measured. To assist with their identification, it is perhaps worth noting that there are several clauses that refer to the effectiveness of something:

1. XXX management (Subclause 5.1 d));
2. the XXX management system (Subclauses 5.1 f), 7.5.1 b) and 9.3);
3. the implementation and maintenance of the XXX management system (Subclause 9.2 b));
4. actions to address risks and opportunities (Subclause 6.1 e) (second bullet point));
5. objectives (Subclause 6.2 d));
6. actions to acquire the necessary competence (Subclause 7.2 c));
7. awareness (Subclause 7.3 b)); and
8. corrective action (Subclause 10.1 d)).

As each of these is a requirement, conformance needs to be demonstrated in some way. An organization could elect to do this by making measurements and using the results to evaluate the effectiveness. An organization is not obliged to take this approach, but it could be, and therefore the activities and processes involved in meeting these requirements are candidates for measurement. Moreover, a number of clauses refer to the planning of something or to a something plan:

1. planning for the XXX management system (Subclauses 6.1 and 7.5.3);
2. planning the actions to address risks and opportunities (Subclause 6.1);
3. planning how to achieve its XXX objectives (Subclause 6.2);
4. planning the processes needed (and changes) (Subclause 8.1);
5. conduct internal audits at planned intervals (Subclause 9.2);
6. review the organization's XXX management system at planned intervals (Subclause 9.3); and
7. the audit programme (Subclause 9.2).

These are also candidates for measurement.

How to monitor and measure

The approach to making measurements

The making of measurements is a complete science in its own right. It is called metrology. A fundamental principle, however, is to start by determining the objective of the evaluation process. A metrologist would call this the 'information need'. It is the 'insight necessary to manage objectives, goals, risks and problems'.

One effectively works back through the analysis process to determine the measurements that one needs to make. Measurements are made of the characteristics or attributes of various entities. A metrologist would call these 'base measures'. Sometimes these base measures have to be combined to form what is known as a 'derived measure'. For example, most people are familiar with the car speedometer. This instrument measures the speed of the car, but in fact this is a derived measure. Depending upon design, what the instrument actually displays is the distance travelled in a fixed unit of time. Thus, distance and time are the base measures. The speedometer effectively calculates the speed by dividing the distance travelled by time.


Once all base measurements have been made and the derived measures have been calculated, the measurement process is complete and the analysis process can begin. The analysis would be performed in accordance with some algorithm or calculation of the organization's own invention. This will combine one or more base and/or derived measures with associated decision criteria. For example, if one was to make several measurements of the car's speed these could be plotted, during the analysis phase, as a graph of speed versus time. This graph would represent the car's acceleration. However, because the car might be travelling downhill against a strong headwind, further measurements could be made with the car travelling in the reverse direction, the hope being that the inaccuracies introduced by the gradient and headwind would be evened out. During the analysis a decision criterion could therefore be to use the average value of the speed measurements at a particular time after the car starts moving. The resultant graph is, of course, yet another measure. Metrologists give this a special name too and call it an 'indicator', which they define as a 'measure that provides an estimate or evaluation of specified attributes derived from a model with respect to defined information needs'.

The process of evaluation then proceeds by interpreting the indicator(s) in such a way as to address the information need. Such interpretation might differ depending on the information need. For example, if the objective was to support a review of the car for a magazine, the interpretation might result in descriptive text such as 'exhilarating', 'not as good as one might expect', 'great apart from a frustrating dead spot between 50 m.p.h. and 60 m.p.h.' However, if the car was being tuned for a race, the evaluation might be quite different, giving recommendations on how further adjustments might be made to improve performance.

Note that in order to satisfy a particular evaluation objective (i.e. information need) an organization might need to make many similar measurements over a relatively long period of time before starting the analysis and evaluation process. This is why the 'when the monitoring and measuring shall be performed' requirement is separate from the 'when the results … shall be analysed and evaluated' requirement.

The overall measurement, analysis and evaluation process is shown in Figure 8.

Figure 8: Schematic showing the relationship between the formal metrological terms (information needs, etc.), as presented in ISO 15939:2007, and the requirement of Annex SL to monitor, measure, analyse and evaluate

Types of measure

Measures can be base measures, derived measures and indicators. However, there is another way to categorize measures and that is by the relationship of the information provided by the measure to the definition of effectiveness ('extent to which planned activities are realized and planned results achieved'). Again there are three types:

1. implementation measures;
2. local effect measures; and
3. impact measures.

To explain these, it is useful to consider an example. Suppose that the concept of the management system is quite new to an organization. Upon reading Subclause 7.3, it decides that in the run-up towards certification it will put on an awareness seminar following the advice on subject material given later in this chapter. In this case, the organization's objective is simply to persuade as many people as possible in the organization to attend, and the planned result is, say, 95 per cent to allow for possible sickness and vacations. The required measurement is simply a head count. This is an implementation measure. It merely demonstrates progress in implementing an organization's XXX policies and procedures: if the target was 95 per cent – how many people actually attended?

Once the organization has achieved a high attendance rate, it might then look more towards the quality of the training. The plan might now be to set specific training objectives for the seminar and determine the extent to which the attendees have understood what they have learnt. In this case, the planned results, being an increase in awareness and understanding, are quite distinct from a mere head count. The measurements in this case may well involve an examination of the attendees. This type of measure is an example of a local effect measure.

Once the organization is confident that it can set realistic training goals and can meet them in practice, it might turn its attention to asking what impact this has on the organization. The answer to this question lies in a change to the way the results are analysed as well as the need for additional measurements such as the number of incidents, near misses and nonconformities which are attributable to a lack of awareness. The indicator measures would now be examples of impact measures.

Note the progression from implementation measures through to impact measures. Organizations may wish to consider this as indicative of the level of experience they have with Subclause 9.1.
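The measurement chain described in the two passages above (information need, base measures, derived measures, an indicator combined with decision criteria, and the progression from implementation through local effect to impact measures) can be made concrete for the awareness-seminar example. The following Python script is an added illustration and is not code from the book. The staff numbers, exam scores and monthly incident counts are constructed; the 95 per cent attendance target is the planned result from the text, while the 70-mark pass threshold, the 80 per cent pass-rate target and the slope tolerance used to classify a trend are assumed decision criteria chosen for the example.

```python
"""Measurement model for the awareness-seminar example (added illustration).

Base measures -> derived measures -> indicator with decision criteria, in the
sense used in ISO/IEC 15939. All sample values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BaseMeasures:
    """Attributes measured directly from the entities of interest."""
    staff_total: int                        # people expected at the seminar
    attended: int                           # head count taken at the seminar
    exam_scores: List[int]                  # one score (0-100) per examined attendee
    monthly_awareness_incidents: List[int]  # incidents attributed to lack of awareness, oldest first


# Constructed sample data for a hypothetical organization (not from the book).
SAMPLE = BaseMeasures(
    staff_total=120,
    attended=116,
    exam_scores=[88, 72, 65, 91, 70, 54, 83, 77, 69, 95],
    monthly_awareness_incidents=[9, 8, 8, 6, 5, 3],
)


def attendance_rate(m: BaseMeasures) -> float:
    """Derived measure behind the implementation measure: share of staff who attended."""
    return m.attended / m.staff_total


def pass_rate(m: BaseMeasures, pass_mark: int = 70) -> float:
    """Derived measure behind the local effect measure: share of attendees who passed.

    pass_mark is an assumed decision criterion."""
    if not m.exam_scores:
        return 0.0
    return sum(1 for s in m.exam_scores if s >= pass_mark) / len(m.exam_scores)


def slope(series: List[int]) -> float:
    """Least-squares slope of a monthly series (units per month).

    Monitoring asks how a value varies over time, so the trend of the series,
    rather than any single month's count, is what the impact measure uses."""
    n = len(series)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(series) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(series))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def trend(series: List[int], tolerance: float = 0.1) -> str:
    """Classify a series as increasing, decreasing or flat (tolerance is assumed)."""
    s = slope(series)
    if s > tolerance:
        return "increasing"
    if s < -tolerance:
        return "decreasing"
    return "flat"


def evaluate(m: BaseMeasures,
             attendance_target: float = 0.95,
             pass_target: float = 0.80) -> Dict[str, dict]:
    """Indicator: combines the derived measures with decision criteria.

    attendance_target (95 per cent) is the planned result from the text;
    pass_target is an assumed criterion. The three entries answer the three
    information needs in the order the chapter presents them."""
    attendance = attendance_rate(m)
    passed = pass_rate(m)
    incidents = trend(m.monthly_awareness_incidents)
    return {
        "implementation": {"value": attendance, "target": attendance_target,
                           "met": attendance >= attendance_target},
        "local_effect": {"value": passed, "target": pass_target,
                         "met": passed >= pass_target},
        "impact": {"value": incidents, "target": "decreasing",
                   "met": incidents == "decreasing"},
    }


if __name__ == "__main__":
    for name, result in evaluate(SAMPLE).items():
        print(f"{name:15} value={result['value']!s:>10} "
              f"target={result['target']!s:>10} met={result['met']}")
```

With the constructed data the implementation measure is met (116 of 120, just under 97 per cent), the local effect measure is not (7 of 10 attendees pass, against an assumed 80 per cent target), and the impact measure is met because the incident series is trending down. Each stage only becomes meaningful once the earlier one is in place, which mirrors the progression the chapter describes.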

When to monitor and measure

As mentioned previously, organizations will have the opportunity to make measurements whenever there has been an accident, disruption, emergency, incident, near miss or a nonconformity. However, if there are none, or they happen infrequently, one perhaps does not really know whether XXX controls will actually work as intended. It is therefore prudent to deliberately exercise them, as explained in the section on XXX performance above.

When to analyse and evaluate

Quite often, an organization might want to perform the analysis and evaluation as soon as the measurements have been made, but this rather depends on the nature of the measurements and the evaluation objective. For example, immediately prior to a management review (see below) an organization may wish to perform additional analyses, perhaps of the impact variety.

Measurement programme
Putting together the evaluation objectives, the whens and hows, will create a plan which may be referred to as a measurement programme. There is no explicit requirement in Annex SL to do this, but organizations might find such a plan to be useful as it will allow an organization to:

1. visualize any progression of measures, such as those in the example given in the section on types of measure;
2. ensure that those management system processes and aspects of XXX performance that it wishes to evaluate are incorporated into the plan; and
3. ensure that the dates for planned measurements and analyses have the proper relationship to other planned events, such as audits, management reviews and business continuity exercises.

Audits and reviews

Internal audits
Subclause 9.2 states: 'The organization shall conduct internal audits at planned intervals to provide information on whether the XXX management system;

a) conforms to
— the organization's own requirements for its XXX management system
— the requirements of this International Standard;
b) is effectively implemented and maintained'.


Subclause 9.2 continues by stating: 'The organization shall:

a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management, and
e) retain documented information as evidence of the audit programme(s) and the audit results'.

(ISO/IEC Directives, Part 1, Subclause 9.2)

Audit programme(s)

It is for each organization to decide what it wants to audit, how it wants to audit, how often and by whom. It needs to produce a plan. The standard refers to this as an audit programme, and an organization can have more than one such programme.

The extent of the audit programme will depend on a variety of factors such as:

1. the scope of the management system;
2. whether the organization is spread across many sites, and how similar they are in terms of information security controls; and
3. the complexity of XXX systems and technology within the scope and the nature of the technology that is used.

Depending upon the discipline, the audit programme may also depend upon factors such as how process failures affect the organization's exposure to XXX risk (e.g. information security risk for ISO/IEC 27001 and business continuity risk for ISO 22301) and the risk of the occurrence of nonconformities. If the slightest failure results in an unacceptable exposure then that process may require greater attention than those where even the grossest failure may not have even the slightest effect on risk.

What an audit is and what an audit is not

An audit is an examination of an activity by an independent person to a specified objective. It is not the re-performance of the activity, an incident investigation or the provision of assistance in the development of processes and controls. Look for evidence of conformity. If there are nonconformities they will be found, but auditing is not an adversarial pastime. It clearly states in Subclause 9.2 that the purpose of internal auditing is to provide evidence of conformity.

Substantive versus conformance audits


There are two basic styles of auditing. In a substantive audit, the auditor only looks at the results of the processing and applies a reasonableness test. Unreasonable results indicate that there is a process failure. It does not necessarily indicate where the failure occurred, only that there is one, or more precisely that the results are anomalous and further investigation is required (usually by the auditee). In a conformance audit, it is adherence to the process or procedure that is audited. There is an underlying assumption that if the process or procedure is followed correctly then the results will be correct. This is, of course, not always a safe assumption. Nevertheless, if one is just trying to show that the management system conforms to the requirements of a given management system standard then a conformance audit is all that is really necessary. However, if the organization has some other audit objective in mind, for example, if it has a particular question regarding the appropriateness or accuracy of a process, then a substantive audit approach may be more appropriate.

Example

An example of substantive auditing is illustrated in the following true story. An experienced engineer produced several pages of mathematics, concerning the acoustic positioning of a moving target, and showed it to his manager. The manager flicked through the various pages, clearly not paying much attention to their content, but pausing for a few moments on the last page and said, ‘there is an error in here, go away and fix it’. The engineer did so. He found the error, corrected it and re-presented the results to his manager. The manager did exactly the same as before: a quick flip through all the pages and, pausing on the last page, said, ‘Yes, you seem to have fixed that one, but there is another; go away and fix that’. The engineer was now very frustrated. He said, ‘Look, you haven’t read this. I agree there was an error in the first version, but why do you think there is one in this version?’ The manager replied, ‘Simple. In the first version your final equation was dimensionally incorrect – the left-hand side was in units of metres, while the right-hand side was in units of time. In the second version, the equation was dimensionally correct, but when the target is at 90° to a microphone, the speed of sound becomes infinite, and we both know that is a physical impossibility.’ In reviewing the engineer’s work, the manager had applied a substantive audit technique. He did not pay much attention to the process that the engineer had used to reach his final equation, but instead applied a variety of reasonableness tests to the final equation, i.e. the output of the process.

Such techniques can be invaluable in auditing processes such as risk assessment and business impact assessment, as required by some management system standards.

Auditing processes
When auditing a process, if there is a written procedure then the auditor can read it, consider and ask questions on whether it is followed in practice. An important question to always ask is ‘what if that doesn’t work?’ An alternative is to listen to an explanation of what people do. Write it down in the audit report. Other people in the organization may well have a view on it. Ask oneself questions such as: ‘is the process complete, sensible, cost effective, does it cover everything, what if that doesn’t work and is there a better way?’ Beware, however, of following the assumptions of the author of the process, thereby missing exactly the same things that they did.

Audit results
Be careful in documenting audit results to be objective. Document what was done in sufficient detail for someone who was not present at the audit to draw the same conclusions.

If a nonconformity has been found, state clearly what it is by reference to the precise clause in the management system standard or organizational requirement. Indicate how serious the nonconformity is. For example, if the nonconformity is indicative of a systemic failure of a management system process, or if, as a result, the organization is exposed to unacceptable risk, is in breach of contract or is acting illegally, then the nonconformity perhaps ought to be regarded as a major nonconformity, as indeed a certification auditor would regard it. If the nonconformity does not meet any such criterion, but is rather an oversight or temporary lapse of control, then the nonconformity might be regarded as being a minor nonconformity.

It is also customary to identify potential nonconformities and mark them as observations.

If something rather splendid has been discovered, record that fact in the audit report and say why it is so good. Some auditors mark these as positive observations, but a marking such as ‘acclamation’ may be more appropriate. It will act as an encouraging example to other members of the organization and may well indicate an opportunity for improvement. Indeed, do identify opportunities for improvement.

Management reviews
The requirement
Subclause 9.3 is in four parts.

The first part is about the frequency and objectives of the reviews. It states: ‘Top management shall review the organization’s XXX management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness’.

Part 2 elaborates on what must be considered during the review, stating: ‘The management review shall include consideration of:

a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the XXX management;
c) information on the XXX performance, including trends in:
— nonconformities and corrective actions
— monitoring and measurement results, and
— audit results;
d) opportunities for continual improvement’.

Part 3 specifies the outputs: ‘The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the XXX management system’.

Part 4 concerns documented information: ‘The organization shall retain documented information as evidence of the results of management reviews’.

(ISO/IEC Directives, Part 1, Subclause 9.3)

Frequency and objectives


The frequency of meetings is left for the organization to decide. In many respects the management review is analogous to action taken by a captain in sailing a ship. The review ought to have at its disposal all relevant information concerning the XXX performance of the organization and is able to take action to ensure continuing suitability, adequacy and effectiveness. Suitability will cover the primary purpose of the standard, should that be stated in its introduction, and the XXX objectives that the organization will have defined at the highest level.

Frequency is therefore determined from the answer to a question such as ‘how long can top management (i.e. the ship’s captain) afford to be off the bridge?’

For some organizations the answer may lie in having several meetings, spread over the year, which collectively meet the requirements of Subclause 9.3. It is also often better to have many short meetings, each designed to last no longer than an hour, than to have fewer longer meetings.

Review considerations
The first part of the requirement spells out that the subject of the review is the management system, and the implication here is that the policies, objectives and processes to achieve those objectives shall all be reviewed.

Note that the requirement to consider changes in external and internal issues can be very wide ranging. It will cover a plethora of topics such as changes in legislation, technology, the social and political climate, market trends, organizational direction, objectives, performance and structure. Note also that the consideration of trends may feed into changes concerning Subclauses 4.1, 6.1 and 8.1 in order to ward off undesirable outcomes. It forms part of the feedback loop referred to in Figure 2. One would also expect top management to ensure that the management system remains compatible with the strategic direction of the organization.

Review outputs
The primary outputs are in actuality those illustrated in Figure 2 and, in terms of the ship analogy, correspond to those adjustments necessary to maintain the ship on course (corrective action) or steer towards a more desirable destination (improvements).

Documented information
It would be usual for the documented information to be in the form of minutes. However, it is the content of those minutes that actually provides evidence of conformance.

1. The various considerations required by the second part of Subclause 9.3 will be seen to be regularly discussed.
2. Actions will be seen to have been executed promptly.
3. It will be evident that decisions will have been made regarding continual improvement opportunities and changes to the management system.

Management and support

Leadership and commitment

The requirement
Subclause 5.1 requires top management to ‘demonstrate leadership and commitment with respect to the XXX management system by

— ensuring the XXX policy and XXX objectives are established and are compatible with the strategic direction of the organization
— ensuring the integration of the XXX management system requirements into the organization’s business processes
— ensuring that the resources needed for the XXX management system are available
— communicating the importance of effective XXX management and conforming to the XXX management system requirements
— ensuring that the XXX management system achieves its intended outcome(s)
— directing and supporting persons to contribute to the effectiveness of the XXX management system
— promoting continual improvement
— supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility’.

(ISO/IEC Directives, Part 1, Subclause 5.1)

There is also a note which states that reference to ‘business’ should be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

Demonstrating leadership and commitment


Leadership and commitment will be evident in the manner in which top management conducts itself in relation to the management system. Internally, this will be most apparent in management review meetings and through its communications within the organization. Externally, it will be most apparent in the enthusiastic way it conducts itself in certification audits, regarding these, for example, as opportunities to show off its management system and to look for further opportunities for improvement. As such, certification audits ought to be events to look forward to.

Leadership implies being first – leading by example should be the motto. The XXX policy may affect people within the organization in different ways, but if top management complies with the XXX policy in respect of the parts that apply to them and demonstrates understanding of and commitment to those other parts, then it is highly likely that subordinate members of the organization will act likewise. If there is something about the policy that top management does not like, for example it is rather bureaucratic, then top management must change it. After all, it is top management’s policy.

Conformance with particular parts of Subclause 5.1 will also be evident in certain items of documented information. For example, it is likely that evidence in support of c) to h) will be found in the minutes of meetings. There may be issues associated with these items, but there will be evidence that such issues are being raised, discussion is taking place, decisions are being made and the issues are being resolved.

Organizational roles, responsibilities and authorities

Subclause 5.3 requires top management to ‘ensure that the responsibilities and authorities for roles relevant to XXX are assigned and communicated’. Specifically, it requires top management explicitly to ‘assign the responsibility and authority for:

a) ensuring that the XXX management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the XXX management system to top management’.

(ISO/IEC Directives, Part 1, Subclause 5.3)

The responsibilities of top management are defined in Clause 5 (Leadership) and Subclause 9.3 (Management review). Subclause 9.2 c) requires the audit programme to include responsibilities. Thus, the standard explicitly identifies four roles that are relevant to all management systems. These roles concern conformance, reporting of performance, top management and auditing.

Resources

Subclause 7.1 states: ‘The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the XXX management system’.

Simply expressed, this requirement covers all the resources needed by the management system.

Competence
The requirement

Subclause 7.2 states: ‘The organization shall:

— determine the necessary competence of person(s) doing work under its control that affects its XXX performance, and
— ensure that these persons are competent on the basis of appropriate education, training, or experience;
— where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and
— retain appropriate documented information as evidence of competence’.

(ISO/IEC Directives, Part 1, Subclause 7.2)

Note the use of the word ‘or’ in item b. This is the example of alternative requirements referred to in Chapter 2. It means that people shall be competent on the basis of appropriate education and/or training and/or experience.

As stated in a note in the standard: ‘applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons’.

(ISO/IEC Directives, Part 1, Subclause 7.2)

Staff assessments and appraisals


The traditional method for meeting this requirement in most organizations is through a process of staff assessments or appraisals, and whatever method an organization currently employs ought to suffice for conformance to this requirement, particularly the explicit requirement for the retention of documented information.

The fact that this is a common management system requirement and that the majority of organizations will already have a conformant process underlines that there is nothing really discipline-specific about it apart from the skills that people may require. A good approach is to maintain a matrix of staff and skills, highlighting those skills that are necessary for a particular job function. The skills should be weighted and values agreed at each regular period of assessment for how competent that member of staff is for each skill related to their job function. This approach will not only serve as a convenient record of competence but provide an analysis of training needs and skill shortages.
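One way to keep the weighted staff-and-skills matrix just described, as an added Python example that is not from the book: the job functions, skills, weights, staff names and assessment values are all constructed sample data, and the 0 to 4 competence scale with a target level of 3 is an assumption. It yields the three things the paragraph asks for (a record of competence, training needs per person and organization-wide skill shortages) and also compares two assessment periods, which is one way to evaluate the effectiveness of a training action as Subclause 7.2 requires.

```python
"""Weighted staff-and-skills matrix as a record of competence (Subclause 7.2).
Added example, not from the book: all job functions, skills, weights, names
and assessment values are constructed, and the 0-4 scale with a target
level of 3 is an assumption."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

MAX_LEVEL = 4      # assumed agreed scale: 0 = no competence ... 4 = expert
TARGET_LEVEL = 3   # assumed level below which a training need is recorded

# Job function -> {skill: weight}; higher weight = skill matters more. Constructed.
JOB_FUNCTIONS: dict[str, dict[str, int]] = {
    "internal auditor": {"audit technique": 3, "ISO/IEC 27001": 3, "report writing": 2},
    "security administrator": {"access control": 3, "log review": 2, "ISO/IEC 27001": 1},
}

@dataclass
class Assessment:
    """Values agreed at one regular period of assessment (skill -> 0..MAX_LEVEL)."""
    period: str
    scores: dict[str, int]

@dataclass
class StaffMember:
    name: str
    job_function: str
    assessments: list[Assessment] = field(default_factory=list)  # oldest first

    def latest(self) -> Optional[Assessment]:
        return self.assessments[-1] if self.assessments else None

def competence_score(member: StaffMember) -> float:
    """Weighted competence for the member's job function, 0.0 to 1.0.
    A required skill with no agreed value counts as 0: not assessed is not evidenced."""
    required = JOB_FUNCTIONS[member.job_function]
    latest = member.latest()
    if latest is None:
        return 0.0
    achieved = sum(w * min(latest.scores.get(skill, 0), MAX_LEVEL)
                   for skill, w in required.items())
    return achieved / (sum(required.values()) * MAX_LEVEL)

def training_needs(member: StaffMember) -> list[tuple[str, int]]:
    """Required skills below TARGET_LEVEL as (skill, levels still needed),
    most heavily weighted skill first."""
    required = JOB_FUNCTIONS[member.job_function]
    latest = member.latest()
    scores = latest.scores if latest else {}
    gaps = [(skill, TARGET_LEVEL - scores.get(skill, 0))
            for skill in required if scores.get(skill, 0) < TARGET_LEVEL]
    gaps.sort(key=lambda gap: (-required[gap[0]], gap[0]))
    return gaps

def improvement(member: StaffMember, skill: str) -> Optional[int]:
    """Change in one skill between the two most recent periods, used to evaluate
    the effectiveness of a training or mentoring action; None if only one period."""
    if len(member.assessments) < 2:
        return None
    before, after = member.assessments[-2].scores, member.assessments[-1].scores
    return after.get(skill, 0) - before.get(skill, 0)

def skill_shortages(staff: list[StaffMember]) -> dict[str, int]:
    """Skills some job function requires that nobody currently holds at TARGET_LEVEL,
    mapped to the count of people holding them at that level (always 0 here)."""
    needed = {skill for req in JOB_FUNCTIONS.values() for skill in req}
    holders = {skill: 0 for skill in needed}
    for member in staff:
        latest = member.latest()
        for skill, value in (latest.scores.items() if latest else []):
            if skill in holders and value >= TARGET_LEVEL:
                holders[skill] += 1
    return {skill: n for skill, n in holders.items() if n == 0}

# Constructed sample staff: Alice has two assessment periods, Bob only one.
ALICE = StaffMember("Alice", "internal auditor", [
    Assessment("2024-H1", {"audit technique": 2, "ISO/IEC 27001": 3, "report writing": 4}),
    Assessment("2024-H2", {"audit technique": 3, "ISO/IEC 27001": 3, "report writing": 4}),
])
BOB = StaffMember("Bob", "security administrator", [
    Assessment("2024-H2", {"access control": 4, "log review": 2}),
])
STAFF = [ALICE, BOB]

if __name__ == "__main__":
    for member in STAFF:
        print(f"{member.name}: competence {competence_score(member):.2f}, "
              f"training needs {training_needs(member)}")
    print("Alice, audit technique, change since last period:", improvement(ALICE, "audit technique"))
    print("skill shortages:", skill_shortages(STAFF))
```

Note that a skill with no agreed value is deliberately scored as 0, so a gap in the assessment record shows up as a training need rather than disappearing from the evidence.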

Awareness
The requirement
Subclause 7.3 states: ‘Persons doing work under the organization’s control shall be aware of

— the XXX policy
— their contribution to the effectiveness of the XXX management system, including the benefits of improved XXX performance
— the implications of not conforming with the XXX management system requirements’.

(ISO/IEC Directives, Part 1, Subclause 7.3)

In addition to these requirements, an organization may wish to include other topics, such as:

1. XXX principles (e.g. quality principles, information security principles);
2. what can go wrong (e.g. as relevant: how product nonconformities can occur, how the environment can be damaged, how service provision can fail, how food can be poisoned, how disasters can occur and how information systems can be attacked);
3. what can be done to prevent, detect and rectify such problems;
4. instructions on the use of discipline-specific solutions (e.g. quality controls) of particular relevance, for example because they are new or ones that people seem to be having difficulty with;
5. what to do in the case of an XXX incident, accident, etc.;
6. management decisions, audit findings, incidents, accidents and lessons that top management now wishes the organization to learn; and
7. the XXX management system.

Documented information
There is no explicit requirement for documented information.

Awareness programmes
There is no requirement for anything called an ‘awareness programme’. The requirement is for creating awareness. How that is done is for the organization to decide. However, in some organizations an awareness programme might be appropriate.

An awareness programme would schedule various awareness events over a period of time, e.g. a year, each with its own subject and audience. This would be a good approach if the total audience was large and there were a large number of subjects to cover. Note, however, that, dependent upon staff turnover, once staff awareness has reached a certain level the need for a programme of this nature will diminish, as everyone is essentially aware of everything that they need to be aware of. In this case, awareness shifts to induction courses for new staff and briefing seminars and other means of communication (see below) to maintain awareness as things change. Organizations should also be mindful of the following.

1. The approach needed to create awareness is likely to depend on a variety of factors associated with the people concerned such as their seniority, education and social background. Different awareness sessions may therefore be needed for different groups of people.
2. Approaches which involve audience participation and group exercises are often more effective than seminars.
3. If top management is aware then it is easier to create awareness at the lower levels.

Example

As an example, during the roll-out of information security management systems to a number of government ministries and departments, the consultants concerned had involved the ministry and department heads in the risk assessment and risk treatment processes. Indeed it was top management that personally performed the assessment and treatment of risk with the assistance of their senior staff and IT support personnel. One day, a department head invited one of the consultants into his office and proudly showed off his new safe. The senior civil servant explained that he was using the safe to lock away his confidential papers at night – no longer did he want to leave them out for people such as the cleaners to see. He had worked this out for himself. He had not been told to do it. It was a direct result of his involvement and his leadership in the assessment and treatment of his department’s risks. The story of his new safe quickly spread throughout his department in a top-down manner. No one was going to be caught out. Speedily, they all equipped themselves with safes and immediately started following their boss’s good example.

Awareness campaigns
There is no requirement for having ‘awareness campaigns’. The requirement is for creating awareness. How that is done is for the organization to decide. However, once again, they may be appropriate for some organizations.

An awareness campaign seeks to create awareness of a particular issue, such as something new or something that is not working satisfactorily, over a short period of time. Successful campaigns have three stages:

1. an initial briefing, to tell everyone what the issue is and what should be done;
2. a period of reinforcement, where various methods are used to reinforce the message. For example, if the organization has control over people’s screen saver it can use the screen saver as a reminder of the message. If the organization has internal monitors, then these could be used to repeatedly cycle through a short slide presentation. Throughout this period there is a need to determine how well awareness is being increased; and
3. feedback, at the end of the campaign, hopefully to congratulate everyone and act as a final reminder of what they have learnt.

Example
As an example, an organization wished to raise awareness of its policy of locking confidential documents away when not in use, particularly when staff went home at night. Accordingly, during the period of reinforcement in raising awareness of this policy, selected staff would regularly inspect the workplace (a large open plan office with over 100 staff) after work. Both offenders and people who had set a particularly good example were rewarded with a sticker. A green sticker meant a job well done; an orange meant a warning; and a red meant a visit to the top manager’s office to explain themselves. There were a few red stickers at the beginning of the campaign, but news quickly spread that the boss was firmly behind this policy, a fact reinforced by his own array of green stickers. Over the following few weeks the number of orange stickers speedily reduced to zero while the number of green stickers increased. The campaign over, the boss remarked upon its success at the next departmental meeting, thanking everyone for their support.

Communication
Internal and external communications

Subclause 7.4 requires the organization to ‘determine the need for internal and external communications relevant to the XXX management system’. Thus the standard recognizes that both internal and external communications are important. If the organization were part of a larger organization, for instance if it were the drawing shop in a large company, external communications could mean communication with the Board of Directors and other departments, as well as customers and suppliers and other interested parties such as the families of employees and the press.

The requirement continues by saying ‘including (a) on what to communicate … ’ and two others as discussed below.

On what to communicate

Organizations ought to consider both normal and abnormal conditions.

During normal conditions, communications can be used as the vehicle for creating discipline-specific awareness (see above), as well as news (e.g. successful certification audits) to bolster morale. Communications can also be used to warn of potential problems (e.g. a risk of product nonconformity) and pending disruptions (e.g. that equipment will be offline for maintenance). Other topics could include meeting minutes, audit and incident (or accident) reports, and lessons to be learnt.

During abnormal conditions, topics would include advisories about disruptions, alternative working arrangements and coordinating business continuity activities.

Essentially the topics include everything that the organization wants people, both internal and external, to know and do that is relevant to its XXX interests.

When to communicate
Especially in abnormal conditions, timeliness is a key factor. However, there may be certain restrictions that can affect release, such as information that could affect share price, or a wish to release information only when the full facts are known.

With whom to communicate

Because of the awareness requirement (Subclause 7.3, see above), communication will be required with all persons doing work under the organization’s control. It is appropriate to communicate with all interested parties. There may also be other people and organizations, not considered in Subclause 4.2 as being interested parties, with whom communication may be appropriate, for example in the event of a disaster. These include:

1. families of staff (e.g. to provide good news of their relative’s safety);
2. emergency services; and
3. the Press.

If regular communication was entertained with law enforcement agencies, for example because, owing to the nature of the organization’s business, the incidence of fraud was high, then it would be appropriate to include them as an interested party. Such agencies will invariably have requirements, for example, pertaining to the collection of evidence. An organization may also wish to entertain communication with the Press during normal operations as a vehicle for providing market assurance.

Management and support

Other factors
In addition to the Annex SL requirements, organizations may also wish to consider who shall communicate and the processes by which communication shall be effected.

It is important to decide who will perform the communication and to ensure that they have the appropriate authority, competencies and knowledge. To do otherwise could lead to miscommunication and confusion.

Note that in large corporations, and similar, there might be an organization that is responsible for all internal and external communications. From the perspective of the management system, that organization might be an external organization. One would need to cooperate with them in order to meet the requirements of Subclause 7.4. Any difficulty here ought to be treated as an issue in response to Subclause 4.1.

A communication process describes the manner in which a message (i.e. the input to the process) is delivered to the intended audience (i.e. the output of the process). To be successful, it needs to deliver the right message in a clear and unambiguous way. The choice of medium will depend on the message and the intended audience, and indeed there is a wide range of mechanisms to choose from, including:

1. briefings, meetings, seminars and conferences;
2. letters, staff magazines, memos, emails, posters and web pages (internet and intranet);
3. short movies and film clips; and
4. telephone and text messaging, etc.

The use of a combination of methods may also be appropriate. For example, material presented in an awareness seminar could be reinforced with intranet articles, posters and videos on internal monitors.

Documented information
There is no explicit requirement for documented information in Annex SL. However, it will be inevitable that organizations will create whatever they need. If communication is effected through a presentation, for example, then the presentation material is, of course, documented information. Moreover, some management system standards may have discipline-specific requirements with regards to communications (e.g. ISO 22301).

Documented information
Overview of the requirement
Subclause 7.5 concerns documented information. It is split into three subclauses:

1. Subclause 7.5.1, which deals with the documented information that must be retained;
2. Subclause 7.5.2, which deals with creating and updating; and
3. Subclause 7.5.3, which deals with the control of documented information.

Documented information that must be retained


Subclause 7.5.1 states: ‘The organization’s XXX management system shall include

— documented information required by this International Standard
— documented information determined by the organization as being necessary for the effectiveness of the XXX management system’.

(ISO/IEC Directives, Part 1, Subclause 7.5.1)

Thus, an organization is free to determine what information it wishes to retain in addition to that required by the management system standard to which it chooses to conform.

Note the phrase ‘management system shall include’, which appreciates the role played by documented information in establishing policy, objectives and processes.

There is a note to the requirement which explains that the extent of documented information for an XXX management system can differ from one organization to another due to a variety of factors, such as the type and size of organization, and the competence of people. The list of factors included in the note is not exhaustive, but is intended to reinforce the principle that an organization ought to decide the extent of documented information for itself. As a guide, there is little point in producing documented information that no one will ever read, but great value in:

1. documenting clear, accurate and precise instructions in those cases where:
   a. an organization wishes many people to carry out an activity in a common way; and
   b. an activity is performed so infrequently that people find it difficult to remember how it was performed before; and
2. maintaining accurate records of performance.

Creating and updating


Subclause 7.5.2 states: ‘When creating and updating documented information the organization shall ensure appropriate

— identification and description (e.g. a title, date, author, or reference number)
— format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
— review and approval for suitability and adequacy’.

(ISO/IEC Directives, Part 1, Subclause 7.5.2)

Once again, organizations are free to decide how they wish to meet these requirements, and provided information is identifiable (bullet point a) and of known provenance (bullet point c) then almost anything goes. The word ‘appropriate’ is important. It means that conformance to the three bullet points should be suitable or proper for that item of documented information in the circumstances in which it is used. It also implies that different approaches can be used for different types of documented information.

Control of documented information


Subclause 7.5.3 is in three parts. There is also a note at the end of the subclause, pointing out that the term ‘access’, as used in the second part of the subclause, can mean read-only, read-write, etc.

The first part states that ‘Documented information required by the XXX management system and by this International Standard shall be controlled to ensure

— it is available and suitable for use, where and when it is needed
— it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)’.

The second part states: ‘For the control of documented information, the organization shall address the following activities, as applicable

— distribution, access, retrieval and use,
— storage and preservation, including the preservation of legibility
— control of changes (e.g. version control)
— retention and disposition’.

(ISO/IEC Directives, Part 1, Subclause 7.5.3)

The phrase ‘as applicable’ is noteworthy as the requirement for the preservation of legibility only applies to handwritten information (e.g. is it clear enough to read and does not fade over time). Moreover, control of changes does not normally apply to records (a witness statement being retracted and replaced by another would, however, be a counter-example). The use of the term ‘disposition’ is also noteworthy. It covers the transfer of documented information to somewhere outside the scope of the management system (and thereby not under the control of the organization), such as the return of customer information to the customer at the end of a contract, as well as the deliberate destruction of documented information, for example on the expiry of its retention period. Note that some retention periods are specified in law, e.g. in the UK by the Companies Act, for company records, and the Data Protection Act, for personally identifiable information.

The third part states: ‘Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled’.

(ISO/IEC Directives, Part 1, Subclause 7.5.3)

Documented information of external origin would include, for example, copies of ISO standards and books. They are not subject to quite the same requirements as documented information produced internally as the organization, for example, has no control over suitability or adequacy. However, an organization may wish to associate its own identifier with the information (such as a reference number in a library) and there may be a need to control distribution, for example, because of copyright restrictions.

If documented information is produced for the organization by an external organization (e.g. a consultant) and is subject to the organization’s review and approval, then it should not be treated as being of external origin.

Implementation guidance
Build strategy
If the organization is a start-up company, it really does have a blank sheet of paper and building the management system in the order that the requirements are presented in the standard is not such a bad idea. However, if the organization has existed for a while, it will most probably already have some sort of system of management and something akin to whatever the discipline-specific requirements specify shall be in place. It will also most likely be doing many things in a sensible fashion, otherwise it would be changing the way it does things. This observation is key to developing an efficient and effective implementation strategy.

Rather than implement the requirements in the order they are presented in the standard, a better strategy is to pretend that the management system actually exists, and then use the self-healing properties (Clauses 9 and 10) to turn it into one that really does conform to the standard.

The first step is to set up at least an embryonic management structure with which to manage the project. The next step is to recognize that although the diagram given earlier in Chapter 3 appears to start with ESTABLISH, and proceed to IMPLEMENT, MAINTAIN and IMPROVE, the best place to start is with MAINTAIN. Use the performance evaluation requirements (Clause 9 – measurement, audit and review) to discover what the organization already has in place in terms of the discipline-specific requirements and management system processes. A consultant might call this a gap analysis, but there is one big difference: one is actually making use of the Clause 9 management system processes to perform the analysis, and rather than then write up a report of gaps, one uses the requirements of Clause 10 to take immediate action. Thus, if one discovers a nonconformity, one takes immediate action to correct it, but if it is just something that would be ‘nice-to-have’, e.g. a better way of doing something, treat it as an improvement. It is not necessary to complete improvements before certification; however, if a pre-certification completion date has been set for the improvement, it clearly ought to be complete by the time of certification.

If certain discipline-specific requirements are met, e.g. there are quality (ISO 9001) or information security (ISO/IEC 27001) controls or a business continuity plan (ISO 22301) in place, one might get a head start on meeting the other discipline-specific requirements by reverse engineering. In this case, if there is a logical order to the way the discipline-specific requirements are presented in the standard, then one that investigates conformance to the requirements in the reverse order of presentation is the better way to proceed. This certainly should work for ISO/IEC 27001 and ISO 22301.

Awareness training and training in other skills that the organization deems relevant (see, for example, the discussion above on roles in the section on management and support) can start as soon as sufficient documented information has been put in place. For example, training of internal auditors cannot really be started until there is an agreed audit programme and audit procedure. Note that in this case, in addition to classroom training, trainee auditors may be given on-the-job training, performing audits which will kick-start the audit programme and build up a useful portfolio of audit reports.

In summary, one starts putting the management processes in place from day one. Record keeping starts from day one. One does not start at the beginning of the standard and implement the requirements in the order presented. Rather one starts in the middle and works towards the end and the beginning simultaneously, recognizing that Clauses 9 and 10 (see Chapter 2) are effectively the engine that drives and continually improves the management system. Thus, even while the management system is being established, these clauses will be exercised many times over.

Preparation and project planning

Overview

Figure 9 shows a schematic of a project plan, which is based on over 10 years of experience in building and using management systems. The diagram shows two distinct regions of activity, called build and use. These words have been chosen to avoid confusion with the words used in the standard, which are establish, implement, maintain and improve. In particular, while the management system is being built, the organization will in fact be carrying out activities in conformance with all the requirements of the standard. The same is true when the management system is in use.

The diagram also shows the relation of build and use to various certification activities, namely the initial certification audit (which is in two parts) and the first surveillance audit.

Five milestones have been identified:

M1: Project start-up;
M2: Specifications approved;
M3: Ready for certification;
M4: Recommended for certification; and
M5: Fully operational.

M1 Project start-up

Project start-up will include all the activities normally required by the organization at the start of a project. However, at, or soon after, the start-up there ought to be at least a working definition of the organization, its top management and the scope of the management system.

One of the first activities ought to be the construction of a repository (#1, in Figure 9) for the documented information. This should be designed in such a manner that it is easy to demonstrate conformance with all the requirements of the standard. In that manner, the project team can ensure that nothing has been missed out.

As the project proceeds, documented information (#2) will be placed into the repository; and the management system processes will be created and put into operation (#3). The previous section suggests an order for doing this.

Figure 9: Schematic of a project plan

A management system is as much about what people do as the documented information that it amasses. Therefore, there is a need to ensure that the people involved with the management system (top management, internal auditors, etc.) have the necessary competence. How this is done depends on the competencies already possessed, but in cases where having a management system is new, the development of competencies (#4) is likely to proceed via a number of briefing sessions and training courses. Ideally training should be aligned to the organization, its objectives and policies. This will allow classroom training to be immediately followed by a period of on-the-job training, where the newly trained individuals can be put to good use in helping to build the management system. For example, the organization’s audit procedures and audit programme (or at least preliminary versions of them) ought to be drawn up before internal audit training is commenced. A possible training course would then include:

1. explanation of the project, progress to date, and what will happen next;
2. audit theory and technique, explained in the context of the organization and objectives;
3. the audit requirements in the management system standard;
4. specific instruction and practice in the conduct of the organization’s audit procedures; and
5. explanation of the audit programme and expectations from on-the-job training.

Immediately after classroom training the newly trained auditors would then practise their skills in carrying out the audit programme. For a period of time, however, this would be regarded as on-the-job training, and would therefore attract much closer supervision from an experienced auditor. If changes are required to the audit procedures or audit programme, then these would be administered in accordance with Clause 10 of the standard (i.e. they would either be regarded as improvements or actions to correct nonconformities).

With regards to the discipline-specific requirements, there are two cases depending on whether the organization is an established organization or is a new organization. In the case of an established organization, it will have discipline-specific matters in place, but these might not conform to the requirements of the standard or even be written down. The task (#5a) is therefore to document it and deal with nonconformities. If there is nothing at all, the task (#5b) is to create the discipline-specific matters and (#5c) to implement them.

M2 Specifications approved
Once all the specification-type documented information requirements have been met, top management can approve the management system specification and confirm that milestone M2 has been achieved. At this stage, the documented information ought to pass a stage 1 audit. If the organization wanted a second opinion on how well it was doing, it would now be appropriate for a certification body to conduct a pre-assessment visit.

M3 Ready for certification

Once all the training (classroom and on-the-job) has been performed, and all the management system processes are up and running, top management ought to be able to pronounce that the management system is ready for certification (i.e. that Milestone M3 has been reached). There should be a wealth of documented information of the ‘records of performance’ variety to support this.

Note that if a certification body is asked to conduct a pre-assessment visit it should be done at the previous milestone, not here. At this advanced stage, the certification body ought really to be doing the initial audit.

M4 Recommended for certification

On completion of the stage 2 audit, the assessment team will produce its audit report and recommendation for certification, which should prove in favour of certification. The certification body will make its decision on the basis of the audit report and other information provided to it by the assessment team in accordance with its procedures. It would be unusual for the certification body not to uphold the assessment team’s recommendation.

M5 Fully operational

Every six or twelve months the certification body will conduct a surveillance audit (also known as a continual assessment visit, or CAV), and every three years there is a reassessment audit, which is somewhat akin to the stage 2 initial audit in terms of coverage. However, the first surveillance audit is somewhat of a special occasion as it is a true test that the management system is indeed functioning as specified in the management system standard and has not, for whatever reason, lapsed into a state of doing nothingness immediately following certification. A final project milestone, milestone M5, is therefore associated with a successful first surveillance audit. From the perspective of the organization, a successful audit ought to be one where no major nonconformities are found.

Choice of documentation media


When deciding the form and storage medium for documented information there are four factors that ought to be considered:

1. where to store the information;
2. how to navigate it;
3. whether it ought to be static or dynamic; and
4. whether to duplicate or not.

If documented information is kept in the form of paper documents, one has to consider the requirements concerning its availability and suitability (e.g. is it the correct version) for use, where and when it is needed (Subclause 7.5.3). This is less of a problem if the documented information is maintained in electronic form and accessed through the organization’s intranet or extranet, or even stored in a private or public cloud.

The ability to navigate by hyperlink has clear advantages, and is supported by many document formats including PDF, HTML and Word. One organization, which maintains its documented information in HTML on its intranet, [b] reported in 2004: ‘In the space of a few minutes I had demonstrated how our management system had met about 50 % of the BS 7799-2 requirements’. Using hyperlinks, information is literally one or two clicks away. It speeds up management reviews and external audits considerably.

If the information, at least some of it, is stored in a database then it can be processed immediately prior to being displayed to the user. This has advantages in being able to display up-to-date information, such as monitoring and measurement results.

Finally, there is the question of duplication. An organization may well have copious documented information stored outside of the management system repository. It is best not to duplicate these, but instead refer out (link) to the current versions. References (or links) should be set up so that if the version changes, the reference (or link) does not.

Chapter 4 – Transitioning to the new management system standards

Introduction

The objective of this chapter is to provide guidance on how to transition an existing management system to a new version of a management system standard that conforms to Annex SL. The guidance only concerns the identical core text and does not address discipline-specific requirements. The guidance has been developed for standards that closely follow the ISO 9001:2008 requirements that led to the development of Annex SL. These standards include ISO/IEC 27001:2005 and ISO 22301:2012.

This chapter is laid out as follows:

1. Transition strategies;
2. Integrated management system considerations;
3. Areas requiring little or no change;
4. Areas that potentially require a rethink;
5. New requirements likely to be satisfied already;
6. New requirements that may present a challenge;
7. Areas where an organization may take the opportunity to improve; and
8. Summary.

Transition strategies

At first view the changes may seem significant. However, on the basis of experience it has been found possible to transition a management system quite quickly, e.g. within a few weeks. However, while doing so, opportunities for overall improvement were identified. Thus, there are two basic transition strategies:

1. a straightforward ‘make-over’, making the minimum necessary changes to the existing management system processes and existing documentation; or
2. take a completely fresh look at the management system, taking advantage of the revised standard to make, in the case of some organizations perhaps quite significant, improvements.

In both cases, it will help greatly if there is a detailed explanation of how the existing management system conforms to the non-Annex SL conformant standard(s). In particular, cross-references to the individual requirements by paragraph, sentence, bullet point and even phrase to the exact point in existing documented information will be found to be the greatest benefit. If such an explanation does not exist, then a good place to start would be to produce it. It is recommended that any explanation of conformance to the revised standard is produced with the same level of precision.

Integrated management system considerations

The issue
As discussed in Chapter 2, Annex SL uses the term documented information rather than the original terminology of documents and records, and deprecates the term preventive action.

However, transitioning an integrated management system to a standard that conforms to Annex SL must be done in a manner that preserves conformance to standards which are not Annex SL conformant. This means that the transitioned integrated management system must conform to conflicting requirements:

1. a requirement for having documents and records (in a non-Annex SL conformant management system standard) and a requirement for having documented information (in an Annex SL conformant management system standard); and
2. a requirement for having preventive action (non-Annex SL conformant standard) and a requirement for not having preventive action (Annex SL conformant standard).

Documented information
Chapter 2 explains the relationship between documents, records and documented information in terms of specifications and records of performance. It is important to realize that an organization does not have to call something by exactly the same name as it is referred to in a standard, provided the organization knows how it satisfies the requirements of each standard in question. Thus a solution would be to:

1. update all integrated management system documentation to use the Annex SL terminology (e.g. 'documented information' in this case);
2. state (somewhere in the integrated management system documentation, e.g. where conformance to a non-Annex SL conformant standard is being discussed) that there are two types of documented information, Type S and Type P as defined in Chapter 2;
3. refer to documented information of Type S or Type P as appropriate if a distinction is being made between documents and records.

The reason for recommending that existing management system documentation is updated to use the Annex SL terminology is that ultimately all management system standards will use that terminology.

Preventive action

While Annex SL does not use the term 'preventive action', there is an Annex SL requirement (10.1 b) that refers to potential nonconformities, which states '… determining if similar nonconformities exist, or could potentially occur'. Thus it is the term preventive action that is deprecated, not the concept of potential nonconformities.

Requirement 10.1 b) also states '… reviewing the nonconformity'. In conforming with this requirement, upon discovery of a nonconformity, an organization would review that nonconformity. As part of that review the organization would determine whether there were any associated potential nonconformities. In non-Annex SL conformant standards, the process may well then continue by producing a 'Preventive Action Plan', as illustrated in Figure 10. The existence of this plan is effectively outlawed by Annex SL, compelling one to identify its replacement. To do this, one simply needs to change the name. It could simply be referred to as an action plan, as illustrated in Figure 11.

Figure 10: Fragment of the preventive action process in a non-Annex SL conformant standard


Thus, on transitioning to an Annex SL conformant standard, it would be replaced by a process of the form shown in Figure 11.

Figure 11: Replacement fragment in an Annex SL conformant standard

In explaining this process, in order to preserve conformance with non-Annex SL conformant standards, it will however be necessary to explain that:

1. 'identify risk' in the transitioned integrated management system satisfies any non-Annex SL conformant requirement for 'determining potential nonconformities and their causes'; and
2. 'treat risk' and 'implement action plans' in the transitioned integrated management system satisfy any non-Annex SL conformant requirement to 'determine and implement action needed'.

In addition, existing procedures may need to be augmented to react to nonconformities and take action, as applicable, to control and correct the nonconformity and deal with the consequences. Augmentation may also be required to determine whether similar nonconformities exist, or could potentially occur, and to ensure that corrective actions are appropriate to the effects of the nonconformities encountered. It is possible that procedures already exist for these requirements, but under the heading of preventive rather than corrective action.


Areas requiring little or no change


Requirement changes
For people familiar with pre-Annex SL standards there are identical core text requirements that might either look quite alien or lack content. Indeed, the word 'generic' is a criticism that has been spoken against Annex SL. However, this is because of the desire to define what, not how. To give an example, ISO/IEC 27001:2005 has a (discipline-specific) requirement to identify information security risks. The requirement continues by specifying in sub-bullets: identify assets, identify threats and identify vulnerabilities. The sub-bullets describe just one way to identify risks. There are other methods for identifying risk that do not do it that way. Thus the 2005 version of ISO/IEC 27001 states what, i.e. identify information security risks, and then proceeds to specify how, i.e. identify assets, identify threats and identify vulnerabilities. The 2013 version of ISO/IEC 27001 just states identify information security risks, i.e. the what. There is no mention of how. Indeed the terms assets, threats and vulnerabilities appear nowhere in the standard as a requirement or even as a note.

In this case, an information security management system that conforms to the risk identification requirements of ISO/IEC 27001:2005 must also conform to those of ISO/IEC 27001:2013. The fact that the identification of assets, threats and vulnerabilities is no longer a requirement is irrelevant. For this reason, there are quite a number of areas where an existing management system requires little or no change in order to conform to the corresponding Annex SL requirements. These areas are identified and discussed in the following subsections.

Policy
In the case of some pre-Annex SL management system standards there is a requirement to produce an XXX management system policy as opposed to what is required by Annex SL, which is just an XXX policy. Indeed, ISO/IEC 27001:2005, for example, goes as far as saying that the XXX management system policy is a superset of the XXX policy (where in this case, XXX = information security). The Annex SL requirement only to produce an XXX policy may cause confusion. 'What happens to the extra policy material that went into the management system component of the XXX management system policy?' is a question that some organizations might ask.

The answer is actually quite simple. The names that an organization wants to give to the various parts of its suite of documented information are not mandated by Annex SL. If an organization has a document or web page called 'ABC policy' that contains all the policy information required by the pre-Annex SL version of the management system standards with which it claims conformance, then nothing needs to change provided:

a. there is a requirement to retain such information; or
b. the organization considers that it is 'necessary for the effectiveness of the XXX management system'; and
c. there are no additional discipline-specific requirements for documented policy information.

However, organizations may feel the need to explicitly add statements of intent in regard to Subclause 5.2 (the XXX policy), third and fourth bullets, and add further policy statements, for example, regarding external and internal communications. Indeed, a policy statement is often a convenient way to document conformance with a requirement.

Control of documentation
No changes ought to be required to existing documented procedures concerning control of documentation, although minor adjustments may be required to the explanation of conformance. However, organizations should check for new discipline-specific requirements and deviations.

Management review
No changes ought to be required to existing documented procedures concerning management review, apart from ensuring that the topics listed in Subclauses 9.3 a) to f) are considered. Minor adjustments may be required to the explanation of conformance. However, organizations should check for new discipline-specific requirements and deviations.

Internal audit
No changes ought to be required to existing documented procedures concerning internal audit, although minor adjustments may be required to the explanation of conformance. However, organizations should check for new discipline-specific requirements and deviations.

Terms of reference for top management
A change may be required to accommodate the specific responsibilities given in Subclauses 5.1 a) to h).


Responsibilities
A change may be required to accommodate the specific responsibilities given in Subclauses 5.3 a) and b).

Awareness
A change may be required to accommodate the requirements of Subclause 7.4, as the process of creating awareness may be regarded as a form of communication.

Improvement
Ensure that existing procedures for continual improvement are extended to cover the suitability and adequacy of the management system as well as its effectiveness.

Areas that potentially require a rethink

Nature of challenges
There are two areas where the Annex SL requirements are not new to management system standards, but the way they are expressed may cause organizations to rethink their approach to conformance. The first concerns the scope of the management system and the second the XXX objectives.

Scope of the management system
During the course of revising ISO/IEC 27001, it became evident that there has been a long-reigning misunderstanding of the phrase 'scope of the management system', where people had confused it with 'scope of a certification audit'. There is a note to the definition of the term 'management system' in Annex SL which says 'The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations'. This may unwittingly exacerbate such confusion if it is not realized that the words 'may include' should be understood to imply that there may be other things within the scope, and in particular things that are external to the organization. As discussed in Chapter 2, the scope of the management system will include everything that is of interest to the management system. Thus, as evidenced by the note to the definition of the term 'outsource' in Annex SL, outsourced functions and processes are within the scope of the management system. However, these are unlikely to be included within the scope of a certification audit, which is generally just the organization.

If, on reflection, there are entities that ought to be included within the scope of the management system but were previously excluded, transitioning to an Annex SL conformant management system standard will provide a convenient opportunity to redefine the scope.

XXX objectives
Similarly, a difference of opinion exists on whether the term 'objective' is a general aim or a specific goal that should be met within a specified time frame. Hopefully, Annex SL clarifies the fact that it can be both (i.e. both interpretations are correct) by the use of the phrase 'relevant functions and levels' in Subclause 6.2.

However, for an organization that thought of its XXX objectives as only being timeless policy objectives, the requirement of Subclause 6.2 may come as a shock. Nevertheless, it may only require a change to the way conformance is described, as it is likely that an organization already sets objectives at all relevant functions and levels, and it is only just a question of recognizing that it does and describing how it does it.

For example, it is good practice when placing actions to define objectives, assign responsibilities and set target dates for completion. If an organization already does this, then it already conforms to this clause.

New requirements likely to be satisfied already

Nature of challenges
There are some new requirements in Annex SL, but it is likely that these will already be met by many organizations. In such cases, an organization merely needs to determine how it complies and then add a small amount of documented information, which ought to be readily available, to the transitioned management system. As mentioned in the section on 'choice of documentation media' in Chapter 3, organizations should not duplicate this information, but merely reference it.

Interested parties and their requirements
Subclause 4.2 requires an organization to determine the interested parties that are relevant to the XXX management system, and their requirements. It is highly likely that an organization already knows this information. For example, interested parties may include customers and suppliers, and their requirements will be documented in contracts, purchase orders and specifications, etc. Thus, all that needs to be done is identify where this information is documented and reference it. It is also highly likely that the organization already makes use of this information, thereby providing conformance with other subclauses such as 6.1.

Integration
The Annex SL integration requirement is in Subclause 5.1 ('ensuring the integration of the XXX management system requirements into the organization's business processes'). If the business functions of an organization are represented by a set of one or more workflow diagrams, and the activities that correspond to the management system requirements are spread throughout those workflow diagrams, then the integration requirement is probably met. Conversely, if the management system requirements are contained in a single workflow which contains nothing else, then the integration requirement is probably not met.

In the first case, it is then a question of how best to demonstrate conformance. If workflow diagrams exist, or can be visualized, e.g. through a software interface, then that would be an easy way to demonstrate conformance. If the integration requirement is not met, then the workflow concept may provide a route to achieving conformance.

New requirements that may present a challenge

Nature of challenges
Following on from above, there are some new requirements for which the required documented information probably does not exist, and some thought and perhaps lateral thinking is required to create it. There are two areas that fall into this category: issues, and monitoring, measurement, analysis and evaluation.

Issues
It is likely that the issues referred to in Subclause 4.1 would be well known to an organization, but not necessarily written down and certainly not in a way which would readily demonstrate conformance.

An important issue for most organizations would be its motivation for having a management system. An organization would, of course, know what that was and it would have been a major driver in how the original management system has been designed. Note that this motivation may have changed over time: the original motivation being superseded by another as the benefits of having a management system are realized.

Other important issues would be those concerned with the XXX discipline itself, e.g. quality issues or environmental issues. If these are unknown or the organization is otherwise uncertain of them, it may be possible to reverse engineer them from a consideration of the XXX policy, objectives and the responses to particular discipline-specific requirements (e.g. planning of product realization for ISO 9001, business impact analysis for ISO 22301 and information security risk assessment and risk treatment for ISO/IEC 27001).

Other issues, which are likely to have already been addressed by an organization, would relate to the operation of the management system, such as management commitment and staff motivation. Finally, organizations should consider looking through management meeting minutes and their records of preventive actions for further issues.

Monitoring, measurement, analysis and evaluation
The requirements of Subclause 9.1 are far more detailed and exacting than anything that may be deemed similar in any pre-Annex SL conformant management system standard. If there are discipline-specific requirements, such as customer feedback in ISO 9001, that are largely unchanged in the revised standard, then these are clear candidates for something that the organization can declare a topic for monitoring, measurement, analysis and evaluation, as it is something that it already does. Staff competence is another example. However, Chapter 3 recommends that organizations do not monitor and measure just because the organization has the capability to do so: there must be a reason and that, as explained in Chapter 3, is the information need. Organizations are therefore strongly advised to follow the advice given in Chapter 3.

Areas where an organization may take the opportunity to improve
During the course of transitioning, an organization may find one or more opportunities for improvement. These are just as, if not more, likely to relate to discipline-specific requirements as they are to the identical core text requirements. Once identified, organizations need to decide whether to make the changes immediately, or highlight them as opportunities for improvement with the intention of making the changes at an appropriate time in the future.

The first course of action is more typical if the organization is using the transition as a reason for making other changes, while the second is used if the organization has adopted a minimalistic transition strategy.

Summary

Transition strategy
Transitioning using the minimalistic strategy can be accomplished quite quickly, and given the improvement likely to the discipline-specific requirements in a revised standard, organizations are encouraged to transition as soon as they can rather than put off transitioning to the latest possible time. However, once detailed planning for transition is underway, organizations may well encounter an overwhelming desire to make improvements, which is good.

Documented information
The change of nomenclature can be readily resolved by realizing that references to documents in non-Annex SL standards are statements of intent whereas records concern evidence of past performance.

Preventive action
Existing procedures will need to be revised. However, a simple change, combined with the changes for corrective action, would be to refer to 'action plans' rather than 'preventive action plans'.

Document names
It does not matter what the standard calls a document or how it refers to an item of documented information. An organization can always call it by another name, provided the relationship is known.

XXX policy
There are additional requirements for the XXX policy, which are simple, and for all organizations ought not to exceed one A4 page of text in total.


Control of documentation and internal audit
No changes ought to be required, although minor adjustments may be required to the explanation of conformance. However, organizations should check for new discipline-specific requirements and deviations.

Terms of reference for top management, management review, responsibilities, awareness and improvement
Minor changes and additions are likely to be required in these areas.

Scope of the management system
It is possible that existing management system documentation confuses the scope of the management system with the scope of a certification audit. Resolution of such confusion is straightforward.

Objectives
At first view this may appear to be a significant change if an organization is used only to setting high level timeless policy objectives. However, it is likely that the requirement to establish objectives at relevant functions and levels is already met, and all an organization needs to do is document what it does.

Interested parties
It is highly likely that an organization already has documented information that identifies the interested parties and documents their requirements. All that is then needed is to reference it.

Integration
The integration requirement will be met if the activities that correspond to the management system requirements are spread throughout the organization's business function workflows.

Issues
Issues are likely to be discovered through a consideration of:

1. the organization's motivations for having a management system;
2. issues concerned with the XXX discipline itself, e.g. quality issues or environmental issues;
3. issues relating to the operation of the management system, such as management commitment and staff motivation;
4. management meeting minutes; and
5. records of preventive actions.

Monitoring, measurement, analysis and evaluation
This is likely to be by far the greatest challenge of a transition. The advice given in Chapter 3 should be followed, and in particular not to monitor and measure just because the organization has the capability to do so: there must be a valid information need, as the first few requirements in Subclause 9.1 are there to support the final requirement, which is to assess XXX performance and XXX management system effectiveness.

Opportunities for improvement
During the course of transitioning, an organization may find one or more opportunities for improvement. Treat these in accordance with the chosen transition strategy.



Bibliography

Standards publications
BS 7799-2:2002, Information security management systems — Part 2: Specification with guidance for use

BS 25999-2:2007, Business continuity management — Part 2: Specification

ISO 9001:2000 and 2008, Quality management systems — Requirements

ISO 14001:2004, Environmental management systems — Requirements with guidance for use

ISO/IEC 20000-1:2005, Information technology — Service management — Part 1: Specification

ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain

ISO 22301:2012, Societal security — Business continuity management systems — Requirements

ISO/IEC 27001:2005 and 2013, Information technology — Information security management systems — Requirements

ISO/IEC 27004:2009, Information technology — Security techniques — Information security management measurements

ISO/IEC 27013:2012, Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

ISO/IEC Directives, Part 1 — Consolidated ISO Supplement (3rd Edition)

PAS 99:2012, Specification of common management system requirements as a framework for integration


Other publications
[a] Brewer, D.F.C., Nash, M.J. and List, W. (2005) Exploiting an integrated management system, available at: http://www.gammassl.co.uk/research/MSExploitation.pdf [accessed September 2013]

[b] Brewer, D.F.C. (2004) A tale of BS 7799-2 certification, available at: http://www.gammassl.co.uk/research/archives/ISMS/Certification%20v02.pdf [accessed September 2013]


About the author


Dr David Brewer has a long history of involvement with quality systems beginning in 1980 when he acted as quality assurance section leader on a large software intensive project. He became involved with standards writing in the late 1980s and became a co-author of the original ISMS standard, BS 7799 Part 2, and is now an active member of the UK delegation to ISO JTC 1 SC27 WG1, which is responsible for the ISO 27000 family of standards; and is co-editor for the revision of ISO/IEC 27004 (Measurements).

He has played a significant role in the revision of ISO/IEC 27001 and its conformance to the new ISO directives on High Level Structure and Identical Core Text.

He has conducted a wide variety of consultancy assignments spanning 32 years in over 23 countries.

He is well known for his work in rolling out ISO/IEC 27001 to the whole of the Civil Service in Mauritius, which is an exemplar of his ISMS implementation methodology. Dr Brewer runs an integrated management system, which conforms to the quality, business continuity and information security management system standards. His seminal research papers include 'Measuring the Effectiveness of an Internal Control System', published in 2003, and 'Exploiting an Integrated Management System', published in 2005.

David Brewer

BSI order ref: BIP 0140

BSI Group Headquarters
389 Chiswick High Road
London W4 4AL
www.bsigroup.com

© BSI copyright
