
How to Successfully Maintain your ISO Certification

Posted on July 29th, 2024 | Written by Ken Holmes.

Good news! You’ve achieved certification to an ISO standard, whether it’s for quality, information security, environmental management or perhaps another standard. It’s taken a while and it’s been hard work, but now it’s all over. Or is it?

After the initial excitement has faded, chances are you’ll be surprised at how quickly the first surveillance audit comes around. Will it be a case of having to create lots of missing information in a panic the day before, or will it be a shrug of the shoulders and a cool “let them come”? The choice is yours.

Here we take a look at five main principles of maintaining your ISO management system so that you remain audit-ready at all times. 

Principle 1 – Streamline

If you’ve just achieved certification, chances are that your ISO management system is relatively new. As such, it’s likely to be a little rough around the edges, partly because so many processes, procedures, reviews and so on had to be put in place in a short space of time, and partly because ISO management systems are new to you and your understanding of how they work is still developing.

Because of this, there is probably scope for streamlining your management system, including doing the following:

  • Making processes and procedures more efficient; removing unneeded steps and stopping collecting information that’s not used or isn’t helpful.

  • Merging documentation together, to create a more focused set that is appropriate to the various audiences involved.

  • Reviewing your objectives and monitoring activities – does each metric carry its weight in terms of helping the management system achieve its goal? Could a smaller set of metrics do the job just as well but take less time to collect?

  • Going through your risk assessment to remove risks that are duplicates, or are so unlikely that they don’t deserve your attention. Record why each one was removed or merged, so that the change reads as a deliberate decision rather than a gap when the auditor compares this year’s assessment with last year’s.

  • Pushing some tasks that are still being done by a central ISO management system function out into the business where they belong; for example, are you still delivering awareness training, and could it not be done by HR with the appropriate coaching?

Principle 2 – Automate

Once you’ve removed those parts of your management system that aren’t needed, it’s time to look at how you can automate as much of what remains as possible. There are lots of tools available today that can perform tasks that were previously manual (for example sending reminder emails), and in doing so improve both the timeliness and the accuracy of those tasks. Look at each of your processes and procedures and ask whether it can be fully or partially automated, perhaps using systems and cloud tools that you already use for other things. For example, can your document review process be entered into a system that tracks versions and flags when a document is scheduled for review?
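As an added illustration of that last question (this is example code written for this page, not code from the original post or from any CertiKit product), the script below reads a small document register and flags every controlled document whose scheduled review is overdue or due within the next 30 days. The register layout, the document identifiers, owners, versions and dates are all constructed assumptions; a real deployment would read the same fields from wherever the document register actually lives.

```python
"""Document review register check (added example, not from the original post).

Reads a register of controlled documents and flags which are overdue for their
scheduled review. Register layout, identifiers and dates are constructed
assumptions for illustration.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

# Constructed sample register: one entry per controlled document, with the
# review cadence (in months) that the document owner has committed to.
SAMPLE_REGISTER = [
    {"doc_id": "POL-01", "title": "Information Security Policy", "version": "2.1",
     "owner": "CISO", "last_reviewed": "2024-01-15", "review_months": 12},
    {"doc_id": "PRO-07", "title": "Access Control Procedure", "version": "1.4",
     "owner": "IT Manager", "last_reviewed": "2023-06-30", "review_months": 12},
    {"doc_id": "REC-03", "title": "Internal Audit Programme", "version": "3.0",
     "owner": "Quality Lead", "last_reviewed": "2024-02-10", "review_months": 6},
]


@dataclass
class ReviewStatus:
    doc_id: str
    title: str
    owner: str
    due: date
    status: str  # "overdue", "due_soon" or "ok"


def parse_date(text: str) -> date:
    """Parse an ISO 8601 date (YYYY-MM-DD) as stored in the register."""
    return date.fromisoformat(text)


def add_months(start: date, months: int) -> date:
    """Return the date `months` after `start`, clamping to the end of the month
    so that, for example, 31 January + 1 month becomes 28/29 February."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def check_register(register=SAMPLE_REGISTER, today: str = "2024-07-29",
                   warn_days: int = 30) -> dict[str, ReviewStatus]:
    """Classify every document as overdue, due soon or ok relative to `today`.

    `today` is passed in explicitly (default: the post's publication date) so
    the check is reproducible; a scheduled job would pass date.today()."""
    today_date = parse_date(today)
    results: dict[str, ReviewStatus] = {}
    for row in register:
        due = add_months(parse_date(row["last_reviewed"]), row["review_months"])
        if due < today_date:
            status = "overdue"
        elif (due - today_date).days <= warn_days:
            status = "due_soon"
        else:
            status = "ok"
        results[row["doc_id"]] = ReviewStatus(
            row["doc_id"], row["title"], row["owner"], due, status)
    return results


def report(results: dict[str, ReviewStatus]) -> list[str]:
    """One line per document needing action, earliest due date first,
    in a form that can be dropped straight into a reminder email."""
    lines = []
    for s in sorted(results.values(), key=lambda s: s.due):
        if s.status != "ok":
            lines.append(f"{s.status.upper():9} {s.doc_id} {s.title!r} "
                         f"owner={s.owner} due={s.due.isoformat()}")
    return lines


if __name__ == "__main__":
    for line in report(check_register()):
        print(line)
```

Run from a scheduled job, the output is both the reminder to the document owners and a dated record that the review process was actually operated, which is exactly the kind of evidence a surveillance auditor will ask to see.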

It’s not just systems that can take work off your hands; some aspects of your management system could be candidates for outsourcing, where you pay a third party for a service that saves you time and brings more knowledge into your management system. This could be relevant to keeping up to date with legal changes or keeping on top of your internal audits.

Principle 3 – Schedule

For those aspects that you can’t streamline or automate, the next option is to schedule them so that they don’t get forgotten. This could involve putting dates in calendars for infrequent tasks such as annual management reviews, risk assessments and the internal audit programme. For more frequent tasks, a structure of regular meetings (with minutes, of course) with set agendas may be helpful to ensure that you keep on top of things. Once your week, month, quarter and year are planned out, it becomes a case of following the schedule rather than worrying about remembering what needs to be done.

Principle 4 – Adopt the Culture

One of the key ideas of an ISO management system is that it should be embedded within your organisation, so that it’s not a separate entity, but “the way we do things here”. This partly comes down to awareness training for pretty much everyone, supplemented by more detailed training for people involved in specific processes or procedures.

This comes to the fore when changes happen, such as office moves or reorganisations: either the management system requirements are retrofitted after the event (not good), or they are dealt with as a natural part of the project alongside everything else (much better).

Principle 5 – Think Evidence

If you want to ace your surveillance audits every time, then you must have something to show the auditor. This is another area where it pays to be proactive, because if you did something six months ago and didn’t record it at the time, your chances of producing evidence of it now are slim. Get into the habit of keeping records as you go and encourage everyone else to do the same.

Last Words

Surveillance audits shouldn’t be stressful; they should be a welcome check that you haven’t missed anything and a boost to improving your management system still further. If you’re finding your heart rate is increasing weeks before the audit date, then try some of these tips to smooth the journey and keep everything on track to maintain your ISO certification.

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).


How can CertiKit help with your compliance?

CertiKit provides a variety of solutions, including Compliance Toolkits, ISO services, and a Cyber Awareness Training Platform, designed to help you meet your compliance requirements with ease.

Our toolkits feature a comprehensive collection of expertly created, user-friendly templates and guides, along with a perpetual license that includes ongoing updates and expert support—ensuring you have assistance whenever you need it.
