When getting to grips with ISO standards for the first time, you will notice that they are structured in clauses, a bit like a contract.
This structure is common across all of the management system standards that ISO publishes, such as ISO 9001, ISO 22301 and ISO/IEC 27001, and is known as the "Annex SL" format or, more helpfully, the "High Level Structure". So, what we're about to say applies to all of the standards in this format.
Why are we starting at Clause 4? Because Clauses 1-3, although useful, don't contain any auditable requirements, focusing instead on information about the document (such as references and definitions) rather than on things you need to do.
What's in Clause 4?
Clause 4 of the management system is called "Context of the organisation" and is divided into 4 sub-clauses:
Understanding the organisation and its context
Understanding the needs and expectations of interested parties
Determining the scope of the management system
Management system and its process
Let's look at each of these in turn.
Sub-Clause 4.1 - Understanding the organisation and its context
In all the ISO management system standards, sub-clause 4.1 is relatively small but requires some careful thought to complete. It asks you to identify the external and internal issues that are relevant to the purpose of the management system. This requires you to look at those issues that can have an effect on your management system.
For instance, if you are looking at an ISO9001 Quality Management System (QMS), you would be looking at those issues that could affect the quality of your products and services to your customers.
External issues could be what we have seen recently, such as fuel restrictions which had an impact upon distribution of products, or changes in regulations that relate to your business sector.
Other examples of external issues include:
Statutory and regulatory requirements
Business sector specific requirements and agreements
Globalisation
Natural environment
Social, economic, political, and cultural factors
Internal issues could be equipment limitations that have an impact on the efficiency of your manufacturing cycle, or business reorganisations and location moves that impact on the employees.
Other internal factors to think about include:
Strategic direction
Types of products or services
Available resources
Size and complexity of the organisation
Levels of competence and organisational knowledge
Performance of the organisation
Depending upon the type of management system, you need to identify these issues that affect that particular subject, such as occupational health and safety (ISO45001) or IT service management (ISO/IEC 20000).
One way of determining your internal and external factors is to conduct a SWOT (Strengths, Weaknesses, Opportunities and Threats) and PESTLE (Political, Economic, Social, Technology, Legal and Environmental) exercise. Focusing on these areas will help you to identify potential factors that could influence your management system.
You should also include some information about your organisation, some history, your locations, if a multi-site organisation, and the types of products or services you produce or deliver.
This is also a good place to include your mission, vision, values, and culture:
Mission - the organisation's purpose for existing
Vision - aspiration of what the organisation would like to become
Values - principles and/or thinking patterns intended to play a role in shaping the organisation's culture and to determine what is important to the organisation, in support of the mission and vision
Culture - beliefs, history, ethics, observed behaviour and attitudes that are integrated within the identity of the organisation
It is important that the organisation's culture aligns with its mission, vision and values. Top management should review the mission, vision, values, and culture at planned intervals and whenever the context of the organisation changes. This should be included in the management review meeting.
Sub-Clause 4.2 - Understanding the needs and expectations of interested parties
This is a very important part of Clause 4 and of the management system and needs to be documented as fully as possible. It also links with another area of the standard, Sub-Clause 6.1 - Actions to address risks and opportunities, so it's important to get this right.
You are required to determine those interested parties that are relevant to your management system. What's an "interested party"? ISO defines it as a "person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or activity". A similar term that's often used interchangeably is "stakeholder".
As in Sub-Clause 4.1, interested parties can be external or internal.
Once you have identified these interested parties, you need to identify their relevant needs and expectations. Let's take an example of a typical interested party - Customers.
What would their needs and expectations be?
Need: They would need the organisation to produce high quality products or deliver first class services.
Expectation: They would expect the organisation to deliver the products on time or deliver the service in a professional and engaging way.
Not every interested party would have both a need and expectation, but they will have one of them!
You also need to identify if any of these needs or expectations are compliance requirements. These could be statutory or mandatory requirements that affect your organisation, or contractual requirements.
THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

| INTERESTED PARTY (The entity or person who can influence your work) | NEED/REQUIREMENT (What they require that can affect your output) | ACTION TO BE TAKEN (The action to be taken to monitor, or mitigate the potential problem) | NAME OF PERSON RESPONSIBLE | MONITORING AUTHORITY (Individual(s) who will be monitoring the action taken) |
| --- | --- | --- | --- | --- |
| Customers | Quality Service | To keep customers updated on the status of their application. Conduct internal audits to ensure quality control on processes. | Customer Relationship Exec; Lead Auditor | Ops manager; Quality Manager |
| Local Government Depts | Compliance with changing regulations | Regular checks on new legislations, rules, requirements. | Company Representative | Ops Manager |
| Certification body | To verify we are compliant with the standard | Scheduled internal audits, management review meetings and awareness sessions with all departments. | Lead Auditor; Quality Coordinator | Quality Manager |
| Lawyers | An understanding of the requirements | Ensure all requirements are clearly documented, signed off and dated before sending to Legal Department. | Ops Manager | COO |
The table above shows an example of external interested parties, but you would need to consider internal ones too.
When you come to address Sub-Clause 6.1 - Actions to address risks and opportunities, you will need to relate to both the external and internal issues identified in Sub-Clause 4.1 and the needs and expectations identified here in Sub-Clause 4.2. A similar type of table, using the same columns 1 and 2, would help to show alignment to an auditor.
Sub-Clause 4.3 - Determining the scope of your management system
The standards require you to determine the boundaries and applicability of your management system to establish its scope. This is another important area that needs careful thought.
This sub-clause will need input from the previous two sub-clauses as it requires you to consider the external and internal issues that you identified and the compliance obligations that were highlighted during the review of interested parties.
You also need to think about the business units and their functions that will be included. For example, you may decide that you are only going to include the production department of your organisation within your ISO9001 QMS and not your sales and finance departments. You may also need to consider what aspects of the product or services lifecycle are included within the scope. Some management systems must cover all of the business, such as the ISO14001 Environmental management system. However, in this case you will still need to state the physical boundaries of the EMS.
For example, if your head office is situated in Bristol, but your production facilities are in Swindon and Gloucester, your boundaries could cover all of these if they were included within the scope of the management system. You should also consider the organisation's activities, products, and services when defining your scope.
All this information needs to be documented in as clear terms as possible as it will be used to define the scope that is stated on your certificate too.
Sub-Clause 4.4 - The management system and its processes
This sub-clause requires you to establish, implement, maintain, and continually improve the management system, including processes needed to achieve the intended outcomes of the management system.
You must determine the processes needed for the management system and their application throughout the organisation. So effectively you must identify those processes needed to ensure that the management system actually does what you intend it to do.
Obviously, the specifics of those processes will depend upon the management system concerned.
If it were ISO9001 then you would be looking at:
Inputs required and the outputs expected from those processes
Determine the sequence and interaction of those processes
Determine the monitoring requirements, etc, etc.
These processes must be documented, along with supporting information, such as checklists, work instructions and so on, that will be used to evidence that the processes are being followed and monitored as planned. Note: This is what an auditor will be looking for!
In Summary
Clause 4 is an important part of the standard and feeds into several other clauses, so getting it right will have an impact further down the implementation journey.
It sets the background to the reason the organisation wants to implement the management system and identifies, right at the start, those requirements and needs from parties inside and outside of the organisation that can have an impact upon or be impacted by the management system.
It helps you identify the areas of the organisation that are going to be included within the scope of the management system. From this, it drives you to identify the processes within those areas that are critical to the organisation. From this, you can put in place the documentation that supports those processes and ensures that they are being followed properly.
So, spend a little time on Clause 4, and you won't regret it.