When getting to grips with ISO standards for the first time, you will notice that they are structured in clauses, a bit like a contract.
This structure is common across all of the management system standards that ISO publishes, such as ISO9001, ISO14001 and ISO/IEC 27001, and is known as the “Annex SL” format or, more helpfully, the “High Level Structure”. So what we’re about to say applies to all of the standards in this format.
Why are we starting at Clause 4? Because Clauses 1-3, although useful, don’t contain any auditable requirements, focusing instead on information about the document (such as references and definitions) rather than on things you need to do.
Clause 4 of the management system is called “Context of the organization” and is divided into four sub-clauses: 4.1 Understanding the organization and its context; 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the management system; and 4.4 The management system itself.
Let’s look at each of these in turn.
In all the ISO management system standards, sub-clause 4.1 is relatively small but requires some careful thought to complete. It asks you to identify the external and internal issues that are relevant to the purpose of the management system. This requires you to look at those issues that can have an effect on your management system.
For instance, if you are looking at an ISO9001 Quality Management System (QMS), you would be looking at those issues that could affect the quality of your products and services to your customers.
External issues could be events such as those we have seen recently, for example fuel restrictions that disrupted the distribution of products, or changes in regulations that relate to your business sector.
Other examples of external issues include:
Internal issues could be equipment limitations that reduce the efficiency of your manufacturing cycle, or business reorganizations and location moves that affect your employees.
Other internal factors to think about include:
Depending upon the type of management system, you need to identify the issues that affect that particular subject, such as occupational health and safety (ISO45001) or IT service management (ISO/IEC 20000).
One way of determining your internal and external factors is to conduct a SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis and a PESTLE (Political, Economic, Social, Technology, Legal and Environmental) analysis. Focusing on these areas will help you to identify potential factors that could influence your management system.
You should also include some information about your organization: some history, your locations (if you are a multi-site organization), and the types of products or services you produce or deliver.
This is also a good place to include your mission, vision, values, and culture:
It is important that the organization’s culture aligns with its mission, vision and values. Top management should review the mission, vision, values, and culture at planned intervals and whenever the context of the organization changes. This review should be included in the management review meeting.
This is a very important part of Clause 4 and of the management system and needs to be documented as fully as possible. It also links with another area of the standard, Sub-Clause 6.1 – Actions to address risks and opportunities, so it’s important to get this right.
Sub-Clause 4.2 requires you to determine those interested parties that are relevant to your management system. What’s an “interested party”? ISO defines it as a “person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity”. A similar term that’s often used interchangeably is “stakeholder”.
As in Sub-Clause 4.1, interested parties can be external or internal.
Once you have identified these interested parties, you need to identify their relevant needs and expectations. Let’s take an example of a typical interested party – Customers.
What would their needs and expectations be?
Need: They would need the organization to produce high quality products or deliver first class services.
Expectation: They would expect the organization to deliver the products on time or deliver the service in a professional and engaging way.
Not every interested party would have both a need and expectation, but they will have one of them!
You also need to identify if any of these needs or expectations are compliance requirements. These could be statutory or mandatory requirements that affect your organization, or contractual requirements.
The table above shows an example of external interested parties, but you would need to consider internal ones too.
When you come to address Sub-Clause 6.1 – Actions to address risks and opportunities, you will need to relate to both the external and internal issues identified in Sub-Clause 4.1 and the needs and expectations identified here in Sub-Clause 4.2. A similar table, using the same first two columns, would help to show an auditor that the two are aligned.
In Sub-Clause 4.3, the standards require you to determine the boundaries and applicability of your management system in order to establish its scope. This is another important area that needs careful thought.
This sub-clause will need input from the previous two sub-clauses as it requires you to consider the external and internal issues that you identified and the compliance obligations that were highlighted during the review of interested parties.
You also need to think about the business units and their functions that will be included. For example, you may decide that you are only going to include the production department of your organization within your ISO9001 QMS and not your sales and finance departments. You may also need to consider what aspects of the product or services lifecycle are included within the scope. Some management systems must cover all of the business, such as the ISO14001 Environmental management system. However, in this case you will still need to state the physical boundaries of the EMS.
For example, if your head office is situated in Bristol, but your production facilities are in Swindon and Gloucester, your boundaries could cover all of these if they were included within the scope of the management system. You should also consider the organization’s activities, products, and services when defining your scope.
All of this information needs to be documented in as clear terms as possible as it will be used to define the scope that is stated on your certificate too.
Sub-Clause 4.4 requires you to establish, implement, maintain, and continually improve the management system, including the processes needed to achieve the intended outcomes of the management system.
You must determine the processes needed for the management system and their application throughout the organization. So effectively you must identify those processes needed to ensure that the management system actually does what you intend it to do.
Obviously, the specifics of those processes will depend upon the management system concerned.
If it were ISO9001 then you would be looking at:
These processes must be documented, along with supporting information, such as checklists, work instructions and so on, that will be used to evidence that the processes are being followed and monitored as planned. Note: This is what an auditor will be looking for!
Clause 4 is an important part of the standard and feeds into a number of other clauses, so getting it right will have an impact further down the implementation journey.
It sets the background to the reason the organization wants to implement the management system and identifies, right at the start, those requirements and needs from parties inside and outside of the organization that can have an impact upon or be impacted by the management system.
It helps you identify the areas of the organization that are going to be included within the scope of the management system. From this, it drives you to identify the processes within those areas that are critical to the organization. From this, you can put in place the documentation that supports those processes and ensures that they are being followed properly.
So spend a little time on Clause 4, and you won’t regret it.
Written by Ken Holmes and Ted Spiller.
Ken is CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
Ted is CertiKit’s Compliance Consultant, and an expert in many ISO management systems; he is a Lead Auditor for ISO27001, ISO9001 and ISO14001 and Auditor for ISO45001 and ISO22301.
CertiKit’s ISO Toolkits and ISO Services are available to help you understand and implement your chosen ISO standard(s). The toolkits include easy-to-understand templates and guides, plus a perpetual licence with ongoing updates and support, so you’ve got help whenever you need it.