Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO Guide – Clause 4: Scope, Context and Requirements

When getting to grips with ISO standards for the first time, you will notice that they are structured in clauses, a bit like a contract.

This structure is common across all of the management system standards that ISO publishes, such as ISO9001, ISO14001 and ISO/IEC 27001, and is known as the “Annex SL” format or, more helpfully, the “High Level Structure”. So what we’re about to say applies to all of the standards in this format.

Why are we starting at Clause 4? Because Clauses 1-3, although useful, don’t contain any auditable requirements, focusing instead on information about the document (such as references and definitions) rather than on things you need to do.

ISO Guide: Clause 4, scope, context & requirements

What’s in Clause 4?

Clause 4 of the management system is called “Context of the organization” and is divided into 4 sub-clauses:

  1. Understanding the organization and its context
  2. Understanding the needs and expectations of interested parties
  3. Determining the scope of the management system
  4. Management system and its process

Let’s look at each of these in turn.

Sub-Clause 4.1 - Understanding the organization and its context

In all the ISO management system standards, sub-clause 4.1 is relatively small but requires some careful thought to complete. It asks you to identify the external and internal issues that are relevant to the purpose of the management system. This requires you to look at those issues that can have an effect on your management system.

For instance, if you are looking at an ISO9001 Quality Management System (QMS), you would be looking at those issues that could affect the quality of your products and services to your customers.

External issues could be what we have seen recently, such as fuel restrictions which had an impact upon distribution of products, or changes in regulations that relate to your business sector.

Other examples of external issues include:

  • Statutory and regulatory requirements
  • Business sector specific requirements and agreements
  • Globalization
  • Natural environment
  • Social, economic, political, and cultural factors

Internal issues could be equipment limitations that have an impact on the efficiency of your manufacturing cycle, or business reorganizations and location moves that impact on the employees.

Other internal factors to think about include:

  • Strategic direction
  • Types of products or services
  • Available resources
  • Size and complexity of the organization
  • Levels of competence and organizational knowledge
  • Performance of the organization

Depending upon the type of management system, you need to identify these issues that affect that particular subject, such as occupational health and safety (ISO45001) or IT service management (ISO/IEC 20000).

One way of determining your internal and external factors is to conduct a SWOT (Strengths, Weaknesses, Opportunities and Threats) and PESTLE (Political, Economic, Social, Technology, Legal and Environmental) exercise.  Focusing on these areas will help you to identify potential factors that could influence your management system.

You should also include some information about your organization, some history, your locations, if a multi-site organization, and the types of products or services you produce or deliver.

This is also a good place to include your mission, vision, values, and culture:

  • Mission – the organization’s purpose for existing
  • Vision – aspiration of what the organization would like to become
  • Values – principles and/or thinking patterns intended to play a role in shaping the organization’s culture and to determine what is important to the organization, in support of the mission and vision
  • Culture – beliefs, history, ethics, observed behaviour and attitudes that integrated within the identity of the organization

It is important that the organization’ culture aligns with its mission, vision and values. Top management should review the mission, vision, values, and culture at planned intervals and whenever the context of the organization changes. This should be included in the management review meeting.

Sub-Clause 4.2 - Understanding the needs and expectations of interested parties

This is a very important part of Clause 4 and of the management system and needs to be documented as fully as possible. It also links with another area of the standard, Sub-Clause 6.1 – Actions to address risks and opportunities, so it’s important to get this right.

You are required to determine those interested parties that are relevant to your management system. What’s an “interested party”? ISO defines it as a “person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity”. A similar term that’s often used interchangeably is “stakeholder”.

As in Sub-Clause 4.1, interested parties can be external or internal.

Once you have identified these interested parties, you need to identify their relevant needs and expectations. Let’s take an example of a typical interested party – Customers.

What would their needs and expectations be?

Need: They would need the organization to produce high quality products or deliver first class services.

Expectation: They would expect the organization to deliver the products on time or deliver the service in a professional and engaging way.

Not every interested party would have both a need and expectation, but they will have one of them!

You also need to identify if any of these needs or expectations are compliance requirements. These could be statutory or mandatory requirements that affect your organization, or contractual requirements.

The table above shows an example of external interested parties, but you would need to consider internal ones too.

When you come to address Sub-Clause 6.1 – Actions to address risks and opportunities, you will need to relate to both the external and internal issues identified in Sub-Clause 4.1 and the needs and expectations identified here in Sub-Clause 4.2. A similar type of table, using the same columns 1 and 2 would help to show an auditor alignment.

Sub-Clause 4.3 - Determining the scope of your management system

The standards require you to determine the boundaries and applicability of your management system in order to establish its scope.  This is another important area that needs careful thought.

This sub-clause will need input from the previous two sub-clauses as it requires you to consider the external and internal issues that you identified and the compliance obligations that were highlighted during the review of interested parties.

You also need to think about the business units and their functions that will be included. For example, you may decide that you are only going to include the production department of your organization within your ISO9001 QMS and not your sales and finance departments.  You may also need to consider what aspects of the product or services lifecycle are included within the scope. Some management systems must cover all of the business, such as the ISO14001 Environmental management system. However, in this case you will still need to state the physical boundaries of the EMS.

For example, if your head office is situated in Bristol, but your production facilities are in Swindon and Gloucester, your boundaries could cover all of these if they were included within the scope of the management system.  You should also consider the organization’s activities, products, and services when defining your scope.

All of this information needs to be documented in as clear terms as possible as it will be used to define the scope that is stated on your certificate too.

Sub-Clause 4.4 - The management system and its processes

This sub-clause requires you to establish, implement, maintain, and continually improve the management system, including processes needed to achieve the intended outcomes of the management system.

You must determine the processes needed for the management system and their application throughout the organization. So effectively you must identify those processes needed to ensure that the management system actually does what you intend it to do.

Obviously, the specifics of those processes will dependent upon the management system concerned.

If it were ISO9001 then you would be looking at:

  • Inputs required and the outputs expected from those processes
  • Determine the sequence and interaction of those processes
  • Determine the monitoring requirements, etc, etc.

These processes must be documented, along with supporting information, such as checklists, work instructions and so on, that will be used to evidence that the processes are being followed and monitored as planned. Note: This is what an auditor will be looking for!

In Summary

Clause 4 is an important part of the standard and feeds into a number of other clauses, so getting it right will have an impact further down the implementation journey.

It sets the background to the reason the organization wants to implement the management system and identifies, right at the start, those requirements and needs from parties inside and outside of the organization that can have an impact upon or be impacted by the management system.

It helps you identify the areas of the organization that are going to be included within the scope of the management system. From this, it drives you to identify the processes within those areas that are critical to the organization. From this, you can put in place the documentation that supports those processes and ensures that they are being followed properly.

So spend a little time on Clause 4, and you won’t regret it.

 

Written by Ken Holmes and Ted Spiller

Ken is CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

Ted is CertiKit’s Compliance Consultant, and an expert in many ISO management systems; he is a Lead Auditor for ISO27001, ISO9001 and ISO14001 and Auditor for ISO45001 and ISO22301.


How can CertiKit help with your ISO Implementation?

CertiKit’s ISO Toolkits and ISO Services are available help you understand and implement your chosen ISO standard(s). The toolkits include easy to understand templates and guides, plus a perpetual licence with ongoing updates and support, so you’ve got help whenever you need it.

Click the links to find out more about the ISO Toolkits and ISO Services.

We’ve helped more than 7000 businesses with their compliance

Testimonials

Thanks for saving me many, many hours of policy writing!

Le Rucher
France

View all Testimonials