Blog ISO Guide – Clause 6: Planning

What’s in Clause 6?

Clause 6 of the management system consists of three subclauses:

• 1 Actions to address risks and opportunities
• 2 Objectives and planning to achieve them
• 3 Planning of changes

Let’s look at each of these in turn to better understand what they require us to do.

Subclause 6.1 - Actions to address risks and opportunities

Subclause 6.1 of the ISO management system standards deals with the actions required to address risks and opportunities related to the requirements of interested parties. This subclause emphasizes the importance of identifying, analysing, and evaluating risks and opportunities that can affect an organization’s ability to achieve its objectives. It fits in with one of the key principles of ISO management systems, which is risk-based thinking. 

Risk-based thinking is a fundamental concept in ISO management systems, such as ISO 9001 (quality management) and ISO 14001 (environmental management). It is an approach that enables organizations to identify and manage risks and opportunities that could impact their objectives, performance, and stakeholders. It involves considering potential risks and opportunities at every stage of the quality management process, from planning to delivery, in order to prevent or mitigate negative outcomes and maximize positive outcomes. This approach emphasizes proactive and preventive actions, rather than reactive measures.

For instance, in ISO 9001 the key principles are to:

• Identify risks and opportunities that could impact their quality management system, products or services, customers, and stakeholders.
• Evaluate the significance of these risks and opportunities, taking into account their likelihood, potential impact, and the effectiveness of existing controls.
• Develop and implement appropriate risk mitigation or opportunity exploitation measures, based on the evaluation of risks and opportunities.
• Continuously monitor and review the effectiveness of the risk management process and update the risk management plan as necessary.

By adopting a risk-based thinking approach, organizations can identify and address potential risks and opportunities in a proactive manner, leading to more efficient and effective quality management practices, increased customer satisfaction, and improved overall performance.

Benefits of risk-based thinking

Some of the benefits of adopting risk-based thinking are: 

1. Improved decision-making: By identifying and assessing risks and opportunities, organizations can make informed decisions that are based on a thorough understanding of the potential consequences of their actions. This can lead to more effective and efficient decision-making, reducing the likelihood of costly mistakes or missed opportunities.
2. Increased resilience: By understanding the risks and opportunities that could impact their business, organizations can build resilience and better prepare for unexpected events. This can help them to respond quickly and effectively to crises, reducing the impact on their business and stakeholders.
3. Continuous improvement: Risk-based thinking encourages organizations to continuously review and improve their management systems. By identifying risks and opportunities, organizations can identify areas for improvement and take proactive steps to address them.

To summarise risk-based thinking, it is a critical component of ISO management systems that can help organizations to make better decisions, increase resilience, and drive continuous improvement.

Examples of how this requirement can be applied

The following are some examples of how the requirements in this subclause can be applied in practice:

1. Identification of Risks and Opportunities: The first step is to identify the risks and opportunities that may affect the organization. For example, an organization may identify the risk of a cybersecurity breach or the opportunity to expand into new markets.

2. Risk Assessment: Once the risks and opportunities are identified, the next step is to assess their potential impact on the organization. For example, a cybersecurity breach could lead to a loss of customer data, reputation damage, or financial losses.

3. Risk Mitigation: After assessing the risks, the organization must take steps to mitigate them. For example, the organization may implement a cybersecurity policy, invest in IT infrastructure, and train employees on cybersecurity best practices.

4. Opportunity Maximization: Organizations must also take steps to maximize opportunities. For example, an organization may develop a marketing strategy to expand into new markets, invest in research and development to develop new products, or form partnerships with other companies.

5. Monitoring and Review: Finally, it is essential to monitor and review the effectiveness of risk and opportunity management actions taken. This helps to ensure that the organization is continually improving its management system and achieving its objectives.

Example of an actions to address table

Let’s look at an example of how risks and opportunities relate to the interested parties of the management system.

The above table sets out the following:

• The interested Party
• Their Need or Expectation
• The identified risk or opportunity
• The effectiveness of the actions that were implemented to meet their needs or requirements

Remember that this sub-clause is linked to sub-clause 4.2. which is titled Understand the needs and expectations of interested parties, so using the same columns 1 and 2 in the table above would help to show an auditor alignment.

Overall, clause 6.1 of the ISO management system standards requires organizations to take a proactive approach to managing risks and opportunities. By identifying, assessing, and mitigating risks and maximizing opportunities, organizations can improve their performance, meet their objectives, and remain competitive in their industries.

Subclause 6.2 - Objectives and planning to achieve them

ISO management system objectives refer to the goals and targets set by an organization to achieve compliance with ISO standards. These objectives help organizations to establish a framework for consistent and effective management practices across all areas of their operations, leading to improved efficiency, customer satisfaction, and overall performance.

The actions used to achieve ISO management system objectives typically involve a systematic and structured approach that includes the following steps:

1. Planning: This involves establishing clear and measurable objectives, identifying the resources needed to achieve them, and developing an action plan to implement the necessary changes.
2. Implementation: This involves carrying out the action plan, assigning responsibilities, and monitoring progress towards achieving the objectives.
3. Evaluation: This involves assessing the effectiveness of the actions taken and identifying areas for improvement.
4. Improvement: This involves making changes to the management system and taking corrective actions where necessary to ensure continued compliance with ISO standards and the achievement of the organization’s objectives.

Some common examples of objectives

Some common actions that organizations take to achieve ISO management system objectives include:

1. Documenting policies and procedures: Organizations create clear and concise documentation outlining their policies and procedures to ensure that everyone in the organization understands the standards they need to meet and the actions they need to take.
2. Training and awareness: Organizations provide training and awareness programs to ensure that all employees understand their roles and responsibilities in implementing the management system and achieving the organization’s objectives.
3. Monitoring and measurement: Organizations use monitoring and measurement tools to evaluate their performance against the objectives and identify areas for improvement.
4. Continual improvement: Organizations use a continuous improvement process to regularly review and update their management system to ensure ongoing compliance with ISO standards and the achievement of their objectives.

The difference between business and ISO management system objectives

A business objective is a specific, measurable, achievable, relevant, and time-bound goal that an organization sets to achieve its overall mission and vision. Business objectives are usually focused on improving the organization’s financial performance, customer satisfaction, market share, employee engagement, or other strategic areas of focus.

On the other hand, an ISO management system objective is a specific goal that an organization sets to meet the requirements of a specific ISO management system standard, such as ISO 9001 (Quality Management), ISO 27001 (Information Security Management). ISO management system objectives are designed to improve the organization’s management practices, processes, and systems to meet the requirements of the relevant standard. These also need to be SMART.

While business objectives and ISO management system objectives are different, they are not mutually exclusive. In fact, an organization can use ISO management system objectives to achieve its business objectives. For example, an organization may set an ISO management system objective to improve its product quality, which can help it achieve its business objective of improving customer satisfaction and market share.

Additionally, an organization may set business objectives that align with ISO management system standards, such as reducing its environmental impact, which can help it achieve compliance with ISO 14001.

Subclause 6.3 - Planning of changes

This part of the clause deals with changes to the management system, and requires them to be adequately carried out, with due regard to what’s intended to be achieved, and making sure that all of the relevant parts of the system are updated consistently. This involves identifying when a change is happening, understanding its consequences for the management system, and then implementing it smoothly. A simple change management process will help to achieve this.

Additional requirements in other management systems

While there are similarities in the requirements of Clause 6 across ISO management systems written in the Annex SL format, there may also be some differences based on the specific standard and its focus. Here are some key differences you may encounter in the requirements of Clause 6 for different ISO management systems:

1. ISO 9001 (Quality Management System)

• The emphasis is on planning changes related to the quality management system, including processes, products, and services
• The requirements focus on meeting customer requirements, enhancing customer satisfaction, and improving product and service quality

2. ISO 14001 (Environmental Management System)

• The focus is on planning changes related to the environmental management system, particularly addressing environmental aspects, impacts, and performance
• The requirements emphasize the prevention of pollution, compliance with applicable environmental regulations, and continual improvement of environmental performance

3. ISO 45001 (Occupational Health and Safety Management System)

• The requirements centre around planning changes related to the occupational health and safety management system, with a focus on hazard identification, risk assessment, and risk control.
• The emphasis is on ensuring a safe and healthy work environment, preventing work-related injuries and ill-health, and complying with applicable health and safety regulations.

4. ISO 27001 (Information Security Management System)

• The focus is on planning changes related to the information security management system, including the identification and assessment of information security risks.
• The requirements emphasize the protection of sensitive information, safeguarding data confidentiality, integrity, and availability, and complying with relevant legal and regulatory requirements.

While these are some notable differences, it’s important to remember that the Annex SL format establishes a common high-level structure and core requirements across ISO management systems. This allows for easier integration and alignment of different management systems within an organization, facilitating synergies and streamlining the overall management system approach. However, each specific ISO standard has its own unique context and requirements that reflect the nature of the discipline it addresses.

Links to other areas of the standard

Clause 6 in an ISO management system written in the Annex SL format serves as a critical link between various other clauses of the standard. It establishes the foundation for effective planning and management of changes throughout the management system. Here’s how Clause 6 typically connects with other clauses.

1. Context of organization (Clause 4)

• Clause 6 builds upon the organization’s understanding of its context, including internal and external factors and interested parties.
• It considers these factors when determining the need for changes and planning their implementation.

2. Leadership (Clause 5)

• The leadership’s commitment and involvement are crucial in driving and supporting the planning and management of changes.
• The leadership sets the direction, objectives, and resources for change initiatives and ensures they align with the organization’s strategic goals

3. Support (Clause 7)

• The support clause ensures that resources, including human resources, infrastructure, and competence, are identified, and allocated for implementing planned changes.
• It also emphasizes the importance of communication and creating awareness of changes to stakeholders within the organization

4. Operation (Clause 8)

• Changes planned in Clause 6 often lead to adjustments in the organization’s operational processes, procedures, and activities.
• Clause 8 guides the implementation of these changes, ensuring that they are executed effectively and in line with the planned objectives.

5. Performance evaluation (Clause 9)

• Clause 6 establishes the framework for evaluating the performance of changes within the management system.
• Clause 9 then focuses on monitoring and reviewing the effectiveness and suitability of the implemented changes, including identifying nonconformities and opportunities for improvement.

6. Improvement (Clause 10)

• The changes implemented under Clause 6 are subject to continuous improvement.
• Clause 10 guides the organization in taking corrective and preventive actions based on the monitoring and review results, driving further enhancements and adjustments to the management system.

In summary

 Clause 6 is the core of identifying risks, opportunities and improvements within the ISO management standards.

• Subclause 6.1 – Actions to address risks and opportunities is linked to clauses 4.1 and 4.2 and needs to be documented.
• Subclause 6.2 – Organizations need to establish relevant objectives for their management system, that are implemented, monitored, communicated and updated as appropriate.
• Subclause 6.3 – The organization must control changes that affect their management system by considering their potential consequences, the integrity of the management system, availability of resources and responsibilities.

There are variations of the requirements as stated earlier, but these are the core requirements.

Overall, Clause 6 acts as a vital thread that runs through the entire management system, linking together various aspects of planning, support, operation, evaluation, and improvement. It ensures that changes within the organization are effectively planned, managed, monitored, and improved in alignment with the organization’s context, leadership commitment, and strategic objectives.

Written by Ken Holmes and Ted Spiller. 

Ken is CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

Ted is CertiKit’s Compliance Consultant, and an expert in many ISO management systems; he is a Lead Auditor for ISO27001, ISO9001 and ISO14001 and Auditor for ISO45001 and ISO22301.

How can CertiKit help with your ISO Implementation?