Blog ISO Guide – Clause 7: Support

What’s in Clause 7?

Clause 7 of the management system consists of five subclauses:

• 7.1 Resources
• 7.2 Competence
• 7.3 Awareness
• 7.4 Communication
• 7.5 Documented Information

Let’s look at each of these in turn.

Subclause 7.1 Resources

Subclause 7.1 of the ISO management system standards deals the resources required for the implementing and running of the management system. In most of the standards we’re talking about, the subclause is a short one-liner that simply requires that the resources are identified and provided. Although brief, it requires you to consider the current capabilities and restriction of internal resources, such as manpower, experience, equipment and budget. Resources support the operation of all processes in an organization and are critical for ensuring effective and efficient performance and its sustained success. The organization should implement sufficient control over its processes to achieve efficient and effective use of its resources. Depending on the nature and complexity of the organization, some of the resources will have different impacts on the sustained success of the organization. When considering future activities, the organization should take into account the accessibility and suitability of resources, including externally provided resources. The organization should frequently evaluate its existing use of resources to determine opportunities for improving their use, optimizing processes, and implementing new technologies to reduce risks.

ISO9001 in particular goes into a lot more detail in this area, and (in addition to the general requirements) adds five other specific requirements:

• 7.1.2 People – The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.
• 7.1.3 Infrastructure – The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services – these can include buildings and associated utilities, equipment (including hardware and software), transportation resources and information and communication technology.
• 7.1.4 Environment for the operation of processes – The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services. – This can be a combination of human and physical factors, such as: social (for example non-discriminatory, calm, nonconfrontational), psychological (for example stress-reducing, burnout prevention) and physical (such as temperature, humidity, light, airflow, noise).
• 7.1.5 Monitoring and measuring resources – The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements. This includes any calibration equipment needed to ensure the conformity of your product, such as scales, micrometres and exhaust gas monitors.
• 7.1.6 Organizational knowledge – The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. This knowledge will need to be hosted somewhere, and be available to the people who need it, in an appropriate form, such as on paper or electronically. You’ll also need to ensure it stays up to date.

Subclause 7.2 Competence

This requires the organization to define the skills required for the management system, ensure that the relevant people have them, and maintain proof of their competence.

Subclause 7.3 Awareness

The organization has to ensure that persons doing work under the organization’s control are aware of key information, including the relevant standard’s policy, objectives, their contribution to the effectiveness of the management system, including the benefits of improved performance, and what happens if they don’t conform to the requirements of the management system.

Variations of Subclause 7.3 Awareness

For ISO45001:2018 Occupational Health and Safety management system there are a few more requirements, involving people being made aware of:

• incidents and the outcomes of investigations that are relevant to them
• hazards, OH&S risks and actions determined that are relevant to them
• the fact that they can remove themselves from work situations that they consider dangerous, and that they will not be punished for doing so.

Subclause 7.4 Communication

This is generally the same across all the standards and requires the organization to determine the internal and external communications that are relevant to the management system, including:

• On what it will communicate – this would include contracts, recruitment, social media, press releases etc.
• When to communicate – if this was part of a process, such as send invoice for products or service supplied, confirmation of job offer to successful job candidate, data breach report to the ICO (UK), etc.
• With whom to communicate – either internal to the organization, such as internal memo, reports etc. or external, such as clients, contractors, regulatory bodies etc.
• How to communicate – the format that the communication takes, such as email, fax, original document, telephone etc.
• Who communicates – who within the organization can send these communications, such as HR can only send job offers, CISO or IT Manager can only send data breach information to ICO, Internal Auditors can send audit reports.

The two tables below are examples of communication matrices for internal and external communications for a quality management system (ISO9001).

Figure 1 – example of internal communications

Figure 2 – example of external communications

The ISO45001 standard goes into a bit more detail on communication, requiring diversity to be taken into account, responding to relevant communications, and ensuring the information given is reliable.

Subclause 7.5 Documented information

This requirement is the same across the ISO standards written in the Annex SL format, and this is one of the main reasons it is easier to integrate ISO management systems. Common documentation helps reduce duplication, review time and increases the knowledge of interdependencies between management systems and associated processes.

There are 3 sub-clauses:

• 7.5.1 General
• 7.5.2 Creating and updating
• 7.5.3 Control of documented information

Subclause 7.5.1 General

This tells the organization what will be included. These are:

• Documented information required by the relevant standard – mandatory documented information such as audit schedule, audit reports, management review meeting notes, objectives, etc.
• Documented information determined by the organization as being necessary for the effectiveness of the management system – standard operating procedures, check lists, proposal templates, etc. This will differ from organization to organization.

Subclause 7.5.2 Creating and updating

When creating and updating documented information, the organization shall ensure appropriate:

• identification and description (such as a title, date, author, or reference number);
• format (for example language, software version, graphics) and media (such as paper or electronic);
• review and approval for suitability and adequacy.

Subclause 7.5.3 Control of documented information

Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

• it is available and suitable for use, where and when it is needed;
• it is adequately protected (for example from loss of confidentiality, improper use, or loss of integrity).

Your procedures should also address the following activities, as applicable:

• distribution, access, retrieval and use;
• storage and preservation, including preservation of legibility;
• control of changes (version control);
• retention and disposition

Mandatory documented information

In various places within the standards, it is stated that items must be available as documented information. This allows a list of mandatory information to be created, which can help in assessing readiness for audit. For example, the documented information to be retained for ISO9001 is:

• Monitoring and measuring equipment calibration records (clause 7.1.5.1)
• Records of training, skills, experience and qualifications (clause 7.2)
• Evidence of Communication
• Control of Documented Information (7.5)
• Product/service requirements review records (clause 8.2.3.2)
• Record about design and development outputs review (clause 8.3.2)
• Records about design and development inputs (clause 8.3.3)
• Records of design and development controls (clause 8.3.4)
• Records of design and development outputs (clause 8.3.5)
• Design and development changes records (clause 8.3.6)
• Control of externally provided processes, products and services (8.4)
• Characteristics of product to be produced and service to be provided (clause 8.5.1)
• Records about customer property (clause 8.5.3)
• Production/service provision change control records (clause 8.5.6)
• Record of conformity of product/service with acceptance criteria (clause 8.6)
• Record of nonconforming outputs (clause 8.7.2)
• Monitoring and measurement results (clause 9.1.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)

Links to other areas of the standard

Clause 7 in an ISO management system written in the Annex SL format serves as a critical link between various other clauses of the standard. It provides the necessary support for effective leadership, planning, operation, performance evaluation, and improvement.

Here’s how clause 7 connects with other clauses:

• Clause 5 – Leadership – support the implementation of effective leadership practices by outlining the necessary support elements.
• Clause 6 – Planning – When determining quality objectives, risks, and opportunities, the organization needs to plan the necessary support activities to achieve the desired outcomes. This ensures that support is integrated into the overall planning process.
• Clause 8 – Operation – provides the support necessary for the successful execution of operational processes. This includes ensuring adequate resources, infrastructure, competence, and awareness of personnel involved in the operation. Support activities in Clause 7 enable smooth operations and facilitate the achievement of planned results.
• Clause 9 – Performance evaluation – The organization needs to monitor, measure, analyse, and evaluate support processes to determine their effectiveness and identify areas for improvement. This information feeds into the performance evaluation process described in Clause 9.
• Clause 10 – Improvement – contributes to the improvement process by ensuring that support elements are continually reviewed, adjusted, and optimized.

In Summary

Clause 7 in the ISO standards is closely interconnected with the other clauses. It provides the necessary support for effective leadership, planning, operation, performance evaluation, and improvement.

By considering and integrating support requirements throughout the management system, organizations can enhance their ability to meet their customer and own requirements and achieve their management system objectives.

Written by Ken Holmes and Ted Spiller. 

Ken is CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

Ted is CertiKit’s Compliance Consultant, and an expert in many ISO management systems; he is a Lead Auditor for ISO27001, ISO9001 and ISO14001 and Auditor for ISO45001 and ISO22301.

How can CertiKit help with your ISO Implementation?