When getting to grips with ISO (International Organisation for Standardisation) standards for the first time, you will notice that they are structured in clauses, a bit like a contract. This structure is common across all of the management system standards that ISO publishes, such as ISO 9001, ISO 22301 and ISO/IEC 27001, and is known as the “Annex SL” format or, more helpfully, the “High Level Structure”.
So, what we’re about to say applies to all of these standards. Note, however, that the Annex SL wording has evolved over time, so the exact format and wording of each standard depends not only on its subject, but also on when it was last revised.
What’s in Clause 7?
Clause 7 of the management system consists of five subclauses:
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information
Let’s look at each of these in turn.
Subclause 7.1 Resources
Subclause 7.1 of the ISO management system standards deals with the resources required for implementing and running the management system. In most of the standards we’re talking about, the subclause is a short one-liner that simply requires that the resources are identified and provided. Although brief, it requires you to consider the current capabilities and restrictions of internal resources, such as manpower, experience, equipment and budget.
Resources support the operation of all processes in an organisation and are critical for ensuring effective and efficient performance and its sustained success. The organisation should implement sufficient control over its processes to achieve efficient and effective use of its resources. Depending on the nature and complexity of the organisation, some of the resources will have different impacts on the sustained success of the organisation. When considering future activities, the organisation should take into account the accessibility and suitability of resources, including externally provided resources. The organisation should frequently evaluate its existing use of resources to determine opportunities for improving their use, optimising processes, and implementing new technologies to reduce risks.
ISO 9001 in particular goes into a lot more detail in this area, and (in addition to the general requirements) adds five other specific requirements:
7.1.2 People – The organisation shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.
7.1.3 Infrastructure – The organisation shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services – these can include buildings and associated utilities, equipment (including hardware and software), transportation resources and information and communication technology.
7.1.4 Environment for the operation of processes – The organisation shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services. This can be a combination of human and physical factors, such as: social (for example non-discriminatory, calm, non-confrontational), psychological (for example stress-reducing, burnout prevention) and physical (such as temperature, humidity, light, airflow, noise).
7.1.5 Monitoring and measuring resources – The organisation shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements. This includes any calibration equipment needed to ensure the conformity of your product, such as scales, micrometers and exhaust gas monitors.
7.1.6 Organisational knowledge – The organisation shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. This knowledge will need to be hosted somewhere, and be available to the people who need it, in an appropriate form, such as on paper or electronically. You’ll also need to ensure it stays up to date.
Subclause 7.2 Competence
This requires the organisation to define the skills required for the management system, ensure that the relevant people have them, and maintain proof of their competence.
Subclause 7.3 Awareness
The organisation has to ensure that persons doing work under the organisation’s control are aware of key information, including the relevant standard’s policy, objectives, their contribution to the effectiveness of the management system, including the benefits of improved performance, and what happens if they don’t conform to the requirements of the management system.
Variations of Subclause 7.3 Awareness
For the ISO 45001:2018 Occupational Health and Safety management system there are a few more requirements, involving people being made aware of:
incidents and the outcomes of investigations that are relevant to them
hazards, OH&S risks and actions determined that are relevant to them
the fact that they can remove themselves from work situations that they consider dangerous, and that they will not be punished for doing so.
Subclause 7.4 Communication
This is generally the same across all the standards and requires the organisation to determine the internal and external communications that are relevant to the management system, including:
On what it will communicate – this would include contracts, recruitment, social media, press releases etc.
When to communicate – for example, where the communication is part of a process, such as sending an invoice for products or services supplied, confirming a job offer to a successful candidate, or reporting a data breach to the ICO (UK).
With whom to communicate – either internal to the organisation (such as internal memos and reports) or external (such as clients, contractors and regulatory bodies).
How to communicate – the format that the communication takes, such as email, fax, original document, telephone etc.
Who communicates – who within the organisation can send these communications. For example, only HR can send job offers, only the CISO or IT Manager can send data breach information to the ICO, and Internal Auditors can send audit reports.
The two tables below are examples of communication matrices for internal and external communications for a quality management system (ISO 9001).
Internal Communications
INFORMATION | SENDER | FORMAT | FREQUENCY | RECIPIENTS |
Quality policy | Top management | | Annually | All employees |
Internal audit results | Internal auditor | Report | Quarterly | Management, Teams, Representatives |
Customer complaints | Customer | Email/Form | As received | Quality dept., Support team, Relevant depts, Management |
Nonconformity reports | Employees | Online form | As identified | Quality dept., Support team, Relevant depts, Management |
Change notification | CAB | | As required | Affected depts, Board, Management |
Supplier evaluation | Procurement | Evaluation | Annually | Procurement, Dept., Report, Quality Dept., Management |
Management review | Top management | Meeting | Annually | Management team, relevant stakeholders |
Figure 1 – example of internal communications
External Communications
COMMUNICATION METHOD | PURPOSE | RESPONSIBLE PARTY | FREQUENCY |
Website | Provide information about products and services | Marketing | Ongoing |
Social media | Engage with customers and promote new offerings | Social media coordinator | Regular posting |
Press release | Announce company news, product launches, and achievements | Public relations Manager | As needed |
Customer newsletter | Share updates, tips, and industry insights with customers | Marketing coordinator | Monthly |
Email campaign | Reach out to potential customers and promote special offers | Sales dept. | As needed |
Trade shows | Showcase products, generate leads, and network with industry professionals | Sales and marketing dept. | Annually |
Figure 2 – example of external communications
The ISO 45001 standard goes into a bit more detail on communication, requiring diversity to be taken into account, responding to relevant communications, and ensuring the information given is reliable.
Subclause 7.5 Documented information
This requirement is the same across the ISO standards written in the Annex SL format, and this is one of the main reasons it is easier to integrate ISO management systems. Common documentation helps reduce duplication and review time, and increases knowledge of the interdependencies between management systems and associated processes.
There are 3 subclauses:
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
Subclause 7.5.1 General
This tells the organisation what will be included. These are:
Documented information required by the relevant standard – mandatory documented information such as audit schedule, audit reports, management review meeting notes, objectives, etc.
Documented information determined by the organisation as being necessary for the effectiveness of the management system – standard operating procedures, check lists, proposal templates, etc. This will differ from organisation to organisation.
Subclause 7.5.2 Creating and updating
When creating and updating documented information, the organisation shall ensure appropriate:
identification and description (such as a title, date, author, or reference number);
format (for example language, software version, graphics) and media (such as paper or electronic);
review and approval for suitability and adequacy.
Subclause 7.5.3 Control of documented information
Documented information required by the quality management system and by this International Standard shall be controlled to ensure:
it is available and suitable for use, where and when it is needed;
it is adequately protected (for example from loss of confidentiality, improper use, or loss of integrity).
Your procedures should also address the following activities, as applicable:
distribution, access, retrieval and use;
storage and preservation, including preservation of legibility;
control of changes (version control);
retention and disposition.
Mandatory documented information
In various places within the standards, it is stated that items must be available as documented information. This allows a list of mandatory information to be created, which can help in assessing readiness for audit. For example, the documented information to be retained for ISO 9001 is:
Monitoring and measuring equipment calibration records (clause 7.1.5.1)
Records of training, skills, experience and qualifications (clause 7.2)
Evidence of Communication
Control of Documented Information (7.5)
Product/service requirements review records (clause 8.2.3.2)
Record about design and development outputs review (clause 8.3.2)
Records about design and development inputs (clause 8.3.3)
Records of design and development controls (clause 8.3.4)
Records of design and development outputs (clause 8.3.5)
Design and development changes records (clause 8.3.6)
Control of externally provided processes, products and services (8.4)
Characteristics of product to be produced and service to be provided (clause 8.5.1)
Records about customer property (clause 8.5.3)
Production/service provision change control records (clause 8.5.6)
Record of conformity of product/service with acceptance criteria (clause 8.6)
Record of nonconforming outputs (clause 8.7.2)
Monitoring and measurement results (clause 9.1.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Links to other areas of the standard
Clause 7 in an ISO management system written in the Annex SL format serves as a critical link between various other clauses of the standard. It provides the necessary support for effective leadership, planning, operation, performance evaluation, and improvement.
Here’s how clause 7 connects with other clauses:
Clause 5 – Leadership – supports the implementation of effective leadership practices by outlining the necessary support elements.
Clause 6 – Planning – When determining quality objectives, risks, and opportunities, the organisation needs to plan the necessary support activities to achieve the desired outcomes. This ensures that support is integrated into the overall planning process.
Clause 8 – Operation – provides the support necessary for the successful execution of operational processes. This includes ensuring adequate resources, infrastructure, competence, and awareness of personnel involved in the operation. Support activities in Clause 7 enable smooth operations and facilitate the achievement of planned results.
Clause 9 – Performance evaluation – The organisation needs to monitor, measure, analyse, and evaluate support processes to determine their effectiveness and identify areas for improvement. This information feeds into the performance evaluation process described in Clause 9.
Clause 10 – Improvement – contributes to the improvement process by ensuring that support elements are continually reviewed, adjusted, and optimised.
In Summary
Clause 7 in the ISO standards is closely interconnected with the other clauses. It provides the necessary support for effective leadership, planning, operation, performance evaluation, and improvement.
By considering and integrating support requirements throughout the management system, organisations can enhance their ability to meet their customers’ and their own requirements and achieve their management system objectives.