When getting to grips with ISO (International Organisation for Standardisation) standards for the first time, you will notice that they are structured in clauses, a bit like a contract. This structure is common across all of the management system standards that ISO publishes, such as ISO 9001, ISO 22301 and ISO/IEC 27001, and is known as the “Annex SL” format or, more helpfully, the “High Level Structure”.
So, what we’re about to say applies to all of these standards. Note however that the Annex SL wording has evolved over time, so the exact format and wording of each standard depends not only on its subject, but also on when it was last revised. Note also that Clause 8 is easily the clause with the most variation across standards, so although many of the headings are the same, the content (as you’d expect) is different.
What is Clause 8 about?
In the context of ISO management systems, Clause 8 refers to the “Operation” of the management system. This clause is a fundamental part of ISO standards such as ISO 9001 (Quality Management), ISO 14001 (Environmental Management) and ISO 45001 (Occupational Health and Safety Management).
The purpose of Clause 8 – Operation is to provide guidelines and requirements for effectively implementing the processes and activities necessary to achieve the organisation’s objectives and deliver the products or services in line with its policies and plans.
Clause 8 typically covers a range of topics related to the day-to-day operations of an organisation and its management system. The specific content varies depending on the type of management system, but some common themes include:
Operational Planning: This involves defining processes and resources needed to achieve the organisation’s goals. It includes considerations for identifying risks, opportunities, and potential impacts on quality, environment, health and safety, or other relevant aspects.
Resource Management: Ensuring that the necessary resources (human, infrastructure, technology, etc.) are available and allocated appropriately to support the operation of the management system and the organisation’s overall objectives.
Product or Service Provision: This covers the processes involved in creating, producing, or delivering the organisation’s products or services while adhering to specified requirements, including quality, environmental, and safety criteria.
Control of Processes, Products, and Services: Implementing controls to ensure that processes and products/services meet defined standards and requirements. This may involve inspections, testing, monitoring, and corrective actions.
Emergency Preparedness and Response: Establishing plans and procedures to handle potential emergencies or unexpected situations that could impact the organisation’s operations, safety, or environment.
In essence, Clause 8 – Operation guides organisations on how to execute their plans, deliver their products/services, and maintain the effectiveness of their management system in line with the defined requirements and policies. It emphasises the practical implementation of the management system standards, helping organisations to achieve consistent and desirable outcomes while managing risks and opportunities.
Let’s look at the specifics of some of the common standards.
ISO 9001 – Quality Management
Clause 8 in ISO 9001 requires you to plan, control and implement the processes necessary for your products and services to conform with your requirements and those of the standard. It also has the only mandatory procedure, which is clause 8.4 – Control of externally provided processes, products and services.
ISO 9001 is an international standard that outlines the requirements for a quality management system (QMS) within an organisation. Clauses 8.1 to 8.7 of ISO 9001 pertain to the planning and realisation of products and services, which are crucial aspects of maintaining consistent quality throughout an organisation’s processes. Here’s a brief explanation of each of these clauses:
8.1 Operational Planning and Control: This clause emphasises the importance of systematically planning and controlling the processes needed to produce products and services that meet customer requirements. It involves defining criteria for processes, ensuring availability of resources, and identifying potential risks and opportunities that could affect the quality of outputs.
8.2 Requirements for Products and Services: In this clause, organisations are required to establish and document the criteria for reviewing, verifying, and validating product or service requirements. This ensures that customer needs and expectations are clearly understood and translated into specific characteristics that products or services must possess.
8.3 Design and Development of Products and Services: Organisations must follow a structured approach to design and development, including identifying design inputs, conducting reviews, verifying designs, and validating them to ensure they meet the specified requirements before moving into production.
8.4 Control of Externally Provided Products and Services: This clause pertains to controlling the quality of products and services that are provided by external suppliers. Organisations are required to assess and select suppliers based on their ability to meet quality standards, establish clear requirements, and monitor supplier performance.
8.5 Production and Service Provision: This clause addresses the actual processes of producing and providing services. It covers factors such as controlling production and service provision, ensuring product and service conformity, preventing mix-ups, and preserving the integrity of products during handling and storage.
8.6 Release of Products and Services: Before products or services are delivered to customers, organisations must have a process in place to verify that all requirements have been met. This includes inspections, tests, and approvals to ensure the final output is of the desired quality.
8.7 Control of Nonconforming Outputs: This clause deals with products and services that do not meet established requirements, referred to as “nonconforming outputs.” Organisations need to have procedures for identifying, segregating, evaluating, and taking appropriate action on such nonconformities to prevent their unintended use or delivery.
These clauses collectively emphasise the significance of meticulous planning, effective control, and continuous monitoring to ensure that products and services consistently meet or exceed customer expectations. Adhering to these clauses helps organisations enhance their quality management systems and ultimately deliver better value to their customers.
Links to other areas of the ISO 9001 standard
It’s important to understand how the requirements in Clause 8 relate to other clauses within the standard. Alignment with other clauses is as follows:
Clause 4: Context of the Organisation: The context analysis identifies the external and internal factors that can affect the organisation’s operations, helping to determine risks and opportunities.
Clause 5: Leadership: Leadership’s commitment to quality and their involvement in the operational processes are critical for successful implementation.
Clause 6: Planning: Quality objectives are established, and operational planning takes place to achieve these objectives.
Clause 7: Support: Resources, including competent personnel and infrastructure, are provided to support the operational processes.
Clause 9: Performance Evaluation: Monitoring, measuring, analysing, and evaluating operational performance help to identify areas for improvement.
Clause 10: Improvement: Actions to improve operational processes are taken based on the results of performance evaluations.
ISO 14001 – Environmental Management
With Clause 8 in ISO 14001, you are required to develop operational planning, emergency response, and environmental monitoring. ISO 14001 is an international standard that focuses on environmental management systems (EMS), helping organisations establish a framework to manage their environmental responsibilities effectively. Clauses 8.1 and 8.2 of ISO 14001 are part of the “Operation” phase, which deals with the execution of the environmental management system.
Here’s a brief explanation of each of these clauses:
8.1 Operational Planning and Control: This clause highlights the importance of planning and controlling an organisation’s operations in a manner that takes into account the potential environmental impacts. It requires organisations to establish and maintain procedures that ensure their operations are carried out in accordance with the environmental objectives and targets set in the earlier phases of the EMS. The aim is to prevent or minimise adverse environmental effects and promote sustainable practices. Key points addressed in this clause include:
Identifying Significant Environmental Aspects: Organisations need to identify activities, products, and services that can have a significant impact on the environment.
Legal and Other Requirements: Ensuring compliance with relevant environmental laws, regulations, and other requirements is a crucial part of operational planning.
Operational Control: Organisations must implement controls to manage and mitigate the identified environmental aspects. This might involve specifying procedures, work instructions, and performance criteria for activities that have potential environmental impacts.
8.2 Emergency Preparedness and Response: This clause focuses on preparing for and responding to environmental emergencies. Organisations need to identify potential environmental emergencies, establish procedures to address them, and periodically test and review these procedures to ensure their effectiveness. The aim is to minimise the impact of emergencies on the environment, human health, and safety. Key points addressed in this clause include:
Emergency Preparedness: Organisations must develop plans to effectively respond to various types of environmental emergencies, such as spills, leaks, or other incidents that could harm the environment.
Response Procedures: Clear procedures and responsibilities must be defined for managing emergencies, including communication, containment, and corrective actions.
Training and Drills: Personnel should be trained in emergency response procedures, and regular drills or simulations should be conducted to ensure readiness.
Continuous Improvement: Lessons learned from emergency situations should be used to improve emergency response plans and procedures over time.
These clauses collectively guide organisations in aligning their operations with environmental objectives, minimising negative environmental impacts, and being prepared to handle emergencies that might arise. This approach helps organisations demonstrate their commitment to sustainable practices and responsible environmental management.
Links to other areas of the 14001 standard
As with ISO 9001, the areas covered in Clause 8 of ISO 14001 mesh with other parts of the standard in the following way:
Clause 4: Context of the Organisation: Understanding the environmental context helps identify the environmental aspects and impacts to be addressed in the operational processes.
Clause 5: Leadership: Leadership commitment is crucial for the effective implementation of environmental controls and resource allocation.
Clause 6: Planning: Environmental objectives and targets are set, and operational planning takes place to achieve these objectives.
Clause 7: Support: Resources, awareness, and competence are provided to support the operational processes.
Clause 9: Performance Evaluation: Monitoring, measuring, analysing, and evaluating environmental performance helps identify areas for improvement.
Clause 10: Improvement: Actions to improve environmental performance are taken based on the results of performance evaluations.
ISO 45001 – Occupational Health and Safety
Within Clause 8, ISO 45001 requires you to plan your operations, control hazards and their mitigation, manage change and procurement, and prepare emergency responses. ISO 45001 is an international standard that sets the requirements for occupational health and safety management systems (OHSMS). It provides a framework for organisations to manage and improve their occupational health and safety performance. Clauses 8.1 and 8.2 of ISO 45001 are part of the “Operation” section of the standard, focusing on the implementation and control of the OHSMS. Here’s a brief explanation of each of these clauses:
8.1 Operational Planning and Control: This clause emphasises the need for organisations to establish and maintain procedures to effectively plan, implement, and control their operational processes in a manner that addresses health and safety risks and opportunities. The primary goal is to prevent work-related injuries, illnesses, and incidents. Key aspects covered in this clause include:
Identification of Hazards and Risks: Organisations need to identify potential hazards in their operational processes and assess the associated risks to worker health and safety.
Determination of Necessary Controls: Based on the hazard and risk assessments, organisations must determine appropriate controls to mitigate or eliminate these hazards and reduce the associated risks.
Operational Controls: Procedures and measures must be established to ensure that workers are protected from identified hazards during their tasks. This might involve specifying safe work practices, using protective equipment, and implementing engineering controls.
8.2 Management of Change: This clause addresses the need for organisations to effectively manage changes that could impact occupational health and safety. Changes can include modifications to processes, equipment, personnel, or the working environment. Key points addressed in this clause include:
Identification of Changes: Organisations must have a process to identify and assess changes that could affect health and safety. This ensures that potential risks associated with changes are recognised and addressed.
Assessment of Impacts: Before implementing changes, organisations need to evaluate the potential impact on worker health and safety and take appropriate measures to control these impacts.
Communication and Training: Workers and relevant stakeholders should be informed about changes and provided with necessary training to safely navigate the new conditions.
Monitoring and Review: The effects of changes on health and safety should be monitored and reviewed to ensure that the intended outcomes are achieved and that new risks are promptly addressed.
These clauses guide organisations in effectively managing their operational processes to ensure the health and safety of their workers. By identifying risks, implementing controls, and managing changes carefully, organisations can maintain a safe and healthy work environment and continuously improve their OHSMS performance.
Links to other areas of the 45001 standard
Alignment with other clauses within ISO 45001 is as follows:
Clause 4: Context of the Organisation: Understanding the context helps identify the occupational health and safety risks and opportunities in the operational processes.
Clause 5: Leadership: Leadership commitment is crucial for implementing and maintaining effective operational controls.
Clause 6: Planning: Objectives and action plans are established to control occupational health and safety risks in the operational processes.
Clause 7: Support: Resources, training, and awareness are provided to support the operational controls.
Clause 9: Performance Evaluation: Monitoring, measuring, analysing, and evaluating occupational health and safety performance helps identify areas for improvement.
Clause 10: Improvement: Actions to improve occupational health and safety performance are taken based on the results of performance evaluations.
ISO/IEC 27001 – Information security, cybersecurity and privacy protection
Clause 8 in ISO 27001 requires the organisation to develop operational planning and control, information security risk assessments and risk treatments. This clause provides the framework to establish operational planning and control; risk assessment and treatment; business continuity planning and disaster recovery; and monitoring, measurement, analysis and evaluation. Here’s a brief explanation of each of these clauses:
Clause 8.1 – Operational Planning and Control: This clause focuses on the operational aspects of managing information security within an organisation. It emphasises the need to establish processes and controls that ensure information security requirements are met while carrying out daily operations. Key points covered in this clause include:
Risk Assessment and Treatment: Organisations must continue to assess risks to their information assets and implement appropriate measures to manage and mitigate these risks.
Selection of Controls: Based on the risk assessment, organisations need to select and implement appropriate security controls from the ISO 27001 Annex A, which provides a comprehensive set of controls addressing various aspects of information security.
Documentation of Controls: The controls selected for implementation must be documented, along with the procedures and guidelines for their effective use.
Clause 8.2 – Information Security Risk Assessment: This clause centres on the ongoing process of assessing and managing information security risks. It’s a critical component of the ISMS as it helps organisations proactively identify potential vulnerabilities and threats. Key aspects covered in this clause include:
Risk Assessment Process: Organisations need to establish a structured process to identify, assess, and prioritise information security risks.
Risk Treatment: Based on the risk assessment results, organisations must decide on appropriate risk treatment strategies, which may involve avoiding, mitigating, transferring, or accepting risks.
Review and Iteration: The risk assessment process should be reviewed and updated regularly to account for changes in the organisation’s context and the evolving threat landscape.
Clause 8.3 – Information Security Risk Treatment: This clause directs the organisation to implement the information security risk treatment plans that were defined in clause 6.1.3. Key points covered in this clause include:
During the operation of the ISMS, whenever the risk assessment is updated, the organisation applies risk treatment consistent with clause 6.1.3 (information security risk treatment), updates the risk treatment plan, and then implements the updated plan.
The information security risk treatment process should be performed after each iteration of the risk assessment process in clause 8.2, or whenever the implementation of the risk treatment plan, or parts of it, fails.
These clauses collectively guide organisations in establishing effective information security management systems, which are crucial in protecting sensitive information from unauthorised access, breaches, and other security threats.
Links to other areas of the 27001 standard
As with the other standards, there is a high degree of alignment with other clauses:
Clause 4: Context of the Organisation: Understanding the information security context helps identify the risks and opportunities related to information security in operational processes.
Clause 5: Leadership: Leadership commitment is essential for implementing and maintaining effective information security controls.
Clause 6: Planning: Information security objectives, and how to achieve them, are set, and plans are established through information security risk assessments and risk treatments to protect information assets in operational processes.
Clause 7: Support: Resources, training, and awareness are provided to support the implementation of information security controls.
Clause 9: Performance Evaluation: Monitoring, measuring, analysing, and evaluating information security performance helps identify areas for improvement.
Clause 10: Improvement: Actions to improve information security performance are taken based on the results of performance evaluations.
In summary
Clause 8 in each of these ISO management systems deals with operational aspects related to quality, environmental management, occupational health and safety, or information security, depending on the standard.
The alignment with other clauses ensures that the operational processes are well-integrated into the overall management system, thereby contributing to the achievement of organisational objectives and continuous improvement.
For some of the standards discussed (such as ISO 27001), Clause 8 is not a lengthy one, whereas for others it takes up many pages of the standard document. Consequently, the length of time you will spend on this clause will vary significantly according to the standard you are implementing.