
ISO Jargon - Understanding Key Terms


Part of the battle when first encountering ISO standards is to understand some of the terms used, and the way things are phrased. As with any new language, a little knowledge can go a long way, so we’ve taken some of the more common ISO-speak and tried to give you a better chance of understanding what they really mean.


ISO and ISO/IEC

You may have noticed that some of the common standards are just “ISO” (such as ISO 9001 and ISO 14001) and some of them are “ISO/IEC” (think ISO/IEC 27001, ISO/IEC 20000). First of all, ISO stands for “International Organization for Standardization” which, on the face of it, should surely be IOS but let’s not worry about that (and Apple has now taken “IOS” for itself anyway so we’re too late). IEC is the International Electrotechnical Commission which is an international not-for-profit along the same lines as ISO, but different. Those standards that are “ISO” are the product of ISO on its own, but those that have “ISO/IEC” in the name are collaborations with the IEC. Unfortunately for the IEC, it’s common to refer to standards such as ISO/IEC 27001 as simply “ISO27001” because, let’s be honest, it’s much easier. Sorry IEC.

Annex SL

The common ISO management system standards used to be worded differently, which was fine until you wanted to run an integrated management system across more than one standard. So ISO acted to bring the headings and wording into line which is why if you have implemented ISO27001 and then read ISO9001 it sounds very familiar. The common wording is generally referred to as “Annex SL”, a terrible name which is derived from the appendix of the relevant ISO strategy document. It’s also variously called “High Level Structure” and “Annex L”. For those of you implementing ISO27001, don’t get confused with “Annex A” – that’s a different thing entirely.

Management System

Depending on the standard, you will have come across a “QMS” or an “ISMS” or an “EMS” or something else ending in “MS”. These are all different forms of management system, for example a QMS is a Quality Management System and an ISMS is an Information Security Management System. In ISO terms the management system is the part of the standard that puts in place the overall process to plan, do, check and act (this is the Deming, or PDCA Cycle, which ISO often mentions in the introduction to its standards) on the subject area, whether that’s quality or environmental or occupational health and safety. All of the standards we’re discussing here are referred to as “management system standards” because, you guessed it, they have a management system.

Requirements

This term is commonly used in two ways; the first is to refer to the “shalls” of the standards (see Shall, Should, May, Can below) which means those things you must meet to comply with the standard. The second is to refer to the inputs to the processes defined in the standards, that is a definition of what is to be achieved. In basic terms, the processes are converting requirements into outputs.

Scope

A term used in two ways; one is in Clause 1 of the standards to define how they apply to organizations in general, and the second is in Clause 4 to mean what is included in the management system, for example which locations, which products or services or which parts of the organization.

Context

This means what’s going on both within and outside the organization that could affect its success. It refers to the environment that the management system operates within.

Shall, Should, May, Can

These words have specific meanings within ISO standards. “Shall” indicates a requirement, that is, something that must be done. “Should” indicates a recommendation, so it’s optional but still a good idea. “May” indicates a permission, so you are allowed to do something if you choose to. Lastly, “can” indicates a possibility or a capability, which means to say that there is the ability to do something, but it’s not necessarily recommended either way.

Documented Information

This used to be referred to as “documents and records”, but the aim of this term is to widen the definition to other forms of information, including that in systems. This is basically “evidence” (see below).

Interested parties

Quite a wide-ranging term, which refers to anyone (including organizations) who is affected by or affects the management system; that is, a party that has an interest in it. This can be a long list when you really start to think about it (which you should).

External and internal issues

Related to the term “context”, these issues can be anything that affects, or has the potential to affect, the management system. Again, a bit of imagination is needed here, to cover the subject fully.

Risk and opportunity

Risk gets a lot of attention in ISO standards, and basically means something that hasn’t happened yet (although it may have happened before) but might, and so needs to be planned for or actions taken to address it now. So you’re looking into the future and planning ahead.

Opportunity is risk’s nicer twin, in that it involves considering the good things that might happen and getting ready to make the most of them if they do (as well as trying to make them more likely and more advantageous).

Criteria

Commonly used in areas such as risk assessment and internal auditing, criteria refers to the set of circumstances under which something is being done, or the rules that govern something, for example the criteria under which a risk will be accepted (maybe it’s below a specified score) or the criteria for an audit (such as the fact that it will be done in the English language).

Applicability

Not all requirements and controls in ISO standards apply to all organizations, and the idea of applicability allows you to exclude certain things, where allowed. Examples are product traceability in ISO9001 (does your product need a serial number?) and the Annex A controls in ISO27001, where a Statement of Applicability is a required document to state which controls you aren’t using.

Continual improvement

Improvement is a big part of ISO management system standards, and in recent times the word “continuous” has been replaced with “continual” to describe the nature of improvement required. Perhaps it’s a subtle difference, but whereas “continuous” means all the time without a break, “continual” means more of a general direction of travel over time. So you can relax a little more.

Competence

This refers to how well someone can perform a task. The key thing to remember about this term is that it can be fulfilled in several ways, not just via training and qualifications. So experience is valid, without it having to be formally recognised.

Accredited

Often wrongly used interchangeably with “certified”, this term means that an organization has been accredited by an accreditation body to then certify other organizations. For example, in the UK BSI is accredited by UKAS to certify other organizations.

Certified

If an organization has been certified against an ISO standard, then it has been formally audited by an accredited registered certification body, which has judged that the organization meets the requirements of the relevant standard.

Registered Certification Body

Or RCB, this is usually an auditing company, such as BSI, who has been accredited by an accreditation body to perform certification audits. You can find out more about this with our Guide to Choosing an RCB.

Evidence

From an auditing point of view, it’s all about evidence. If an auditor can’t see that you’re doing something, then they can’t certify that it’s happening. So evidence refers to the proof that something is in place, is happening etc. Part of the culture change in implementing an ISO standard is to produce evidence, such as meeting minutes, that show what was discussed and decided.

Nonconformities

Often found during an audit, a nonconformity is something that isn’t as it should be according to the relevant standard, or your stated way of doing things. So it could be that your procedure says that a form should be completed, but on one occasion it wasn’t – that’s a nonconformity. This term is used in quite a wide sense to refer to anything that isn’t as it should be within your management system, and you can raise them yourself. Nonconformities usually come in two sizes: minor and major.

Observations

At an audit, an auditor may make an observation which is intended to be helpful, rather than saying something isn’t as it should be (which would be a nonconformity). Observations may not be tracked in the same way as nonconformities and are optional (albeit often useful).

Opportunity for improvement

An OFI is a term used by some registered certification bodies in the same way as an observation.

Root cause

When a nonconformity has been found, the core reason for it happening (the root cause) must be identified, so that things can be fixed and the chances of it recurring reduced. There are several formal techniques for root cause analysis which are often mentioned, including Pareto Charts, the 5 Whys and the interestingly-named Ishikawa Fishbone Diagram.

Corrective action

When a nonconformity occurs, you need to fix it. The action you take to right the wrong is your corrective action.

In Summary

ISO standards are less impenetrable than they used to be, but it still takes a while to get familiar with some of the terms used and to decide what you actually need to do to meet the requirements. Hopefully this brief run-through of some of the more common ISO jargon will help.


Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).


How can CertiKit help with your ISO Implementation?

CertiKit’s ISO Toolkits and ISO Services are available to help you understand and implement your chosen ISO standard(s). The toolkits include easy-to-understand templates and guides, plus a perpetual licence with ongoing updates and support, so you’ve got help whenever you need it.

Click the links to find out more about the ISO Toolkits and ISO Services.
