When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.
One subject worth mentioning is that of something the ISO calls “Annex SL” (not to be confused with “Annex A” from ISO/IEC 27001!).
This is a very obscure name for a concept that represents a big change in ISO management system standards, starting with ISO22301. There are a number of ISO standards that involve operating a “management system” to address the specific subject of the standard.
Some of the main examples are:
ISO9001 – Quality management
ISO14001 – Environmental management
ISO45001 – Occupational heath and safety management
ISO22301 – Business continuity management
ISO/IEC 27001 – Information security management
ISO/IEC 20000 – IT service management
Traditionally, all of these standards have had a slightly different way of implementing and running a management system and the wording of the standards has varied sometimes quite significantly. This is ok until an organization decides to try to run a single management system across multiple standards, for example ISO9001 and ISO/IEC 27001. Then it becomes difficult for the organization to marry up differing ways of doing the same thing and it makes the auditors’ job harder (and longer and more expensive) too.
So, to get around this problem of “multiple management systems” the ISO decided to standardise the wording of the management system parts of the standards. They produced a long document with numerous appendices, one of which was “Annex SL” containing a first draft of the standard wording. Over time the ISO phased in this common “Annex SL” wording and all new standards or new versions of existing standards now have it. As it happens, ISO22301 was the first to adopt this new layout and so may be called the first “Annex SL” standard. Since 2012 all of the other management system standards have been gradually revised until we now have a situation where they are all compatible with each other (with minor variations).
The good news for an organization implementing (for example) a BCMS based on ISO22301 or an ISMS based on ISO/IEC 27001 is that they will by default be putting in place an “Annex SL” management system. This will make it much easier for them to implement other standards such as ISO9001 at a later date.
Each ISO standard that follows Annex SL has the same high-level structure as follows:
Sections 1-3 are for reference and don’t cover the requirements that are in sections 4-10. Section 0 is the introduction. The requirements of sections 4-10 are mandatory and meeting them determines the outcome of your certification audit
Editor’s note: The original post was published in June 2016, and updates have been made in February 2022 for accuracy and comprehensiveness.
CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.
For more guidance on implementing the ISO standard of your choice, go to our guidance pages where you can find more specific information about each standard and more downloadable resources.