One subject worth mentioning is that of something the ISO calls “Annex SL” (not to be confused with “Annex A” from ISO/IEC 27001!).
This is a very obscure name for a concept that represented a big change in ISO management system standards, starting with ISO22301. There are a number of ISO standards that involve operating a “management system” to address the specific subject of the standard.
Some of the main examples are:
ISO/IEC 27001 – Information security management
ISO9001 – Quality management
ISO22301 – Business continuity management
ISO14001 – Environmental management
ISO45001 – Occupational heath and safety management
ISO/IEC 20000 – IT service management
Traditionally, all of these standards have had a slightly different way of implementing and running a management system and the wording of the standards has varied sometimes quite significantly. This is ok until an organisation decides to try to run a single management system across multiple standards, for example ISO9001 and ISO/IEC 27001. Then it becomes difficult for the organisation to marry up differing ways of doing the same thing and it makes the auditors’ job harder (and longer and more expensive) too.
So, to get around this problem of “multiple management systems” the ISO decided to standardise the wording of the management system parts of the standards. They produced a long document with numerous appendices, one of which was “Annex SL” containing a first draft of the standard wording. Over time the ISO phased in this common “Annex SL” wording and all new standards or new versions of existing standards now have it. As it happens, ISO22301 was the first to adopt this new layout and so may be called the first “Annex SL” standard. Since 2012 all of the other management system standards have been gradually revised until we now have a situation where they are all compatible with each other (with minor variations).
The good news for an organisation implementing (for example) a BCMS based on ISO22301 or an ISMS based on ISO/IEC 27001 is that they will by default be putting in place an “Annex SL” management system. This will make it much easier for them to implement other standards such as ISO9001 at a later date.
What is the structure of Annex SL?
Each ISO standard that follows Annex SL has the same high-level structure as follows:
Scope
Normative references
Terms and definitions
Context of the organisation
Leadership
Planning
Support
Operation
Performance evaluation
Improvement
Sections 1-3 are for reference and don’t cover the requirements that are in sections 4-10. Section 0 is the introduction. The requirements of sections 4-10 are mandatory and meeting them determines the outcome of your certification audit
