Management system guidance
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
Our range of templates covers the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offers an easy way to implement your next management system.
Determining the context of your organization is a requirement that is new to ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018. Also known as contextual intelligence, this approach is not new to those familiar with business planning and strategic development, but it is new in terms of its specific inclusion into ISO management system standards.
Your organization is now required to identify and assess all internal and external issues that could impact upon your management system’s ability to deliver its intended results. You can read more about the different types of internal and external issues below. You will also need to develop a methodology to understand the needs and expectations of all interested parties.
Identify the stakeholders of your organization’s management system and capture their relevant requirements that might influence the type and complexity of your management system. We suggest that you use the context analysis template to help determine internal issues relevant to your organization’s purpose and strategic direction that may affect its ability to achieve the intended result(s) of its management system.
This information should be retained as a strategy or tactical planning document to underpin your organization’s policies and to provide a road map to achieve future goals.
You should allow time to develop an understanding of the key internal and external factors that influence your business, and to set up processes to capture, monitor and review these issues. The following types of documents and tools often help to provide a source of contextual information:
- Policy statement(s) regarding your organization’s purpose and strategic direction;
- Individual strategy documents underpinning your organization’s policies that provide a road map to achieve its goals;
- Records of meetings where context is routinely discussed and monitored;
- Structured risk assessments of external and internal issues;
- Use of PESTLE template (Political, Economic, Social, Technological, Legal, Environmental) analysis tools for external issues;
- Use of SWOT template (Strengths, Weaknesses, Opportunities, Threats) analysis tools for internal issues;
- Documented information describing organizational context, included as part of a quality manual.

A review of organizational context could include interviews with senior management, questionnaires, surveys and research. Cross-functional input is essential to bring in the specific expertise required to identify the full breadth of issues, such as finance, training, human resources, commercial, engineering and design, etc.
Not only will this ensure a broader appreciation of organizational context but also wider engagement, particularly with those functions not previously involved with the management system.
You will need to determine and understand the quality, safety and environmental conditions typically experienced in your type of organization, since these can have positive or negative impacts and become inputs to your internal and external issues. It is important to remember that Clause 4.1 ‘Understanding the Organization and its Context’ interacts with the following clauses:
- Clause 4.3 - ‘When determining the scope, the organization shall consider the external and internal issues referred to in 4.1’;
- Clause 5.1.1 - ‘Top management shall ensure that the quality, environmental or health & safety policies and objectives are established for the management system and are compatible with the organization’s strategic direction and its context’;
- Clause 5.2.1a - ‘Top management shall establish, review and maintain its quality, environmental or health and safety policies appropriate to the purpose and context of the organization’;
- Clause 6.1.1 - ‘When planning the management system, the organization shall consider issues referred to in 4.1 and determine risks and opportunities that need to be addressed’;
- Clause 9.3.1 - ‘The management review shall be planned and carried out taking into consideration changes in external and internal issues relevant to its management system that includes its strategic direction’.

There should be no need to have a separate contextual description for each environmental, health and safety or quality management system. In theory, a single, integrated contextual statement can suit the requirements of each management system, since there will be a degree of overlap between the context of an OHSMS, a QMS and an EMS.
In practice, however, the needs and expectations and the types of interested party will likely have some degree of overlap too, as well as subtle but important differences which require clear definition. You should consider the focus of your QMS as being different to the focus of your EMS or your OHS management system; your organizational context must reflect that.

Identifying internal issues

To help understand your business’s internal issues at the micro level, you need to understand its strengths and weaknesses and be able to identify relevant opportunities and threats. Undertake a SWOT analysis to review and evaluate current business strategies, the position and direction of your organization, business propositions and other commercial leads.
The SWOT analysis should be developed in such a way that the weaknesses and threats become inputs to determining risk and opportunity. Internal issues might typically be influenced by the following:
- Organizational activities;
- Types of product and service;
- Strategic direction;
- Capabilities (people, knowledge, processes, systems);
- Working practices;
- Employment practices;
- Location and conditions;
- Worker knowledge;
- Organizational structure;
- Policy and objectives;
- Values;
- Strategy;
- Competence;
- Culture;
- Knowledge;
- Performance;
- Quality, safety and environmental conditions capable of affecting or being affected by your organization.

Sources of information relating to internal issues might include:
- Organizational structure, including the identification of roles and responsibilities and governance arrangements;
- External reports showing how well your business is performing;
- Statements relating to your organization’s mission, vision and core values;
- Emphasis placed upon business ethics and organizational codes of conduct;
- Feedback obtained from employees through opinion surveys;
- Information management systems and processes for capturing and deploying knowledge and lessons learned;
- Organizational capability studies, identification of load/capacity and resource requirements to meet demand;
- Register of identified internal risks and their treatment.

The ISO standards do not specify that internal issues, or their monitoring and review, be documented, so there might not be ‘lists of internal issues’ or records of reviews. However, information can be obtained via interviews with relevant Top management in relation to your organization’s context and its strategic direction, the identified issues and conditions, and how these may affect the intended outcomes of your management system.
Identifying external issues

External issues might include political, financial or economic trends, customer demographics or emerging product developments. You should undertake a PESTLE analysis in order to establish a suitable understanding of these circumstances, and of the market in which your business operates at the macro level.
PESTLE analysis provides a framework for measuring market and growth potential according to external political, economic, social, technological, legal and environmental factors. External issues might typically be influenced by the following:
- Cultural, social, political and regulatory;
- Innovation, technology, industry requirements, market requirements, suppliers and partners;
- Financial, economic, natural and competitive issues, whether international, national, regional or local;
- Quality, safety and environmental conditions capable of affecting or being affected by your organization.

Sources of information relating to external issues might include:
- Reports relating to market environment, economic conditions, new technology, new markets, customer expectations;
- Reports relating to supplier intelligence, political considerations, investment opportunities, social factors etc.;
- Identification of factors relating to changes in legislation and regulation, including environmental and H&S impact;
- Feedback relating to product/service performance and lessons learned;
- Register of identified external risks and their treatment.

A workshop approach often allows ideas to be shared and provides an effective and efficient way of achieving a valuable outcome. The workshop could simply be a discussion identifying the issues, which can then be mapped out using Political, Economic, Social, Technological, Legal and Environmental (PESTLE) analysis. This method helps to structure the conversation and will also help to achieve buy-in to what is often seen as a peripheral or niche area.
To be compliant, evidence should be reviewed that proves that your business has identified all pertinent internal and external issues at periodic intervals. Although there is no requirement for any documented information defining organizational context, it is helpful to retain the following types of documented information to help justify compliance:
- Business plans and strategy reviews;
- Quality manual;
- Competitor analysis;
- Economic reports from business sectors or consultants’ reports;
- SWOT template analysis output;
- PESTLE template analysis output;
- Risk and opportunity assessments;
- Statement contained within a Management System Manual;
- Minutes of management review meetings (that show decisions and actions relating to organizational context);
- Process maps, tables, spreadsheets, mind mapping diagrams.

To assess whether your organization has a high-level, conceptual understanding of the internal and external issues that affect, either positively or negatively, its ability to achieve the intended outcomes, you should describe the processes used by your organization to identify internal and external issues and make reference to all objective evidence, including examples of these issues.
The guidance shown on this page is relevant to ISO 9001, ISO 14001 and ISO 45001. Understanding the needs and expectations of interested parties is a new requirement. You should allow time to develop an understanding of your business’s internal and external stakeholder interests that might impact upon your management system’s ability to deliver its intended results, or those that might influence your business’s strategic direction.
This information should be gathered, reviewed and regularly monitored through formal channels, such as management review meetings. We suggest that you undertake analysis of interested parties to determine the relevant interested parties and their requirements that relate to your business activities, and those which impact the management system.
In order to determine the relevance of an interested party or its requirements, your organization needs to answer: ‘does this interested party, or their requirements, affect our organization’s ability to achieve the intended outcomes of its management system?’
If the answer is ‘yes’, then the interested parties’ requirements should be captured and considered when planning your management system. There are many ways to capture this information; your approach could include:
- Information summarised as an input to the quality risk and opportunity registers;
- Information summarised as an input to the identification of environmental aspect and impact registers;
- Information summarised as an input to the identification of health & safety hazard and risk registers;
- Recorded in a simple spreadsheet with version control;
- Logged and maintained in a database to allow tracking and reporting;
- Captured, recorded, and disseminated through key meetings.

Try using brainstorming techniques to identify relevant external and internal interested parties, e.g. customers, partners, end users, external providers, owners, shareholders, employees, trade unions, government agencies, regulatory authorities, local community. We suggest that you capture this information using a free copy of our ‘Interested Party Analysis’ template.
Similar to the context review discussed previously in Clause 4.1, cross-functional input is vital, as certain functions will identify with particular stakeholders, for example procurement with suppliers, and sales with customers. A workshop approach should be encouraged, which can be undertaken independently of, or in conjunction with, the context review workshop.
Once stakeholders and their requirements are identified, the next step is to consider which stakeholder requirements generate compliance obligations. Legal requirements should be identified before other requirements. This process of adopting requirements will allow you to focus on and coordinate what’s important.
Make reference to all objective evidence, including examples of interested parties and any resulting compliance obligations. Look for evidence that your organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your management system.
You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s management system are planned. Ensure that your organization has properly identified its interested parties, and subsequently determined whether any of their needs and expectations are to be adopted as a compliance obligation. Ensure that this process is revisited periodically, because the relevant requirements of relevant interested parties may change over time.
Although not specifically required, objective evidence could be a list or matrix of the interested parties, their corresponding needs and expectations, and an indication of which of these are accepted as compliance obligations. Compliance obligations might include:

- All relevant legal requirements;
- All requirements imposed by upper levels in the organization (for example corporate requirements);
- All relevant requirements of relevant interested parties that the organization decides to comply with, whether contractually (customers) or voluntarily (environmental or safety commitments).

Communicating with stakeholders, particularly in relation to compliance obligations or legal requirements, is vital. Communication with stakeholders should be based on performance data generated by your organization’s management system, which will require robust monitoring and measurement to ensure that the data is reliable.
You should ensure that the monitoring and measurement processes are included in the internal audit programme, so your organization can assure itself that the checking processes are validated and that the data it is communicating is accurate. It is important to remember that Clause 4.2 ‘Understanding the Needs and Expectations of Interested Parties’ interacts with the following clauses:
- Clause 4.3 - ‘When determining the scope, the organization shall consider requirements of relevant interested parties referred to in 4.2’;
- Clause 5.2.2 - ‘The quality, environmental or health and safety policies are available to relevant interested parties, as appropriate’;
- Clause 6.1.1 - ‘When planning the management system, the organization shall consider the requirements referred to in 4.2, and determine risks and opportunities that need to be addressed’;
- Clause 8.3.2 - ‘In determining the stages and controls for design and development, the organization shall consider the level of control expected for the design and development process by customers and other relevant interested parties’;
- Clause 9.3.2 - ‘Management reviews are planned and carried out considering information on management system performance and effectiveness, including trends in customer satisfaction and feedback from relevant interested parties’.

Internal stakeholders could include:

| Types of internal interested parties | Possible needs and expectations | How to capture key issues |
|---|---|---|
| Employees and contractors | Shared culture, attitudes and job security | Employee meetings, consultation and feedback |
| Clients and customers | Competitive pricing, reliability and value | Client/customer reviews and relationship management/customer feedback |
| Suppliers | Beneficial supplier-client relationships | Supplier reviews and relationship management |
| Unions and worker representatives | Representation and cooperation | Consultation and feedback on employment and safety issues |
External stakeholders could include:

| Types of external interested parties | Possible needs and expectations | How to capture key issues |
|---|---|---|
| Regulators | Compliance and reporting | Critical product specification issues and conformity |
| Shareholders | Profitability and strategies for growth | Consultation and engagement exercises to identify concerns |
| Neighbours and communities | Social responsibility and engagement | Consultation and engagement exercises to identify environmental concerns |
| Local Authorities and Government | Consultation and information | Engagement with planning and development issues |
The relevant requirements of interested parties must be available as inputs into the management system planning process, as potential risks and opportunities (Clause 6.1). There is no requirement to retain documented information, but the following types of documentation would help to evidence this:
- Minutes of meetings (from meetings with each group of interested party);
- Requirement spreadsheets and databases (CRM & ERM type applications);
- External communications and documentation;
- Quality manual;
- Flow down and capture of requirements relevant to the management system defined in contracts, orders, statements of work, terms of business etc.;
- Records of meetings where interested parties and their requirements are routinely discussed and monitored;
- Stakeholder mapping to determine importance;
- Records of surveys, networking, face-to-face meetings, association membership, attending conferences, lobbying, participation in benchmarking.
Defining the scope of your management system is a key step when developing any management system. The scope should concisely describe the activities, regulatory requirements, facilities, and remote locations that are to be covered under, and supported by, the management system.
The scope of registration and certification will need to reflect precisely and clearly the activities covered by your organization’s management system; any exclusion to non-applicable requirements of the standards should be documented and justified in the manual. No single business-related activity should exist outside of the scope. You should discuss the scope of registration very early in your contact with the registrar, prior to or during the selection process.
From a review of the nature of your business’s operations, products and services, the scope of the management system should be apparent by the extent of the processes and controls that your organization has already established.
Look for confirmation that your organization has determined the boundaries and applicability of the management system to establish its scope with reference to any external and internal issues (Clause 4.1), the requirements of relevant interested parties (Clause 4.2), and the nature of your organization’s products and services. Consideration of the boundaries and applicability of the management system can include:
- The range of products and services;
- Different sites and activities;
- External provision of processes, products and services;
- Common support provided by centralised functions;
- Processes, procedures, instructions, or site-specific requirements.

The scope of your management system may include the whole of the organization, specific and identified functions within the organization, specific sections of the organization, or one or more functions across a group of organizations. Auditors will challenge your organization if any activities, products and services that would likely have a significant impact on the environment, or that impact health and safety, are omitted from the scope. Your organization’s scope determinations should be reasonable and consistently applied.
Ensure that your organization has considered its degree of control and influence over its activities, products and services from a life cycle perspective. The degree of control needs to be determined for environmental aspects associated with such things as procured goods and services, outsourced processes, product performance requirements, end of life treatment (recycling, disposal, etc.).
The management system scope must be retained as documented information in accordance with Clause 7.5.1, usually within the management system manual. The scope statement is normally shown on the certificate; for most registrars, 15 words or less is generally sufficient. Two examples are shown below:
‘provision of marketing, sales, support, development and implementation of software solutions, located at…’
‘manufacture of precision machined components for aerospace and industrial customers, including the delivery of these activities to requirements, located at…’
ISO 9001:2015 includes specific requirements necessary for the adoption of the process approach when developing, implementing and improving a management system. This requires your organization to systematically define and manage processes and their interactions so as to achieve the intended results in accordance with both the policy and the strategic direction. Although ISO 14001 and ISO 45001 do not ‘specifically’ require the adoption of the process approach, both standards do imply its use.
Certification Auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses but should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy.
We suggest that you map out which departments and functions are responsible for executing each element (from Section 4.0 to Section 10.0) of the standard as it applies to each process, using a free copy of our ‘Process Clause Matrix’ template. Auditors will want to determine:
- How well the ‘process approach’ is understood and deployed within the organization;
- How well the management system aligns with the organizational context and the requirements of interested parties;
- How likely it is that the management system will achieve its intended outcomes and enhance environmental, safety and quality performance;
- Identification of the processes needed for the management system (e.g. process models, process grouping, process flow diagrams);
- Management system processes and their sequence and interaction (e.g. process mapping, turtle diagrams, SIPOC);
- What information exists to ensure effective operation and control of the processes, e.g. defined process requirements, defined roles, required competencies, associated training, guidance material;
- How the expected inputs and outputs from each of the identified processes are aligned with the assignment of responsibilities and authorities;
- The necessary criteria and methods to ensure effective operation and control of the processes, e.g. process monitoring indicators, performance indicators, target setting, data collection, trend analysis, audit results;
- The arrangements for governing the processes (e.g. process reviews, dashboards, risks and opportunities relating to the process, resource needs, user training and competency, continual improvement initiatives, frequency of reviews, agenda, minutes, actions);
- The organizational approach towards continual improvement and the type of action taken when process performance does not meet intended results;
- How customer, statutory and regulatory requirements are captured, and the method used to build these into the QMS (e.g. requirements capture, gap analysis, requirements embedded into the process definition, assigned contract assurance instructions, formal links to information, use of specified documentation).
Existing operational procedures, quality manuals, work instructions and flow charts are valid examples of documented information and can be used to evidence that the requirement for ‘documented information to support the operation of processes’ is being met. Check that process inputs and outputs are defined, and review how the processes are sequenced and how they interact.
Your organization should begin using quality, health and safety, and environmental performance indicators to control and monitor issues, and associated risks and opportunities. These types of objective evidence will indicate that your organization has successfully integrated the management system processes into its business processes.
Evidence may include Top management reviewing management system KPIs as part of regular business reviews, awareness among contractors and employees of management system goals and expectations, etc. Look for evidence that your organization has:
- Assigned duties/process owners (Clause 5.3);
- Assessed risks and opportunities (Clause 6.1);
- Provided resources (Clause 7.1);
- Maintained and retained documented information (Clause 7.5.1);
- Implemented measurement criteria (Clause 9.0);
- Improved the management system and its processes (Clause 10.3).

Check the documentation created and maintained by your organization to support the operation of the processes; such documentation might be in the form of a management system manual, staff handbook, documented procedures, work instructions, guidance material, data cards, physical samples, IT systems (including intranet and internet), universal or bespoke software, templates and forms.
Documentation identified and retained by your organization that shows that the processes were carried out as planned should be retained as physical hard-copy records or electronic media (data servers, hard drives, compact discs, flash drives, etc.).
Also check for specific documentation created and maintained by your organization that includes a description of relevant interested parties (Clause 4.2), the scope of the management system including boundaries and applicability (Clause 4.3), and a description of the processes needed for the QMS together with their sequence, interaction and application and the assignment of responsibilities for the processes.
Certification Auditors are likely to audit your organization’s processes in sufficient depth and detail to evaluate if those processes are capable of meeting planned results and performance levels. You should therefore audit your organization’s management system to focus on process performance and effectiveness. Give priority to the following:
- Review your organization’s processes, their sequence and how they interact;
- Identify functions and the assignment of responsibilities;
- Review performance against requirements and defined measures, focusing on processes that directly impact the customer;
- Review your organization’s process for monitoring and measurement, validation and approval of processes, and process changes;
- Review the availability of resources and the information required to operate and support associated activities, including appropriate training and competency of personnel;
- Review process-based management techniques, including the examination of process measures that might include level of quality, output effectiveness, control limits, process capability determination;
- Review any existing plans to ensure performance objectives and targets are monitored, measured, and analyzed in order to realize the planned activities and achieve the planned results;
- Review all applicable action taken when objectives and targets are not met to promote continual improvement;
- Pursue audit trails that address customer concerns or requests for corrective actions, performance against objectives, and relevant process controls.

Based upon the extent of your organization’s management system processes, you should seek evidence that your organization has maintained documented information to support the operation of its processes, and that it has retained documented information to provide confidence that the processes are being carried out as planned.
Identify key processes and supporting processes

Key processes such as design and development, manufacturing, customer service and purchasing are key to giving the customer what they want.
Supporting processes do not contribute directly to what the customer wants but do help the key processes to achieve their output. Support processes often include human resources, finance, document control, training and facilities maintenance, etc.
A good way to do this is to think about how work flows through your organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within each and how the support processes link in. For now, ignore the standard; in fact, put it in a drawer and forget it exists. Instead focus on your key processes and how the departments interface with each other.
When defining your processes, try to keep it simple. A process such as ‘receiving inspection’ could be a sub-process of the ‘purchasing’ process, for example. As noted above, Certification Auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others, at a depth your company chooses based on its customer and applicable regulatory or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be determined and documented, the organization may wish to consider factors such as:
- Effect on quality;
- Effect on the environment;
- Effect on safety and wellbeing;
- Risk of customer dissatisfaction;
- Statutory and/or regulatory requirements;
- Economic risk;
- Effectiveness and efficiency;
- Competence of personnel;
- Complexity of processes.

Once you have defined the processes and interfaces, go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organization’s processes, think about each process and department, and try to define those processes around the current organizational model and not around the requirements of the standard. For each process, ensure that it has:
- Owner(s) and participants, defined and documented;
- Procedures, work instructions or forms;
- Inputs, activities and outputs;
- Key performance indicators;
- Risks and opportunities.

Determine the sequence and interaction of processes

The Certification Auditors must see evidence that the organization has determined its processes and that the interactions are also defined, all within the management system manual. This includes the actual and technical inputs and outputs of the processes, to show their inter-relationship.
This requires a description of the interactions between the processes and should include process names, process inputs and process outputs in order to define their interactions. Interaction means how one process influences another. Auditors commonly agree that the interactions of the processes cannot be described if the processes themselves have not been determined (named).
The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the processes and their sequence and interactions were determined.
Such documents may be used by organizations should they deem them useful, but they are not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing the interaction between processes.
Controlling outsourced processes

Outsourced processes must be controlled by the organization and these controls must be defined and described within its system. Organizations are required to identify the controls they apply for any outsourced processes. Examples of outsourced processes include:
A process completed wholly or partially by a sister facility outside the scope of registration, such as a corporate function performing design, purchasing or customer-related processes; this includes management activities, i.e. business planning, goal setting, resources, data analysis, budgeting, etc.
This may cover the entire element or a subsection, e.g. corporate completes supplier evaluation and re-evaluation while the registered site initiates purchase orders.
A process completed by an outside vendor or subcontractor, such as heat treating, plating, calibration, painting, powder coating, etc. These types of processes may be controlled by the purchasing process, where a formal contract or purchase order may be the control.
If this is the case, the written documentation would be the purchasing documentation and records; however, these processes are still required to be documented in the quality manual.
If an outsourced process is controlled through purchasing, there must be documented objective evidence to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes.
Outsourced processes may be controlled through such methods as, but not limited to, auditing, contractual agreements, process performance data review on an on-going basis or purchasing processes.
Ensuring control over outsourced processes does not absolve the organization of the responsibility for conforming to customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as the potential impact of the outsourced process on the organization’s capability to provide a product or service that conforms to requirements, the degree to which the control of the process is shared, or the capability of achieving the necessary control through the application of the purchasing process.
You should expect to see evidence that your organization has determined its processes and their interactions. If your organization calls it a ‘process’, it must be monitored for effectiveness and improved.