The biggest change to come to ISO management system standards (MSS) in recent years is the so-called “Annex SL”. Annex SL is a high-level structure (HLS) described in ISO/IEC Directives, Part 1 which provides direction to standards writers by setting out guidelines which include a generic structure for requirements as well as common terms and text. About time, I say!
Before Annex SL
Comparing other management system standards of the past (e.g. ISO/IEC 27001:2005 and ISO 9001:2008) you can see that the underlying concepts and approach are basically the same. They all address requirements such as scoping, policy, roles and responsibilities, competency, operations, internal audit, management review, corrective action, and others. However, they have historically each told us the same thing in different ways.
For example, in ISO 9001:2008 the requirement for management review was in clause 5.6, whilst in ISO/IEC 27001:2005 it was clause 7. Equally annoying, the text used to define requirements was often different despite the underlying requirements in most standards having the same basic meaning or intent.
Integrating management systems was often seen as challenging, with the first step being focused on identifying all the differences and the similarities between the standards that you intended to implement. Some advocated the use of PAS 99, a guide for integrating management systems.
With the Annex SL in play, all new management system standards will be based on the same underlying framework, and older standards will be updated.
A standard framework
This new framework is based on the same old ideas and concepts but has been refined into a more logical sequence of processes which is still generically based on the PDCA cycle. So if you are looking for “management review” in any standard now, you’ll know to look toward the back and into clause 9.3, under ‘Performance Evaluation’. So it is now a relatively simple task to link requirements across standards in an integrated management system.
Between standards, the common requirements and text will be used wherever they can be, deviating only where necessary.
In this new structure, you will see that most of the major differences will occur in clause 8 “Operations”. That’s because this is where all the action takes place. I.e., in a quality management system we are implementing processes to enhance customer satisfaction, whereas in an information security management system we are focusing on the preservation of information confidentiality, integrity, and availability. Clause 8 is the heart of the process, so will vary significantly between standards.
Annex SL Appendix 2 defines the following outline structure. I’ll state the major headings here along with a little explanation of what the section is generally addressing within the overall management system process.
Clause 4 – Context of the organization
This section ensures that an organization understands its own business and determines the purpose of the management system, after having considered internal and external issues, such as legal, regulatory, or contractual obligations, and the requirements, needs, and expectations of interested parties.
It also defines the requirement to set out the scope of the management system.
Clause 5 – Leadership
Emphasizes requirements of top management (read as CEO/VP/Board/Etc.) to be accountable and to ensure that the organization is able to achieve the intended outcomes of the management system, and to ensure the integration into business processes.
This includes requirements such as establishing organizational policy and defining clear roles, responsibilities, and authorities to be able to achieve outcomes.
Clause 6 – Planning
When planning to implement the management system, and to achieve the intended outcomes, we must consider risks and opportunities, and plan actions to address them.
Hand-in-hand with planning, of course, we need to clearly define our objectives.
Clause 7 – Support
The support clause requires that management provides all the necessary support in order to implement the plan and operate the changes. So here we will find requirements covering resources, competency, awareness, communication, and documentation.
Clause 8 – Operations
This is where the standards will vary most, but put simply, we must implement the plan. I.e. design, build, and sell the product; or lock the door when we leave at night per company policy. You can think about this as being the day-to-day routine.
A general clause here states the requirement to plan and control our processes, and this includes items such as establishing criteria, keeping necessary documentation (e.g. records), and managing external processes, such as suppliers.
Clause 9 – Performance Evaluation
This section covers the importance and the need to check the outcomes and results of operating the management system (clause 8). I.e. tracking objectives, reviewing customer feedback, analyzing incidents and trends, etc.
We’ll also find the requirements for a higher level of checking, through the internal audit process. And back to our leadership once more – who said that all of this is important and relevant – with the management review process.
Clause 10 – Improvement
Finally, we have improvement requirements, which will be the actions taken to address the outcomes of our performance evaluation.
In the case of any nonconformance, this section covers the requirements for “corrective action”. And where there is no nonconformance, the organization must continue to maintain and make improvements to its processes and enhance results.
Annex SL not only provides a common structure but also the suggested text for each of the sections. The text is general and will be used unless there is a need to change it. When it comes to consistency in reading across the various standards and integration, this is gold dust.
In general, the text in clauses 4 through 7, 9, and 10 will be very similar in all standards, as these clauses are the more overarching framework elements of the management system, whereas clause 8 will necessarily be specific to the subject of the standard, be it information security, business continuity, environmental or quality management.
The direction and thinking on management systems has also changed over the years and some noticeable changes are prevalent in this new structure. I’ll highlight a few of the major ones here.
There is now much more emphasis on the role of organizational leaders and leadership, as opposed to simply “management”. This is really all about accountability and culture, in my opinion.
“Top” management is specifically addressed, and if you can’t think why that might be, then take a step back for a moment and ask yourself why you would otherwise be implementing all of these requirements if the organization’s leadership didn’t want or care about the outcomes of your intended management system?!
There is a lot more emphasis on the outcomes of the management system and its overall effectiveness in achieving objectives. Meaning, it shouldn’t be a checkbox exercise. The organization should be establishing and implementing processes that add value and contribute toward the strategic direction of the organization. Not just doing things for the sake of doing them, or “because the standard says so”.
Put another way, there is no “one right way” to do anything. It is for the organization to do as it pleases, with the focus being on achieving its policy and objectives (which must, of course, be appropriate given the business context), and then being able to prove that.
Ultimately, it’s all about the management system’s effectiveness and ability to continually improve.
Has the classic, and often misunderstood “Preventative Action” been removed? No, it has not!
Older standards made reference to preventative action, with the idea being that we should be pro-active in identifying any potential problems or nonconformities and address them before they become nonconformities. You will not see the term “preventative action” in these standards anymore. However, the concept remains, as risks and opportunities under clause 6 “Planning”. Much more logical, in my opinion!
The Annex SL provides guidelines to management system standards writers on the structure and common text that should be used. It will help implementers to better understand the relationships between the different standards and to implement and integrate them more easily and effectively.
Clearly then, the good news is that if you know one, then you pretty much know them all!