
Structure of ISO management system standards

November 4, 2020

The International Organization for Standardization (ISO) defines a management system as a set of procedures an organisation needs to follow in order to meet its objectives. A management system standard provides a model to follow when setting up and operating a management system. Some of the top-level benefits of a successful management system include:

  • enhanced use of resources
  • improved risk management
  • increased customer satisfaction by meeting product/service expectations

ISO has published many management system standards, on topics ranging from quality and the environment to information security and business continuity management. Because these standards address different business objectives, most organisations have more than one management system in place. With this comes a need to integrate and combine the standards effectively, because uncoordinated systems consume extra time and resources.

The structure of ISO management system standards

Older management system standards often have different structures, requirements and terminology, so integrating them is challenging. At ABAC®, we can help you address this problem. Adopting ISO 31000, ISO 37001 and ISO 37301 together, in an integrated way, produces less duplication, confusion and misunderstanding.

To make integration easier, ISO defines a core set of generic requirements, applicable across disciplines and industry sectors, in Annex SL of the ISO/IEC Directives, Part 1 (the "high-level structure"). All new and revised ISO management system standards follow this same high-level structure, share identical core text, and use common terms and definitions:

  • Clause 1: Scope

This clause sets out the intended outcomes of the management system. The outcomes are specific to the discipline covered by the standard and should be aligned with the context of the organisation (see clause 4).

  • Clause 2: Normative references

This clause lists the reference standards or publications that are indispensable for applying the particular standard.

  • Clause 3: Terms and definitions

This clause defines the terms applicable to the specific standard, in addition to any separate terms-and-definitions standard it refers to.

  • Clause 4: Context of the organisation

This clause establishes the context in which the organisation operates. The organisation needs to identify the internal and external issues that can affect its intended outcomes, as well as all interested parties (stakeholders) and their expectations. It also needs to document the scope and set the boundaries of the management system. Clause 4 has four sub-clauses: 4.1) Understanding the organisation and its context; 4.2) Understanding the needs and expectations of interested parties; 4.3) Determining the scope of the management system; and 4.4) The management system.

  • Clause 5: Leadership

Top management is accountable for the management system. It needs to integrate the management system into the organisation's core business processes, ensure the system achieves its intended outcomes, and allocate the necessary resources. Top management is also responsible for communicating the importance of the system, to heighten employee awareness and involvement. Clause 5 has three sub-clauses: 5.1) Leadership and commitment; 5.2) Policy; and 5.3) Organisational roles, responsibilities and authorities.

  • Clause 6: Planning

Having identified its risks and opportunities, the organisation needs to specify how they will be addressed. This proactive approach replaces the separate "preventive action" requirement of older standards and reduces the need for corrective action later. The objectives of the management system should be measurable, monitored, communicated, aligned with the policy of the system, and updated when needed. Clause 6 has two sub-clauses: 6.1) Actions to address risks and opportunities; and 6.2) Management system objectives and planning to achieve them.

  • Clause 7: Support

After addressing context, commitment and planning, organisations need to consider the support required to meet their goals and objectives. This includes resources, competence, awareness, targeted internal and external communication, and "documented information", a term that replaces the previously used "documents", "documentation" and "records". Clause 7 has five sub-clauses: 7.1) Resources; 7.2) Competence; 7.3) Awareness; 7.4) Communication; and 7.5) Documented information.

  • Clause 8: Operation

The bulk of the requirements specific to the discipline covered by a given standard sits within this single clause. Clause 8 addresses both in-house and outsourced processes; operational control must include adequate criteria for controlling these processes, as well as ways to manage planned and unintended change. In the high-level structure, Clause 8 has only one sub-clause: 8.1) Operational planning and control. Individual standards add their own discipline-specific sub-clauses here.

  • Clause 9: Performance evaluation

The organisation must decide how performance will be monitored, measured, analysed and evaluated. Internal audits verify that the management system conforms to the organisation's own requirements and to the standard, and that it is effectively implemented and maintained. Management review evaluates whether the management system remains suitable, adequate and effective. Clause 9 has three sub-clauses: 9.1) Monitoring, measurement, analysis and evaluation; 9.2) Internal audit; and 9.3) Management review.

  • Clause 10: Improvement

Clause 10 covers how nonconformities and corrective action are handled, as well as continual improvement. The requirement to continually improve the suitability, adequacy and effectiveness of the management system is embedded in all ISO management system standards. Clause 10 has two sub-clauses: 10.1) Nonconformity and corrective action; and 10.2) Continual improvement.


The purpose of ISO standards

Let's have a look at the ISO 37001, ISO 31000 and ISO 37301 standards and their purpose.

ISO 37001 Anti-Bribery Management System

To help combat bribery and corruption, ISO issued ISO 37001:2016, the Anti-Bribery Management System (ABMS) standard. It helps businesses, non-profits and government agencies reduce their exposure to bribery by establishing, implementing, maintaining and improving an anti-bribery management system. This matters, because bribery and corruption can lead to criminal prosecution, fines, regulatory action, lowered employee morale and reputational damage.

When an organisation decides to pursue ISO 37001 Anti-Bribery Management System training and certification, the benefits follow quickly, because ISO 37001 puts in place methods that:

  • Ensure that your organisation is implementing a viable anti-bribery management system using widely accepted controls and systems
  • Give your company the tools it needs to prevent bribery and mitigate related risks
  • Provide assurance to management, investors, business associates, personnel and other stakeholders that the organisation is actively pursuing internationally recognised and accepted processes to prevent bribery and corruption
  • Help your company create new and better business partnerships with entities that recognise your certified status, including supply chain manufacturing, joint ventures, pending acquisitions and co-marketing alliances
  • Potentially reduce corporate insurance premiums
  • Provide your customers, stakeholders, employees and partners with confidence in your business operations and ethics
  • Provide a competitive edge over non-certified organisations in your industry or niche
  • Provide evidence to prosecutors or courts that the organisation has taken reasonable steps to prevent bribery and corruption

ISO 37001 certification attests that your organisation has implemented reasonable and proportionate measures to prevent, detect and respond to bribery and to comply with anti-bribery laws, both internally and in its dealings with third parties (agents, consultants, suppliers, distributors and other business associates). These measures involve top-level leadership, training, bribery risk assessment, due diligence, financial and commercial controls, reporting, audit and investigation. Learn more about the ISO 37001 standard today.


ISO 31000 Risk Management Standard

ISO developed ISO 31000:2018, Risk management – Guidelines, to help organisations address operational continuity and provide confidence and reassurance in their economic resilience, professional reputation, and environmental and safety outcomes. Like most ISO management standards, ISO 31000 can be tailored to your organisation to help achieve the best results.

ISO 31000 Risk Management provides principles, framework and a process for managing risk. Public, private and community enterprises can all benefit from ISO 31000 because it covers most business activities, including research, planning, management and communications. Implementing ISO 31000 can help organisations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.

Aligning your organisation with ISO 31000 means protecting it from risks that could endanger operational efficiency, governance and stakeholder confidence. (ISO 31000 is a guidelines standard rather than a requirements standard, so, unlike ISO 37001 and ISO 37301, it does not itself define a certifiable management system; what can be assessed is how well your risk management framework and process follow its principles.) It will help strengthen and achieve your organisation's strategic objectives by establishing a risk-based system of values, enabling your organisation to:

  • Support the achievement of goals and objectives through enhanced risk management
  • Reduce costs through proper risk management
  • Respond to change effectively and find viable solutions
  • Create and protect value
  • Create a consistent basis for decision-making and planning
  • Increase the likelihood of achieving objectives
  • Identify opportunities and threats productively
  • Identify and mitigate risk throughout the organisation
  • Gain stakeholder confidence and trust

Learn more about the ISO 31000 Risk Management standard with our free playbook!

ISO 37301 Compliance Management Standard

ISO 37301 is a widely accepted standard that sets out requirements, with guidance, for establishing, developing, implementing, evaluating, maintaining and improving an organisation's compliance management system. It covers all compliance-related issues, including anti-trust, fraud, misconduct, export control, anti-money laundering, and other risks which might affect your business.

Its predecessor, ISO 19600, was published by the International Organization for Standardization (ISO) in December 2014. At the time of writing ISO 37301 is at Draft International Standard stage (ISO/DIS 37301) and is scheduled to replace ISO 19600 in 2021. ISO 37301 establishes requirements for a compliance management system, whereas ISO 19600 only provides recommendations.

ISO 37301 is a so-called Type A standard (a requirements standard) and, unlike its predecessor ISO 19600, is certifiable. That being said, most of the new standard is based on ISO 19600:2014; companies that have already aligned themselves with ISO 19600 will not need to make radical changes, and will in future be able to have their compliance management system verified by an independent third party.

If your organisation performs regular risk assessments, you have probably noticed that corporate compliance consistently ranks as one of the most significant risks. The implementation and certification of a robust compliance program can help you maintain integrity and ensure compliance with all applicable rules and regulations in a systematic, structured and pro-active manner.

A CMS helps organisations comply with the legislation that applies to them and with the commitments they have made to their stakeholders. It reduces the economic and reputational risks of failing to comply, and it is a fundamental tool for delivering an organisation's corporate social responsibility policies. It helps to create a culture of integrity and compliance that fosters the sustained success and survival of the organisation.

Do you seek to benchmark your existing system against international best practices? Certification of your compliance management system by an independent third-party such as ABAC® not only provides assurance to your stakeholders, it also enables organisations to detect opportunities and to further increase the effectiveness of their CMS.

Learn more about the ISO 37301 standard today.


ISO certification & training benefits

When your organisation makes the decision to become certified in ISO 37001, ISO 31000, and ISO 37301, there are numerous benefits that come with implementing these management standards.

  1. Win government tenders: ISO certification is now a requirement in many government tenders.
  2. Build credibility internationally: ISO certification helps your organisation gain the credibility needed to build overseas business.
  3. Better customer satisfaction: ISO standards are designed to enable an organisation to serve its customers better, and certification demonstrates that customer requirements are being met.
  4. Improve product quality: because product quality is held to an international benchmark, certification can reduce the risk of order rejections caused by product flaws.
  5. Improve business efficiency: implementing an ISO standard enhances the functional efficiency of an organisation. It helps you develop standard operating procedures and work instructions for all your processes, and helps you manage your resources effectively so that they are used to their full extent.
  6. Improve marketability: ISO certification improves the credibility of your business with current and new clients, which helps create a niche market for your business.

At ABAC®, our experts can help your organisation implement ISO 37001, ISO 31000 and ISO 37301 in a seamless way that integrates these management systems with one another. This is the most effective way to reap the benefits of these world-class standards, with training and best practices that position your organisation to mitigate risk and create actionable systems for increased success.

About ABAC® Center of Excellence

ABAC® Center of Excellence is an independent certification body powered by CRI Group. ABAC® offers a complete suite of services and solutions designed to educate, equip and support the world’s leading business organisations with the latest best-in-practice risk & performance assessments, systems improvement & standards certification. Find out more about ABAC®!

ABAC® programs protect your organisation from damaging litigation and safeguard your business in the global marketplace by providing certification and training in internationally recognised ISO standards, such as ISO 37001 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000 Risk Management.

Based in London, CRI Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international provider of Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research services. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that, no matter how international your operations are, we have the network needed to provide you with what you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 certifications, is an HRO certified provider and is a partner with Oracle. Contact CRI Group today for further information on how CRI Group can help your business.

Prove That Your Business is Ethical for FREE

Complete our FREE Highest Ethical Business Assessment (HEBA) and evaluate your current Corporate Compliance Program. Find out whether your organisation's compliance program is in line with worldwide Compliance, Business Ethics, Anti-Bribery and Anti-Corruption frameworks. Let ABAC® experts prepare a complimentary gap analysis of your compliance program to evaluate whether it meets the "adequate procedures" requirements under the UK Bribery Act, the DOJ's Evaluation of Corporate Compliance Programs guidance and the Malaysian Anti-Corruption Commission's guidelines.

The HEBA survey is designed to evaluate whether your organisation has adequate procedures in place to prevent bribery and corruption. Responses are reviewed and evaluated by qualified ABAC® professionals with business ethics, legal and compliance backgrounds. The questions are open-ended, to encourage a qualitative analysis of your compliance program and to facilitate the gap analysis process.

The survey takes around 10 minutes to complete. TAKE THE SURVEY HERE!