The Complete Guide to ISO Management Systems (Ebook for Normal People)
ISO
Edited by: Oliver Peterson, Adam Henshall
Contributions from: Oliver Peterson, Adam Henshall, Ben Mulholland, Thom James Carter
Principal design: Adam Mousa
Design assistance: Annace Dato
Index

Introduction
1. What is ISO? A Simple Introduction for Normal People
2. Management System Standards: An Overview of ISO’s Shared Framework
  Annex L
3. Making ISO Work For (Not Against) Your Organization
  The Problem of ISO
  The Standard Operating Procedure (SOP) Solution
  The First Ever Business Process
  Using Standardized Processes to Work 5 Times Faster
  SOP Anatomy: What does a SOP Look Like?
  Importance and Benefits of Standardizing Your Processes
  Policy & Procedure: Why Systematize Your Business?
4. Best Practices: Writing SOPs for ISO
  Understand How to Present Your SOPs
    Create a simple checklist
    Create a complex linear checklist
    Map out a process flow diagram
  Align Your Stakeholders
  Be Clear on the Purpose
  Determine the SOP Scope
  Use a Consistent Style
  Use Correct Notation (If Applicable)
  Determine Each Step of the SOP
  Identify Potential Problems
  Determine Success Metrics
  Test the SOP
  Seek Feedback
  Understand the Process for Optimizing a Process
  Perform a Risk Assessment
  Consider a Flow Diagram
  Finalize and Implement the SOP
5. ISO for Business Process Management: More Compliant, More Actionable BPM
6. Continuous Improvement: A Central Theme of ISO
  The Deming Cycle
    Plan
    Do
    Study
    Act
  The Important Distinction Between PDSA and PDCA
7. ISO for Quality Management Systems (QMS)
  What is a Quality Management System?
  Overview of ISO for Quality Management
  Standard Showcase: ISO 9001:2015 for Quality Management
  What Does ISO 9001:2015 Look Like?
  Benefits of Implementing ISO 9001:2015 for Quality Management
  Key Principles of ISO 9001:2015 for Quality Management
8. ISO for Environmental Management Systems (EMS)
  What is an Environmental Management System?
  Overview of ISO for Environmental Management
  Standard Showcase: ISO 14001:2015 for Environmental Management
  Benefits of Implementing ISO 14001:2015
    Risk reduction
    Leading by example
    Tax incentives
    For your employees
    Brand image and PR
    Renewable & non-renewable resources
  Key Principles of ISO 14001:2015 for Environmental Management
    1. Environmental policy
    2. Planning
    3. Implementation
    4. Study & correct
    5. Management review
    6. Continuous improvement
9. ISO for Energy Management Systems (EnMS)
  What is an Energy Management System?
  Overview of ISO for Energy Management
    Energy audits
    Energy management systems
    Energy services
    Energy savings
    Energy efficiency
  Standard Showcase: ISO 50001:2018 for Energy Management
  Benefits of Implementing ISO 50001:2018 for Energy Management
  Key Principles of ISO 50001:2018 for Energy Management
10. ISO for Food Safety Management Systems (FSMS)
  What is a Food Safety Management System?
  Overview of ISO for Food Safety Management
  Standard Showcase: ISO 22000:2018 for Food Safety Management
  Benefits of Implementing ISO 22000:2018 for Food Safety Management
    Take control of your processes and procedures
    Document important processes and procedures
    Improve customer & client satisfaction
    Encourage others locally and internationally to work with you
    Eliminate food risks
  Key Principles of ISO 22000:2018 for Food Safety Management
11. ISO for Corporate Social Responsibility (CSR)
  What is Corporate Social Responsibility?
  Overview of ISO for Corporate Social Responsibility
  Benefits of Implementing ISO 26000:2010 for Corporate Social Responsibility
  Standard Showcase: ISO 26000:2010 for Corporate Social Responsibility
  Key Principles of ISO 26000:2010 for Corporate Social Responsibility
    Accountability
    Transparency
    Ethical behavior
    Respect for stakeholder interests
    Respect for the rule of law
    Respect for international norms of behavior
    Respect for human rights
  Seven Core Subjects of ISO 26000
    Organizational governance
    Human rights
    Labor practices
    Environment
    Fair operating practices
    Consumer issues
    Community involvement and development
  Sustainable Development
12. ISO for Risk Management Systems (RMS)
  What is a Risk Management System?
  Overview of ISO for Risk Management
  Standard Showcase: ISO 31000:2018 for Risk Management
  Benefits of Implementing ISO 31000:2018 for Risk Management
  Key Principles of ISO 31000:2018 for Risk Management
13. ISO for Management System Auditing (ISO Audits)
  Overview ISO for Management System Auditing
  Seven Principles of ISO Auditing
    Integrity: The foundation of professionalism
    Fair presentation: the obligation to report truthfully and accurately
    Due professional care: Diligence and judgement in auditing
    Confidentiality: Security of information
    Independence: Audit impartiality and objectivity
    Evidence-based approach: Rational, reliable, reproducible results
    Risk-based approach: Considering risks and opportunities
  ISO Certification: Is It Necessary?
  Benefits of ISO Certification
    How ISO 9001 certification benefits your business
    How ISO 9001 certification benefits your customers
    How ISO 9001 certification benefits your employees
  Different Types of ISO Audit
    First-party
    Second-party
    Third-party
14. Free ISO Checklists
  ISO 9001 Internal Audit Checklist for Quality Management Systems
    How to use this checklist for ISO 9001
  ISO 14001 Environmental Management Self Audit Checklist
    How to use this checklist for ISO 14001
  ISO 19011 Management Systems Audit Checklist
    How to use this checklist for ISO 19011
  ISO 26000 Social Responsibility Performance Assessment Checklist
    How to use this checklist for ISO 26000
  ISO 27001 Information Security Management System (ISO27K ISMS) Audit Checklist
    How to use this checklist for ISO 27001
  ISO 45001 Occupational Health and Safety (OHS) Audit Checklist
    How to use this checklist for ISO 45001
15. Agile ISO: How to Combine Compliance with Rapid Process Improvement
  Recent ISO Changes = Agile Friendly
  But What Makes This Agile?
  Requirements for Agile ISO
  How to Get Started with Agile ISO (5 Easy Steps)
16. How Process Street Works
  Stop Tasks
  Conditional Logic
  Dynamic Due Dates
  Task Permissions
  Task Assignments
  Role Assignments
  Webhooks and Integrations
  Approvals
Further Reading
  Business Process Management
  Standard Operating Procedures
  Templates
    General ISO audit
    QMS audit
    EMS audit
    IMSMS audit
    CSR audit
    OHS audit
    SOP
Disclaimer
References
Introduction
ISO is a constantly changing beast, and as such you can find an abundance of (mis)information online pertaining to outdated terminology, standards, or worse, McArticles that promise to deliver useful, actionable insight when in actual fact the information lacks substance or repeats incorrect information.
This guide is an attempt to provide a useful, actionable overview of ISO for business application; specifically how to implement ISO in a way that works for your organization as an asset, as opposed to a cumbersome and unwieldy system of sluggish documentation for documentation’s sake.
I’ll attempt to outline the most important ideas of ISO, as well as current terminology, and how to approach implementation.
So, let’s start with some basics.
1. What is ISO? A Simple Introduction for Normal People
ISO stands for International Organization for Standardization, and it’s one of the most renowned and well-established entities for setting and maintaining standards in the world. ISO’s standards have been implemented by companies and organizations of all sizes and industries throughout 164 countries since its founding in London, 1947.
So, ISO basically creates new standards; these standards are agreed upon by relevant experts in the field. The point of ISO is to provide an informed and reliable basis on which companies and organizations can base their standard operating procedures and generally run their operations.
A standard can be defined as an established set of requirements that have been agreed upon by many people. This is the same for an ISO standard. In order for an ISO standard to be created, it must be substantiated by a number of experts from many different, autonomous standards organizations.
So, this means that when a company follows an ISO standard, they are following a standard that was agreed upon by 100+ standards organizations as the best possible practice guidelines to follow.
That’s pretty much what ISO is all about. They have published thousands of standards across all types of industries. More recently, ISO has created a shared structure that many of their standards utilize to make cross-functionality and multi-standard integration easier.
This shared structure is known as the MSS structure.
2. Management System Standards: An Overview of ISO’s Shared Framework
Certain ISO standards focus on management systems, such as: quality management (ISO 9001), risk management (ISO 31000), and environmental management systems (ISO 14001), to name a few.
These are sometimes referred to as “Management System Standards”. They outline specific guidelines for companies to follow in order to effectively build and maintain management systems.
Some of the more popular ISO MSS include:
• ISO 9001:2015 (quality management systems)
• ISO 14001:2015 (environmental management systems)
• ISO/IEC 27001:2013 (information security management systems)
In addition, there are also ISO MSS that provide guidelines for management standards that operate within specific, somewhat niche, industries or departments, such as:
• ISO 13485:2016 (Medical devices)
• ISO/TS 22163:2017 (Railway applications)
• ISO/TS 29001:2010 (Petroleum industries)
Certain ISO MSS act as guides or provide further elaboration on particular areas of an organization’s management system, to help deepen the understanding of more complex systems.
Some of these standards include:
• ISO/TS 22003:2013 (Food safety management systems)
• ISO/TR 10013:2001 (QMS documentation guidelines)
• ISO 19011:2018 (Auditing management system guidelines)
• ISO 26000:2010 (Social responsibility guide)
• ISO 31000:2018 (Risk management guide)
The one thing many of these standards share is their core structure, known as the Annex L structure.

Annex L
Annex L (formerly Annex SL) is a high-level, 10-part structure built to optimize the development, upkeep, and continuous improvement of management systems. The purpose of Annex L is to promote uniformity amongst the Management System Standards.
As ISO continues to update its standards, it will eventually conform all its standards to follow the Annex L structure as its foundation, so that the standards are more compatible with each other and easier to integrate.
The Annex L MSS structure is:
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
This is the structure shared by all ISO Management System Standards, and as such will be the basis for all standards looked at in this document.
3. Making ISO Work For (Not Against) Your Organization
We’ve looked at some high-level stuff, but what does it really mean to implement ISO in your company? What are the core elements of ISO?
Basically, it comes down to lots of procedures that tie together - checking, auditing, documenting - all of the inner workings of your business, in the form of procedures.
When it comes to ISO, procedures are the base unit of a management system.
That said, the task is to make ISO work for your organization by facilitating more efficient, effective procedures. This brings us to one of the chief problems of ISO.

The Problem of ISO
It is common to see that the core idea of how ISO should be implemented and work for an organization is lost in the idea of documentation vs execution. Too often will there be an obsession with recording and documenting procedures to ensure compliance with requirements of a given standard, without actually asking the crucial question:
“Are the procedures actually good? Do they work, and are they actionable?”
Without considering how to make your procedures actionable and thereby understanding ISO as a tool to facilitate continuous improvement, organizations miss the point of ISO entirely.
ISO is not just about meeting arbitrary requirements for short-term gains (and maybe pleasing a couple of prospective customers on paper) - rather it’s about grasping the core functional units of a business system with an intent to enhance work productivity and efficiency.

The Standard Operating Procedure (SOP) Solution
SOPs go hand-in-hand with ISO standards. With a solid understanding of how to make ISO work for your organization, you can build better SOPs, and vice-versa.
What do we mean by “SOPs”, exactly? Why is it necessary to think about work in such a convoluted manner, you might ask?
The point is that when you formalize a process, you think about the workflow with productivity in mind and it makes it easier to execute and optimize. Standard operating procedures are essentially just processes; more specifically, they’re ways of formalizing and documenting processes so they’re easier to understand and improve.

The First Ever Business Process
The earliest known definition of a business process comes from Scottish economist Adam Smith. Breaking down his idea to the simplest elements, in 1776 he described a business process in place at a theoretical pin factory, involving 18 separate people to make one pin:
“One man draws out the wire, another straights it, a third cuts it, a fourth points it, a fifth grinds it at the top for receiving the head: to make the head requires two or three distinct operations: to put it on is a particular business, to whiten the pins is another … and the important business of making a pin is, in this manner, divided into about eighteen distinct operations, which in some manufactories are all performed by distinct hands, though in others the same man will sometime perform two or three of them.”
Why should we care about how many people it takes to make the pins, or how many steps are in the process? Well, Smith found that by creating a process and assigning the steps to individual specialists, productivity increased 24,000%.

Using Standardized Processes to Work 5 Times Faster
A process is necessary for the division of labor because the task isn’t just in one person’s head any more.
The full-stack pin engineer might be a fine person to write the process, but shouldn’t be running it from start to end alone — the job is 240 times more efficient when it’s split up amongst pin specialists: the person who cuts pin wires all day is less fallible than the solo pin master craftsman.
Let’s stop talking about pins.
On a winter morning in 1907, Henry Ford took Charles E. Sorensen to Piquette Avenue Plant, an empty building in Detroit that would go on to become the birthplace of America’s first mass-produced affordable car. “We’re going to start a completely new job” he told the head of production.
Ford explained his idea for a new process. Instead of one artisan creating a product alone, everyone was taught to do one of 84 simple, repetitive jobs. With this new approach to processes, Ford cut the manufacturing time of the Model T down from 12.5 hours to 2.5 hours.
Not only was that a triumph for Ford’s bank account, it was one of the most revolutionary moments ever to occur, not just in the history of cars or manufacturing, but in the entire history of business.
SOP Anatomy: What does a SOP Look Like?
The image below shows broadly how standard operating procedure documentation is presented:
[Figure: example Standard Operating Procedure document, with annotations in parentheses]
Title: New Vehicle Purchase Process
Department: Admin Support
Header fields: Department, SOP ID, Date, Department Head Approval (department head signs off)
Purpose: To establish guidelines for purchasing a new vehicle. All Admin Support staff are responsible for following the SOP. (Users can quickly refer to the purpose and not read the whole SOP.)
Definitions: RM = Resource Management; PO = Purchase Order. (Clarify any upcoming jargon.)
Procedure