This blog briefly explains the new ISO high-level structure for management systems standards. To try and explain this in simple terms we have restricted ourselves to one single paragraph for each clause in the new structure.
So what is this high-level structure and where can I find it?
The High-Level Structure (HLS) is a set of 10 clauses that all ISO management system standards are required to use in the future. This is so that all management system standards will have the same look and feel, and will enable greater integration between systems of different disciplines. The HLS then uses core text which will be in every management system standard plus contextualized text that will be added depending on what the management system is about – whether it be Quality, OHS, Environment, Food Safety or another discipline.
Edit: The HLS is intended for all future management systems standards to follow the same structure to ensure consistency. The High Level Structure is not intended for organisations to use to order and structure their own discipline-specific management system.
What are the 10 core clauses of the High Level Structure?
1. Scope
This is about the scope of the ISO standard, not about the scope of the system. For quality, it’s about the customer, OHS is about people, and environment is about the environmental/community impact. The clause also states that organizations are to meet statutory and regulatory requirements and to continually improve, and that all requirements are generic and intended to be applicable to all organizations, regardless of type, size, and product/service provided.
2. Normative references
There are no normative references currently planned for the upcoming revisions of ISO 9001, ISO 14001, and ISO 45001. This section is there to keep the numbering in alignment with other ISO standards.
3. Terms and definitions
Each standard will include some generic management system terms and definitions, along with some discipline-specific terms. Currently, ISO 14001 and AS/NZS 4801 already include terms and definitions in the standard, while ISO 9001 provides them in its sister standard, ISO 9000.
4. Context of the organization
ISO now want you to determine the issues that influence your organisation, be they internal or external. External issues will include such things as legal, technological, or cultural, and may be international, national, or local. Internal will include things like values, culture, and knowledge. The needs of interested parties are also to be understood along with the scope of the management system, i.e. what is it covering. Processes, along with their inputs and outputs are to be identified, and documented information will be required as appropriate.
5. Leadership
Top management have to demonstrate leadership. To do this they need to establish policies and ensure responsibilities and authorities are communicated and understood. Management also have to promote the discipline across the organization, whether it is quality, environment, or OHS.
6. Planning
Organizations now need to use a risk-based approach to address threats and opportunities, and to ensure the management system actually does what it is required to do – that it can prevent or reduce undesired effects and achieve improvement. Objectives and plans need to be developed to meet these objectives; these need to be cascaded through the organization and include responsibilities and timeframes. Additionally, changes need to be planned and the potential consequences (positive or negative) of any change need to be known.
Note 1: Currently ISO/DIS 14001:2014 is the only standard to correctly use the terms risk, threat and opportunity; both ISO/DIS 9001:2014 and ISO/DIS 45001:2014 do not use the term threat and therefore suggest that all risk is negative. It is expected that this will be corrected upon final release.
Note 2: ISO 31000:2009 Risk management – Principles and guidelines has been developed to assist organizations in managing risk; however, there is no current requirement in the HLS for organizations to specifically use the ISO 31000:2009 format.
7. Support
Resources need to be provided to support the management system, including providing competent people, appropriately maintained infrastructure and environment, and monitoring and measuring equipment and its calibration. Additionally, the knowledge necessary for the discipline is to be determined, maintained, and made available. The previous document control and records management have been replaced with documented information, where the organization determines what documentation is necessary and the most appropriate medium for that documentation.
8. Operation
This replaces Product Realization, Operational Control, and Hazard Identification, Risk Assessment, and Control of Risks in ISO 9001, ISO 14001, and AS/NZS 4801 respectively. There is a stronger emphasis on organizations determining the processes required for their operations, along with appropriate acceptance criteria and contingency plans, e.g. non-conformances, incidents and emergency preparedness. The HLS also has requirements now for change management and control of external providers (such as contractors, outsourced processes, procurement etc.).
9. Performance evaluation
Performance evaluation takes over from evaluation, data analysis, and monitoring and measurement clauses. Specifically, ISO 14001 and ISO 45001 require an Evaluation of Compliance (Legal and other), while ISO 9001 requires the monitoring of Customer Satisfaction. Internal Audits and Management Reviews are also included here.
10. Improvement
Organizations are required to react appropriately to non-conformities and incidents, and take action to control, correct, deal with consequences, and eliminate the cause so that it does not recur or occur elsewhere. The organization is also required to improve the suitability, adequacy, and effectiveness of the management system. Preventive action is gone – replaced by the risk-based process approach in section 4 and actions to address risks in section 6.
Stay tuned for next week’s blog, which will go into further detail about some of the big changes that are coming our way with the new revisions of ISO 9001, ISO 14001, and the release of ISO 45001. Article can be found here: https://auditortraining.pwc.com.au/part-3-changing-iso-standards/
Disclaimer: These are the views of PwC’s Auditor Training & Certification and do not necessarily represent the views of other parties. Further changes to ISO 9001, ISO 14001, and ISO 45001 and other associated documents may occur prior to their final release.