You’ve probably seen stickers or logos on vans, websites and brochures with the acronym “ISO”. If you’ve ever wondered what it means, here’s some more information about these standards, what they mean and why your organisation might want to get certified.
The International Organization for Standardization (ISO) develop, maintain, review and update all ISO standards. Certified organisations must comply with all new requirements by the end of a predetermined transition period. ISO are always developing new standards and guidance documents to help organisations improve and develop.
Each country has its own national accreditation organisation; the UK’s is UKAS. They accredit certification bodies, auditing their management systems and procedures to ensure they continue to comply with the certification requirements for the standards they certify. UKAS review a sample of reports from each organisation to ensure standards are being maintained across all certification bodies. They also attend a sample of audits conducted by each certification body. They do not get involved in the audit, but simply observe the competence of the auditor that has been appointed by the certification body to carry out the audit. A certificate holder cannot decline a UKAS observation.
The biggest certification bodies in the UK are BM Trada, BSI, Bureau Veritas, SGS, Alcumus ISOQUAR and Lloyds Register. Certification bodies are accredited by the country’s accreditation body, and are constantly monitored to ensure consistent standards across the organisations. The certification bodies audit and certify organisations. They can also recommend consultants to support implementation; Totem Sustainability is currently recommended by BM Trada, NQA, Bureau Veritas and Alcumus ISOQUAR.
A certified company has been issued a certificate by a certification body and has successfully demonstrated compliance with their chosen standard through audit. Certificates are issued for 3 years and the organisation will need to receive at least one external audit per year to maintain their certification, depending on the size and complexity of the organisation. The 3 year cycle is completed by a recertification audit, which may be longer than the interim ‘surveillance’ audits, and the certification body will aim to cover all locations and activities in scope over the three year cycle if this is impractical on an annual basis.
*An organisation cannot be accredited, an organisation is certified.
All ISO standards are now developed following a consistent framework called Annex SL. This breaks the standard down into key areas around which requirements relevant to the objective of the standards are developed. The below table shows the sections which all ISO standards will contain going forward.
- Normative references
- Terms and definitions
- Context of the organisation
- Performance Evaluation
Not all standards have been transitioned to the new framework yet, but ISO 9001 was one of the first.
Sections 1-3 are administrative, and while they are useful to understand, you don’t have to ‘comply’ with them, as such. They refer to other standards and explain what different references and terms mean, in the context of the standard in question.
The diagram below is used in the ISO standards (in different variations) to visualise the relationship between the structure of Annex SL and the organisation. The dotted blue line is the boundary of the management system, which is usually also the boundary of the organisation, though this does depend on the structure of the organisation (more on that later).
Annex SL is based upon a Plan, Do, Check, Act cycle (PDCA) and the diagram shows how these relate to the different sections of Annex SL. PDCA is described as:
- Plan: establish objectives and processes necessary to deliver results in accordance with the organisation’s policy.
- Do: implement the processes as planned.
- Check: monitor and measure processes against the policy, including its commitments, objectives and operating criteria, and report the results.
- Act: take actions to continually improve.
Clauses 4-10 require an organisation to have documents, procedures or some other form of evidence to demonstrate an understanding of the requirements, and that their solutions have been effectively implemented.
We will be adding blog posts in the near future which explore these in more detail for ISO 9001 and ISO 14001, so check back soon for updates.
The following is a list of ISO certifications that have transitioned to Annex SL, followed by a list of those which are still to be transitioned.
Transitioned to Annex SL
- ISO 9001:2015, Quality
- ISO 14001:2015, Environmental
- ISO 14298:2013, Graphic technology
- ISO 18788:2015, Management system for private security operations
- ISO/IEC 19770-1:2017, Information technology – IT asset management
- ISO/IEC 20000-1:2018, Information technology – Service management
- ISO 20121:2012, Event sustainability
- ISO 21001:2018, Educational organizations
- ISO 21101:2014, Adventure tourism – Safety
- ISO 21401:2018, Tourism and related services
- ISO 22000:2018, Food safety
- ISO 22301:2019, Security and resilience
- ISO/IEC 27001:2013, Information technology – Security techniques
- ISO 30301:2019, Information and documentation
- ISO 30401:2018, Knowledge management
- ISO 35001:2019, Biorisk management
- ISO 34101-1:2019, Sustainable and traceable cocoa beans
- ISO 37001:2016, Anti-bribery
- ISO 37101:2016, Sustainable development in communities
- ISO 39001:2012, Road traffic safety (RTS)
- ISO 41001:2018, Facility management
- ISO 44001:2017, Collaborative business relationship
- ISO 45001:2018, Occupational health and safety
- ISO 50001:2018, Energy
- ISO 55001:2014, Asset management
- ISO 15378:2017, Primary packaging materials for medicinal products
- ISO 19443:2018, Quality management systems – nuclear energy sector
- ISO/TS 22163:2017, Railway applications
- ISO/IEC 80079-34:2018, Explosive atmospheres
Yet to be transitioned
- ISO 10012:2003, Measurement
- ISO 20252:2012, Market, opinion and social research
- ISO 28000:2007, Specification for security management systems for the supply chain
- ISO 30000:2009, Ships and marine technology
What’s your experience of ISO standards? Are you looking to implement a new one? Get in touch if you’d like to discuss or leave a comment.