When implementing an ISO management system, you should check whether your quality, environmental, health & safety and/or information security policies have been communicated and understood throughout your organisation. The policies must also be available to any relevant interested parties.

If the personnel interviewed do not know what their measurable objectives are and/or do not know what the organisational objectives are that they have a direct impact upon, then you might need to evaluate the communication of your policies and objectives.

Inferred awareness through knowledge of procedures is not considered sufficient - otherwise why have the requirement in the first place? A quick and convenient way to promote and communicate the policy might be to create a shortened version of the main policy - try condensing it to five key words or even a couple of short sentences. This can be posted on bulletin boards, for example.

You could even add it to the reverse side of staff security passes or ID badges. The point is that you need to determine if your policy meets the intent and are understood. The exact content of policies does not need to be recited by individuals, but an awareness of the policies and how their job affects the company objectives is what you’re aiming for.

Organisational roles, responsibilities and authorities

Each employee needs to know who is responsible for the various elements of your management system to ensure a successful implementation. Develop an organisation chart and create job descriptions in order to clearly define roles, responsibilities and authorities and communicate those responsibilities and authorities throughout your organisation.

You should develop and make available to all employees a list of key personnel and their job descriptions, responsibilities, along with an organisational chart of key employees as they relate to your management system. This should effectively define, document, and communicate the organisational structure of the management system.

There is a need to demonstrate that there are identified staff who are responsible for ensuring parts of your management system is being properly taken care of. The sort of actions to think about might include:

• Communication of roles, responsibilities and authority;
• Processes and procedures to fulfil requirements are adequately resourced;
• Awareness of expectations is demonstrated in all relevant levels of the organisation;
• Reporting on the operation (e.g. results of audits and inspections) and performance of the management system (e.g. in business meetings, KPI reviews, etc).

You should ensure that your organisation’s personnel have not only been advised of their management system responsibilities and authorities, but also that they understand these in the context of the overall purpose of the management system. You should also ensure that Top Management have assigned responsibility and authority for preserving the integrity of the organisation’s management system during changes (e.g. developing a new product or service line, moving premises, etc).
​
​If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.
​
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

Whichever management system you put in place, Top management must ensure that the requirements of the management system, including the policies and objectives, are consistent with the strategic context and direction of your organisation, and that the policies and objectives are established whilst ensuring that the human and financial resources needed for implementing the management system are available.

Top Management should take a ‘hands-on’ approach to the management system during interviews and whilst recording compliance to other requirements e.g. determining organisational context, policies, objectives, management review minutes, provision of resources etc.

• How are policies and objectives established?
• Do they align with the strategic direction and the organisational context?
• How are policies and objectives communicated within the organisation?
• Can you demonstrate how policies are understood and applied?
• How are the requirements of the Management System integrated into the business processes?
• How is awareness of the process approach promoted?
• How are resources determined?
• How do you communicate the importance of effective Management System management, and conforming to Management System requirements?
• How do you ensure that the Management System achieves its intended results?
• How do you engage, direct and support people who contribute to the effectiveness of the Management System?
• How is continual improvement promoted?
• How are other relevant management roles supported to demonstrate leadership in their areas of responsibility?

Without solid management commitment, you will not have a successful management system. This is not a commitment in words, it is the continuous and active demonstration to everyone in the organisation that the need to meet customers’ expectations is vital. The actions required of Top Management must include:

• Supporting the management system and actively promoting the agenda;
• Encouraging the goal of meeting customer, regulatory and statutory requirements;
• Developing and supporting the management system by defining and communicating policies;
• Establishing organisational objectives;
• Ensuring appropriate resources are available;
• Implementing and improving the management system by encouraging employees to achieve requirements;
• Reviewing management system performance;
• Ensuring resources are available to improve the management system.

​
If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.
​
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

Outsourced processes must be controlled by the organisation and these controls must be defined and described within their system. Organisations are required to identify the controls they apply for any outsourced processes. Examples of some outsourced processes include:

• A process completed wholly or partially by a sister facility outside the scope of management system, such as performing design, purchasing or customer related processes, including management activities such as business planning, goal setting, resources, data analysis, budgeting, etc. This may include the entire element or a subsection e.g. the sister facility completes supplier evaluation and re-evaluation of suppliers and the site running the management system initiates purchase orders.

• A process completed by an outside supplier or subcontractor such as heat treating, plating, calibration, painting, powder coating, etc. These types of processes may be controlled by the purchasing process where a formal contract or purchase order may be the controls. If this is the case, written documentation would be the purchasing documentation and records, however these processes are required to be documented.

If an outsourced process is controlled through purchasing, there must be documented objective evidence to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes.

Outsourced processes may be controlled through such methods as, but not limited to, auditing, contractual agreements, process performance data review on an on-going basis of purchasing processes.

Ensuring control over outsourced processes does not absolve the organisation of the responsibility for conforming to customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as the potential impact of the outsourced process on the organisation’s capability to provide a product or service that conforms to requirements, the degree to which the control of the process is shared, or the capability of achieving the necessary control through the application of the purchasing process.

You should expect to see evidence that your organisation has determined their processes and interactions. If your organisation calls it a ‘process’, it must be monitored for effectiveness and improved.

Look for evidence that your organisation has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organisation’s management system.

​You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organisation’s management system are planned.

If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

So far we've looked at setting up a management system for your organisation that conforms to ISO standards. But what evidence would you be able to show that it's working?

Evidence may include Top Management reviewing management system KPI’s as part of regular business reviews, awareness of contractors and employees of management system goals and expectations, etc. Check that process inputs and outputs are defined and review how each of the processes are sequenced and how they interact. Look for evidence that your organisation has:

• Assigned duties/process owners;
• Assessed risks and opportunities;
• Provided resources;
• Maintained and retained documented information;
• Implemented measurement criteria;
• Improved the management system and its processes.

Ensure that the documentation created and maintained by your organisation to support the operation of the processes is undertaken. Such documentation might be in the form of a management system manual, staff handbook, documented procedures, work instructions, guidance material, data cards, physical samples, IT systems (including intranet and internet), universal or bespoke software, templates and forms, etc.

Documentation identified and retained by your organisation that shows that the processes were carried out as planned should be retained as physical hard copy records or electronic media (data servers, hard drives, flash drives etc.).

Specific documentation needs to be created and maintained by your organisation, including a description of relevant interested parties (Clause 4.2), scope of the management system including boundaries and applicability (Clause 4.3), description of the processes needed for the Management System together with their sequence, and interaction and application and assignment of responsibilities for your processes.

You should audit your organisation’s management system to focus on process performance and effectiveness. Give priority to the following:

• Review your organisation’s processes, their sequence and how they interact;
• Identify functions and the assignment of responsibilities;
• Review performance against requirements and defined measures, focusing on processes that directly impact the customer;
• Review your organisation’s process for monitoring and measurement, validation and approval of processes, and process changes;
• Review the availability of resources and the information required to operate and support associated activities, including appropriate training and competency of personnel;
• Review process-based management techniques, including the examination of process measures that might include level of quality, output effectiveness, control limits, and process capability determination;
• Review any existing plans to ensure performance objectives and targets are monitored, measured, and analysed in order to realise the planned activities and achieve the planned results;
• Review all applicable action taken when objectives and targets are not met to promote continual improvement;
• Pursue audit trails that address customer concerns or requests for corrective actions, performance against objectives, and relevant process controls.

Based upon the extent of your organisation’s management system processes, you should seek evidence that your organisation has maintained documented information to support the operation of its processes; and that it has retained documented information to provide confidence that the processes are being carried out as planned.
​
If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

Defining the scope of your management system is a key step when developing any management system. The scope should concisely describe the activities, regulatory requirements, facilities, and remote locations that are to be covered under, and supported by, the management system.

The scope of registration and certification (if you decide to go down this route) will need to reflect precisely and clearly the activities covered by your organisation’s management system - any exclusion to non-applicable requirements of the standards should be documented and justified.

From a review of the nature of your business’ operations, products and services, the scope of the management system should be apparent by the extent of the processes and controls that your organisation has already established.

Look for confirmation that your organisation has determined the boundaries and applicability of the management system to establish its scope with reference to any external and internal issues (discussed below), the requirements of relevant interested parties (also discussed below), and the nature of your organisation’s products and services. Consideration of the boundaries and applicability of the management system can include:

• The range of products and/or services;
• Different sites and activities;
• External provision of processes, products and services;
• Common support provided by centralised functions;
• Processes, procedures, instructions, or site-specific requirements.

The scope of your management system may include the whole of the organisation, specific and identified functions within the organisation, specific sections of the organisation, or one or more functions across a group of organisations.

Ensure that your organisation has considered its degree of control and influence over its activities, products and services from a lifecycle perspective. The degree of control needs to be determined for environmental aspects associated with such things as procured goods and services, outsourced processes, product performance requirements, and end of life treatment (recycling, disposal, etc).

The management system scope must be retained as documented information. If you’re getting certified, the scope statement is normally shown on the certificate, for most Certification Bodies, in 15 words or less. Here are two examples shown below:

‘provision of marketing, sales, support, development and implementation of software solutions, located at…’

‘manufacture of precision machined components for aerospace and industrial customers, including the delivery of these activities to requirements, located at…’

You may not design your products because your customers supply product specifications and drawings, in which case you can exclude the product design processes and requirements.

If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).