Management System General Requirements (ISO 19600)
ISO 19600 provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization according to ISO Directives Part 1 - Consolidated ISO Supplement - Procedures specific to ISO, Annex SL, Appendix 2 (normative) - High level structure, identical core text, common terms and core definitions.
The guidelines on compliance management systems are applicable to all types of organizations. The extent of the application of these guidelines depends on the size, structure, nature and complexity of the organization. ISO 19600 is based on the principles of good governance, proportionality, transparency and sustainability.
All management system standards of the future will have the same high level structure, identical core text, as well as common terms and definitions. Whilst the high level structure cannot be changed, sub-clauses and discipline-specific text can be added.
Annex SL applies to all management system standards, such as full ISO standards, Publicly Available Specifications (PAS) and Technical Specifications (TS). The revised ISO 9001, ISO 22301, ISO/IEC 27001, ISO/IEC 20000-1 and ISO 14001, as well as the new ISO 45001 will all be based on Annex SL’s high level structure:
Clause 1: Scope
The scope sets out the intended outcomes of the management system.
The outcomes are industry specific and should be aligned with the context of the organization (clause 4).
Clause 2: Normative references
Provides details of the reference standards or publications relevant to the particular standard.
Clause 3: Terms & definitions
Details terms and definition applicable to the specific standard in addition to any formal related terms and definitions standard.
Clause 4: Context of the organization
Clause 4 consists of four sub-clauses:
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the managements system
4.4 The management system
As the flagstone of a management system, clause 4 determines why the organization is here. As part of the answer to this question, the organization needs to identify internal and external issues that can impact on its intended outcomes, as well as all interested parties and their requirements. It also needs to document its scope and set the boundaries of the management system – all in line with the business objectives.
Clause 5: Leadership
Clause 5 comprises three sub-clauses:
5.1 Leadership and commitment
5.3 Organizational roles, responsibilities and authorities
The new high level structure places particular emphasis on leadership, not just management as set out in previous standards. This means top management now has greater accountability and involvement in the organization’s management system. They need to integrate the requirements of the management system into the organization’s core business process, ensure the management system achieves its intended outcomes and allocate the necessary resources. Top management is also responsible for communicating the importance of the management system and heighten employee awareness and involvement.
Clause 6: Planning
Clause 6 includes two sub-clauses:
6.1 Actions to address risks and opportunities
6.2 Management system objectives and planning to achieve them
Clause 6 brings risk-based thinking to the front. Once the organization has highlighted risks and opportunities in clause 4, it needs to stipulate how these will be addressed through planning. The planning phase looks at what, who, how and when these risks must be addressed. This proactive approach replaces preventative action and reduces the need for corrective actions later on. Particular focus is also placed on the objectives of the management system. These should be measurable, monitored, communicated, aligned to the policy of the management system and updated when needed.
Clause 7: Support
Clause 7 consists of five sub-clauses:
7.5 Documented information
After addressing the context, commitment and planning, organizations will have to look at the support needed to meet their goals and objectives. This includes resources, targeted internal and external communications, as well as documented information that replaces previously used terms such as documents, documentation and records.
Clause 8: Operation
Clause 8 has one sub-clause:
8.1 Operational planning and control
The bulk of the management system requirements lies within this single clause.
Clause 8 addresses both in-house and outsourced processes, while the overall process management includes adequate criteria to control these processes, as well as ways to manage planned and unintended change.
Clause 9: Performance evaluation
Clause 9 is formed of three sub-clauses:
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
Here organizations need to determine what, how and when things are to be monitored, measured, analysed and evaluated. An internal audit is also part of this process to ensure the management system conforms to the requirements of the organization as well as the standard, and is successfully implemented and maintained. The final step, management review, looks at whether the management system is suitable, adequate and effective.
Clause 10: Improvement
With two sub-clauses in place, Clause 10 looks at how non-conformities and corrective actions should be managed:
10.1 Non-conformity and corrective action
10.2 Continual improvement
In an ever-changing business world, not everything always goes according to plan. Clause 10 looks at ways to address non-conformities and corrective action, as well as strategies for improvement on a continual basis.