Published on: March 27, 2022
On 25 October 2022, a new version of ISO 27001 was published – ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems. Learn more about the standard update in this blog article.
As you start your studies in ISO Management Systems, it’s common to get confused about the key concepts and technicalities.
We’ve put this blog article together to answer common questions regarding this topic and explain the four main ISO Standards: ISO 9001:2015, ISO 45001:2018, ISO 14001:2015, and ISO 27001:2013. Even if you’re already working in this area, this is an excellent opportunity to review the core concepts and make sure nothing’s been forgotten along the way. Let’s get started!
ISO Management System Standards are documents that provide requirements, specifications, and guidelines that when met and used consistently, ensure that an organisation’s products, services, and processes operate to a high standard of each discipline.
The ISO Standards are developed, published and kept up to date by the International Organisation for Standardisation, also known as “ISO”. The Standards define the requirements for Business Management Systems to achieve international best practice for a chosen discipline (e.g. Occupational Health and Safety, Quality, Environment, or Information Security).
The ISO story started in 1946, in London, when representatives from 25 countries met to discuss the future of International Standardisation. In 1947, ISO officially came into existence.
Today, the organisation is based in Geneva, Switzerland, and has become the world’s largest developer of voluntary international standards, with 167 member countries. To develop the Standards, ISO counts on more than 250 technical committees (groups of experts that focus on a specific subject).
Businesses from any industry can get certified to an ISO Management System Standard. To achieve certification, the organisation needs to have its Business Management System audited by an Accredited Conformity Assessment Body (commonly called a Certification Body), which conducts the Certification Audits to verify that the business meets the requirements of one or more ISO Management System Standards.
Before exploring the main ISO Standards, it’s also important to understand what a Business Management System is:
A Business Management System is a set of documented policies, processes and other relevant documentation that an organisation implements to guide the business towards its objectives and goals.
A Business Management System can conform with the requirements of one or more ISO Standards. An organisation can integrate the requirements of several standards into a single management system and achieve certification to each of them, as long as the management system can demonstrate that it meets the requirements of all of them.
For instance, the ISO 9001 Standard is a set of quality management requirements that a business needs to meet if aiming to achieve certification to ISO 9001:2015 Quality Management Systems. These Quality Management requirements need to be integrated throughout the business management system and its processes in order to achieve certification to ISO 9001:2015. If certified, your business will then be recognised as running according to an internationally recognised quality standard.
The level of complexity of the management system depends on the context of each organisation. Smaller businesses might not need extensive documentation, while more complex businesses operating in highly regulated sectors, for example, may need a more comprehensive set of documentation and controls to meet compliance responsibilities and their business objectives.
ISO has published more than 23,000 International Standards. Each Standard has a specific number and is followed by the year of its release.
While some are industry-focused, others are more generic and versatile across any type of organisation. The latter is the case of the four main ISO Management Systems Standards:
ISO 9001:2015 is by far the most popular standard. It is about developing and implementing a Quality Management System (QMS) with a risk management approach and a strong focus on customer satisfaction, leadership, motivation and the continuous improvement of processes and the business, in order to deliver high-quality products and services not only to the end consumer but to all stakeholders.
ISO 45001:2018 provides a systematic approach that enables an organisation to manage Occupational Health and Safety (OH&S) risks and opportunities, eliminating hazards and minimising OH&S risks. The Standard’s framework helps businesses effectively prevent work-related injury and ill health among workers and provide a safe and healthy workplace. The Safety Management Standard emphasises the responsibilities of the management and leadership team and highlights the need for everyone in the workplace to participate.
ISO 14001:2015 provides a framework for the business to have better management control in reducing its environmental impact and achieving higher conformance with environmental legislative and regulatory requirements. By conforming with this Standard, the business can operate efficiently and lawfully while also minimising its negative influence on the environment.
Promoting the protection, confidentiality and integrity of information is the focus of ISO 27001:2013. By applying a risk management approach, the Standard provides a framework for assessing and treating information security threats. By developing a tailored Information Security Management System, the organisation can keep assets such as financial information, intellectual property, employee details, customer data and other information entrusted to it by third parties safe.
Andressa is our Digital Marketing specialist, supporting our communication strategy across all channels. She holds an MBA in Digital Management and over ten years of experience in content development for social media, websites and marketing campaigns.
All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ICExperts Academy and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.
We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.