This blog aims to provide a brief, no-fuss 'simple English' explanation of the new ISO high-level structure for management systems standards.
The High-Level Structure, or HLS for short, is a set of 10 clauses that all ISO management system standards are now required to use. The raison d'etre behind its existence is simply to provide greater uniformity and integration between varying management systems. The HLS uses core text, inherent in every management system standard, along with 'contextualised' or discipline-specific text, i.e. text relating to the discipline of the management system, be it Quality, Environment, Energy etc.
Note* The HLS is not intended as a template for organisations to structure their own discipline-specific management system.
Refers to the scope of the standard; for ISO 9001 it relates to the customer, for ISO 45001 to employees/people, and for ISO 27001 to data and information asset security. In addition, this clause states that organisations must meet statutory and regulatory requirements, continually improve, and that all requirements are generic, applicable to all businesses, regardless of type, size, or product/service provided.
As yet, there are no plans to include normative references in future revisions of ISO 9001, ISO 14001, and ISO 45001. This clause is included purely to maintain numerical alignment with other ISO standards.
Each standard will include a mix of generic management system and discipline-specific terms and definitions.
ISO want organisations to determine the internal and external issues that influence their business.
In addition, processes, along with their inputs and outputs, are to be identified, with documented information required as and where appropriate.
Senior management are now mandated to demonstrate leadership through establishing policies, whilst also ensuring responsibilities and authorities are not just communicated but clearly understood. They must also promote the relevant discipline - Energy/Quality/OHS management etc - throughout the organisation.
Organisations are now obliged to use a risk-based approach to address threats and opportunities, and to ensure that the management system actually does what it is required to do – i.e. that it can prevent or reduce undesired effects and achieve improvement.
Relevant resources and supports need to be in place to ensure smooth running of the management system; this would include skilled personnel and appropriately maintained infrastructure/environment, as well as monitoring and measuring equipment. In addition, subject matter expertise must be determined, maintained, and made available.
The previous document control and records management have been replaced with documented information, where the organisation determines what documentation is necessary and which format is most appropriate.
A single, simplified replacement for Product Realisation, Operational Control, Hazard Identification, Risk Assessment, and Control of Risks in ISO 9001 and ISO 14001.
Operation places more of an emphasis on organisations determining the processes required for their operations, along with appropriate acceptance criteria and contingency plans e.g. non-conformances, incidents and emergency preparedness.
The HLS now also has requirements for change management and control of external providers, e.g. contractors, outsourced processes, procurement and so on.
As with Operation, 'Performance Evaluation' is a single, simplified replacement for the evaluation, data analysis, monitoring and measuring clauses.
While ISO 45001 requires an Evaluation of Compliance (Legal and other), ISO 9001 requires the monitoring of Customer Satisfaction. Internal Audits and Management Reviews are also included here.
Organisations are now required to react appropriately to non-conformities and incidents, and to take appropriate or recommended action to control, correct, deal with consequences, and eliminate the cause so that it does not recur or occur elsewhere.
Further, there is a requirement to improve the suitability, adequacy, and effectiveness of the management system, while a risk-based process approach replaces preventive action.