ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

Annex SL
(normative)

Proposals for management system standards

SL.1 General
Whenever a proposal is made to prepare a new management system standard (MSS), including sectoral
applications of generic MSS, a justification study (JS) shall be carried out in accordance with Appendix 1
to this Annex SL.

NOTE No JS is needed for the revision of an existing MSS whose development has already been approved
(unless it was not provided during its first development).

To the extent possible, the proposer shall endeavour to identify the full range of deliverables which will
constitute the new or revised MSS family, and a JS shall be prepared for each of the deliverables.

SL.2 Obligation to submit a JS

All MSS proposals and their JS must be identified by the relevant TC/SC/PC leadership and the JS must
be sent to the ISO/TMB (or its MSS task force) for evaluation and approval before the NWI ballot takes
place. It is the responsibility of the relevant TC/SC/PC secretariat to identify all MSS proposals, without
exception, so that there will be no MSS proposals which fail (with knowledge or without knowledge) to
carry out the JS or which fail to be sent to the ISO/TMB for evaluation.

NOTE No JS is required for a Type B MSS providing guidance on a specific Type A MSS for which a JS has
already been submitted and approved. For example, ISO/IEC 27003:2010 (Information technology — Security
techniques — Information security management system implementation guidance) does not need to have JS
submitted as ISO/IEC 27001:2013 (Information technology — Security techniques — Information security
management systems — Requirements) has already had a JS submitted and approved.

SL.3 Cases where no JS have been submitted

MSS proposals which have not been submitted for ISO/TMB evaluation before the NWI ballot will be
sent to the ISO/TMB for evaluation and no new ballot should take place before the ISO/TMB decision
(project on hold). It is considered good practice that the TC/SC/PC members endorse the JS prior it is
sent to the ISO/TMB.

NOTE Already published MSS which did not have a JS submitted will be treated as new MSS at the time of
revision, i.e. a JS is to be presented and approved before any work can begin.

SL.4 Applicability of Annex SL

The above procedures apply to all ISO deliverables including IWAs.

© ISO/IEC 2017 – All rights reserved 127

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

SL.5 Terms and definitions

For the purposes of this Annex SL, the following terms and definitions apply.

SL.5.1
management system
See definition contained in Appendix 2 (clause 3.4) of this Annex SL.

SL.5.2
Management System Standard
MSS
Standard for management systems (SL.5.1).

Note to entry: For the purposes of this document, this definition also applies to other ISO deliverables (e.g. TS,
PAS).

SL.5.3
Type A MSS
MSS providing requirements

EXAMPLES

— Management system requirements standards (specifications).

— Management system sector-specific requirements standards.

SL.5.4
Type B MSS
MSS providing guidelines

EXAMPLES

— Guidance on the use of management system requirements standards.

— Guidance on the establishment of a management system.

— Guidance on the improvement/enhancement of a management system.

SL.5.5
High Level Structure
HLS
outcome of the work of the ISO/TMB/JTCG “Joint technical Coordination Group on MSS” which refers to
high level structure (HLS), identical subclause titles, identical text and common terms and core
definitions. See Appendix 2 to this Annex SL.

128 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

SL.6 General principles

All projects for new MSS (or for MSS which are already published but for which no JS was completed)
must undergo a JS (see SL.1 and Note to SL.3). The following general principles provide guidance to
assess the market relevance of proposed MSS and for the preparation of a JS. The justification criteria
questions in Appendix 1 to this Annex SL are based on these principles. The answers to the questions
will form part of the JS. An MSS should be initiated, developed and maintained only when all of the
following principles are observed.

1) Market relevance — Any MSS should meet the needs of, and add value for, the primary users
and other affected parties.

2) Compatibility — Compatibility between various MSS and within an MSS family should be
maintained.

3) Topic coverage — An MSS should have sufficient application coverage to eliminate or

minimize the need for sector-specific variances.

4) Flexibility — An MSS should be applicable to organizations in all relevant sectors and

cultures and of every size. An MSS should not prevent organizations
from competitively adding to or differentiating from others, or
enhancing their management systems beyond the standard.

5) Free trade — An MSS should permit the free trade of goods and services in line with
the principles included in the WTO Agreement on Technical Barriers to
Trade.

6) Applicability of — The market need for first-, second- or third-party conformity

conformity assessment assessment, or any combination thereof, should be assessed. The
resulting MSS should clearly address the suitability of use for conformity
assessment in its scope. An MSS should facilitate joint audits.

7) Exclusions — An MSS should not include directly related product (including services)
specifications, test methods, performance levels (i.e. setting of limits) or
other forms of standardization for products produced by the
implementing organization.

8) Ease of use — It should be ensured that the user can easily implement one or more
MSS. An MSS should be easily understood, unambiguous, free from
cultural bias, easily translatable, and applicable to businesses in general.

SL.7 Justification study process and criteria

SL.7.1 General

This clause describes the justification study (JS) process for justifying and evaluating the market
relevance of proposals for an MSS. Appendix 1 to this Annex SL provides a set of questions to be
addressed in the justification study.

© ISO/IEC 2017 – All rights reserved 129

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

SL.7.2 Justification study process

The JS process applies to any MSS project and consists of the following:

a) the development of the JS by (or on behalf of) the proposer of an MSS project;

b) an approval of the JS by the ISO/TMB (or ISO/TMB MSS task force).

The JS process is followed by the normal ISO balloting procedure for new work item approval as
appropriate.

SL.7.3 Justification study criteria

Based on Annex C of the ISO/IEC Directives, Part 1, 2012, and the general principles stated above, a set
of questions (see Appendix 1 to this Annex SL) must be used as criteria for justifying and assessing a
proposed MSS project and must be answered by the proposer. This list of questions is not exhaustive
and any additional information that is relevant to the case should be provided. The JS should
demonstrate that all questions have been considered. If it is decided that they are not relevant or
appropriate to a particular situation, then the reasons for this decision should be clearly stated. The
unique aspect of a particular MSS may require consideration of additional questions in order to assess
objectively its market relevance.

SL.8 Guidance on the development process and structure of an MSS

SL.8.1 General

The development of an MSS will have effects in relation to

— the far-reaching impact of these standards on business practice,

— the importance of worldwide support for the standards,

— the practical possibility for involvement by many, if not all, ISO Member Bodies, and

— the market need for compatible and aligned MSS.

This clause provides guidance in addition to the procedures laid down in the ISO/IEC Directives, in
order to take these effects into account.

All MSS (whether they are Type A or Type B MSS) shall, in principle, use consistent structure, common
text and terminology so that they are easy to use and compatible with each other. The guidance and
structure given in Appendix 2 to this Annex SL shall, in principle, also be followed (based on ISO/TMB
Resolution 18/2012).

A Type B MSS which provides guidance on another MSS of the same MSS family should follow the same
structure (i.e. clauses numbering). Where MSS providing guidance (Type B MSS) are involved, it is
important that their functions be clearly defined together with their relationship with the MSS
providing requirements (Type A MSS), for example:

— guidance on the use of the requirements standard;

— guidance on the establishment/implementation of the management system;

— guidance on improvement/enhancement of the management system.

130 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

Where the proposed MSS is sector specific:

— it should be compatible and aligned with the generic MSS;

— the relevant committee responsible for the generic MSS may have additional requirements to be
met or procedures to be followed;

— other committees may need to be consulted, as well as CASCO on conformity assessment issues.

In the case of sector specific documents, their function and relationship with the generic MSS should be
clearly defined (e.g. additional sector-specific requirements; elucidation; or both as appropriate).

Sector-specific documents should always show clearly (e.g. by using different typographical styles) the
kind of sector-specific information being provided.

NOTE 1 The ISO/TMB/JTCG “Joint Technical Coordination Group on MSS” has produced a set of rules for the
addition of discipline specific text to the identical text.

NOTE 2 Where the identical text or any of the requirements cannot be applied in a specific MSS, due to special
circumstances, this should be reported to the ISO/TMB through the TMB Secretary at tmb@iso.org (see SL.9.3).

SL.8.2 MSS development process

SL.8.2.1 General

In addition to the JS, the development of an MSS should follow the same requirements as other ISO
deliverables (ISO/IEC Directives, Part 1, Clause 2).

SL.8.2.2 Design specification

To ensure that the intention of the standard, as demonstrated by the justification study, will be
maintained, a design specification may be developed before a working draft is prepared.

The responsible committee will decide whether the design specification is needed and in case it is felt
necessary, it will decide upon its format and content that is appropriate for the MSS and should set up
the necessary organization to carry out the task.

The design specification should typically address the following.

User needs The identification of the users of the standard and their associated needs, together
with the costs and benefits for these users.

Scope The scope and purpose of the standard, the title and the field of application.

Compatibility How compatibility within this and with other MSS families will be achieved, including
identification of the common elements with similar standards, and how these will be
included in the recommended structure (see Appendix 2 to this Annex SL).

Consistency Consistency with other documents (to be) developed within the MSS family.

NOTE Most, if not all of the information on user needs and scope will be available from the justification study.

The design specification should ensure that

a) the outputs of the justification study are translated correctly into requirements for the MSS,

© ISO/IEC 2017 – All rights reserved 131

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

b) the issues of compatibility and alignment with other MSS are identified and addressed,

c) a basis for verification of the final MSS exists at appropriate stages during the development process,

d) the approval of the design specification provides a basis for ownership throughout the project by
the members of the TC/SC(s),

e) account is taken of comments received through the NWI ballot phase, and

f) any constraints are taken into account.

The Committee developing the MSS should monitor the development of the MSS against the design
specification in order to ensure that no deviations happen in the course of the project.

SL.8.2.3 Producing the deliverables

SL.8.2.3.1 Monitoring output

In the drafting process, the output should be monitored for compatibility and ease of use with other
MSS, by covering issues such as

— the high level structure (HLS), identical subclause titles, identical text and common terms and core
definitions the need for clarity (both in language and presentation), and

— avoiding overlap and contradiction.

SL.8.2.4 Transparency of the MSS development process

MSS have a broader scope than most other types of standard. They cover a large field of human
endeavour and have an impact on a wide range of user interests.

Committees preparing MSS should accordingly adopt a highly transparent approach to the development
of the standards, ensuring that

— possibilities for participation in the process of developing standards are clearly identified, and

— the development processes being used are understood by all parties.

Committees should provide information on progress throughout the life cycle of the project, including

— the status of the project to date (including items under discussion),

— contact points for further information,

— communiqués and press releases on plenary meetings, and

— regular listings of frequently asked questions and answers.

In doing this, account needs to be taken of the distribution facilities available in the participating
countries.

Where it may be expected that users of a Type A MSS are likely to demonstrate conformity to it, the MSS
shall be so written that conformity can be assessed by a manufacturer or supplier (first party, or self-
declaration), a user or purchaser (second party) or an independent body (third party, also known as
certification or registration).

132 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

Maximum use should be made of the resources of the ISO Central Secretariat to facilitate the
transparency of the project and the committee should, in addition, consider the establishment of a
dedicated open-access website.

Committees should involve the national member bodies to build up a national awareness of the MSS
project, providing drafts as appropriate for different interested and affected parties, including
accreditation bodies, certification bodies, enterprises and the user community, together with additional
specific information as needed.

The committee should ensure that technical information on the content of the MSS under development
is readily available to participating members, especially those in developing countries.

SL.8.2.5 Process for interpretation of a standard

The committee may establish a process to handle interpretation questions related to their standards
from the users, and may make the resulting interpretations available to others in an expedient manner.
Such a mechanism can effectively address possible misconceptions at an early stage and identify issues
that may require improved wording of the standard during the next revision cycle. Such processes are
considered to be “committee specific procedures” [see Foreword f)].

SL.9 High level structure, identical core text and common terms and core
definitions for use in Management Systems Standards

SL.9.1 Introduction

The aim of this document is to enhance the consistency and alignment of ISO MSS by providing a
unifying and agreed upon high level structure, identical core text and common terms and core
definitions. The aim being that all ISO Type A MSS (and B where appropriate) are aligned and the
compatibility of these standards is enhanced. It is envisaged that individual MSS will add additional
“discipline-specific” requirements as required.

NOTE In Annex SL.9.1 and Annex SL.9.4 “discipline-specific” is used to indicate specific subject(s) to which a
management system standard refers, e.g. energy, quality, records, environment etc.

The intended audience for this document is ISO Technical Committees (TC), Subcommittees (SC) and
Project Committees (PC) and others that are involved in the development of MSS.

This common approach to new MSS and future revisions of existing standards will increase the value of
such standards to users. It will be particularly useful for those organizations that choose to operate a
single (sometimes called “integrated”) management system that can meet the requirements of two or
more MSS simultaneously.

Appendix 2 to this Annex SL sets out the high level structure, identical core text and common terms and
core definitions that form the nucleus of future and revised ISO Type A MSS and Type B MSS when
possible.

Appendix 3 to this Annex SL sets out guidance to the use of Appendix 2 to this Annex SL.

SL.9.2 Use

ISO MSS include the high level structure and identical core text as found in Appendix 2 to this Annex SL.
The common terms and core definitions are either included or normatively reference an international
standard where they are included.

© ISO/IEC 2017 – All rights reserved 133

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

NOTE The high level structure includes the main clauses (1 to 10) and their titles, in a fixed sequence. The
identical core text includes numbered sub-clauses (and their titles) as well as text within the sub-clauses.

SL.9.3 Non applicability

If due to exceptional circumstances the high level structure or any of the identical core text, common
terms and core definitions cannot be applied in the management system standard then the TC/PC/SC
needs to explain their rationale for review by:

a) providing an initial deviation report to ISO/CS with the DIS submission;

b) providing a final deviation report to ISO/TMB (through the ISO/TMB Secretary at tmb@iso.org)
upon submission of the final text of the standard for publication.

TC/PC/SC shall use the ISO commenting template to provide their deviation reports.

NOTE 1 The final deviation report can be an updated version of the initial deviation report.

NOTE 2 TC/PC/SC strive to avoid any non-applicability of the high level structure or any of the identical core
text, common terms and core definitions.

SL.9.4 Using Annex SL Appendix 2

Discipline-specific text additions to Annex SL Appendix 2 are managed as follows.

1. Discipline-specific additions are made by the individual ISO/TC, PC, SC or other group that is
developing the specific ISO management system standard.

2. Discipline-specific text does not affect harmonization or contradict or undermine the intent of the
high level structure, identical core text, common terms and core definitions.

3. Insert additional sub-clauses, or sub-sub-clauses (etc.) either ahead of an identical text sub-clause
(or sub-sub-clause etc.), or after such a sub-clause (etc.) and renumbered accordingly.

NOTE 1 Hanging paragraphs are not permitted — see ISO/IEC Directives, Part 2, clause 22.3.3.

NOTE 2 Attention is drawn to the need to check cross referencing.

4. Add or insert discipline-specific text within Appendix 2 to this Annex SL. Examples of additions
include:

a) new bullet points

b) discipline-specific explanatory text (e.g. Notes or Examples), in order to clarify requirements

c) discipline-specific new paragraphs to sub-clauses (etc.) within the identical text

d) adding text that enhances the existing requirements in Appendix 2 to this Annex SL

5. Avoid repeating requirements between identical core text and discipline-specific text by adding
text to the identical core text taking account of point 2 above.

6. Distinguish between discipline-specific text and identical core text from the start of the drafting
process. This aids identification of the different types of text during the development and balloting
stages.

134 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

NOTE 1 Distinguishing options include by colour, font, font size, italics, or by being boxed separately, etc.

NOTE 2 Identification of distinguishing text is not necessarily carried into the published version.

7. Understanding of the concept of “risk” may be more specific than that given in the definition under
3.9 of Appendix 2 to this Annex SL. In this case a discipline-specific definition may be needed. The
discipline-specific terms and definitions are differentiated from the core definition, e.g. (XXX) risk.

NOTE The above can also apply to a number of other definitions.

8. Common terms and core definitions will be integrated into the listing of terms and definitions in the
discipline-specific management system standard consistent with the concept system of that
standard.

SL.9.5 Implementation

Follow the sequence, high level structure, identical core text, common terms and core definitions for
any new management system standard and for any revisions to existing management system standard.

SL.9.6 Guidance

Find supporting guidance in Appendix 3 to this Annex SL.

© ISO/IEC 2017 – All rights reserved 135

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

Appendix 1

(normative)

Justification criteria questions

1. General

The list of questions to be addressed in the justification study are in line with the principles listed in
SL.6. This list is not exhaustive. Additional information not covered by the questions should be provided
if it is relevant to the case.

Each general principle should be given due consideration and ideally when preparing the JS, the
proposer should provide a general rationale for each principle, prior to answering the questions
associated with the principle.

The principles the proposer of the MSS should pay due attention to when preparing the justification
study are:

1. Market relevance

2. Compatibility

3. Topic coverage

4. Flexibility

5. Free trade

6. Applicability of conformity assessment

7. Exclusions

NOTE No questions directly refer to the principle 8 “ease of use”, but it should guide the development of the
deliverable.

Basic information on the MSS proposal

1 What is the proposed purpose and scope of the MSS? Is the document supposed to be a
guidance document or a document with requirements?
2 Does the proposed purpose or scope include product (including service) specifications, product
test methods, product performance levels, or other forms of guidance or requirements directly
related to products produced or provided by the implementing organization?
3 Is there one or more existing ISO committee or non-ISO organization that could logically have
responsibility for the proposed MSS? If so, identify.
4 Have relevant reference materials been identified, such as existing guidelines or established
practices?
5 Are there technical experts available to support the standardization work? Are the technical
experts direct representatives of the affected parties from the different geographical regions?
6 What efforts are anticipated as being necessary to develop the document in terms of experts
needed and number/duration of meetings?

136 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

7 Is the MSS intended to be a guidance document, contractual specification or regulatory

specification for an organization?

Principle 1: market relevance

8 Have all the affected parties been identified? For example:

a) organizations (of various types and sizes): the decision-makers within an organization who
approve work to implement and achieve conformance to the MSS;
b) customers/end-users, i.e. individuals or parties that pay for or use a product (including
service) from an organization;
c) supplier organizations, e.g. producer, distributor, retailer or vendor of a product, or a
provider of a service or information;
d) MSS service provider, e.g. MSS certification bodies, accreditation bodies or consultants;
e) regulatory bodies;
f) non-governmental organizations.
9 What is the need for this MSS? Does the need exist at a local, national, regional or global level?
Does the need apply to developing countries? Does it apply to developed countries? What is the
added value of having an ISO document (e.g. facilitating communication between organizations
in different countries)?
10 Does the need exist for a number of sectors and is thus generic? If so, which ones? Does the
need exist for small, medium or large organizations?
11 Is the need important? Will the need continue? If yes, will the target date of completion for the
proposed MSS satisfy this need? Are viable alternatives identified?
12 Describe how the need and importance were determined. List the affected parties consulted
and the major geographical or economical regions in which they are located.
13 Is there known or expected support for the proposed MSS? List those bodies that have
indicated support. Is there known or expected opposition to the proposed MSS? List those
bodies that have indicated opposition.
14 What are the expected benefits and costs to organizations, differentiated for small, medium and
large organizations if applicable?
Describe how the benefits and the costs were determined. Provide available information on
geographic or economic focus, industry sector and size of the organization. Provide information
on the sources consulted and their basis (e.g. proven practices), premises, assumptions and
conditions (e.g. speculative or theoretical), and other pertinent information.
15 What are the expected benefits and costs to other affected parties (including developing
countries)?
Describe how the benefits and the costs were determined. Provide any information regarding
the affected parties indicated.
16 What will be the expected value to society?
17 Have any other risks been identified (e.g. timeliness or unintended consequences to a specific
business)?

© ISO/IEC 2017 – All rights reserved 137

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

Principle 2: compatibility

18 Is there potential overlap or conflict with (or what is the added value in relation to) other
existing or planned ISO or non-ISO international standards, or those at the national or regional
level? Are there other public or private actions, guidance, requirements and regulations that
seek to address the identified need, such as technical papers, proven practices, academic or
professional studies, or any other body of knowledge?
19 Is the MSS or the related conformity assessment activities (e.g. audits, certifications) likely to
add to, replace all or parts of, harmonize and simplify, duplicate or repeat, conflict with, or
detract from the existing activities identified above? What steps are being considered to ensure
compatibility, resolve conflict or avoid duplication?
20 Is the proposed MSS likely to promote or stem proliferation of MSS at the national or regional
level, or by industry sectors?

Principle 3: topic coverage

21 Is the MSS for a single specific sector?

22 Will the MSS reference or incorporate an existing, non-industry-specific ISO MSS (e.g. from the
ISO 9000 series of quality management standards)? If yes, will the development of the MSS
conform to the ISO/IEC Sector Policy (see 34.2 of ISO/IEC Directives, Part 2), and any other
relevant policy and guidance procedures (e.g. those that may be made available by a relevant
ISO committee)?
23 What steps have been taken to remove or minimize the need for particular sector-specific
deviations from a generic MSS?

Principle 4: flexibility

24 Will the MSS allow an organization competitively to add to, differentiate or encourage
innovation of its management system beyond the standard?

Principle 5: free trade

25 How would the MSS facilitate or impact global trade? Could the MSS create or prevent a
technical barrier to trade?
26 Could the MSS create or prevent a technical barrier to trade for small, medium or large
organizations?
27 Could the MSS create or prevent a technical barrier to trade for developing or developed
countries?
28 If the proposed MSS is intended to be used in government regulations, is it likely to add to,
duplicate, replace, enhance or support existing governmental regulations?

Principle 6: applicability of conformity

29 If the intended use is for contractual or regulatory purposes, what are the potential methods to
demonstrate conformance (e.g. first party, second party or third party)? Does the MSS enable
organizations to be flexible in choosing the method of demonstrating conformance, and to
accommodate for changes in its operations, management, physical locations and equipment?

138 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

30 If third-party registration/certification is a potential option, what are the anticipated benefits

and costs to the organization? Will the MSS facilitate joint audits with other MSS or promote
parallel assessments?

Principle 7: exclusions

31 Does the proposed purpose or scope include product (including service) specifications, product
test methods, product performance levels, or other forms of guidance or requirements directly
related to products produced or provided by the implementing organization?

© ISO/IEC 2017 – All rights reserved 139

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

Appendix 2

(normative)

High level structure, identical core text, common terms and core definitions

NOTE In the Identical text proposals, XXX = an MSS discipline specific qualifier (e.g. energy, road traffic safety, IT
security, food safety, societal security, environment, quality) that needs to be inserted. Blue italicized text is given
as advisory notes to standards drafters.

Introduction

DRAFTING INSTRUCTION Specific to the discipline.

1. Scope

DRAFTING INSTRUCTION Specific to the discipline.

2. Normative references

DRAFTING INSTRUCTION Clause Title shall be used. Specific to the discipline.

3. Terms and definitions

DRAFTING INSTRUCTION 1 Clause Title shall be used. Terms and definitions may either be within the
standard or in a separate document. To reference Common terms and Core definitions + discipline specific
ones. The arrangement of terms and definitions shall be according to the concept systems of each standard.

For the purposes of this document, the following terms and definitions apply.

DRAFTING INSTRUCTION 2 The following terms and definitions constitute an integral part of the
“common text” for management systems standards. Additional terms and definitions may be added as
needed. Notes may be added or modified to serve the purpose of each standard.

DRAFTING INSTRUCTION 3 Italics type in a definition indicates a cross-reference to another term

defined in this clause, and the number reference for the term is given in parentheses.

DRAFTING INSTRUCTION 4 Where the text “XXX” appears throughout this clause, the appropriate
reference should be inserted depending on the context in which these terms and definitions are being
applied. For example: “an XXX objective” could be substituted as “an information security objective”.

3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.8)

Note 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or
not, public or private.

140 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision
or activity

3.3
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and
objectives (3.8) and processes (3.12) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning and
operation.

Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.

3.5
top management
person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.

3.6
effectiveness
extent to which planned activities are realized and planned results achieved

3.7
policy
intentions and direction of an organization (3.1), as formally expressed by its top management (3.5)

3.8
objective
result to be achieved

© ISO/IEC 2017 – All rights reserved 141

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and
process (3.12)).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an XXX objective, or by the use of other words with similar meaning (e.g. aim, goal, or
target).

Note 4 to entry: In the context of XXX management systems, XXX objectives are set by the organization, consistent
with the XXX policy, to achieve specific results.

3.9
risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009,
3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.

3.10
competence
ability to apply knowledge and skills to achieve intended results

3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on
which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:

— the management system (3.4), including related processes (3.12);

— information created in order for the organization to operate (documentation);

— evidence of results achieved (records).

3.12
process
set of interrelated or interacting activities which transforms inputs into outputs

142 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

3.13
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including
services), systems or organizations (3.1).

3.14
outsource (verb)
make an arrangement where an external organization (3.1) performs part of an organization’s function
or process (3.12)

Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the
outsourced function or process is within the scope.

3.15
monitoring
determining the status of a system, a process (3.12) or an activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

3.16
measurement
process (3.12) to determine a value

3.17
audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

3.18
conformity
fulfilment of a requirement (3.3)

3.19
nonconformity
non-fulfilment of a requirement (3.3)

© ISO/IEC 2017 – All rights reserved 143

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

3.20
corrective action
action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence

3.21
continual improvement
recurring activity to enhance performance (3.13)

4. Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that
affect its ability to achieve the intended outcome(s) of its XXX management system.

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

— the interested parties that are relevant to the XXX management system;

— the relevant requirements of these interested parties.

4.3 Determining the scope of the XXX management system

The organization shall determine the boundaries and applicability of the XXX management system to
establish its scope.

When determining this scope, the organization shall consider:

— the external and internal issues referred to in 4.1;

— the requirements referred to in 4.2.

The scope shall be available as documented information.

4.4 XXX management system

The organization shall establish, implement, maintain and continually improve an XXX management
system, including the processes needed and their interactions, in accordance with the requirements of
this International Standard/this part of ISO XXXX/this Technical Specification.

5. Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the XXX management
system by:

— ensuring that the XXX policy and XXX objectives are established and are compatible with the
strategic direction of the organization;

144 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

— ensuring the integration of the XXX management system requirements into the organization’s
business processes;

— ensuring that the resources needed for the XXX management system are available;

— communicating the importance of effective XXX management and of conforming to the XXX
management system requirements;

— ensuring that the XXX management system achieves its intended outcome(s);

— directing and supporting persons to contribute to the effectiveness of the XXX management system;

— promoting continual improvement;

— supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.

NOTE Reference to “business” in this International Standard/this part of ISO XXXX/this Technical
Specification can be interpreted broadly to mean those activities that are core to the purposes of the
organization’s existence.

5.2 Policy

Top management shall establish a XXX policy that:

a) is appropriate to the purpose of the organization;

b) provides a framework for setting XXX objectives;

c) includes a commitment to satisfy applicable requirements;

d) includes a commitment to continual improvement of the XXX management system.

The XXX policy shall:

— be available as documented information;

— be communicated within the organization;

— be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned
and communicated within the organization.

Top management shall assign the responsibility and authority for:

a) ensuring that the XXX management system conforms to the requirements of this International
Standard/this part of ISO XXXX/this Technical Specification;

b) reporting on the performance of the XXX management system to top management.

© ISO/IEC 2017 – All rights reserved 145

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

6. Planning

6.1 Actions to address risks and opportunities

When planning for the XXX management system, the organization shall consider the issues referred to
in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be
addressed to:

— give assurance that the XXX management system can achieve its intended outcome(s);

— prevent, or reduce, undesired effects;

— achieve continual improvement.

The organization shall plan:

a) actions to address these risks and opportunities;

b) how to:

— integrate and implement the actions into its XXX management system processes;

— evaluate the effectiveness of these actions.

6.2 XXX objectives and planning to achieve them

The organization shall establish XXX objectives at relevant functions and levels.

The XXX objectives shall:

a) be consistent with the XXX policy;

b) be measurable (if practicable);

c) take into account applicable requirements;

d) be monitored;

e) be communicated;

f) be updated as appropriate.

The organization shall retain documented information on the XXX objectives.

When planning how to achieve its XXX objectives, the organization shall determine:

— what will be done;

— what resources will be required;

— who will be responsible;

— when it will be completed;

— how the results will be evaluated.

146 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

7. Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment,
implementation, maintenance and continual improvement of the XXX management system.

7.2 Competence

The organization shall:

— determine the necessary competence of person(s) doing work under its control that affects its XXX
performance;

— ensure that these persons are competent on the basis of appropriate education, training, or
experience;

— where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness
of the actions taken;

— retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the re-
assignment of currently employed persons; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of:

— the XXX policy;

— their contribution to the effectiveness of the XXX management system, including the benefits of
improved XXX performance;

— the implications of not conforming with the XXX management system requirements.

7.4 Communication

The organization shall determine the internal and external communications relevant to the XXX
management system, including:

— on what it will communicate;

— when to communicate;

— with whom to communicate;

— how to communicate.

© ISO/IEC 2017 – All rights reserved 147

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

7.5 Documented information

7.5.1 General

The organization’s XXX management system shall include:

a) documented information required by this International Standard/this part of ISO XXXX/this

Technical Specification;

b) documented information determined by the organization as being necessary for the effectiveness of
the XXX management system.

NOTE The extent of documented information for a XXX management system can differ from one organization
to another due to:

— the size of organization and its type of activities, processes, products and services;

— the complexity of processes and their interactions;

— the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

— identification and description (e.g. a title, date, author, or reference number);

— format (e.g. language, software version, graphics) and media (e.g. paper, electronic);

— review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the XXX management system and by this International
Standard/this part of ISO XXXX/this Technical Specification shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed;

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as
applicable:

— distribution, access, retrieval and use;

— storage and preservation, including preservation of legibility;

— control of changes (e.g. version control);

— retention and disposition.

Documented information of external origin determined by the organization to be necessary for the
planning and operation of the XXX management system shall be identified, as appropriate, and
controlled.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information.

148 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

8. Operation

8.1 Operational planning and control

DRAFTING INSTRUCTION This subclause heading will be deleted if no additional subclauses are added to
Clause 8.

The organization shall plan, implement and control the processes needed to meet requirements, and to
implement the actions determined in 6.1, by:

— establishing criteria for the processes;

— implementing control of the processes in accordance with the criteria;

— keeping documented information to the extent necessary to have confidence that the processes
have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes,
taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled.

9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall determine:

— what needs to be monitored and measured;

— the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid
results;

— when the monitoring and measuring shall be performed;

— when the results from monitoring and measurement shall be analysed and evaluated.

The organization shall retain appropriate documented information as evidence of the results.

The organization shall evaluate the XXX performance and the effectiveness of the XXX management
system.

9.2 Internal audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on
whether the XXX management system:

a) conforms to:

— the organization’s own requirements for its XXX management system;

— the requirements of this International Standard/this part of ISO XXXX/this Technical

Specification;

b) is effectively implemented and maintained.

© ISO/IEC 2017 – All rights reserved 149

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods,
responsibilities, planning requirements and reporting, which shall take into consideration the
importance of the processes concerned and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) retain documented information as evidence of the implementation of the audit programme and the
audit results.

9.3 Management review

Top management shall review the organization's XXX management system, at planned intervals, to
ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the XXX management system;

c) information on the XXX performance, including trends in:

— nonconformities and corrective actions;

— monitoring and measurement results;

— audit results;

d) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement
opportunities and any need for changes to the XXX management system.

The organization shall retain documented information as evidence of the results of management
reviews.

10. Improvement

10.1 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:

a) react to the nonconformity and, as applicable:

— take action to control and correct it;

— deal with the consequences;

150 © ISO/IEC 2017 – All rights reserved

 ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not
recur or occur elsewhere, by:

— reviewing the nonconformity;

— determining the causes of the nonconformity;

— determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken;

e) make changes to the XXX management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:

— the nature of the nonconformities and any subsequent actions taken;

— the results of any corrective action.

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the XXX
management system.

© ISO/IEC 2017 – All rights reserved 151

ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2017

Appendix 3

(informative)

Guidance on high level structure, identical core text, common terms and core definitions

Guidance on the high level structure, identical core text, common terms and core definitions is provided
at the following URL:

Annex SL Guidance documents

(http://isotc.iso.org/livelink/livelink?func=ll&objId=16347818&objAction=browse&viewType=1).

152 © ISO/IEC 2017 – All rights reserved