Why the ISO High Level Structure is so important!
Different Management Systems, Common Sense, ISO, and the High-Level Structure
ISO has written the requirements for many management systems over the years for a range of different disciplines including such things as quality management, food safety, information security, asset management, and business continuity.
Now each time a new one of these standards gets developed, a technical committee of experts from within the discipline and around the world is established.
Over a period of time (and it tends to take a fair while), the technical committee writes, reviews, amends, reviews again, and eventually agrees and approves the requirements for its particular discipline. For example, Quality has Technical Committee TC 176, Environment TC 207, and Asset management TC 251.
Now because each technical committee is different, they write the standards and the requirements differently. So whilst they often have common elements such as training and competence, records management, corrective action, and the like, the particular requirements for each could be different, which of course makes it difficult for organizations not only to understand but also to implement them. This was increasingly difficult for organizations that needed to comply with multiple standards and that also had to deal with multiple auditors.
Back in 2012, and because ISO means “same”, the powers that be in ISO decided that whilst disciplines did have their own specific technical needs and requirements, the structure, text, and terms and definitions of management system standards should be the same. As a result, ISO developed and released the High-Level Structure (HLS), which all technical committees are required to use.
What this means is that when a new management system standard is developed, or an existing one is reviewed and revised, the result should align with the High-Level Structure. This should not only make these standards simpler to understand from a user point of view but also much simpler to write and develop from a technical committee point of view.
So what does this High-Level Structure look like?
Essentially it is a non-discipline-specific management system with all the required wording, except that the discipline is replaced with XXX. For example, it states in section 7.3 Awareness:
Persons doing work under the organization’s control shall be aware of:
- the XXX policy;
- their contribution to the effectiveness of the XXX management system, including the benefits of improved XXX performance;
- the implications of not conforming with the XXX management system requirements.
So we can see that the XXX just gets replaced with the applicable standard title, such as information security, food safety, asset management, and so on. The technical committee then just adds anything else it needs to ensure all its specific requirements are covered. Importantly, the technical committee is not allowed to remove anything from the High-Level Structure.
This High-Level Structure consists of the following 10 clauses:
- Scope
  - This is the scope of the ISO standard, so for OHS it’s people and for quality it’s the customer. Organizations also have to meet statutory and regulatory requirements, and continually improve. The requirements are generic and intended to be applicable to all organizations, regardless of type, size, and product/service provided.
- Normative references
  - Any document to which reference is made in the standard in such a way as to make it indispensable for the application of the standard. There are often no normative references.
- Terms and definitions
  - This will include some of the generic management system terms and definitions, along with those that are specific to the discipline.
- Context of the organization
  - Both external and internal issues that influence the organization need to be determined. External issues include things such as legal, technological, or cultural, and may be international, national, or local. Internal issues include things like values, culture, and knowledge. The needs of interested parties are to be understood, as well as the scope of the management system.
- Leadership
  - Top management needs to demonstrate leadership, through policies and by ensuring responsibilities and authorities are communicated and understood. They also have to promote the discipline across the organization.
- Planning
  - A risk-based approach is required to address threats and opportunities, and to ensure the management system can prevent or reduce undesired effects. Objectives and plans are to be developed and cascaded through the organization, including responsibilities and timeframes.
- Support
  - Resources need to be provided to support the management system, including competent people and appropriately maintained infrastructure and environment. Document control and records management have been replaced with documented information, where the organization determines what documentation is necessary and the most appropriate medium for that documentation.
- Operation
  - Processes for operations, along with appropriate acceptance criteria, are required, along with contingency plans for non-conformances, incidents and emergency preparedness. Change management and control of external providers (such as contractors, outsourced processes, procurement etc.) are needed.
- Performance evaluation
  - Evaluation, data analysis, and monitoring and measurement, including the Evaluation of Compliance (Legal and other), are required. Internal Audits and Management Reviews are to be conducted.
- Improvement
  - Organizations are required to address non-conformities and incidents, and take action to control, correct, deal with consequences, and eliminate the cause. The organization has to improve the suitability, adequacy, and effectiveness of the management system.
In summary
Therefore, in the future all management system standards should have the same look and feel. This, though, will take some time, and whilst some standards already follow this High-Level Structure, like ISO 9001:2015, ISO 14001 and ISO 55001:2014, others have yet to be reviewed and converted to this common format, such as ISO 22000 Food safety management systems.
Finally, even though ISO is mandating that all the management system standards should share this common structure, ISO is definitely not saying that an organization’s management system should follow this format. Organizations are required to develop management systems that meet the needs of their operation, the knowledge and competency level of their people, and the requirements of those interested in the organization.