Contents
- 1. Welcome
- 2. What is a management system?
- 3. ISO, standards, and certification
- 4. ISO 9001, 14001, and 45001 in brief
- 5. Plan the implementation as a project
- 6. Audit and the certification cycle
- 7. Document control and controlled information
- 8. Stakeholder analysis
- 9. Process mapping
- 10. Customer requirements and requirements management
- 11. Competence and competency matrix
- 12. Training plans and employee reviews
- 13. Deviations, improvements, and actions
- 14. Risk management
- 15. Policy
- 16. Internal audit
- 17. Goal management
- 18. Supplier management
- 19. Crisis management and emergency preparedness
- 20. Legal and compliance obligations
- 21. Management work and management review
- 22. Environmental aspects
- 23. Occupational health and safety management
- 24. Life after certification
- 25. Conclusion
- 26. Appendix A: common misconceptions about management systems
- 27. Appendix B: mistakes and advice
- 28. Appendix C: Office 365 document control procedure
1. Welcome
The journey to certification starts here. This guide helps you understand the work before you make decisions, plan the project, and start implementing the management system.
Whether you’re the CEO or part of the project team responsible for certification, this guide gives you a practical overview of the scope and the decisions, checks, and implementation work involved when working toward certification according to:
The goal is to give you enough knowledge to build a management system that can be assessed against these standards.
The certification project should be about continuous business improvement, not bureaucracy and documentation.
At AmpliFlow, we have worked with management systems and ISO standards for over two decades and have used that experience to shape both our advisory work and AmpliFlow as a tool.
AmpliFlow keeps responsibilities, documents, goals, deviations, and follow-up in one system. That reduces manual work and makes it easier to keep the management system alive after the audit.
Happy reading.
2. What is a management system?
A management system is a practical tool that helps organizations effectively plan, direct, follow up, and improve their activities. It’s a collection of processes and procedures that, when applied throughout the organization, support continual improvement and help the organization monitor and evaluate compliance with relevant laws, regulations, and standards while working toward its goals.
Unfortunately, it often describes how you want the organization to work, not how it really works.
A management system should be a tool for senior management to ensure that the business is conducted according to established procedures and support employees in their daily work, not a collection of documents that no one reads.
All companies consist of a set of processes that work together to ensure that they achieve their set goals and become successful. These processes include project management, resource management, customer relationships, and more.
Aside from the processes, a management system also encompasses policy, goals, environmental impact, and risks. These components are part of the management system so the company can steer work, follow up results, and improve in a structured way.
What you include in the management system depends on the areas it is built to cover. A management system may cover areas such as quality, environment, or work environment. What you choose to cover depends on your business’s priorities and the requirements of your customers and other stakeholders.
Other areas that management systems commonly cover are information security, energy management, food safety, medical technology, and social responsibility. For most companies, however, the journey usually starts with considerations of quality, the environment, and/or their workplace.
A management system gives structure and helps you improve efficiency while you work toward your objectives.
Imagine if everyone in the organization operated under the same system, continuously improved, hit their targets, and executed your strategy effectively. A well-implemented management system can make this happen.
Analog and digital management systems
Before we discuss how to build a management system or what standards cover, we need to discuss analog and digital management systems.
Too many people still picture their management system as a pile of PDFs, documents, and hard-to-use Excel sheets that are dusted off from the file server only during an audit. It is not used daily by all employees and hardly conveys a feeling of “high quality.”
You may think it is wrong to claim that a management system set up in Word, Excel, PowerPoint, or Visio and stored on a file server is an analog system. In a way, you’re right, but it is not the storage that makes a system digital or analog; it is the focus on documents that makes it analog.
If you can print it on paper without losing anything in the daily operations except easy access to the documentation, it is still a very analog system.
If we think digitally when establishing the management system, we can use IT tools to create a system that not only meets the requirements of selected standards but also increases efficiency, provides smart ways to collaborate, and constantly improves the organization.
The management system goes from being a description of how things should work to a tool that makes things work.
The management system should be a working tool.
If everything is where employees already work, it will be used. Logical, right?
A digital approach can also cost less, move faster, and give better results.
Transitioning from an analog to a digital management system can feel overwhelming for many, but it is a necessary change to increase productivity and efficiency in the organization.
A digital management system is not a way to store documents; it is a tool used daily by all employees. It provides better insight and understanding of processes, helps identify and resolve issues faster, and provides better opportunities for collaboration and continuous improvement.
3. ISO, standards, and certification
This chapter provides an overview of key concepts, along with three ISO standards central to this e-book:
- ISO 9001 for Quality Management
- ISO 14001 for Environmental Management
- ISO 45001 for Occupational Health and Safety Management
Introduction
To help you navigate this guide effectively, we will first clarify some fundamental concepts, such as what an ISO standard is, what certification means, and what constitutes a management system.
What is a “standard”?
In short, a standard is a collection of knowledge in a specific field that is locally or internationally recognized. Certification means that an independent certification body has assessed the management system as conforming to the selected standard within the defined scope.
The certificate is issued after an external auditor has reviewed the management system and the work covered by the certification.
What is ISO?
When we hear the word standard, we often immediately think of ISO. ISO (International Organization for Standardization) is an independent, non-governmental international organization that collaborates with experts to develop global standards. One current example is ISO/IEC 42001 for artificial intelligence management systems, which makes it possible to certify an AI management system.
What does an auditor do?
An external auditor is a qualified individual from a certification body who is impartial regarding the company to be certified.
Their task is to review the company’s management system for conformity with selected standards. They check whether the company has implemented the processes and controls needed for the defined scope.
What does AmpliFlow do?
AmpliFlow is a partner and IT-software vendor that can support you throughout the entire process, from ideas to certification. After implementing the management-system work in AmpliFlow, with or without the help of expert consultants, the goal is to have a management system that can be assessed against the requirements in your chosen standards. Then, it is time to call an auditor to perform the actual audit. Vendors and partners like AmpliFlow are not allowed to issue the certificate, because that would create a conflict of interest.
4. ISO 9001, 14001, and 45001 in brief
ISO 9001: quality
ISO 9001 is an internationally recognized management system standard that specifies requirements for a quality management system. It sets requirements and provides a framework that helps businesses and organizations meet relevant customer and stakeholder needs while handling laws and regulations that apply to the product or service.
Implementing ISO 9001 in your organization means engaging in a systematic approach to managing your business.
ISO 9001 is at its core about continuous improvement. This means constantly looking for ways to improve your work, whether you develop your products or services or manage internal processes.
The process orientation within ISO 9001 also means that all parts of the organization are seen as interconnected parts of a whole and not isolated silos. This approach allows for more rapid identification and effective resolution of organizational problems, contributing to overall success.
Combined with risk-based thinking, it helps you understand and manage the parts of the business that affect quality.
ISO 9001 gives you a structured way to run and improve the parts of the business that affect quality and customer satisfaction.
ISO 14001: environment
ISO 14001 is another management system standard, specifically for environmental management systems. The standard aims to help organizations identify, manage, and control their environmental impact.
An environmental aspect is part of an organization’s activities, products, or services that interacts or can interact with the environment. An environmental impact is a change to the environment caused wholly or partly by an environmental aspect.
Getting ready for certification includes identifying relevant legal and other requirements, assessing current performance, setting objectives and action plans, and monitoring whether the measures work.
ISO 45001: occupational health and safety management
ISO 45001 is the standard that specifies requirements and gives guidance for an effective occupational health and safety management system.
The standard contains requirements for identifying, managing, and continuously improving the safety of the work environment.
This includes everything from assessing risks and opportunities to establishing operational processes and control measures.
ISO 45001 requires the organization to identify and manage potential workplace risks, establish measurable occupational health and safety goals, and develop plans to achieve them.
Operational processes for both routine and non-routine activities shall support this. The standard emphasizes the importance of continuous improvement through regular monitoring and review of the occupational health and safety management system and action in the event of deviations and incidents. Relevant parts need documented information where the standard requires it or where the organization needs it to show that the work functions.
In addition, worker participation is critical, with consultation in formulating policies and plans, participation in risk assessments and decision-making processes, and participation in implementing changes.
5. Plan the implementation as a project
Now that we have covered standards, certification, and management systems, we can look at how to establish a management system that can be assessed during a certification audit.
Building a management system is an exciting process that, when executed correctly, can improve your business’s efficiency, quality, and profitability.
However, establishing a management system significantly affects everyone throughout the company. Therefore, take it step by step to ensure that the organization can adapt, understand the importance of each aspect, and start working under the new ways of working.
Before a project
Before we start a project, we need a clear plan, the correct tools, and established communication processes.
Here are a couple of hygiene factors that you need to have in place before the project starts:
- Identify the scope and goals of the project. What are all the different reasons you are getting certified?
- Identify all project stakeholders, including team members, management, customers, and vendors
- Define the main tasks and activities that are required.
- Appoint a project manager and other key roles in the team
- Establish the timeline and key milestones for the project
- Establish a follow-up and tracking process for the project
- Create a communication plan to engage stakeholders at different stages of the project
When these things are in place, you can start the project to establish a management system that can be assessed during a certification audit.
The sub-projects
Establishing a management system is a project that consists of many smaller workstreams. This section gives a broad overview, followed by later chapters with more detailed information about each component.
Brief overview of what an ISO certification project entails:
Introduction to the ISO project
Introduce the project to all staff. Present the ISO standards, what they mean for the organization and how they will be implemented.
Stakeholder analysis
Perform a stakeholder analysis. This analysis identifies and analyzes stakeholders’ interests and expectations.
Information and document management
Implement an information and document management structure according to ISO requirements.
Process mapping
The management team and all staff map out the organization’s important processes, sub-processes, process steps and activities.
Customer requirements management
The sales manager and sales reps establish processes to effectively manage customer requirements.
Competence management
The HR manager and managers ensure that the requirements for securing, maintaining and developing competence are met.
Deviations, CAPA and improvement suggestions
The management team establishes processes for managing deviations and suggestions for improvement. It also establishes a severity matrix to grade deviations, risks, etc.
Handling of customer feedback and complaints
Sales representatives and all staff establish processes for handling and following up various types of improvement opportunities, for instance customer complaints, deviations, and risk observations.
Risk management
The CEO and management team identify, classify, and manage operational risks.
Policy
The CEO and the management team establish and revise policies. The types of policies established will largely be governed by the selected ISO standards. For ISO 9001, quality, you will need a quality policy. For ISO 14001, you will need an environmental policy.
Goal management and KPIs
The CEO and management team set goals and strategies for the company.
Vendor Management
The supplier coordinator and purchasing department establish the process for managing and assessing suppliers.
Crisis management
The CEO and management team establish a process for managing and preparing for crises if certifying according to a standard that requires this, such as ISO 14001 or ISO 45001.
Regulatory management and monitoring
The CEO and the management team map current legislation and establish processes to monitor it continuously.
Environmental aspects, ISO 14001
The CEO and the management team map and establish processes for managing environmental aspects, focusing on significant environmental aspects.
Work environment management, ISO 45001
The CEO and management team, together with relevant managers, establish processes for systematic work to ensure a safe, healthy, and productive workplace.
Yearly calendar
The CEO and management team establish an annual calendar that governs all certification-related and other important company activities. This calendar ensures that you carry out these activities in a timely manner and makes it clear to everyone in the organization what will happen when.
Management review
The CEO and the management team conduct the management review and prepare the organization for certification audits.
6. Audit and the certification cycle
Internal audit
Internal audits provide information on whether the management system meets the organization’s own requirements and the applicable ISO requirements, and whether it is ready for an external certification audit. Auditors should be competent and selected so the audit process is objective and impartial.
External certification audit
An external certification body audits the organization and issues a certificate if the management system conforms to the selected standard within the defined scope.
External Certification Audit
Now that we know what we need to do to get ready, it’s time to go through the certification process. This covers a few different activities, from choosing a certification body to preparing for and undergoing audits.
We’ll also cover what it takes to maintain certification and how you can ensure that your management system continues to evolve and improve over time.
Plan for the audit
Let’s start by looking at the key steps and considerations in the audit process and how you can ensure that your business is ready to meet these challenges.
If all goes well, you receive an ISO certificate as evidence that the management system has been certified against the selected standard within the defined scope.
If everything is in order, your organization can use the certificate and any certification-body mark according to the certification body’s rules.
How an ISO audit works:
- Document review: Examination of the organization’s documentation to assess conformity with applicable ISO requirements.
- Initial meeting: Presentation of the company, its staff, and the scope of the certification.
- Review of operations: Investigation and review of the company’s processes, systems, and equipment.
- Supplementary document review: In-depth analysis of core processes such as business development, marketing, delivery, and sales.
- Formulation of non-conformities, observations, and recommendations: Identification and documentation of any issues or deficiencies.
- Closing meeting and report writing: Review of audit results with the organization. The auditor prepares a detailed audit report.
- Reporting of actions: The client reports implemented actions based on the audit results.
- Obtaining ISO certificate: If everything goes well, an ISO certificate is awarded as evidence that the management system has been certified against the selected standard within the defined scope.
7. Document control and controlled information
Document control and documented information
Document management describes how documents and information assets are created, changed, controlled and archived.
The more important the information a document or information asset contains, the more important it is that it is managed well.
Design drawings, recipes, references, and code libraries are examples of documents and information assets where careful management is critical.
Document management aims to ensure that the correct information is conveyed to the right person so they can do their job correctly and find the accurate information as quickly as possible.
Rules for handling documents and information assets reduce the likelihood of outdated information being used in business and the risk of implementing important things incorrectly.
Chapter 28 includes an excerpt from a document control template showing how document control can work in a company that uses tools such as SharePoint and Microsoft Teams.
In the standards, this is called control of documented information. Building a systematic approach to document control is a requirement in ISO 9001, ISO 14001, and ISO 45001, and has relatively little to do with technology. From a standard perspective, the important point is that the control method works and that documented information is controlled correctly.
It does not need to be complicated, even if you are seeking certification against ISO 9001, ISO 14001, or ISO 45001.
8. Stakeholder analysis
Stakeholder analysis
A stakeholder analysis identifies, analyzes, and manages stakeholders’ interests and expectations.
When we talk about stakeholders, many people immediately think of customers and customer requirements.
But stakeholders are broader than that. Examples of stakeholders include:
- Customers
- Employees
- Owner
- Management team
- CEO
- Board
- Suppliers
- Online forums
- The community/local area
- Society in general
You need to determine which stakeholder groups are relevant, which requirements matter for the management system, and how this information is monitored and reviewed. Document it at the level needed to control the work.
Since stakeholder analysis should be a natural part of everyday life and leadership within the company, processes need to be established to consider stakeholders’ opinions and to encourage their participation and support.
You will also evaluate stakeholder opinions and improve the processes to meet their needs and expectations over time. It is not uncommon that, for example, new technical innovations suddenly lead stakeholders to place completely new demands on you.
As you can imagine, it is valuable for any organization to understand its surroundings to deliver high-quality products and services that customers need.
9. Process mapping
Process mapping
Process charts are typically the result of process mapping and are used to visualize the company’s processes.
All companies have processes. Management system ISO standards require you to understand and control the processes needed for the management system. Process mapping is a practical way to show that work. A process mapping aims to identify, analyze, and improve the processes necessary to achieve the company’s goals.
A process is typically defined as several standalone or interacting steps to achieve a goal. This can involve collecting data, analyzing information, making decisions, acting, and following up on the results. Simply put, a process takes inputs and converts them to outputs.
More formally, it can be described as SIS does:
A process is a set of interrelated or interacting activities that use inputs to deliver an intended result.
NOTE: Inputs and outputs may be tangible (e.g., materials, components, or equipment) or intangible (e.g., data, information, or knowledge).
We usually say that the processes are what transform your customers’ needs and wishes into satisfied customers. Organizations that understand and manage their processes as a complete system can become more efficient and better achieve their goals.
Process work helps you manage and improve processes so they support the organization’s policy and direction. With a complete understanding of the company’s processes, we can see how they can be improved to reduce costs, increase efficiency, and meet customer expectations.
One thing that is sometimes forgotten is that a process chart is the perfect tool to ensure that everyone can understand, or at least know where to find, how the company works. They are excellent tools for onboarding or when major organizational changes are implemented.
To perform a process mapping and create a process chart, you:
- Visualize your processes to get a better understanding of their steps and activities
- Identify which processes are essential/high-risk
- Understand which activities in the processes are critical to achieving the company’s goals
- Identify potential risks
- Identify how the processes can be targeted and followed up
- Analyze and work with effective deviation management to find improvement opportunities
It doesn’t have to be as complicated as you might first think, but it does require experience to know how to efficiently perform a process mapping exercise.
Our experience tells us that companies often provide too much detail when performing process mapping for ISO 9001 certification.
It is important to identify the steps relevant to meeting the requirements, but at the same time, make sure that you do not add unnecessary information that does not support the company’s goals or is at too low a level. You will get audited on what you show, so don’t show more than you need to.
Process mapping is often done with tools that create flowcharts and swimlane diagrams to visualize the processes and clarify their steps. AmpliFlow has tools for process mapping that help you create process charts that show steps, responsibilities, and links between processes.
The choice of tools can sometimes become a headache because we must involve IT, but here’s our advice: think simply and don’t overdo it.
Process mapping within ISO 9001 is a useful way to show processes, interactions, responsibilities, and controls in the quality management system, but do not forget the big picture and simplicity.
10. Customer requirements and requirements management
Customer requirements management
Customer requirements management is a way to identify, assess, confirm, follow up, and manage requirements from customers and other requirement owners. It helps you show how your products and services meet customer requirements and other applicable requirements.
A good first step is collecting feedback from customers, business intelligence, or marketing tools.
Depending on the industry you operate in, the requirements can be more formal and often come from standards or legal requirements.
Once the requirements have been identified, they need to be analyzed to determine if it is realistic to meet them. This means investigating what resources are required, whether there are any technical or financial constraints, and whether it is possible to meet the requirements at all.
Then you must develop measures to meet the requirements. This may involve implementing processes, improving the product or service, developing new features, improving customer service, or improving quality.
Finally, you need to document relevant changes and monitor customer requirements and expectations.
An example of how a customer requirement can be formulated
| Field | Example |
|---|---|
| Requirement | Certification 9001:2015 or systematic quality work |
| Legislation, certification, other areas | CUSTOMER1, CUSTOMER2. Legislation (LOU) |
| Knowledge | Quality |
| Relevant to the company? | Yes |
| Summary of requirements and/or justification of why they are not relevant to the company | That the company and its subcontractors are certified according to ISO 9001:2015 or another equivalent quality standard or work systematically to ensure the quality of the products/services they deliver |
| Summary of how the company meets the requirement | The company is certified according to ISO 9001:2015 and uses supplier assessments to follow up requirements for relevant subcontractors |
| Relevant to processes | Sales, Delivery, Continuous Improvement |
| Our internal knowledge guru | Joakim Stenström |
The question of who benefits from our work with customer requirements management is a very relevant question to ask. Below we list a couple of different types of stakeholders and what value is created for them:
Salesperson
Customer requirements management is great for salespeople because it helps them focus on understanding what customers need, want, and most importantly, why they need it.
By understanding the customers’ needs, sales reps can create solutions that better suit the customers’ needs and get better results.
It also helps to improve customer loyalty by ensuring that even the requirements that customers don’t directly talk about are met.
Product Developer
Product developers can take advantage of the customer requirements management process to understand and define the requirements to create a product that will meet customer needs.
By managing customer requirements, product developers can also ensure that their products and services meet all the requirements set by customers.
Customer Service Personnel
Customer service needs to understand the customers’ needs and expectations to provide the best service based on the customer’s conditions.
Understanding customer requirements enables high-quality service that meets customer expectations.
Marketer
Marketers can take advantage of customer requirements management to understand customer needs and expectations and to create marketing that meets customer requirements.
By managing customer requirements and demands, marketers can ensure that their marketing is aligned with the actual needs of customers and that we are marketing the right things.
CEO
The CEO needs to understand the needs and expectations of the customers and to ensure that the company’s products and services are cost-effective and meet the customers’ requirements.
11. Competence and competency matrix
Competence management
One of the critical factors in becoming a successful company is having the right people with the right skills in the right place.
Competency management involves identifying, developing, and retaining key competencies that are necessary to meet the organization’s goals.
The ISO standards emphasize the importance of ensuring that the organization has access to sufficient expertise. This applies to both existing and future needs.
To achieve this, the standards set specific requirements for how competence management should be handled within the organization.
These requirements include the following aspects:
Identify the necessary skills
The organization must identify the competencies needed to meet the requirements of the management system. This includes considering both technical and leadership competencies.
Assessment of competence
The organization must assess the existing skills of its employees and identify any skills gaps that need to be filled.
Documentation and follow-up
The organization should retain suitable evidence of competence and evaluate the effectiveness of actions taken to acquire necessary competence.
The next sections show practical tools for competence work and how they support business performance.
Competence matrix
A competency matrix is a tool used to identify, organize, and communicate competencies within a company.
It usually consists of a tool (Excel, web tools such as AmpliFlow’s competence tool, etc.) with columns listing the competencies required in different areas of the organization and a row for each employee.
Each column represents a specific competency, and the ability to meet the competency is assessed with a number.
Leaders can use the competency matrices to identify which people are best suited to tackle specific tasks. They can also help them make more informed decisions about which people/skills need to be recruited, gain a better understanding of the types of competencies necessary to achieve a particular goal and plan for future development work.
Competence matrices can be more efficient when used in smart IT systems where they are integrated into a digital management system with permission handling, visualization, etc.
12. Training plans and employee reviews
Training and skills development
If the organization identifies competence gaps, it must take suitable action where applicable. Training is one option. Mentoring, reassignment, hiring, or contracting competent people can also be valid actions.
Training Plans
Training plans help your organization plan, carry out, and evaluate actions to build necessary competence.
Training plans serve as a systematic and structured method for planning, implementing, and following up on employee training activities.
When creating a learning plan, you should include the following information:
- Training: Describe the type of training that is planned, including the purpose, goals, and content.
- Responsible manager: Specify who organizes and implements the training.
- Resources: Specify what resources are needed to complete the training, such as training materials, space, and equipment.
- People to train: Based on their existing skills and training needs, choose which employees will participate in the training.
- Deadline: Specify a date for when the training is to be completed.
- Status: Indicate the status of the training, such as planned, in progress, or completed.
- Log completed: After completing the training, record the date and any comments on how the training went.
- Evaluation: Describe how the effectiveness of the training will be evaluated, for example, by measuring changes in skill levels or job performance.
- Evaluation Date: Enter a date for when the evaluation was conducted.
- Comments: Add additional comments about the training and its implementation.
- Performance evaluation: After completing the review, record the results and any actions that need to be taken to improve future training efforts.
By using training plans, you can manage skills development in a structured way. This will help your organization meet the requirements of ISO standards and continuously improve its performance.
Staff appraisals
Staff appraisals are not a named ISO requirement, but they can be a practical way to follow up competence, working conditions, goals, and support needs.
A staff appraisal aims to create an open dialogue between employer and employee, allowing them to discuss their work situation undisturbed.
It’s a platform for both parties to discuss employee performance, both positive and negative. When we talk about performance, we need to look at the whole work situation. Evaluating the work environment, what supports the employee’s needs, skills development, and the employee’s motivation are all components that directly or indirectly contribute to performance.
A staff appraisal also lets the employer show that the employee matters and that good work is noticed.
It is important for employees to actively participate in appraisals, as they provide opportunities to receive valuable feedback and support.
Appraisals should not be one-way communication. They should cover issues affecting the company as well as personal goals and action plans to achieve them, at least as necessary.
The appraisals give the employer essential feedback while allowing employees to ask questions and obtain support.
An appraisal begins with the employer and employee discussing goals and the employee’s and the company’s responsibility for achieving them. It can also include discussing the challenges that the employee is facing and strategies for dealing with them.
The employer should also ask questions about employees’ personal goals and help achieve them.
An agreement between the union and the employers’ organization often states how often staff appraisals and salary reviews should be conducted. The manager or employee can also request a spontaneous appraisal.
A trend to watch is that more and more companies are abandoning annual performance reviews. One common reason is that the company thinks it is better to use other, more time-efficient, and cost-effective follow-up methods. The company may also feel that annual performance appraisals do not produce the expected results and that tighter feedback loops provide better results.
Remember that all companies are different, so deciding which review method works best for you and keeping track of what is agreed upon in the area are essential.
Regardless of cadence, making it easy to prepare, conduct, and follow up on appraisals is vital so that they are not seen as a cost that can be cut but as an investment that gives results.
IT tools with built-in access control, which make it easy to view the employee’s competence matrix and other employee information alongside the performance appraisal, become extra important.
13. Deviations, improvements, and actions
Deviation management, improvement proposals, and customer complaints
Deviation management is a process used to handle deviations and customer feedback.
Quite logical.
The point is that when we handle events like deviations and customer feedback effectively, we can improve our products and services while improving customer experience.
A deviation arises when a requirement is not met. It can relate to a product, a service, a working method, a legal requirement, or a management-system requirement.
Deviations and suggestions for improvement are connected, but they are not the same thing. A deviation needs handling and sometimes corrective action. An improvement suggestion can also arise when no requirement has been breached.
Now that you are moving towards certification, the concept of “continuous improvement” will come up repeatedly, and deviation management is a process for just that: constantly improving by proactively and reactively acting on events, observations, and ideas within the organization.
With the right tools, training, and culture, this can contribute to increased quality, efficiency, and customer satisfaction.
Below is a quick guide to get started with deviation management.
- Define what a deviation or non-conformance looks like for your organization: It’s essential to have a clear definition so that everyone understands what to look for and report.
- Create a process for reporting and handling deviations: The process should be clear and easy to follow and include how information about deviations should be documented and tracked.
- Train staff: Make sure everyone in the organization understands what a deviation is, how to report it, and what happens when they do it.
- Implement a system to manage deviations. It can be an IT tool or a manual system depending on your needs.
- Follow up and evaluate the process regularly: make sure the process works, actions have the intended effect, and necessary evidence is retained.
- Communicate effectively: Communicate regularly about how the process works, what results you see, and what actions are being taken to fix issues.
- Customize the process to your needs: Every organization is unique, so ensure your process is tailored to your needs and challenges.
14. Risk management
Risk management
Working with systematic risk management helps you identify, analyze, assess, manage, and follow up risks that may affect the company. It is an effective way to prevent problems and improve results.
Risk management is like the brakes on a car. The function is to slow down, but the purpose is to let us drive fast. In ISO work, risk is the effect of uncertainty on results. It can be a threat to reduce, but it can also be an opportunity you want to use.
By anticipating, identifying, and managing risks, you can prevent problems before they occur.
To succeed with risk management, you need to identify potential risks, evaluate them, develop action plans to manage them, and, of course, follow up on them regularly.
You also need to ensure that the necessary resources are in place to manage risk, protect customer interests, and adapt processes to changing market conditions and customer needs.
At the same time, we need to consider the benefits of risk management for the company. Remember to think from the perspectives of “we as a company,” “me as a leader,” and “me as an individual.” If we cannot link the work to these three areas, achieving significant effects will not be easy.
If we have learned anything from Covid, it is that everything can change overnight. That makes preparation useful.
ISO 9001 is based on a concept called risk-based thinking. In short, risk-based thinking means planning and taking measures to manage risks and opportunities, which means working systematically with risk management.
When you identify a risk, you need to properly assess it by following the checklist below. If you repeat this and find a systematic approach to the work, you will be well-equipped to succeed.
- Define the risk scenario
- Identify potential consequences
- Determine if the risk is realistic
- Grade the risk according to a severity or impact matrix
- If you use risk numbers: calculate a risk number
- Identify measures and set an action plan to reduce the risk
- Assign a responsible person
- Set a deadline for managing the risk
- Follow up whether the action has changed the risk picture, for example with an updated risk number if you use that method
15. Policy
Policy
A policy is a statement of intent and direction set by top management to guide decisions and help the organization reach its goals.
Policies should cover the subject areas that top management has identified as important for the organization’s strategy and management system. Common subject areas are quality, environment, information security, and occupational health and safety.
Having multiple policies is not uncommon, but creating a “company policy” covering all these areas is a good option.
The policy sets the direction for decisions and daily work. It also describes the framework within which the organization can act in the subject area.
Organizations working with ISO management-system standards need to establish, maintain, and update their policies when needed so they remain relevant and aligned with the organization’s context, purpose, and commitments. The policy should be clear enough that people can understand and use it in the work.
There is no requirement that a policy must be long and tedious. A policy that is easy to understand and follow is better.
A good quality policy describes, for example:
- Who we are
- What we do
- How we live up to the requirements of the subject area
More often, organizations have requirements or areas that are important to the company based on more than just ISO 9001 and quality. In order for employees not to drown in different policies, it is appropriate to create an operational policy that addresses all or at least several of these subject areas.
A good company policy describes, for example:
- Who we are
- What we do
- What makes us unique and leads to our success
- How we act in our relationship with our customers
- How we who lead and work within the organization are expected to act
- How we work systematically with issues important to our customers, us, and the world around us.
For example, for ISO 14001 and 45001, you need to address work environment requirements, environmental requirements, and other vital requirements from the company’s different stakeholders.
There are many ways to make a policy. It can be long or short, as well as a document or a printed poster. Creating a policy can be creative, and there’s no one-size-fits-all template. What matters is that the policy reflects the organization’s values, goals, and expectations.
However, a policy is only as good as its implementation. Therefore, it is important to formulate a policy and ensure that everyone within the organization knows and understands it.
16. Internal audit
Internal Audit
To be certified, the company must undergo a certification audit conducted by an independent and accredited organization. Before this happens, it is important that the company conducts internal audits to assess whether the management system meets the organization’s own requirements and the standard requirements, and where action is needed.
Internal auditors play a central role in this work. They need to be knowledgeable about the current standards and how they are applied in practice, as well as able to analyze and evaluate the company’s processes and systems objectively.
To perform useful internal audits, auditors need enough competence to audit the selected criteria and scope. The audit process must stay objective and impartial.
Example two-day internal audit for ISO 9001, 14001 and 45001:
Day 1
- An introductory meeting with a presentation of participants, a review of the program, and a review of the company’s background and operations.
- Review the handling of complaints, deviations, and suggestions for improvement, including internal audits and external and internal communication within the company.
- Review of sourcing, supplier follow-up, and purchasing processes within the company, with a focus on environmental management and supplier monitoring.
- Review of marketing and sales processes, including identification of customer requirements and expectations and transfer and reporting of information downstream.
- Review of delivery processes, focusing on work environment management, including planning, execution, risk assessment, and invoicing of assignments.
- Summary of results and time available to the internal auditor.
Day 2
- Review of HR, including hiring, induction, requirements for and verification of the staff’s competence, and planning and follow-up of competence development.
- Review of leadership and commitment within the company, including business intelligence, strategy, business development, long-term and short-term goals, management meetings and communication, as well as management of operational risks.
- Summary of results and time available to the internal auditor.
- Conclusion of the audit with a review of results and discussion of possible improvement measures, as well as adaptation to the requirements of the ISO standards.
17. Goal management
Goal management
Clear goals help leaders and employees see what should happen, who owns it, and how progress is measured.
Objectives and goals create a basis for decision-making, resource allocation, and determining whether we succeed. They help everyone in the organization work toward the same overall purpose and make coordination easier. Good goals are also linked to the company’s vision and mission.
Goal management gives the organization a practical way to steer improvement work. By following these simple steps, you can create a culture of responsibility, commitment, and results while meeting the requirements of ISO 9001 and 14001.
In addition to describing how goals are set, the goal management process should include a review and evaluation system to ensure that the objectives are met and that the company is on the right track to achieve its desired goals.
Goals can be SMART: specific, measurable, accepted, realistic, and time-bound. This will help you clearly define what you want to achieve and how you will know when you have done it.
Each management system standard in this guide requires objectives that fit the policy, can be followed up, are shared with the right people, are updated when needed, and can be evaluated. They should be measurable where the standard requires it or where it is practical:
- ISO 9001 (Quality Management): Quality objectives must be established, documented, and consistent with the quality policy. These objectives should cover essential aspects like customer satisfaction, process improvement, and product conformity.
- ISO 14001 (Environmental Management): The organization must set environmental objectives. They should support environmental performance, relevant compliance obligations, significant environmental aspects, and related risks and opportunities.
- ISO 45001 (Occupational Health and Safety Management): Calls for establishing health and safety objectives that contribute to risk reduction, continuous improvement in occupational health and safety, and compliance with legal, regulatory, and other requirements.
Below is an example step-by-step approach to build goal management that supports the ISO requirements:
- Align goals with strategy
Begin by articulating your company’s strategic vision, mission, and commitments to quality, environmental responsibility, and employee safety. This alignment is essential because ISO standards require that objectives are consistent with your company’s overall policy.
- Set SMART goals
Specific, Measurable, Accepted, Realistic, Time-Bound (SMART). Ensure every goal is unambiguous and sets a clear target. For example:
  - Quality: Improve customer satisfaction scores by 10% within 12 months.
  - Environmental: Reduce energy consumption by 15% over the next three years.
  - Health & Safety: Reduce workplace incidents of severity grading three or higher by 20% within the next 12 months.
- Action plans
Assign clear responsibilities to teams and individuals. Your documented action plans should specify who is responsible for each goal, what resources are required, and the timeline for achieving them.
Confirm that necessary resources (financial, human, and technological) are allocated to support achieving these objectives. This is often examined during audits to ensure the goals are aspirational and actionable within the set timeframe.
Define how each goal will be measured. This allows the organization to quantitatively measure progress and determine how close you are to achieving your goals. A good practice is to set up multiple measurements that counterbalance each other.
Set up systems to collect the necessary data. Depending on your organization’s size and maturity, this may involve automated dashboards, periodic surveys, or manual data collection.
Schedule regular internal audits and management reviews to support compliance evaluation and improvement. These reviews should assess progress against the set objectives and determine if further action is required.
- Celebrate achievements
When an objective is met, celebrate these achievements. Recognition helps reinforce the goal-driven culture and motivates teams.
A culture of continuous improvement not only boosts compliance with the standards but fosters an environment where employees are engaged and committed to the organization’s mission.
Once objectives are achieved, review the lessons learned and set new, more ambitious goals to drive further improvements across quality, environmental performance, and health and safety.
By integrating goal setting, monitoring, and review practices into the daily operations, you create an environment where everyone knows what is expected and where you can objectively measure and improve over time.
18. Supplier management
Supplier Management
Supplier & vendor management is a fundamental part of a company’s governance and directly impacts the company’s performance, quality, and environmental responsibility.
Effective supplier management helps to ensure quality and environmental performance, maintain good business relationships, and build trust between companies and their suppliers.
ISO 9001 requires control of external providers that affect product and service conformity. ISO 14001 focuses on outsourced processes, procurement, life cycle perspective, and communicating relevant environmental requirements to suppliers.
Supplier management covers deliveries, risks, value creation, and the company’s strategic goals.
By conducting risk assessments, creating clear evaluation criteria, integrating environmental requirements into the procurement process, maintaining good communication, and documenting and following up on supplier performance, you can build strong relationships with your suppliers.
Here is how you can do it:
- Create a straightforward process for evaluating and selecting suppliers based on risk assessment, considering how they may affect your business regarding quality and the external environment.
- Establish criteria for monitoring supplier performance and follow up through surveys and site visits.
- Work with suppliers to achieve continuous improvement and encourage certification to relevant standards such as ISO 9001 and ISO 14001.
- Document and follow up on supplier assessments and supplier performance regularly.
Start by identifying the suppliers that are most critical to your business. Think about suppliers of raw materials, services, equipment, and other vital resources.
Then, assess each vendor’s risk. This may include factors such as their ability to meet your needs, their geographical location, their financial stability, and their possible impact on the external environment (i.e., everything around us, including nature and built-up areas).
Create a list of criteria to assess each vendor’s performance.
Examples of criteria can be:
- The quality of the products or services they deliver
- How quickly and efficiently they can deliver
- How well they handle any issues or complaints
- Their ability to understand and meet your specific needs and requirements
- Their environmental performance, including energy efficiency, waste management, and the use of renewable resources
When doing business with suppliers, you should always include environmental requirements in your procurement processes. This could mean requiring them to adhere to specific environmental standards, such as ISO 14001, or reducing their energy consumption and carbon emissions.
Integrate climate and environmental requirements into procurement processes and work with suppliers to reduce energy consumption and carbon emissions.
Supplier monitoring is a critical part of effective supplier management. It allows you to follow up and evaluate suppliers’ performance, which in turn helps ensure that they meet your requirements for quality, timelines, and environmental considerations.
To monitor your suppliers effectively, you can use the following methods:
- Regular audits
Establish a timetable that reflects the importance of each vendor. Use a standardized checklist to evaluate the supplier’s performance against agreed quality criteria such as delivery times and quality controls. The results are then discussed with the supplier to identify areas for improvement and ensure continuous development.
- Supplier reports
Request regular submissions of reports from suppliers highlighting key performance metrics, such as production volumes and environmental impact. This will become a tool to measure the supplier’s actual performance and provide immediate feedback for areas that require improvement.
- Site visits
Conduct regular visits to your suppliers to see their operations in action. This gives you first-hand experience of how well they manage production and allows you to identify any issues or inefficiencies.
- Supplier surveys
Send surveys to your suppliers for their views on how effectively the collaboration works. This will give you further insight into their business and offer an opportunity to identify any areas that could be improved.
- Customer feedback
Customer feedback can provide invaluable information about the supplier’s performance. If customers regularly complain about the quality of the products or services being delivered, it’s a sign that you may need to review your supplier relationships.
By regularly monitoring your suppliers’ performance, you can ensure that they meet your expectations and requirements. Monitoring suppliers also means acting on the insights you gain. If a supplier is not performing as expected, it is important to address the issue with them and work together to find a solution. If the problems persist after measures have been taken, it may be necessary to consider changing suppliers.
Keep open and regular communication with your suppliers. This helps to build strong relationships, encourages continuous improvement, and ensures that any issues can be resolved quickly and efficiently.
Documentation and follow-up make supplier management easier to control. They help to ensure that the expectations and requirements of all parties are met and that any issues or shortcomings are addressed promptly and efficiently. Here are some ways that you can use documentation and follow-up in your supplier management:
- Supplier agreements
These should document all critical aspects of your relationship with the supplier, including specific requirements for products or services, delivery times, pricing information, payment terms, and any environmental requirements.
- Performance reports
By regularly documenting a supplier’s performance, you can monitor it over time, identify trends or patterns, and act quickly if performance starts to drop.
- Meeting notes
Document all meetings with your suppliers, including what was discussed, what actions were decided, and what questions or issues arose.
- Follow-up actions
If there are any issues or shortcomings in a vendor’s performance, you should follow up on them regularly until the issue is resolved. Document these actions to track progress and ensure no information is lost.
- Supplier changes
If you decide to switch suppliers, you should document the entire process, including the reasons for the switch, the selection process for the new provider, and any steps to ensure a smooth transition.
19. Crisis management and emergency preparedness
Crisis management and emergency preparedness
Crisis management is important for companies and organizations that want to control quality, environmental responsibility, and safety. ISO 14001 and ISO 45001 include explicit requirements for emergency preparedness and response. ISO 9001 requires risk-based planning and relevant contingency measures where risks can affect products, services, customers, or process results.
This chapter separates the standards’ requirements and turns them into practical work.
ISO 9001, ISO 14001, and ISO 45001 share the same basic idea: the organization should understand risks, plan actions, and follow up whether the chosen ways of working work. But they do not set identical crisis-plan requirements.
- ISO 9001 requires risk-based planning where risks can affect products, services, customer requirements, or process results. That may lead to contingency procedures, but the standard does not require a general crisis management plan for every type of crisis.
- ISO 14001 requires the organization to prepare for and respond to potential emergencies that can affect the environment. Procedures should be tested where practicable and updated when needed.
- ISO 45001 requires emergency preparedness and response for situations relevant to occupational health and safety. The work should consider hazards, OH&S risks, and the people who may be affected.
A practical preparedness plan should therefore connect scenarios to the business:
- Which events can affect customers, the environment, or occupational health and safety?
- Who alerts, decides, and communicates?
- Which first actions reduce harm or disruption?
- Which exercises, checks, and updates are needed so the procedure works?
Practical examples of crises include natural disasters, technical failures, and cyberattacks. Regardless of the situation, organizations must have clear procedures and plans in place to effectively manage crises, minimize damage, and protect staff and operations.
For example, if a company experiences a significant data breach, its crisis management plan should include steps to isolate the issue, inform stakeholders, conduct an investigation to identify the cause of the breach, resolve the problem, and then implement measures to avoid future breaches.
20. Legal and compliance obligations
Legislation management and monitoring
Companies must comply with applicable laws and regulations.
Regulatory management means identifying and handling the statutory, regulatory, legal, and other requirements that apply to your products, services, environmental aspects, OH&S risks, and management system.
You must understand and identify which laws and regulations are relevant to your operations and effectively integrate regulatory management into your management systems. This may involve collaborating with legal experts, government agencies, or industry associations.
Steps to ensure effective legislative management:
- Mapping of laws and regulations that are relevant to the business
- Create a process to monitor changes in legislation
- Develop a procedure for communicating legal requirements and updates to all stakeholders
- Ensure that staff are trained and aware of the legal requirements that apply to their duties
- Evaluate compliance regularly and use internal audits to check whether the process works
To achieve this, organizations should invest in internal resources and external expertise to stay current on legislation and implement effective systems to comply with requirements.
21. Management work and management review
The management team
The management team is an important part of an organization. It keeps an overview of what is happening in the outside world, analyzes challenges, and prioritizes based on the organization’s goals and vision.
The management team makes decisions and implements the organization’s goals and strategy. It also plays an essential role in learning and developing the organization and is often expected to innovate and drive results.
The management team’s focus is always on the company’s success, which means that every decision should be based on true and credible information about how the business works.
The management team is responsible to the organization’s board and employees, jointly driving the business in the right direction in relation to the organization’s strategy, policies, risks, and goals. The group is comprised of competent people with different knowledge and experience who work together to develop the business.
Much of the management team’s work involves decision-making, and management team meetings are the most often used tool for this.
Management team meetings should be an effective forum where goals, visions, and follow-ups are made in a structured way.
ISO 9001, 14001, and 45001 require management to review the organization’s management system at planned intervals to assess its suitability, adequacy, and effectiveness.
Many organizations choose monthly or quarterly management meetings as a practical rhythm. That is a way of working, not an ISO requirement. The ISO requirement is that top management reviews the management system at planned intervals and has enough input to judge whether it remains suitable, adequate, and effective.
At monthly management team meetings, the management team may focus on the following:
- Events in the outside world, for example, linked to customer industries
- Events within the business, such as registered customer comments and deviations with an impact rating of 3 or higher
- Monthly financial statements
- Action plans linked to the organization’s goals
On the other hand, the management review is a special type of management team meeting that must be held at planned intervals, often at least annually in practice.
The management review should cover the topics that show whether the management system is still suitable, adequate, and effective. Business topics such as budget, product development, and marketing can be included, but they do not replace the standards’ review inputs.
An ISO-aligned agenda should normally cover:
- status of actions from previous management reviews
- changes in internal and external issues that affect the management system
- customer feedback, stakeholder requirements, and relevant compliance obligations
- objectives, measurements, and process performance
- environmental performance and fulfilment of compliance obligations when ISO 14001 is included
- occupational health and safety performance, incidents, risks, and worker participation when ISO 45001 is included
- nonconformities, corrective actions, and improvements
- internal and external audit results
- resources, competence, and need for changes
- risks and opportunities
- decisions about improvement, responsibility, and follow-up
Budget, product development, and long-term plans can follow after that part. Then the meeting works both as a management meeting and as an ISO management review that can be shown during an audit.
It is also important for management to review the organization’s management system at planned intervals to assess its suitability, adequacy, and effectiveness. This is done naturally during management team meetings and especially during the management review.
22. Environmental aspects
Environmental aspects
Environmental aspects are a fundamental part of ISO 14001. In this section, we will explore what is required regarding environmental aspects within ISO 14001 and how organizations can implement these principles in their operations.
An environmental aspect is part of an organization’s activities, products, or services that interacts or can interact with the environment. These aspects can have positive and negative environmental impacts. The work should identify significant aspects and the risks and opportunities that follow from them.
Examples of environmental aspects can be:
- Greenhouse gas emissions and air pollution
- Consumption of energy and water
- Waste management and recycling
- Use of hazardous chemicals and materials
- Impact on biodiversity and ecosystems
ISO 14001 requires that organizations implement a systematic process to identify their environmental aspects. This means mapping and analyzing the activities, products, and services within the environmental management system scope that the organization can control or influence, using a life-cycle perspective. The process may include:
- Review of existing documents and procedures
- Interviews with key people within the organization
- Observations of workplaces and processes
- Analysis of data on resource consumption and emissions
After identifying the environmental aspects, the organization must assess their importance using established criteria and prioritize them. This can involve assessing each aspect based on its potential impact on the environment, how much control your organization has over it, and the extent to which legal requirements or other external factors affect its management.
Once the most critical environmental aspects have been identified and prioritized, you must plan actions and controls where needed to address significant environmental aspects, compliance obligations, and risks and opportunities.
This can involve:
- Changes in processes and technology
- Training and awareness raising for employees
- Development of environmental policies and goals
- Implementation of monitoring and measurement of environmental performance
- Establishment of emergency and contingency plans to deal with any environmental incidents
- Integration of environmental aspects into the organization’s strategy and decision-making processes
- Establishment of roles and responsibilities for the management of environmental aspects at all levels of the organization
- Communication of environmental aspects and performance to stakeholders, such as employees, customers, suppliers, and government agencies
- Internal audits at planned intervals and, when certified, handling of external certification audits
But the work doesn’t end here, as you might think. An important principle of ISO 14001 is continuous improvement.
The organization should always strive to improve its environmental performance by:
- Setting measurable goals and follow-up routines to evaluate progress
- Conducting regular reviews of environmental aspects and their management
- Identifying and implementing improvement actions based on results from monitoring, measurement, and audits
- Updating and adapting the environmental management system to meet changing conditions, such as new legal requirements, technological innovations, or changing market requirements
23. Occupational health and safety management
Work environment management
Work environment management’s primary purpose is to create and maintain a work environment that is safe and healthy for workers and other people who can be affected by the organization, such as contractors and visitors where relevant. ISO 45001 gives organizations a framework to systematically identify hazards, assess OH&S risks, and control work-environment risks. When implemented correctly, an effective occupational health and safety management system can help reduce the number of work-related injuries and illnesses while also improving the well-being and productivity of employees.
To establish an effective system according to ISO 45001 you should manage:
Leadership and worker participation
Top management needs to be engaged, and the organization needs processes for consultation and participation with workers, especially non-managerial workers, in hazard identification, risk assessment, and improvement. Employees have direct insight into risks in their work environment, so they must be able to contribute observations and suggestions.
Risk assessments
Hazard identification and risk assessments should be carried out proactively, on an ongoing basis, and before planned changes to identify risk factors linked to the work. These can include physical risks (such as ergonomic problems or noise), chemical risks (such as exposure to dangerous substances), psychosocial risks (such as stress or bullying in the workplace), and biological risks (such as exposure to infectious diseases).
Goals
Clear goals for the work should be set, and performance should be evaluated continuously to support continuous development.
Training
Workers should receive relevant training for their responsibilities at work.
Documentation
Documented information should exist where ISO 45001 requires it and where the organization needs it to show that the OH&S management system works. This can include incident reports for accidents and near misses.
Review
The system needs to be regularly reviewed and updated to ensure its effectiveness.
Communication
Establish communication processes with employees on work-related issues and encourage active participation in the area.
Legislation
The organization should determine and have access to current legal and other requirements that apply to its hazards, OH&S risks, and OH&S management system. Data-protection rules may also need to be handled when occupational health and safety work contains personal data.
24. Life after certification
Becoming certified vs staying certified
Certification is not the finish line. Becoming certified means that management has established a systematic way to plan, do, check, and act on relevant requirements, and that a certification body has assessed the management system as conforming to the selected standard within the defined scope.
Becoming certified
Whatever standard you certify against, there are defined requirements you need to meet.
How much of this is already in place, and which skills you have for building the required ways of working, varies from organization to organization.
If you lead a company moving toward certification, you need to understand the requirements in the standards you have chosen.
The work is about putting a system in place for how you meet and maintain those requirements over time. The organization also needs to understand what you do, why you do it, and how the work is done.
Staying certified
Staying certified means that you keep recurring activities alive during the year: responsibilities, goals, deviations, risks, supplier follow-up, internal audits, and management review.
The certification body’s auditor will normally follow up through recurring surveillance audits under the certification agreement. The purpose is to check that the management system is used, reviewed, improved, and still works within the certification scope.
25. Conclusion
In this e-book, we’ve outlined the benefits of ISO certification and how it can help improve business efficiency, reduce risk, and increase customer satisfaction.
We have also presented information for building and maintaining an effective management system.
Our team at AmpliFlow is ready to help your organization navigate the ISO certification process.
With over 20 years of experience in the field and our own IT tool, we can support you from early planning to the certification audit.
AmpliFlow gives you less administration and a management system that people use in daily work.
We help you understand and apply ISO requirements in areas such as customer requirements, interested parties, environmental aspects, and legislation. We help you build evidence, routines, and follow-up so you can show how you meet applicable requirements. The goal is not only to support certification, but also to give you a foundation for continual improvement.
Book a meeting if you want to see how AmpliFlow can make the path to ISO certification and continued improvement work easier.
We can help you take the next step toward your goals.
26. Appendix A: common misconceptions about management systems
In this chapter, we will address some common misconceptions about management systems. Many people mistakenly believe that implementing a management system only involves creating a large amount of documentation or that ISO certification is a one-time activity. In fact, an effective management system can help reduce documentation, and ISO certification demonstrates a continuous commitment to improvement and quality in all aspects of the business.
“It’s basically about creating lots of documents.”
Management systems are used to control and manage operations.
It’s not uncommon for organizations to be able to reduce the amount of documentation by working on these issues.
“Management systems are only for large companies.”
Management systems can be adapted for companies of all sizes and types, from small startups to multinational corporations. Smaller businesses often benefit significantly from implementing a management system because it can help them become more organized, efficient, and competitive.
“Management systems are difficult to implement.”
Implementing a new management system can be challenging, but the work becomes easier with the right tools, guidance, and support. Companies can use consultants, courses, and internal training when they need help.
“Management systems are expensive.”
The costs of implementing a management system vary depending on the company’s size, complexity, and specific needs. However, investing in an effective management system can save money through increased efficiency, reduced errors, and fewer quality issues.
“Management systems are not flexible.”
Another common misconception is that management systems cannot be adapted to a company’s unique needs and circumstances. In fact, most management systems are designed to be highly flexible and can be customized to suit any type of business.
“ISO certification is a one-time activity.”
Complying with ISO standards is a process, not an event. Certification shows that the management system has been assessed against a specific standard and scope, and that the organization needs to keep monitoring, auditing, reviewing, and improving the system over time. ISO 9001 requires continual improvement of the suitability, adequacy, and effectiveness of the quality management system, with evidence from follow-up, internal audit, management review, and improvement work where the standard requires documented information.
“Management systems are only for production industries.”
A management system can be adapted to many industries, including the service sector, the public sector, non-profit organizations, and more. Any organization can benefit from structured processes and clear guidelines for managing different aspects of the business.
“Management systems limit innovation & lead to bureaucracy.”
A good management system can support innovation by giving ideas, decisions, tests, and improvements a clear path.
An effective management system should help reduce bureaucracy by making processes more efficient and streamlined. If a management system leads to increased bureaucracy, it may be a sign that it needs to be reviewed and adapted.
Conclusion
Many misconceptions about management systems come from making the work too abstract. With the right setup, the system helps the company steer work, follow up results, and improve how the business runs.
27. Appendix B: mistakes and advice
Over the years, we have seen that one common reason ISO projects become difficult is that companies choose the hard path and end up in an unnecessarily complex process. It does not have to be that way. Certification can be made simpler. Here are some of our best pieces of advice for making the ISO certification process faster and more efficient, so you avoid the same traps that many companies fall into.
The misunderstanding about detail
A common mistake is to believe that certification is about describing the business in extreme detail. Many people think that the more detailed the description is, the easier certification becomes. In practice, it is often the opposite. You are audited against what you show.
For example, you do not need to describe step by step how every sentence in a quotation is produced in a flowchart. It is enough to describe, at an overall level, how your sales process works.
ISO standards leave a lot open for you to decide. Many consultants and companies mistakenly believe that everything must be perfect before certification and that documentation is the important thing. The result is often too much documentation, barely used, out of step with reality, and costly in time and money.
Instead, focus on work that supports the company’s development and success. Keep this question in mind: “Will what we are creating now help us run the business more efficiently and safely?”
Setting a reasonable level of detail at the beginning of the process helps you reach your goal faster. After certification, you can gradually improve the way you work and aim for greater success, whether you want to set a world record or simply become the best in your region.
Certification as an investment, not only a cost
Companies often see ISO certification only as a cost instead of an investment.
ISO certification does not need to be a heavy and expensive process. With the right mindset, tools, and methods, the certification work can become an investment that gives you a stable foundation for continued development and success.
28. Appendix C: Office 365 document control procedure
This procedure describes how our company uses Office 365 to manage our documents and ensure that relevant and up-to-date information is available to the people who need it, where and when they need it. This helps us keep our information organized, traceable, and under control, contributing to efficiency, productivity, and regulatory compliance.
Note that this example needs to be adapted to your company and industry. For instance, a pharmaceutical company will have much stricter requirements regarding document management than a gardener.
Information management
The company’s published and approved information, which is valid and current and available to everyone, shall be published on the intranet.
The material on the intranet takes precedence over all other material you may find within the company.
When we publish a page on the intranet, we distinguish between primary and supporting information.
Primary / supporting information
The primary information should be as concise as possible, covering 80% of what the average visitor might need.
The remaining 20%, along with other reference and supporting information, is published as supporting information in the library, which is shown at the bottom of the main page, or as links.
The purpose of the primary information is to be a gateway to everything related to the subject area.
Supporting information may be needed to fully understand the primary information, but not all visitors to the area use it. Examples include specific legal texts, accumulated knowledge in the field, forms, or other related material.
When supporting material is ready for publication, the PDF version of the document is copied to the correct folder under a primary page on the intranet and is then published.
Documents that are subject to audit, such as our QMS documentation, are sent for approval when published on the intranet. The system automatically handles the approval flow based on the type of document, which means that the document must be marked with “type” before it can be sent for approval; otherwise, the system will tell you.
Document templates
We have linked all our current templates in the most common Office 365 tools, such as Word, Excel, and PowerPoint.
When creating a new document:
- Click “File” in the top left corner of the Office 365 tool’s menu and select “New.”
- Click on the tab for your company-specific templates (“Company name,” to the right of the default Office tab) and choose the template based on what you need to do.
- Save the document under “Files” in the correct Team, channel, and folder according to our rules for “Naming of documents.”
Example. To produce a quote in Word for a customer, click on the templates under the folder “Business Develop” and select a quote template for the product/service you are going to quote. Make sure to save the quote in the Teams group “Sales” in the channel folder “Quotes.” If a folder for the customer does not already exist, create one and name it with the customer’s full name.
Development of templates
New templates are created from the general template in the respective Office 365 tools.
Take an existing template and save it under the heading Files in Team “Development” and channel “New templates” according to “Naming of documents.” Make suggestions for changes in the template and ping the KMA coordinator about the template via Teams.
Other relevant things to describe
The basic principle is that a user should be able to understand how to handle company information by reading about intranet document management.
Supporting information
Examples of things you need to describe:
- Microsoft Teams Structure
- Microsoft Teams life cycle
- Communicating changes when updating information
- Archiving outdated information
- Your folder and file structure
- Rules for naming documents
- Project Management
- Document management in OneDrive
Depending on the company, other specific parts may, of course, be needed, such as:
- CAD file management
- InDesign file management
- Process for approval of governing documents
Guide to more efficient working methods
This document management routine gives us a practical guide for working more efficiently, securely, and productively. By following this procedure, we can control information so it is accessible, up-to-date, and in accordance with our company policies, laws, and regulations.