With the ISO 9001, 27001, and 45001 management system standards using the Annex SL format, we see that there are two sections at the start of the standard under clause 4, Context of the Organization. While some people are confused by these requirements, the intention behind them is nothing new to anyone who has implemented a management system.
So, what are clauses 4.1 and 4.2 about, and how are they intended to be used?
You can read a bit more on how Annex SL works in this article: Has the PDCA Cycle been removed from the new ISO standards?
The intention behind ISO requirements in clause 4.1, considering issues that affect the management system, and clause 4.2, identifying the requirements of interested parties, is to tailor a management system to the unique needs of your organization.
What are the clauses about?
The two sections at the beginning of each standard are clause 4.1, Understanding the Organization and its Context, and clause 4.2, Understanding the Needs and Expectations of Interested Parties. With clause 4.1, the requirements of the standard are that you identify internal and external issues that are applicable to your management system, and that you keep up to date with changes regarding these issues.
Clause 4.2 requires that you identify who your interested parties are, i.e., those people or organizations that have an interest in how your management system meets their needs. You then need to identify the requirements of these interested parties, and again keep up to date on changes in the requirements.
The intention of these clauses is for companies to create processes that not only meet the requirements of the ISO standards, but also incorporate customer, legal, internal, and other requirements into those processes.
So, what these clauses are about is identifying all of these other requirements that need to be incorporated into your management system processes along with the requirements of the ISO standard.
To see how this works for various ISO standards, see these articles:
- How to identify the context of the organization in ISO 9001:2015
- Determining the context of the organization in ISO 14001
- Defining the context of the organization according to ISO 45001
- All you need to know about setting the ISO 27001 scope
How do clauses 4.1 & 4.2 influence the ISO management system?
When you create a management system, you need to be aware that the requirements of the ISO standard are not the only requirements you use to develop the processes. You will also need to include requirements that come from other interested parties, such as customers, as well as legal requirements. Since these other requirements will be different for each organization, the ISO standard is flexible enough to provide a framework for what needs to be done without conflicting with those other requirements.
Identifying these other requirements is what clauses 4.1 and 4.2 are all about. Clause 4.1 asks that you identify issues that need to be addressed, such as dealing with a workforce that changes all the time, while clause 4.2 asks that you identify interested parties, such as customers, legal entities, and workers who have a stake in how the management system functions.
So, the ISO management system standards are written to allow you to incorporate these other requirements that are unique to your organization into your processes without creating a conflict.
Some examples of how this works with the different standards
It is often easier to understand these concepts with some examples, and since we are discussing all of the newer updates to the ISO management system standards, here are some examples for each standard:
ISO 9001 Quality Management System requirements: With the QMS, there is a requirement to have a process for dealing with nonconforming products and services (clause 8.7). The standard requires that when you identify that a product or service does not meet the requirements, you decide how to address it from a prescribed list (rework, use as is, scrap, etc.); that you verify when the correction is made; and that you keep a record of what was wrong, what you did, what concessions were made (if any), and who authorized the actions. If you have an internal issue (clause 4.1), such as several experienced employees retiring, then you will need to identify how you will transfer their knowledge and skills to less experienced people. If you have customer requirements (clause 4.2) that they need to approve any Use As Is decisions, then this will need to be added to your process flow as well.
ISO 14001 Environmental Management System requirements: With the EMS, there are requirements around communication, such as the need for a process for internal and external communication that includes what will be communicated, when, how, and with whom, including any applicable documentation of communication. If you have identified that your employees lack the skills required to identify environmental interactions and assess their impact (clause 4.1), then you might need to provide training to acquire these skills. If you have requirements to notify the local town planning office when you are cutting down a tree (clause 4.2), then this communication will need to be managed if you choose to expand your building into an area with trees that will be removed.
ISO 45001 Occupational Health & Safety Management System requirements: With the OHSMS, there are requirements around competence (clause 7.2), which includes the skills, knowledge, experience, training, education, etc. needed for employees to do their jobs. The requirements are that you determine what competence is required of employees, ensure that they have the competence, take action to increase competence if it is not there and check that this has been effective, and keep records that show people have the competence needed for the job they are doing. If you have identified that safety communication is poor in the organization, you may need to develop or find a training course on communication in your company (clause 4.1). If there is a legal requirement (clause 4.2) that you train people yearly on Workplace Hazardous Materials Information System (WHMIS) information, then this will need to be on your list of competence for employees.
ISO 27001 Information Security Management System requirements: With the ISMS, there are requirements to perform risk assessment and treatment according to clause 6.1, for which you need employees who understand how this is done. If you have identified that you do not have employees with enough skills (clause 4.1), you might need to send your employees to training to acquire those skills; alternatively, you could hire an external expert (e.g., a consultant) to do this risk management for you. If you have identified a requirement from one of your main customers to use a particular method for risk assessment (clause 4.2), then you have to adapt your risk management methodology accordingly.
Bringing it all together into a way of doing business
The ISO management system standards are not intended to add overhead to a business, but rather to help a business better manage the activities it does. Every business needs to address the internal and external issues that affect it, and ensure that it meets the legal and other requirements of the industry and location it operates in.
The idea of using the requirements of an ISO management system standard is not to override these requirements, nor to replace having good business knowledge of your unique company, but rather to provide the framework needed to better manage these requirements and issues in a systematic way that leads to improvement.
To implement ISO standards easily and efficiently, use our Documentation Toolkits that provide step-by-step guidance and all documents for various ISO standards.