ISO CERTIFICATION OUTCOMES

Expected outcomes for accredited certification to an ISO management system standard (from the perspective of the organization’s interested parties)

“For the defined certification scope, an organization with a certified management system has policies and processes in place to achieve the objectives defined by the scope (“Clause 1”) of the specific management system standard.”

For example: “An organization with a certified quality management system is managing its systems and processes so as to:

a) consistently provide products and services that meet customer and applicable statutory and regulatory requirements;

b) facilitate opportunities to enhance customer satisfaction.”

Or “An organization with a certified environmental management system is managing its interactions with the environment and is demonstrating its commitment to:

a) enhancement of environmental performance and the protection of the environment;

b) fulfilment of compliance obligations;

c) continually enhancing its environmental management system to achieve its environmental objectives.”

What accredited management system certification means

To achieve an organization’s objectives related to the Expected outcomes intended by the management systems standard, the accredited management system certification is expected to provide confidence that the organization has a management system that conforms to the applicable requirements of the specific ISO standard.

In particular, it is to be expected that the organization:

1. has a system which is appropriate for its organizational context and certification scope;

2. has defined a policy appropriate for the intent of the specific management system standard and to the nature, scale and impacts of its activities, products and services over their lifecycles;

3. is addressing risks and opportunities associated with its context and objectives;

4. analyses and understands customer needs and expectations, as well as the relevant statutory and regulatory requirements related to its products, processes and services;

5. ensures that product, process and service characteristics have been specified in order to meet customer and applicable statutory/regulatory requirements;

6. has determined and is managing the processes needed to achieve the Expected outcomes intended by the management system standard;

7. has ensured the availability of resources necessary to support the operation and monitoring of these products, processes and services;

8. monitors and controls the defined product, process and service characteristics;

9. aims to prevent nonconformities, and has systematic improvement processes in place to:

  • react and correct any nonconformities that do occur (including product and service nonconformities that are detected after delivery);

  • determine the cause of nonconformities and take corrective action to avoid their recurrence;

  • determine if similar nonconformities exist, or could potentially occur;

  • implement any action needed;

  • review the effectiveness of any corrective action taken; and

  • address complaints from interested parties;

10. has implemented an effective internal audit and management review process;

11. is monitoring, measuring, analysing, evaluating and improving the effectiveness of its management system;

12. has implemented processes for communicating internally, as well as responding to and communicating with interested external parties.

ISO 9001

QUALITY MANAGEMENT SYSTEMS

ISO 9001 is a standard that sets out the requirements for a quality management system. It helps businesses and organizations to be more efficient and improve customer satisfaction.

Implementing a quality management system will help you:

  • Assess the overall context of your organization to define who is affected by your work and what they expect from you. This will enable you to clearly state your objectives and identify new business opportunities.

  • Put your customers first, making sure you consistently meet their needs and exceed their expectations. This can lead to repeat custom, new clients and increased business for your organization.

  • Work in a more efficient way as all your processes will be aligned and understood by everyone in the business or organization. This increases productivity and efficiency, bringing internal costs down.

  • Meet the necessary statutory and regulatory requirements.

  • Expand into new markets, as some sectors and clients require ISO 9001 before doing business.

  • Identify and address the risks associated with your organization.

ISO 9001 builds on seven quality management principles.

Following these principles will ensure your organization or business is set up to consistently create value for its customers. With these seven pillars firmly in place, implementing a quality management system will be much easier.

The seven quality management principles are:

1. Customer Focus.

Meeting – and exceeding – customer needs is the primary focus of quality management and will contribute to the long-term success of your enterprise. It is important to not only attract but also retain the confidence of your customers, so adapting to their future needs is key.

2. Leadership.

Having a unified direction or mission that comes from strong leadership is essential to ensure that everyone in the organization understands what you are trying to achieve.

3. Engagement of People.

Creating value for your customers will be easier if you have competent, empowered and engaged people at all levels of your business or organization.

4. Process Approach.

Understanding activities as processes that link together and function as a system helps achieve more consistent and predictable results. People, teams and processes do not exist in a vacuum and ensuring everyone is familiar with the organization’s activities and how they fit together will ultimately improve efficiency.

5. Improvement.

Successful organizations have an ongoing focus on improvement. Reacting to changes in the internal and external environment is necessary if you want to continue to deliver value for your customers. This is of paramount importance today when conditions evolve so quickly.

6. Evidence-based Decision Making.

Making decisions is never easy and naturally involves a degree of uncertainty, but ensuring your decisions are based on the analysis and evaluation of data is more likely to produce the desired result.

7. Relationship Management.

Today’s businesses and organizations do not work in a vacuum. Identifying the important relationships you have with interested parties such as your suppliers – and setting out a plan to manage them – will drive sustained success.

Suggested timeline: 14 months from application to audit - consult other proposed timelines.

TSA offers consultancy services each step of the way with assistance in: defining objectives; identifying key processes; creation of the management system manual; assistance with related processes and procedures; training of staff in quality awareness; training of staff in internal audit practice, writing of audit questions; strengthening the performance management system that you have in place.

ISO 27001

INFORMATION SECURITY MANAGEMENT SYSTEMS

This certification outlines the essential requirements for creating, executing, and enhancing an information security management system within an organization. Embracing such a system is a crucial strategic choice that shapes an organization's overall direction. Developing and executing this system is guided by the organization's unique goals, security needs, operational procedures, and its scale and composition, all of which are subject to evolution over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This certification also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Meeting the certification requires focus on:

Organisation:

  • providing a live description of the context of the organization;

  • Understanding the organization and its context

  • Understanding the needs and expectations of interested parties

  • Determining the scope of the information security management system

  • Information security management system

Leadership

  • Addressing leadership and commitment

  • Policy

  • Organizational roles, responsibilities and authorities

Planning

  • Actions to address risks and opportunities

  • Information security objectives and planning to achieve them

Support

  • Resources

  • Competence

  • Awareness

  • Communication

  • Documented information

Operation

  • Operational planning and control

  • Information security risk assessment

  • Information security risk treatment

Performance evaluation

  • Monitoring, measurement, analysis and evaluation

  • Internal audit

  • Management review

Improvement

  • Continual improvement

  • Nonconformity and corrective action

Annex A Information security controls

Suggested timeline: 14 months from application to audit - consult other proposed timelines.

TSA offers consultancy services each step of the way with assistance in: establishing the bases for the various risk assessment processes; training in information security controls; creation of the management system manual; assistance with related processes and procedures; training of staff in information security awareness; training of staff in data protection awareness; establishing a record of processing activities.

ISO 21001

EDUCATIONAL ORGANISATIONS - MANAGEMENT SYSTEM FOR EDUCATIONAL ORGANISATIONS

ISO 21001 is a stand-alone management system standard, aligned with ISO 9001, designed to improve the management systems of educational organizations and enhance their influence on learners and other stakeholders. This standard is versatile and can be integrated harmoniously with various regional, national, proprietary, and other pertinent standards, offering a comprehensive framework for educational institutions to optimize their operations.

The potential benefits to an organization of implementing a management system for educational organizations (EOMS) based on this certification are:

  • better alignment of objectives and activities with policy (including mission and vision);

  • enhanced social responsibility by providing inclusive and equitable quality education for all;

  • more personalized learning and effective response to all learners and particularly to learners with special education needs, distance learners and lifelong learning opportunities;

  • consistent processes and evaluation tools to demonstrate and increase effectiveness and efficiency;

  • increased credibility of the organization;

  • a means that enables educational organizations to demonstrate their commitment to effective educational management practices;

  • a culture for organizational improvement;

  • harmonization of regional, national, open, proprietary, and other standards within an international framework;

  • widened participation of interested parties;

  • stimulation of excellence and innovation.

This EOMS entails the following management principles:

  • a) focus on learners and other beneficiaries;

  • b) visionary leadership;

  • c) engagement of people;

  • d) process approach;

  • e) improvement;

  • f) evidence-based decisions;

  • g) relationship management;

  • h) social responsibility;

  • i) accessibility and equity;

  • j) ethical conduct in education;

  • k) data security and protection.

Suggested timeline: 14 months from application to audit - consult other proposed timelines.

TSA offers consultancy services each step of the way with assistance in: strengthening of the learner-based curriculum and assessment; the application; training in transformational leadership; ethics and governance; data security and protection; curriculum and study plan review; processes and policies.

ISO 29994

EDUCATION AND LEARNING SERVICES - REQUIREMENTS FOR DISTANCE LEARNING

ISO 29994 is a standard intended to provide specific requirements for distance learning services. It is applicable to any distance learning services that are addressed to learners themselves as well as to sponsors who are acquiring the services on behalf of the learners.

This document is intended to be used alongside ISO 29993. Distance learning service providers (DLSP) can implement this document and ISO 29993 to ensure the consistent delivery of distance learning services.

The potential benefits to an organization of implementing a distance learning system for educational organizations based on this certification are:

  • providing the learner with transparent processes that enhance your credibility as a distance learning provider;

  • providing protection to the consumer by preventing prejudicial practices;

  • improving the quality of distance learning for all interested parties.

Suggested timeline: 14 months from application to audit - consult other proposed timelines.

TSA offers consultancy services each step of the way with assistance in: information review bringing it in line with standard requirements; needs analysis structure; curriculum design/service design; service delivery; learning materials; learner support mechanisms; provision of learner-support staff and training; payment requirements; processes and policies.

ISO 22301

BUSINESS CONTINUITY MANAGEMENT

This standard specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.

The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.

This document is applicable to all types and sizes of organizations that:

  • implement, maintain and improve a BCMS;

  • seek to ensure conformity with stated business continuity policy;

  • need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;

  • seek to enhance their resilience through the effective application of the BCMS.

This document can be used to assess an organization’s ability to meet its own business continuity needs and obligations.

The outcomes of maintaining a BCMS are shaped by the organization’s legal, regulatory, organizational and industry requirements, products and services provided, processes employed, size and structure of the organization, and the requirements of its interested parties.

A BCMS emphasizes the importance of:

  • understanding the organization’s needs and the necessity for establishing business continuity policies and objectives;

  • operating and maintaining processes, capabilities and response structures for ensuring the organization will survive disruptions;

  • monitoring and reviewing the performance and effectiveness of the BCMS;

  • continual improvement based on qualitative and quantitative measures.

A BCMS, like any other management system, includes the following components:

  • a policy;

  • competent people with defined responsibilities;

  • management processes relating to:

    • policy;

    • planning;

    • implementation and operation;

    • performance assessment;

    • management review;

    • continual improvement;

  • documented information supporting operational control and enabling performance evaluation.

Benefits of a business continuity management system

The purpose of a BCMS is to prepare for, provide and maintain controls and capabilities for managing an organization’s overall ability to continue to operate during disruptions. In achieving this, the organization is:

  • a) from a business perspective:

    • 1) supporting its strategic objectives;

    • 2) creating a competitive advantage;

    • 3) protecting and enhancing its reputation and credibility;

    • 4) contributing to organizational resilience;

  • b) from a financial perspective:

    • 1) reducing legal and financial exposure;

    • 2) reducing direct and indirect costs of disruptions;

  • c) from the perspective of interested parties:

    • 1) protecting life, property and the environment;

    • 2) considering the expectations of interested parties;

    • 3) providing confidence in the organization’s ability to succeed;

  • d) from an internal processes perspective:

    • 1) improving its capability to remain effective during disruptions;

    • 2) demonstrating proactive control of risks effectively and efficiently;

    • 3) addressing operational vulnerabilities.

Plan-Do-Check-Act (PDCA) cycle

This standard applies the Plan (establish), Do (implement and operate), Check (monitor and review) and Act (maintain and improve) (PDCA) cycle to implement, maintain and continually improve the effectiveness of an organization’s BCMS.

This ensures a degree of consistency with other management systems standards, thereby supporting consistent and integrated implementation and operation with related management systems.

Meeting the certification requires focus on:

Organisation:

  • providing a live description of the context of the organization;

  • Understanding the organization and its context

  • Understanding the needs and expectations of interested parties

  • Determining the scope of the business continuity management system

  • Business continuity management system

Leadership

  • Addressing leadership and commitment

  • Policy

  • Organizational roles, responsibilities and authorities

Planning

  • Actions to address risks and opportunities

  • Business continuity objectives and planning to achieve them

Support

  • Resources

  • Competence

  • Awareness

  • Communication

  • Documented information

Operation

  • Operational planning and control

  • Business impact analysis and risk assessment

  • Business continuity strategies and solutions

  • Business continuity plans and procedures

  • Evaluation of business continuity documentation and capabilities

Performance evaluation

  • Monitoring, measurement, analysis and evaluation

  • Internal audit

  • Management review

Improvement

  • Continual improvement

  • Nonconformity and corrective action

Suggested timeline: 14 months from application to audit - consult other proposed timelines.

TSA offers consultancy services each step of the way with assistance in: establishing the bases for the various business continuity processes; training in incident response; creation of the business continuity system manual; assistance with related processes and procedures; training of staff in response according to role; establishing the business continuity plans according to department.