Certification bodies (conformity assessment bodies) must themselves undergo a third-party conformity assessment. The general principles are set out in ISO/IEC 17000:2004, and the specific requirements for bodies certifying management systems are in ISO/IEC 17021. A notification is an independent assessment of the certification body's competence against the requirements of the CASCO (ISO Committee on Conformity Assessment) standards, followed by the issuing of official permission to carry out certification work in the system under the established rules.
The principal management systems for which management system certification bodies are notified are described below. The first is quality management, ISO 9001; the following text is the scope clause of ISO 9001:2015:
This International Standard specifies requirements for a quality management system when an organization:
a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
All the requirements of this International Standard are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.
NOTE 1 In this International Standard, the terms “product” or “service” only apply to products and services intended for, or required by, a customer.
NOTE 2 Statutory and regulatory requirements can be expressed as legal requirements.
ISO 14000 is a family of standards for environmental management. It exists to help organizations (a) minimize the negative effects of their operations and processes on the environment (adverse changes to air, water or land); (b) comply with applicable laws, regulations and other environmentally oriented requirements; and (c) continually improve on both counts.
ISO 14000 is similar to the ISO 9000 quality management family in that both address the process by which a product is produced rather than the product itself. As with ISO 9001, certification is performed by third-party certification bodies rather than awarded by ISO directly. When audits are performed, ISO 19011 (guidelines for auditing management systems) and ISO/IEC 17021 (requirements for bodies providing audit and certification of management systems) apply.
The requirements of ISO 14001 are an integral part of the European Union's Eco-Management and Audit Scheme (EMAS). EMAS is more demanding than ISO 14001, mainly in its requirements for performance improvement, legal compliance and public reporting. The current version of ISO 14001 is ISO 14001:2015, published in September 2015.
OHSAS 18001, the Occupational Health and Safety Assessment Series (officially BS OHSAS 18001), was a British Standard for occupational health and safety management systems. Compliance with it allowed organizations to demonstrate that they had a system in place for occupational health and safety. BSI withdrew BS OHSAS 18001 in favour of ISO 45001, adopted as BS ISO 45001. ISO 45001 was published in March 2018 by the International Organization for Standardization. Organizations certified to BS OHSAS 18001 had until March 2021 (a deadline later extended to September 2021) to migrate to ISO 45001 if they wanted to retain a recognized certification.
ISO 50001 is the international standard for Energy Management Systems, created by the International Organization for Standardization (ISO). The standard specifies the requirements for establishing, implementing, maintaining and improving an energy management system, whose purpose is to enable an organization to follow a systematic approach in achieving continual improvement of energy performance, including energy efficiency, energy security, energy use and consumption.
The standard aims to help organizations continually reduce their energy use, and therefore their energy costs and their greenhouse gas emissions.
ISO 50001 was originally released by ISO in June 2011 and is suitable for any organization, whatever its size, sector or geographical location. The second edition, ISO 50001:2018 was released in August 2018.
The standard is modelled on the ISO 9001 quality management system and the ISO 14001 environmental management system (EMS), and the 2018 edition follows the same high-level structure (Annex SL) as ISO 9001:2015 and ISO 14001:2015, so its clauses can be integrated with both.
A significant feature of ISO 50001 is the requirement to "... improve the EnMS and the resulting energy performance" (clause 4.2.1 c) of the 2011 edition). ISO 9001 requires improvement of the effectiveness of the management system but not of the quality of the product or service; the 2004 edition of ISO 14001 likewise required improvement of the system but not of environmental performance itself (ISO 14001:2015 has since tightened this: clause 10.3 requires continual improvement of the EMS in order to enhance environmental performance). It is anticipated that implementing ISO 9001 and ISO 14001 together would improve quality and environmental performance, but ISO 9001 does not specify this as a requirement.
ISO 50001 therefore "raised the bar" by requiring an organization to demonstrate that it has improved its energy performance. The standard specifies no quantitative targets: the organization chooses its own targets and creates an action plan to reach them. With this structured approach, an organization is more likely to see tangible financial benefits.
The ISO 22000 international standard specifies the requirements for a food safety management system. The elements on which that system is built are discussed below.
These elements have been critically reviewed by many researchers. Communication along the food chain is essential to ensure that all relevant food safety hazards are identified and adequately controlled at each step within the chain. This implies communication with organizations both upstream and downstream in the food chain. Communication with customers and suppliers about identified hazards and control measures helps to clarify customer and supplier requirements.
Recognition of the organization's role and position within the food chain is essential to ensure effective interactive communication throughout the chain in order to deliver safe food products to the final consumer.
The most effective food safety systems are established, operated and updated within the framework of a structured management system and incorporated into the overall management activities of the organization. This provides maximum benefit for the organization and interested parties. ISO 22000 has been aligned with ISO 9001 in order to enhance the compatibility of the two standards.
ISO 22000 can be applied independently of other management system standards or integrated with existing management system requirements.
ISO 22000 integrates the principles of the Hazard Analysis and Critical Control Point (HACCP) system and application steps developed by the Codex Alimentarius Commission. By means of auditable requirements, it combines the HACCP plan with prerequisite programmes. Hazard analysis is the key to an effective food safety management system, since conducting a hazard analysis assists in organizing the knowledge required to establish an effective combination of control measures. ISO 22000 requires that all hazards that may be reasonably expected to occur in the food chain, including hazards that may be associated with the type of process and facilities used, are identified and assessed. Thus it provides the means to determine and document why certain identified hazards need to be controlled by a particular organization and why others need not.
During hazard analysis, the organization determines the strategy to be used to ensure hazard control by combining the prerequisite programmes and the HACCP plan.
ISO/IEC 27001 is an information security standard and part of the ISO/IEC 27000 family of standards. The 2013 edition, amended by two technical corrigenda in 2014 and 2015, was superseded by ISO/IEC 27001:2022, published in October 2022. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO/IEC subcommittee ISO/IEC JTC 1/SC 27.
ISO/IEC 27001 specifies a management system intended to bring information security under management control, and it sets out specific requirements for that system. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.
Most organizations have a number of information security controls. Without an information security management system (ISMS), however, those controls tend to be disorganized and disjointed, having often been implemented as point solutions to specific situations or simply by convention. Security controls in operation typically address particular aspects of IT or data security, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected overall. Moreover, business continuity planning and physical security may be managed quite independently of IT or information security, while human resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
ISO/IEC 27001 requires that management: