Introduction to

UNIT 1 INTRODUCTION TO Management Systems

MANAGEMENT SYSTEMS
Structure
1.0 Objectives
1.1 Introduction
1.2 ISO 9001:2000 Quality Management System-Requirements
1.2.1 Introduction to ISO 9001
1.2.2 ISO 9000
1.3 ISO 14001:2004 Environmental Management System-Requirements
1.3.1 Introduction to ISO 14001: 2004
1.3.2 How to Use ISO 14001
1.3.3 Your General Approach
1.3.4 Application
1.3.5 Structure and Interpretation
1.4 OHSAS 18001:2007 Occupational Health and Safety Management
Systems Requirements
1.4.1 Introduction to OHSAS 18001: 2007
1.4.2 How to Use 18001 OHSAS 18001:2007
1.4.3 PDCA Methodology
1.4.4 Your General Approach
1.5 ISO/IEC 27001:2005 Information Technology-Security Techniques-
Information Security Management System-Requirements
1.5.1 ISO and IEC
1.5.2 ISO/IEC 27001 vs. BS 7799-2
1.5.3 Introduction to ISO/IEC 27001
1.5.4 The PDCA Model
1.5.5 Your General Approach
1.5.6 The Process Approach
1.6 Let Us Sum Up
1.7 Key Words
1.8 Answers to Check Your Progress Exercise
1.9 Suggested Reading

1.0 OBJECTIVES
The aim of this unit is to introduce us to international standards representing
different management systems. After reading this, we shall become familiar
with the following management systems standards. These standards are
applicable to all industries including food industry.
a) ISO 9001:2000,
b) ISO 14001:2004,
c) OHSAS 18001:1999, and
d) ISO 27001:2005.
The following standards are applicable specifically to food industry.
a) ISO 22000
b) BRC Food
c) IFS
d) SQF
e) HACCP

7
Management Systems,
Auditing and Accreditation
1.1 INTRODUCTION
The management system of an organisation is a system to establish policy and
objectives and to achieve those objectives. Management systems encompass all
possible spheres of life, industrial and non-industrial. They include quality
management, environmental management, food safety management,
occupational health and safety management, information security management.
These management standards are prepared by International Organisation
for Standardization (ISO). It is located in Switzerland (Geneva) and was
established in 1947 to develop common international standards in many
areas. Its members come from over 150 national standards bodies. The Bureau
of Indian Standards, the National Standards Body (NSB) in India, is a member
of ISO.

1.2 ISO 9001:2000 QUALITY MANAGEMENT

SYSTEM-REQUIREMENTS
1.2.1 Introduction to ISO 9001
I S O 9 0 0 1 is sweeping the world. It is rapidly becoming the most important
quality management systems standard. Thousands of companies in over 1 0 0
countries have already adopted it, and many more are in the process of doing
so. Why? Because it assists organisations, of all types and sizes, to implement
and operate effective quality management systems. It saves money.
Customers expect it and competitors use it.
ISO 9 0 0 1 applies to all types of organisations. It doesn’t matter what size
they are or what they do. It can help both product and service oriented
organisations achieve standards of quality that are recognized and
respected throughout the world.

1.2.2 ISO 9000

The term I S O 9 0 0 0 refers to a set of quality management standards.
ISO 9000 currently includes three quality management systems standards: ISO
9000:2005, ISO 9001:2000 and ISO 9004:2000. ISO 9001:2000 presents
requirements, while ISO 9000:2005 deals with fundamentals and vocabulary,
and ISO 9004:2000 presents guidelines for performance improvements. All of
these are system standards (not product standards).
ISO’s purpose is to facilitate international trade by providing a single set of
standards that people everywhere would recognize and respect.
The ISO 9000:2000 Standards apply to all kinds of organisations in all
kinds of areas. Some of these areas include manufacturing, processing,
servicing, printing, forestry, electronics, steel, computing, legal services,
financial services, accounting, trucking, banking, retailing, drilling,
recycling, aerospace, construction, exploration, textiles, pharmaceuticals,
oil and gas, pulp and paper, petrochemicals, publishing, shipping,
energy, telecommunications, plastics, metals, research, health care,
hospitality, utilities, pest control, aviation, machine tools, food
processing, agriculture, government, education, recreation, fabrication,
sanitation, software development, consumer products, transportation,

8
design, instrumentation, tourism, communications, biotechnology, chemicals, Introduction to
Management Systems
engineering, farming, entertainment, horticulture, consulting, insurance, and
so on.
These standards are explained in detail separately in this course.

1.3 ISO 14001:2004 ENVIRONMENTAL

MANAGEMENT SYSTEM-REQUIREMENTS
1.3.1 Introduction to ISO 14001:2004
ISO 14001:2004 is an environmental management standard. It defines a set of
environmental management requirements for environmental management
systems. The purpose of this standard is to help all kinds of organisations to
protect the environment, to prevent pollution and to improve their overall
environmental performance.
This standard was first published as ISO 14001:1996 and was revised as ISO
14001:2004
Since it was first published in 1996, ISO 14001 has rapidly become the most
important environmental standard in the world. Thousands of organisations use
it, environmentalists support it, and governments actively encourage its use.
ISO 14001 applies to all types of organisations. It doesn’t matter what size
they are or what they do.

1.3.2 How to Use ISO 14001

If you don’t already have an Environmental Management System (EMS), you
can use this ISO 14001 standard to establish one. And once you’ve
established your EMS, you can use it to manage the environmental aspects
of your organisation’s activities, products and services, and to improve its
overall environmental performance. Environmental performance is all about
how well you manage and control your environmental aspects and the impact
they have on the environment.
You can also use this standard to demonstrate that you are doing everything
you can to protect the environment and improve your environmental
performance. You can demonstrate your organisation’s commitment in several
ways:
1) You can simply announce to the world that your EMS complies with
the ISO 14001 standard (if it actually does).
2) You can ask your customers or other interested parties to confirm that
your EMS complies with the ISO 14001 standard.
3) You can ask an ISO 14001 registrar or external auditor to verify that your
EMS complies with the ISO 14001 standard.
ISO 14001 expects organisations to comply with all of the requirements that
make up the standard. No exceptions. According to ISO, every ISO 14001
requirement must be built into every EMS. However, the size and complexity
of environmental management systems vary quite a bit.
How far you go is up to you. The size and complexity of your EMS, the extent
of your documentation, and the resources allocated to it will depend on
9
Management Systems, many things. How you meet each of the ISO 14001 requirements, and to what
Auditing and Accreditation extent, depends on many factors, including:
1) The size of your organisation.
2) The location of your organisation.
3) The scope of your organisation’s EMS.
4) The content of your environmental policy.
5) The nature of your activities, products and services.
6) The environmental impact of your environmental aspects.
7) The legal and other requirements that must be met.

1.3.3 Your General Approach

If you don’t already have an EMS, ISO 14001 suggests that you start with a
review of your organisation’s environmental status. Your environmental
review should:
• Identify your organisation’s environmental aspects. Study normal and
abnormal operating conditions, as well as accidents, disasters, and
emergency situations. Identify the environmental aspects associated with
all operating conditions and situations.
• Clarify the legal and other requirements that apply to your organisation’s
environmental aspects. Legal requirements include national and
international as well as local and regional laws and regulations.
Other requirements include agreements that have been established with
governments, customers, community groups and others as well as commitments,
guidelines, principles, or codes of practice that influence how your
environmental aspects ought to be handled.
• Examine your organisation’s current environmental management policies,
procedures, and practices. Pay special attention to your organisation’s
purchasing and contracting policies, procedures and practices.
• Define the scope of your EMS. When ISO 14001 asks you to define the
scope of your EMS, it is asking you to define its boundary. You can
choose to apply ISO 14001 to the entire organisation or only to a
specific operating unit or facility. Once you’ve made this decision, you’ve
defined the scope or boundary of your EMS. Henceforth, all activities,
products and services that fall within this boundary must comply with the
ISO 14001 standard.
Once you’ve considered the above factors, you can begin the development of
your organisation’s unique environmental management system.
But if you’ve already established an EMS and you simply need to update it to
meet the new standard, you need to do a gap analysis. A gap analysis will
compare your current EMS with ISO 14001:2004 standard.
This comparison will pinpoint the areas that fall short of the standard (the
gaps). Once you know where to focus your attention, you can begin to make
the changes that are needed to comply with the ISO 14001:2004 standard.

10
 Introduction to
1.3.4 Application Management Systems

This international standard specifies requirements for an environmental

management system to enable an organisation to develop and implement a
policy and objectives which take into account legal requirements and other
requirements to which the organisation subscribes, and information about
significant environmental aspects. It applies to those environmental aspects
that the organisation identifies as those which it can control and those which it
can influence. It does not itself state specific environmental performance
criteria.

1.3.5 Structure and Interpretation

Clause/ Clause/Subclause title Clause/Subclause : Contents/Interpretation
Subclause
No.

-- Introduction This discusses the need for implementation of this

standard.
The methodology PDCA on which the model is
based is explained as follows :
Plan : Establish the objectives and processes
necessary to deliver results in accordance
with the organisation’s environmental
policy.
Do : Implement the processes.
Check : Monitor and measure processes against
environmental policy, objectives, targets,
legal and other requirements, and report the
results.
Act : Take actions to continually improve
performance of the environmental
management system.
1. Scope Specifies basis of requirements and applicability
criteria.
2. Normative reference No normative reference are cited.
3. Terms and definitions Twenty key terms are defined. The terms are as
follows :
3.1 Auditor
3.2 Continual improvement
3.3 Corrective action
3.4 Document
3.5 Environment
3.6 Environmental aspect
3.7 Environmental impact
3.8 Environmental management system
3.9 Environmental objective
3.10 Environmental performance
3.11 Environmental policy
3.12 Environmental target
3.13 Interested party
3.14 Internal audit
3.15 Non-conformity
3.16 Organisation
3.17 Preventive action
3.18 Prevention of pollution
3.19 Procedure
3.20 Record

11
Management Systems, Clause/ Clause/Subclause title Clause/Subclause : Contents/Interpretation
Auditing and Accreditation Subclause
No.

4. Environmental ---
Management System
requirements
4.1 General requirements Requirement of establishing, documenting,
implementing, maintaining and continually
improving an environmental management system is
stated.
Requirement of defining and documenting the scope
of the environmental management system is stated.
4.2 Environmental policy Requirement to define the organisation’s
environmental policy within the defined scope of its
environmental management system is stated.
Requirement about the contents (including
commitment to legal and other requirements) is
stated.
Requirement for a commitment to continual
improvement and prevention of pollution.
Requirement of documentation, implementation and
maintenance of policy is stated.
Requirement of communicating the policy to the
concerned (including employees and those who work
on behalf of the organisation) is stated.
Requirement of making the policy available to the
public is stated.
4.3 Planning ---
4.3.1 Environmental aspects Requirement for establishing, implementing and
maintaining a procedure to identify the
environmental aspects of its activities, products and
services within the defined scope of the
environmental management system that it can
control and those that it can influence is stated.
Requirement for determining the significant
environmental aspects is stated.
Requirement for documenting and updating this
information is stated.
4.3.2 Legal and other Requirement for establishing, implementing and
requirements maintaining a procedure to identify and have access
to the applicable legal and other requirements is
stated.
Requirement of determining how these requirements
apply to its environmental aspects is stated.
4.3.3 Objectives, targets and Requirement of establishing, implementing and
programs maintaining documented measurable environmental
objectives and targets at relevant functions and levels
within the organisation is stated.
Requirement of establishing, implementing and
maintaining a program for achieving organisational
objectives and targets is stated.
4.4 Implementation and ---
operation

12
Clause/ Clause/Subclause title Clause/Subclause : Contents/Interpretation Introduction to
Subclause Management Systems
No.

4.4.1 Resources, roles, Requirement of ensuring the availability of resources

responsibility and essential to establish, implement, maintain and
authority improve the environmental management system is
stated.
Requirement of defining, documenting and
communicating the roles, responsibilities and
authorities is stated.
Requirement of appointing a management
representative is stated.
4.4.2 Competence, training Requirement of ensuring that relevant personnel are
and awareness competent on defined basis is stated.
Requirement of identifying training needs associated
with environmental aspects and environmental
management system is stated.
Requirement of establishing, implementing and
maintaining a procedure to make persons aware of
aspects associated with environmental management
system is stated.
4.4.3 Communication Requirement of establishing, implementing and
maintaining a procedure for internal and external
communication is stated.
4.4.4 Documentation Requirement of maintaining the documents relevant
to established environmental management system is
stated.
4.4.5 Control of documents Requirement of establishing, implementing and
maintaining a procedure to control the documents
relevant to established environmental management
system is stated.
4.4.6 Operational control Requirement of establishing, implementing and
maintaining a procedure related to identified
environmental aspects is stated.
4.4.7 Emergency Requirement of establishing, implementing and
preparedness and maintaining a procedure for identifying, reviewing
response and responding to emergency situations and testing
them is stated.
4.5 Checking ---
4.5.1 Monitoring and Requirement of establishing, implementing and
measurement maintaining a procedure for monitoring and
measuring key characteristics of its operations
including calibration/verification of equipments is
stated.
4.5.2 Evaluation of Requirement of establishing, implementing and
compliance maintaining a procedure for evaluating compliance
with legal and other requirements is stated.
4.5.3 Non-conformity, Requirement of establishing, implementing and
corrective action and maintaining a procedure for nonconformities and
preventive action taking corrective and preventive actions is stated.
4.5.4 Control of records Requirement of establishing, implementing and
maintaining a procedure for maintaining relevant
records is stated.
4.5.5 Internal audit Requirement of establishing, implementing and

13
Management Systems, Clause/ Clause/Subclause title Clause/Subclause : Contents/Interpretation
Auditing and Accreditation Subclause
No.

maintaining a procedure for planning, conducting,

reporting and recording internal audits is stated.
4.6 Management review Requirement of reviewing the organisation’s
environmental management system at planned
intervals is stated.
Annex A Guidance on the use of Clause by clause guidance is given for effective
the standard implementation of environmental management
system.
Annex B Correspondence with Two tables establish correspondence between ISO
ISO 9001:2000 14000:2004 and ISO 9001:2000 and vice versa.
Bibilo- Reference of standards List of relevant standards is given viz. ISO
graphy 9000:2000, ISO 9001:2000, ISO 14001:2004 and
ISO 19011:2002.

1.4 OHSAS 18001:2007 OCCUPATIONAL HEALTH

AND SAFETY MANAGEMENT SYSTEMS
REQUIREMENTS
1.4.1 Introduction to OHSAS 18001:2007
OHSAS 18001:2007 is an occupational health and safety management
standard. It defines a set of Occupational Health and Safety (OH&S)
management requirements for Occupational Health and Safety
Management Systems (OHSMS).
OHSAS 18001:2007 was developed by the OHSAS Project Group, a
consortium of 43 organisations from 28 countries. This consortium includes
national standards bodies, registrars (certification bodies), OH&S institutes,
and consultants.
This new OHSAS 18001:2007 standard was officially published during July of
2007. It cancels and replaces OHSAS 18001:1999. Since it was first published
in 1999, OHSAS 18001 has rapidly become the most widely used
international OH&S management standard. OHSAS 18001 applies to all types
of organisations. It doesn’t matter what size they are or what they do.
The purpose of OHSAS 18001 is to help organisations to manage and control
their OH&S risks and to improve their OH&S performance. They can achieve
this purpose by developing an OHSMS that complies with OHSAS 18001.
An OHSMS is a network of interrelated elements. These elements
include responsibilities, authorities, relationships, functions, activities,
processes, practices, procedures, and resources. These elements are used to
establish OH&S policies, plans, programs and objectives.
Certainly the concept of an OHSMS is rather abstract. However, fortunately,
you don’t really have to completely grasp, absorb or memorize what it means.
Simply by meeting all of the OHSAS 18001 requirements (Part 4), you will
automatically establish an integrated OHSMS for your organisation.

14
 Introduction to
1.4.2 How to Use 18001 OHSAS 18001:2007 Management Systems
If you don’t already have an Occupational Health and Safety
Management System (OHSMS), you can use this OHSAS 18001 standard to
establish one. And once you’ve established your organisation’s OHSMS, you
can use it to manage and control your OH&S risks and to improve your
OH&S performance.
OHSAS 18001 expects organisations to comply with all of the requirements
that make up the standard. According to the standard, your OHSMS must
comply with every OHSAS 18001 requirement (Part 4 of the standard).
However, the size and complexity of OHSMS vary quite a bit. How far you go
is up to you. The size and complexity of your OHSMS, the extent of your
documentation, and the resources allocated to your system will depend on
many things. How you meet each of the OHSAS 18001 requirements, and to
what extent, depends on many factors, including:
1) The size of your organisation.
2) The location of your organisation.
3) The nature of your organisation’s culture.
4) The nature of your organisation’s activities.
5) The nature of your organisation’s legal obligations.
6) The nature and scope of your organisation’s OHSMS.
7) The content of your organisation’s OH&S policy.
8) The nature of your organisation’s OH&S hazards.
9) The nature of your organisation’s OH&S risks.
OHSAS 18001 is designed to be used for certification (registration) purposes.
However, OHSAS 18001 does not require certification. You can be in
compliance without being formally certified (registered). You can self-assess
(self audit) your OHSMS and simply declare that it complies with the OHSAS
18001 standard (if it actually does).
If you wish to become certified, you need to ask a registrar to
audit your OHSMS. If your system complies with OHSAS 18001,
your registrar will issue a certificate that you can use to formally announce that
your OHSMS is compliant.

1.4.3 PDCA Methodology

OHSAS 18001 uses what is called the Plan-Do-Check-Act (PDCA)
methodology. It uses this methodology to organize the standard and you can
use it to establish your OHSMS.
The PDCA methodology is used to organize OHSAS 18001 in the following
way:
1) P L A N – Parts 4.1, 4.2, and 4.3 expect you to plan the establishment of
your OHSMS.
2) D O – Part 4.4 expects you to implement your OHSMS.
3) C H E C K – Parts 4.5 and 4.6 expect you to monitor, measure and report
on the performance of your OHSMS.
15
Management Systems, 4) A C T – Parts 4.5 and 4.6 expect you to improve your OHSMS.
Auditing and Accreditation
You can also use a PDCA approach to help you establish your organisation’s
OHSMS. By taking the following four steps you will be using a PDCA
approach:
1) P L A N – Plan your OHSMS.
2) D O – Establish your OHSMS.
3) C H E C K – Evaluate your OHSMS.
4) A C T – Improve your OHSMS.

1.4.4 Your General Approach

The following material presents a brief OHSMS development plan.
It summarizes the general approach you will take to develop your own unique
OHSMS. It uses a PDCA approach and is taken directly from our OHSAS
18001. Translated into plain english. If you use our plain english standard to
develop your organisation’s OHSMS, you will automatically take the
following steps:
1) Define the scope of your OHSMS.
2) Define your organisation’s OHSMS policy.
3) Develop a methodology to identify hazards and assess risks.
4) Establish procedures to identify hazards and assess risks.
5) Identify your organisation’s hazards and assess your risks.
6) Establish procedures to evaluate and select OH&S controls.
7) Evaluate the adequacy of your existing OH&S controls.
8) Select OH&S controls that reduce your OH&S risks.
9) Document the results of your control selection process.
10) Identify relevant legal and non-legal OH&S requirements.
11) Respect all relevant legal and non-legal OH&S requirements.
12) Establish unique OH&S objectives for your organisation.
13) Establish programs to achieve your OH&S objectives.
14) Appoint a member of top management to manage OH&S.
15) Ensure the competence of those who influence OH&S.
16) Identify your OH&S training and awareness needs.
17) Establish OH&S training and awareness procedures.
18) Implement OH&S training and awareness procedures.
19) Establish procedures to manage OH&S communications.
20) Establish procedures to manage OH&S participation.
21) Document your organisation’s unique OHSMS.
22) Control your organisation’s OH&S documents and records.
23) Implement controls to manage OH&S hazards and risks.
16
24) Establish an OH&S emergency management process. Introduction to
Management Systems
25) Monitor and measure your organisation’s OH&S performance.
26) Record the results of your OH&S monitoring and measuring.
27) Evaluate compliance with legal and non-legal requirements.
28) Record the results of your OH&S compliance evaluations.
29) Establish procedures to investigate OH&S incidents.
30) Establish non-conformity management procedures.
31) Perform regular internal audits of your OHSMS.
32) Review your OHSMS at planned intervals.
33) Update and improve your OHSMS.
Of course, you may already have an existing OHSMS. If this is true, you don’t
need to follow a detailed OHSMS development plan. You would probably find
it easier and more efficient to use a gap analysis approach, instead.
A gap analysis would compare your existing OHSMS with the OHSAS 18001
requirements. Such a comparison would pinpoint the areas that fall short of the
standard (the gaps). By focusing on filling your unique occupational health and
safety gaps, you will soon comply with the OHSAS 18001 standard.
If you already have an existing OHSMS, a gap analysis is more targeted and
efficient. It is more targeted and efficient because it takes an incremental
approach and ignores areas that already comply with the standard.

1.5 ISO/IEC 27001:2005 INFORMATION

TECHNOLOGY-SECURITY TECHNIQUES-
INFORMATION SECURITY MANAGEMENT
SYSTEM-REQUIREMENTS
1.5.1 ISO and IEC
ISO is the International Organisation for Standardization. It was set up in 1947
and is located in Geneva, Switzerland. Its purpose is to develop standards that
support and facilitate international trade. IEC is the International
Electrotechnical Commission. It was set up in 1906 and is also located in
Geneva, Switzerland. Its purpose is to develop standards for all types of
electrotechnologies. Both ISO and IEC are supported by national member
bodies. These member bodies participate in the standards development
process through technical committees.

1.5.2 ISO/IEC 27001 vs. BS 7799-2

ISO/IEC 27001:2005 was developed by ISO/IEC JTC 1, SC 27
(Joint Technical Committee 1, Subcommittee 27). JTC 1 is
responsible for all kinds of information technology standards while SC 27 is
specifically responsible for the development of standards related to IT security
techniques.

17
Management Systems, ISO/IEC 27001:2005 was officially published on October 15, 2005. This
Auditing and Accreditation new ISO 27001:2005 standard cancels and replaces the old BS 7799-2
standard (published in 2002 by BSI). The old BS 7799-2 information security
standard is now obsolete and has been officially withdrawn.

1.5.3 Introduction to ISO/IEC 27001

ISO/IEC 27001 is an information security management standard. It defines a
set of information security management requirements. These requirements
are defined in sections 4, 5, 6, 7 and 8.
The purpose of ISO/IEC 27001 is to help organisations establish and maintain
an Information Security Management System (ISMS). ISO/IEC 27001 applies
to all types of organisations. It doesn’t matter what your organisation does or
what size it is. ISO IEC 27001 can help your organisation meet its information
security management needs and requirements.
ISO/IEC 27001 is designed to be used for certification purposes. In
other words, once you’ve established an ISMS that meets both the
ISO/IEC 27001 requirements and your organisation’s needs, you can
ask a registrar to audit your system. If your registrar likes what it sees, it will
issue an official certificate that states that your ISMS meets the ISO/IEC 27001
requirements. According to ISO/IEC 27001, you must meet every requirement
(specified in clauses 4, 5, 6, 7, and 8) if you wish to claim that your ISMS
complies with the standard.
However, while you must meet every requirement, the size and complexity of
information security management systems varies quite a bit. How you meet
each of the ISO 27001 requirements, and to what extent, depends on many
factors, including your organisation’s:
• Size and structure
• Needs and objectives
• Security requirements
• Business processes
ISO/IEC 27001 also lists a set of control objectives and controls.
These are listed in Annex. A (our Part 9) and come from the ISO/IEC 27002
(17799:2005) information security standard.
In addition to control objectives and controls, ISO 27002 also
provides implementation guidance and other information. These last two items
are not included in ISO 27001. As a result, you may find it helpful to also
purchase the ISO/IEC 27002 (17799) standard.
While ISO/IEC 27001 expects you to meet every requirement, it does
allow you to exclude selected Annex. A control objectives and controls if you
can justify doing so. Briefly put, you may exclude or ignore Annex. A control
objectives and controls whenever they address risks you can live with, and
whenever doing so will not impair your ability and obligation to meet all
relevant legal and security requirements.
More precisely, you may ignore or exclude selected control
objectives and controls under the following circumstances:

18
• You may exclude selected control objectives and controls if they address Introduction to
Management Systems
security risks that you can accept and if you can show that your decision to
accept these risks complies with your organisation’s official risk
acceptance criteria.
• You must also be able to justify your exclusion decision.
• You must also be able to show that accountable persons have accepted the
associated risks.
• You may exclude selected control objectives and controls if you have used
a risk assessment to identify your organisation’s information security
requirements and you believe that these requirements will, nevertheless, be
met.
• You may exclude selected control objectives and controls whenever this
does not impair your ability and responsibility to meet your organisation’s
information security requirements.
• You may exclude selected control objectives and controls if you can show
that all applicable legal and regulatory requirements will, nevertheless, be
met.
• You may exclude selected control objectives and controls whenever this
does not impair your ability and responsibility to meet all applicable legal
and statutory requirements.

1.5.4 The PDCA Model

ISO/IEC 27001 uses the Plan-Do-Check-Act (PDCA) model. ISO/IEC has
used this model to organize the standard and you can use it to help you
establish your Information Security Management System (ISMS). ISO/IEC
uses this model in the following way:
• PLAN–Section 4 expects you to plan the establishment of your
organisation’s ISMS.
• DO–Section 5 expects you to implement, operate, and maintain your ISMS.
• CHECK–Sections 6 and 7 expect you to monitor, measure, audit, and
review your ISMS.
• ACT–Section 8 expects you to take corrective and preventive actions and
continually improve your ISMS.
Since ISO/IEC has used a PDCA model to organize the ISO/IEC 27001
standard, it is conveniently designed to facilitate system development. If you
follow the five general steps (sections 4 to 8) that make up the standard, you’ll
automatically develop comprehensive ISMS.

1.5.5 Your General Approach

The following material presents a brief information security management
system development plan. It summarizes the general approach you will take to
develop your own unique ISMS. It uses a PDCA approach and is taken directly
from our plain English version of the standard. If you use our plain english
standard to develop your organisation’s ISMS, you will automatically take the
following steps:
19
Management Systems, 1) Define the scope and boundaries of your ISMS.
Auditing and Accreditation
2) Define your organisation’s ISMS policy.
3) Define your approach to risk management.
4) Identify your organisation’s security risks.
5) Analyze and evaluate your security risks.
6) Identify and evaluate your risk treatment options.
7) Select control objectives and controls to treat risks.
8) Prepare a detailed statement of Applicability.
9) Develop a risk treatment plan to manage your risks.
10) Implement your organisation’s risk treatment plan.
11) Implement your organisation’s security controls.
12) Implement your organisation’s educational programs.
13) Manage and operate your organisation’s ISMS.
14) Implement your organisation’s security procedures.
15) Use procedures and controls to monitor your ISMS.
16) Use procedures and controls to review your ISMS.
17) Perform regular reviews of your organisation’s ISMS.
18) Verify that your security requirements are being met.
19) Review your risk assessments on a regular basis.
20) Review your residual risks on a regular basis.
21) Review acceptable levels of risk on a regular basis.
22) Perform regular internal audits of your ISMS.
23) Perform regular management reviews of your ISMS.
24) Update your organisation’s information security plans.
25) Implement ISMS improvements.
26) Take appropriate corrective actions.
27) Take appropriate preventive actions.
28) Communicate ISMS changes to interested parties.
29) Establish records that document your decisions.
30) Document your organisation’s ISMS.
31) Protect and control your ISMS documents.
32) Establish records for your organisation’s ISMS.
33) Maintain records for your organisation’s ISMS.
Of course, you may already have existing ISMS. If this is true, you don’t need
to follow a detailed ISMS development plan. You would probably find it easier
and more efficient to use a gap analysis approach, instead.

20
A gap analysis would compare your existing ISMS with the ISO/IEC 27001 Introduction to
Management Systems
requirements. Such a comparison would pinpoint the areas that fall short of the
standard (the gaps). By focusing on filling your unique information security
gaps, you will soon comply with the ISO/IEC 27001 standard.
If you already have an existing ISMS, a gap analysis is more targeted and
efficient. It is more targeted and efficient because it ignores areas that already
comply with the standard.

1.5.6 The Process Approach

ISO/IEC 27001 also uses a process approach. The process approach
is a management strategy. When managers use a process approach, it means
that they control their processes, the interaction between these processes, and
the inputs and outputs that “glue” these processes together. It means that
they manage by focusing on processes and on inputs and outputs. ISO/IEC
27001 suggests that you use a process approach to manage and control your
ISMS processes.
In general, a process uses resources to transform inputs into outputs. In every
case, inputs are turned into outputs because some kind of work or activity is
carried out. And because the output of one process often becomes the input of
another process, inputs and outputs are really the same thing.
ISO/IEC 27001 suggests that you structure every ISMS process using the Plan-
Do-Check-Act (PDCA) model. This means that every process should be:
• Planned (PLAN)
• Implemented, operated, and maintained (DO)
• Monitored, measured, audited and reviewed (CHECK)
• Improved (ACT)
The PDCA model runs through every aspect of the ISO IEC 27001 standard.
The standard not only recommends that the PDCA model be used to structure
every ISMS process, it was also used to structure the standard itself. And since
it was used to structure the standard, you will automatically use a PDCA
approach as you use the standard to develop your own ISMS.

Check Your Progress Exercise 1 "

Note: a) Use the space below for your answers.
b) Check your answers with those given at the end of the unit.
1) Name any four standards applicable to an industry irrespective of its type.
………………………………………………………………………………
………………………………………………………………………………
………………………………………………………………………………
……………………………………………………………………………….
2) Name any six standards applicable to food industry.
………………………………………………………………………………
………………………………………………………………………………
21
Management Systems, …………………………………………………………………………….…
Auditing and Accreditation
……………………………………………………………………………….
3) In ISO 14000: 2004 explain the meaning of environmental aspects.
………………………………………………………………………………
………………………………………………………………………………
…………………………………………………………………………….…
……………………………………………………………………………….
4) In OHSAS 18001:2007 explain how PDCA methodology is used in the
structure of the standard.
………………………………………………………………………………
………………………………………………………………………………
…………………………………………………………………………….…
……………………………………………………………………………….
5) What is the purpose of implementing ISO 27001: 2005 in any industry?
………………………………………………………………………………
………………………………………………………………………………
…………………………………………………………………………….…
……………………………………………………………………………….

1.6 LET US SUM UP

This unit introduced us to international standards representing different
management systems. They include quality management, environmental
management, food safety management, occupational health and safety
management, information security management.
All management system follow Plan-Do-Check-Act PDCA model. This means
every process should be planed, implemented, operated and maintained (DO),
monitored, measured, audited and reviewed (Check) and improved (Act).
It also describes the general approach, application, structure and interpretation
of these standards.

1.7 KEY WORDS

Quality : Degree to which a set of inherent characteristics fulfils
requirements.
Requirement : Need or expectation that is stated, generally implied or
obligatory.
Quality : Management system to direct and control an
Management organisation with respect to quality.
System
22
Corrective : Action to eliminate the cause of a detected non- Introduction to
Management Systems
Action conformity or other undesirable situation.
Preventive : Action to eliminate the cause of a potential non-
Action conformity or other undesirable potential situation.
Competence : Demonstrated ability to apply knowledge and skills.
Effectiveness : Extent to which planned activities are realized and
planned results achieved.
Product : Result of a process.
Document : Information and its supporting medium.
Record : Document stating results achieved or providing evidence
of activities performed.
Customer : Customer’s perception of the degree to which the
Satisfaction customer’s requirements have been fulfilled.
Environment : The term environment refers to an organisation’s natural
and human surroundings. An organisation’s environment
extends from within the organisation itself to the global
system, and includes air, water, land, flora, fauna,
as well as human beings.
Environmental : An environmental aspect is a feature or characteristic
Aspect of an activity, product, or service that affects or can
affect the environment.
Environmental : An environmental impact is a change to the
Impact environment. Such change can be positive or negative.
Environmental impacts are caused by environmental
aspects. Your environmental aspects can have a direct
and decisive impact on the environment or contribute
only partially or indirectly to a larger environmental
change.
Environmental : An organisation’s environmental management system
Management (EMS) is one part of a larger management system. The
System (EMS) EMS part of this larger management system is used to
establish an environmental policy and to manage the
environmental aspects of an organisation’s activities,
products and services.
Environmental : An environmental objective is a specific environmental
Objective goal. Your organisation’s environmental objectives
must be consistent with its environmental policy.
Environmental : Environmental performance is all about how
Performance well an organisation manages the environmental
a s p e c t s of its activities, products and services
and the impact they have on the
e n v i r o n m e n t . Your organisation’s environmental
p e r f o r m a n c e can be improved by reducing its
negative environmental impact or increasing its positive
environmental impact.

23
Management Systems, Environmental : An environmental policy statement expresses
Auditing and Accreditation Policy a commitment to the implementation and maintenance
of an organisation’s environmental management
system and the improvement of its overall
environmental performance.
Environmental : An environmental target is a detailed performance
Target requirement. Environmental targets are derived from
environmental objectives and are used to achieve
these objectives. Targets can apply to specific
areas or to the organisation as a whole.
Hazard : A hazard is any situation, substance, activity, event, or
environment that could potentially cause injury or ill
health shutdowns.
Hazard : Hazard identification is a process that involves
Identification recognizing that an OH&S hazard exists and then
describing its characteristics.
Incident : An incident is a work related event during which injury,
ill health, or fatality actually occurs, or could have
occurred.
Information : Information security is all about protecting and
Security preserving information. It’s all about protecting and
preserving the confidentiality, integrity, authenticity,
availability, and reliability of information.
Information : An Information Security Management System (ISMS)
Security includes all of the policies, procedures, plans,
Management processes, practices, roles, responsibilities,
System (ISMS) resources and structures that are used to protect and
preserve information. It includes all of the elements that
organisations use to manage and control their
information security risks. An ISMS is part of a larger
management system.
Information : An information security policy statement expresses
Security Policy management’s commitment to the implementation, main-
tenance and improvement of its information security
management system.
Risk : The concept of risk combines three ideas: it selects an
event, and then combines its probability with its
potential impact.
Statement of : A Statement of Applicability is a document that lists your
Applicability organisation’s information security control objectives
and controls.
Threat : A threat is a potential event. When a threat turns into
an actual event, it may cause an unwanted incident.
It is unwanted because the incident may harm an
organisation or system.
Vulnerability : A vulnerability is a weakness in an asset or group
of assets. An asset’s weakness could allow it to be
exploited and harmed by one or more threats.
24
1.8 ANSWERS TO CHECK YOUR PROGRESS " Introduction to
Management Systems
EXERCISE
Your answer should include following points:
Check Your Progress Exercise 1

1) ● ISO 9001: 2000

• ISO 14001: 2004
• OHSAS 18000: 2007
• ISO 27001: 2005

2) ● ISO 9001: 2000

• ISO 14001: 2004
• OHSAS 18000: 2007
• ISO 27001: 2005
• HACCP
• ISO 22000: 2005

3) An environmental aspect is a feature or characteristic of an activity,

product, or service that affects or can affect the environment.

4) The PDCA methodology is used to organize OHSAS 18001 in the

following way:
i) P L A N - Parts 4.1, 4.2 and 4.3 expect you to plan the establishment
of your OHSMS.
ii) D O - Part 4.4 expects you to implement your OHSMS.
iii) C H E C K - Parts 4.5 and 4.6 expect you to monitor, measure and
report on the performance of your OHSMS.
iv) A C T - Parts 4.5 and 4.6 expect you to improve your OHSMS.

5) The purpose of ISO IEC 27001 is to help organisations establish

and maintain an Information Security Management System (ISMS).
ISO IEC 27001 applies to all types of organisations. It doesn’t matter
what your organisation does or what size it is. ISO IEC 27001 can
help your organisation meet its information security management
needs and requirements.

1.9 SUGGESTED READING

http://www.iso.org
ISO 19011:2002 – Guidelines for Quality and/or Environmental Management
Systems Auditing.
ISO 9000:2000 – Quality Management Systems- Fundamentals and
Vocabulary.
ISO 9001:2000 – Quality Management Systems- Requirement.
25
Management Systems, ISO 9004:2000 – Quality Management Systems- Guidelines for Performance
Auditing and Accreditation Improvements.
ISO 10012:2003 – Quality Assurance Requirements for Measuring Equipment.
ISO 10013:1995 – Guidelines for Developing Quality Manuals.

26