ISO standards aim to standardize best practices and establish requirements that support process improvement across the globe. However, for those just getting started in this field, some terms may cause confusion. That’s why we’ve prepared this basic glossary with 5 essential management system terms you need to know to better apply ISO standards in your organization.
1. Management System
It’s fundamental to understand what is being certified — what is a management system?
“A set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.
A management system may address a single discipline or multiple disciplines;
Elements of a management system include the organization’s structure, roles and responsibilities, planning, and operations;
The scope of a management system may include the whole organization, specific identified functions of the organization, specific identified sections of the organization, or one or more functions across a group of organizations.”
This definition makes it clear that:
- An organization can be certified under more than one standard;
- The management system encompasses all the requirements imposed by the standards;
- The management system must be well defined.
The term Management System appears constantly throughout ISO standards, but it’s especially emphasized in clause 4.4, which clearly states that a fully functioning management system is mandatory. Failing to meet this requirement is considered a major nonconformity and can immediately result in a recommendation for non-certification.
2. Governing Body
Another key term in management systems is Governing Body, frequently mentioned in ISO standards when discussing responsibilities. Let’s define it:
“A group or body that has the ultimate responsibility and authority for the organization’s activities, governance, and policies, and to which top management is accountable.
Not all organizations, particularly smaller ones, have a governing body separate from top management;
A governing body may include, but is not limited to, a board of directors, board committees, supervisory board, trustees, or overseers.”
In short, the governing body is the group or person with the highest decision-making authority in the organization. It is responsible for setting direction, ensuring resources, and overseeing management system performance. It may consist of a board of directors, executive leadership, or even the business owner.
3. Risk
Risk is defined as the effect of uncertainty on objectives. But let’s look at the full description:
“Effect is a deviation from the expected — positive or negative;
Uncertainty is the state, even partial, of deficiency of information related to an event, its consequence, or likelihood — or a lack of understanding or knowledge of an event, its consequence, or likelihood;
Risk is often characterized by reference to potential ‘events’ and ‘consequences’ or a combination of both;
Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated ‘likelihood’ of occurrence.”
This shows that risk includes both threats and opportunities that may impact organizational results. Risk management is a central element in multiple standards like ISO 9001, ISO 45001, and ISO 27001.
ISO standards consistently emphasize the importance of identifying risks and opportunities — don’t think of risk only as something negative.
4. Due Diligence
Due diligence is commonly used in ISO compliance and information security standards, but it’s essential for any organization because of its direct link to risk.
“A process to deepen the assessment of the nature and extent of risks and assist organizations in making informed decisions regarding specific transactions, projects, activities, business partners, and personnel.”
This is one of those management system terms that had a well-established purpose even before ISO included it. In simple terms, it means: researching the background of a company or person your organization plans to engage with. Knowing their history helps reduce risk or determine your risk appetite — how much you’re willing to risk your reputation when associating with that entity.
5. Interested Party
An interested party, or stakeholder, is any individual or organization that can affect, be affected by, or perceive itself as affected by a decision or activity. Interested parties can be internal or external to the organization.
This term is closely related to others we’ve covered here: risk, governing body, and due diligence.
Interested parties may include: employees, the community, shareholders, clients, investors, service providers, etc. These are all individuals or groups who can be impacted by a company’s activities — either directly (e.g., financial results, delivered services, manufactured products) or indirectly (e.g., environmental or social impact).