Types of ISO Standards
Standardization within a business is a familiar concept; it’s better when accounting and purchasing use the same terminology, for example, and it helps when management can understand reports from operations. It’s best practice to develop these concepts and terminology with alignment to external standards as well, so that customers and suppliers will also understand a company’s processes and information. There are a number of recognized external bodies that create standardized systems, but the most popular and well-known – and most frequently adopted – standards come from the ISO.
ISO stands for the International Organization for Standardization. It’s an international body dedicated to creating, setting and promoting standards. To date, they’ve published over 22,600 standards and related documents, applicable to all sorts of industries, from manufacturing to food safety to accounting and health care.
These standards present an approach that has been agreed on by international experts. The standards themselves are a collection of best practices which promote product compatibility, identify safety issues and share solutions and know-how. For example, ISO standards are why an American cell phone can connect to service in Europe with little difficulty, why food offered in a supermarket is safe to eat and why credit cards can be used anywhere.
There are a number of different types of ISO standards. Some of the most popular ones include:
- ISO 9000 - Quality Management. ISO 9000 lays out the criteria for a quality management system that will help a business continue to improve quality and customer relations. It’s a set of standardized tools and practices to identify areas of improvement, and is internationally viewed as the best practice for quality management.
- ISO 22000 - Food Safety Management. ISO 22000 sets out what an organization needs to do to ensure their food is safe for public consumption. It contains guidelines that can be used at all points in the industry, no matter the size of the business.
- ISO/IEC 27000 - Information Security Management Systems. ISO/IEC 27000 contains the family of standards used to keep informational assets safe. Businesses that manage personal data, customer data, finances or intellectual property use these standards to ensure this information remains protected.
- ISO 31000 - Risk Management. Risk is a part of every business decision. ISO 31000 provides a framework for managing these risks, with best practices for identifying risks and consequences.
While there are many different kinds of ISO standards, only a select few of them can be certified. Certification is a process that takes place outside ISO, where a company’s program is reviewed by an independent party to confirm it meets ISO standards. While certification is not done by ISO, accredited certification organizations, who use ISO’s standards on certification, are available to audit internal programs and business practices. After review, these third-party agencies will certify whether a company meets the ISO criteria.
ISO 9000 is the usual starting point, as it provides a basis for most of the other ISO standards that might apply to a business. A company certified in ISO 9000 can be expected to have quality standards which lead to quality products and services, which can help a company when bidding for jobs.
Example standards that can be certified include ISO 22000, ISO 27000, ISO 14000 (Environmental Management Systems), ISO 20000 (IT Service Management Systems) and ISO 22301 (Business Continuity Management). Standards like ISO 31000 or ISO 26000 (Social Responsibility) cannot be certified, as they contain guidelines rather than requirements.
Companies can choose whether to certify or not. If a company indicates they comply with ISO standards, it means they have internally used ISO as a guideline for their program development. Certification means that a qualified independent party has reviewed their programs and certified compliance. In some fields, certification may not be necessary, but in many professional industries, ISO certification is the norm for all customers and competitors.
Within the context of ISO, a management system is the method a business uses to manage the tasks required for success. This is usually a collection of procedures, policies and processes a business adopts, which will be related to their objectives. These objectives can be everything related to success, from operational efficiency and quality control to environmental performance and asset management. The management system should ensure that all parts of the business fit together, operate efficiently and focus on quality improvement.
ISO 9000, the quality management standard, is the usual baseline for these systems. This family of standards defines and sets out the pieces needed for a quality management system and gives directions on how to follow them. The main critical pieces of this family are:
- ISO 9000 (2015 version): Sets out the fundamental definitions of a quality management system and defines certain vocabulary with regards to the quality management concept.
- ISO 9001 (2015 version): Lists and explains the requirements needed to meet the standards for quality management defined in ISO 9000. ISO 9001 is the only standard in this family a business can obtain certification for.
- ISO 9004 (2009 version): Defines the guidelines for continuous improvement, which is meant to ensure a business’ success long-term by pushing for continuous objective analysis of current status with an eye to potential improvements.
- ISO 19011 (2011 version): A companion family of standards containing guidelines for auditing management systems.
ISO 9000 (and the standards within) sets out seven quality management principles (QMP) for senior management to focus on when developing a quality management system that will work within their organization.
- Customer Focus: Understanding the customer’s needs, meeting their requirements and looking to exceed their expectations.
- Leadership: Making sure leaders at all levels are engaged, ensuring designated leaders are given the tools to be successful and aligning actions to the overall direction.
- Engagement of People: Ensuring individuals at all levels are valued, engaged and empowered to bring up issues, make suggestions and execute change.
- Process Approach: Managing a business’ internal actions and activities as a series of processes that work together as an effective system.
- Improvement: Emphasizing continuous improvement at every level of the business, and making sure individuals are empowered to make and measure improvements.
- Evidence-Based Decision Making: Using appropriate methods to analyze and evaluate data, and using the results to ensure better decision-making.
- Relationship Management: Maintaining good relationships with business partners, such as suppliers, to encourage collaboration and create new business opportunities.
It’s up to each individual business to determine what QMP means within their own internal structure. A common mistake when implementing QMP and ISO 9000 is to attempt to change internal processes to fit an assumed standard template of requirements. Successful implementation is more likely if a business looks at existing processes and fits QMP into what already works.
Another common mistake concerns resources: while the quality management standards are expected to eventually make a business more effective and efficient, organizations often grossly underestimate the time and workload initially required to ensure successful implementation and certification.
ISO standards exist to help businesses adopt practices that straighten out and standardize their internal procedures. At any scale of business, understanding the advantages of standards and the concept of QMP can lead to a good number of business advantages: reduction of waste, improved efficiency and lower cost of production are some of the results that can be achieved by incorporating these standards.