N360 JTCG Concept Document To Support Annex SL


ISO/TMB/JTCG N 360

ISO/TMB/JTCG
Joint technical Coordination Group on MSS (TAG 13)
Email of secretary:
Convenorship:

N360 JTCG concept document to support Annex SL


Document type: Other committee document

Date of document: 2013-12-03

Expected action: INFO

Background: Dear all,

Attached please find JTCG N 360 concept document developed by TF4 and approved by JTCG at
its Atlanta meeting. Many thanks to TF4 for the substantial work in its development.

Kind regards

Anne-Marie

Committee URL: http://isotc.iso.org/livelink/livelink/open/tmbjtcg


ISO/TMB Joint Technical Coordination Group JTCG N360

- Chair: Anne-Marie Warris


- Secretary: vacant

JTCG Concept document to support Annex SL

Please find attached Concept document developed by TF4 and approved by JTCG at its
meeting.

Please note the Annex SL text in here has not been updated in line with the JTCG N362 proposal
for minor edits.

Please note due to time constraints the format of the table has not been adjusted to
remove the breaks that should not be there. It is intended that the table shall be one
continuous text table with no breaks between clauses.

Secretariat administered by: SIS, Swedish Standards Institute
email: [email protected] Phone +46 8 5555 2025
JTCG/TF4/ N27

3 December 2013

Annex SL Concepts document

Principle 1: Target audience
Standards Writers of Management System Standards (MSS), not organizations implementing a MSS based on Annex SL.

Principle 2: Clear understanding of the English language
Simple text need not be explained. It is not necessary to provide separate explanations for each sentence and bullet.

Principle 3: Reflect intent of Annex SL (as written in 2010)
MSS specific interpretations or applications are not included, but rather avoided.

Principle 4: Additions
Standard writers are obliged to evaluate the sufficiency of the Annex SL requirements for their discipline specific MSS and include additional requirements in any clause, as appropriate to their technical subject.

This guidance is provided in a table format that includes the Annex SL text, provides where necessary information on the concept behind the requirement in the Annex SL text, and gives guidance, examples or comments as appropriate.

Table columns: (1) Annex SL (text) as taken from ISO Directives 2013 editions – not updated in line with JTCG proposal in JTCG N362; (2) Concept of the requirement; (3) Guidance, examples, or commentary.

Introduction
NOTE Specific to the discipline.
Concept of the requirement: The intent of the Introduction is to give specific information or commentary about the technical content of the MSS, and about the reasons prompting its preparation. An Introduction is optional. It shall not contain requirements.
Guidance, examples, or commentary: Refer to ISO/IEC Directives Part 2: Rules for the structure and drafting of International Standards, for specific requirements, guidance and examples.

1. Scope
NOTE Specific to the discipline.
Concept of the requirement: The intent of the Scope clause is to succinctly define without ambiguity the subject of the MSS and the aspects covered, thereby indicating the limits of applicability of the MSS or particular parts of it. It shall not contain requirements. This clause is not to be confused with the scope of the management system (see 4.3).
Guidance, examples, or commentary: Refer to ISO/IEC Directives Part 2: Rules for the structure and drafting of International Standards, for specific requirements, guidance and examples.

2. Normative references
NOTE Clause Title shall be used. Specific to the discipline.
Concept of the requirement: The intent of the Normative Reference clause is to give a list of the referenced documents which have been cited in the MSS in such a way as to make them indispensable for the application of the MSS. Normative references are optional.
Guidance, examples, or commentary: Refer to ISO/IEC Directives Part 2: Rules for the structure and drafting of International Standards, for specific requirements, guidance and examples.

3. Terms and definitions
NOTE Clause Title shall be used. Terms and definitions may either be within the standard or in a separate document. To reference Common terms and Core definitions + discipline specific ones.

For the purposes of this document, the following terms and definitions apply.

NOTE 1 The following terms and definitions constitute an integral part of the “common text” for management systems standards. Additional terms and definitions may be added as needed. Notes may be added or modified to serve the purpose of each standard.

NOTE 2 Bold type in a definition indicates a cross-reference to another term defined in this clause, and the number reference for the term is given in parentheses.

NOTE 3 Where the text “XXX” appears throughout this clause, the appropriate reference should be inserted depending on the context in which these terms and definitions are being applied. For example: “an XXX objective” could be substituted as “an information security objective”.

Concept of the requirement: The intent of the Terms and Definitions clause is to provide the common set of harmonized definitions for MSS terminology. Further, standards writers provide additional definitions for the discipline-specific terms, i.e., words used in particular subject fields by specialists that are necessary for understanding the MSS.
As per ISO directives, Part 2, D.1.2, arrangement, Terms and definitions should be preferably organized according to the hierarchy of the concepts. Alphabetic order is the least preferred.

Guidance, examples, or commentary: This section should contain only the definitions of words used by specialists in the particular subject field in which the document is written, i.e., these words are called “terms” that are necessary for understanding the MSS. Words used in general language and ordinary communicative settings are not defined, as the everyday use and meaning of these words can be found in a dictionary.
For instance, the word “dog” in general language is commonly understood to mean a domestic canine. However, the word “dog” in mechanical engineering has a very specific meaning restricted to this field. The former is a “word”, and the latter is a “term”.
Terms that are not used in a MSS do not have to be defined.
Terms and their associated definitions can be located in this clause of the MSS or included in a referenced document. Suggested references for dictionaries are listed in ISO/IEC Directives, Part 2, Sixth edition, 2011, B.2 Reference works for language.
Rules for drafting terms and definitions are given in ISO Directives, Part 2, Annex D, together with special rules for terminology standards, such as vocabularies, nomenclatures or lists of equivalent terms in different languages.

3.01
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.08)

Note 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

3.02
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.01) that can affect, be affected by, or perceive themselves to be affected by a decision or activity

Guidance, examples, or commentary: Interested parties can include:
- Customers
- Community
- Suppliers
- Regulators
- Nongovernment organizations
- Investors
- Employees

3.03
requirement
need or expectation that is stated, generally implied or obligatory

NOTE 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

NOTE 2 to entry: A specified requirement is one that is stated, for example in documented information.

Guidance, examples, or commentary: Requirements, other than legal requirements, become obligatory when adopted by the organization.

3.04
management system
set of interrelated or interacting elements of an organization (3.01) to establish policies (3.07) and objectives (3.08) and processes (3.12) to achieve those objectives

NOTE 1 to entry: A management system can address a single discipline or several disciplines.
NOTE 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
NOTE 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

3.05
top management
person or group of people who directs and controls an organization (3.01) at the highest level

NOTE 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
NOTE 2 to entry: If the scope of the management system (3.04) covers only part of an organization then top management refers to those who direct and control that part of the organization.
3.06
effectiveness
extent to which planned activities are realized and
planned results achieved

3.07
policy
intentions and direction of an organization (3.01) as formally expressed by its top management (3.05)

3.08
objective
result to be achieved

NOTE 1 to entry: An objective can be strategic, tactical, or operational.
NOTE 2 to entry: Objectives can relate to different disciplines
(such as financial, health and safety, and environmental goals)
and can apply at different levels (such as strategic,
organization-wide, project, product and process (3.12)).
NOTE 3 to entry: An objective can be expressed in other
ways, e.g. as an intended outcome, a purpose, an operational
criterion, as an XXX objective or by the use of other words with
similar meaning (e.g. aim, goal, or target).
NOTE 4 to entry: In the context of XXX management systems
XXX objectives are set by the organization, consistent with the
XXX policy, to achieve specific results.
3.09
risk
effect of uncertainty

NOTE 1 to entry: An effect is a deviation from the expected — positive or negative.
NOTE 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73, 3.5.1.3) and consequences (ISO Guide 73, 3.6.1.3), or a combination of these.
NOTE 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence.

Guidance, examples, or commentary: Discipline specific standards can define “risk” in terms that are specific to their discipline. ISO 31000 provides a definition of ”risk” that some discipline-specific standards can use (see also definition 3.09).
3.10
competence
ability to apply knowledge and skills to achieve intended results

3.11
documented information
information required to be controlled and maintained by
an organization (3.01) and the medium on which it is
contained

NOTE 1 to entry: Documented information can be in any format and media and from any source.
NOTE 2 to entry: Documented information can refer to
– the management system (3.04), including related
processes (3.12);
– information created in order for the organization to operate
(documentation);
– evidence of results achieved (records).
3.12
process
set of interrelated or interacting activities which
transforms inputs into outputs

3.13
performance
measurable result

NOTE 1 to entry: Performance can relate either to quantitative or qualitative findings.
NOTE 2 to entry: Performance can relate to the management
of activities, processes (3.12), products (including services),
systems or organizations (3.01).

3.14
outsource (verb)
make an arrangement where an external organization (3.01) performs part of an organization’s function or process (3.12)

NOTE 1 to entry: An external organization is outside the scope of the management system (3.04), although the outsourced function or process is within the scope.

Guidance, examples, or commentary: For purposes of Annex SL, an outsourced process is one where
- the function or process is integral to the organization’s functioning
- the function or process is needed for the MS to achieve its intended outcome
- liability for the function or process conforming to requirements is retained by the organization
- the organization and the external provider have an integral relationship e.g. one where the process is perceived by interested parties as being carried out by the organization
3.15
monitoring
determining the status of a system, a process (3.12) or
an activity

NOTE 1 to entry: To determine the status there may be a need to check, supervise or critically observe.
3.16
measurement
process (3.12) to determine a value

3.17
audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

NOTE 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
NOTE 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
NOTE 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

Concept of the requirement: Annex SL 9.2 pertains to internal audits. Annex SL requires that internal audits are conducted by the organization or by an external party on its behalf.

Guidance, examples, or commentary: Independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.
“Audit evidence” consists of records, statement of fact and other information relevant to the audit criteria and verifiable, and “audit criteria” are the set of policies, procedures or requirements (3.03) used as a reference against which audit evidence is compared as defined in ISO 19011.
Audit findings and the audit conclusion may be described collectively as the audit result. ”Audit findings” consist of the results of the evaluation of the collected audit evidence against audit criteria and the “audit conclusion” is the outcome of an audit after consideration of the audit objectives and all audit findings, as defined in ISO 19011.
A combined audit is an audit of an organization’s management system against two or more sets of audit criteria or standards (for example, quality, safety, etc) and often referred to as an ‘integrated’ audit.

3.18
conformity
fulfilment of a requirement (3.03)

3.19
nonconformity
non-fulfilment of a requirement (3.03)

Guidance, examples, or commentary: Nonconformity relates to the requirements specified by the management system standard and to the requirements adopted by the organization.

3.20
corrective action
action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence

Guidance, examples, or commentary: Corrective action is action taken to eliminate the cause of a nonconformity, whereas “correction” is immediate action taken to eliminate a detected nonconformity.

3.21
continual improvement
recurring activity to enhance performance (3.13)


4. Context of the organization
4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its XXX management system.

Concept of the requirement: The intent of the clause on Understanding the organization and its context is to specify the requirements for a high-level (e.g. strategic) understanding of the important issues that can affect, either positively or negatively, the MS.
Issues can be e.g. important topics for the organization, problems for debate and discussion, or changing circumstances.
The knowledge gained is then used to guide the efforts to plan, implement and operate the management system.
Standards writers may prescribe additional requirements related to understanding the organization and its context in their discipline specific MSS.

Guidance, examples, or commentary: Examples of issues that may be important to an MS, and may need to be addressed by an MSS include:
– environmental characteristics or conditions related to climate, pollution, resource availability, and biodiversity, and the effect these conditions may have on the organization’s ability to achieve its objectives;
– the external cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive context, whether international, national, regional or local;
– characteristics or conditions of the organization, such as
  o organizational governance, information flows and decision-making processes
  o organizational policies, objectives, and the strategies that are in place to achieve them;
  o the capabilities of the organization, understood in terms of resources (e.g. capital, time, people, knowledge, processes, systems and technologies);
  o the organization's culture;
  o standards, guidelines and models adopted by the organization;
  o the life cycle of the organization’s products and services.
4.2 Understanding the needs and expectations of interested parties

The organization shall determine
- the interested parties that are relevant to the XXX management system, and
- the relevant requirements of these interested parties

Concept of the requirement: The intent of the clause on Understanding the needs and expectations of interested parties is to specify the requirements for a high-level (e.g. strategic) understanding of the needs and expectations of relevant interested parties that are applicable to the MS and to the MSS.
Not all interested party requirements are requirements of the organization. Some are not applicable to the organization or relevant to the management system. Others are mandatory because they have been incorporated into laws, regulations, permits and licenses by governmental or court action. There may be others that an organization may decide to voluntarily adopt or decide to enter into an agreement or contract. Once adopted or agreed to, it must comply.
If an interested party ‘perceives’ themselves to be affected by the management system, they must make it known.
Apart from legal requirements, the needs and expectations of an interested party become obligations when they are specified and the organization decides that it will adopt them. Once the organization subscribes, then they become organizational requirements (see 4.3).
The knowledge gained is then used to guide the efforts to plan, implement and operate the management system.
Standards writers can prescribe additional requirements related to understanding the needs and expectations of interested parties in their discipline specific MSS.

Guidance, examples, or commentary: Examples of potential interested parties may include:
- legal and regulatory authorities (local, regional, state/provincial, national or international),
- parent organizations,
- customers,
- trade and professional associations,
- community groups,
- non-governmental organizations,
- suppliers,
- neighbours,
- employees and others working on behalf of the organization.
Examples of interested party requirements may include:
- law;
- permits, licences or other forms of authorization;
- orders issued by regulatory agencies;
- judgments of courts or administrative tribunals;
- treaties, conventions and protocols;
- relevant industry codes and standards; and
- contracts which have been entered into;
- agreements with community groups or non-governmental organizations;
- agreements with public authorities and customers;
- organizational requirements;
- voluntary principles or codes of practice;
- voluntary labelling or environmental commitments;
- obligations arising under contractual arrangements with the organization.
4.3 Determining the scope of the XXX management system

The organization shall determine the boundaries and applicability of the XXX management system to establish its scope.

When determining this scope, the organization shall consider
- the external and internal issues referred to in 4.1, and
- the requirements referred to in 4.2.

The scope shall be available as documented information.

Concept of the requirement: The intent of the clause on Determining the scope of the management system is to establish the physical and organizational boundaries to which the management system will apply.
The organization has the freedom and flexibility to define its boundaries and may choose to implement MSS within the entire organization, a specific unit, or particular function(s) within an organization.
An understanding of the context (4.1) and the requirements of relevant interested parties (4.2) are considerations when establishing the scope of the management system and in determining which requirements the organization will adopt.
Documentation of the scope is created and controlled in accordance with the requirements of Documented information (7.5).
Standards writers can prescribe additional requirements for determining the scope of the management system in their discipline specific MSS.

Guidance, examples, or commentary: It should be noted that the term scope can be used in three different applications:
- the Scope of the ISO MSS (clause 1)
- the scope of the organization’s management system (as defined by 4.3)
- the “scope” of an organization’s certification.
4.4 XXX management system

The organization shall establish, implement, maintain and continually improve an XXX management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

Concept of the requirement: The intent of the Management System clause is to specify the overarching requirement(s) related to creating the ‘necessary but sufficient’ set of processes that, together, form an effective management system in conformance to the MSS.
The organization retains authority, accountability, and autonomy, to decide how it will fulfil the management system requirements, including the level of detail and extent to which it will integrate the management system requirements into its business.
Standards writers can prescribe additional requirements for the management system or its processes in their discipline specific MSS.
Note when drafting an MSS, reference to this clause may avoid the need to keep repeating phrases such as “establish, maintain, and continually improve …”, for e.g. a process, a procedure, a management system, in multiple clauses.

Guidance, examples, or commentary: The minimum processes required to be established in a MSS include:
- Management system processes (4.4)
- Operational planning and control processes, including outsourced processes (8.1)

5. Leadership
5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the XXX management system by
- ensuring that the XXX policy and XXX objectives are established and are compatible with the strategic direction of the organization
- ensuring the integration of the XXX management system requirements into the organization’s business processes
NOTE Reference to “business” in this International Standard should be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.
- ensuring that the resources needed for the XXX management system are available
- communicating the importance of effective XXX management and of conforming to the XXX management system requirements
- ensuring that the XXX management system achieves its intended outcome(s)
- promoting continual improvement
- supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

Concept of the requirement: The intent of the clause on Leadership and Commitment is to identify actions in which top management is personally involved with and directs in the organization.
Top management may not perform all of these actions themselves (e.g., they may delegate responsibility to others), but they are accountable for making sure they are performed.
Standards writers can prescribe additional requirements related to leadership and commitment in their discipline specific MSS.
In the 2nd bullet the importance of “integration … into the organization’s business processes” is emphasized and it is assigned as one of Top management’s roles.
In the 7th bullet “to demonstrate their leadership as it applies to their areas of responsibility” refers to the “relevant management roles”, and not to Top management.
The 7th bullet is intended to require Top management to create a culture and environment that encourages people with leadership roles (not necessarily formal management positions, e.g. team leaders) to work actively towards implementing the requirements of the management system and seeking to achieve the XXX objectives.
Standards writers can prescribe additional requirements for leadership and commitment in their discipline specific MSS.

Guidance, examples, or commentary: Visible support, involvement and commitment of the organization’s top management is important to the successful implementation of the MSS. It sets the tone and expectations, increases acceptance, and motivates personnel to be engaged in the MS initiatives. It can provide reassurance to external parties that an effective management system is likely in place.
An example of a “business process” may be an organization’s central human resource function, which may be responsible for ensuring that the competency requirements of an MSS are met.

5.2 Policy

Top management shall establish a XXX policy that
- is appropriate to the purpose of the organization
- provides a framework for setting XXX objectives
- includes a commitment to satisfy applicable requirements, and
- includes a commitment to continual improvement of the XXX management system.

The XXX policy shall
- be available as documented information
- be communicated within the organization
- be available to interested parties, as appropriate

Concept of the requirement: The intent of the clause on Policy is to specify the high level organizational commitments required of the MSS, taking into account the organization’s purpose. It is used to frame the objectives which the organization sets for itself.
Documentation of the policy is created and controlled in accordance with the requirements of Documented information (7.5).
The policy is communicated internally in accordance with the requirements of the Communication clause (7.4). It also shall be made available to other interested parties.
Standards writers can prescribe additional requirements related to policy in their discipline specific MSS.

Guidance, examples, or commentary: While the policy is expected to contain a commitment to satisfy applicable requirements, in particular laws and regulations, it is understood that even the most effective MS will not guarantee full compliance at any particular point in time. Under such circumstances, it should not be considered out of conformance so long as the MS results in the prompt detection and corrective action of the system deficiencies that contributed to the instance(s) of noncompliance.

5.3 Organization roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for:
a) ensuring that the XXX management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the XXX management system to top management.

Concept of the requirement: The intent of the clause on Organization roles, responsibilities and authorities is to assign responsibility and authority for the implementation of the MS requirements to relevant roles within the organization.
Top management is accountable for these responsibilities and authorities being assigned and communicated to the respective persons performing those roles.
The responsibilities and authorities are communicated in accordance with the requirements of the Communication clause (7.4).
Demonstration of conformance to the requirements of the MSS is conducted in accordance with the requirements of the Internal audit clause (9.2).
Performance reporting is conducted in accordance with the requirements of Management review (9.3).
Standards writers can prescribe additional requirements related to policy in their discipline specific MSS.

Guidance, examples, or commentary: The role of ensuring that the management system conforms with the requirements of the MSS can be assigned to an individual, shared by several individuals, or assigned to a team. Such individuals should have sufficient access to top management in order to keep management informed of the status and performance of the MS.
Annex SL text:

6. Planning

6.1 Actions to address risks and opportunities

When planning for the XXX management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to

- assure the XXX management system can achieve its intended outcome(s)
- prevent, or reduce, undesired effects
- achieve continual improvement.

The organization shall plan:

a) actions to address these risks and opportunities, and

b) how to

- integrate and implement the actions into its XXX management system processes
- evaluate the effectiveness of these actions.

Concept of the requirement:

The intent of the clause on Actions to address risks and opportunities is to specify the requirements for the planning needed as a prerequisite to establishing the MS. It specifies what needs to be considered and what needs to be addressed. The planning is performed at a strategic level, versus the tactical planning done for Operational planning and control (8.1).

At a minimum, planning needs to consider the issues relevant to the organization’s context identified in (4.1) and the organization’s applicable requirements identified in (4.3) in order to address any negative or positive consequence posed in a prioritized fashion. Prioritization is based on the three bullet items.

Annex SL calls for actions to address risks in 6.1, but does not call for risk management, risk assessment or risk treatment. For those MSS that need to address risk formally, the MSS should clarify its need for a “risk management” approach, and agree on the positioning of risk assessment and risk treatment text (i.e. should it go in clause 6 or clause 8, or in both).

The purpose of planning is to anticipate potential scenarios and consequences, and as such is preventive in addressing undesired effects before they occur. Similarly, it looks for favourable conditions or circumstances that can offer a potential advantage or beneficial outcome and includes planning for those worthy of pursuit.

Planning also includes determining how to incorporate the actions deemed necessary or beneficial into the MS, either through objective setting (6.2), operational control (8.1) or other specific clauses of the MS, e.g. resource provisions (7.1), competence (7.2).

The mechanism for evaluating the effectiveness of the preventive action taken is also planned, and can include monitoring, measurement techniques (9.1), internal audit (9.2) or management review (9.3).

Standards writers can prescribe additional requirements related to actions to address risks and opportunities in their discipline specific MSS.

Guidance, examples, or commentary:

Reference to ‘Risks and Opportunities’ is intended to broadly describe something that poses a threat having detrimental or negative effect, or alternatively, something that has the potential for a beneficial or positive effect. It is not intended to be the same as the technical, statistical, or scientific interpretation of the term risk.

Threat and opportunity determination may be through informal means, or may be through formal qualitative or quantitative methodologies.
Annex SL text:

6.2 XXX objectives and planning to achieve them

The organization shall establish XXX objectives at relevant functions and levels.

The XXX objectives shall

- be consistent with the XXX policy
- be measurable (if practicable)
- take into account applicable requirements
- be monitored
- be communicated, and
- be updated as appropriate.

The organization shall retain documented information on the XXX objectives.

When planning how to achieve its XXX objectives, the organization shall determine

- what will be done
- what resources will be required
- who will be responsible
- when it will be completed
- how the results will be evaluated

Concept of the requirement:

The text is self-explanatory; readers should note linkages to Leadership and commitment (5.1) and Policy (5.2).

Objectives should be specified in a way that allows determination of their fulfilment to be made. By including the caveat “where practicable”, it is acknowledged that there may be situations when it may not be feasible to measure an objective.

The status and progress on objectives are periodically checked in accordance with the requirements of Monitoring, measurement, analysis and evaluation (9.1) and updated as appropriate, consistent with the requirements of Continual improvement (10.2).

Objectives are communicated in accordance with the requirements of the Communication clause (7.4).

Documentation of the objectives is created and controlled in accordance with the requirements of Documented information (7.5).

The actions required to achieve the objectives (i.e., ‘what’) and the associated timeframe (i.e., ‘when’) are determined. In addition, assignment of responsibility for doing it (i.e., ‘who’) is established in accordance with the requirements of Organization roles, responsibilities and authorities (5.3). Any need for budgets, specialized skills, technology or infrastructure, for example, are determined and provided in accordance with the requirements of Resources (7.1). Lastly, a mechanism for evaluating the overall results of what was accomplished is determined in accordance with the requirements of Monitoring, measurement, analysis and evaluation (9.1) and reported in accordance with Management Review (9.3).

Standards writers can prescribe additional requirements related to objectives and planning to achieve them in their discipline specific MSS.

Guidance, examples, or commentary:

Intentionally left blank
Annex SL text:

7. Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the XXX management system.

Concept of the requirement:

The intent of the clause on Resources is to anticipate, determine and allocate the resources needed for creating and implementing the MS (including its operations and controls), as well as those needed for its ongoing maintenance and improvement.

Standards writers can prescribe additional requirements related to resources in their discipline specific MSS.

Guidance, examples, or commentary:

Resources may include

- human resources
- specialized skills or knowledge
- organizational infrastructure (i.e., buildings, communication lines, etc)
- technology
- financial resources
Annex SL text:

7.2 Competence

The organization shall

- determine the necessary competence of person(s) doing work under its control that affects its XXX performance, and
- ensure that these persons are competent on the basis of appropriate education, training, or experience;
- where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and

NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the re-assignment of currently employed persons; or the hiring or contracting of competent persons.

- retain appropriate documented information as evidence of competence.

Concept of the requirement:

The text is self-explanatory when read in conjunction with the definition of competence (3.10).

Documentation providing objective evidence of competence is created and controlled in accordance with the requirements of Documented information (7.5).

Standards writers can prescribe additional requirements related to competence in their discipline specific MSS.

Guidance, examples, or commentary:

Intentionally left blank
Annex SL text:

7.3 Awareness

Persons doing work under the organization’s control shall be aware of

- the XXX policy
- their contribution to the effectiveness of the XXX management system, including the benefits of improved XXX performance
- the implications of not conforming with the XXX management system requirements.

Concept of the requirement:

The intent of the clause is self-explanatory.

Standards writers can prescribe additional requirements related to awareness in their discipline specific MSS.

Guidance, examples, or commentary:

Awareness of the policy should not be taken to mean that it needs to be memorized; rather, persons should be aware of the key policy commitments, and their role in achieving them.
Annex SL text:

7.4 Communication

The organization shall determine the internal and external communications relevant to the XXX management system including

- on what it will communicate
- when to communicate
- with whom to communicate.
- how to communicate

Concept of the requirement:

The intent of the clause is self-explanatory.

Annex SL requires communication on the following:

- importance of effective XXX management and of conforming to the MS requirements
- policy
- responsibilities and authorities
- performance of the MS
- objectives
- [contribution to the effectiveness of the MS, including the benefits of improved performance
- implications of not conforming with the MS requirements]
- results of audits

Standards writers can include specific requirements for communication, including information that is necessary to communicate, either in this clause, or in the other clauses.

Guidance, examples, or commentary:

Communications should adhere to the principles of transparency, appropriateness, credibility, responsiveness and clarity.

Communication can be verbal or written, one-way or two-way, internal or external.
Annex SL text:

7.5 Documented information

7.5.1 General

The organization’s XXX management system shall include

- documented information required by this International Standard
- documented information determined by the organization as being necessary for the effectiveness of the XXX management system.

NOTE The extent of documented information for a XXX management system can differ from one organization to another due to

— the size of organization and its type of activities, processes, products and services,
— the complexity of processes and their interactions, and
— the competence of persons.

Concept of the requirement:

The intent of the clause General, Documented Information is to provide a description of the types of information that must be created, controlled, and maintained in a management system. This includes that which is

- required for all MSS (as presented in clause 7.5.1 and in the respective clauses of Annex SL),
- required by a particular MSS, and
- any additional information the organization determines necessary to be documented.

The phrase “documented information as evidence of ...” implies the former term “record”.

It is the responsibility of the organization to determine what documented information it needs beyond that which is required by the MSS. The factors it should take into account are listed in the note.

The term “documented information” refers to information that a MSS determines is necessary to control and maintain in any format or media (see 7.5.3).

Documented information is created and controlled in accordance with the requirements of 7.5.2 and 7.5.3.

Standard writers may include specific examples of appropriate documented information.

Guidance, examples, or commentary:

The minimum documented information required to be created, controlled and/or maintained in a MSS includes:

- Scope of the management system
- Policy
- Objectives
- Evidence of competence
- Documented information of external origin necessary for the planning and operation of the management system
- Documented information necessary to have confidence that the processes have been carried out as planned
- Monitoring, measurement, analysis and evaluation results
- Evidence of internal audit programme implementation
- Internal audit results
- Management review results
- Nature of nonconformities and actions taken
- Corrective action results

Documented information, originally created for purposes other than the MSS, may be used.
Annex SL text:

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate

- identification and description (e.g. a title, date, author, or reference number)
- format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
- review and approval for suitability and adequacy.

Concept of the requirement:

The intent of the clause Creating and Updating Documented Information is to specify the requirements for uniquely identifying the information, defining the format and media it will be maintained in, and for its approval.

Standards writers can prescribe additional requirements related to creating and updating documented information in their discipline specific MSS.

Guidance, examples, or commentary:

The identification, format and media used for documented information are the choice of the organization implementing the MSS; it need not be in the form of a textual format or a paper manual.
Annex SL text:

7.5.3 Control of documented information

Documented information required by the XXX management system and by this International Standard shall be controlled to ensure

- it is available and suitable for use, where and when it is needed
- it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

- distribution, access, retrieval and use,

NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

- storage and preservation, including preservation of legibility
- control of changes (e.g. version control)
- retention and disposition

Documented information of external origin determined by the organization to be necessary for the planning and operation of the XXX management system shall be identified as appropriate, and controlled.

Concept of the requirement:

The intent of the clause on Control of documented information is to specify the internal controls that need to be considered and implemented for information that is required to be documented. Not all internal controls are applicable to all types of documented information.

In addition to internal information that is required to be documented, information created by external parties may be required for the MSS. The identification and control of such information is also required.

Standards writers can prescribe additional requirements related to control of documented information in their discipline specific MSS.

Guidance, examples, or commentary:

The information required to be documented by the MSS may be integrated with other information management or documentation systems established by an organization.
Annex SL text:

8. Operation

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by

- establishing criteria for the processes
- implementing control of the processes in accordance with the criteria
- keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled.

Concept of the requirement:

The intent of the clause on Operational planning and control is to specify the requirements that need to be implemented within the organization’s operations to make sure the MSS requirements are fulfilled, and the priority risks and opportunities are being addressed.

Operational control includes the methods implemented to make sure business operations, activities or equipment do not exceed specified conditions or performance standards or violate regulatory compliance limits, and thereby effectively achieve the intended outcome of the MS. These controls establish technical requirements necessary to achieve the desired optimal functionality for business processes, such as technical specifications or operating parameters or a prescribed methodology.

Operational control is required for situations related to business processes where absence of controls could lead to deviations from the policy and objectives or poses unacceptable risk. These situations can be related to business operations, activities or processes; production, installation or servicing; maintenance; or contractors, suppliers or vendors. The degree of control exercised will vary depending on many factors, including the functions performed; their importance or complexity; the potential consequences of deviation or variability; or, the technical competency involved versus what is available.

Documentation needed to have confidence that the operational control processes have been carried out as planned is created and controlled in accordance with the requirements of Documented information (7.5).

Requirements for management of change, both planned and unintended changes, are required to prevent or otherwise minimize the chance technical requirements are not fulfilled, or new risks are introduced.

When operational controls fail, action is necessary to address any resultant undesired effect(s).

Control of outsourced processes is not unlike the control of operations; however the degree of control can be limited to partial control or influence. It is not intended to change any legal relationship with the external entity performing the outsourced process.

Standards writers can prescribe additional requirements related to operational planning and control in their discipline specific MSS.

Guidance, examples, or commentary:

Operational planning can be more detailed than the planning done in 6.1 and at the tactical level focused on the business operations in support of those actions determined in Actions to address risks and opportunities (6.1).
Annex SL text:

9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall determine

- what needs to be monitored and measured
- the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results
- when the results from monitoring and measurement shall be analysed and evaluated.

The organization shall retain appropriate documented information as evidence of the results.

The organization shall evaluate the XXX performance and the effectiveness of the XXX management system.

Concept of the requirement:

The intent of the clause on Monitoring, measurement, analysis and evaluation is to specify the requirements for implementing checks to be sure the intended results of the MS are achieved as planned.

Checking can be qualitative (monitoring) or quantitative (measurement).

The characteristics that are monitored or measured, analyzed and evaluated provide the ‘necessary and sufficient’ information to judge the extent to which the MS planned activities are realized and its planned results are achieved.

The information gained through monitoring or measurement, analysis and evaluation is presented to top management in accordance with the requirements of Management Review (9.3).

Documentation of the monitoring, measurement, analysis and evaluation results is created and controlled in accordance with the requirements of Documented information (7.5).

Standards writers can prescribe additional requirements related to monitoring, measurement, analysis and evaluation in their discipline specific MSS.

Guidance, examples, or commentary:

Intentionally left blank
Annex SL text:

9.2 Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the XXX management system;

a) conforms to

- the organization’s own requirements for its XXX management system
- the requirements of this International Standard;

b) is effectively implemented and maintained.

The organization shall:

a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of audits are reported to relevant management, and

e) retain documented information as evidence of the implementation of the audit programme and the audit results.

Concept of the requirement:

The intent of the clause on Internal audit is to specify the requirements for planning, implementing and maintaining an internal audit programme for purposes of checking that the organization’s MS conforms to both the MSS requirements and any additional MS related requirements the organization self imposes, and that the MS is being effectively implemented and maintained as planned.

An internal audit programme requires that

- internal audits be planned and scheduled based on the importance of the processes audited and the results of previous audits
- a methodology for planning and conducting internal audits be established
- roles and responsibilities within the audit programme be assigned taking into account the integrity and independence of the internal audit process
- the audit criteria (i.e., policies, procedures or requirements used as a reference against which relevant and verifiable records, statements of fact or other information will be compared) and audit scope (i.e., description of the physical locations, organizational units, activities and processes, as well as the time period covered) for each audit planned.

The internal audit programme is planned and implemented and maintained by internal personnel, or can be managed by external persons acting on the organization’s behalf. In either case the selection of internal audit programme personnel needs to meet Competence (7.2) requirements.

The results of internal audits are reported to the management responsible for the functions/unit audited, and any other individuals deemed appropriate in accordance with the requirements of the Communication clause (7.4).

Documentation providing evidence of internal audit programme implementation and audit results is created and controlled in accordance with the requirements of Documented information (7.5).

Information, including trends, on internal audit results is reviewed in accordance with the requirements of Management review (9.3).

Standards writers can prescribe additional requirements related to internal audit in their discipline specific MSS.

Guidance, examples, or commentary:

The management and conduct of internal audits should abide by the principles of integrity, fair presentation, due professional care, confidentiality, independence and an evidence-based approach.

Guidance on establishing an internal audit programme, performing management system audits and evaluating the competence of audit personnel is given in ISO 19011.
Annex SL text:

9.3 Management review

Top management shall review the organization's XXX management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the XXX management system;

c) information on the XXX performance, including trends in:

- nonconformities and corrective actions
- monitoring and measurement results, and
- audit results;

d) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the XXX management system.

The organization shall retain documented information as evidence of the results of management reviews.

Concept of the requirement:

The intent of the clause on Management review is to specify the requirements related to the conduct of a holistic review of the MS by top management, including the information to be covered and the expected outputs.

Top management is required to be personally engaged in this review. It is their mechanism to drive changes to the MS and direct continual improvement priorities, particularly in relation to the changing circumstances in the organization’s context, deviations from intended results, or favourable conditions that offer an advantage with beneficial outcome.

Documentation of the management review results is created and controlled in accordance with the requirements of Documented information (7.5).

Standards writers can prescribe additional requirements related to management review in their discipline specific MSS.

Guidance, examples, or commentary:

Intentionally left blank
Annex SL text:

10. Improvement

10.1 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:

a) react to the nonconformity, and as applicable

- take action to control and correct it, and
- deal with the consequences;

b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by

- reviewing the nonconformity
- determining the causes of the nonconformity, and
- determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken; and

e) make changes to the XXX management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:

- the nature of the nonconformities and any subsequent actions taken, and
- the results of any corrective action

Concept of the requirement:

The intent of the clause on Nonconformity and corrective action is to specify the requirements for responding when the MSS and MS (including operational) requirements are not satisfied. It includes taking action to correct the situation, examine the cause and determine if other occurrences exist or potentially exist elsewhere so that action can be taken to prevent reoccurrence. Further, it requires evaluation of the action taken to confirm that the intended result was achieved, and evaluation of the MS to determine if changes are warranted to avoid future occurrences of similar nonconformities.

Documentation of the nonconformity, corrective action and the results is created and controlled in accordance with the requirements of Documented information (7.5).

Standards writers can prescribe additional requirements related to nonconformity and corrective action in their discipline specific MSS.

Guidance, examples, or commentary:

Intentionally left blank
Annex SL text:

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the XXX management system.

Concept of the requirement:

The intent of the clause on Continual improvement is to specify the requirements to improve the Management System (MS). Improvement is focused in three main areas:

Suitability – the extent to which the MS ‘fits’ and is right for the organization’s purpose, its operations, culture, and business systems

Adequacy – the extent to which the MS is sufficient in meeting the applicable requirements; and

Effectiveness – the extent to which planned activities are realized and planned results achieved.

Continual improvement involves making changes to the design and implementation of the MS in order to improve the organization’s ability to achieve conformity with the requirements of the MSS and meet its objectives and policy commitments. Although there may be value in improving the system elements alone, the intended outcome of planned actions and other MS changes is an improvement in the organization’s performance.

Several clauses of a MSS can assist in achieving continual improvement. A coordinated implementation of these clauses may help to develop a robust way to achieve this improvement, including, but not limited to:

- taking actions to address risks and opportunities (6.1);
- establishing objectives (6.2);
- upgrading operational controls (8.1), taking into consideration new technologies, methods or information;
- analyzing and evaluating performance (9.1);
- conducting internal audits (9.2);
- conducting management reviews (9.3); and
- detecting nonconformity(ies) and implementing corrective action(s) (10.1).

The organization periodically evaluates and reviews its MS in accordance with the requirements of Monitoring, measurement, analysis and evaluation (9.1) and Internal Audit (9.2) and Management Review (9.3) to identify opportunities for improvement, and plans appropriate actions to be taken in accordance with Actions to address risks and opportunities (6.1), Objectives and planning to achieve them (6.2), and Operational planning and controls (8.1).

Standards writers can prescribe additional requirements related to continual improvement in their discipline specific MSS.

Guidance, examples, or commentary:

Continual implies occurrence over a period of time, but with intervals of interruption (unlike ‘continuous’ which indicates occurrence without interruption). In the context of continual improvement, the expectation is that improvements occur periodically, over time. The rate, extent and timescale of actions that support continual improvement are determined by the organization, in light of its context, economic factors, and other circumstances.