What is a Management System?
Management System Definition
ISO 27000:2016 defines a Management System as a:
“…set of interrelated or interacting elements of an organisation to establish policies and objectives and processes to achieve those objectives.”
It could further be stated that:
“People in the organisation are assigned predefined roles and are responsible for maintaining and achieving the objectives set by the organisation within their specific discipline, e.g. quality management or information security.
Activities leading to the achievement of these objectives are carried out as part of the Management System and may be documented in any form. The Management System may consist of Roles, Policies, Processes, Procedures, Instructions and other information.”
A Management System can address a single discipline, e.g. Quality Management (ISO 9001), or several disciplines, e.g. Quality Management and Environmental Management (ISO 9001 and ISO 14001). In the latter case it is called an Integrated Management System. A Management System should always have a defined scope.
Depending upon the decision taken by the organisation, that scope can cover the whole organisation or just a part of it. Adhering to a Management System as defined by ISO is always voluntary. Nevertheless, in some cases having a Management System can be a way to fulfil legal requirements. For instance, a manufacturer must operate a quality management system to place a medical device on the European market, and an ISO 13485 compliant Management System is the accepted way of demonstrating this. Not all Management Systems follow ISO standards. For example, the U.S. federal regulation 21 CFR Part 820 (Quality System Regulation) defines a quality Management System for manufacturers aiming to introduce a medical device to the U.S. market.
Examples of Management Systems
The table below presents different Management Systems.
Standard | Title | Discipline |
---|---|---|
ISO 9001 | Quality management systems – Requirements | Non-Industry-Specific |
ISO 13485 | Medical devices – Quality management systems – Requirements for regulatory purposes | Medical Devices |
ISO 27001 | Information technology – Security techniques – Information security management systems – Requirements | Information Security |
ISO 22301 | Societal security – Business continuity management systems – Requirements | Business Continuity |
ISO 14001 | Environmental management systems – Requirements with guidance for use | Environmental Management |
ISO 14971 | Medical devices – Application of risk management to medical devices | Medical Devices |
21 CFR 820 | Code of Federal Regulations Title 21 Part 820 – Quality System Regulation | Medical Devices |
Certification of Management Systems
Some Management Systems can be certified. Certification is a process in which an independent auditor, working for an accredited certification body, validates that the organisation meets the requirements of the specific standard. Certification usually consists of two stages. Stage 1 checks that the Management System has been defined and documented as the standard requires (scope, policies, processes, roles). Stage 2 checks that the documented Management System is actually followed in the organisation's everyday operations, which the auditor establishes from records, interviews and observation rather than from the documentation alone.
Management System Life Cycle
The Life Cycle of a Management System can be divided into the following phases:
- Definition
- Implementation / Deployment
- Certification
- Operations
- Continual Improvement
- Re-certification
To start with, the System must be defined. This can be done by the organisation on its own or with the help of a consultant. Using the know-how of our company can significantly shorten that process!
The goal of the next phase, implementation, is to make the defined System a reality in the organisation: roles are assigned, the policies and procedures are followed, and the records the System calls for start to be produced. If the definition was built by examining the organisation's actual activities, rather than imposed from outside, this phase should be relatively simple.
Here the organisation needs to decide whether it is seeking certification; if it is, it is now time for a certification audit. Note that this phase is optional, as not all organisations decide to certify their Management System, and certification may not be available for a given discipline.
The next two phases are of the utmost importance. The first is operations, i.e. "business-as-usual": if defined accurately, the Management System now supports the organisation's day-to-day work. The second is continual improvement, which every Management System should be capable of. A trigger for change might come from internal feedback, from internal or external security incidents, or from non-conformities reported by an auditor or a customer. Each such trigger needs to be handled systematically (recorded, analysed for root cause, corrected and verified) so that the way the organisation operates actually improves. Certificates are normally issued for a fixed period, commonly three years with surveillance audits in between; as the certificate approaches the end of its validity a re-certification audit takes place, and the cycle starts again.