Ensuring that your Management System is kept up-to-date is one of the most important aspects of complying with ISO Standards, especially as it is part of maintaining your certification to your chosen Standard. It's not a document that is written once and only ever read occasionally - a Management System is a constantly evolving document or series of documents.
To make sure you get the maintenance of your Management System right, follow our guide:
As detailed within your Management System, you should be performing regular scheduled activities. These activities may result in changes to your Management System, both in terms of your documented processes, and in evidence gathered during your internal audit activities. (see "Internal Audits" below).
To ensure that your business' processes are fit for purpose and operating efficiently, it is important to perform regular Internal Audits. These reviews may focus on individual departments or processes, and enable you to verify that processes are effective or will identify differences between what your business says it is doing in the Management System, and what is actually happening. This could be because the process is outdated and does not reflect the current process or it could be that staff are not following the documented processes correctly, i.e. failure to record information on inspection sheets.
When a process is identified as outdated it is vital that the Management System be updated accordingly, as the effects of this one process being different can fan out across your business through the various related tasks and processes.
There's work to do as well if the documented process is not being carried out, not to change the Management System, but to re-train the team on how to carry out the process as documented. After all, failure to do so could have knock-on effects throughout the business, slowing down the production line or affecting the quality of service provided. Follow-up monitoring would then be carried out to ensure that the re-training had been effective.
A Management Review is a formal, structured meeting which involves top management and takes place at regular intervals throughout the year. Where Internal Audits focus on the specifics, Management Reviews look at the bigger picture. These meetings look at how the Management System is running as a whole, looking for patterns in Internal Audit results and any raised non-conformities (see "Non-conformities" below).
By looking at things from a greater height, other efficiency savings or improvements can be identified, and the Management System updated accordingly. Training can then be rolled out across any affected teams to ensure these changes are taken on board and implemented throughout the business.
During these meetings the targets and objectives for your business should also be reviewed and their documentation updated as necessary if any changes are needed to the objective or the activities that will be involved in achieving it.
Although not carried out by your team, an External Audit is still an important part of compliance. An External Audit is where a third party comes to your organisation, at least once annually, and reviews your processes to make sure that they match what is written in your Management System but also that they still comply with the Standard(s) to which your business is certified.
Any issues brought up during the audit should be rectified, by updating the documentation for your Management System or by re-training the affected individuals where failure to adhere to processes was identified.
External Audit Evidence and Documented Information
The task for gathering evidence for your External Audit is partly covered by your efforts in the Internal Audit and Management Review activities, but you also need to provide evidence elsewhere.
Any document that forms part of your recorded processes, but will not change/be altered, should be kept on file as part of your evidence. This includes items such as training certificates, production records, test results and minutes of meetings.
Issues where your documented processes do not match what is happening in your business are known as non-conformities, especially if these differences result in non-compliance with your chosen Standard(s).
Train your staff to recognise and report instances of non-conformity so that you can act on it quickly, adjusting your Management System accordingly.
Keep records of these reports, and any actions taken as you will need to review these records during Management Reviews, and they also act as evidence during External Audits.
Why Should Businesses Maintain their Management System?
At the end of the day it's all about efficiency and quality. Regardless of which Standard(s) your Management System is following, the general aim of it is to make your business more efficient and be the best it can be in those areas, whether that is in the realms of Health & Safety with ISO 45001, or Information Security through ISO 27001.
By continually improving your Management System, making incremental changes to your processes and ensuring those changes are recorded, you are setting your business up for success - and that's partially why you implemented a Management System in the first place!
Even if you are following the ISO Standard's guidance for continual improvement, if you don't record your changes you are trusting your improvements to the memory of your employees, which is fine - but what happens? someone forgets, a member of your team leaves, or new people join up, but they are trained to old procedures? Without having a documented record of your changes, you run the risk of losing progress towards a more efficient business and even negatively affecting your customers with an inconsistent journey.