Featured Product
This Week in Quality Digest Live
Management Features
Master Gage and Tool Co.
Why it matters for accurate measurements
Lee Simmons
Lessons from a deep dive into 30 years of NFL and NBA management turnover
Mike Figliuolo
Sure, you have to be professional, but have a good time anyway
Margaret Graziano
Unlocking the power of organizational culture
Graham Ward
Asserting yourself and setting clear boundaries

More Features

Management News
A tool to help detect sinister email
Developing tools to measure and improve trustworthiness
Manufacturers embrace quality management to improve operations, minimize risk
How well are women supported after landing technical positions?
Adds increased focus on governance
Survey shows 85% of top performers rely on it to achieve business objectives

More News

Inderjit Arora


Myth: Your Management System Documentation Must Resemble the ISO Standard

A management system written just to align with ISO QMS clauses won’t deliver the feedback you need

Published: Monday, September 30, 2019 - 11:03

Every company uses a system to understand the requirements and inputs of its customers, and then plans to deliver outputs meeting those requirements as a conforming product or service. The International Organization for Standardization (ISO) publishes management system standards that, when correctly interpreted, enable companies to systematically and consistently provide desired outputs while addressing risks.

Using the framework provided by ISO, companies can design systems and processes that work together to deliver desired outputs (i.e., products or services). An organization should endeavor to define its outputs accurately, after understanding customer requirements, both stated and unstated. ISO standards allow companies of any size and industry to implement them; hence, a lot is left open to interpretation.

Despite this, certification to these management system standards delivers confidence to potential and existing customers that the company is implementing a process with the intent of continual improvement. Across the globe, an ISO management system certification, such as ISO 9001, gives confidence of a certain basic framework being implemented and followed.

Risks are identified in the context of the organization. The organization’s core process derives its objectives directly from the company policy. Key and support procedures ensure that these objectives are met in order to deliver a confirming product or confirming service.

Why ‘ISO-ized’ systems fail

This understanding of how a management system works to deliver products and services must be understood in the spirit of the ISO standard. The standard is not like a magic wand that will guarantee excellence or success. It needs careful interpretation to design the processes necessary to meet stakeholder requirements. Unfortunately, many companies try to “ISO-ize” their management systems by simply writing processes and procedures around the standard’s clauses, with no regard to whether the processes or procedures make sense for their business. Many ISO-ized management systems fail to deliver sustained success because such systems can’t deliver the feedback that a good system should.

Processes must be documented around what users actually do. These processes then need to be resourced, controlled, monitored, audited, and reviewed for continuing suitability, adequacy, and effectiveness. Organizations blunder into believing that ISO-izing their systems is the panacea to all their problems. It is not. Management systems documented to reflect a standard’s clauses only benefit external auditors of the systems. Auditors and auditing are an integral part of a system, but they are meant to provide objective inputs for improvements, not to dictate how the system functions. Good management systems should be documented for easy use by their users.

The process approach to systems

A process-based approach is fundamental to implementing a management system. Success in implementing ISO management standards—for efficiency, managing risk, security, environment, aerospace quality, food safety, or whatever—lies in a good plan that accounts for system risks, given the organizational business context. Ideally, a management system should capture the “as-is” of the system, compare it to requirements, and identify any gaps between the two. This enables the design of new procedures and an update of existing procedures. A process approach is designed to meet measurable objectives, ones that are based on the policy of the organization’s leadership. System users do the work to meet the objectives, and the procedures must capture the “how” of what they do.

The relationship between understanding requirements, risks, and inputs to creating the policy should be systematically considered when designing a management system and prior to resourcing it. The system approach as prescribed by ISO standards allows for involvement of the leadership throughout the entire implementation process, i.e., from planning and implementing to monitoring and reviewing for performance for improvement. This motivates top management to take personal ownership of their management systems.


ISO management system standards are not prescriptive and need interpretation by users of the system. Using the plan-do-check-act (PDCA) cycle approach, leaders convey their policy to the system users. The system ensures adequate controls and resources so that outputs correlate with inputs and meet measurable objectives as set. The system allows for feedback to be captured, so risks and opportunities for improvement are identified and addressed in a timely manner.

As for the auditors, let us encourage them to use their innovative approaches to identify how the system meets the standard’s requirements and intent. To make it easy, we could provide them with a cross-reference matrix to demonstrate where the standard’s requirements are met within the documented system procedures.

Bottom line: Embrace your system when developing it to meet requirements, including those per ISO standards, and you will see the benefits of a “de-ISO-ized” system.


About The Author

Inderjit Arora’s picture

Inderjit Arora

Inderjit Arora is the President and CEO of Quality Management International Inc. (QMII). He serves as a team leader for consulting, advising, auditing, and training in management systems. He specializes in several ISO and industry specific standards. He is an Exemplar Global certified Lead Auditor and is on the US TAG-176 committee, and a member of the US Submarine League. IJ  is a popular speaker at several universities and forums on management systems, conflict management, crisis communication and leadership. Dr. Arora is a Master Mariner with an MBA from the College of William and Mary and additionally MSC in defense studies and graduation in nuclear sciences. He has a 32 year record of achievement in the military, mercantile marine, and civilian industries. He writes a blog and contributes to several professional magazines, including Quality Digest. His articles have been published in the USCG Proceedings.


Documentation Must Resemble ISO

The point is well taken that a QMS should be tailored to the culture and processes of each organization. The downside to using a different numbering system or structure to the documentation is that you will have to build a crosswalk for your external auditor.

They are in 2-3 companies a week and their brain is hard-wired to the Standard and its numbering system. Using a different structure will increase audit hours and lead to confusion by the auditor. If it is a new registration, the quality manual might not pass the desk audit by the registrar.

Management System aligned to the Standard

Dear Tom,

With due respect to your views and concerns here are my thoughts. First please don't write a management system (MS) for auditors. Audits are meant to provide inputs for TM to better resource the systema and appreciate risks. The system should be written for the users of the system. The Employees of the organization work to their procedures to meet requirements and produce confirming products and services. The MS therefore (per clause 4.4 of ISO 9001) should be designed to processes and provide the interactions between processes. A system written to clauses will never meet this requirement nor be user friendly. The very purpose of the MS is lost. For certification or otherwise, it is the auditors job to audit and see confirmity. Lot of the auditors are confused because they come in search of non-confirmty. Good auditors should be auditing to look for conformity. It is a total waste of money if the system is written for the purpose of auditing!


RE; RE Documentation must resemble ISO

Indeed a QMS should be tailored to the culture and processes of each organization. In my view, this is far more important than squeezing audit hours or satisfying hard-wired auditors. New technology can help us serve both sides as IT_enabled DMS systems facilitate easy cross-referencing of procedures/processes and ISO requirements. This will support a QMS tailored for the organization and keep costs in control, even with hard-wired auditors.

Management System aligned to the Standard

I agree. Apart from the IT and availability of tools, the basic principle is to write a management system (MS) for the organization. Not for the auditors.