oSIST ISO/DGuide 83:2011

DRAFT ISO GUIDE 83
Secretariat: TMB
Voting begins on Voting terminates on
2011-05-06 2011-09-06
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION


High level structure and identical text for management system
standards and common core management system terms and
definitions
Structure à niveau élevé et texte identique pour les normes de système de management et termes et
définitions principaux communs de système de management
ICS 01.120; 03.100.01

Please see the administrative notes on page iii

Member bodies are advised that while this document is being issued in the form of a draft ISO Guide for
voting in accordance with annex A of Part 1 of the ISO/IEC Directives, the Technical Management Board has
not taken a final decision with regard to the final form of publication of the document.
WARNING — THIS DOCUMENT IS NOT AN ISO GUIDE. IT IS DISTRIBUTED FOR REVIEW AND COMMENT. IT IS SUBJECT TO CHANGE WITHOUT
NOTICE AND MAY NOT BE REFERRED TO AS A GUIDE.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT GUIDES MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME DOCUMENTS TO WHICH
REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
©
ISO 2011

---------------------- Page: 1 ----------------------
ISO DGUIDE 83

Copyright notice
This ISO document is a Draft Guide and is copyright-protected by ISO. Except as permitted under the
applicable laws of the user's country, neither this ISO draft nor any extract from it may be reproduced,
stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording
or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's
member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.





ii © ISO 2011 – All rights reserved

---------------------- Page: 2 ----------------------
ISO DGUIDE 83
In accordance with the provisions of Council Resolution 15/1993 this document is circulated in the English
language only.
Conformément aux dispositions de la Résolution du Conseil 15/1993, ce document est distribué en version
anglaise seulement.

To expedite distribution, this document is circulated as received from the committee secretariat. ISO Central
Secretariat work of editing and text composition will be undertaken at publication stage.
Pour accélérer la distribution, le présent document est distribué tel qu'il est parvenu du secrétariat du
comité. Le travail de rédaction et de composition de texte sera effectué au Secrétariat central de l'ISO au
stade de publication.




© ISO 2011 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO DGUIDE 83


ISO/TMB Joint Technical Coordination Group JTCG N44rev1
 February 2011
Chair: Ron Waumans
Secretary: Dick Hortensius



Final draft High Level Structure and identical text for MSS and common MS terms and
core definitions


This document contains the consolidated outcomes of JTCG Task groups 1 and 3 as reviewed and approved
th
during the 8 meeting of JTCG, 15 October 2010 in Vienna.

It combines documents JTCG TF 1 N 36 and JTCG TF 3 N 127.


Secretariat administered by:
NEN, PO BOX 5059, 2600 GB Delft, Netherlands
email: dick.hortensius@nen.nl  TP+1 31 15 2690 115       TF+1 31 15 2690 207



DRAFT 2011

---------------------- Page: 4 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 2



1. High Level Structure, with draft “Identical text”

Note : In the Identical text proposals, XXX = an MSS discipline specific qualifier (e.g. energy, road
traffic safety, IT security, food safety, societal security, environment, quality) needs to be inserted.
Blue italicized text is given as advisory notes to standards’ drafters.

Introduction
Note: Unique to the discipline
1. Scope
Note: Specific to the discipline; possibly some identical text
2. Normative references
Note: Clause Title shall be used. Unique to the discipline
3. Terms and definitions
Note: Clause Title shall be used. Terms and definitions may either be within the standard or in a separate
document. To reference Aligned definitions + discipline specific ones
4. Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its
ability to achieve the intended outcomes of its XXX management system.
These issues shall be taken into account when establishing, implementing, maintaining and improving the
organization’s XXX management system.
4.2 Understanding the needs and expectations of interested parties
When establishing its XXX management system, the organization shall determine
 its relevant interested parties and
 their requirements (i.e. their needs and expectations whether stated, implied or obligatory)
4.3 Determining the scope of the management system
The organization shall determine the scope of the XXX management system, such that the boundaries and
applicability of the XXX management system can be clearly communicated to relevant internal and external
parties.
When determining the scope of the management system the organization shall consider:
- the external and internal issues referred to in 4.1
- the requirements referred to in 4.2,
The organization shall retain documented information on the scope of the XXX management system
4.4 XXX management system
The organization shall, establish, implement, maintain and improve an XXX management system in accordance
with the requirements of this International Standard including the processes needed and their interactions.
2
DRAFT 2011

---------------------- Page: 5 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 3




5. Leadership

5.1 General

Persons in top management and other relevant management roles throughout the organization
shall demonstrate leadership with respect to the XXX management system.

NOTE This can be shown, for example, by motivating and empowering persons to contribute to the
effectiveness of the XXX management system


5.2 Management commitment

Top management shall demonstrate its commitment by

- ensuring the XXX management system is compatible with the strategic direction of the organization
- integrating the XXX management system requirements into the organization’s business processes;
- providing the resources to establish, implement, maintain and continually improve the XXX management
system
- communicating the importance of effective XXX management and conforming to the XXX management
system requirements;
- ensuring that the XXX management system achieves its intended outcomes
- directing and supporting continual improvement

NOTE Reference to “business” in this International Standard should be interpreted broadly to mean those
activities that are core to the purposes of the organization’s existence.


5.3 Policy

Top management shall establish a XXX policy. The policy shall:

- be appropriate to the purpose of the organization,

- provide the framework for setting XXX objectives;

- include a commitment to satisfy applicable requirements,

- include a commitment to continual improvement of the XXX management system

- be communicated within the organization

- be available to interested parties, as appropriate.
The organization shall retain documented information on the XXX policy.

5.4 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and
communicated within the organization.

Top management shall assign the responsibility and authority for

a) ensuring that the XXX management system conforms to the requirements of this International Standard

b) reporting on the performance of the XXX management system to top management

3
DRAFT 2011

---------------------- Page: 6 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 4




6 Planning

6.1 Actions to address risks and opportunities

The organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and
determine the risks and opportunities that need to be addressed to
- assure the management system can achieve its intended outcome(s)
- prevent undesired effects
- realize opportunities for improvement.

The organization shall:

a) evaluate the need to plan actions to address these risks and opportunities, and

b) where applicable
- integrate and implement these actions into its XXX management system processes (see 8.1)
- ensure information will be available to evaluate if the actions have been effective (see 9.1)


6.2 XXX objectives and plans to achieve them
Top management shall ensure that XXX objectives are established and communicated for relevant functions
and levels within the organization.
The XXX objectives shall:
- be consistent with the XXX policy
- be measurable (if practicable)
- take into account applicable requirements
- be monitored and updated as appropriate
The organization shall retain documented information on the XXX objectives.
To achieve its XXX objectives, the organization shall determine:
- who will be responsible
- what will be done
- what resources will be required

- when it will be completed

- how the results will be evaluated

7. Support
7.1Resources
The organization shall determine and provide the resources needed for the XXX management system
4
DRAFT 2011

---------------------- Page: 7 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 5




7.2 Competence
The organization shall:
- determine the necessary competence of person(s) doing work under its control that affects its XXX
performance
- ensure these persons are competent on the basis of appropriate education, training, or experience,
- where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the
actions taken
- retain appropriate documented information as evidence of competence.
NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or
the re-assignment of current employees; or the hiring or contracting of competent persons.
7.3 Awareness
Persons doing work under the organization’s control shall be aware of:
- the XXX policy
- their contribution to the effectiveness of the XXX management system, including the benefits of improved XXX
performance
- the implications of not conforming with the XXX management system requirements
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the XXX
management system including
- what to communicate
- when to communicate
- to whom it will communicate
7.5 Documented information
7.5.1 General
The organization’s XXX management system shall include:

- documented information required by this International Standard

- documented information determined by the organization as being required for the effectiveness of the XXX
management system

7.5.2 Create and update
The process for creating and updating documented information shall ensure appropriate:
- identification and description (e.g. a title, date, author, number )
- format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
5
DRAFT 2011

---------------------- Page: 8 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 6



- review and approval for adequacy
NOTE The extent of documented information for a XXX management system can differ from one organization
to another due to:
- the size of organization and its type of activities, processes, products and services,
- the complexity of processes and their interactions, and
- the competence of persons
7.5.3 Control of documented Information
Documented information required by the XXX management system and by this International Standard shall be
controlled.
Control of documented information shall include the following, as applicable:
- Distribution
- Access
- Storage and preservation
- Retrieval and use
- Control of changes (e.g. version control)
- Preservation of legibility (i.e. clear enough to read)
- Prevention of the unintended use of obsolete information
- Retention and disposition
Documented information of external origin determined by the organization to be necessary for the planning and
operation of the XXX management system shall be identified as appropriate, and controlled.
When establishing control of documented information, the organization shall ensure that there is adequate
protection for the documented information (e.g. protection against compromise, unauthorized modification or
deletion).
NOTE Access implies a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information, etc.
8. Operation

8.1 Operational planning and control

The organization shall determine, plan, implement and control those processes needed to address the risks
and opportunities determined in 6.1 and to meet requirements, by:

- establishing criteria for those processes

- implementing the control of these processes in accordance with the criteria

- keeping documented information to demonstrate that the processes have been carried out as planned.

6
DRAFT 2011

---------------------- Page: 9 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 7



The organization shall control planned changes and review the consequences of unintended changes, taking
action to mitigate any adverse effects, as necessary
The organization shall control processes that are contracted-out or outsourced.
9. Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
The organization shall determine:
- what needs to be measured and monitored;
- the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results.
- when the monitoring and measuring shall be performed;
- when the analysis and evaluation of monitoring and measurement results shall be performed.
The organization shall evaluate the XXX performance and the effectiveness of the XXX management system.
Additionally, the organization shall:
- take action when necessary to address adverse trends or results before a nonconformity occurs.
- retain relevant documented information as evidence of the results.
9.2 Internal Audit
The organization shall conduct internal audits at planned intervals to provide information to assist in the
determination of whether the XXX management system
a) conforms to
 the organization’s own requirements for its XXX management system
 the requirements of this International Standard.
b) is effectively implemented and maintained.

The organization shall
- plan, establish, implement and maintain an audit programme(s), including the frequency, methods,
responsibilities, planning requirements and reporting, while taking into consideration the importance of the
processes concerned and the results of previous audits.
- define the audit criteria and scope for each audit
- select auditors and conduct audits to ensure objectivity and the impartiality of the audit process.
- ensure that the results of the audits are reported to relevant management
- retain documented information as evidence of the results.
9.3 Management review
Top management shall review the organization's XXX management system, at planned intervals, to ensure its
continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

- the status of actions from previous management reviews;
- changes in external and internal issues that are relevant to the XXX management system,
- information on the XXX performance, including trends in:
7
DRAFT 2011

---------------------- Page: 10 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 8



 nonconformities and corrective actions
 monitoring and measurement evaluation results and
 audit results,
- opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities
and the possible need for changes to the XXX management system
The organization shall retain documented information as evidence of the results of management reviews.
10. Improvement

10.1 Nonconformity and corrective action

The organization shall:

- identify nonconformities,

- react to the nonconformities, and as applicable
 take action to control, contain and correct them,
 deal with the consequences

The organization shall also evaluate the need for action to eliminate the causes of nonconformities, including:
- reviewing nonconformities
- determining the causes of nonconformities,
- identifying if potential similar nonconformities exist elsewhere in the XXX management system
- Evaluating the need for action to ensure that nonconformities do not recur or occur elsewhere
- determining and implementing action needed, and
- reviewing the effectiveness of any corrective action taken.
- making changes to the XXX management system, if necessary

Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of
- the nature of the nonconformities and any subsequent actions taken, and
- the results of any corrective action

10.2 Continual improvement
The organization shall continually improve the suitability, adequacy or effectiveness of the XXX management
system.
NOTE The organization can use the processes of the XXX management system such as leadership, planning
and performance evaluation, to achieve improvement










8
DRAFT 2011

---------------------- Page: 11 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 9



2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

NOTE 1 The following terms and definitions constitute an integral part of the “common text” for management systems
standards. Additional terms and definitions may be added as needed. Notes may be added or modified to serve the
purpose of each standard.
NOTE 2 Bold type in a definition indicates a cross-reference to another term defined in this clause, and the number
reference for the term is given in parentheses.
NOTE 3 Where the text “XXX” appears throughout this clause, the appropriate reference should be inserted depending
on the context in which these terms and definitions are being applied. For example: “an XXX objective” could be substituted
as “an information security objective “.
T.1 Terms related to “plan”

T.1.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to
achieve its objectives (T.1.4)
NOTE The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise,
authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
T.1.2
risk
effect of uncertainty on objectives (T.1.4)
NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and
can apply at different levels (such as strategic, organization-wide, project, product and process (T.2.2)). An objective can
be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an XXX objective or by
the use of other words with similar meaning (e.g. aim, goal, or target).
NOTE 3 Risk is often characterized by reference to potential events (Guide 73, 3.5.1.3) and consequences (Guide 73,
3.6.1.3), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in
circumstances) and the associated likelihood (Guide 73, 3.6.1.1) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of efficiency of information related to, understanding or knowledge of, an
event, its consequence, or likelihood.
NOTE 6 In the context of XXX management system standards XXX objectives are set by the organization, consistent
with the XXX policy, to achieve specific results. When applying the term risk and components of risk management, this
should be related to the objectives of the organization that include, but are not limited to the XXX objectives as specified in
6.2 of the common MSS text.
T.1.3
policy
intentions and direction of an organization (T.1.1) as formally expressed by its top management (T.1.5)
T.1.4
objective
result to be achieved
NOTE 1 An objective can be strategic, tactical, or operational.
9
DRAFT 2011

---------------------- Page: 12 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 10



NOTE 2 An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion,
as an XXX objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
T.1.5
top management
person or group of people who directs and controls an organization (T.1.1) at the highest level
NOTE 1 Top management has the power to delegate authority and provide resources within the organization.
NOTE 2 An organization can for this purpose be identified by reference to the scope of the implementation of a
management system (T.2.1).
T.1.6
interested party (preferred term)
stakeholder (admitted term)
person or group of people that holds a view that can affect the organization (T.1.1)
T.1.7
requirement
obligatory need or expectation that is stated or implied
T.2 Terms related to “do”

T.2.1
management system
set of interrelated or interacting elements of an organization (T.1.1) to establish policies (T.1.3) and
objectives (T.1.4), and processes (T.2.2) to achieve those objectives
NOTE 1 A management system can address a single discipline or several disciplines.
NOTE 2 The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
NOTE 3 The scope of a management system may include the whole of the organization, specific and identified
functions of the organization, specific and identified sections of the organization, or one or more functions across a group of
organizations.
T.2.2
process
set of interrelated or interacting activities which transforms inputs into outputs
T.2.3
competence
ability to apply knowledge and skills to achieve intended results
T.2.4
documented information
information required to be controlled and maintained by an organization (T.1.1)
NOTE 1 Documented information can be in any format and media and from any source.
NOTE 2 Documented information can, e.g., refer to
– the management system (T.2.1), including related processes (T.2.2);
– information created in order for the organization to operate;
– evidence of results achieved.
T.2.5
performance
measurable result
NOTE 1 Performance can relate either to quantitative or qualitative findings.
10
DRAFT 2011

---------------------- Page: 13 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 11



NOTE 2 Performance can relate to the management of activities, processes (T.2.2), products (including services),
systems or organizations (T.1.1).
T.2.6
outsource (verb)
make an arrangement where an external organization (T.1.1) performs part of an organization’s function or
process (T.2.2)
NOTE An external organization is outside the scope of the management system (T.2.1), although the outsourced
function or process is within the scope.
T.3 Terms related to “check”

T.3.1
monitoring
determining the status of a system, a process (T.2.2) or an activity
NOTE To determine the status there may be a need to check, supervise or critically observe.
T.3.2
measurement
process (T.2.2) to determine a value
T.3.3
audit
systematic, independent and documented process (T.2.2) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
NOTE 1 An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a
combined audit (combining two or more disciplines).
NOTE 2 “Audit evidence” and “audit criteria” are defined in ISO 19011.
T.3.4
effectiveness
extent to which planned activities are realized and planned results achieved
T.3.5
conformity
fulfilment of a requirement (T.1.7)
T.3.6
nonconformity
non-fulfilment of a requirement (T.1.7)
T.4 Terms related to “act”

T.4.1
correction
action to eliminate a detected nonconformity (T.3.6)
T.4.2
corrective action
action to eliminate the cause of a nonconformity (T.3.6) and to prevent recurrence
NOTE In the case of other undesirable outcomes, action is necessary to minimise or eliminate the causes and to
reduce the impact or prevent recurrence. Such actions fall outside the concept of “corrective action” in the sense of this
definition.
11
DRAFT 2011

---------------------- Page: 14 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 12



T.4.3
continual improvement
recurring activity to enhance performance (T.2.5)

12
DRAFT 2011

---------------------- Page: 15 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 13



Annex A – Application guidance notes on HLS and identical text

General comment
Clarifications or descriptions should be given for phrases such as “as applicable” or “as appropriate”, perhaps in the
Introduction

General comment
When referring to objectives, always use a “qualifier” (e.g. XXX objectives; XXX management system objectives;
process objectives etc)
General comment

For those standards that address risk, there should be agreement on the positioning of risk assessment and risk
treatment text (i.e. should it go in clause 6 or clause 8)

Introduction
This content of this clause will be unique to the discipline
1. Scope
a) This will be specific to the discipline with possibly some identical text
b) The Scope should define the “intended outcomes” of the relevant MSS
Use “intended outcome” and not “expected outcome”
- Expected outcome is that “expected” by interested parties
- “Intended Outcome” is that which is “intended” as a result of the application of the standard, or process etc.
2. Normative references
The Normative clause title shall be used, even when no references are given, for clause alignment purposes; however
the content will be unique to the discipline
3. Terms and definitions
The “Terms and definitions” clause title shall be used.
Terms and definitions may either be within the standard or in a separate standard/document.
The clause should reference the Aligned definitions + discipline specific ones

5.4 Organizational roles, responsibilities and authorities

Some MSS disciplines may wish to add a note that: < management system is often assigned to a “Management Representative”>>


6.1 Actions to address risks and opportunities

Discipline specific standards can define “risk” in terms that are specific to their discipline. ISO 31000 provides a
definition of ”risk” that some discipline specific standards can use (see also definition T.1.2). Additionally, each
discipline should clarify its need for a formal “risk management “ approach.

7.1Resources
13
DRAFT 2011

---------------------- Page: 16 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 14



Each discipline may need to add a specific Note giving examples of resources
8. Operation
The concept behind this clause is that it applies to an organization’s general operations, as well as to the operation of
its management system


14
DRAFT 2011

---------------------- Page: 17 ----------------------
ISO DGUIDE 83

ISO Joint Technical Coordination Group JTCG N44rev1
Page 15



Annex B - Application guidance notes on common terms and definitions
1. Whenever management systems common terms are included in the text of a management systems
standard they shall be included in the terms and definitions clause of the standard or in a separate, normatively
referenced document.
2. Management systems core definitions shall be stated without any deviation. However, the understanding
of the conc
...