The Library of Software Testing

Pavankumar Pothuraju's weblog

ISO 9000

ISO has been developing voluntary technical standards over almost all sectors of business, industry and technology since 1947.

 

With the exception of ISO 9000 and ISO 14000, the vast majority of ISO standards are highly specific. They are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics to ensure that materials, products, processes and services are fit for their purpose.

 

Then, in 1987, came ISO 9000, followed nearly 10 years later by ISO 14000, which have brought ISO to the attention of a much wider business community. These are very different from the majority of ISO's highly specific standards.

Generic management system standards

The vast majority of ISO standards are highly specific to a particular product, material, or process. However, both ISO 9000 and ISO 14000 are known as generic management system standards.

Generic means that the same standards can be applied to any organization, large or small, whatever its product - including whether its "product" is actually a service - in any sector of activity, and whether it is a business enterprise, a public administration, or a government department.

Management system refers to what the organization does to manage its processes, or activities in order that the products or services that it produces meet the objectives it has set itself, such as the following:

  • satisfying the customer's quality requirements,
  • complying with regulations, or
  • meeting environmental objectives.

In a very small organization, there is probably no "system", as such, just "our way of doing things", and "our way" is probably not written down, but all in the manager's or owner's head. The larger the organization, and the more people involved, the greater the likelihood that there are some written procedures, instructions, forms or records. These help ensure that everyone is not just "doing his or her own thing", and that the organization goes about its business in an orderly and structured way, so that time, money and other resources are utilized efficiently.

To be really efficient and effective, the organization can manage its way of doing things by systemizing it. This ensures that nothing important is left out and that everyone is clear about who is responsible for doing what, when, how, why and where.

Management system standards provide the organization with a model to follow in setting up and operating the management system. This model incorporates the features on which experts in the field have reached a consensus as representing the international state of the art. A management system which follows the model - or "conforms to the standard" - is built on a firm foundation of state-of-the-art practices.

Large organizations, or ones with complicated processes, could not function well without management systems - although they may have been called by some other name. Companies in such fields as aerospace, automobiles, defence, or health care devices have been operating management systems for years.

The ISO 9000 and ISO 14000 families of management system standards now make these successful practices available for all organizations when it comes to meeting their objectives concerning quality and the environment.

ISO 9000 and ISO 14000 in plain language

This section tells you briefly what ISO 9000 and ISO 14000 are and what they are not.

Both "ISO 9000" and "ISO 14000" are actually families of standards which are referred to under these generic titles for convenience. Both families consist of standards and guidelines relating to management systems, and related supporting standards on terminology and specific tools, such as auditing (the process of checking that the management system conforms to the standard).

ISO 9000 is primarily concerned with "quality management". In the everyday context, like "beauty", everyone may have his or her idea of what "quality" is. But, in the ISO 9000 context, the standardized definition of quality refers to all those features of a product (or service) which are required by the customer.

"Quality management" means what the organization does to ensure that its products or services satisfy the customer's quality requirements and comply with any regulations applicable to those products or services.

ISO 14000 is primarily concerned with "environmental management". In plain language, this means what the organization does to minimize harmful effects on the environment caused by its activities.

In addition, both ISO 9000 and ISO 14000 require organizations that implement them to improve their performance continually in, respectively, quality and environmental management.

Both ISO 9000 and ISO 14000 concern the way an organization goes about its work, and not directly the result of this work. In other words, they both concern processes, and not products - at least, not directly. Nevertheless, the way in which the organization manages its processes is obviously going to affect its final product.

In the case of ISO 9000, the efficient and effective management of processes is, for example, going to affect whether or not everything has been done to ensure that the product satisfies the customer's quality requirements.

In the case of ISO 14000, the efficient and effective management of processes is going to affect whether or not everything has been done to ensure a product will have the least harmful impact on the environment, at any stage in its life cycle, either by pollution, or by depleting natural resources.

However, neither ISO 9000 nor ISO 14000 are product standards. The management system standards in these families state requirements for what the organization must do to manage processes influencing quality (ISO 9000) or the processes influencing the impact of the organization's activities on the environment (ISO 14000).

In both cases, the philosophy is that management system requirements are generic. No matter what the organization is or does, if it wants to establish a quality management system or an environmental management system, then such a system has a number of essential features which are spelled out in the relevant ISO 9000 or ISO 14000 standards.

Certification, registration and accreditation

Three words that will certainly crop up on your road to ISO 9000 or ISO 14000 are "certification", "registration" and "accreditation". Just what exactly do they mean? Let's first take the first two.

According to the standardized definitions*, they are not quite the same thing. In the context of ISO 9000 or ISO 14000, "certification" refers to the issuing of written assurance (the certificate) by an independent, external body that has audited an organization's management system and verified that it conforms to the requirements specified in the standard. "Registration" means that the auditing body then records the certification in its client register.

The organization's management system has therefore been both certified and registered. For practical purposes, in the ISO 9000 and ISO 14000 contexts, the difference between the two terms is not significant and both are acceptable for general use.

"Certification" seems to be the term most widely used worldwide, although registration (from which comes "registrar" as an alternative to registration/certification body) is often preferred in North America, and the two are also used interchangeably.

On the contrary, using "accreditation" as an interchangeable alternative for certification or registration is a mistake, because it means something different. In the ISO 9000 or ISO 14000 context, accreditation refers to the formal recognition by a specialized body - an accreditation body - that a certification body is competent to carry out ISO 9000 or ISO 14000 certification in specified business sectors. In simple terms, accreditation is like certification of the certification body. Certificates issued by accredited certification bodies - and known as "accredited certificates" - may be perceived on the market as having increased credibility.

Therefore, it is okay to state that your organization has been "certified" or "registered" (if, indeed, it has!), but inaccurate to state that it has been "accredited" (unless your organization is a certification/registration body).

Certification is not compulsory

You can implement ISO 9000 or ISO 14000 without seeking to have your management system audited and certified as conforming to the standards by an independent, external certification body. What?!?

That's right! We are so used to hearing about ISO 9000 and ISO 14000 certification that it's easy to assume you can't have the standard without certification - but it's a fact, you can implement and benefit from an ISO 9000 or ISO 14000 system without having it certified. Like all ISO standards, ISO 9000 and ISO 14000 are voluntary standards. Your organization can implement them solely for the internal benefits they bring in increased effectiveness and efficiency of your operations, without incurring the investment required in a certification programme.

Deciding to have an independent audit of your system to confirm that it conforms to the standard is a decision to be taken on business grounds - if for example:

- it is a contractual, regulatory, or market requirement,
- it meets customer preferences,
- it is part of a risk management programme, or if you think
- it will motivate your staff by setting a clear goal for the development of the management system.

Choosing a certification body

When choosing a certification body to carry out ISO 9001 or ISO 14001 certification, these are the aspects the organization needs to take into account.

  • The first point is that an organization can implement ISO 9001 or ISO 14001 without seeking certification. The best reason for wanting to implement the standards is to improve the efficiency and effectiveness of company operations. Certification of your management system is not an ISO 9001 or ISO 14001 requirement.
  • Deciding to have an independent audit of your system to confirm that it conforms to ISO 9001 or ISO 14001 is a decision to be taken on business grounds, for example:

- if it is a contractual or regulatory requirement
- if it is a market requirement or to meet customer preferences
- if it falls within the context of a risk management programme
- or if you think it will motivate your staff by setting a clear goal for the development of your management system.

  • Criteria to consider include:

- evaluate several certification bodies,
- bear in mind that the cheapest might prove to be the most costly if its auditing is below standard, or if its certificate is not recognized by your customers
- establish whether the certification body has auditors with experience in your business sector
- following the publication of the ISO 9000:2000 series, establish whether the certification body has integrated the evolution in the focus of the standards from conformity to performance.

  • Another point to clarify is whether or not the certification body has been accredited and, if so, by whom. Accreditation, in simple terms, means that a certification body has been officially approved as competent to carry out certification in specified business sectors by a national accreditation body. In most countries, accreditation is a choice, not an obligation and the fact that a certification body is not accredited does not, by itself, mean that it is not a reputable organization. For example, a certification body operating nationally in a highly specific sector might enjoy such a good reputation that it does not feel there is any advantage for it to go to the expense of being accredited. That said, many certification bodies choose to seek accreditation, even when it is not compulsory, in order to be able to demonstrate an independent confirmation of their competence.

ISO does not carry out ISO 9001 or ISO 14001 certification

ISO is responsible for developing, maintaining and publishing the ISO 9000 and ISO 14000 families of standards but ISO does not itself audit or assess the management systems of organizations to verify that they have been implemented in conformity with the requirements of the standards. ISO does not issue ISO 9001 or ISO 14001 certificates.

The auditing and certification of management systems is carried out independently of ISO by more than 750 certification bodies active around the world. ISO has no authority to control their activities. The ISO 9000 and ISO 14000 certificates issued by certification bodies are issued under their own responsibility and not under ISO's name.

ISO itself does not carry out assessments or audits to check that its standards are being implemented by users in conformity with the requirements of the standards. Conformity assessment - as this process is known - is a matter between suppliers and their customers in the private sector, and of regulatory bodies when ISO standards have been incorporated into public legislation.

In addition, there exist many testing laboratories and certification bodies which offer independent (also known as "third party") conformity assessment services to provide confirmation that products (including hardware, software and processed materials), services or systems measure up to ISO standards. Such organizations may perform these services under a mandate to a regulatory authority, or as a commercial activity, the aim of which is to create confidence between suppliers and their clients.

In some countries, the national standards institutes that make up ISO's membership carry out conformity assessment, either on behalf of their respective governments, or as a business operation. ISO itself has no authority to control conformity assessment activities, whether these are business activities by its members, or by other organizations.

However, ISO's Committee on conformity assessment, ISO/CASCO, develops standards and guidelines covering various aspects of conformity assessment activities and the organizations that perform them. The voluntary criteria contained in these standards and guides represent an international consensus on what constitutes good practice. Their use contributes to the consistency and coherence of conformity assessment worldwide and so facilitates trade across borders.

ISO's logo is not for use

Upon certification, many organizations turn to ISO to request use of "the ISO 9000 logo". No such ISO logo exists. There is only the ISO logo itself, which is a registered trademark. Unless authorized by ISO, use of its logo is prohibited. ISO will not allow its logo to be used in connection with the certification of management systems, even when these certifications attest conformity to ISO 9001 or ISO 14001.

Examples of unacceptable use of the ISO logo would include use on products, on Web sites, in marketing materials, advertisements and company letterheads.
Allowing the ISO logo to be used would give the false impression that ISO carries out certification activities, or has approved or authorized the organization using its logo. These activities are not business functions of ISO.

ISO is not an auditor, assessor, registrar, or certifier of management systems, products, services, materials or personnel, nor does it endorse any such activities performed by other parties. ISO develops International Standards but does not operate any schemes for assessing conformity with them.

ISO 9001 and ISO 14001 certificates are issued independently of ISO by more than 750 certification bodies worldwide, although the organization does develop voluntary standards and guidelines to encourage good practice by these certification bodies.

ISO has no "ISO 9000 logo". In addition, you may not use ISO's logo, which is copyrighted. ISO will take whatever actions it considers necessary to prevent the misuse of its logo.

 

Publicizing your certification

If your business or organization has invested time, energy and money to obtain an ISO 9001 or ISO 14001 certificate, you understandably wish to publicize your achievement. To help you to do so, ISO has published guidelines: Publicizing your ISO 9001 or ISO 14001 certification. The guidelines will help you to apply good practice in publicizing, communicating and promoting your certification to stakeholders such as staff, customers, business partners and the general public.

These guidelines will prove useful in preparing promotional and communication materials such as press releases, advertisements, marketing brochures, videos, staff announcements, logos, slogans and catch lines for diverse media ranging from print, broadcasting and the Internet to product labels, signs, banners, vehicle fleets and so on.

Among misleading practices that ISO wants to put an end to are the following:

  • Misuse of the ISO logo, which is a registered trademark.
  • Giving the false impression, through expressions such as "ISO certification", that it is ISO which has issued a certificate. ISO's core business function is developing standards. Certification to ISO standards is carried out independently of ISO. ISO does not issue certificates relating to ISO 9001, ISO 14001, or any other of the thousands of International Standards it has developed.
  • Failing to specify whether a certification is to ISO 9001:2000 or to a 1994 version of ISO 9001, ISO 9002 or ISO 9003. This failure invites confusion between the new and improved 2000 version and the older standards which it has replaced.
  • Giving the false impression that ISO 9001 is a product quality label, or that ISO 14001 is a label signifying a "green" or "environmentally friendly" product. This is not so. They are not product standards. The requirements of a product standard are specific to the product concerned - a child's car seat, for example, has different specifications to an office chair and standards for these two products will have correspondingly different requirements. ISO 9001 and ISO 14001 are what are known as "generic management system standards". "Generic" means that the standards' requirements can be applied to any organization, regardless of the product it makes (or whether the "product" is actually a service activity). "Management system" refers to what the organization does to manage its processes (the activities it undertakes to realize a product or a service).

When an organization has a management system certified to the ISO 9001 or ISO 14001 standard, this means that an independent auditor has checked that the processes influencing quality (ISO 9001), or the processes influencing the impact of the organization's activities on the environment (ISO 14001), conform to the relevant standard's requirements. The objective is to give the organization's management and its customers confidence that the organization is in control of the way it does things. While this confidence logically extends to the things it makes, neither ISO 9001 nor ISO 14001 contains requirements for specific products. Therefore, certifications to these standards should not be presented as product guarantees.

Compatibility of ISO 9000 and ISO 14000 families

ISO has no plans to merge the ISO 9000 and ISO 14000 families but is nevertheless sensitive to the needs of users who wish to implement both quality and environmental management systems.

Therefore, the ISO technical committees ISO/TC 176 (responsible for ISO 9000) and ISO/TC 207 (responsible for ISO 14000) have an ongoing collaboration to achieve a high degree of compatibility between the two families of standards to facilitate their implementation by users, either as side-by-side systems, or as integrated management systems.

This collaboration addresses such issues as common terminology and structure of the standards and its biggest achievement so far is the development of a joint auditing standard for quality and environmental management systems.

ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing, replaces six older standards in the ISO 9000 and ISO 14000 families. Its use will give organizations a more integrated and balanced view of their operations, making it an outstanding tool for continuous improvement towards business excellence. It is also aimed to help user organizations optimize their management systems, facilitate the integration of quality and environmental management, and, in allowing single audits of both systems, save money and decrease disruption of work units being audited.

Both the ISO 9000 and ISO 14000 families of International Standards emphasize the importance of audits as a management tool for monitoring and verifying the effective implementation of an organization's policy for quality and/or environmental management. Audits are also an essential part of activities such as external certification/registration and of supply chain evaluation and surveillance.

ISO 19011 provides a uniform approach for the auditing of environmental and quality management systems. As many organizations implement both EMS and QMS - either as separate systems or as an integrated management system - they want to harmonize and, where possible, combine the auditing of these systems.

ISO 9000 for busy managers

Welcome to the ISO 9000-specific portion of our Magical Demystifying Tour!

What is ISO 9000?

The ISO 9000 family of standards represents an international consensus on good management practices with the aim of ensuring that the organization can time and time again deliver the product or services that:

- meet the customer's quality requirements, and
- applicable regulatory requirements, while aiming to
- enhance customer satisfaction, and
- achieve continual improvement of its performance in pursuit of these objectives.

These good practices have been distilled into a set of standardized requirements for a quality management system, regardless of what your organization does, its size, or whether it's in the private, or public sector.

Why should my organization implement ISO 9000?

The existence of an organization without customers, or with dissatisfied customers, is in peril! To keep customers - and to keep them satisfied - your product (which may, in fact, be a service) needs to meet their requirements. ISO 9000 provides a tried and tested framework for taking a systematic approach to managing your business processes (your organization's activities) so that they consistently turn out product conforming to the customer's expectations. And that means consistently happy customers!

How does the ISO 9000 model work?

The requirements for a quality system have been standardized - but most of us like to think our business is unique. So how does ISO 9000 allow for the diversity of say, on the one hand, a "Mr. and Mrs." enterprise, and on the other, a multinational manufacturing company with service components, or a public utility, or a government administration?

The answer is that ISO 9000 lays down what requirements your quality system must meet, but does not dictate how they should be met in your organization - which leaves great scope and flexibility for implementation in different business sectors and business cultures...as well as different national cultures.

What if my organization implements ISO 9000?

The organization should itself audit its ISO 9000-based quality system to verify that it is managing its processes effectively - or, to put it another way, to check that it is fully in control of its activities.

In addition, the organization may invite its clients to audit the quality system in order to give them confidence that the organization is capable of delivering products or services that will meet their requirements.

Lastly, the organization may engage the services of an independent quality system certification body to obtain an ISO 9000 certificate of conformity. This last option has proved extremely popular in the market-place because of the perceived credibility of an independent assessment. The organization may thus avoid multiple audits by its clients, or reduce the frequency or duration of client audits. The certificate can also serve as a business reference between the organization and potential clients, especially when supplier and client are new to each other, or far removed geographically, as in an export context.

Where ISO 9000 came from and who is behind it

Who?

In the ISO system, ISO standards are developed by national delegations of experts from business, government and other relevant organizations. They are chosen by the ISO members - the national standards institutes participating in the technical committee concerned - and are required to present a national consensus position based on the views of stakeholders in their country.

In 1979, a new ISO technical committee was approved: ISO/TC 176, Quality management and quality assurance. Initially, 20 member countries decided to become active participants (P-members) in the work of this new committee and another 14 countries opted to follow the work as observers (O-members). Today, the number of countries participating in ISO/TC 176 is 69, with another 18 as observers. The new committee set to work and, in 1986, had completed its first standards. Published in the early part of 1987, these standards were known as the ISO 9000 series.

Why 'ISO 9000'?

At the end of 2002, ISO had 13 544 standards in its portfolio. ISO standards are usually assigned a catalogue number automatically. When the first output of ISO/TC 176 was nearing completion, ISO was already approaching a total of some 9 000 published standards. It was realized even then that TC 176's standards would have a significant impact and so it was decided to give the series the next available round figure - 9000 - as a designation because round figures are more memorable.

What?

When ISO/TC 176 embarked on the development of generic quality management standards for worldwide application, it was able to take advantage of a substantial base of national experience, notably in the United Kingdom and in Canada. In the United Kingdom, the BS 5750 standards were well on their way to broad acceptance and, in Canada, a series of national standards known as CSA Z299 were also widely used. Other countries with well developed quality management practices, such as Japan, also took a keen interest in the work of the new committee. In addition, experience of military quality assurance specifications, such as the NATO AQAP series and US MIL-SPEC, enriched the sources from which TC 176 was able to draw.

How?

At this point, you may be wondering how you can help shape the ISO 9000 standards. In the ISO system, the business sectors most interested in implementing the eventual standards are the ones who provide experts to develop the standards. Your own interest may be such that you would like to provide input, or even participate in the work. In fact, there are channels and opportunities for you to have a say in the future development of ISO 9000. Contact the ISO member for your country for details.

Get the best out of the ISO 9000 family

The emphasis on certification tends to overshadow the fact that there is an entire family of ISO 9000 standards. This family comprises standards providing requirements, guidance, terminology and vocabulary for quality management systems, and supporting standards addressing specific issues, such as auditing.

The ISO 9000 family is presented in the free brochure, ISO 9000 - Selection and use. This is the second edition of this brochure which has been updated to take into account the publication of the ISO 9000:2000 series. It presents the main features of the revised standards, such as the merging of the familiar ISO 9001, ISO 9002 and ISO 9003 into the new ISO 9001:2000, which is now the unique certification standard in the ISO 9000 family.

However, the principal aim of the brochure is to emphasize that organizations stand to obtain the greatest value when the standards in the new core series are used in an integrated manner, both with each other and with the other standards making up the ISO 9000 family as a whole.

The brochure includes:

  • A list of the ISO 9000 quality management system standards and guidelines
  • Examples of typical applications of the documents
  • A step-by-step process to implement a quality management system
  • A brief view of the future evolution of the ISO 9000 family.

Posted on Tuesday, July 13, 2004 7:09 PM | Filed Under [ Quality & Quality Models ]
