HOW TO ACHIEVE CERTIFICATION IN 12 WEEKS GUARANTEED!

HOW TO ACHIEVE CERTIFICATION IN

12 WEEKS... GUARANTEED!

eBook prepared byISO Certification Expertswww.isocertificationexperts.com.au

2

How to achieve Certification in 12 weeks... Guaranteed!

eBook byISOCertificationExperts

www.isocertificationexperts.com.au

https://isocertificationexperts.com.au/certification-process/certification-readiness-guarantee/

3

12 Steps to Achieving Certification Diagram Forward (Essential pre-reading)Introduction (Pre-work)

Chapter 1: Getting to know your businessChapter 2: Business PlanningChapter 3: Plan your Management SystemChapter 4: Start Developing your Management System DocumentationChapter 5: Start Implementing, with training and coachingChapter 6: Set up your monitoring and measuring toolsChapter 7: Provide further training, now that your system is fully up and runningChapter 8: Decide upon your CAB and book in your Stage 1 and Stage 2 Certification AuditsChapter 9: Internal AuditsChapter 10: Management ReviewChapter 11: Stage 1 AuditChapter 12: Stage 2 Audit

Conclusion - Achieve Certification!

459

101223252829313335383941

43

Table of Contents


4

12 Steps to Achieving Certification

AchievingCertification

Start Implementing,with training and coaching 5

Set up your monitoring and measuring tools

6

Provide further training,now that yoursystem is fully

up and running

7

Decide upon yourCAB and book

in your Stage 1 and Stage 2 Certification

Audit

8

Business Planning

2

Start Developing your Management

System Documentation

4

Stage 2 Audit

122

Stage 1 Audit11

1

Plan yourManagement

System

3

ManagementReview

10

InternalAudits

9

Getting toknow yourbusiness

1

12 Steps to Achieving Certification Diagram


https://isocertificationexperts.com.au/how-to-achieve-certification-in-12-weeks-guaranteed-book/?fb3d=10














5

Forward (Essential pre-reading)

Why ISO Management Standards?

ISO Management Standards are utilised in organisations all over the world. They are the trusted “best practice” guidelines for optimal organisation management, and provide the framework for continual improvement.

Becoming ISO certified means long-term benefits for an organisation, as well as customer satisfaction through ongoing enhancement of the business management processes.

ISO Standards are documents that provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.

The most commonly adopted ISO Management System Standards, which are applicable across all industries and all sizes of organisations, include:

ISO 9001:2015 Quality management systems

ISO 14001:2015 Environmental management systems

ISO 45001:2018 Occupational health and safety management systems ISO 27001:2013 Information security management systems

Why Certification? The key reasons to become certified to an ISO Management System Standard could be any one or more of the following:

• A customer requires you to have Certification to do business with them• To improve your marketing edge • To boost customer confidence• To reduce insurance premiums• For business improvement• To satisfy tender requirements

Certification means that the Management System of a business is certified to one or more Management Standards. Businesses certified to ISO Standards within Australia and New Zealand operate Business Management Systems which are recognised world-wide.

ISO (the International Organisation for Standardisation) is an independent, non-governmental organisation, based in Geneva, Switzerland. It is the world’s largest developer of voluntary international Standards and facilitates world trade by providing common Standards between nations.

Certification proves to the outside world that you’re serious about making excellence a part of your daily work practices - performing better, reducing risk and achieving sustainable growth.


6

Over time, Certification can actually improve the value of a business by providing the framework for consistent delivery of products and services, with built-in continual improvement mechanisms to make it truly sustainable over the longer term. Certification is sometimes the only point of difference against your closest competition when tendering for work; and it can often be a contractual requirement imposed by your clients. Compliance versus Conformity Compliance means an obligatory commitment to comply with, for ex-ample, legal, regulatory and statutory requirements for performing a particular business activity.

Conformance is an organisation’s choice or non-obligatory commitment to achieve an ISO Certification, for instance. Different types of audits Internal Audit is a type of audit performed by an organisation on its own systems and processes.

It is often called a First Party Audit and is usually conducted by someone within the organisation, although sometimes a contractor may be employed. This is a great opportunity for the business to improve their systems, and the effectiveness of their management system.

External Audits are divided into Second or Third Party Audits.

Second Party Audits are usually conducted on a supplier by someone who has an interest in the organisation under the contracted conditions. This process ensures that this interested party meets the contracted obligations.

Third Party Audits occur when an organisation decides to engage an independent (Certification) company to verify that the requirements of a particular set of criteria (ie, a Standard) have been met. This is initiated by an organisation’s decision to conform to the particular Standard.



7

What is a Business Management System?

A Business Management System is a set of documented information, including policies, procedures, and processes, used in developing and deploying the organisational strategies, and all associated operational and management activities.

The importance of the Plan-Do-Check-Act (PDCA) cycle

Implementing the Plan-Do-Check-Act (PDCA) cycle, with a focus on risk-based thinking, supports achieving effective management of processes and of the management system.

The numbers in brackets represent the clauses of the ISO Management Standards.

The PDCA diagram can be explained as follows:

• Plan: set up the main objectives of the system and processes together with the required resources to meet customer requirements, the policies applicable to an organisation, and identify and assess the risks and opportunities

• Do: implement the planned objectives

• Check: the processes and impacted products and services have to be monitored and measured against applicable requirements, objectives and policies, followed by reporting the results

• Act: improve the performance


Support (7),Operation (8)

PerformanceEvaluation (9)

Improvement (10)

Planning (6) Leadership (5)

Quality Management System (4)

Organisation and its context (4)

Customerrequirements

Needs andexpectations ofrelevant interestedparties (4)

Customersatisfaction

PLAN DO

CHECKACT

Customerrequirements

Productsand services


8


What is the Process Approach?

The adoption of a process approach is crucial for a business when implementing, and continually improving the effectiveness of, a Business Management System.

When business activities and resources are managed via a defined process, the desired outcomes are achieved more efficiently, more consistently and predictably, and at a lower cost, optimising the overall performance of the organisation.

Often the output from one process directly becomes the input into the next process – this interaction between the business processes is referred to as the process approach.

Risk-based thinking

Risk-based thinking is an essential part of achieving an effective Business Management System. An organisation needs to develop a plan with appropriate actions addressing the risks and opportunities. This will ensure continually increasing effectiveness of the Business Management System with the aim of achieving enhanced results and preventing negative impacts.


9

Introduction (Pre-work)

Introduction Making the strategic decision to “meet the requirements of ISO Management Standards” can improve the organisation’s overall performance and provide a stable ground for continual improvement. In order to make the right decision, it is essential to consider your business requirements.

Expert Advice:

Unless you have an in-house competent management systems expert, it can work out less expensive, more effective and more efficient to engage an expert management consultant from a credible company to assist you with the initial development and implementation process…

Firstly, you need to decide which Standard(s) you would like to get your business certified to.

Secondly, you should think about the scope of business activities covered by the management system. The organisation’s scope defines the boundaries and applicability of the management system. If your business has several locations / sites, different operations and activities, you need to identify which ones will be covered by the management system, and included in the certification.

Then you need to decide when you would like to achieve certification. Your industry may request you to meet the requirements of the Standard(s) by a certain time. Therefore, it is vital to know the timeframe for effective development and implementation of your Business Management System.

It’s also important to consider whether you’ll need assistance from an external consultant, such as ISO Certification Experts, and what to look for when seeking a consultant. You may already have a designated person in your organisation who’s experienced and competent to take responsibility for the Business Management System. If not, you might engage an external management consultant who will facilitate the process of preparing your business for certification readiness and provide ongoing support (i.e. internal audits, attendance at your surveillance audits etc.). When looking for a consultant, you should ask for:

• their professional profile, to review their qualifications, overall experience and experience in your industry

• details about other similar projects they’ve completed and if they were successful

• their location and availability for the duration of your initial project, and ongoing

• fixed costs for your initial project, up to certification readiness



https://isocertificationexperts.com.au/certification-process/achieving-and-maintaining-certification/


















10

You need to know where you’re starting from.

This means conducting an initial review of your existing business management and operational processes. This will involve reviewing your existing documented business information (templates, forms, procedures, policies, manuals, reports, etc.), current systems, services, products and the way you operate.

If you think that, as a result of this initial review, you already have the majority of the required documentation and implementation activities in place, ISO Certification Experts can assist you by conducting an initial Gap Analysis to identify how well you conform to the requirements of the Standard(s). In this instance, we will provide you with a full report and comprehensive list of “gaps” that need to be fulfilled to meet all the requirements of the Standard(s). If you think you’re close, this approach takes less time than developing the management system from scratch.

The organisation also needs to identify its key stakeholders and other interested parties (internal and external), and their interest in the effectiveness of your Business Management System.

Each Management System Standard goes on to provide generic examples of Interested Parties – these are presented in the table below:

Chapter 1: Getting to know your business


Simply identifying the interested parties is not enough. It’s important to identify the requirements of these interested parties relevant to your management systems, as well as your existing business processes, in order to address their requirements, as well as prioritising them.


11

You should end up with something like the example below – but create a framework that suits your own needs.


A further enhancement to this process can be identification of the Power/Interest ranking criteria (as shown below) for each interested party.


12

Chapter 2: Business Planning


Effective business planning is conducted across a variety of activities, including:

• PESTEL Analysis• SWOT Analysis• Risk Assessment• Opportunities Assessment• Development of an Objectives and Targets Management Plan• Defining the core business processes, their sequence and interactions

PESTEL Analysis

A PESTEL Analysis is a framework or tool used by marketers to analyse and monitor the macro-environmental (external marketing environment) factors that have an impact on an organisation.


13

PESTEL stands for:

Political Economic Social Technological Environmental Legal P – Political Factors

• The current and potential influences from political pressures• How and to what degree a government intervenes in the

economy

E – Economic Factors

• The local, national and world economic impact• Economic growth, interest rates, exchange rates and the

inflation rate

S – Social Factors

• The ways in which changes in society affect the organisation• Cultural aspects, health consciousness, population growth rate,

age distribution, career attitudes and emphasis on safety

T – Technological Factors

• How new and emerging technology affects the organisation• Research and development activity, automation, technology

incentives and the rate of technological change

E – Environmental Factors

• Local, national and global environmental issues• Ecological aspects such as weather, climate, and climate change

L – Legal Factors

• How local, national and global legislation affects the organisation

• Discrimination, consumer, antitrust, employment, health and safety laws etc.

After you’ve completed a PESTEL Analysis, you should be able to use the outcomes to help you conduct a more meaningful SWOT Analysis.



14

SWOT Analysis


Expert Advice:

Use this free information to “go it alone” or contact us to arrange a no-obligation Free Strategy Session with one of our experts. It’s up to you…

The external and internal issues that are relevant to an organisationand could influence the outcomes of the Business ManagementSystem are identified through the SWOT Analysis process.

The point of a SWOT Analysis is to help you develop a strongbusiness strategy by making sure you’ve considered all of yourbusiness’s strengths and weaknesses, as well as the opportunitiesand threats it faces in the marketplace.

SWOT stands for:

StrenghtsWeaknessOpportunitiesThreats

Strengths and weaknesses are internal to the business (reputation,patents, location etc). You can change them over time but notwithout some work.


https://isocertificationexperts.com.au/certification-process/certification-readiness-process/













15


To get the most complete, objective results, a SWOT Analysis is bestconducted by a group of people with different perspectives andstakes in your business.

Existing businesses can use a SWOT Analysis at any time to assessa changing environment and respond proactively. In fact, it’srecommended to conduct a strategy review meeting at least once ayear, including a SWOT Analysis.

Example SWOT Analysis

Opportunities and threats are external (suppliers, competitors,prices) - they are out there in the market, happening whether youlike it or not. You can’t change them.


16

Risk Assessment

The weaknesses and threats identified during the PESTEL/SWOTAnalysis process form the basis for a Risk Assessment. The RiskAssessment identifies potential hazards and associated harm foreach task or scenario relevant to the business.

For each scenario:

• existing risk controls are described• the level of current risk is rated• additional controls required are identified • the risk is rated to achieve the value of the residual risk

Assessing the risk is most effectively carried out in a teamenvironment with the people required to complete the activity orprocess.

Most activities or processes are broken down into a variety ofseparate tasks. For each task, it’s important to consider the hazards,the potential harm or negative outcomes and the conditionsrequired for those negative outcomes to occur.

Whenever assessing the risks associated with a task, the followingprimary risk factors should be considered as a minimum:

• The physical activities required to complete the task e.g. repetitive movement, high force, physical exertion, awkward posture

• The work environment e.g. lighting, work layout, traffic, thermal comfort, working in isolation

• The nature of the hazard itself e.g. working with chemicals, micro-organisms, radiation, machinery, potentially violent clients

• The individual workers involved, e.g. level of training, skills, experience, health, age, physical capacity

Control the Risks

Establish suitable risk control measures for the highest priorityrisks with reference to the Risk Assessment. For example, if theassessment finds that poor lighting in the area is a risk factor, thenthe lighting should be improved as a risk control.


New businesses should use a SWOT Analysis as part of theirplanning process. There is no “one size fits all” plan for yourbusiness, and thinking about your new business in terms of itsunique “SWOTs” will put you on the right track right away, and saveyou from a lot of headaches later on.


17

When considering risk control options, it is essential thatsupervisors and managers consult with workers directly involvedin the process. These experienced people typically have good,practical ideas about suitable risk control measures. Gainingtheir ownership and commitment to the chosen risk controls isalso essential to attaining acceptance for the use of the controlmeasures.

The following range of risk control measures should be considered.Known as the “hierarchy of hazard control”, these are listed inpriority order ie., the most effective is listed first, with less effectiveoptions listed lower. The highest practical levels of risk controlshould be chosen. A combination of higher and lower level riskcontrols is usually desirable.

1. Eliminate the hazard or task if the risks outweigh the potential benefits.

2. Substitute the hazard with something less hazardous e.g., substitute a toxic substance with another that is non-toxic.

3. Isolate the hazard by using barriers or distance eg., put insulation around noisy equipment.

4. Use engineering controls, such as local exhaust ventilation to remove dust/fumes, or automate the process.

5. Minimise the size or volume of the hazard and the duration of exposure to the hazard.

6. Rearrange the work area and work flow eg., have deliveries made to the end-point to avoid re-handling, intersperse repetitive activity with different tasks to avoid overuse injuries etc.

7. Establish Safe work practices, such as restricting access to



18

the area, keeping the area free of clutter, being prepared for emergencies e.g., spills, and prepare and use safe work method statements for hazardous tasks.

8. Provide Training and supervision appropriate to the level of expertise of the personnel involved. As a minimum, this would include familiarisation with local hazards and their control, safe work methods and emergency procedures.

9. Wear personal protective equipment (PPE) such as robust footwear, gloves, laboratory coats, safety glasses, ear plugs/ muffs, dust masks etc., as a secondary measure to supplement the other agreed risk controls.


The Risk Assessment methodology recommended by ISO Certifica-tion Experts follows the DMAIC Improvement Cycle which is a data-driven quality strategy for improving processes, and also an integral part of the Six Sigma method.

Six Sigma is a method that provides organisations tools to improve the capability of their business processes. This increase in perfor-mance and decrease in process variation helps lead to defect reduc-tion and improvement in profits, employee morale, and quality of products or services. DMAIC is an acronym for five interconnected improvement cycle phases:

Define - the problems, improvement activities, opportunities for improvement, the objectives, and customer (internal and external) requirements

Measure - the initial conditions and process performance in terms of the principle “what I don’t measure, I can’t control”

Analyse - the facts, causes of deficiencies and causes of variations

Improve - key phase of the whole cycle, in which the improvement is based on analysed and measured facts - addressing and eliminating the root causes

Control - the improved processes and future process performance

The information gathered from the Risk Assessment process should be used to develop the appropriate control requirements identified.


19


An Example of a Task/Scenario within a Risk Assessment Report & Imple-mentation of Additional Risk Controls

Example Review Schedule

The chosen risk control measures should be implemented as soon as possible. Assign responsibility to an appropriate worker and set a due-by date for implementation. The person responsible for implementing the risk control measures should inform those who were consulted during the decision-making process about any subsequent changes to plans and progress to-wards completion. Sometimes, the most ideal risk control options may be prohibitively expensive and need to be planned for in the longer term, e.g. in next year’s budget. In these cases, short term and medium term risk con-trol measures (implemented within one week and 3 months respec-tively, for example) should be established for the interim period.



20

Risk Matrix

The purpose of assessing on both Likelihood and Consequence is to manage risks before they become issues. However, if a risk has even-tuated, then only the Consequence is relevant when rating the issue.

Example Risk Matrix


Insignificant

AlmostCertain

Likely

Moderate

Unlikely

Rare

1

1

2

3

4

5

2 3 4 5Minor Significant Major Severe

Medium5

Medium4

Low3

Very Low2

Very Low1

Medium8

Medium6

Low4

Very Low2

High12

Medium9

Medium6

Low3

Very High16

High12

Medium8

Medium4

Extreme20

Very High15

High10

Medium5

10 15 20 25High Very High Extreme Extreme

LIK

ELIH

OO

DCONSEQUENCE

Wha

t’s th

e ch

ance

of

the

risk

occu

rrin

g?How severe could the outcomes be if the risk event occurred?

Example Consequence Guidelines

Example Likelihood Guidelines

Chance

Is expected to occur inmost circumstances

Has occurred 9 or 10 times in the past 10 years in this organisation or circumstances are such that will almost certainly cause it to happen

>95%

>65%

>35%

<35%

<5%

Occurred more than 7 times over 10 years in thisorganisation or in other similar organisations orcircumstances have such that it is likely to happenin the next few years

Has occurred in this organisation more than 3 timesin the past 10 years or occurs regularly in similarorganisations or is considered to have a reasonablelikelihood of occuring in the next few years

Has occurred 2 or 3 times over 10 years in thisorganisation or similar organisations

Has occurred or can reasonably be considered tooccur only a few times in 100 years

Will probably occur inmost circumstances

Might occur at sometime

Could occur at sometime

May occur only in exceptional circumstances

Frequency Probability

LIK

ELIH

OO

DW

hat’s

the

chan

ce o

f the

risk

occ

urrin

g? 5. Almost Certain

4. Likely

3. Moderate

2. Unlikely

1. RareExam

ple

Like

lihoo

d G

uide

lines


21

Objectives, Targets and Management Plan

The strengths and opportunities identified during the SWOT Analysis process can be transformed into Business Objectives and Targets, which will ensure that all opportunities are explored to achieve busi-ness growth and maximise rewards.

The Objectives and Targets should be defined across many areas of the business. The measurement tools, required actions, responsible person, target date and required resources should be defined for each Objective and Target.

The review of the Objectives & Targets should be conducted at least annually (usually during the Management Review Meeting) with monitoring of progress throughout the year.

Example Objectives, Targets and Management Plan


Defining the core business processes, their sequence and interactions

The core business processes can be defined by the project team spending time with each “process owner” to identify and document the processes they’re responsible for. This can be conducted, for ex-ample, by mapping all core processes in the form of flowcharts to simplify the process and to make it easy to understand. This can sometimes replace using the wordy / lengthy procedures that no one reads.

An example of identification of the core processes could be mapping the business development, customer order, purchasing, design, pro-duction, and on-site delivery processes.


22

Once the individual core processes have been identified, the se-quence and interaction between them can be defined.

For a better understanding of the sequence and interaction of the processes, please refer to the examples below.


Example Sequence and Interaction of the Business Processes diagram for a Construction Company:

Example Sequence and Interaction of the Business Processes diagram for a Consulting Company:


23

The business planning activities will provide a great level of detail about the context of your organisation, leading into successful planning of your management system.

Our approach is to take the findings from the business planning phase, with reference to the identified control measures and action items required to improve your day-to-day business operations, followed by making reference to the specific requirements of the chosen Standard(s), to decide where the gaps are for your business requirements as well as the Standard(s) requirements.

We also then consult with relevant staff in the areas of the business where improvements are required, to get them on board for their input. Each individual may have their own way of working, using certain templates, checklists and forms which might be useful for us to share with the wider organisation, and adapt the way you do business with the requirements of the relevant Standard(s). It’s a very healthy exercise for any organisation to conduct - especially in a business that hasn’t really defined / finalised their organisation structure or the individual roles and responsibilities, as it will bring more clarity in these areas.

As much information and current business documentation as possible needs to be shared, so the most meaningful results can be achieved for your Business Management System - reflecting the way you do business.

Next you’ll need to map out your current business folder structure, servers, cloud-based systems or hard copy documents that you may have in place to come up with a better solution, meeting all your business needs, and the requirements of the Standards, providing better clarity and simplification. For instance, it’s crucial to know how to supersede / archive the outdated documents to ensure there is only the most recent version of the document available for the relevant staff. It’s also important to decide about the access rights and restrictions to the folders that may include sensitive data.

Once the structure of your Business Management System is identified, the required documentation that needs to be developed has to be decided upon, to meet the requirements of the Standard(s). We suggest to make the Business Management System folder structure as simple as possible (see the example picture below):

Chapter 3: Plan your Management System



24

To identify and capture each document of your Business Management System, create a standalone register tracking the documents in separate tabs to group, for example, the policies, procedures, templates, business planning documentation etc., with each document’s individual number/shortcut, document name, its version date, status, responsible person, next review date and the relevant comments. An example register can be seen below.


Now you’re ready to start developing your Business Management System documentation.

Expert Advice:

By working with professionals who have done this many times before, you can get this next critical and challenging phase done much easier by taking advantage of their experience and expertise.


















25

One of the first steps in the development of your Business Management System documentation is making a decision about your current business logo and the format used throughout all documentation. Once the template of your documentation is ready for use, creating your documents can begin.

Starting with the Business Management System Manual is the best way to kick off your management system documentation development:

a. You can clearly describe your management system overview, mentioning what is required and what is in place.

b. Defining your business scope is key for transparent and clear clarification of your business objectives and requirements.

c. The business overview should contain all of the most important points about your business such as the strategy, vision, values, management and governance etc.

d. Identification of the core business processes, their sequence and interaction can further clarify and bring together the scope and overview information.

e. A section on risk management describes how you identify, assess and prioritise the risks throughout the processes of SWOT Analysis, Risk Assessment and setting the Business Objectives and Targets and Management Plans.

f. The organisation chart displays a reporting or relationship hierarchy. It is usually a diagram with the names and positions to clarify roles and responsibilities.

g. A section describing the location of each type of management system document and which systems are in place is helpful as a reference, to finish off the Manual.

Chapter 4: Start Developing your Management System Documentation



26


Company policies should be designed to embrace the organisation’s dedication to continuous improvement to meet customer requirements.

The aim of having the policies is also for the protection of workers rights and the business interests of employers.

All the appropriate policies have to be in place in order to meet the requirements of the relevant Standard(s), as well as to comply with regulatory and industry requirements.

Procedures outline the responsibilities and guidelines for the business processes. All the processes that have an impact on the operation of the business should be documented. They can be divided into several categories such as Administration, Service, Management, Marketing, Logistics, Warehousing, for example.

Registers capture a set of data and often provide the input to data analysis. The types and number of registers varies depending on the activities of the business and the level of automation in capturing data across the business. Examples include a Summary of Business Management System Documentation, Legal and Other Requirements Register, Internal Audit Schedule, Training and Competency Matrix, and so on.

Templates should be available as tools for recording and controlling business processes. They can be used, for example, to keep records of conducting internal audits, employee inductions, performance reviews, minutes of meetings, incident reports, and so on.

The Reference Library section of your Business Management System would usually consist of the external documents (ie. documents not created by your business) that you make reference to as part of conducting your business processes. It could include Standards, legislation, codes of practice, specifications, guidelines etc.

Expert Advice:

You’re the Expert at what you do, so continue spending your time on what you do best - “running your business”. Let us spend our time on getting you Certification Ready - “Guaranteed”...


















27

Business Planning documentation can include, for example, records of Interested Parties Analysis, SWOT Analysis, Objectives and Targets, Management Plans and Risk Assessments. These are the key documents that identify the business objectives, targets, risks and opportunities for improvement.

The development of the business process documentation will continue throughout weeks 5, 6, 7 and 8.



28

Chapter 5: Start Implementing, with training and coaching

Chapter 5: Start Implementing, with training and coaching

Certification can only be achieved with everyone on board. As you kick off implementation across the business, everyone needs to adapt to meeting the requirements, and provide valuable feedback for continual improvement.

Now that the documentation is completed, it’s up to everyone within the organisation to start utilising the new documents and get engaged in implementing the processes, but first the newly developed documentation needs to be reviewed by top management and also by the person responsible for the process.

If, after this final review, it’s found that the process isn’t accurate, now is the time to update the documentation to more accurately reflect the actual process. It’s really important that the documents are established based on the actual business practices, and that the instructions can be followed easily. It’s even more beneficial when the process is reviewed by more than one person, as everyone tends to have their own way of working. This will ensure the process is explained in a way that’s understood by all people who need to implement it.

Introducing the new system to all workers is essential, and it can be conducted through a formal awareness training session (see Chapter 7) and/or one-on-one coaching, so all workers are familiar with and confident to use the new documentation, and are familiar with its location.

Successful businesses today are facing constant change - the ISO Management Standards provide the framework for change management via continual improvement.

Undertaking this process provides structure and consistency across the business to launch further growth. The Business Management System documentation will evolve and change over time with the changing needs of the business, and the ownership and responsibility for each process should be spread across the workplace with individual “process owners” so the entire workload doesn’t lie with any one individual.

Expert Advice:

12 weeks or more is a long time to waste so “getting it right the first time” can be a big time and money saver for you - ISO Certification Experts offers you a “Certification Readiness Guarantee”...


















29

Chapter 6: Set up your monitoring and measuring tools


Measurement, monitoring, analysis and evaluation are critical for assessment of the Business Management System performance, to ensure that all elements of the management system are performing as planned and the target results are being achieved.

Monitoring can be defined as a continuous observation of a process, system or activity for a specific scope, whilst maintaining records of the observation. Measuring is used to determine the actual value of the process parameter in scope.

Planning of monitoring and measuring processes should identify the following elements:

• processes to be monitored and measured• specific parameters (e.g. batch loads, frequency, conditions, etc.)• who is responsible for the process• equipment or software required• monitoring and measuring techniques• performance criteria• how will the results be documented • actions for closing out any nonconformities

Data analysis and evaluation can be completed by using various statistical techniques, depending of the type of data. For example, Root Cause Analysis, Fishbone diagram (A Cause and Effect Diagram), Scatter Diagram, and many others. The results of the monitoring and measuring need to be compared to the expected planned results and the process needs to be corrected if the results don’t meet the planned expectations.

Trying to monitor and measure all aspects of the Business Management System might be costly and would result in data overload. A risk-based approach will help to identify “what, when and how” to monitor and measure. For example, you could consider the impact of a process on the product conformity and if the impact is critical, define the monitoring and measurement tools and complete the analysis and evaluation of this process.

A good example of monitoring and measuring the Business Management System Performance which is relevant to the majority of organisations is monitoring, measurement, analysis and evaluation of Customer Satisfaction.


30

One of the main objectives of ISO 9001:2015 is ensuring that customer needs and expectations are being met. So how do you find out if your customers are satisfied? You need to determine the methods for monitoring and measuring the information relating to customer satisfaction. You should monitor customer satisfaction of your internal and external customers.

Some options to collect this information can be via customer surveys or meetings with customers. You need to define the right questions which will provide you with valuable data once the customer completes the feedback / survey / meeting appointment. You need to evaluate the data and analyse the results. Monitoring of trends in customer satisfaction will provide you with a baseline for continuous improvement.



31

Chapter 7: Provide further training, now that your system is fully up and running


Now that your Business Management System is fully up and running, it’s time to provide further training to ensure everyone knows how to use it. It’s important to educate everyone on the new system, as it’s now up to everyone to fully utilise it to make the most of its effective use.

The training could include topics such as:

Remember that the Certification Readiness Process started from the initial identification of the business goals and Standard(s) to be certified to, to identifying the starting point, conducting a Gap Analysis (if required), and creating a Certification Readiness Plan, which all lead to this point of final system implementation.

The Process of Achieving and Maintaining Certification includes:

• why there is a need for implementing the requirements of ISO Management Standards and the benefits to the business

• an overview of the system format and file locations• the objectives, targets and management plans set by the

business• newly implemented monitoring and measuring and

related requirements• the certification readiness process• the process of achieving certification, its stages and

maintaining it

• Selection of a Conformity Assessment Body • Stage 1 Documentation and Readiness Review • Stage 2 Implementation and Certification Audit • Achievement of the Certification!• Year 1 Surveillance Audit• Year 2 Surveillance Audit• Year 3 Re-Certification Audit

(followed by annual Surveillance and triennial Re-Certification Audits).


32

Going through the individual phases of the project (as listed below) will help with understanding the importance of the system:

• Business Planning activities - initial review of the existing Management and Operational Processes, identification of the business core processes, identification of the business stakeholders, SWOT Analysis, Risk Assessment and creating the Objectives and Targets Management Plan

• Developing the management system - Business Management System manual, policies, procedures, template forms and registers

• Implementation - awareness training for management and staff, developing a risk-based Internal Audit Schedule, conducting the internal management system audits and a management review meeting

It’s vital to emphasise the importance of risk-based thinking and business management principles, as well as provide an overview of expectations for participation and the short to medium term management activities, as outlined below.

At this stage it’s just the beginning of the journey. Effective implementation can only be achieved with everyone on board. There is also a need for participation in the Internal and External Audits.

After certification has been successfully achieved, the ongoing improvement of the management system can commence, facilitated by regular internal audits. The internal audits can be divided into relevant business areas (For example, Manufacturing; Customer Service; Administration; Marketing) starting with the areas that are most critical to business success (ie, the highest risk business processes).

Management Review of the organisation’s Business Management System should be conducted at least annually. However, it’s recommended that Management Review is conducted at least twice per year for the first couple of years while the system is getting up and running.

Expert Advice:

Internal Training is extremely beneficial to any business. It can be easily implemented with the assistance of a training frameworkdeveloped by an external expert.




https://isocertificationexperts.com.au/our-services-2/consulting/















33

Chapter 8: Decide upon your CAB and book in your Stage 1 and Stage 2 Certification Audits


All developed countries and most developing countries have Accreditation Bodies that are either part of governments or recognised by governments. In Australia and New Zealand, the governments established the Joint Accreditation System of Australia and New Zealand (JAS-ANZ) for the accreditation of Conformity Assessment Bodies (CABs).

CABs are organisations that provide certification to Business Management System Standards. They conduct the third-party audits to ensure the business meets the certification requirements of the Standard(s) and they hold the licence to issue the certification certificates.

These relationships are illustrated in the following diagram:

After completing all the above steps mentioned in chapters 1 to 7, your Business Management System should be ready for the certification process. However, it is recommended to conduct a full round of internal audits and a management review meeting before your Stage 1 Audit. This way you’ll have a chance to go through everything that’s been developed and check how it actually works in real life.


34


When selecting your Conformity Assessment Body (CAB), it’s important to ensure they have appropriate knowledge of your industry and the work you do, are realistic and take a value-adding approach.

You can obtain free quotes here from several CABs for your comparison. Then it is up to you which is the most suitable for your business. When comparing CAB’s, you should consider:

• checking they are listed on the JAS-ANZ Register• relevance to your industry• competitive pricing• travel and other incidental expenses - check they have auditors in

your city• experience and reputation• the CAB’s Certification Logo, which will be displayed next to your

logo

A CAB is responsible for providing a competent auditor who is certified and has industry-specific experience. To ensure you will be satisfied with your auditor you can always request a copy of their professional profile which can make your decision-making process easier. It’s best to book the CAB early to achieve your target date for certification, as they are sometimes booked up a few months in advance.

Expert Advice:

Choosing the “right fit” Conformity Assessment Body for your business can make the whole process much easier.

ISO Certification Experts offers free, independent, no-obligation quotes from CABs appropriate for your business.


https://isocertificationexperts.com.au/get-a-free-quote/

http://www.jas-anz.org/accredited-bodies/all


https://isocertificationexperts.com.au/our-services-2/certification/ Page




















35

Chapter 9: Internal Audits


The key objective of the Internal Audit process is to provide assurance that the organisation’s processes are operating effectively and are conforming to the requirements of the ISO Standard(s).

The Internal Audits can identify any deficiencies of the Business Management System. A well-implemented internal audit process can be one of the greatest contributors toward continuous improvement of the management systems and the business.

Audit Planning

Internal Audits need to be scheduled at regular intervals, taking a risk-based approach, and ensuring that all processes are audited at least once every three years. However, for the first couple of years, we recommend all processes are audited at least once every year. Taking a risk-based approach means that higher risk processes, or processes with more frequent issues, are audited more often than the others.

Example Internal Audit Schedule

Internal Auditor Selection

The Internal Auditors need to be trained and deemed competent to conduct internal management system audits. There also needs to be objectivity and impartiality of the audit process. This means that the auditors cannot audit their own work.


36

If utilising internal business resources for Internal Audits, each Auditor needs to be trained and deemed competent, and there needs to be at least two auditors available, and from different areas of the business.

In many cases, having two impartial auditors might not be possible, and in this instance the use of an external resource should be considered.

Audit Criteria

The Audit criteria needs to be defined for each audit. This can be detailed in the Audit Plan, and confirmed in the Audit Report. When conducting the Internal Audit, the criteria can be in the form of a checklist with predefined questions, or a copy of the process being audited with a list of questions to be verified. Any previous issues related to the audit scope also need to be checked.

The audit criteria needs to be communicated with the auditee prior to the audit, usually via an Audit Plan.

Conducting the Internal Audit

The audit should start with an opening meeting, where the auditor summarises the audit scope and expected timetable. The auditor also talks about the confidentiality of the whole process as well as the fact that the audit is just a sampling process, as it is impossible to review everything in such a short timeframe.

The auditor should follow the Audit Plan, covering all areas and systematically working through the checklist or the process, whilst reviewing the evidence presented and taking notes. The findings (e.g. C - conforming, OFI - opportunity for improvement, NC - non-conformance) should be discussed with the auditee and recorded during the audit. The key focus is to gather the evidence that the process is functioning as defined in the management system and is effective in delivering the required outcomes.

The audit should finish with a closing meeting, where the auditor summarises and discusses each of the audit findings to ensure that they are understood and that there are no surprises about the outcome when the auditee receives the report.



37

Audit Report

The Audit Report should contain a summary of the findings and the completed audit checklist, including the notes of evidence reviewed and personnel interviewed. The Audit Report needs to be communicated to the relevant managers of the area being audited, as well as the senior management team.

Following up and Closing out the audit findings

The findings raised during the audit should be recorded in the Issues Register (or similar) and addressed with the appropriate corrective action, resulting in resolution of the issue.

During the next audit the auditor should verify that the corrective actions have been completed and the implementation is effective. If any of the issues remain open, it is usually followed up by a discussion with the intention to have the problem resolved as soon as possible.



38

Chapter 10: Management Review

Chapter 10: Management Review

Management Reviews are structured meetings of the organisation’s top management that take place at regular intervals.

As opposed to the management meetings that cover areas such as sales, operations, and other day-to-day matters, the formal Management Review meetings focus on the requirements of the Business Management System, covering all topics required by the Standard(s).

The main objectives of the Management Review are to determine and evaluate the performance and effectiveness of the Business Management System, review the suitability of business policies and business objectives, and identify the need for change and improvement. Regular Management Review meetings ensure that top management are made aware of the changes, updates and revisions of the management system.

The inputs for Management Review should include the following agenda items:

• Previous management review action items• Summary of business changes since the last meeting and how

they affect the Business Management System• Any changes in external and internal issues relevant to the

Business Management System (e.g. Organisation changes, Process changes, Regulatory changes, Markets changes, etc.)

• Risks and Opportunities• The extent to which the objectives and targets are being met• Setting of the business objectives and targets (annually)• The adequacy of resources• Internal and External Audit results • The performance of external providers• Trends in incidents, non-conformities and corrective actions• Trends in customer satisfaction and feedback from relevant

interested parties• Trends in performance of the business processes • Trends in monitoring and measurement results• Other discipline-specific items such as safety management

performance, environmental management performance etc, depending on which ISO Standard you’re working to

The outputs of the Management Review should include the summary of decisions and required actions for identified opportunities for improvement, resource needs and any need for changes to the Business Management System.

The Management Reviews need to be documented (e.g. Meeting Minutes), distributed to all appropriate personnel and must be made available to third party auditors.


39

Chapter 11: Stage 1 Audit


Certification is a 3-year cycle, usually with audits 12 months apart, starting with initial certification which consists of two Audits: Stage 1 and Stage 2.

Stage 1 (Readiness Review) is a full review of your business processes and documented information to ensure all requirements of the Standard(s) (relevant to your business) have been met. It is an assessment of your current Business Management System, verifying whether you are meeting the chosen Standard’s requirements.

The auditor will review the Business Management System documented information, assess the site-specific aspects and communicate with workers where relevant. They will check that the objectives and targets are in place and understood. The auditors will review the scope of the Business Management System, core processes and operations, the equipment in use, the levels of controls that have been developed and any legal and other industry relevant requirements.

The internal audit schedule, the internal audit reports and the management review meetings will be reviewed too, to ensure they are being performed as planned and that the records of these activities and follow up actions are kept.

The outcome of this audit is a report, identifying any actions required prior to moving forward with the Stage 2 Conformity Audit.

A Non-Conformance (or Area of Concern) is a failure to meet a specified requirement of a Standard, which is identified during the audit process. Non-Coformances are either Minor or Major and must be resolved and closed within the designated time frame.

Major Non-Conformance can be characterised as an absence or a failure to conform to the requirements of the Standard. It could be a failure to address or implement an entire clause of the Standard, or an instance where the objective evidence reviewed raises a major concern of the capability of the Business Management System to achieve the business policies and customer satisfaction. Failure to address Major Non-Conformances (or Critical Areas of Concern) can result in non-achievement or suspension of your Certification.

Minor Non-Conformance can be a minor issue within a management system, possibly leading to a major non-conformance if it isn’t addressed within an appropriate time period. It could be that a process hasn’t yet been fully or effectively implemented, or records couldn’t always be produced during the audit to prove full implementation of a process. The issue should be investigated further, taking appropriate corrective and preventive actions, and assigning to a particular person who will be responsible for it.


40

Opportunities for Improvement (OFI) are observed areas/concerns raised during the audit. These observations may prove beneficial toward making your system more effective. Formal, written responses are usually not required; however, if you concur, effective actions should be applied. OFIs are reviewed at the next audit, in relation to your decisions and actions taken.

A successful Stage 1 Audit enables you to proceed to the Stage 2 Audit.



41



Stage 2 (Certification Audit) is an assessment conducted at your office (and project sites, if applicable) to ensure that you actually do what your processes and documented information say you do.

The Stage 2 Audit evaluates how well your Business Management System has been implemented and how effective it is. During the audit, the auditor will identify the degree of conformity with the requirements of the Standard(s), and raise any non-conformances or opportunities for improvement. If the Stage 2 audit is successful, the Business Management System will be certified. The Stage 2 Audit includes:

• All the relevant documented information demonstrating the conformity against the requirements of the Standard

• Key performance indicators such as the business objectives and targets, performance measuring, monitoring, reviewing and reporting

• Addressing the results of internal audits, management review meetings, and relevance of the policies

• Core business processes including plans and control of the operations

• Review of example project operations and documented information

The duration of the Stage 2 Audit is specified by the CAB, depending on the size of the organisation, its industry and its complexity.

Organisations don’t always achieve certification first time. This means one or more major non-conformances are raised by an auditor, and the organisation will usually have 30 days to show that the raised issue(s) have been effectively addressed. The effectiveness of addressing the major non-conformance(s) is reviewed by the auditor at additional expense to the organisation - the auditor will sometimes need to re-visit to conduct the review, but can sometimes conduct the review remotely via submitted documentation, to confirm that the organisation is now meeting all requirements.

Expert Advice:

The Auditing process is often the most stressful part of becoming Certified. Being prepared is the key to making this easier.It makes sense to work with a company that Guarantees your success.





















42

In the case of having only one or more minor non-conformances raised, the organisation can still achieve certification by showing they are working towards addressing them as soon as possible. You need to be able to show an auditor a plan for addressing a non-conformance by further investigation of the issue, assigning the issue to a particular person with a deadline and identification of the resources needed. By doing that, the auditor will be assured that the problem will be resolved properly.

Often organisations will have their consultant present throughout the Stage 1 and Stage 2 Audits to assist throughout the process, and capture all of the auditors comments so the management team can focus on the discussions and interactions throughout the audit.



43

Conclusion - Achieve Certification!

Conclusion- Achieve Certification!

Achieving ISO Certification is only the beginning…

In order to maintain your Certification, you will be required, as a minimum, to have annual audits to verify your Business Management System continues to be effectively implemented within the business.

During Surveillance Audits, the auditor will be looking for continual improvement of your Business Management System. Successful audit outcomes require continual enhancement within the workplace, evidence that you’re conducting regular Internal Audits as well as the business planning activities and the management review meetings. The Surveillance Audits are not as comprehensive or as long as the Stage 1 and Stage 2 Audits.

At the completion of three years of Certification, a Re-Certification Audit will be conducted. The Re-certification Audit is a more comprehensive version of a Surveillance Audit, sampling across the entire Business Management System. The Stage 1 Audit doesn’t need to be conducted again, providing there have been no significant changes to the Business Management System documentation or upgrades to new Standards.

Some of the benefits of ISO Certification could be:

• You want to continually improve the efficiency and effectiveness of your business operations for sustainable growth

• You want to mitigate your overall business risk (and, in some instances, Certification can reduce your insurance premiums)

• Certification to a particular Standard could be a regulatory requirement within your industry

• Certification could be required in order to tender for work above a designated dollar value

• Certification could be necessary to meet the requirements of your contracts with your clients

• Quality Certification is the most recognised way to prove to your customers that you’re serious about making them happy

• Safety Certification is the most recognised way to demonstrate your commitment to a safe and healthy workplace

• Environmental Certification is the most recognised way to demonstrate your commitment to minimising the impact your business has on the environment

Expert Advice:

Your Certification Goal has been reached. Congratulations! You can now look forward to; Being awarded that next Tender

Continuous Improvement of your Business Management and Operations

Setting and achieving your ongoing Business Goals and Objectives with a motivated team



https://isocertificationexperts.com.au/our-services-2/certification/
























Documents

HOW TO ACHIEVE CERTIFICATION IN 12 WEEKS GUARANTEED!