What does an ISO track look like?

What does an ISO process look like? Your organization has decided to improve and go for ISO certification, but what can you actually expect?

This article was last updated on 14/5/2024.

First of all, there is a choice between setting up the required system yourself or with the support of an external party. Both paths will undoubtedly yield results, but it is important to realize that implementing a so-called management system involves a lot of work.

Step 1. GAP analysis

The starting point is a GAP analysis. This involves taking stock of the entire organization: identifying all processes, all stakeholders, and the internal and external context in which the organization operates.

Step 2. Risk Analysis

Based on a brainstorm, all possible risks (and opportunities) for the organization are identified. These are assessed and managed with the aim of reducing their likelihood and/or impact. After all, a risk is nothing more than the chance that an event with a negative impact will occur.

Step 3. Management System

The management system is the set of processes, procedures, responsibilities and documentation. Want to know which software is right for setting up an ISO management system? Also read our article "The right software for your ISO management system?".

Step 4. Awareness

An important part of implementing a management system is raising awareness in the organization. This involves informing and educating all internal stakeholders about which parts of the system are relevant to them, which helps to create support within the organization. Also read our article "Increasing Awareness? An explanation of awareness in ISO 27001 information security".

Step 5. Internal audit & board review

During the internal audit, you look for improvements in the organization's management system. Also read our article "What does an internal audit look like?".

In addition to the internal audit, a mandatory component is the management review. Here, management reviews the organization's management system at scheduled intervals to ensure its continuing suitability, adequacy and effectiveness, and its alignment with the strategic direction of the organization.

Step 6. Certification audit

Now we have arrived at the official part: the audit that verifies that the management system meets the requirements of the standard for which it is designed. This audit is always performed by a certification body, i.e. an organization appointed by the Dutch Council for Accreditation to issue certifications.

Often the audit consists of two parts:

  • The preliminary examination, which tests the organization's readiness for the certification audit; and
  • The certification audit, in which the management system is tested on a sampling basis.

After the certification audit, the lead auditor issues a positive or negative recommendation to the certification body on whether to certify the organization.

Step 7. Maintain management system

You have received the certificate and want to keep it. This means maintaining the management system. The certification cycle is three years, starting from the time the certificate is issued. A surveillance audit takes place every year, with a recertification audit in the third year, in which the entire management system is scrutinized again.

Mathijs Oppelaar, Information Security Consultant