Communicating about your management system
At the time of writing, we have reached the end of the transition period from previous versions of ISO 9001 and ISO 14001 to the 2015 edition. You have completed your transition, haven’t you?
During that time the greatest emphasis has of course been on the headline changes – such as:
- The extensive references to risk-based thinking
- The explicit requirements for process management in the Quality standard
- The life-cycle perspective in the Environmental standard
- The enhanced requirements for “Leadership” from top management
However, there were numerous other changes to requirements as ISO sought to increase the relevance of the standards and bring them into line with mainstream business planning and management. We addressed several of these topics in earlier blog articles. Another topic that we often observe not receiving the attention it perhaps deserves is Communication (clause 7.4 in various ISO certification standards). The requirement in that clause is essentially to determine the internal and external communications relevant to your management system. Your organization should determine what topics it will communicate on, and then decide what to communicate, when, with whom, how, and who is responsible for communicating.
This topic is a great example of how a management system based on the ISO standards can help organizations to deal with a wide range of issues more effectively and prevent small issues becoming much larger ones. For example, let’s consider the subject of customer complaints. Do people in your organization know who is authorised to respond to one and how? With social media in particular, a well-intentioned, but ill-judged response can very quickly make the proverbial mountain out of a molehill.
At Qudos, we generally recommend developing a Communications Plan. The process of developing such a plan is a great way to focus on what needs to be communicated about your management system and then set out how you want that to work. A template plan is included in our Quality Toolkit. A complimentary resource pack containing this template and a number of useful planning tools and sample policies is also available on request.
From an information security perspective, consideration should also be given to the classification of information to identify what can be shared with whom. For example, some information - such as marketing material - may be publicly available. Other information may be restricted to narrower groups or individuals (internally or externally). For those seeking ISO 27001 compliance, the standard requires a documented classification policy. This would typically include:
- Scope of application
- Roles and responsibilities
- A classification scheme with categories (such as 'commercial-in-confidence')
- A description of those categories (for commercial-in-confidence, that might be "Information created for or received from a client. May only be accessed internally on a need-to-know basis. May not be changed or communicated to any other external party without prior, written permission from the relevant client")
- Requirements for labelling, handling etc.
- Transfer arrangements
- Requirements for verification and conformance
An example classification policy is included in the InfoSec Policy Toolkit - available in Qudos 3 and the Qudos Club library.