Guide

Demystifying the standards

Introduction

This paper looks at standards, their benefits and motivators. It canvasses the key players as well as the various options you can take on the certification journey. It outlines a step-by-step process you can follow to use the standards and – successful use permitting – get certified.

Standards

In 1987 the International Standards Organisation (ISO) released its first management system standard, the original ISO 9000. Since then, the field of management standards has increased significantly.

As at July 2022, there were more than 43 Type A management standards published by the ISO with additional standards and documentation.

Management standards are used by organisations to demonstrate that the management practices in the organisation have achieved certain quality benchmarks. All of the management standards embrace the concept of continuous improvement, which is the management practice of always examining your current processes and seeking to improve them.

The benefits of standards

Companies big and small, government agencies, educational institutions, research institutions and not-for-profits all over the world implement standards. They implement these standards to help them set themselves apart from their competitors, to demonstrate their conformance to good practices and to protect their assets, processes and information.

Here are some of the benefits that can arise from implementing standards:

Where your organisation implements a management standard:

  • You have a better understanding of what your business is about and what your business is trying to achieve.
  • You have processes in place to find things that aren’t working and improve on them.
  • You have systems in place to identify risks and either reduce the likelihood of them occurring or reduce the consequence when they do occur.

Where your organisation attains certification to a management standard:

  • You have an outwardly visible tick of approval from an independent body that certifies that you have achieved the standard.
  • Customers and suppliers have a higher level of trust in your business processes and business management.
  • You have independent, impartial, expert auditors that know your organisation and can identify relevant opportunities for improvement as your organisational maturity grows.

Where you’re a supplier organisation to an organisation that is certified:

  • You have confidence that when you supply goods/services to your client organisation, they will be effectively managed.
  • It may mean that you get paid quicker and paid correctly (especially if their certification covers their accounts payable process).

Where you’re a customer organisation to an organisation that is certified:

  • You have confidence that the services/products being delivered are being managed effectively.
  • Depending on the standard implemented, it may give you the benefit of greater assurance that the company supplying the service is going to be around next year.
  • You receive the benefit that your private information is being protected.

Motivators and drivers for certification

Not every organisation needs to be certified. There are different drivers for each organisation. It will depend on the industry sector they operate in, the clients that they have, the board’s tolerance of risk or the regulations that direct how they operate. A key driver is also competition in the marketplace.

Regulation

This is a common driver for organisations to be certified. With this driver your organisation is required to comply with certain legislation or regulation to be able to operate in the sector or deliver certain services.

Sometimes the regulations are quite prescriptive, such as the requirements for some service providers to the Australian Government to achieve certification in ISO/IEC 27001. In this particular case, the regulations also require application of certain information security controls from the Australian Government Information Security Manual.

A more familiar example is health and safety. Mining and minerals companies in Australia are familiar with OHS obligations under the Safe Work Australia Model Work Health and Safety Laws, which are given effect through legislation in each state and territory. While the exact phrasing differs, these all require that organisations operate effective occupational health and safety management systems.

For mining companies, these are often supplemented by state/territory specific regulations. For example, Western Australia’s Work Health and Safety (Mines) Regulations 2022 require that mines must operate a mine safety management system that includes performance standards for measuring mine safety, and ‘a system for auditing the effectiveness of the mine safety management system against the performance standards, including the methods, frequency and results of the audit process’.

In Western Australia – and in other states and territories – OHS authorities and the legal system understand that accredited certification to ISO 45001 is a strong indicator of a mining organisation’s overall commitment to meeting these requirements.

Competition

This is another common driver. Organisations choose to obtain certification when they see that their competitors have certification or when they perceive that certification gives them a competitive edge over the competition.

This occurred in Asia in the late 1990s and early 2000s, when many companies sought to achieve ISO 9001 – the quality standard – to demonstrate that the products they produced were built within a quality environment.

Clients

Some clients will demand that service providers have certain management standards in place. This is a way that the client obtains assurance that the service provider is protecting the assets or processes of the client.

Clients may use the demonstration of certification as a key method to select or not select certain providers in the marketplace.

Should we apply the standards, conform with the standards or seek certification in the standards?

It’s a common misconception that organisations need to be certified in the standards to reap the benefits. It’s true that to reap all of the benefits you need to achieve and maintain certification.

However, you can also adopt the principles and practices described in the standards to improve your business without being certified.

A business can choose to apply or conform with the standard or they may pick and choose from several different standards to implement good practices. Since there are more than 40 different management standards available through the ISO to be certified to, it’s up to you to decide which ones are right for your organisation.

Shortlist of three standards for mining and mineral company resilience in Australia

The Australian Government has made a conscious decision to encourage critical minerals and mining organisations to consider these three standards as being important for the continued success of the industry:

  • ISO 22301 – Business Continuity
  • ISO/IEC 27001 – Information Security
  • ISO 55001 – Asset Management

The Government made this decision because it sees value in Australian businesses maximising the value of their assets, including protecting their information assets, and protecting their important business processes.

The Government does not demand that all organisations achieve these standards. However, in some circumstances it may place a contractual requirement on organisations to achieve certain standards, while for other industries it will strongly encourage them.

As these are international standards, this can improve Australia’s standing overseas as businesses and governments in other countries look to buy products and services that are certified to international standards.

Who’s who in the standards and why this is important

There are numerous organisations involved with standards and you will see these names around as you progress through your journey. Some of them you may engage with frequently, while others may just be on the periphery.

Conformance Assessment Bodies (CABs), also known as ‘certification bodies (CBs)’

These are the organisations authorised by JAS-ANZ to issue conformity assessment certificates (certificates attesting to conformance to specified requirements, including certain ISO/IEC standards).

JAS-ANZ

JAS-ANZ is the organisation that ensures that CABs are delivering appropriate quality services. They issue certificates in line with the requirements of certification.

Standards vendors

ISO and IEC are the standards makers who have authorised certain vendors around the world to sell the standards.

Lead auditors

These are people who have demonstrated certain levels of skill in the audits of management standards. They are required to have undertaken certain training and to have a certain number of years of experience and on-the-job experience.

Getting support and advisory

If you decide that your business is going to obtain certification, then you may need some help. Many organisations may try to do the documentation and process refinement all on their own, but it can be useful to get some outside help from experts in the field of standards or experts in the field of the practice to help with the standard.

There are many different CABs. Once you know exactly which standard you’re seeking, you can visit the JAS-ANZ website to choose a CAB.

Choosing a CAB

Some CABs have expertise in certain areas while others may cover all certifications. Don’t just choose the first one you see — the CAB is much like an auditor or a business advisor, so you should choose one that will work well with your business. You may want to find one that has experience in your industry or one that has many years’ experience in the particular practice. You have to be comfortable with the CAB you select.

How to determine the right approach for you – adoption, conformance or certification

When you decide that your organisation should start the journey of applying standards, there’s an important aspect that you need to consider. This will impact cost and assurance, and can impact the degree of implementation that you end up achieving.

You need to ask and decide:

  • Should our business be aware of the standards?
  • Should our business purchase the standards and choose which bits we like and then implement just those sections?
  • Should our business purchase the standards and then adopt the good practices of the standard?
  • Should our business implement the standard as a once-off activity?
  • Should our business implement the standard with the support of an advisor and then obtain an internal assessment that we essentially conform with the requirements of the standard?
  • Should our business fully embrace the standards, achieve conformance with the requirements and be certified by a conformance assessment body so that we can outwardly demonstrate that we are certified in the relevant standard?

This is not an easy decision. Each of the options above has different costs and benefits.

Some important considerations are:

  • Can the business afford to go all the way?
  • Can the business afford to not go all the way?
  • Does the business have the financial support to achieve certification?
  • Does the business have the risk appetite to achieve certification?
  • Does the business have readily available expertise to help the business progress through to certification?
  • What are our regulatory requirements?
  • What do our stakeholders expect?
  • What does our board want?

Once you answer these questions, you’re ready to proceed on your journey.

At the very worst, you may read the standards and find that your organisation is already implementing equivalent or superior technical solutions to the challenges of asset management, information security or business continuity. If so, this in itself will be valuable: you will be able to explain honestly to internal or external stakeholders that your organisation is operating world best-practice management techniques for these challenges.

A step-by-step guide through the certification journey

Another page available here, Beginning your standards journey, discusses the cycle of business improvement. It’s a perpetual four-step cycle consisting of these stages: Plan-Do-Check-Act.

These are the steps you need to take to achieve certification.

Plan

  • Make your decision to proceed or not proceed on this journey
  • Form a team that is going to drive this in your business
  • Find a sponsor in your organisation
  • Get buy-in from the organisation executive
  • Establish a strategy and then operational objectives
  • Prepare a plan. Treat this as a project

Do

  • Develop your scope
  • Review your organisation
  • Document the processes
  • Improve your processes

Check

  • Conduct your stage 1 review
  • Improve and refine your processes
  • Conduct your stage 2 review
  • Get certified

Act

  • Continuously improve on your business

It doesn’t end there

Of course, within the scope of the program you need to continue the cycle of Plan-Do-Check-Act to refine and improve your processes.

While many organisations see the certification in the management standard as the end-goal, that is not the case. The management standards are built around continuous improvement. This means that once you’re certified you actually start on your next journey to maintain your certification and improve your processes.

When you are first certified, the certifying body will discuss with you timelines for their next surveillance audit. The certificate you receive at certification is designed to be valid for up to three years. However, it’s only maintained when you have a surveillance audit completed every 12 months (first surveillance) and every calendar year thereafter (including in subsequent certification cycles).

When you conduct your certification audit, there may have been some minor issues raised that require management attention to improve processes at your organisation, or perhaps these were raised as opportunities for improvement. While you may be disappointed to receive these, this is just a part of the ongoing journey to continuously improve. The surveillance audit is not just to make sure that your organisation has not gone backwards, but also to make sure that you continue to improve.

The standards discussed here all have areas where your organisation needs to be introspective and ask how things can improve. This may be through the requisite internal audits or through other self-assessments.

FAQs

Where can I learn more?

You can visit the JAS-ANZ website to learn more or contact one of the many experts across Australia that may be able to help.

Why is the government making our organisation implement these standards?

Unless it is a contractual obligation between your organisation and the government, then the government is not making you implement these standards. The Australian Government encourages adoption of these standards as good practice to help promote business in Australia.

Which standard is right for me?

JAS-ANZ has developed a checklist to help you determine which standard may be the appropriate standard for your organisation. You can find it here.

Where do I start?

You’re in the right place. Take a look at the section ‘A step-by-step guide’ above. We also have different papers to help you get started:
All Guides