Start Your Standards Journey Here

So, you are interested in how ISO and IEC standards can improve information security, asset management, and/or business continuity in your organisation. That’s a great start on your standards journey.
These international standards are recognised around the world as foundations for resilient, well-managed organisations. How far you take them is up to you: from simply reading them and gaining ideas for improvement, all the way through to using them as the basis for redesigning your integrated management system and better equipping your top management to control risks and opportunities.
After operating a management system against one of these standards for at least six months, including undertaking internal audits and management reviews, you may wish to demonstrate to yourselves and to key stakeholders that you are implementing a management system that meets, and ideally exceeds, the minimum requirements of the standard.
Getting certified can:
It’s important to understand that certification is not an endpoint but a journey. It’s a program of continuous improvement in the management of your systems.
This is a cycle of business improvement embodied in the management standards:
Plan – preparing for your process
Do – performing the actual process
Check – analysing and validating that the process operated as expected
Act – implementing improvements in the process.
This cycle continues perpetually to drive business improvement into the future.

Figure 1 — The cycle of business improvement
To start on that journey, your organisation needs to do a little bit of introspection first. You should know what you’re about, why you exist and what internal and external aspects define you.
As with any project, there are risks, and an organisation can begin to manage them once it understands its context. The following checklist is designed to help organisations determine their context and, in doing so, understand the journey they wish to take in implementing management system standards.
This checklist has been developed specifically for the three standards:
⦁ ISO 22301 – Business continuity management systems
⦁ ISO/IEC 27001 – Information security management systems
⦁ ISO 55001 – Asset management systems.
To help you prepare for the checklist, there are certain concepts and definitions that should be understood.
An organisation
An organisation is any group of people who come together to carry out tasks, projects or programs with a view to delivering particular outcomes. It may be a small business with one or two people performing a service or manufacturing a product, or a large multinational conglomerate producing thousands of products or delivering numerous services. An organisation can be shareholder-owned or government-owned, and for-profit or not-for-profit. It brings together various resources to produce products or deliver services. No two organisations are alike — each structures itself in its own way to deliver the services and products it creates.
A stakeholder
A stakeholder is anyone with an interest in the business: owners, shareholders, employees, vendors, customers, users of the services or products, government organisations that regulate the industry in which the organisation operates, or activists with an interest in the organisation. Competitors and industry bodies can also be seen as stakeholders.
An asset
An asset is any item or thing owned or used by the organisation that has potential or actual value to it, for example the items used in the development, production and delivery of its service. Assets cover a very broad range of items, both tangible and intangible. They exist to provide value, and provide the most benefit when they are managed within the context of the organisation’s objectives and its asset management strategies and policies. Accountants regularly separate assets into categories such as plant and equipment, real estate, buildings or goodwill.
However, there are other assets that are often not included on an organisation’s balance sheet — the value derived from its employees, its culture, and the knowledge and memory held within it. A strategic asset management plan documents the full extent of your organisational assets and outlines an integrated framework for planning, prioritising and decision-making about them in support of your overall objectives. It thereby provides a consolidated plan at the asset portfolio level.
Internalities (or internal issues)
Internalities are the policies, procedures, principles or tenets the organisation has adopted to steer itself. These may be policies established by the board, or industry practices and other external guidance that the organisation has chosen to adopt as its own.
Externalities (or external issues)
Externalities are the policies, procedures, legislation and laws the organisation must comply with to operate its business. These can be laws and legislation stipulated by government agencies or may be expectations arising from customers, industry groups or other external stakeholders like industry bodies or unions.
There may also be external requirements from suppliers or other stakeholders through contracts, as well as the actual marketplace the organisation operates in.
Once an understanding of relevant requirements from internal and external issues is attained, you can begin to consider how these respective requirements will be addressed through the asset management, information security, and/or business continuity systems or under an overall integrated management system.
The application of management systems and their extent of integration is dependent on understanding your key processes.
Key processes (also called ‘key business processes’)
The key processes are those processes in the organisation that deliver the organisational objectives, and are affected by internalities and externalities. These could be the steps in the extraction of ore from the ground, the refinement of ore into purified minerals and the sale of the minerals to buyers, or it could be the processing of electronic transactions.
To further develop your context, you’ll need certain documentation or information available to you. This list describes some of the items that you’ll find useful as you prepare to work through your checklist.
Please note: while having all these documents is helpful, it’s not absolutely essential.
Internal documentation
⦁ Your organisational strategy, mission statement, vision statement
⦁ Business overview — this could be a marketing document that you share with clients or suppliers
⦁ A list of key suppliers
⦁ A list of key customers
⦁ The names of the directors (or equivalent top management)
⦁ A list of the sites you operate
⦁ A description of the activities undertaken at each of the sites
⦁ A detailed copy of your balance sheet for the last 3 years
⦁ A detailed copy of your profit and loss statement for the last 3 years
⦁ An overview of the computer systems in use in your organisation
⦁ An overview of the business processes in your organisation
⦁ A draft strategic asset management plan
External documentation
⦁ Copies of any regulations or other legislation you must comply with
⦁ A list of key contracts
⦁ Names of key government bodies or other authorities you interact with.
The context checklist
Your next steps are:
- Purchase the relevant standard(s). This can be done through several providers and in Australia, you should first visit Standards Australia. They offer the Standards in English, in Australian Dollars with GST.
- Read the standard(s).
- Re-read Clause 4 of the standard(s), “Context of the organisation”. All three standards share the same high-level structure, so this clause sits in the same place in each.
- Begin to develop your context in line with the requirements using the information that you developed from the checklist above. If you have access to a flow-charting tool, you might find it helpful to create some pictorial representations of your environment.
- Ask someone else in the organisation to review your draft context. As a mining and minerals company, you may already have undertaken analysis of your contexts for quality management (ISO 9001), environmental management (ISO 14001), and/or occupational health and safety management (ISO 45001). These provide excellent starting points for analysing the context for your organisational resilience.
- Check your organisational maturity levels with reliable frameworks:
- For asset management maturity, you can use the Asset Management Council of Australia’s ‘Asset Management Maturity Model (AMMM)’ self-assessment tool, which ensures a consistently applied maturity assessment that enables effective performance benchmarking.
- For information security, you can use the Australian Cyber Security Centre’s Essential Eight Maturity Model (Maturity Levels Zero to Three). You can also obtain ISO/IEC TS 27110, Information technology, cybersecurity and privacy protection – Cybersecurity framework development guidelines, which gives guidelines for creating or refining a cybersecurity framework to protect against cyber-attacks. Also see the ISO/IEC TS 27110 guidance on australiancriticalminerals.com
- For business continuity, you can gauge your maturity against the requirements of ISO 22301:2019, ‘Security and resilience – Business continuity management systems – Requirements’, together with concepts from the above maturity models. Also see the implementation guidance for ISO 22301 on australiancriticalminerals.com
- Read case studies on AustralianCriticalMinerals.com of critical minerals companies who are successfully using the management system standards.
- Consider reading additional supporting guidance, such as ‘Living Asset Management Maturity’ (Hardwick et al., 2020; Ed Anderson & Nugent), which provides a deeper explanation of asset management-based thinking, the ethos and evidence underlying ISO 55001, and practical case studies. The predominantly Australian-based experts who authored this and related books also run a regular webinar series, ‘Asset Management Reflections Webinar’, open to all with an interest in asset management.
- You may want to build a business case to demonstrate to executives that this is a worthy project.
- Revise (or develop) your strategic asset management plan that contains and aligns asset management objectives, strategies and approaches for developing and managing the asset portfolio and the asset management system. It may be comprised of individual asset management plans that specify discrete activities, resources, costs and timescales required for chosen assets of interest. Reputable consultants in asset management are available to help you develop and improve your strategic asset management plan.
- To better understand how the three standards (and others) interact, an informative guide, ‘The Integrated Use of Management System Standards’, is available from ISO. You may be able to download it from your ISO standards vendor; otherwise it can be downloaded directly from the ISO website.
- Develop (or update) an internal audit program for implementation of your management system(s), and begin your first series of internal audits to build capacity of your personnel and gain insights into the strengths and weaknesses of your organisation.
- Over time, your personnel could undertake further professional training in the three disciplines. Many good options exist for information security training, while credible training in the other two disciplines is less commonly available. However:
- Asset Management, the Asset Management Council of Australia provides training in asset management fundamentals, and how to develop a strategic asset management plan.
- For business continuity (and other standards), credible certification bodies in Australia and overseas provide auditor and Lead Auditor training. These range from one to three days, and are excellent options to develop internal auditors and key personnel overseeing the overarching management systems in your organisation.
When will I know that I’ve finished writing the context?
Accept that your organisation will always change, as will the people in it, so you may never ‘finish’ the perfect context. Do the best that you can now and share your drafts early with wise others.
We have finished writing our context and strategic asset management plan, but only one or two of ISO 55001, ISO/IEC 27001 and ISO 22301 resonate with our organisation, rather than all three. Is that a problem?
No. It is perfectly fine to adopt only one, or part, of the three standards. As stated by the ISO itself: ‘[A] fundamental principle is that all the standards can work together. Those who already use a management system standard in one part of their business, and are considering implementing additional ones in another area, will find that the process has been made as intuitive as possible.’
Where can I get some help?
If you’ve already decided on a Certifier (a person, organisation or body accredited by JAS-ANZ to certify your conformity with the standards, also known as a ‘certification body’), then you could ask them for assistance or ask them to recommend someone.
If you don’t have a Certifier, you could search for one on the JAS-ANZ Register. JAS-ANZ is well connected across Australia and New Zealand and can help you connect with professionals who can help you on your journey. Contact JAS-ANZ.
My organisation just wants to adopt the principles of the standards, not necessarily get certified. Do we still need to draft a context scope?
If your organisation doesn’t want to get certified, then no, you don’t need to draft a context of the organisation. But if your organisation is still interested in achieving the objectives of the standard without getting certified — then having a clear context for your organisation will help you understand the things that are important for your organisation as you endeavour to achieve the principles.