Fundamentals · 4 min read · by Lars Zimmermann

What Is an ISO Standard and a Management System?

ISO standard, management system, Annex SL and PDCA explained clearly. What "ISO/IEC" really means and why 9001, 27001 and 42001 are so alike.

In short

An ISO standard is a voluntary, consensus-based document describing how to do something according to recognized good practice. A management system is how an organization steers a topic through objectives, roles, processes and controls. Modern standards like ISO 9001, 27001 and 42001 share one Harmonized Structure and the PDCA cycle, which is why they look so similar.


"We do it according to ISO." You hear that sentence a lot, but what does it actually mean? Anyone who wants to introduce or have a management system audited should keep two terms cleanly apart: the standard and the management system. The two are connected, but they are not the same thing.

What is a standard?

A standard is a voluntary document developed by consensus. ISO is the International Organization for Standardization, based in Geneva, where national standards bodies work together. A standard describes how to do something "according to recognized good practice." It is not a law, yet it can become effectively binding through contracts, tenders or regulation.

A label such as "ISO/IEC 27001" already tells you something about a standard's pedigree: ISO is the international standards body, IEC the International Electrotechnical Commission, and the two publish information-technology standards, including those on information security and AI, jointly through their joint technical committee (ISO/IEC JTC 1). In Europe the same text is then adopted as an "EN" standard and in Germany as a "DIN" standard. The content stays identical; only the level at which it is adopted changes.

What is a management system?

A management system is the way an organization steers a particular topic, using objectives, roles, processes, documents and controls. A quality management system (QMS) steers quality, an information security management system (ISMS) steers information security, and an AI management system (AIMS) steers the responsible use of AI.

A management system standard sets out the requirements for such a system, not for a single product. An ISO 9001 certificate therefore says something about how you work, not about a specific manufactured part.

Why the standards look so similar: Annex SL

Modern management system standards, including ISO 9001, ISO/IEC 27001 and ISO/IEC 42001, follow a common backbone called the "Harmonized Structure" (formerly the "High Level Structure"), which is laid down in Annex SL of the ISO/IEC Directives. As a result they share the same requirement clauses: context of the organization, leadership, planning, support, operation, performance evaluation and improvement.

  • Context: Who are we, which interested parties exist, and what is the scope?
  • Leadership: Top management takes responsibility and sets a policy.
  • Planning: Risks and opportunities are assessed and objectives are set.
  • Support & operation: Resources, competence, documentation and processes that are actually lived.
  • Performance evaluation & improvement: internal audit, management review, corrective actions.

The big advantage: anyone already living ISO 9001 will recognize the same logic in ISO/IEC 27001 or ISO/IEC 42001, and can integrate the systems instead of maintaining three separate bureaucracies.

The core principle: PDCA

Behind every management system sits the PDCA cycle: Plan, Do, Check, Act. A management system is therefore never "finished". It is an ongoing loop of continual improvement. And that is exactly what an audit examines: is the loop genuinely being lived?

Certifiable, or just a guideline?

Not every ISO publication is certifiable. Requirements standards such as ISO 9001, ISO/IEC 27001 or ISO/IEC 42001 (recognizable by the normative word "shall") are the basis for a certificate. Alongside them sit guidance documents and technical reports that only offer orientation and are not certified against. So if you are aiming for certification you need the right requirements standard, plus an accredited certification body to audit against it and issue the certificate.


Frequently asked questions

Is an ISO standard legally mandatory?

In principle no, standards are voluntary. However, they can become effectively binding through contracts, tenders or references in legislation.

What does "DIN EN ISO" mean?

The same standard at three levels: ISO (international), EN (adopted in Europe) and DIN (adopted in Germany). The content is identical.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)

Last updated: 26 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
