
Removing the Confusion About Standards

May 24, 2025 · 6 minute read

ISO standards, while designed to bring clarity and consistency, often contain terms and concepts that can be confusing for organizations new to implementation or even seasoned practitioners. Some of the most commonly misunderstood terms and features are described below.

1. Certification vs. Accreditation

  • Certification: This is what an organization receives when its management system (e.g. Quality Management System for ISO 9001) has been audited by a third-party certification body and found to conform to the requirements of a specific ISO standard. It’s the “stamp of approval” for the organization’s system.
  • Accreditation: This is the formal recognition by an accreditation body (e.g. UKAS in the UK, JASANZ in Australia and ANAB in the US) that a certification body is competent and impartial to carry out certification audits against specific standards. In essence, accreditation is “certification of the certifiers.” You want your certification to come from an accredited certification body, as this ensures the credibility and international recognition of your certificate.

Confusion Point: Many people use “ISO accredited” interchangeably with “ISO certified.” An organization gets certified, while the body that certifies them gets accredited.

2. “Documented Information” vs. “Records”

The ISO standards (especially since the 2015 revisions) use the term “documented information” to cover both “documents” and “records.” However, their distinction is crucial:

  • Documents (or “maintained documented information”): These are typically procedures, policies, work instructions, manuals, specifications, forms (when blank), and other information that describes how things should be done. They are dynamic, meaning they can be updated and revised to reflect changes in processes. The standard requires them to be “maintained.”
  • Records (or “retained documented information”): These are evidence of activities performed or results achieved. They are static and provide proof that something has been done or occurred. Examples include completed forms, audit reports, meeting minutes, inspection results, training logs, and customer feedback. Records are “retained” and generally not edited, as they serve as historical evidence.

Confusion Point: Differentiating between what needs to be maintained (and therefore controlled for versioning) and what needs to be retained (as immutable evidence) can be tricky.

3. “Continual Improvement” vs. “Continuous Improvement”

While often used synonymously in everyday language, ISO standards emphasize “continual improvement”:

  • Continual Improvement: This implies an ongoing series of improvements, which may not necessarily be uninterrupted. It suggests that improvement activities occur regularly, but there might be pauses or breaks between improvement cycles. It’s a progressive, iterative process. The Plan-Do-Check-Act (PDCA) cycle is the primary tool for driving continual improvement.
  • Continuous Improvement: This implies an uninterrupted flow of improvement, which is often difficult to achieve in practice.

Confusion Point: The nuance between “continual” (periodic, ongoing) and “continuous” (uninterrupted) can be subtle but is important for understanding the standard’s intent.

4. “Risk-Based Thinking”

Introduced more prominently in the 2015 versions of standards like ISO 9001 and ISO 14001, risk-based thinking replaced the explicit requirement for “preventive action.”

  • Risk-Based Thinking: This is a fundamental concept that means considering risks and opportunities throughout the entire management system. It’s about proactively identifying what could go wrong (risks) and what could go right (opportunities) that could affect the achievement of objectives, and then taking actions to address them. It’s not necessarily about formal, complex risk management processes for every little thing, but rather about incorporating risk consideration into everyday decision-making and process design. It helps an organization determine the rigor needed for planning and controls.

Confusion Point: Many organizations initially interpret this as needing a massive, separate risk management system, when in fact, it’s meant to be integrated into all processes. Also, the dual focus on opportunities alongside risks is often overlooked. Note that many practitioners prefer to refer to “risk events” as either threats or opportunities (see ISO 9001).

5. “Context of the Organization”

This clause (typically Clause 4.1 in common standards) requires an organization to understand its internal and external issues that are relevant to its purpose and strategic direction, and that can affect its ability to achieve the intended results of its management system.

  • Context of the Organization: This involves analysing the environment in which the organization operates.
      • Internal Issues: Relate to the organization itself (e.g., culture, values, performance, resources, knowledge).
      • External Issues: Relate to the environment outside the organization (e.g., political, economic, social, technological, legal, environmental factors – often analyzed using PESTLE or SWOT).
    The aim is to identify what influences the organization’s ability to achieve its objectives and manage its risks and opportunities.

Confusion Point: Organizations sometimes struggle with the breadth of “issues” to consider and how deeply they need to document this “understanding.” It’s not about creating an exhaustive list of every internal and external factor, but identifying those that are truly relevant to the management system’s objectives.

6. “Interested Parties” or “Stakeholders”

Clause 4.2 requires understanding the needs and expectations of relevant “interested parties.” Note, however, that ISO prefers the term “interested parties,” which should be used wherever possible.

  • Interested Parties (or Stakeholders): These are persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. They include internal parties (e.g., employees, top management) and external parties (e.g., customers, suppliers, regulators, investors, local community). The standard requires the organization to determine which of these interested parties are relevant to the management system and what their relevant needs and expectations are.

Confusion Point: Determining who are the “relevant” interested parties and what their “relevant” needs and expectations are can be subjective. Organizations sometimes overcomplicate this by trying to address every single expectation of every potential party, rather than focusing on those directly impacting the management system’s effectiveness.

7. “Process Approach” vs. “PDCA Cycle”

These two concepts are highly interconnected but distinct:

  • Process Approach: This is a fundamental principle of ISO standards, requiring organizations to identify, understand, and manage interrelated processes as a system to achieve desired results efficiently and effectively. It’s about viewing the organization as a collection of processes that take inputs, transform them, and produce outputs, with clear interactions between them.
  • PDCA (Plan-Do-Check-Act) Cycle: This is a tool or methodology for implementing and managing a process or system and driving continual improvement.
      • Plan: Establish the objectives of the system and its processes, and resources needed to deliver results.
      • Do: Implement the plan.
      • Check: Monitor and measure processes and the resulting products/services against policies, objectives, and requirements.
      • Act: Take actions to improve performance as necessary.

Confusion Point: While the PDCA cycle is used within the process approach, they are not the same. The process approach is the overarching way of organizing and understanding the business, while PDCA is an iterative method for managing and improving individual processes or the system as a whole.

Understanding these distinctions is key to effective ISO implementation and avoiding common pitfalls during audits.
