The following requirements must be met in order to achieve ISO Certification.

All of these requirements can be found within the international standard ISO 9001:2015 under Clause 4.2 General Requirements for Registration, which states that certification is only granted to an organization that meets the following criteria:

The quality system must be complete, documented, implemented, and maintained. The main purposes of the quality system are to:

Requirements of Quality Management System

Implementation and maintenance of a Quality Management System require the involvement of top management. This is because it is impossible for any organization to work effectively with systems that are not understood or supported by senior management. Senior management also has responsibility for the continued effectiveness of the quality management system and, therefore, must be committed to it. Senior management is responsible for ensuring that any necessary changes are made to continually improve the organization’s ability to meet customer and applicable statutory or regulatory requirements. Senior Management is also responsible for managing risk and ensuring effective communication internally and externally.

With this responsibility, the organization should be able to show that top management provides direction for the quality policy and overall strategy of the organization through continual improvement activities. Management is also responsible for ensuring that resources are available to support the effective implementation and continual improvement of the quality system. The organization should be able to demonstrate that top management provides appropriate leadership in the achievement of its objectives as well as in the improvement of processes, products, and services. Examples of this are updating quality objectives, driving new initiatives, or providing resources for improvement activities.

Furthermore, top management provides the organization with the guidance, resources, and tools that are needed to continually improve its processes.

In addition to providing direction for the quality system, senior management is responsible for identifying risks and opportunities and for allocating the resources necessary to implement appropriate measures to manage these risks or opportunities.

Additional responsibilities of top management are to: 

The quality system must be documented, which includes policies, procedures, and records. This documentation must be sufficient for the management of the organization as well as its customers to understand what is being implemented in order for it to be executed properly. Management must also ensure that documentation is accurate, complete, and consistent.

The organization should be able to demonstrate that documented procedures are available for quality management activities such as product/service design; product/service realization; and continual improvement activities including planning, implementing, monitoring, and controlling the quality management system and that these procedures are regularly reviewed for their effectiveness, currency, and compliance with the quality policy.

Procedures should be documented in sufficient detail so they can be properly enforced by management. Those responsible for making sure documentation is complete and correct must be identified and the process for ensuring its completeness and correctness should also be documented.

Defined responsibilities and authorities, which include responsibility for quality by management personnel, are necessary in order to monitor activities at all levels of the organization. These defined responsibilities and authorities must be detailed enough so that management can understand what is expected of them with regard to quality. Management must ensure that the responsibilities for quality are stated in terms of job title as well as specific tasks and functions.

The organization should be able to demonstrate that top-level responsible managers have been given appropriate training and/or competence in quality management. Training can be provided by the organization or can be obtained from outside sources, such as professional associations. Management should also have access to up-to-date knowledge about the products/services they manage and quality management techniques.

Management must ensure that all staff are familiar with their quality responsibilities and that the entire organization is aware of its obligations. This includes properly identifying those who have been given responsibility for quality by management.

The implementation, monitoring, and control of the quality system must include appropriate procedures to ensure that the requirements for personnel competence are provided as an ongoing part of the quality management system.

Procedures to investigate process/product failures and non-conformities are needed in order for the organization to continually identify ways in which it can improve its processes or products. This includes procedures such as an incident investigation, corrective action, preventive action, and reviews to ensure process/product failures or non-conformities do not recur.

The organization should provide a means of controlling product quality during the design stages as well as in the production, installation, and servicing of products. 

Requirements in Environmental Management 

Conducting an aspect impact study and establishing an environmental management system

The organization must develop a procedure to conduct an environmental management assessment. This process includes determining the impact of the organization’s activities on the environment and identifying how its products, services, processes, and facilities affect the environment. This assessment will be ongoing as new or modified services and processes are introduced or existing ones changed, modified, or discontinued. The assessment should identify the environmental aspects of these changes and evaluate them as well as the impact of proposed new products. 

The organization needs to define how it will manage its relationships with suppliers that may have environmental responsibilities which are not under the control of management. These obligations could include provisions in supplier contracts such as clauses mandating environmental assessments of new suppliers. 

The organization should determine whether a contract manufacturer or outsourcing facility has its own environmental management system and how it will meet its own specific requirements as well as implementing the requirements of the organization that is using the services of that facility. If such a relationship is established, management must establish procedures to monitor performance and ensure compliance with these requirements.

Management should establish a procedure to conduct a gap analysis of environmental aspects and processes in order to identify both areas where the organization has met its obligations and those where there are inadequate procedures or controls. Management must determine how it will meet gaps that have been identified. 

The organization must develop an environmental management system that describes the policies, practices, and procedures that are used to fulfill its obligations as they relate to management responsibility. It must include the responsibilities of all personnel in designing, manufacturing, selling, delivering, installing, maintaining products and services. This includes how a product is decommissioned when it has reached the end of its useful life. The system should also incorporate environmental aspects of the organization’s design, manufacture, purchase, distribution, and disposal of products. 

Management needs to identify whether its environmental management system is intended to comply with the requirements of an external program or standard as required in ISO 14001. It must evaluate any differences in these programs/standards and determine if it needs to develop additional procedures to ensure compliance. The organization’s procedures should be regularly reviewed to verify that they are still relevant, accurate, and effective in providing a means of meeting its environmental responsibilities as specified by any applicable external program or standard.

Requirements of ISO 45001:2018 

The occupational health and safety management system (OHSMS) is part of ISO 45001:2018. It is meant for the management system to promote an occupational health and safety policy, a continuous improvement process, safe conditions in the workplace, and appropriate guidance and communication. The system should include employee participation because it is vital to sustaining its effectiveness. 

The organization must have an occupational health and safety policy. This should be communicated effectively to every member of staff, involve consultation between management and the workforce, and state how it will work together to achieve its goals in relation to employees’ health and safety.

This is one area where ISO 45001:2018 differs significantly from the other two standards. The nature of the organization’s business and its operational processes will determine what is required to demonstrate that this policy is linked to the organization’s objectives. For example, a detailed description would be necessary if the assembly of products was highly complex or involved hazardous materials. On the other hand, a simple definition with just a few examples of how it is put into practice would suffice for services organizations. 

Management must conduct a gap analysis of occupational health and safety aspects to determine all the activities that relate to employees’ health and safety. It should also identify areas where procedures are inadequate or non-existent, risk assessments (and how often they are updated), roles and responsibilities, training programs for staff, regulatory requirements, incident investigation systems, occupational health and safety committees or consultative groups, how it is going to implement the action plan, policies on providing feedback to staff, and which employees are covered by occupational health and safety legislation.

Requirements of ISO 22301 

Business continuity management is part of ISO 22301:2018. It is required because organizations need a business continuity management system that addresses risks related to their critical activities and supports the achievement of their business, development, and emergency response objectives. 

Management needs to understand how critical activities link to the organization’s strategic objectives. Risk assessments need to be conducted for all elements that could affect the delivery of these activities, and management must take steps to control or manage these risks so that they do not prevent the organization from achieving its goals.

The organization’s business continuity management system needs to include policies, procedures, processes, and resources for strategic, operational, and event-related activities. It is important that it addresses the most critical activities because they could require considerable time or resources to be restored after an incident. 

Required documentation includes policies on risk assessment and identification of critical activities, provisions, and plans for identifying and responding to risk, guidance for decision making when events occur, information on the availability of resources needed to conduct business continuity management activities, details on how data is backed-up or stored securely, procedures that are used during all stages of an incident, performance evaluations of staff involved in business continuity management activities, organizational structures such as management chains and communication protocols, and the organization’s emergency response procedures. 

Business continuity management activities should be conducted according to documented plans that prepare for incidents that could occur. These include planning how different parts of the business will respond to risks (such as natural disasters or cyber attacks), whether they are likely to prevent the achievement of its objectives, or whether they could put staff or members of the public at risk. Plans should be reviewed to make sure that they reflect changes in the organization’s activities, its internal controls, and any new risks that have been identified.

Requirements of ISO 27001:2013

Information Security management is part of ISO 27001:2013. Organizations should have a documented information security management system to ensure that their information assets are protected from unauthorized access, malicious modification, or destruction.

Information Security policies as specified in ISO 27002 relate to all aspects of an organization’s privileged users and the activities they perform. They need to be implemented for all processes and technology solutions. Procedures for privileged users need to be documented in order to ensure consistent implementation of practices and controls across the organization.

Security needs to be managed on an ongoing basis because threats are constantly changing. Management should monitor risks regularly so that it can identify things that could prevent the achievement of its objectives, or even threaten the well-being of its staff or the public.

Resources need to be available in order for information security management activities to be carried out, such as monitoring of systems and technologies used by privileged users, review of documentation showing how policies are implemented, and coordination with other business continuity management activities. 

Procedures should be documented for maintaining information security, including techniques such as backups and encryption, changing administrative passwords periodically, monitoring network activity, and configuring firewalls. Controls need to be in place for preventing authorized users from using personal mobile devices or removable storage media on the internal network.

Auditing needs to be carried out regularly so that management can determine whether there are any gaps in an organization’s information security management system, ensure that it is effectively implemented and maintained, and identify how well the security risks are managed. 

Records need to be kept of information security activities to show compliance with applicable laws, regulations or standards, demonstrate due care taken by an organization in protecting its assets, and comply with any insurance requirements.

Business continuity management plans need to include detailed information about how the business will be able to continue its essential activities after a disruptive event, based on ensuring that systems and technology solutions are protected from unauthorized access, malicious modification or destruction. Procedures need to be documented for coordinating all relevant disaster recovery activities. Documentation should also describe how the organization’s various IT systems interface with each other and the business continuity management plan.

Requirements of ISO 22000:2018 

Food safety management systems (FSMS) need to be designed and implemented to ensure that food is safe for consumption. A documented Food Safety Management System (FSMS) should show how authorities have been informed of hazards and risks related to such things as the freshness or suitability of food ingredients, use of chemicals in production, storage of food and personal hygiene of staff. It should also include food safety management standards, procedures for handling, storage and distribution of food including how the specific needs of vulnerable groups such as pregnant women or young children are taken into account.

Food suppliers need to identify hazards in their processes and develop mitigation strategies for those hazards. For example, they might ensure that raw materials are fresh and receive regular checks to confirm that the suppliers are meeting standards. Processes need to be documented so that the controls can be verified at any time, for example how a product should be handled when being transported or stored.

When food is being processed, staff members need to know who their immediate supervisor is who has responsibility for them. They also need to know who their designated person for food safety is and what they are required to do in the event of an incident. Recipes need to be available, along with any supporting documentation which discusses how equipment should be calibrated or cleaned, as well as procedures for documenting corrective actions taken when problems occur. 

Each shipment of food products needs to be accompanied by a Certificate of Analysis that can be used to verify compliance with the Hazard Analysis and Critical Control Points (HACCP) principles. Procedures need to be documented for ensuring that supply chain partners meet food safety requirements, providing assurance about the quality of suppliers’ management systems, product traceability or other aspects of their operations.

Food handlers need to be trained on how to manage food safety and quality so that they can ensure that the food is safe for consumption. They need to know which food handling practices are prohibited, such as keeping raw foods in the same area as cooked foods or storing cooked food above ready-to-eat products. Staff members also need to have access to a copy of the FSMS so they know what it contains and how to comply with its requirements.

Food businesses need to have procedures in place for the recall of food products where this is necessary as a result of a food safety hazard being identified. A documented Food Recall Procedure should explain which individuals or teams are responsible for identifying situations where there is a potential problem with the degree of safety. It needs to describe how products are traced through the supply chain and identify what information needs to be shared with consumers so that they can check if any specific lots of food or drinks are affected by a recall action.

Management procedures should cover decisions about which foods will be recalled where it is not possible to fully address all risks. For example, it may not be possible to remove all potentially harmful bacteria from a product or you might decide that the benefits of selling an item outweigh any residual risk.

Requirements of ISO 50001:2018

Energy management systems – Requirements with guidance for use are part of the standard, so energy efficiency measures that reduce carbon dioxide emissions should be considered in the design, purchase, and operation of every site.

Those suppliers that want to use ISO 50001:2018 need to have a documented energy management system. The standard outlines what information needs to be included in the system, for example, targets and measurements as well as process flows and control systems. Those who are using an approved equivalent may choose which elements of the ISO 50001:2018 requirements they include in their systems and may add their own specific details.

The standard also gives guidance on how to choose the right energy efficiency measures that are appropriate for your business. For example, this can take into account whether there are technical or commercial limitations in using available technologies as well as preferential purchasing policies from government bodies that might be effective in gaining financial support. The guidance is designed to make sure that the most appropriate measures are selected.

ISO 50001:2018 is different from ISO 14001:2015 because it focuses on the energy use of a site rather than its environmental impacts, while ISO 50001:2018 supports and aligns with the requirements of ISO 14004 (energy management) and considers how technical and commercial considerations can be used to help implement the best overall energy efficiency measures. 

It is important that all food businesses use ISO 50001:2018 as it provides you with a robust standardized system for managing your business’s energy use, whatever type of food business activity you carry out, and wherever you are located.

The implementation of ISO 50001:2018 provides a framework that enables food businesses to improve and maintain their energy performance. When implemented effectively, this standard will help you reduce your energy costs and carbon emissions while also identifying areas where your business could make further improvements.

Get help from EAS

Contact EAS for any assistance in obtaining ISO certification or conducting a pre-assessment of the requirements implemented. Email:
