This article will explain what you need to do as a business to comply with ISO9000, ISO14000, HACCP and any other compliance regulations or laws.

In manufacturing, there is often a ‘quality check’ after production, and any products that don’t meet that check are rejected:

This is called ‘quality control’. The problem here is that if the production line keeps spitting out, say, 10% bad products, then 10% of the product will always be rejected. A more sophisticated approach is to look at the bad products and try to figure out how to avoid them. This is called ‘quality assurance’, or just ‘QA’:

Now every time there’s a rejected product, you have a look at what you can change in the production line to avoid that rejection in future.

But what if you’re not in manufacturing? What if you’re running an insurance company? In that case, you just replace ‘production line’ with ‘policies and procedures’. In the same way that the machines in a production line determine the product, so your company’s policies and procedures (assuming you have any!) will determine its products or services.

So here instead of a ‘quality control’ step we have a list of ‘things that went wrong’ – in an insurance company this might be customer complaints, or even lawsuits. It can also include staff suggestions (things that haven’t gone wrong yet, but which staff can see might go wrong in the future).

So far so good. Now as a buyer you might decide (as indeed the Queensland State Government did a couple of decades ago) that you only want to deal with suppliers that practice quality assurance. How do you do this?

Well that’s where ISO9000 comes in. This is a short (about 20 pages) document that’s published by an international body, and lists all of the things that an organisation has to do to implement quality assurance.

Note that it doesn’t tell you how to run your insurance company (or manufacturing company, or whatever). Its requirements are at a pretty high level. For example, an older version of ISO9001 has the following requirement (clause 4.6.2): “The supplier shall … establish and maintain quality records of acceptable subcontractors”.

So what this is saying is that in order to comply with ISO9000, you have to have a list of suppliers (i.e. subcontractors) that you’ve checked out and are okay to use. That seems pretty straightforward, until you dig into it a bit. You’ll need the list, sure. But you’ll also need a procedure on how to use the list, on what would make you reject a new supplier, on how a new supplier that is okay can be added to the list … and so on.

In practice you’ll need a set of policies and procedures that meet all of the requirements in ISO9000. There are quite a few of them. And you’ll want to have somewhere to keep all of those policies and procedures, so you know which ones are the current version. These days this is generally online, and looks like this:

(This is a real capture of HCi’s internal policies and procedures).

If you have a quality system that meets the requirements of ISO9000 you can then pay a certification body to come and ‘audit’ your system every six months or so, and they will then give you a certificate showing that you comply. There’s a list of all Australian certification bodies on this site:

You can then show the certificate to your customers as proof that you ‘comply’ with ISO9000.

As well as these ‘external audits’ you also need to run ‘internal audits’ where your quality manager or compliance manager checks that your policies and procedures are actually being followed correctly.

ISO9000 is about product and service ‘quality’, but there are a bunch of other standards that you can also get certified to, including:

  • ISO14000: environmental management
  • HACCP: food safety
  • ISO31000: risk management (guidelines only – no certification)
  • ISO27000: IT security
  • ISO26000: social responsibility
  • ISO37001: anti-bribery

ISO publishes new standards all the time, and there are industry-specific ones as well. You can find a list here:

But here’s the good news: most of them overlap with ISO9000 to a large extent. It’s a bit like learning new languages: once you have a set of policies and procedures for one of these, you’re most of the way to complying with the others.

That’s why large organisations have a set of policies and procedures that comply with several of these standards, and they tend to call this set a ‘Management System’. Now, this is not a computer system (although it might be held on a computer), it’s just a set of written documents.

Once you have a Management System, it will allow you to comply with any of the ISO or other standards that you might want to comply with. It will also let you comply with laws and regulations – because once you have the basic systems and processes in place, checking them against ISO9000 is no different to checking them against, say, OH&S legislation.

If you work in a bank, you might not use the term ‘Management System’ or ‘quality standard’. But you might well have a ‘compliance’ department, which does the same thing. It’s largely just a matter of terminology.

Whether you call it a Management System or a quality system, or just policies and procedures, make sure to do the following:

  • Assign responsibility to someone; if you have more than about 50 staff, you’ll probably need one person dedicated to just looking after policies and procedures
  • Involve staff in writing stuff down; you can’t just write procedures and hand them to people and expect them to follow them, unless they feel they’ve been involved in the process
  • Use professional writers – you wouldn’t ask your warehouse staff to write warehouse software, would you?

In summary:

What is QA? QA is short for ‘quality assurance’, which is a way of controlling what an organisation does through policies and procedures, and improving them over time.

What is a management system/quality management system/compliance management system? It’s a set of policies and procedures that (usually) meets the requirements of one or more ISO standards.

How do you implement ISO9000? You’ll need to write policies and procedures that match the list in the standard, and get people to use them. Then (optionally) pay an external company to come and do an audit and give you a certificate.

How do you implement standards like ISO14000, ISO31000, ISO26000 or ISO37001? You’ll need to write policies and procedures that match the list in the standard, and get people to use them. Then (optionally) pay an external company to come and do an audit and give you a certificate. If you already have a set of policies and procedures that meet ISO9000, then you’ll only have to add a few key ones to meet the new standard.