MSS_report-technical-standardization

This white paper provides an overview of Management System Standards (MSS) and their significance in promoting economic development through technical standardization. It outlines the benefits of MSS, such as improving operational efficiency, reducing costs, and enhancing market access, while also discussing the role of conformity assessment in building trust in these standards. The document emphasizes the importance of national involvement in standardization activities and aims to raise awareness of MSS within the Luxembourg market.


TECHNICAL STANDARDIZATION

MANAGEMENT SYSTEM STANDARDS: OVERVIEW

Version 1.0 · September 2022

ISBN: 978-99987-869-3-6

Institut Luxembourgeois de la Normalisation, de l’Accréditation, de la Sécurité et qualité des produits et services

Agence pour la Normalisation et l’Economie de la Connaissance

Foreword
Technical standardization plays an important role in the support of economic
development. Nowadays, almost every sector relies on standards to provide services in
an efficient manner. Standards are therefore considered as a major source of benefits,
and Management System Standards are particularly effective in this respect since they
have an impact on the whole economic ecosystem.

In this frame, the “Institut Luxembourgeois de la Normalisation, de l’Accréditation, de la
Sécurité et qualité des produits et services” (ILNAS), via its “Luxembourg Standardization
Strategy 2020-2030”, signed by the Minister of the Economy, considers standardization as
a tool of performance and excellence at the service of the economy that also strengthens
national economic trust.

As such, Management System Standards as well as the domain of conformity assessment
form some key elements of this trust, making it possible to demonstrate that products, services,
systems, processes, etc. meet specified requirements, which can notably be determined
by customers or regulation.

In this context, the Luxembourg standardization strategy identifies the ISO committee
for conformity assessment (ISO/CASCO), which develops policy guidelines and publishes
standards on conformity assessment, as being of significant interest to support the
national economy.

Thus, the Politique normative nationale « ISO CASCO » 2022-2030 has been defined to
guarantee national involvement in standardization activities relating to conformity
assessment in line with market needs. To this end, it provides for the progressive
implementation of three master projects:

• Strengthen national involvement in the ISO/CASCO committee;
• Promote ISO/CASCO developments at the national level;
• Develop the fields of research and education related to ISO/CASCO.

Within this global framework, the current report sets the preliminary background for
understanding the importance of Management System Standards and their place in the
conformity assessment process. It represents a first step for raising awareness of the
importance of technical standardization for this domain to the national market and
constitutes a basis for the future development of the research and education related
to it. Convinced of the importance of Management System Standards and of the whole
conformity assessment process, ILNAS, with the support of ANEC GIE, delivers this report
with a view towards encouraging the national market’s future use of related standards
and the involvement in the related standards development process, for the benefit of
Luxembourg’s economy.

Jean-Marie REIFF, Director
ILNAS

Jean-Philippe HUMBERT, Deputy Director
ILNAS


Abstract
Management System Standards (MSS) have gained in popularity in recent
years. They cover a variety of domains and topics, such as product or service
quality, environmental performance, operational efficiency, or health and
safety in the workplace.

This report is an introduction to the world of MSS. First, it explains the concept of MSS
along with the presentation of its building blocks, objectives and benefits of using
it. The document then outlines the topics covered by various MSS and introduces
the most commonly used ones. This overview is complemented by figures showing
the constant growth in the adoption of the MSS in the world and in Luxembourg,
demonstrating the interest in this type of standards and related certifications. Next,
the report opens up the topic of conformity assessment, discussing the role of
accreditation and certification in building the chain of confidence related to the good
practices outlined in the MSS.

Furthermore, to illustrate the importance of MSS, this deliverable includes testimonials
from national organizations that have implemented - most of them being certified -
such standards. They discuss the benefits and the challenges associated with the use
of the MSS, based on their experience, and explain the importance of being involved
in the standards development process. Finally, the report highlights the possibilities
offered by ILNAS to access the MSS, as well as to participate in their development.


Table of Contents
1. What is a Management System Standard?
1.1. Definition
1.2. Types of Management System Standards (MSS)
1.3. High level structure
1.4. Integrated use of MSS
1.5. Benefits of MSS

2. Examples of MSS
2.1. Topics covered by existing MSS
2.2. Popular MSS
2.3. Upcoming MSS

3. MSS in numbers
3.1. Continuous growth of the usage of MSS
3.2. Adoption of MSS in Luxembourg

4. Conformity assessment: Chain of confidence-building
4.1. Conformity assessment process
4.2. Certification
4.3. Accreditation
4.3.1. ISO/CASCO Committee on conformity assessment
4.3.2. Accreditation body in Luxembourg

5. Why should any organization use a MSS: Testimonials from Luxembourg

6. Standardization opportunities in Luxembourg
6.1. How to access MSS?
6.2. Who can participate in standards development in Luxembourg?

References


1. What is a Management System Standard?

1.1. Definition
ISO defines a management system as a “set of interrelated or interacting elements of an
organization to establish policies and objectives, as well as processes to achieve those
objectives” [1]. The management system’s “elements” refer to the organization’s structure,
roles and responsibilities, planning and operation. The “objectives” can cover a variety
of topics, such as product or service quality, environmental performance, operational
efficiency, or health and safety in the workplace [2]. The “organization” is defined as a
“person or group of people that has its own functions with responsibilities, authorities
and relationships to achieve its objectives” and thus can be a corporation, an enterprise, a
partnership, an institution, a part of a legal entity, and so on [3].

In this frame, a management system standard (MSS) is an overarching document, setting
out requirements or guidance, which supports the governance and leadership functions
in the implementation and maintenance of the management system. Generally designed
for any economic sector, type and size of organization, languages, geographical, cultural
or social conditions, a MSS provides requirements and/or guidelines at all levels of an
organization. A general-purpose MSS can be complemented by sector-specific guidance
where applicable [1] [2].

1.2. Types of Management System Standards (MSS)


ISO distinguishes between two types of MSS: those that contain requirements and those that
provide recommendations. Requirements are the provisions that convey criteria to be fulfilled, and
recommendations are provisions that convey advice or guidance. A MSS can be of either type or a
combination of both [4] [5].

Type A
A Type A MSS contains requirements, such as those dictating the establishment of a risk management
system. An organization that puts in place a Type A MSS can then claim conformance against those
requirements. Some Type A MSS also contain guidance on the implementation of the identified
requirements, thus supporting the organization [5].

Type B
A Type B MSS typically provides recommendations and guidance on how to achieve a specific objective,
for example how to monitor and measure customer satisfaction. Recommendations in Type B MSS
can address the requirements expressed in Type A MSS but can also be independent [5].


1.3. High level structure


Management System Standards contain a number of requirements for the organizations
implementing them. To facilitate the implementation of MSSs and enhance their consistency, ISO
introduced in 2012 a high-level, harmonized structure identifying common requirements and ways to
add discipline-specific ones¹. This structure had to be used by all MSSs of Type A developed or revised
by ISO committees thenceforth. In 2019, IEC joined the initiative in the effort to harmonize ISO’s and
IEC’s portfolio of management system standards. The high-level structure of a MSS is described in
Appendix 2 to Annex SL of the ISO/IEC Directives, which is publicly available and can be downloaded
for free [2] [3].

The high-level structure notably requires an organization to consider the following aspects
[3]:

CONTEXT OF THE ORGANIZATION


Understand the issues that can impact the organization, as well as the needs and expectations of interested
parties, in order to determine the boundaries and applicability.

LEADERSHIP
Demonstrated commitment from the top-management with respect to the scope of the MS that translates
into a relevant policy, integration of the MS in the business processes, assignment of roles and responsibilities
and proper communication around it.

PLANNING
Analyze the risks and opportunities for an organization in order to set the objectives and establish a course
of actions to achieve them.

SUPPORT
Determine and provide the resources, guarantee the necessary competence, set up proper communication
and create and update documented information needed for the establishment, implementation, maintenance
and continual improvement of the MS.

OPERATION
Specify, implement and control the processes needed to execute the planned actions and reach the objectives.

PERFORMANCE EVALUATION
Monitor, measure, analyze and evaluate the MS and its processes to assess its performance with respect
to the execution of the planned actions and achievement of objectives, which should be complemented by
internal audits and management reviews to guarantee that the MS is effectively implemented and maintained
and remains appropriate with respect to the strategic direction of the organization, respectively.

IMPROVEMENT
Continually improve the suitability, adequacy and effectiveness of the MS and apply corrective actions to deal
with nonconformities.

¹ “Discipline-specific” is used to indicate specific subject(s) to which a management system standard refers, such as energy, quality, records, environment, etc. [1]


1.4. Integrated use of MSS


Thanks to the high-level structure, all the MSS can work together. An organization can establish one
single management system that meets the requirements of two or more MSS simultaneously in
an integrated manner. Thus, it can reach its objectives in different areas of operation. To support
organizations willing to adopt the overarching approach, ISO published guidance on “The integrated
use of management system standards (IUMSS)” [2].

In total, there are four different types of ISO documents that support organizational management.
Since MSSs set out general-purpose requirements or guidance for a given domain, they can be
complemented by other management standards that are introduced below. In summary, they can
either help to address sector-specific requirements or provide additional implementation guidance [2].

Sector-specific MSS
As the name suggests, a sector-specific MSS provides additional requirements or guidance for the
application of a generic management standard in a specific economic or business sector. These are,
for example, specific requirements for a quality management system in organizations providing
medical devices (ISO 13485:2016) or supplying products and services to the petroleum, petrochemical
and natural gas industries (ISO 29001:2020), or in local governments looking to meet the needs and
expectations of their citizens/customers (ISO 18091:2019) [2].

Management System-related standards and implementation guidance


These standards provide further guidance and/or requirements on the MSS or the specific aspects
of a management system, or on related supporting techniques. Examples of these standards are
guidelines for auditing of management systems, in general (ISO 19011:2018) or for a specific domain,
such as food safety (ISO 22003-1:2022) or information security (ISO/IEC 27007:2020).

Management standards
Management Standards are intended to support the implementation of specific aspects of an
organization’s management system. Examples of these are risk management guidelines
(ISO 31000:2018), guidance on social responsibility (ISO 26000:2010) or guiding principles for the
governance of IT for organizations (ISO/IEC 38500:2015).


1.5. Benefits of MSS


Why is it interesting to implement a MSS? What are the benefits of having a Management System put
in place in an organization? Here are some of the reasons [6] [7] [8] [9]:

Harmonize and optimize organizational practices. The implementation of a MSS allows organizations
to improve their operational processes and reach their objectives efficiently and effectively by defining
goals, planning activities carefully, and sharing information with all parties involved.

They talk from experience

Using ISO 9001, ISO 14001 and ISO 45001 helped us to structure
and harmonize Quality-Safety-Environment practices within the
group. By implementing the management system, we could
achieve better traceability of documented information and
reinforce information feedback with continuous improvement.

Youcef Si Larbi,
Responsable Qualité, LSC Engineering Group

Reduce duplication of effort and therefore costs. When planning actions to improve the effectiveness
and efficiency of business as per MSS requirements, decision-makers get the opportunity to
select cost-effective strategies.

Reduce risks and increase performance and profitability. A MSS requires putting in place proper
risk management and continuous improvement processes to ensure the necessary changes are made
in a timely manner to maintain the required levels of performance.

They talk from experience

ISO 9001:2015 helps structuring thinking about risks. Thanks to
the mandatory risk management framework, we integrated the
identification of our weak places and the mitigation strategies. Thus,
we know where to pay attention to. And when a risk becomes a reality,
we know exactly what to do.
Dmitry Lozhnikov,
Quality Manager, Astron Buildings LLC


Improve internal and external communication. By design, a MSS stipulates that the requirements
of all stakeholders, both internal and external to the organization, are taken into account, captured in
the company policy and communicated to all relevant parties.

Facilitate access to market and increase market acceptance. A MSS is a collection of international
good practices for a given domain. Thus, compliance with a MSS can facilitate and increase access to
the market. Moreover, demonstrated compliance with a MSS is a sign of continuing quality control,
covering all the stakeholders in the supply chain, which is helpful to gain the market’s trust. In addition,
if the certification against a MSS is delivered by an accredited conformity assessment body, the
organization will benefit from a certificate recognized worldwide, which facilitates access to the foreign
market (more about certification and accreditation in section 4).

They talk from experience

Thanks to ISO 9001 certification we could gain in market share with
certain clients.
Youcef Si Larbi,
Responsable Qualité, LSC Engineering Group

In 2018 we had an external audit regarding the GDPR. We were advised
to start following the ISO guidelines in order to start implementing a
concrete information security management. As we were at that time a
fast growing mid-sized company, we decided to go further and today we
run the Management System efficiently. Even if we are not certified yet,
we already see some results coming.
Antonello Caggiano,
Senior Manager, Value Partners S.A.

Focus on sustainable development. Implementation of different MSS, targeting economic (quality),
environmental and social objectives, in an integrated manner helps organizations to become more
sustainability-oriented and gain in performance. “MSS requires organizational commitment to developing
the principles of sustainability, namely, to guarantee the quality of its products and services,
ensure the preservation of the environment, and provide for the safety and health of employees,
without neglecting social responsibility, ethical principles, and risk-based thinking” [9].


2. Examples of MSS

2.1. Topics covered by existing MSS

BUSINESS MANAGEMENT AND INNOVATION


Examples: ISO 9001, ISO 10012, ISO 30401, ISO 37001,
ISO 37301, ISO 44001, ISO 54001, ISO 55001

BUILDING AND CONSTRUCTION


Example: ISO 41001

SECURITY, SAFETY AND RISK


Examples: ISO 18788, ISO 22301, ISO 28000, ISO 28001,
ISO 28002, ISO 45001, ISO/IEC 80079-34

FOOD AND AGRICULTURE


Examples: ISO 22000, ISO 34101-1, ISO/TS 34700

ENERGY
Examples: ISO 19443, ISO 50001

INFORMATION TECHNOLOGY, GRAPHICS AND PHOTOGRAPHY


Examples: ISO 14298, ISO/IEC 19770-1, ISO/IEC 20000-1,
ISO/IEC 27001, ISO/IEC 27701, ISO 30301

HEALTH, MEDICINE AND LABORATORY EQUIPMENT


Examples: ISO 13485, ISO 15378, ISO 25424, ISO 35001

SUSTAINABILITY AND ENVIRONMENT


Examples: ISO 14001, ISO 16000-40, ISO 37101

MECHANICAL ENGINEERING
Example: ISO 29001

SERVICES
Examples: ISO 20121, ISO 21001, ISO 21101, ISO 21401, ISO 46001

TRANSPORT
Examples: ISO/TS 22163, ISO 28007-1, ISO 30000, ISO 39001


2.2. Popular MSS²

ISO 9001:2015

Quality management

Developed by ISO/TC 176/SC 2 Quality systems, ISO 9001:2015 specifies requirements for a quality
management system when an organization:

• needs to demonstrate its ability to consistently provide products and services that
meet customer and applicable statutory and regulatory requirements, and
• aims to enhance customer satisfaction through the effective application of the system,
including processes for improvement of the system and the assurance of conformity
to customer and applicable statutory and regulatory requirements.

ISO 14001:2015

Environmental management systems — Requirements with guidance for use

Developed by ISO/TC 207/SC 1 Environmental management systems, ISO 14001:2015 specifies the
requirements for an environmental management system that an organization can use to enhance its
environmental performance. ISO 14001:2015 is intended for use by an organization seeking to manage
its environmental responsibilities in a systematic manner that contributes to the environmental pillar
of sustainability.

ISO 14001:2015 helps an organization achieve the intended outcomes of its environmental
management system, which provide value for the environment, the organization itself and interested
parties. Consistent with the organization’s environmental policy, the intended outcomes of an
environmental management system include:

• enhancement of environmental performance;
• fulfilment of compliance obligations;
• achievement of environmental objectives.

² The links to standards refer, where possible, to the international documents adopted by European standards development organizations and then by ILNAS as national standards. Any differences that were introduced to the international documents are clearly identified or it is explicitly stated that no changes were made.

15
TECHNICAL STANDARDIZATION · MANAGEMENT SYSTEM STANDARDS: OVERVIEW

ISO/IEC 27001:2013

Information technology — Security techniques — Information security management systems — Requirements

Developed by ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection, ISO/IEC
27001:2013 specifies the requirements for establishing, implementing, maintaining and continually
improving an information security management system within the context of the organization. It also
includes requirements for the assessment and treatment of information security risks tailored to the
needs of the organization.

NOTE: Two technical corrigenda and one amendment were provided to this standard in 2014 and 2015.

ISO 22000:2018

Food safety management systems — Requirements for any organization in the food chain
Developed by ISO/TC 34/SC 17 Management systems for food safety, ISO/IEC 22000 specifies requirements
for a food safety management system (FSMS) to enable an organization that is directly or indirectly
involved in the food chain:

• to plan, implement, operate, maintain and update a FSMS providing products and
services that are safe, in accordance with their intended use;
• to demonstrate compliance with applicable statutory and regulatory food safety
requirements;
• to evaluate and assess mutually agreed customer food safety requirements and to
demonstrate conformity with them;
• to effectively communicate food safety issues to interested parties within the food
chain;
• to ensure that the organization conforms to its stated food safety policy;
• to demonstrate conformity to relevant interested parties;
• to seek certification or registration of its FSMS by an external organization, or make a
self-assessment or self-declaration of conformity to this document.

This document allows any organization, including small and/or less developed organizations (e.g. a
small farm, a small packer-distributor, a small retail or food service outlet) to implement externally-
developed elements in their FSMS.


ISO 45001:2018

Occupational health and safety management systems — Requirements with guidance for use

Developed by ISO/TC 283 Occupational health and safety management, ISO 45001:2018 specifies
requirements for an occupational health and safety (OH&S) management system, and gives guidance
for its use, to enable organizations to provide safe and healthy workplaces by preventing work-related
injury and ill health, as well as by proactively improving its OH&S performance.

ISO 45001:2018 is applicable to any organization that wishes to establish, implement and maintain
an OH&S management system to improve occupational health and safety, eliminate hazards and
minimize OH&S risks (including system deficiencies), take advantage of OH&S opportunities, and
address OH&S management system nonconformities associated with its activities.

ISO 45001:2018 helps an organization to achieve the intended outcomes of its OH&S management
system. Consistent with the organization’s OH&S policy, the intended outcomes of an OH&S
management system include:

• continual improvement of OH&S performance;
• fulfilment of legal requirements and other requirements;
• achievement of OH&S objectives.

ISO 45001:2018 does not state specific criteria for OH&S performance, nor addresses issues such as
product safety, property damage or environmental impacts. Nevertheless, it enables organizations to
integrate other aspects of health and safety, such as worker wellness/wellbeing.

ISO 13485:2016

Medical devices — Quality management systems — Requirements for regulatory purposes

Developed by ISO/TC 210 Quality management and corresponding general aspects for medical devices,
ISO 13485:2016 specifies requirements for a quality management system where an organization
needs to demonstrate its ability to provide medical devices and related services that consistently
meet customer and applicable regulatory requirements. Such organizations can be involved in one or
more stages of the life-cycle, including design and development, production, storage and distribution,
installation, or servicing of a medical device and design and development or provision of associated
activities (e.g. technical support). ISO 13485:2016 can also be used by suppliers or external parties
that provide product, including quality management system-related services to such organizations.

NOTE: This is a sector-specific standard and thus does not comply fully with the high-level structure.


ISO 50001:2018

Energy management systems — Requirements with guidance for use

Developed by ISO/TC 301 Energy management and energy savings, this document specifies requirements
for establishing, implementing, maintaining and improving an energy management system (EnMS).
The intended outcome is to enable an organization to follow a systematic approach in achieving
continual improvement of energy performance and the EnMS. This document:

• is applicable to activities affecting energy performance that are managed and
controlled by the organization;
• is applicable irrespective of the quantity, use, or types of energy consumed;
• requires demonstration of continual energy performance improvement, but does not
define levels of energy performance improvement to be achieved.

ISO 22301:2019

Security and resilience — Business continuity management systems — Requirements

Developed by ISO/TC 292 Security and resilience, this document specifies requirements to implement,
maintain and improve a management system to protect against, reduce the likelihood of the
occurrence of, prepare for, respond to and recover from disruptions when they arise. This document
is applicable to all types and sizes of organizations that:

• implement, maintain and improve a BCMS;
• seek to ensure conformity with stated business continuity policy;
• need to be able to continue to deliver products and services at an acceptable
predefined capacity during a disruption;
• seek to enhance their resilience through the effective application of the BCMS.

NOTE: This standard is available for free.


ISO/IEC 20000-1:2018

Information technology — Service management — Part 1: Service management system requirements

Developed by ISO/IEC JTC 1/SC 40 IT service management and IT governance, this document specifies
requirements for an organization to establish, implement, maintain and continually improve a service
management system (SMS). The requirements specified in this document include the planning, design,
transition, delivery and improvement of services to meet the service requirements and deliver value.
This document can be used by:

• a customer seeking services and requiring assurance regarding the quality of those
services;
• a customer requiring a consistent approach to the service lifecycle by all its service
providers, including those in a supply chain;
• an organization to demonstrate its capability for the planning, design, transition,
delivery and improvement of services;
• an organization to monitor, measure and review its SMS and the services;
• an organization to improve the planning, design, transition, delivery and improvement
of services through effective implementation and operation of an SMS;
• an organization or other party performing conformity assessments against the
requirements specified in this document;
• a provider of training or advice in service management.

ISO 37001:2016

Anti-bribery management systems — Requirements with guidance for use

Developed by ISO/TC 309 Governance of organizations, ISO 37001:2016 specifies requirements and
provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-
bribery management system. It is designed to help an organization to prevent, detect and respond to
bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities. ISO
37001:2016 addresses the following in relation to the organization’s activities:

• bribery in the public, private and not-for-profit sectors;
• bribery by or of the organization;
• bribery by the organization’s personnel acting on the organization’s behalf or for its
benefit;
• bribery by the organization’s business associates acting on the organization’s behalf
or for its benefit;
• bribery of the organization’s personnel in relation to the organization’s activities;
• bribery of the organization’s business associates in relation to the organization’s activities;
• direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party).

ISO 37001:2016 is applicable only to bribery. It does not specifically address fraud, cartels and other
anti-trust/competition offences, money-laundering or other activities related to corrupt practices.

2.3. Upcoming MSS


Like any standard, MSS are subject to regular review. Thus, some of the existing MSS are being updated.
For example, the following MSS updates were in preparation at the time of writing of this report:

• ISO/CD 21001 Educational organizations — Management systems for educational
organizations — Requirements with guidance for use (to replace the one published in
2018);
• ISO/CD 55001 Asset management — Management systems — Requirements (to
replace the one published in 2014).

New MSS to provide requirements or guidance for new, not yet covered, domains also keep emerging.
To provide a few examples:

• ISO/IEC CD 42001 Information Technology — Artificial intelligence — Management
system;
• ISO/DIS 31101 Robotics — Services provided by service robots — Safety management
systems requirements;
• ISO/CD 7101 Health Care Quality Management System Standard.


3. MSS in numbers

Each year ISO conducts a survey to assess the adoption of MSSs. It counts the number of valid
certificates that organizations declare to have received through a certification process³ [10] [11].
Certification allows organizations to demonstrate compliance with the requirements stated in a MSS
and is discussed in Section 4. This section provides some statistics on the certificates delivered
upon demonstrated compliance with MSSs, based on data from the ISO surveys. The number of
certificates for a given year is the number of certificates valid on 31 December of the survey year,
whether issued during that year or in the two preceding years.

3.1. Continuous growth of the usage of MSS


Figure 1 shows the evolution of the adoption of the three most popular MSSs worldwide over the
2010-2020 period. The MSSs considered are:

• ISO 9001 Quality management systems — Requirements
• ISO 14001 Environmental management systems — Requirements with guidance for use
• ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements

The numbers mainly show consistent growth of the number of certificates. The drop in 2018 is due to
the survey methodology, as explained by ISO⁴.

Figure 1: Evolution of the number of certificates for ISO 9001, ISO 14001 and ISO/IEC 27001 over 2010-2020 worldwide [11]

³ ISO Disclaimer: “The ISO Survey is not a database. The providers of the data are the certification bodies accredited by IAF members and they participate on a voluntary basis. The level of participation fluctuates from one edition of the survey to another and can impact the survey results especially at the country level. Interpretations of the results and any conclusions on the trends should be made with these considerations in mind.”

⁴ Such changes cover mostly the multi-site organizations and multi-sector certificates. For example, instead of counting multiple times a certified organization that has multiple sites, it is now counted once, and the number of sites remains as a separate indicator.


3.2. Adoption of MSS in Luxembourg


Figure 2 shows the evolution of the adoption of the three most popular MSSs (ISO 9001, ISO 14001
and ISO/IEC 27001) in Luxembourg during 2010-2020. Starting from 2011, the number of ISO 9001
certificates remains constantly over 150 with peaks of over 250 certificates in 2013, 2015 and 2018.
The number of certificates for ISO 14001 varies from 70 to 128 in 2013-2020, while it was only 19 in
2010. The number of certificates for ISO/IEC 27001 has grown from 5 in 2010 to 27 in 2019, with a
drop to 17 in 2020.

Figure 2: Evolution of the number of certificates for ISO 9001, ISO 14001 and ISO/IEC 27001 over 2010-2020 in Luxembourg [10]

Figure 3 presents the number of certificates held by organizations in Luxembourg in 2020 for various
MSSs. The largest number of certificates (157) was delivered for conformity with ISO 9001. Second
place (84 certificates) goes to ISO 14001, demonstrating the attention that organizations in
Luxembourg pay to environmental questions. ISO 45001 for occupational health and safety is in
third place with 32 valid certificates, leaving fourth place to ISO/IEC 27001, for which 17 certificates
were issued. For other management systems, fewer than 10 certificates per standard were delivered.

Number of certificates per standard:

• ISO 9001:2015 Quality management systems - Requirements: 157
• ISO 14001:2015 Environmental management systems - Requirements with guidance for use: 84
• ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements: 17
• ISO 22000:2018 Food safety management systems - Requirements for any organization in the food chain: 5
• ISO 45001:2018 Occupational health and safety management systems - Requirements with guidance for use: 32
• ISO 13485:2016 Medical devices - Quality management systems - Requirements for regulatory purposes: 6
• ISO 50001:2011&2018 Energy management systems - Requirements with guidance for use: 3
• ISO 22301:2012 Societal security - Business continuity management systems - Requirements: 5
• ISO/IEC 20000-1:2018 Information technology - Service management - Part 1: Service management system requirements: 3

Figure 3: Number of certificates held by organizations in Luxembourg in 2020 for different MSS


4. Conformity assessment: Chain of confidence-building

4.1. Conformity assessment process


Section 3 mentions certification as a means to demonstrate compliance with the requirements
stated in a MSS. Certification is one of the activities that fall within the frame of conformity assessment,
which is defined by ISO as a “demonstration that specified requirements are fulfilled” [12]. Other
activities include testing, inspection, validation and verification, depending on the type and the
object of conformity assessment [12]. The requirements against which conformity is demonstrated
can be defined in standards, such as MSS, or in other specifications. This report focuses mainly on the
process of conformity assessment against the requirements stated in a MSS, covering certification
and accreditation activities.

In principle, the assessment of conformity can be performed at different levels [13]:

• First party – self-declaration of conformance made by an organization,
• Second party – declaration made by an entity tied with the organization by a professional relation, such as client, customer, supplier, etc.
• Third party – declaration made by an independent organization, such as a conformity assessment body (CAB), that issues a certificate as a proof of successful demonstration of conformity.

In the case of a third-party conformity assessment, an organization can select a body to perform the
assessment. To enhance the value of the obtained certificate of conformity, it can opt for an
accredited body that has proven its competency, reliability, impartiality and compliance with best
practices through a process called accreditation [13] [14]. If a conformity assessment body was
accredited by a member of the International Accreditation Forum (IAF), the certificate it subsequently
delivers in recognition of conformity is recognized and accepted throughout the world
[14]. To guarantee the quality and transparency of the accreditation bodies, peer evaluation takes
place among them.

Thus, a third-party conformity assessment contributes to successive confidence-building and to
increased trade benefits for organizations. It starts from the willingness of an organization
to implement the requirements stated in the MSS, or in other specifications. These requirements
represent good practice and as such benefit the quality of the organization’s operations. Then,
by opting for a third-party conformity assessment, the organization demonstrates the quality of its
operations to all its customers in a transparent way.

In the following sections, the certification and accreditation processes are defined in a more formal
way.

23
TECHNICAL STANDARDIZATION · MANAGEMENT SYSTEM STANDARDS: OVERVIEW

4.2. Certification
“Certification is the provision by an independent body of written assurance (a certificate) that the
product, service or system in question meets specific requirements” [15]. In order to claim conformance
with requirements, an organization needs to provide evidence. Such evidence is generally provided
during an audit. If an organization successfully passes an assessment by a third party, the audit
results in a certification. An audit can also be performed by a first or second party, but in that case it
does not result in certification. Moreover, with respect to MSS, since certification is an assurance
of meeting requirements, a certificate can only be delivered for compliance with a Type A MSS
[5] [13] [15].

4.3. Accreditation
Accreditation is a “third-party attestation related to a conformity assessment body, conveying formal
demonstration of its competence, impartiality and consistent operation in performing specific
conformity assessment activities” [12]. Thus, an accreditation body performs the accreditation to
assess the conformity assessment body. Depending on the object of conformity, different standards
can be used by the accreditation body to evaluate the conformity assessment body [13]. In the case of MSS,
ISO/IEC 17021-1 Conformity assessment — Requirements for bodies providing audit and certification of
management systems — Part 1: Requirements is used.

An accreditation body itself needs to comply with the requirements stated in the international
standard ISO/IEC 17011 Conformity assessment — Requirements for accreditation bodies accrediting
conformity assessment bodies. Accreditation bodies are evaluated against this standard by their peers,
following a peer evaluation procedure based on IAF and regional guidance (in Europe, that of the
European co-operation for Accreditation, EA). Peer evaluation guarantees mutual recognition of accreditation bodies.

Figure 4 shows the whole confidence-building chain, taking as an example the context of certification
against a MSS and including the stakeholders involved and the standards used.

CHAIN OF CONFIDENCE-BUILDING

IAF
• Peer evaluation among Accreditation bodies
• Based on ISO/IEC 17011 and additional IAF criteria and guidance

ACCREDITATION BODY
• Accreditation of Certification body
• Based on ISO/IEC 17021-1 and additional IAF criteria and guidance

CERTIFICATION BODY
• Certification of an organization
• Based on a MSS (international or adopted by National Body)

ORGANIZATION
• Demonstration of compliance towards customers

Figure 4: Chain of confidence-building through certification and accreditation

24
TECHNICAL STANDARDIZATION · MANAGEMENT SYSTEM STANDARDS: OVERVIEW

4.3.1. ISO/CASCO Committee on conformity assessment

Standards for conformity assessment are produced by the ISO/CASCO Committee on conformity
assessment. Its primary role is to study means of assessing the conformity of products, processes,
services and management systems. CASCO also prepares international guides and standards relating
to the practices of conformity assessment and promotes their appropriate use. CASCO is meant to
support and improve national and regional conformity assessment systems and increase their mutual
recognition. In this frame, it collaborates with other technical committees, namely with those
developing the Management System Standards, to ensure a consistent and harmonized approach to
the development of standards that are subject to conformity assessment.

4.3.2. Accreditation body in Luxembourg

In Luxembourg, the national accreditation body is OLAS, Office Luxembourgeois d’Accréditation et de
Surveillance. OLAS is part of the European and international accreditation network, and as such undergoes
peer evaluation based on ISO/IEC 17011 and additional IAF guidance and benefits from mutual
recognition among accreditation bodies. In this frame, the conformity assessment bodies accredited
by OLAS deliver certificates that are valid across Europe and internationally. The organizations that
receive such certificates gain simplified access to European and international markets.

OLAS conducts the accreditation process and maintains the list of accredited national organizations.

They talk from experience

Eurofoil Innovation Centre was accredited from 2012 till May 2022 by
Office Luxembourgeois d'Accréditation et de Surveillance (OLAS). This
accreditation was internationally recognized thanks to the mutual
recognition agreements of which OLAS is a signatory. In this context,
the accreditation represents a pledge of technical competence and
trust for all stakeholders. This is particularly a major asset for activities
relating to automotive products for which the Eurofoil France site is
ISO/TS 16949 certified.

Alexandre Fallet,
R&D Laboratory Manager, Eurofoil Innovation Centre

25
TECHNICAL STANDARDIZATION · MANAGEMENT SYSTEM STANDARDS: OVERVIEW

5. Why should any organization use a MSS: Testimonials from Luxembourg

Rudy Kech,
Chief Operating Officer and IMS Manager, CRI Group a VASS company

Inside CRI Group before VASS Acquisition, we built an Integrated Management System (IMS) based on 3
standards, ISO 9001:2015 QMS, ISO/IEC 20000-1:2018 SMS and ISO/IEC 27001:2013 ISM for which we are
certified.

MSS is a fantastic management tool which allows the definition of the AS-IS (current image of the company)
and transition towards a TO-BE (target) defined with the team and agreed by the top management.

One of the key success factors is the Leadership, commitment, and support of the top management with
respect to the management system. Without it, the enforcement of MSS becomes very tricky.

Many managers are interested by the ISO standards but are reluctant to spend money to build and
maintain it. Therefore, the first challenge is to convince the top management of the added value of ISO
standards for their specific needs. In the ICT consulting business for the For-EU Institutions, some of the
certifications are mandatory to answer the biggest calls for tender:

• ISO 9001 is often requested directly as a certificate or via relevant Quality procedures.

• ISO/IEC 20000 and ISO/IEC 27001 are more and more appreciated for cybersecurity calls for tender.

• it is possible that ISO 14001 could be requested in the future to match EU environmental objectives.

Introduced by Management system, policies and procedures are wonderful communication tools that
allow to clearly document the management expectations/rules.

The ISO Management system shall be agile with processes directly implemented in the tools and easy
to update. It shall be subject to discussion and feedback of the team using it to take into account
improvement recommendations but also to ensure people feel part of the process. This improves the
engagement rate.

People don’t like to read long procedures. Nevertheless, regular training targeted on knowledge gaps
allows to get the adherence of the team to the recommended best practices.

In conclusion: The Integrated Management System (IMS) is an important management tool. While the
IMS is implemented in the relevant tools in an agile way, it enables a transparent guidance for the
collaborators, operational efficiency, but also the automation of repetitive tasks.

26
TECHNICAL STANDARDIZATION · MANAGEMENT SYSTEM STANDARDS: OVERVIEW

Hanna Lteif,
Director, Numen Europe

Working in digital transformation and digital documents management, we have been certified ISO 9001
since 1998, ISO/IEC 27001 since 2014 and PSDC since 2017.

The implementation of quality management system allowed us to harmonize the procedures and good
practices proper to our activities. Moreover, having it all written down helps to preserve the quality of
services in the long run, independently of people involved in the process. The information is preserved
and everyone has access to it. It also makes the onboarding of the new teams easier.

There is also an economic aspect. On the one hand, more and more clients require the certification (PSDC
or ISO/IEC 27001) to be sure the services and products they receive are compliant with the regulation. On
the other hand, even if our core business is more oriented towards PSDC, being certified ISO/IEC 27001
(which is a basis to PSDC anyway) opened new market opportunities to us.

Of course, implementing Management Systems does not come without challenges. The complexity of the
system can increase rapidly and it can be challenging to maintain it and keep the personnel up to date.
Regular communication is really important to address the potential issues. It comes with a certain cost,
obviously, but it helps us to continuously improve the quality of our services.

Dmitry Lozhnikov,
Quality Manager, Astron Buildings

Astron Buildings is certified ISO 9001 and the Quality Management System is well integrated in the
company.

All the processes, procedures and instructions are assembled in a quality manual, which represents a
substantial body of knowledge. It is complemented by a technical manual containing specific technical
instructions. Both documents are available across our various international locations allowing to
harmonize the work realised on different sites. Each time a new person joins the company, the onboarding
process starts with the quality and technical manuals. Also, it's a good basis to exchange about good
practices and discuss necessary updates among personnel. Yes, over the years our Quality Management
System has become rather complex and one of the challenges we are facing now is how to simplify it, but
with the involvement and good will of the top management we are on a good track.

Moreover, when participating in tendering it is easy to demonstrate how we achieve the quality of our
products and services to convince potential clients. The certification is not always required in a tender,
although it really depends on a country, but it serves as a guarantee that the client will be satisfied by the
quality of service.

Starting from 2015, the concept of risk management was introduced in the Quality Management System.
We found it a very helpful addition. Structured thinking about risks allows to be prepared to all kinds of
situations and handle them properly if they become a reality.

27
TECHNICAL STANDARDIZATION · MANAGEMENT SYSTEM STANDARDS: OVERVIEW

6. Standardization opportunities in Luxembourg

A proper understanding of the stakes associated with technical standardization, including
Management System Standards and conformity assessment standards, is key to adopting the
appropriate position across the standardization landscape and benefiting from all the related
opportunities. In this frame, ILNAS aims at facilitating the appropriation of technical standards by
national stakeholders and their participation in the standardization process, for the benefit of the
national economy.

6.1. How to access MSS?


In Luxembourg, multiple options are available to get to know the content of the MSS:

Reading stations: across the country, nine reading stations have been set up, through which any interested
party can search for and read the published standards. This is a useful option for getting
a first appreciation of the contents of a standard.

ILNAS e-Shop: when an organization wants to put in place a management system, or is preparing
for a certification, it can buy published standards from the ILNAS e-Shop. Also, in case of a revision
of a standard, a pre-final version before publication is available during a specific period of time for
public consultation.

6.2. Who can participate in standards development in Luxembourg?

In order to be aware of any revision of a MSS or to follow the progress of MSS in development,
organizations in Luxembourg can register experts in the technical committees where the relevant
standards are developed. The experts will be able not only to keep up to date but also to contribute
to the content of future standards, defending their organization’s interests.

Any interested stakeholder can get involved through ILNAS by becoming an active national
standardization delegate free of charge. Interested experts can easily request their registration
from ILNAS using a dedicated form.

28
TECHNICAL STANDARDIZATION · MANAGEMENT SYSTEM STANDARDS: OVERVIEW

References

[1] ISO/IEC, "ISO/IEC Directives, Part 1: Procedures for the technical work - Consolidated ISO Supplement - Procedures specific to ISO," 2021. [Online]. Available: https://www.iso.org/sites/directives/current/consolidated/index.xhtml. [Accessed August 2022].

[2] ISO, "Popular standards: Management System Standards," [Online]. Available: https://www.iso.org/management-system-standards.html. [Accessed August 2022].

[3] ISO/IEC, "Annex SL Guidance documents," 2021. [Online]. Available: https://isotc.iso.org/livelink/livelink?func=ll&objId=16347818&objAction=browse&viewType=1. [Accessed August 2022].

[4] ISO/IEC, "ISO/IEC Guide 2," 2004. [Online]. Available: https://isotc.iso.org/livelink/livelink/Open/8389141. [Accessed August 2022].

[5] ISO, "Management System Standards - Management System Standards List," [Online]. Available: https://www.iso.org/management-system-standards-list.html. [Accessed August 2022].

[6] Professional Evaluation and Certification Board (PECB), "Benefits of Integrated Management System," 2014. [Online]. Available: https://pecb.com/article/benefits-of-integrated-management-system. [Accessed August 2022].

[7] Thames Valley Chamber of Commerce Group, "ISO Management Standards," 2017. [Online]. Available: https://www.thamesvalleychamber.co.uk/wp-content/uploads/2017/01/TVCC_ISO_Management_Standards_v10_AF_FINAL.pdf. [Accessed August 2022].

[8] International Monetary Fund, "Chapter 13 QUALITY MANAGEMENT AND REPORTING," 2018. [Online]. Available: https://www.imf.org/-/media/Files/Data/CPI/chapter-13-quality-management-and-reporting.ashx. [Accessed August 2022].

[9] C. Silva, J. Magano, A. Moskalenko, T. Nogueira, M. A. Pimenta Dinis and H. F. Pedrosa e Sousa, "Sustainable Management Systems Standards (SMSS): Structures, Roles, and Practices in Corporate Sustainability," 2020. [Online]. Available: https://www.mdpi.com/2071-1050/12/15/5892. [Accessed August 2022].

[10] ISO, "Certification and conformity: the ISO survey," [Online]. Available: https://www.iso.org/the-iso-survey.html. [Accessed August 2022].

[11] ISO, "ISO Survey of certifications to management system standards - Full results," [Online]. Available: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1. [Accessed August 2022].

[12] ISO/CASCO, "ISO/IEC 17000:2020 Conformity assessment — Vocabulary and general principles," 2020. [Online]. Available: https://www.iso.org/standard/73029.html. [Accessed August 2020].

[13] ISO/CASCO, "CASCO Educational toolbox - 9 modules on conformity assessment: 4 - What is conformity assessment," 2019. [Online]. Available: https://isotc.iso.org/livelink/livelink?func=ll&objId=20644954&objAction=browse&viewType=1. [Accessed August 2022].

[14] IAF - International Accreditation Forum, "IAF Documents - Why use an accredited certification body?," 2012. [Online]. Available: https://iaf.nu/iaf_system/uploads/documents/IAF_Why_use_accredited_CB_0112.pdf. [Accessed August 2022].

[15] ISO, "Standards: Certification & Conformity," [Online]. Available: https://www.iso.org/conformity-assessment.html. [Accessed August 2022].


Technical Standardization · MANAGEMENT SYSTEM STANDARDS: OVERVIEW · September 2022 · Version 1.0 · © ILNAS/ANEC · ISBN 978-99987-869-3-6


Institut Luxembourgeois de la Normalisation, de l’Accréditation, de la Sécurité et qualité des produits et services
Agence pour la Normalisation et l’Economie de la Connaissance

Southlane Tower I · 1, avenue du Swing · L-4367 Belvaux · Tel. : (+352) 24 77 43 -70 · Fax : (+352) 24 79 43 -70 · E-mail : normalisation@ilnas.etat.lu
www.portail-qualite.lu