What are ISO Compliance Obligations?
What are Compliance Obligations?
In the ISO Management Standards, Compliance Obligations is the preferred term covering both ‘legal requirements’ and requirements imposed by other interested parties, such as Regulators, Advisory Bodies, Customers or Industry Bodies.
The official definition is:
‘legal requirements that an organization has to comply with and other requirements that an organization has to or chooses to comply with’
Some of the Standards state that Compliance Obligations will include, but not be limited to:
- Applicable laws and regulations
- Voluntary commitments
- Organizational and industry standards
- Contractual relationships
- Codes of practice
- Agreements with community groups or non-governmental organizations
Compliance Obligations are therefore requirements that an organisation must take into account when planning and managing its ISO management systems.
Due to the context of the industry or sector, some standards will use multiple terms, so look out for:
- Legal and Regulatory Requirements
- Statutory requirements
Why do I need to comply with these ISO Compliance Obligations?
ISO Management Standards are voluntary standards that an organisation chooses to follow and use to provide assurance to its stakeholders and interested parties.
Part of the ISO management system requires that the company sets a relevant policy which ‘includes a commitment to fulfil its compliance obligations’.
To fulfil this commitment, the organisation takes on the task of understanding and ensuring that:
- The compliance obligations that are relevant to it are known and managed
- That it maintains current information on the status and requirements of these compliance obligations
- It manages tasks and changes relevant to compliance obligations (including identifying additional and new obligations)
Typically, an organisation will develop a local procedure that demonstrates how it completes and maintains these tasks, as well as maintaining documented evidence of how it meets each compliance obligation.
An example of the requirements from ISO 14001:2015 (see ISO 14001:2015 Clause 6.1.2 for the full text) sets out that an organisation must:
a) determine and have access to the compliance obligations related to its environmental aspects
b) determine how these compliance obligations apply
c) take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system.
In addition, the organization shall maintain documented information of its compliance obligations.
How does the ISO Compliance Register tool help me with my Compliance Obligations?
The ISO Compliance Register tool has been specifically designed for users of ISO management systems to meet their compliance obligations.
You will be able to search for relevant obligations using simple search terms, read through a short overview that will help you decide its relevance, and then add it to your ISO Compliance register. Every month, updates to the legislation or other requirements are made automatically, and you can see them quickly through the updates on your Dashboard.
Using the functions in the ISO Compliance Register tool, you can detail how the requirements are managed in your organisation and share this information with your team. You can audit each requirement using the simple audit procedures and retain or download the evidence.
You can work online with your ISO Management Review team to improve your compliance obligations performance and manage this through a simple task management system.
Where are compliance obligations in the ISO Management Standards?
The ISO Standards require that Compliance Obligations are managed and that the organisation commits to meeting them. Some of the Standards go further, and state that the ability to meet Compliance Obligations is one of the key benefits of having the Standards in place (see ISO 14001 Clause 0.2 Aim of an Environmental Management System).
As you can see from the table below, Compliance Obligations are a critical feature in all the ISO Management Standards, so it is critical that your ISO Management system takes them into account.
The clauses set out below clearly show that Compliance obligations should be managed fully utilising the Plan-Do-Check-Act paradigm; ensure that the requirements are understood, that they are embedded in risk management processes and then used in operational processes. Finally, they should be audited, evaluated and discussed at your ISO Management Review.
Compliance Obligations are set out in the ISO Management Standards as follows:
| Standard | Topic | Clauses where Compliance Obligations are mentioned |
| --- | --- | --- |
| ISO 9001:2015 | Quality | 4.1 Understanding the organization and its context |
| ISO 14001:2015 | Environmental Management | 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the environmental management system; 5.2 Environmental policy; 6.1 Actions to address risks and opportunities; 6.1.3 Compliance obligations; 6.1.4 Planning action; 6.2 Environmental objectives and planning to achieve them; 7.2 Competence; 7.3 Awareness; 7.4 Communication; 7.5 Documented information; 9.1 Monitoring, measurement, analysis and evaluation; 9.1.2 Evaluation of compliance; 9.3 Management review |
| ISO 27001:2013 | Information Security | 4.2 Understanding the needs and expectations of interested parties; Control A.18 |
| ISO 22301:2019 | Business Continuity | 4.2.2 Legal and regulatory requirements; 4.3.2 Scope of the business continuity management system; 8.6 Evaluation of business continuity documentation and capabilities |
| ISO 22000: | Food Safety | Scope 1.b) to demonstrate compliance with applicable statutory and regulatory food safety requirements; 4.1 Understanding the organization and its context; 4.2 Understanding the needs and expectations of interested parties; 5.1 Leadership and commitment; 5.2 Policy; 6.2 Objectives of the food safety management system and planning to achieve them; 7.4 Communication; 7.5 Documented information; 8.2 Prerequisite programmes (PRPs); 8.3 Traceability system; 8.4 Emergency preparedness and response; 8.5 Hazard control; 8.9.5 Withdrawal/recall |
| ISO 50001:2018 | Energy Management | 4.2 Needs and expectations of interested parties; 5.2 Policy; 9.1.2 Evaluation of compliance with legal requirements and other requirements; 9.3 Management review |
| ISO 45001:2018 | Occupational Health and Safety | 0.2 Aim of an OH&S management system; 0.3 Success factors; 1 Scope; 4.2 Understanding the needs and expectations of workers and other interested parties; 5.2 OH&S policy; 5.4 Consultation and participation of workers; 6.1.3 Determination of legal requirements and other requirements; 6.1.4 Planning action; 7.4 Communication; 7.5 Documented information; 8.1.2 Eliminating hazards and reducing OH&S risks; 8.1.4.3 Outsourcing; 9.1 Monitoring, measurement, analysis and performance evaluation; 9.1.2 Evaluation of compliance; 9.3 Management review |