Congratulations, you are on the certification journey!
In general, most businesses are managing their overall processes and risks quite well. If you have a client base and revenue and have been operating for some time, you will likely find your safety, environmental and quality processes will largely meet most requirements of the standards.
There are some parts of the standard that are a little less intuitive, and this is where external auditors most likely see gaps. Here are 4 areas where organisations are likely to have gaps:
The standards are really an agreed set of best practice business principles for managing various types of business risks. By default, if you are meeting your stakeholder requirements, following required legislation and delivering product and services, you will most likely find the majority of the content of standards will intuitively fall into place.
Management System Policies: Each standard has some specific requirements around the policy document (or documents if you are looking at ISO 27001). Most businesses will have recorded vision and mission statements, or some other form of statement of intent, however each management system has its own set of requirements in relation to a policy. ISO 9001 for instance requires you have a statement that is relevant to your objectives and targets, and you commit to continual improvement, while ISO 45001 requires you have a specific statement to eliminate hazards and risks and consult with workers.
Understanding the 'Boundary of your system': Each management system standard requires that you actually document the scope. The scope should be a simple, easy-to-understand statement about the activities and locations you intend to cover in your certification. This isn't a marketing tool; the statement should be really plain and clear. The scope states the limits of the management system audit. It communicates to your stakeholders in unambiguous terms exactly what activities are covered by your certification.
Internal Audit: Checks and balances are generally a part of most businesses; however, internal audit is a higher-level function designed to make sure you are following your processes and managing critical control points in your business. Often these activities are undertaken in some form, but they are not formalised to the extent required in the standards. The standards require that audits have a scope and criteria. There should also be some sort of reporting mechanism back to the management team. Additionally, the standards require that you not only make sure you are adhering to your own internal processes, but that you are also compliant with the management systems themselves.
Corrective Action: Often businesses have an informal process for capturing and managing issues; however, each management standard requires that this process involves determining the cause of nonconformances and incidents. This should then lead to identifying the best course of action to put in place to prevent the nonconformance repeating.
So, there you have it! 4 key areas where gaps are likely to be seen on your Stage 1 audit.