
ISO 22458:2022 Consumer Vulnerability sets out requirements and guidance for organisations that provide services to consumers, covering organisational culture and strategy, inclusive service design, and how to identify and respond to consumers in vulnerable situations. This section of the Knowledge Base covers every clause of the standard in plain language, explaining what each requirement means in practice and what an organisation needs to do to comply.
ISO 22458 is an international standard that sets out requirements and recommendations for organisations on how to design and deliver inclusive services that minimise the risk of consumer harm and improve outcomes for people in vulnerable situations. It was developed by ISO Project Committee PC 311 and published in 2022 as ISO 22458:2022. The standard replaces the earlier British Standard BS 18477:2010 and broadens its scope to international application.
The standard applies to organisations of any size and any sector that provide services to consumers - private companies, charities, government agencies and local authorities. "Service" is interpreted broadly and includes service-related products such as energy tariffs, insurance policies, mobile contracts and credit products. The standard is built on the principle that any consumer can experience vulnerability at any time, so the organisation's job is to design services that work for everyone and respond well when someone is in difficulty.
ISO 22458 is most directly relevant to organisations whose services have a significant impact on consumers' wellbeing - utilities, financial services, healthcare, telecommunications, housing providers, charities, and any business where a poor outcome for a vulnerable consumer could cause real harm. Sector regulators in the UK and elsewhere increasingly expect to see evidence of vulnerable consumer arrangements, and ISO 22458 provides a recognised framework for delivering and demonstrating that.
Organisations adopt the standard for several reasons - regulatory expectation, customer trust, internal consistency, and the operational benefits of a documented framework that frontline staff can be trained against. Certification to the standard is available but not the only route - many organisations align their existing management system with ISO 22458 requirements without formally certifying.
To comply with ISO 22458, an organisation needs to put in place top management commitment, an outcomes-focused strategy, the four required policies (consumer vulnerability, data protection, third-party representatives, and where relevant interruptions to essential services), inclusive design across all consumer touchpoints, trained and empowered frontline staff, identification and response arrangements, and a monitoring and improvement cycle. The work integrates naturally with an existing ISO 9001 or integrated management system.
The standard has nine clauses. Clauses 1-3 are introductory and carry no auditable requirements; the six auditable clauses run from Clause 4 (organisational commitment, principles and strategy) through Clause 9 (monitoring, evaluation and improvement). Each of those six clauses is covered by a dedicated article in this knowledge base.
When I look at ISO 22458 arrangements during an audit, I'm not interested in whether the policies exist on paper - that is the bare minimum. I'm looking for evidence that frontline staff have been trained, that customer records show vulnerability information being captured and acted on, that the four monitoring inputs (customer satisfaction, aggregated data, complaints, staff feedback) are reviewed regularly, and that the organisation has actually changed something as a result. Where the management system is genuinely embedded, that evidence is straightforward to find. Where it is not, the cracks show up quickly.
The ISO 22458 requirements that organisations underestimate most often are the third-party representatives policy and the inclusive design impact assessment. Both look simple on the surface and both are unusually specific in what they ask for. The third-party policy has to address fraud, abuse, removal of access where circumstances change, and informal helpers - not just power of attorney. The impact assessment has to cover all seven touchpoint categories, not just the obvious ones. Getting these right early avoids retrofitting them later.
ISO 22458 sometimes gets dismissed as common sense dressed up in standard language. It is mostly common sense - but the value is in writing it down so a whole organisation does the same common-sense thing consistently rather than relying on individual advisors to work it out call by call. The clauses are short, the requirements are practical, and most organisations will find they already do a fair amount of what the standard asks. The work is in closing the gaps and giving the system a name and a structure.
