How to Set Up an ISO Management System from Scratch
Setting Up a System in Brief
Document what the business actually does, then identify the gaps against the standard you want to follow. Most organisations find the gap is smaller than they feared - the controls usually exist informally; the standard asks for them to be documented and consistent.
Setting Up a Management System
Most organisations already do most of what a management system requires. Staff follow processes, equipment gets maintained, problems get logged and fixed, decisions get made. Setting up a management system is the exercise of making those existing processes visible, consistent and documented, then identifying anything the relevant ISO standards expect that is not yet in place. It is less about building something new and more about giving structure to what already exists.
This article covers the main types of management system, the stages involved in setting one up, and the practical steps for doing it with the IMS1 manual and alphaZ document framework.
What a Management System Does
A management system is a connected set of documents and processes that an organisation uses to run and control its activities. It ties together policies, procedures, registers, forms, training records and audit outputs so that an organisation can demonstrate how it operates, who is responsible for what, and how it keeps improving.
The word "integrated" in Integrated Management System (IMS) describes a single system that meets the requirements of more than one standard. One manual, one folder structure, one set of audit records, one management review. Rather than maintain separate ISO 9001, ISO 14001 and ISO 45001 systems running in parallel, an integrated approach handles all three through a shared framework with specific add-ons where each standard requires them.
A properly functioning management system is not a separate admin layer bolted onto the business. It is the business, described in a way that staff, customers and auditors can follow.
Take Credit for What You Already Do
The most common mistake when setting up a management system is assuming that everything has to be built from scratch to meet an ISO standard. It almost never does. Recruitment, training, equipment maintenance, supplier checks, incident reporting, customer complaints - these are activities that most organisations already handle, often informally or through existing systems.
The setup exercise is to identify what already works, document it in a way the standard recognises, and fill any genuine gaps. A quality procedure does not become more valid because it was written from a template. If a team already follows a reliable process for handling non-conforming stock, that process is the content of the procedure; the job is to write it down.
Types of Management System You Might Set Up
The ISO family covers management system standards for most of the major areas an organisation is expected to control. The commonly adopted ones are:
Quality Management System (QMS)
A QMS gives structure to how an organisation delivers products and services consistently and meets customer requirements. The international standard is ISO 9001, the most widely adopted management system standard in the world. A QMS covers context and planning, leadership, resources, operational control, performance monitoring and improvement. See ISO 9001 Explained for a full breakdown.
Environmental Management System (EMS)
An EMS helps an organisation identify its environmental aspects and impacts, comply with environmental legislation, and improve environmental performance over time. The international standard is ISO 14001. An EMS is increasingly required by larger customers as part of supply-chain expectations, and is often the first additional system added to an existing QMS.
Occupational Health and Safety Management System (OHSMS)
An OHSMS covers how an organisation manages risks to the health and safety of workers, contractors and visitors. The international standard is ISO 45001. In the UK, an OHSMS does not replace the employer's duties under the Health and Safety at Work Act 1974 and its subordinate regulations, but helps demonstrate that those duties are being systematically managed.
Information Security Management System (ISMS)
An ISMS controls how information is protected - confidentiality, integrity and availability. The international standard is ISO 27001. It is expected in most industries that handle client data, personal data or commercially sensitive information. An ISMS sits alongside UK GDPR and Data Protection Act 2018 compliance rather than replacing them.
Business Continuity Management System (BCMS)
A BCMS sets out how an organisation keeps delivering its products and services during disruptive events - cyber attacks, power failures, loss of premises, supply-chain breakdowns. The international standard is ISO 22301. It is a legal expectation in some sectors (for example, NHS bodies must meet the Civil Contingencies Act 2004), and a commercial expectation in many others.
Anti-Bribery Management System (ABMS)
An ABMS provides controls to prevent, detect and respond to bribery. The international standard is ISO 37001. In the UK it sits alongside the Bribery Act 2010, and helps organisations demonstrate that they have "adequate procedures" in place under section 7 of that Act.
Other management system standards cover specific areas such as consumer vulnerability (ISO 22458) and artificial intelligence (ISO 42001). Most of the commonly adopted standards share a single framework (Annex SL / Harmonised Structure), which makes integration across several standards much simpler than setting them up separately.
The Five Key Stages of Setting Up a Management System
Setting up a management system - whether for a single standard or several combined - follows roughly the same pattern.
Stage 1 - Review what is already in place
Before downloading templates, list what the organisation already does. Policy documents, staff handbooks, equipment registers, training records, customer complaint logs, supplier lists, existing procedures. Also look at the management structure, job descriptions and any software used to run operations. Most organisations find that 70 to 80 percent of what an ISO standard expects is already happening in some form - the task is to recognise it and give it a consistent home.
A gap analysis against the relevant standard is a useful part of this stage. It identifies where existing practice already meets requirements, where it needs strengthening, and where nothing is in place yet.
Stage 2 - Review available templates and documents
Work out which of the available templates and policies are useful. A template is only an improvement if it is better than what the organisation already has, or fills a genuine gap. Templates that duplicate an existing document should not be used - merge the useful content into the existing document instead. This prevents the common problem of an organisation ending up with two policies saying slightly different things about the same subject.
Stage 3 - Initial setup
Download the core manual and register templates, update the headers with company details, and put the folder structure in place on the network or cloud location where staff will access it. The IMS1 Integrated Management System Manual is designed to act as the single overview document, with all other files referenced from it. A standard 10-section filing structure is included, which doubles as an evidence folder for audit.
Folders that will not be used in your organisation can be removed, and existing documents that belong in the system (policies already in use, existing registers, established procedures) should be moved into the relevant folder rather than duplicated.
Stage 4 - Update and implement
Work through the IMS1 manual section by section, replacing the default content with descriptions of how your organisation actually operates. The manual is designed so that someone reading it - a new employee, an auditor, a potential customer - can understand how the business works and where to find the evidence to back it up. Where existing procedures or software already cover a requirement, the manual can signpost to them rather than duplicate the content.
At this stage, the implementation checklists are useful for tracking progress. They are organised around the manual's structure and the ISO clause requirements, and help identify anything still outstanding.
Stage 5 - Check and maintain
Once the system is in place, internal audits confirm that what is documented reflects what is actually happening, and that the system meets the relevant ISO requirements. Internal audits are a requirement for certification and a useful discipline regardless of whether certification is pursued. A management review follows the audit cycle, bringing together performance data, audit findings, risks and improvement actions so that top management can confirm the system is working and set direction for the next cycle.
A management system that stops being reviewed stops being useful - within a year or two it drifts out of step with how the organisation actually operates. Maintenance is not optional.
Avoiding Common Setup Problems
A few patterns cause repeated problems and are worth avoiding from the start.
Clause-based manuals. Some providers structure the management system manual around the clauses of the relevant ISO standard (Clause 4 Context, Clause 5 Leadership, and so on). This looks logical on paper but creates an unwieldy document that no one reads, and makes integration across multiple standards difficult. A process-based or activity-based structure - describing how the organisation actually operates - is more useful to staff and still demonstrably covers the standard's requirements.
Duplication across documents. If a procedure already exists somewhere else in the organisation, the manual should signpost to it rather than restate it. Otherwise the same information ends up in two places, gets updated in one and not the other, and an auditor spots the inconsistency.
Over-engineering. A management system is only as good as the staff who use it. Over-detailed procedures, excessive cross-references and ten-page policies that could be expressed in one page push people away from the system rather than into it. The ISO standards do not require length - they require evidence that processes are controlled.
Waiting until you have everything. A management system is a live set of documents, not a finished artefact. Starting with the core structure and filling in detail as the organisation works through its processes is more effective than trying to produce a complete system before going live.
Setting up a management system sounds far harder than it actually is. Most of what ISO expects, you are already doing. You look after your equipment, you train your staff, you check your suppliers, you deal with complaints. The job is mostly to write down how you do those things in a way that holds together. If someone tells you it has to be complicated, they are selling you complicated. And you do not need a separate system for every standard either - one manual, one folder, one management review. That is what integrated means.
When we set ours up, the biggest time saver was listing what we already had before we downloaded a single template. Staff handbook, maintenance logs, supplier checks, training matrix - all there, just not called a management system. About three-quarters of what we needed was already in place once we stopped and looked.
Keeping it structured around how we actually work helped too. Production, despatch, quality checks, customer returns - those are real. Clause 8.5.4 is not real to anyone on the shop floor. The manual reads the way the business runs, and nobody has to translate it.
We were audit-ready in about four months from the first review.
For a first certification audit, the evidence I look for is simple. Is there a documented management system, is someone accountable for it, and does what is written match what I see when I walk round. I will ask staff about the processes that apply to their role. If they describe something that the manual says does not happen, or the manual describes something they have never heard of, that is the gap.
Organisations that pass first time are almost always the ones where the system reflects the business. The ones that struggle have built a system for the audit, not for the work.
Practical Compliance Guidance
Section 1 of the IMS1 manual provides the overview framework for a management system. It is designed as the single top-level document that references everything else - policies, procedures, registers, audit programmes and management review outputs - rather than duplicating their content.
The alphaZ documents below cover the key documents and checklists involved in setting up and running a management system. They are available as part of the relevant ISO toolkit or individually.
| alphaZ document | How to use it |
|---|---|
| ISO 9001/14001/45001 IMS Toolkit | Complete integrated toolkit covering quality, environmental and health and safety management. Includes the IMS1 manual, all key registers, policies, procedures and audit checklists in the standard folder structure. |
| IMS Implementation Checklists | Structured checklists that track progress against the IMS1 manual sections and the ISO standard clauses. Use during setup to identify what is complete and what is still outstanding. |
| I-C-IMS Gap Analysis Checklists | Checklists to compare existing practice against ISO standard requirements. Use at Stage 1 to identify what is already in place and what needs to be developed. |
| F-IMS20 Document Register | Central register of all documents controlled by the management system. Records issue numbers, approval status and location to demonstrate document control. |
| F-IMS22 Interested Parties Register | Records the relevant interested parties for the organisation and their needs and expectations. Used to identify what the management system has to address. |
| F-IMS23 Opportunities and Risks Register | Records the risks and opportunities identified for the management system and the actions taken to address them. Core to the Plan stage of the management system. |
| F-Q3 Management Review | Management review form covering all the inputs and outputs the ISO standards require. Completed at planned intervals to review the effectiveness of the system and set direction. |
| ER1 Issues and Actions Register | Records issues raised, corrective actions and improvements. The working record of how the system is maintained and improved over time. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
Setting up a management system is not itself a legal requirement in the UK, but several sectors and regulated industries require arrangements that a management system helps to deliver. Relevant legislation includes:
- Civil Contingencies Act 2004
- Bribery Act 2010
- Health and Safety at Work etc Act 1974
- Data Protection Act 2018
