ISO Mistake #8
Overcomplicating the system (including compliance requirements that have no real bearing on your operation)
Obviously, in implementing and maintaining any ISO standard, you have to meet the minimum requirements of the relevant standard, so there is always a minimum degree of complexity. Once that minimum is met, however, we would recommend building in additional complexity only where it is genuinely useful to your operation.
In most instances, it's a case of start simple and build from there.
One of the more critical items where this approach is important is in the development of the compliance register.
The requirement for a legal or compliance register has long been a central component of the ISO 14001, ISO 45001 and ISO 27001 standards. Whilst it is not a specific requirement of ISO 9001 in the same way, assessors are increasingly moving 9001 clients towards having a compliance register as well.
The Compliance Register
It should also be noted that these standards usually refer to legal and "other" requirements. These "other" requirements can come from a number of sources, for instance trade associations, professional bodies, regulatory bodies, or indeed specific customer and contractual requirements.
The compliance requirements themselves may include different types of legislation and regulation, for instance those around the following areas:
- Competition
- Company
- Consumer
- Employment
- Data protection (e.g. GDPR)
- Insurance
- Intellectual property
- Tax
This is in addition to the standard-specific environmental, health and safety, and information security legislation.
The point is, your compliance register does not have to cover all legislation and regulations, only those that actually apply to you. Including requirements that have no bearing on your operation adds maintenance effort and audit exposure without adding any control.
Solution & resources
Use the Statius master legal register.
Subscribe to a legal compliance services provider: