Management System

Context, Requirements and Scope

 Management System Context, Requirements and Scope

[Replace with your case study company logo]

Management System
Context, Requirements and Scope

Document Ref. MS-DOC-04-1

Version: 1
Dated: [Insert date]
Document Author:
Document Owner:

Version 1 Page 2 of 17 [Insert date]

 Management System Context, Requirements and Scope

Revision History

Versio Date Revision Summary of Changes

n Author

Distribution

Name Title

Approval

Name Position Signature Date

Version 1 Page 3 of 17 [Insert date]

 Management System Context, Requirements and Scope

Contents

1 INTRODUCTION........................................................................................................................... 5
2 ORGANISATIONAL CONTEXT................................................................................................... 6
2.1 ACTIVITIES............................................................................................................................. 6
2.2 FUNCTIONS............................................................................................................................ 6
2.3 SERVICES.............................................................................................................................. 7
2.4 PRODUCTS............................................................................................................................. 7
2.5 PARTNERSHIPS....................................................................................................................... 8
2.6 SUPPLY CHAINS..................................................................................................................... 8
2.7 RELATIONSHIPS WITH INTERESTED PARTIES.............................................................................8
3 OBJECTIVES AND POLICIES................................................................................................... 10
3.1 BUSINESS OBJECTIVES......................................................................................................... 10
3.2 BUSINESS POLICIES.............................................................................................................. 10
3.3 QUALITY OBJECTIVES........................................................................................................... 10
4 RISK AND OPPORTUNITY MANAGEMENT.............................................................................12
4.1 RISK AND OPPORTUNITY MANAGEMENT STRATEGY................................................................12
4.2 RISK APPETITE..................................................................................................................... 12
4.3 INTERNAL UNCERTAINTY FACTORS........................................................................................13
4.4 EXTERNAL UNCERTAINTY FACTORS.......................................................................................13
4.5 RISK CRITERIA..................................................................................................................... 13
5 REQUIREMENTS....................................................................................................................... 14
6 PURPOSE AND SCOPE OF THE [XXXX] MS...........................................................................16
6.1 PURPOSE............................................................................................................................. 16
6.2 SCOPE OF THE [XXXX] MS.................................................................................................... 16
6.2.1 Organizational................................................................................................................ 16
6.2.2 Services......................................................................................................................... 16
6.2.3 Geographical location..................................................................................................... 17
6.2.4 Customers...................................................................................................................... 17
6.2.5 Technology..................................................................................................................... 17
6.2.6 Exclusions...................................................................................................................... 17

List of Figures
FIGURE 1 - ORGANIZATION CHART............................................................................................................ 9

List of Tables
TABLE 1 – REQUIREMENTS SUMMARY OF INTERESTED PARTIES / LEGAL AND REGULATORY BODIES..........17

Version 1 Page 4 of 17 [Insert date]

 Management System Context, Requirements and Scope

1 Introduction

[Organization Name] is committed to ensuring the quality of its products and services
and to enhancing customer satisfaction and has implemented a [Information Security
/ IT Service / Quality / Business Continuity / xxxx] Management System (xxMS) that
is compliant with [ISO xxxxx], the international standard for [xxxx] management
systems.

The purpose of this document is to describe the way the business operates, internal
and external factors influencing it and to highlight in general terms the direction of
the organization. This will allow the scope of the [xxxx] MS to be appropriately
defined and high-level objectives to be set.

Version 1 Page 5 of 17 [Insert date]

 Management System Context, Requirements and Scope

2 Organisational Context

The organisational context of [Organization Name] is set out in the following

sections. Given the fast-moving nature of the business and the markets in which it
operates the context will change over time. This document will be reviewed on an
annual basis and any significant changes incorporated. The [xxxx] MS will also be
updated to cater for the implications of such changes.

2.1 Activities

[Organization Name] undertakes a wide range of business activities within its target
sectors and is constantly developing new products and services to bring to market.

Describe:

 What does the organization do?

 When was it formed?
 What is its structure e.g. group of companies?
 What is its main industrial sector?
 Who are its main customers?
 In which geographical regions does it operate?
 What is its annual turnover?

2.2 Functions

[Organization Name] consists of the following organizational functions:

 Sales and Marketing

 Finance and Accounting
 Human Resources
 Operations
 Logistics
 Product Research and Development
 Project Management
 Risk and Compliance
 Consulting
 Information Technology

An organization chart is shown below:

Version 1 Page 6 of 17 [Insert date]

 Management System Context, Requirements and Scope

Figure 1 - Organization chart

[Describe where the various functions are based e.g. HR, Finance and Marketing are
in a corporate headquarters whilst Operations is in a regional structure spread
across x offices nationwide/internationally.]

2.3 Services

[Organization Name] offers the following major services to its customers:

 [List the main services]

Specify:

 Are all services offered to all customers?

 Which services create the most revenue and profit?
 Are any services dependent on others (prerequisites)?
 Which services are the highest profile?
 Are any of the services subject to external regulation?
 Do any of the services have a health and safety aspect?

2.4 Products

[Organization Name] offers the following major products to its customers:

 [List the main products]

Specify:

 Are all products offered to all customers?

 Which products create the most revenue and profit?
 Are any products dependent on others (prerequisites)?
 Which products are the most high profile?

Version 1 Page 7 of 17 [Insert date]

 Management System Context, Requirements and Scope

 Are any of the products subject to external regulation?

 Do any of the products have a health and safety aspect?

2.5 Partnerships

[Organization Name] has a policy of forming partnerships with other organizations

which complement its own offerings and bring increased benefits to its customers.

The following major partnerships are currently in place:

For each partnership specify:

 Organization name
 Location(s)
 Nature of partnership
 Which products or services are affected by the partnership
 Which/how many customers are involved
 How long the partnership has been in place
 Any other relevant information

2.6 Supply Chains

In order to provide our products and services to our customers a number of

important supply chain routes are in place. The major ones are:

Describe for each supply chain:

 The products and services affected

 The links in the supply chain both in terms of organisations involved and
geography
 How established the supply chain is
 Revenue and profit value that relies upon the supply chain
 Any other relevant information

2.7 Relationships with Interested Parties

In addition to our partners and suppliers, [Organization Name] has many other
interested parties it deals with. These include:

 Citizens
 Customers
 Distributors
 Shareholders
 Investors
 Owners
 Insurers

Version 1 Page 8 of 17 [Insert date]

 Management System Context, Requirements and Scope

 Government
 Regulators
 Recovery service suppliers
 Competitors
 Media
 Commentators
 Trade groups
 Neighbours
 Pressure groups
 Emergency services
 Other response agencies
 Transport services
 Dependents of staff

List for each significant Interested Party:

 Name of organization
 The nature of the interest
 Degree of influence over the organization
 Value of the interest (if appropriate)
 Any other relevant information

Version 1 Page 9 of 17 [Insert date]

 Management System Context, Requirements and Scope

3 Objectives and Policies

The purpose of the [xxxx] MS is to ensure that [Organization Name] consistently

delivers services that meet customer requirements and enhance customer
satisfaction, whilst meeting business objectives. This section sets out what the major
business objectives and policies are for the current financial year so that a clear
relationship can be established between these and the objectives of the [xxxx] MS.

3.1 Business Objectives

For the financial year 20xx/20yy [Organization Name] has set the following major
business objectives:

 List the major business objectives – reference to business planning

documentation may be made here

3.2 Business Policies

Policies have been set by the organization in a variety of areas and these must be
taken account of during the business continuity planning process to ensure that they
are met.

The main relevant policies are:

 Corporate Risk Management Strategy

 Human Resources Policy
 Home Working Policy
 Flexible Working Policy
 Equality and Diversity Policy
 Internet Acceptable Use Policy
 Information Security Policy
 Legal Responsibilities Policy
 Other relevant policies

3.3 Quality Objectives

Based on the requirements and factors set out in this document, the following major
objectives are set for quality:

Define the main priorities that the [xxxx] MS must address, particularly in terms of the
internal and external uncertainty factors described in sections 4.3 and 4.4 of this
document.

For example:

Version 1 Page 10 of 17 [Insert date]

 Management System Context, Requirements and Scope

 Objective 1 - Comply with health and safety legislation at all times

 Objective 2 – Maintain shareholder confidence
 Objective 3 – Maintain customer service levels
 Objective 4 – Maximise revenue

The success of the [xxxx] MS will be judged on its ability to meet these overall
objectives.

Version 1 Page 11 of 17 [Insert date]

 Management System Context, Requirements and Scope

4 Risk and Opportunity Management

4.1 Risk and Opportunity Management Strategy

[Organization Name]’s strategy with respect to the high level management of risk
and opportunity is to broadly adopt the principles of the ISO31000 standard (Risk
management – principles and guidelines) so that risk and opportunity management:

 creates and protects value

 is an integral part of all organizational processes
 is part of decision-making
 explicitly addresses uncertainty
 is systematic, structured and timely
 is based on the best available information
 is tailored
 takes human and cultural factors into account
 is transparent and inclusive
 is dynamic, iterative and responsive to change
 facilitates continual improvement of the organization

These principles will also be applied to the management of risk and opportunity with
respect to the business objectives of the organization.

4.2 Risk Appetite

The [xxxx] MS is designed to address the major risks that are identified to
[Organization Name]. In identifying, assessing and managing these risks there are a
number of options open to the organisation according to its appetite for risk.

In general terms the organizations appetite for risk may be said to be Low / Moderate
/ High (delete as appropriate).

[Low] The strategy of the organization is to avoid risk where possible and to invest
resources in mitigating residual risk through effective measures.

[Moderate] The strategy of the organization is to accept reasonable levels of risk

whilst making some effort to ensure measures are in place to handle risks if they
occur.

[High] The strategy of the organization is to accept significant levels of risk as an

integral part of the business it is in, on the basis that the resulting rewards will be
sufficient justification.

This level of risk appetite will be applied to the risk assessments that are carried out
as part of the [xxxx] MS and will determine the actions that need to be taken to
mitigate risk to an acceptable degree.

Version 1 Page 12 of 17 [Insert date]

 Management System Context, Requirements and Scope

4.3 Internal Uncertainty Factors

With regard to the [Organization Name] business itself, there are a number of
internal factors that create uncertainty that gives rise to risk and opportunity. These
include:

[List any specific risk factors e.g.

 Uncertainties in employee relations

 Significant organizational changes
 Location moves
 Company financial performance
 Perceptions, values and culture]

These general internal uncertainty factors will be considered in more detail as part of
the risk and opportunity assessment process.

4.4 External Uncertainty Factors

With regard to the external environment in which [Organization Name] operates,

there are a number of external factors that create uncertainty that gives rise to risk
and opportunity.

These include:

[List any specific risk factors e.g.

 Potential legislative or regulatory changes

 Political unrest in countries in which the organization operates
 Inherent environmental risks e.g. forest fire, floods
 Economic factors – supplier failure, lack of customer demand
 Relationships with interested parties outside the organization]

These general external uncertainty factors will be considered in more detail as part
of the risk and opportunity assessment process.

4.5 Risk Criteria

The criteria for assessing risk in the context of the organization’s appetite are defined
in a separate document Risk Assessment and Treatment Process.

Version 1 Page 13 of 17 [Insert date]

 Management System Context, Requirements and Scope

5 Requirements

This section of the document sets out the interested parties that are relevant to the
[xxxx] MS and their requirements. It also summarises the applicable legal and
regulatory requirements to which the organization subscribes.

An interested party is defined as “a person or organization that can affect, be

affected by, or perceive themselves to be affected by a decision or activity”.

The following are defined as interested parties that are relevant to the [xxxx] MS:

 Shareholders
 Board of Directors
 Suppliers
 Customers
 Regulatory bodies
 Customer user groups
 Employees of the organisation
 Contractors providing services to the organization
 National or local government organizations
 Emergency services
 Trade associations and industry bodies
 Trade unions

Applicable legal and regulatory requirements arise from the following:

 Sarbanes-Oxley Act 2002 (USA)

 European Union General Data Protection Regulation (EU GDPR)
 Health and Safety legislation
 Payment Card Industry – Data Security Standard compliance
 Financial Services legislation
 National and international standards e.g. ISO/IEC 27001, ISO/IEC 20000-1,
ISO 9001, ISO 22301
 Consumer protection legislation
 [Specify laws and regulation relevant to your organisation]

The applicable requirements of interested parties and legal and regulatory bodies
are summarised in the table on the following page.

Version 1 Page 14 of 17 [Insert date]

 Management System Context, Requirements and Scope

Interested Party / Legal or Reqt. Requirement Summary Source / link to supporting

Regulatory Body Ref. documents
Shareholders R1 Value of share price should be maintained Minutes of Annual General
Meeting dd/mm/yyyy
Board of Directors R2 Value of share price should be maintained
Minutes of Board Meeting
R3 Organisational reputation must be protected
dd/mm/yyyy
R4 Revenue stream must be maintained
Suppliers R5 Payment schedule must be kept to
R6 Facility for receiving shipments must be Minutes of supplier meetings
available
Customers R7 Delivery schedule should not be affected Customer meetings/focus group
sessions
Regulatory bodies Etc.
Customer user groups
Employees of the organization
Contractors providing services to the
organization
National or local government
organizations
Emergency services
Trade associations and industry
bodies
Trade unions
Sarbanes-Oxley Act 2002 (USA)
Health and Safety legislation
Payment Card Industry – Data
Security Standard compliance

Table 1 – Requirements Summary of Interested Parties / Legal and Regulatory Bodies

Version 1 Page 15 of 17 [Insert date]

 Management System Context, Requirements and Scope

6 Purpose and Scope of the [xxxx] MS

6.1 Purpose

The purpose of the [xxxx] MS is to:

1. Understand the organization’s needs and the necessity for establishing

service management policy and objectives
2. Monitor and review the performance and effectiveness of the [xxxx] MS
3. Continually improve the organization’s xxxx services based on objective
measurement

This purpose applies to the scope of the [xxxx] MS as defined below.

6.2 Scope of the [xxxx] MS

For the purposes of certification within [Organization Name], the boundaries of the
[xxxx] MS are defined as follows:

“The xx management system of [Service Provider] that delivers [All] xxx services to
[all] business units within [Organization Name] at [all] locations”

Details of the xxxx services provided can be found within the [Service Provider]
Service Catalogue and a list of business units/stakeholders within the Business
Relationship Management Plan.

The defined scope of [Organization Name]’s [xxxx] MS takes into account the
internal and external factors referred to in sections 4.3 and 4.4 of this document and
the requirements referred to in section 5. It also reflects the needs of interested
parties and the legal and regulatory requirements that are applicable to the
organization.

The scope is further clarified below in terms of the parts of the organization, services,
geographical location, customers and technology.

6.2.1 Organizational

The [xxxx] MS includes the following parts of the [Organization Name] organization:

[If required, specify the parts of the organization included in terms of business
function, or other organizational boundary e.g. individual companies within a group
structure]

6.2.2 Services

The following services are within the scope of the [xxxx] MS:

Version 1 Page 16 of 17 [Insert date]

 Management System Context, Requirements and Scope

[If required, list the services at an appropriate level of detail. This may be in the form
of service types rather than specifics which are likely to change rapidly over time.
The services selected must be consistent with the organizational split given in the
previous section]

6.2.3 Geographical location

The following locations are within the scope of the [xxxx] MS:

[If required, specify the geographical locations in which the organization operates
that are included in the [xxxx] MS scope e.g. the Paris and Atlanta offices, or
Germany, or EMEA (Europe, Middle East and Africa)]

6.2.4 Customers

Services delivered to the following customers are included in the scope of the [xxxx]
MS:

 [If required, specify names of internal and/or external customers]

6.2.5 Technology

The following technology components are within the scope of the [xxxx] MS:

 [If required, list the relevant technology within scope e.g.

o Servers
o Networks
o Applications]

6.2.6 Exclusions

The following areas are specifically excluded from the scope of the [xxxx] MS:

[If applicable, detail what is excluded and why, in terms of organizational parts,
services, locations, customers and technology. This must remain consistent with the
overall approach and not compromise the ability of the [xxxx] MS to produce the
desired results and meet its objectives.]

Version 1 Page 17 of 17 [Insert date]