What is ISO 22320?
ISO 22320 is a reference framework that helps organizations structure management, control, planning, and performance evaluation within a defined scope. The goal is to build an auditable system that improves results, reduces errors, and increases stakeholder confidence.
A strong implementation creates a shared internal language: what are the processes, who owns them, what are the risks/opportunities, what documents and records exist, and how effectiveness is measured. When these answers are both documented and practiced, external audits become predictable.
Implementing ISO 22320 is not about copying theory; it’s about operationalizing it: defining inputs/outputs, acceptance criteria, change control, competence management, and the handling of nonconformities and corrective actions.
If ISO 22320 follows a high-level structure (HLS) typical for management system standards, requirements commonly map to: context, leadership, planning, support, operation, performance evaluation, and improvement—making integration with other standards much easier.
At Quality Report, we focus on making the management system part of everyday operations—not a documentation project. Successful implementation means roles are clear, KPIs are monitored, risks and opportunities are managed, and improvement actions are actually closed with evidence.
Practical implementation depends on organizational size, industry, number of sites, and process complexity. We start with scope and core processes, then define the minimum effective controls, documents, and records that drive performance without slowing the business.
Generic templates alone often create a gap between “what’s written” and “what’s done”. We use templates only as a starting point, then tailor them to real workflows, responsibilities, and measurable outputs.
Why Emergency Management — Incident Management matters
First, it reduces risk: operational risk, reputation risk, compliance risk, and service disruption. A clear system decreases dependency on individual heroes and makes performance repeatable.
Second, it improves results. When processes are defined, measured, and reviewed, improvement opportunities become visible—whether you’re targeting lead time, waste, incidents, cybersecurity exposure, or customer satisfaction.
Third, it builds trust and competitiveness. Many large clients and tenders prefer organizations with implemented management systems and evidence of audit readiness.
Finally, it strengthens culture: role clarity, training discipline, data‑driven decisions, and routine management reviews that keep priorities aligned.
Scope definition (and why it affects cost & timing)
Scope is the most influential factor on implementation time, project effort, and audit outcomes. An unrealistic scope (too wide or too narrow) increases complexity or creates issues during certification.
We define scope by sites/locations, activities and services/products, support functions (HR, procurement, IT), and external interfaces (contractors, suppliers, partners).
Next, we draft a simple process map: core processes, support processes, and governance processes—then link each process to outputs, KPIs, and traceable records.
If multiple standards are required, we design the scope to support an Integrated Management System, reducing duplicated documents and meetings.
Turning requirements into day‑to‑day operations
We start by defining what must actually happen to demonstrate conformity. Conformity is not a policy statement—it’s implementation and records: plans, reviews, audits, corrective actions, and performance results.
In practice we group requirements into operational themes: policy/objectives, risk & opportunity management, resources and competence, document/record control, operational control and supplier management, performance evaluation (KPIs + internal audit + management review), and continual improvement.
These themes become simple tools: a requirements mapping matrix, implementation plan, risk register, competence matrix, internal audit checklist, management review agenda/minutes, and a corrective action tracker.
This approach converts audits from “clause memorization” into “evidence tracing”: objective → KPI → record → decision → action → improvement result.
• Example: instead of saying “we review suppliers”, define criteria, frequency, ownership, records, and decision outputs (approve/improve/stop).
• Example: instead of “we measure customer satisfaction”, define channels, analysis method, and improvement linkage.
Suggested implementation roadmap (4–12 weeks)
Duration depends on current maturity. As a practical baseline: weeks 1–2 for scope, gap assessment, and a realistic plan; weeks 3–6 for core documentation and aligning existing practices with KPIs.
Weeks 7–9 focus on real implementation: using forms, generating records, training teams, and coaching process owners. This is where real gaps appear and documents are refined quickly.
Weeks 10–11 complete internal audits based on risk, then corrective actions are implemented and verified for effectiveness.
Week 12 closes with management review: audit results, performance, risks, changes, improvement opportunities, and management decisions—leading into readiness for certification auditing.
Documents & records (what auditors typically look for)
Documents are not the goal—they are a control mechanism and proof of systematic work. We separate: top-level documents (policy/objectives/scope), operational procedures, and the records that prove implementation.
Common documents include: policy, measurable objectives, process map, risk/opportunity matrix, competence and training plan, document/record control, core operational procedures, and nonconformity/corrective action procedures.
Records are usually the key audit evidence: training records, supplier evaluation, process monitoring logs, KPI results, complaints analysis, internal audit reports, management review minutes, and corrective action effectiveness proofs.
We build a “smart minimum” documentation set: enough for compliance and effectiveness without bureaucracy. Every document should have an owner, a review cycle, and a clear operational purpose.
Internal audit & management review (how readiness is ensured)
Internal audit is not about blaming people—it’s a verification and improvement mechanism. We align internal audit programs with risk and importance, using auditing guidance (e.g., ISO 19011).
During audits, we focus on objective evidence: records, KPIs, outputs, decisions, and follow‑ups. Findings are written clearly: requirement + evidence + deviation + impact + suggested correction.
Management review is a leadership practice that demonstrates control and alignment. It covers performance, audit results, complaints, changes, risks, improvement opportunities, and decisions on resources and priorities.
With this loop completed, certification audits become a structured verification rather than a surprise event.
KPIs & practical examples (make the system measurable)
Strong systems are measurable. We help you choose 6–12 useful KPIs instead of dozens of “vanity metrics”. Each KPI should map to an objective, include acceptance limits, define data sources, review frequency, and a clear owner.
• Examples you can tailor: on-time corrective action closure, complaint resolution lead time, training plan completion, rework/waste rates, supplier performance, incident/uptime metrics—depending on your context.
The key is linking KPIs to decisions. When a KPI drops: who investigates, what action is taken, and how effectiveness is verified? This evidence shows auditors that the system manages performance—not just reports numbers.
We also use simple visualizations (trend lines, Pareto of causes, risk matrices) to help leadership understand status and make data-driven decisions.
Common mistakes that delay certification (and how to avoid them)
The most common mistake is document overload: procedures no one uses and forms never filled. Auditors quickly notice the implementation gap. The fix is a smart minimum set of documents backed by training, real practice, and real records.
Another issue is unrealistic scope: excluding key activities without justification or including sites that are not ready. We focus on a realistic scope first, then expand systematically if needed.
Many organizations treat risk and opportunity as a “checklist” exercise. We turn it into a decision tool by linking risks to controls, actions, KPIs, and periodic review.
Finally, weak management review. Management review is not a ceremonial meeting—it’s leadership control, evidence of decisions, resource allocation, and improvement prioritization.
Pricing factors (what affects your proposal)
Pricing is not determined by the standard name alone. Key drivers are scope: number of sites, headcount, process complexity, current system maturity, and existing documentation.
Availability of an internal coordinator, decision speed, and historical records/KPIs also affect duration. Organizations with established data typically implement faster.
A typical proposal includes: gap assessment, documentation design, implementation workshops and training, internal audit, management review, and an improvement plan—with clear deliverables per phase.
To receive an accurate quote, share your industry, scope, sites count, headcount, target standards, and any target audit date.
