Auditing Top Management
Some 15-odd years ago, I remember reading my first ISO management system standard, seeing the term ‘top management,’ and thinking that someday I should figure out what that means. The reality of implementing and auditing management systems pressed the question on me a lot sooner than I expected at the time.
For you, understanding the intended definition of ‘top management’ may have taken a different path, but the reason you need to understand it is similar: part professional interest, and part necessity.
As I tell my implementation clients, “If you understand how you will have to evidence an ISO management system in a certification audit, you can better understand how you should implement the management system.” Of all the points I make across these posts, that is probably one of the most important takeaways you should embrace.
Before we begin, note that ISO’s view is that ‘top management’ uses a management system to achieve the intended outcomes for the organization. Top management is not a slave to the system; the management system enables top management to optimize the use of resources while considering the long- and short-term consequences of its decisions. It provides the means to identify actions that address the intended and unintended consequences of providing products and services. [ISO 9000:2015, Clause 2.2.2]
Top Management Defined
Here is how ‘top management’ is uniformly defined across the different ISO management systems, and then I will provide examples, clarifications, and audit considerations.
Top Management
Person or group of people who directs and controls an organization at the highest level.
NOTE 1: Top management has the power to delegate authority and provide resources within the organization.
NOTE 2: If the scope of the management system covers only a part of an organization, then top management refers to those who direct and control that part of the organization.
NOTE 3: Other terms used as synonyms within ISO standards include executive management and leadership; top management implements the necessary governance.
NOTE 4: Depending on the legal framework, size, and the resources of the organization, top management either reports to a governing body, or top management is the governing body.
NOTE 5: Management should be regarded as the function, not the activity.
NOTE 6: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to ISO/IEC Directives, Part 1.
If you look at other formal ISO terms that are the responsibility of ‘top management’ you get further insights into the importance and role of top management:
Policy
Intentions and direction of an organization as formally expressed by its top management.
Vision
Aspiration of what an organization would like to become as expressed by top management.
Mission
Organization’s purpose for existing as expressed by top management.
Common Mistakes
There are two common mistakes that I see during audits in how top management is constituted: the wrong composition of members, and passive behavior.
Frequently, in audits, organizations represent top management as some sort of steering committee, or whatever they call it. Committee members can be extraneous and do not align with the intent and definition of top management: they are not responsible, they do not have authority, they do not control the resources, they do not own the risk, and they are not actually accountable for the outcomes. They are passive spectators.
NOTE: The steering committee may meet the definition of a governing body, which top management may report to, but the committee is not top management.
Top management is not a passive oversight entity. It is an active presence in the management system that ensures that the management system is properly established, evolves, and continuously improves to achieve the intended outcomes of the management system. When necessary, top management changes the management system. They don’t wait for a steering committee to opine.
Auditing Top Management
There will be a combination of documented information available, but I find that interviewing top management generates the most relevant evidence during an audit, evaluated against the following management clauses:
· 5.1 Leadership and Commitment
· 5.2 <Management System> Policy
· 5.3 Roles, Responsibilities and Authorities
· 6.2 <Management System> Objectives and Planning to Achieve Them
· 9.3 Management Review
NOTE: When possible, I try to interview top management near the end of the audit, for two reasons. First, I usually see evidence during the audit that I want to make sure top management is aware of. Second, to be considerate: top management tends to be busy, and they do not want to be re-interviewed to clarify some anomaly in the evidence.
At the end of the interview, I can usually give them an overview of the audit findings and conclusions, which they are going to ask about anyway. This helps prepare the organization for the closing meeting of the audit.
You may have other thoughts, and there are reasons in an audit why top management needs to be interviewed earlier. As a German Field Marshal once said, “No battle plan survives first contact with the enemy.”
NOTE: ISO guidance standards for management systems can be leveraged to understand ISO’s intent for each of the management system clauses. In some cases, such as ISO 27007 for an Information Security Management System (ISMS), you will find clear audit criteria for each of the core clauses that state ‘top management’ responsibilities.
To be efficient, I generally want to interview ‘top management’ together. Some answers require a combined response, given the division of roles and responsibilities. Here are some of the questions that I routinely ask:
· Can you identify actions taken to integrate the management system into the organization’s processes? (Clause 5.1 and 8.1)
· Can you identify examples of how necessary resources are planned and allocated for the management system, to include an ongoing budget? (Clause 5.1 and 7.1)
· Explain the relationship between your management system’s intended outcomes and how you established your management system objectives. (Clause 4.1, 5.1, and 6.2)
· Clause 5.3 Roles, Responsibilities and Authorities requires that you establish relevant roles. Who is responsible within the management system for providing the reporting that keeps you informed on an ongoing basis? (Clause 5.3, 9.1, and 9.3)
· Can you give me an example of a scenario or event that would trigger an update of the risk assessment and risk treatment plan? (Clause 4.3, 6.1, 8.X)
· Looking forward, what events may require a change of the management system? (Any of the management system clauses)
· Under which conditions would you be required to notify your certification body of a change? (ISO 17021-1, Clause 8.5.3 Notice of Changes by a Certified Client, which is usually restated in the certification agreement with an organization)
Of course, there are other questions that may be relevant for the organization, but I generally cover the topics above in all cases.
Summary
So, when we consider the above, we can summarize this article by stating that top management enables and ensures the:
- Provision of adequate human and other resources
- Monitoring of processes and results
- Determination and evaluation of risks and opportunities
- Implementation of appropriate actions
Responsible acquisition, deployment, maintenance, enhancement, and disposal of resources support the organization in achieving its objectives.
In many cases, I believe that top management actually meets the definition of the Risk Owner role, which ISO defines as a “person or entity with the accountability and authority to manage a risk,” or else the risk owners should report (directly or by dotted line) to top management. Think about it: ultimately, top management is making the ongoing determination about the current state, treatment, effectiveness, remediation, and acceptability of risk within the management system. If a risk is not acceptable, top management should take the necessary actions and employ whatever resources are needed to bring the risk back into an acceptable state.
Too often, I see a plethora of risk owners with fragmented and unpredictable communication channels to top management, and now we are headed toward an audit finding. If top management does not remain informed, they cannot act on the risks, and the risk owners may not control the resources necessary to treat them.
Understanding the definition, intent, and the role of top management makes it easier to understand whether your management system has properly established top management, and over time, when you need to update how top management is constituted.
ISO 17021-16 Under Development
ISO has initiated actions to develop and publish ISO 17021-16 for the audit and certification of Innovation Management Systems (IMS), based on the ISO 56001:2024 Innovation Management System - Requirements. This will be the first edition of this audit and certification standard.
Innovation management is an important business area. Organizations compete on price and on differentiators, and innovation is one of the principal ways that organizations create differentiators. While still a young standard, ISO expects interest in innovation management to accelerate. As an example, almost all forms of artificial intelligence (AI) started as innovation initiatives.
The development of ISO 17021-16 is expected to be completed before mid-2027, and is jointly overseen by the ISO CASCO committee for conformity assessment and ISO Technical Committee 279 - Innovation Management. Once published, ISO certification bodies (CBs) worldwide will be able to apply for, and become authorized to perform, ISO 56001 certification audits.
NOTE: Dallas N. Bishoff, the President of PROCESS 360, serves as the U.S. expert for the development of this standard. Given Dallas’ extensive audit credentials, his voice and vision will drive this initiative toward a successful outcome.
ISO 19011:2018 Under Revision
ISO 19011:2018 Guidelines for Auditing Management Systems is under revision and is expected to be reissued in 2026. All ISO management systems are audited using the uniform collection of processes published in ISO 19011, which is the principal guidance for audit programs, how audits are conducted, how audit reports are generated, and how continual improvement is incorporated into management system audits.
The revision is overseen by ISO Project Committee (PC) 302. You can track the progress of ISO 19011 on the PC 302 website.
NOTE: Dallas N. Bishoff, the President of PROCESS 360 is a voting member of PC 302.
Audit & Certification Standard Under Revision
On October 15, 2025, ISO initiated a review of ISO 17021-1:2015 Requirements for Bodies Providing Audit and Certification of Management Systems — Part 1: Requirements. ISO 17021-1 is the foundational standard used to certify all management systems and to maintain the certificate life cycle.
Generally, each management system is addressed by a dedicated standard that is part of the ISO 17021 series. As an example, the ISO 9001 QMS standard is covered by Part 3 (ISO 17021-3). In other cases the audit and certification standard is an extension of the management system’s own series: ISO 20000 (Service Management) is addressed by ISO 20000-6:2017; ISO 27001 (Information Security) is addressed by ISO 27006; ISO 27701 (Privacy Management) is addressed by ISO 27706; and ISO 42001 is addressed by ISO 42006. All of these standards start with ISO 17021-1 and identify the unique aspects, extensions, and requirements necessary to establish the audit and certify an organization against a specific management system standard.
The review and revision process will probably last all of 2026. The revision is overseen by CASCO, the ISO Technical Committee responsible for conformity assessments.
ISO 37304 Audit & Certification of a CMS
ISO 37304 Compliance Management Systems — Requirements for Bodies Providing Audit and Certification of Compliance Management Systems is currently under development and in the Draft International Standard (DIS) stage. The standard still has to pass through the Final Draft International Standard (FDIS) stage before it can be officially published, which is expected in 2026.
When published, ISO certification bodies can gain authorization to formally certify an organization’s Compliance Management System (CMS). ISO 37304 is an extension of ISO 17021-1, Requirements. This means that companies will be able to apply for and receive a formal ISO 37301 certificate, and gain recognition for their CMS programs.
ISO 17012:2024 Conducting Remote Audits
ISO 17012 Guidelines for the Use of Remote Auditing Methods in Auditing Management Systems was published in 2024 and provides valuable guidance on how to conduct remote audits, which have become more prevalent since COVID.
Remote audits have unique challenges, especially when auditing physical environments remotely, and with the introduction of video conferencing and collaboration platforms to evaluate evidence. Video conferencing can incorporate recordings that may capture sensitive information, including intellectual property, personal data, business partner protected information, and attorney-client privileged content.
NOTE: The practice and risks of conducting audits using AI tools for evidence evaluation, audit transcription services, and related capabilities are not addressed by ISO 17012 (or other audit standards). AI poses unique challenges to the confidentiality principle in audits (see ISO 17021-1, Clause 4.6 and ISO 19011, Clause 4 d)). Auditors need to understand the application and risk of AI before incorporating artificial intelligence into audit practices.