Management System Insights
Clause-by-clause analysis, implementation guidance, and contrarian perspectives on ISO management systems. Expert-level content for compliance managers, internal auditors, risk professionals, and operations leaders.
Latest Analysis
ISO 37001:2025 — What Changed and What It Means for Your Anti-Bribery System
Five delta requirements. New transition deadlines. Climate change context at Clause 4.1, anti-bribery culture at 5.1.3, business partner training at 7.3.3, M&A non-financial controls at 8.4, and the renamed anti-bribery function. What to do before August 2026.
Why Your Risk Register Is Not a Risk Management System
The structural difference between a static list and an operational risk framework. Why auditors can tell. Why Clause 6.1 requires more than a spreadsheet. And why most SMEs get this wrong at Stage 2.
Standard-Specific Analysis & Implementation Guidance
Clause 7.1.5 — Why Calibration Failures Top the Major NC List
Monitoring and measurement resource management is a top-five Major NC source in SME Stage 2 audits.
Building the Statement of Applicability — 93 Controls, No Shortcuts
Every Annex A control must be addressed. How to build an SoA that survives Stage 2 scrutiny.
CCP vs OPRP — Getting the Two-Stage Classification Right
CCP/OPRP classification per Codex CXC 1-69. Why critical limits are product- and jurisdiction-specific.
The AI Management System — What ISO 42001 Actually Requires
38 Annex A controls, AI impact assessments, and the management system structure behind responsible AI.
Clause 8 Demystified — Service Lifecycle for IT Organisations
The correct Clause 8 structure (8.1–8.7 only). Common errors and coverage gaps that lead to Major NCs.
Clause 9.4 — Governing Body Review and Why It Is Unique
The only ISO MSS with a dedicated governing body review clause. What it requires and why most miss it.
Subscribe to the Newsletter
Clause-by-clause ISO analysis, contrarian perspectives on management system performance, and the SGRII Pillar Lens framework. Published on Substack.
Internal Audit Best Practices & Improvement Methodology
The Five Most Common Major NCs in SME Stage 2 Audits
Calibration failures, incomplete risk assessments, inadequate management review inputs, documentation drift, and missing effectiveness verification.
Why “Human Error” Is Never an Acceptable Root Cause
Root cause analysis must identify system deficiency. Blaming individuals masks the structural failures that caused the nonconformity.
Evidence-Based Verification — Why Date-Based Closure Fails Audits
Corrective actions closed by date, not evidence, represent a systemic weakness. What effectiveness verification looks like in practice.
Frameworks, Models, and Contrarian Perspectives
Risk vs NC — Why Clause 6.1 and Clause 10.2 Must Stay Separate
Prospective risk management and retrospective corrective action serve different functions. Combining them undermines both.
Opportunity Identification — Independent First, Mirror Second
Independent identification should account for at least half of opportunities. The mirror technique is supplementary.
The Five Broken Promises — Why Organisations Fail at System Change
Organisational psychology insights from March, Argyris, and Kahneman applied to management system failure.
From Insight to Implementation
Every insight connects to a framework. Every framework is available for immediate download.