Draft | Internal | ISO 9001 | ISO 14001 | ISO 27001

SW-IMS-MAN-006

IMS Manual - Clause 6: Planning

Version: 1.0
Owner: IMS Owner
Effective Date: [TBD]
Review Date: [TBD]

Purpose

This section of the IMS Manual describes how Swedwise plans its Integrated Management System to address risks and opportunities, determine and achieve objectives, and manage changes. It demonstrates compliance with Clause 6 requirements of ISO 9001:2015, ISO 14001:2015, and ISO 27001:2022.

Scope

This manual section covers:

  • Actions to address risks and opportunities across quality, environmental, and information security domains
  • Environmental aspects identification and evaluation (ISO 14001)
  • Compliance obligations determination (all standards)
  • Information security risk assessment approach (ISO 27001)
  • IMS objectives setting and planning
  • Planning for changes to the IMS

6.1 Actions to Address Risks and Opportunities

6.1.1 Risk-Based Thinking Approach

Swedwise embeds risk-based thinking throughout its Integrated Management System. Rather than maintaining separate risk management processes for quality, environmental, and information security, we operate a unified risk assessment and treatment framework.

Risk-Based Thinking Principles:

Swedwise recognizes that risk is inherent in all aspects of business. Our approach:

  • Proactive, not reactive: Identify risks before they materialize
  • Opportunity-focused: Risks can be positive (opportunities) or negative (threats)
  • Context-aware: Consider both internal and external factors affecting the organization
  • Integrated: Quality, environmental, and security risks are assessed together
  • Proportionate: Risk treatment effort matches risk significance
  • Evidence-based: Decisions informed by data, analysis, and stakeholder input

Integration Across Disciplines:

Management System | Risk Focus | Examples
Quality (ISO 9001) | Risks to customer satisfaction and service delivery | Consultant unavailability, scope creep, customer dissatisfaction, competence gaps
Environmental (ISO 14001) | Environmental aspects and their impacts | Office energy use, business travel emissions, e-waste, cloud infrastructure impacts
Information Security (ISO 27001) | Risks to confidentiality, integrity, and availability | Data breaches, unauthorized access, phishing, system outages, supplier security

All risks are managed in a single Integrated Risk Register (SW-IMS-REG-001), enabling a holistic view and efficient resource allocation.

6.1.2 Risk Assessment Methodology

Swedwise uses a standardized risk assessment methodology documented in the Risk Assessment Procedure (SW-IMS-PRO-002).

Risk Assessment Process:

  1. Context Analysis: Understand internal and external environment (Clause 4)
  2. Asset/Activity Identification: Identify what needs protection or what activities have impacts
  3. Threat/Aspect Identification: Determine what could go wrong or what environmental aspects exist
  4. Vulnerability Analysis: Identify weaknesses that could be exploited
  5. Likelihood Assessment: Evaluate probability of risk occurring (1-5 scale)
  6. Impact Assessment: Evaluate consequence if risk occurs (1-5 scale)
  7. Risk Calculation: Risk Score = Likelihood × Impact
  8. Risk Evaluation: Compare to acceptance criteria; prioritize
  9. Risk Treatment: Select appropriate treatment (Avoid, Reduce, Transfer, Accept)

Risk Matrix (5×5):

Swedwise uses a consistent risk matrix across all domains:

  • Likelihood: Rare (1), Unlikely (2), Possible (3), Likely (4), Almost Certain (5)
  • Impact: Negligible (1), Minor (2), Moderate (3), Major (4), Critical (5)
  • Risk Level: Low (1-4), Medium (5-9), High (10-14), Critical (15-25)

Risk Acceptance Criteria:

  • Low risks (1-4): May be accepted with monitoring
  • Medium risks (5-9): Monitor closely; reduce where cost-effective
  • High risks (10-14): Require treatment plan and management approval
  • Critical risks (15-25): Immediate action; CEO approval required to accept

Risk Treatment Options:

Treatment | Description | When Used
Avoid | Eliminate risk source or change approach | Risk too high; no cost-effective controls
Reduce | Implement controls to lower likelihood/impact | Most common; cost-effective controls available
Transfer | Share risk with third party | Financial/specialist risks; insurance, SLAs
Accept | Retain risk without additional treatment | Low risks or cost exceeds benefit

6.1.3 Opportunity Identification

Swedwise recognizes that not all risks are negative. Opportunities are positive risks that can enhance performance, customer satisfaction, environmental protection, or security posture.

Opportunities Considered:

Quality Opportunities:

  • Process improvements to enhance efficiency
  • Technology adoption to improve service delivery
  • Customer feedback leading to new service offerings
  • Strategic partnerships expanding capabilities

Environmental Opportunities:

  • Remote work reducing travel emissions
  • Cloud infrastructure optimization reducing energy consumption
  • Circular economy approaches (equipment reuse/refurbishment)
  • Green procurement supporting sustainable suppliers

Information Security Opportunities:

  • Automation improving consistency and reducing human error
  • Advanced security controls differentiating SaaS offerings
  • Security certifications enabling new markets
  • Threat intelligence improving proactive defense

Opportunity Management:

  • Opportunities identified during risk assessments, management reviews, and innovation discussions
  • Evaluated using a similar likelihood/impact approach, but focusing on positive outcomes
  • Prioritized based on strategic alignment and resource availability
  • Assigned to owners with implementation plans

6.1.4 Integrated Risk Register

All identified risks and opportunities are documented in the Integrated Risk Register (SW-IMS-REG-001).

Register Contents:

For each risk/opportunity:

  • Unique ID and category (Quality, Environmental, Information Security, Strategic/Operational)
  • Description and affected asset/process
  • Inherent risk score (before controls)
  • Existing controls and their effectiveness
  • Residual risk score (after controls)
  • Risk level and treatment decision
  • Risk owner and review date
  • Treatment actions (if required)

Risk Register Maintenance:

  • Comprehensive Review: Annually (minimum), led by IMS Owner with cross-functional participation
  • Quarterly Review: High and critical risks reviewed for status changes
  • Continuous Monitoring: Risk owners monitor assigned risks; report changes
  • Triggered Reviews: When significant incidents, organizational changes, or regulatory changes occur

Reporting:

  • Risk dashboard provided to Management Team quarterly
  • Top 10 risks reported in Management Review
  • Risk trends analyzed (increasing/decreasing risk profile)

6.1.5 Environmental Aspects (ISO 14001 Requirement)

As part of risk assessment, Swedwise systematically identifies environmental aspects of its activities, products, and services and evaluates their environmental impacts.

Environmental Aspect Definition:
An environmental aspect is an element of Swedwise's activities, products, or services that interacts (or can interact) with the environment.

Aspect Identification Approach:

Swedwise considers environmental aspects across:

Office Operations (3 locations: Karlstad, Stockholm, Uddevalla):

  • Energy consumption (heating, cooling, lighting, IT equipment)
  • Water use
  • Waste generation (general, recyclable, electronic)
  • Paper consumption

Business Activities:

  • Business travel (air, rail, car)
  • Consultant commuting (not fully controlled, but considered)
  • IT equipment procurement and lifecycle
  • Cloud infrastructure energy use (indirect, via suppliers)

Service Delivery:

  • SaaS platform energy consumption (hosted at Entiros data center)
  • Customer site activities (limited environmental control)

Conditions Considered:

  • Normal operations: Day-to-day activities
  • Abnormal operations: Peak periods, seasonal variations
  • Emergency conditions: Fire, power failure, equipment malfunction

Lifecycle Perspective:

  • Procurement: Supplier environmental performance, product lifecycle
  • Use: Energy efficiency, consumables
  • Disposal: Recycling, e-waste management

Aspect Evaluation Criteria:

Environmental aspects are evaluated for significance using the risk matrix approach (likelihood × severity of impact):

Significance Factors:

  • Type of impact: Climate change, resource depletion, pollution, biodiversity
  • Scale: Magnitude of impact (local, regional, global)
  • Severity: Potential harm to environment
  • Frequency: How often aspect occurs
  • Reversibility: Can impact be reversed?
  • Stakeholder concern: Regulatory, customer, or community interest

Significant Aspects:
Aspects scoring Medium risk or higher (≥5) are considered significant and require:

  • Operational controls to minimize impact
  • Objectives and targets for improvement
  • Monitoring and measurement
  • Awareness and training for relevant staff

Environmental Aspects Register:

Maintained as part of the Integrated Risk Register (SW-IMS-REG-001) with environmental-specific details.

Example significant aspects for Swedwise:

Aspect | Activity | Impact | Likelihood | Severity | Significance | Controls
Office energy use | Heating, cooling, IT | Climate change, resource depletion | 5 (Certain) | 2 (Minor) | 10 (High) | Energy-efficient equipment, remote work policy
Business travel (flights) | Customer meetings, conferences | GHG emissions, air pollution | 5 (Certain) | 2 (Minor) | 10 (High) | Virtual meeting preference, travel approval
E-waste disposal | Equipment end-of-life | Soil/water contamination | 3 (Possible) | 2 (Minor) | 6 (Medium) | Certified recycling partner
Cloud infrastructure energy | SaaS hosting | Climate change (indirect) | 5 (Certain) | 2 (Minor) | 10 (High) | Supplier selection (renewable energy), resource optimization
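A scoring helper for the 5×5 matrix of 6.1.2 and the environmental-aspect significance threshold of 6.1.5, written here as an added example and not Swedwise's own tooling: it computes inherent and residual scores, maps them to the manual's risk levels, derives the review cadence from 6.1.4, and flags Accept decisions that lack the approver the acceptance criteria call for. The scales, bands and thresholds come from the manual; the field names, the approver roles assumed for Low/Medium risks, and the sample register rows are assumptions.

```python
from dataclasses import dataclass

# 5x5 scales from 6.1.2 (labels are the manual's own wording)
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
# Risk level bands over Likelihood x Impact (6.1.2)
LEVEL_BANDS = (("Low", 1, 4), ("Medium", 5, 9), ("High", 10, 14), ("Critical", 15, 25))
TREATMENTS = {"Avoid", "Reduce", "Transfer", "Accept"}
# Roles that may sign off an "Accept" decision. CEO for Critical and management approval for
# High are stated in 6.1.2; letting the risk owner accept Low/Medium risks is an assumption.
ACCEPT_APPROVERS = {
    "Low": {"Risk Owner", "Management Team", "CEO"},
    "Medium": {"Risk Owner", "Management Team", "CEO"},
    "High": {"Management Team", "CEO"},
    "Critical": {"CEO"},
}
SIGNIFICANCE_THRESHOLD = 5  # 6.1.5: aspects scoring Medium or higher (>=5) are significant


def risk_score(likelihood: int, impact: int) -> int:
    # Risk Score = Likelihood x Impact; both inputs must be on the 1-5 scale
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"likelihood and impact must be 1-5, got {likelihood}, {impact}")
    return likelihood * impact


def risk_level(score: int) -> str:
    # Map a score to Low / Medium / High / Critical using the 6.1.2 bands
    for name, low, high in LEVEL_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 5x5 matrix")


def review_cadence(level: str) -> str:
    # 6.1.4: High and Critical risks get a quarterly review, everything else the annual review
    return "Quarterly" if level in ("High", "Critical") else "Annually"


def is_significant_aspect(likelihood: int, severity: int) -> bool:
    # 6.1.5: an environmental aspect is significant when likelihood x severity >= 5
    return risk_score(likelihood, severity) >= SIGNIFICANCE_THRESHOLD


@dataclass
class RiskEntry:
    # One row of the Integrated Risk Register; fields follow 6.1.4, attribute names are assumed
    risk_id: str
    category: str
    description: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int
    treatment: str
    owner: str
    accepted_by: str = ""  # role that signed off an Accept decision, if any

    def inherent_score(self) -> int:
        return risk_score(self.inherent_likelihood, self.inherent_impact)

    def residual_score(self) -> int:
        return risk_score(self.residual_likelihood, self.residual_impact)

    def residual_level(self) -> str:
        return risk_level(self.residual_score())


def validate_entry(entry: RiskEntry) -> list:
    # Register-hygiene checks for one entry; an empty list means the entry passes
    findings = []
    if entry.treatment not in TREATMENTS:
        findings.append(f"{entry.risk_id}: unknown treatment '{entry.treatment}'")
    if entry.residual_score() > entry.inherent_score():
        findings.append(f"{entry.risk_id}: residual score exceeds inherent score")
    level = entry.residual_level()
    if entry.treatment == "Accept" and entry.accepted_by not in ACCEPT_APPROVERS[level]:
        needed = " or ".join(sorted(ACCEPT_APPROVERS[level]))
        findings.append(f"{entry.risk_id}: {level} risk accepted by '{entry.accepted_by}', needs {needed}")
    return findings


# Constructed sample rows, not taken from the real register; ENV-003 mirrors the e-waste aspect in 6.1.5
SAMPLE_REGISTER = [
    RiskEntry("ISR-001", "Information Security", "Phishing account takeover", 4, 4, 3, 3, "Reduce", "CISO"),
    RiskEntry("ISR-002", "Information Security", "Hosting supplier outage", 4, 5, 4, 4, "Accept", "CTO",
              accepted_by="Management Team"),
    RiskEntry("ENV-003", "Environmental", "E-waste disposal contamination", 3, 2, 3, 2, "Reduce", "Environmental Lead"),
]


def register_findings(register=SAMPLE_REGISTER) -> list:
    # Validate every entry and collect all findings
    return [f for entry in register for f in validate_entry(entry)]
```

risk_score(5, 2) and risk_score(3, 2) reproduce the 10 (High) and 6 (Medium) entries in the aspects table above; in the sample register only ISR-002 fails, because a Critical residual risk was accepted without CEO sign-off.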

Environmental Aspects Review:

  • Annually during comprehensive risk assessment
  • When new activities, products, or services are introduced
  • When organizational changes affect environmental footprint

6.1.6 Compliance Obligations

Swedwise systematically determines and maintains awareness of compliance obligations related to quality, environmental, and information security.

Types of Compliance Obligations:

Legal and Regulatory Requirements:

Quality and General Business:

  • Swedish consumer protection laws (Konsumentköplagen)
  • EU Product Liability Directive
  • Labor law (Arbetsmiljölagen) - employee health and safety
  • Accounting and tax regulations

Environmental:

  • Swedish Environmental Code (Miljöbalken)
  • EU Waste Electrical and Electronic Equipment Directive (WEEE)
  • Energy efficiency requirements
  • Hazardous waste regulations (limited applicability for office operations)

Information Security and Privacy:

  • EU General Data Protection Regulation (GDPR) - primary data protection law
  • Swedish Data Protection Act (Dataskyddslagen)
  • NIS2 Directive (if applicable as critical infrastructure or essential service)
  • Telecommunications regulations (for SaaS notification services)
  • Sector-specific regulations (e.g., public sector procurement requirements)

Contractual Requirements:

  • Customer contracts (service levels, security commitments, data handling)
  • Supplier agreements (OpenText licensing, cloud hosting SLAs)
  • Partnership agreements
  • Insurance policy requirements

Voluntary Commitments:

  • ISO 9001:2015 (Quality Management)
  • ISO 14001:2015 (Environmental Management)
  • ISO 27001:2022 (Information Security Management)
  • Industry best practices and standards
  • Customer codes of conduct (when contractually binding)

Compliance Determination Process:

Step 1: Identify Applicable Obligations

  • IMS Owner maintains Compliance Obligations Register (SW-IMS-REG-002)
  • Sources: Legal databases, industry associations, customer contracts, regulatory updates
  • Reviewed by legal advisor (external) annually or when changes occur

Step 2: Understand Requirements

  • Interpret what compliance requires in Swedwise's context
  • Document specific obligations and responsible parties
  • Identify compliance evidence needed

Step 3: Integrate into IMS

  • Incorporate requirements into policies, procedures, and controls
  • Assign compliance monitoring to relevant owners (e.g., CISO for GDPR, Environmental Lead for WEEE)
  • Define compliance metrics and targets

Step 4: Monitor and Review

  • Track compliance status (compliant, non-compliant, not applicable)
  • Internal audits verify compliance (SW-IMS-PRO-004)
  • Management review assesses compliance performance
  • Update register when regulations change

Compliance Obligations Register (SW-IMS-REG-002):

Contents:

  • Obligation ID and category
  • Legal/regulatory reference or contract source
  • Summary of requirement
  • Applicable departments/processes
  • Responsible owner
  • Compliance status and evidence
  • Review date
  • Related IMS documents (policies/procedures implementing requirement)

Staying Informed of Changes:

  • Subscription to regulatory update services
  • Legal advisor quarterly briefings
  • Industry association newsletters
  • Certification body updates
  • Customer and supplier notifications

Non-Compliance Response:

  • Non-conformities identified and managed per SW-IMS-PRO-006 (Non-Conformity and Corrective Action)
  • Root cause analysis and corrective action
  • Management notification for significant compliance breaches
  • Regulatory reporting if required (e.g., GDPR breach notification)

6.1.7 Information Security Risk Assessment (ISO 27001 Requirement)

While Swedwise uses an integrated risk assessment approach, information security risks receive specific attention due to ISO 27001 requirements and the nature of Swedwise's business (handling customer data, SaaS service delivery).

Information Security Risk Assessment Approach:

Asset-Based Risk Assessment:

Swedwise identifies and classifies information assets requiring protection:

Asset Categories:

  • Information assets: Customer data, contracts, financial records, employee data, intellectual property
  • Software assets: SaaS platforms, development tools, CRM, productivity software
  • Hardware assets: Laptops, mobile devices, servers, network equipment
  • Services: Cloud hosting, email, collaboration tools, backup services
  • Personnel: Key roles with privileged access or critical knowledge
  • Intangible assets: Reputation, customer trust, brand

Asset Classification:
Each information asset is classified per the Information Classification Policy (SW-ISMS-POL-007):

  • Public: No confidentiality requirement
  • Internal: For Swedwise staff only
  • Confidential: Restricted to specific roles
  • Restricted: Highest sensitivity; special authorization required

Threat and Vulnerability Identification:

Threat Categories:

  • Malicious external: Hacking, phishing, ransomware, DDoS
  • Malicious internal: Insider theft, sabotage
  • Accidental: Human error, misconfiguration, lost devices
  • Environmental: Fire, flood, power failure
  • Technical: Hardware failure, software bugs, capacity limits
  • Supplier/Third-party: Cloud provider breach, vendor vulnerabilities

Vulnerability Analysis:
For each asset-threat combination, identify vulnerabilities:

  • Technical vulnerabilities (unpatched systems, weak passwords, misconfiguration)
  • Physical vulnerabilities (inadequate access controls, device theft risk)
  • Process vulnerabilities (unclear procedures, insufficient training)

Risk Calculation:
Using the standard 5×5 matrix:

  • Likelihood: Probability of threat exploiting vulnerability
  • Impact: Consequence to confidentiality, integrity, or availability

Impact Assessment Dimensions:

  • Confidentiality breach: Unauthorized disclosure of information
  • Integrity breach: Unauthorized modification of data or systems
  • Availability breach: Service disruption or data unavailability
  • Compliance impact: Regulatory violations (e.g., GDPR breach)
  • Reputational impact: Customer trust, brand damage
  • Financial impact: Direct costs, fines, lost revenue

Risk Treatment:
Per standard approach (Avoid, Reduce, Transfer, Accept) with security-specific controls:

Preventive Controls: Stop incidents from occurring

  • Access controls (authentication, authorization)
  • Encryption (data at rest and in transit)
  • Network segmentation and firewalls
  • Security awareness training
  • Supplier security assessments

Detective Controls: Identify when incidents occur

  • Security monitoring and logging
  • Intrusion detection systems
  • Vulnerability scanning
  • Security audits and reviews

Corrective Controls: Minimize impact after incidents

  • Incident response procedures
  • Backup and recovery
  • Business continuity plans
  • Cyber insurance

Statement of Applicability (SoA):

ISO 27001 Annex A contains 93 controls across four themes. Swedwise documents which controls apply, justification for inclusion/exclusion, and implementation status in the Statement of Applicability (SW-ISMS-REG-001).

SoA Structure:

Annex A Control | Control Name | Applicable? | Justification | Implementation Status | Reference Document
5.1 | Information security policies | Yes | Foundational requirement | Implemented | SW-ISMS-POL-001
5.7 | Threat intelligence | Partially | Limited resources; rely on vendor feeds | Implemented | Vulnerability Management Procedure
8.23 | Web filtering | No | Consultants work at customer sites; not feasible | N/A | N/A

SoA Review:

  • Annually during risk assessment
  • When significant risks identified or treated
  • During ISO 27001 audits
  • When new services or technologies are introduced

Information Security Risk Register:

A subset of the Integrated Risk Register focusing on security risks, with additional detail:

  • Asset and classification level
  • Threat and vulnerability specifics
  • Impact on CIA (Confidentiality, Integrity, Availability)
  • Annex A controls addressing the risk
  • Residual risk after control implementation

6.2 IMS Objectives and Planning to Achieve Them

6.2.1 Objective-Setting Approach

Swedwise establishes integrated objectives across quality, environmental, and information security domains. Objectives are set at:

  • Organizational level: High-level IMS objectives approved by Management Team
  • Departmental level: Specific objectives aligned with organizational objectives
  • Individual level: Personal objectives in performance reviews (where relevant)

Objective Principles:

All IMS objectives are SMART:

  • Specific: Clear and unambiguous
  • Measurable: Quantifiable with defined metrics
  • Achievable: Realistic given resources and context
  • Relevant: Aligned with business strategy and stakeholder needs
  • Time-bound: Defined timeframe for achievement

Alignment:

  • Objectives support IMS policy commitments
  • Objectives address significant risks and opportunities
  • Objectives consider compliance obligations
  • Objectives reflect stakeholder expectations (customers, employees, owners, community)
  • Objectives enable continual improvement

6.2.2 IMS Objectives

Swedwise's current IMS objectives are documented in the IMS Objectives Register (SW-IMS-REG-003).

Example Organizational Objectives (to be finalized and populated):

Quality Objectives (ISO 9001):

Objective | Metric | Target | Review Frequency
Customer Satisfaction | Customer satisfaction survey rating | ≥ 4.0 / 5.0 | Quarterly
Service Delivery Quality | On-time project delivery rate | ≥ 90% | Quarterly
SaaS Service Reliability | Platform uptime | ≥ 99.9% | Monthly
Competence Development | Staff completing required training | 100% | Quarterly

Environmental Objectives (ISO 14001):

Objective | Metric | Target | Review Frequency
Carbon Footprint Reduction | Business travel CO2 emissions | Reduce by 10% year-over-year | Annually
Waste Management | E-waste recycling rate | ≥ 95% | Annually
Energy Efficiency | Office energy consumption per employee | Reduce by 5% year-over-year | Quarterly
Sustainable Procurement | Suppliers with environmental certification | ≥ 70% of critical suppliers | Annually

Information Security Objectives (ISO 27001):

Objective | Metric | Target | Review Frequency
Security Incident Prevention | Material security breaches | Zero | Quarterly
Security Awareness | Staff completing security training | 100% annually | Quarterly
Vulnerability Management | High-risk vulnerabilities remediated | Within 30 days | Monthly
Phishing Resistance | Phishing simulation click rate | < 5% | Quarterly

Continuous Improvement Objective (All Standards):

Objective | Metric | Target | Review Frequency
IMS Improvement | Documented improvements implemented | ≥ 20 per year | Quarterly
Corrective Action Timeliness | Corrective actions closed on time | ≥ 90% | Quarterly

6.2.3 Planning to Achieve Objectives

For each objective, Swedwise plans:

What will be done:

  • Specific actions, initiatives, or projects
  • Resources required (people, budget, tools, time)
  • Process changes or improvements needed

Who will be responsible:

  • Objective owner (accountable for achievement)
  • Supporting roles and teams
  • Escalation path if targets are at risk

When it will be completed:

  • Milestones and deadlines
  • Interim checkpoints for progress review

How results will be evaluated:

  • Measurement method and data sources
  • Reporting frequency and format
  • Success criteria and thresholds

Example: Objective Action Plan

Objective: Reduce business travel CO2 emissions by 10% year-over-year

Action Plan:

  1. Baseline: Calculate 2024 travel emissions (flight, car, rail)
    • Responsible: Environmental Lead
    • Due: January 31, 2025
  2. Virtual Meeting Policy: Establish preference for virtual over in-person meetings
    • Responsible: Management Team
    • Due: February 28, 2025
  3. Travel Approval Process: Require justification for air travel; manager approval
    • Responsible: IMS Owner
    • Due: March 31, 2025
  4. Quarterly Monitoring: Track travel bookings and calculate emissions
    • Responsible: Environmental Lead
    • Frequency: Quarterly
  5. Annual Review: Compare 2025 emissions to 2024 baseline
    • Responsible: Environmental Lead + Management Team
    • Due: January 2026

Resources:

  • Carbon calculation tool or consultant (initial: 20,000 SEK)
  • Staff time for policy development and communication (IMS Owner, Environmental Lead)
  • Booking system integration (if needed)

Measurement:

  • Metric: Tonnes CO2e from business travel
  • Data source: Travel booking records + emission factors
  • Target: 10% reduction vs. 2024 baseline
  • Reporting: Quarterly dashboard; annual management review

6.2.4 Objective Tracking and Review

Ongoing Monitoring:

  • Objective owners monitor performance monthly or quarterly
  • Data collected and metrics calculated
  • Trends analyzed (improving, stable, declining)
  • Risks to objective achievement identified early

Reporting:

  • Objectives dashboard provided to Management Team quarterly
  • Red/Amber/Green status (on track, at risk, off track)
  • Narrative explaining performance and actions

Management Review:

  • Objectives reviewed in each Management Review (quarterly minimum)
  • Performance vs. targets assessed
  • Barriers to achievement discussed
  • Objectives adjusted if needed (targets, timelines, resources)

Annual Objective Review:

  • At year-end, evaluate achievement of annual objectives
  • Celebrate successes and recognize contributors
  • Analyze failures and capture lessons learned
  • Set objectives for coming year based on:
    • Previous year's performance
    • Strategic direction changes
    • Stakeholder feedback
    • Risk assessment findings
    • Compliance obligation changes

Objective Revision:
Objectives may be revised during the year if:

  • Significant organizational change (new service, restructure)
  • External factors make objective unachievable or irrelevant
  • Objective achieved early; new stretch target set
  • Resource constraints require re-prioritization

Revisions require Management Team approval and are documented in the IMS Objectives Register.

6.3 Planning of Changes

6.3.1 Change Management Approach

Swedwise recognizes that the IMS must adapt to changes in the organization, its context, and stakeholder needs. Changes are planned and implemented in a controlled manner to ensure IMS integrity and effectiveness.

Types of Changes Requiring Planning:

Organizational Changes:

  • Office relocations or new locations
  • Organizational restructuring
  • Ownership or management changes
  • Significant headcount growth or reduction
  • New business lines or service offerings

Operational Changes:

  • New or modified processes
  • Technology changes (IT systems, platforms, tools)
  • Supplier changes (new suppliers, terminations)
  • Infrastructure changes (cloud migration, data center changes)

IMS-Specific Changes:

  • New or revised policies and procedures
  • Changes to IMS scope
  • Changes to objectives or targets
  • Control changes (adding/removing controls)
  • Certification scope expansion

Regulatory or Customer Changes:

  • New legal or regulatory requirements
  • Changed customer requirements
  • Certification standard updates (e.g., ISO standard revisions)

6.3.2 Change Planning Process

Significant changes follow the Change Management Procedure (SW-IMS-PRO-008).

Change Planning Steps:

1. Identify Change Need

  • Change requested or identified by management, staff, customer, regulation
  • Business case or justification documented

2. Impact Assessment

  • What parts of IMS are affected? (policies, procedures, controls, objectives, responsibilities)
  • What risks does change introduce or modify?
  • What resources are required? (people, budget, time)
  • Who is affected? (staff, customers, suppliers, certification)

3. Change Approval

  • Change Request submitted to IMS Owner or Change Advisory Board
  • Risk and impact assessed
  • Approval based on significance (minor: IMS Owner; major: Management Team)

4. Change Planning

  • Detailed implementation plan developed
  • Communication plan created (who needs to know, when, how)
  • Training plan (if competence affected)
  • Rollback plan (if change fails, how to restore)
  • Verification plan (how to confirm change successful)

5. Change Implementation

  • Execute change per plan
  • Document actions taken
  • Monitor for issues

6. Post-Change Verification

  • Verify intended outcomes achieved
  • Confirm IMS still effective
  • Update documentation (policies, procedures, records)
  • Communicate completion

7. Post-Change Review

  • Lessons learned captured
  • Effectiveness evaluated
  • Improvements identified for future changes

6.3.3 Change Considerations for IMS Integrity

When planning changes, Swedwise ensures IMS integrity is maintained:

Documented Information:

  • Policies, procedures, and forms updated to reflect change
  • Version control maintained per Document Control Procedure (SW-IMS-PRO-001)
  • Obsolete documents withdrawn

Competence:

  • Training needs assessed and addressed
  • Staff awareness of changes ensured
  • New staff onboarding materials updated

Risks and Opportunities:

  • Change impacts on risk profile evaluated
  • New risks identified and treated
  • Opportunities from change captured

Objectives:

  • Objectives reviewed; adjusted if change affects ability to achieve
  • New objectives set if change introduces new areas of focus

Compliance:

  • Legal and regulatory compliance maintained
  • Certification requirements still met
  • Customer contractual obligations fulfilled

Resources:

  • Adequate resources allocated for change implementation
  • Resource impacts on ongoing operations considered

Communication:

  • Internal and external stakeholders informed
  • Expectations managed
  • Feedback mechanisms established

6.3.4 Change Authorization

Changes are authorized at appropriate levels based on significance and risk:

Change Significance | Examples | Authorization
Minor | Procedure clarification, form update, standard change | IMS Owner
Moderate | New guideline, process improvement, office move | IMS Owner + Department Head
Major | New service, policy revision, scope change, restructure | Management Team
Strategic | Certification scope, ownership change, major outsourcing | Management Team + CEO/Board

Emergency Changes:

  • Urgent changes to address critical incidents or threats
  • Expedited approval by IMS Owner + CISO (technical) or CEO (strategic)
  • Retrospective review by Change Advisory Board within 5 days
  • Documented per Change Management Procedure

6.3.5 Certification Body Notification

Certain changes must be communicated to the ISO certification body:

Changes Requiring Notification:

  • Changes to IMS scope (new locations, services, exclusions)
  • Organizational ownership or legal status changes
  • Significant organizational restructuring
  • Change of key IMS personnel (if relevant)
  • Major incidents affecting compliance (e.g., significant data breach)

Notification Timeline: Typically within 30 days of change or as specified in certification agreement.

Responsibility: IMS Owner notifies certification body; maintains records of notifications.

Review and Maintenance

This manual section is reviewed annually by the IMS Owner or when:

  • Significant changes to planning processes occur
  • ISO standard requirements change
  • Audit findings identify gaps or improvements
  • Management review identifies planning effectiveness issues

Document Control

Version | Date | Author | Changes
1.0 | [TBD] | IMS Owner | Initial release

Next Review Date: [TBD - typically 12 months from effective date]


Approval

Role | Name | Signature | Date
IMS Owner | | |
Management Team Representative | | |