If you've ever tried to implement ISO 9001 alongside ISO 14001 or ISO 45001 and found yourself staring at two nearly identical clauses about "context of the organization," that's Annex SL at work. Once you understand why it exists, managing multiple management systems gets considerably less painful — and building a genuinely integrated system becomes a realistic goal rather than an aspiration.
What Is Annex SL, and Why Did ISO Rename It?
Annex SL was the appendix published in the ISO/IEC Directives, Part 1, that created a common high-level structure for all ISO management system standards. In 2021, ISO formally replaced that term with Harmonized Structure (HS), though most practitioners still reach for the old name out of habit. The concept is identical regardless of what you call it: every new or revised ISO management system standard must follow the same 10-clause skeleton, use the same core text where applicable, and adopt a shared set of defined terms.
The problem Annex SL was built to solve was real. Before its introduction in 2012, each standard had its own architecture. ISO 9001:2008 looked structurally nothing like ISO 14001:2004. An organization trying to build an integrated management system had to reconcile completely different frameworks, which added cost and complexity without adding any value to how the business actually operated. Management reviews ran on parallel tracks. Internal audits used different terminology. Documented information lived in separate silos.
As of 2023, more than 1.3 million organizations worldwide hold ISO 9001 certification — the largest certification base of any ISO management system standard. A significant portion of those organizations also hold ISO 14001, ISO 45001, or another management system certificate. When those structures don't align, the friction compounds at every audit cycle, every document review, and every executive-level conversation about performance.
The Harmonized Structure was ISO's answer to that friction.
The 10-Clause Framework That Shapes Every Modern ISO Standard
The HS organizes every management system standard into the same ten sections:
- Scope — what the standard covers
- Normative references — documents indispensable for application
- Terms and definitions — shared vocabulary
- Context of the organization — understanding the organization and its stakeholders
- Leadership — top management commitment and policy
- Planning — risks, objectives, and plans to address them
- Support — resources, competence, awareness, communication, documented information
- Operation — planning and controlling operational processes
- Performance evaluation — monitoring, measurement, internal audit, management review
- Improvement — nonconformities, corrective actions, continual improvement
Clauses 1–3 are essentially setup material. The substance lives in Clauses 4–10, and those seven clauses are where you find the identical or near-identical requirements that let you build one integrated system instead of maintaining separate ones.
The way I explain it to clients: think of the Harmonized Structure as the skeleton. Each standard then adds its own discipline-specific muscle and tissue on top of that shared skeleton. ISO 9001 adds product and service quality requirements at Clause 8. ISO 14001 adds environmental aspects and compliance obligations. ISO 45001 adds hazard identification and worker participation requirements. The skeleton is the same; what's built on it varies by discipline. That's not an incidental feature — it's the whole design.
How Clause Structure Maps Across the Four Major Standards
This table shows how the same HS clause maps to requirements across four commonly integrated standards. The clause numbers are identical by design.
| HS Clause | ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018 | ISO 27001:2022 |
|---|---|---|---|---|
| 4 — Context | Org context, interested parties, QMS scope | Org context, environmental issues, compliance obligations | Org context, worker needs, OH&S scope | Org context, interested parties, ISMS scope |
| 5 — Leadership | Quality policy, roles, customer focus | Environmental policy, roles | OH&S policy, worker consultation | Information security policy, roles |
| 6 — Planning | Risks/opportunities, quality objectives | Environmental aspects, compliance, objectives | Hazard ID, legal requirements, OH&S objectives | Information security risks, treatment plan, objectives |
| 7 — Support | Resources, competence, documented information | Resources, competence, documented information | Resources, competence, documented information | Resources, competence, documented information |
| 8 — Operation | Product/service requirements, design, external providers, production | Operational control, emergency preparedness | Hazard controls, management of change, emergency response | Operational planning, supplier relationships |
| 9 — Performance Evaluation | Monitoring, internal audit, management review | Monitoring, compliance evaluation, management review | Monitoring, compliance evaluation, management review | Monitoring, internal audit, management review |
| 10 — Improvement | Nonconformities, corrective actions, continual improvement | Nonconformities, corrective actions, continual improvement | Incidents, nonconformities, corrective actions | Nonconformities, corrective actions, continual improvement |
A well-written Clause 4 procedure can satisfy the context requirement across all four standards simultaneously, as long as it captures discipline-specific inputs — quality issues, environmental aspects, safety hazards, information security risks — within the same process framework. That one procedure replaces four separate documents. That's not a minor efficiency gain.
Why ISO 9001 Users Should Care About This — Even Without a Second Certification
A mistake I see regularly is treating Annex SL as a background technicality — something the standard writers cared about, not something with day-to-day implications for a quality team. In my experience working with more than 200 organizations, the opposite is true, and the payoff shows up in three distinct ways.
First, integrated systems cost less to maintain. According to research published by the British Standards Institution, organizations running an integrated management system spend approximately 20–30% less on certification audits annually compared to organizations maintaining separate management systems for each standard. For a mid-size manufacturer holding three certifications, that can translate to tens of thousands of dollars in reduced external audit fees and internal preparation time over a three-year certification cycle.
Second, the structure improves how your QMS is built, even in isolation. Organizations that understand the HS tend to build their management systems to the clause level rather than to the standard. Instead of a "quality manual" and an "environmental manual," they have one Clause 4 process, one Clause 5 policy framework, one Clause 9 internal audit program. The documentation is leaner, audits are more efficient, and management review covers the full system in a single meeting.
Third, understanding the structure prepares you for whatever comes next. If your organization ever considers adding ISO 14001, ISO 45001, or ISO 27001, the fact that they all share the Harmonized Structure is your biggest implementation advantage. The gap analysis for a second or third certification becomes a clause-by-clause question: "what does this standard require at each clause that our current system doesn't already address?" rather than starting from scratch with an unfamiliar architecture.
The Harmonized Structure is the reason a quality manager who understands ISO 9001 can read ISO 45001 and navigate it in an afternoon. The architecture is already familiar.
What the "Common Text" Actually Means for Your Documentation
The HS goes beyond numbering clauses the same way. Several sections contain mandated common text — identical wording that must appear in every standard unless there is a discipline-specific reason to modify it. The definitions for "management system," "top management," "policy," "objective," "risk," "documented information," and several others are shared across all HS-based standards.
This has practical implications for your document control procedure. A single definition of "documented information" — the HS term that replaced "documents and records" from the pre-2015 era — applies to all your management systems. You don't need a quality-specific definition and an environmental-specific definition. One procedure governs everything.
That said, I want to be honest about where this stops. The shared skeleton doesn't make the standards interchangeable. ISO 27001's information security controls in Annex A are highly technical and specific in ways that have no counterpart in ISO 9001. ISO 45001's requirements around worker consultation and participation go substantially beyond anything ISO 9001 asks for. The common structure makes integration possible and efficient; it doesn't make it effortless or automatic. Anyone who tells you that holding ISO 9001 means you're halfway to ISO 45001 with minimal additional work is oversimplifying in a way that leads to gaps at audit time.
What Changed When ISO Moved from Annex SL to the Harmonized Structure in 2021
The 2021 update wasn't cosmetic. The new Harmonized Structure introduced refinements to how requirements around risk-based thinking, organizational context, and the integration of the management system with business processes are expressed. More than 40 ISO management system standards now follow the HS framework, and all future standards will be built to the updated 2021 version rather than the original 2012 Annex SL.
For ISO 9001 users, the practical implication is that the next revision of ISO 9001 — currently anticipated in the 2026–2027 timeframe, though ISO's timelines shift — will be built to the updated Harmonized Structure. The 10-clause skeleton will remain. The changes will focus on how specific requirements are expressed within that structure, with a continued push toward embedding the management system in core business processes rather than running it as a parallel compliance program.
That directional push is the most important thing to understand about where ISO is heading. The Harmonized Structure is the structural mechanism that makes genuine integration possible — and the organizations that have internalized this, where quality and safety and environmental management are woven into how the business actually runs rather than managed as separate compliance overhead, are the ones that get real value from their certifications rather than just the certificate on the wall.
How to Apply the Harmonized Structure When Building or Updating Your QMS
For practitioners ready to translate this into action, a few moves that consistently make a difference:
Structure your procedures to the clause. Name and scope each procedure by the HS clause it addresses — for example, "Clause 6.1 — Risk and Opportunity Process" — rather than by a generic descriptive title. This makes the framework visible in your documentation architecture and makes expansion to additional standards straightforward later.
Write your management review agenda in clause order. Management review (Clause 9.3) is one of the most underused tools in a quality system. Structuring the agenda to walk through Clauses 4–10 systematically ensures nothing is skipped and creates a natural framework for adding inputs from additional standards if you pursue them.
Audit to the clause intent, not just to the procedure. Internal auditors who understand the HS can audit against what each clause is actually trying to accomplish, not just against whether a procedure was followed. That produces more useful findings. You can explore this approach further in our guide to ISO 9001 internal audits.
Know where ISO 9001 added its own requirements above the HS floor. ISO 9001's Clause 8 is substantially heavier than what the basic HS requires for operational control — it adds product and service planning, design and development, external provider management, and production and service provision requirements that are specific to quality management. Knowing where the standard diverged from the shared skeleton helps you understand which requirements belong to quality specifically and which belong to management systems generally. This distinction matters when you're deciding what to integrate and what to keep discipline-specific. See our ISO 9001 clause-by-clause breakdown for a deeper look at each section.
The Harmonized Structure and Emerging Standards: ISO 42001 as a Preview
The compounding return on understanding the HS becomes visible with newer standards. ISO 42001:2023 — the artificial intelligence management system standard — published with the full HS clause structure. If you're in a sector where AI governance is becoming a compliance requirement, which describes a rapidly expanding range of industries following the EU AI Act's rollout, ISO 42001:2023 clause 6.1.2 (planning to address risks and opportunities for AI systems) will look immediately familiar to anyone who has worked with ISO 9001 clause 6.1.2. Same clause number, same underlying structure, AI-specific requirements layered on top.
That's the return on investment for understanding the framework rather than just learning the individual standard. Every new management system standard ISO publishes will use this architecture. The time you spend understanding the Harmonized Structure once compounds across every certification your organization will ever pursue.
Jared Clark is Principal Consultant at Certify Consulting, with 8+ years of experience and a 100% first-time audit pass rate across 200+ client engagements spanning ISO 9001, ISO 14001, ISO 45001, and FDA compliance.
Last updated: 2026-06-26
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.