YES. Absolutely. You can implement any management system in your organization without any external help. Most of the organizations do just that. Anyone with basic knowledge of the subject (quality, health & safety, information security, etc.) and the related standard can implement that particular management system.

So why consultants you say? Consultants bring industry knowledge, best practices, and efficiency to the implementation, ensuring smoother adoption and compliance. A consultant can provide valuable expertise and guidance throughout the process which will cut both the time and the trial & error down drastically. Of course,  you do have to select the right consultant to properly assist you throughout this journey.

It depends on the management system. For example, to implement a Quality Management system based on ISO 9001, you will need to know the requirements and how to implement them. The requirements can be found in the standard ISO 9001:2015; how to implement them  can be found in the guideline ISO 9002:2016. Both can be purchased directly from ISO.org (https://www.iso.org).

Once both copies are acquired, start studying them in details before planning the implementation. The standard will tell you what you need to comply and the guideline will tell you how to create it.

Now, the above involves external requirements (what you need from outside the organization), internally, one of the first things you need to get is Top Management approval. From there you will identify the resources required, set up a plan and create a project.

The same applies to other management systems. For example, to implement Information Security, you start with the standard ISO 27001:2022, then identify which guideline you will need to use (see Information Security Standards.

Every organization requires slightly different approach. No one approach is suitable for all organization but our approach gives you an idea on how we go about implementing the average project. Remember, we first need to understand your requirements and how your organization functions, only then can we customize a solution to fit your need.

A standard is a mandatory rule or requirement that must be followed, whereas a guideline is a recommended practice or suggestion that can be followed voluntarily.  Standards are often more rigid and enforced, whereas guidelines offer flexibility and are advisory in nature.

The short answer is no. Other than the Intellectual Property Rights violation, it is not as simple as copy & paste the text, change the company name and logo, print, approve and you are done. True there are "kits" out there that do just that. They give you a simplified version of the minimum requirements where you only have to add your company name and logo and you have a set of documentation that may pass the initial audit. You are making the company follow a generic process instead of creating a process that suits your company.

In general, it is easier to implement a management system but much harder to maintain it. However, If you implement it correctly, maintaining it will not be difficult.

If you decide to buy a kit, make sure it is suitable for your organization, and that you are able to modify it accordingly. Remember, these kits are very generic intentionally. They may be designed taking into consideration one country requirements and are not applicable to your country, region, or state. For sure, they will not take into consideration your organization's special requirements.

It can take as little as three (3) months to a year to implement one or more management systems. It all depends on the resources allocated, the complexity of the organizational, and the qualification and capabilities of the implementation team and/or Consultants.

No, not necessarily. You can implement an integrated management system based on PAS99 and integrate multiple management systems in a much shorter time span. For a small to mid sized organization, we normally implement QHSE (3 standards ISO 9001, 14001, and 45001) in less than 6 months. The same applies with Information Security & IT Service management (ISO 27001 & 20000-1).