Everyone has heard of management systems, but no one has ever seen one.
“Management system” is the abstract term for a set of interlocking management tools designed to achieve specific goals. These objectives may be an appropriate level of quality, compliance, data protection or security, or a combination of all of these.
Today, management systems serve as control models in various management disciplines. International standards such as ISO 9001 for quality management, ISO/IEC 20000-1 for service management, ISO 22301 for business continuity management, ISO/IEC 27001 for information security management, ISO/IEC 27701 for data protection management and ISO 37001 for compliance management all follow the standardized approach. In addition, there are national standards; for example, the German Federal Office for Information Security (BSI) formulates the management of IT security and business continuity in the form of management systems in its standards 200-2 and 200-4.
Management systems as a standardized, comprehensive approach are regarded as best practice; they give one's own approach a recognized structure and the confidence that it will succeed. Anyone who tries to manage the protection of their company data in some ad hoc way, for example, is quickly accused of not having taken adequate precautions when an incident occurs, and the management risks personal liability for damages and severe penalties for the company, for example for improper processing of personal data. Conversely, if a management system has been certified by a recognized auditing body, the certificate is regarded as a seal of quality. This is another reason why such certification is often required in tenders.
A management system generally includes the policies, procedures, guidelines, and related resources and activities that are controlled by the organization to achieve its stated objectives. ISO describes the requirements for establishing and operating a management system generally as follows:
- Understanding the framework for the management system
- Understanding the requirements and expectations of interested parties
- Determination of the scope for the management system
Over time, however, some elements of the management system prove to be inappropriate, unsuitable or simply ineffective, for example because conditions have changed: the system is no longer in a stable state, and the achievement of its objectives is in danger. That is why the continuous improvement process (CIP) is an integral part of every management system.
Based on Deming's PDCA cycle, planning (Plan) and operation (Do) are followed by an assessment of performance (Check), then by improvements and corrections (Act), after which planning begins again. Many companies have third parties audit the effectiveness of their management system and identify areas for improvement. A decisive factor for the success of a management system is that the management stands behind it: it must set the framework, provide the necessary resources and bear the responsibility.
The challenge in setting up a management system is to implement the requirements effectively and efficiently. The norms and standards provide the requirements, a kind of checklist of aspects to consider. However, there is no one-size-fits-all implementation; each management system must be individually shaped and designed. It is easy to end up with a bureaucratic monster, or with a management system that only fulfills the requirements on paper. As a result, employees reject the management system in principle, or it fails to have the desired effect in practice. In both cases, the management system fails - at first! Seen positively, there is then a lot of potential for the continuous improvement process.
Author and contact
Dr. Roger Fischlin
Lead Business Consultant
msg security advisors